Cybersecurity touches every aspect of consumer and corporate life. Cyber attacks have become more frequent and more sophisticated: 40 percent of the companies surveyed for the report discussed below experienced a data breach in the past 12 months.
Preventing, preparing for, and responding to data breaches in real time is a chief concern for individuals, corporate leaders, and government regulators.
On 24 July, the European Commission presented a new EU Security Union Strategy for the period 2020 to 2025 that focuses on priority areas where the EU can help Member States promote security for all people living in Europe. It spans the gamut of Europe's cybersecurity needs: fighting terrorism and organised crime; detecting and preventing hybrid threats; increasing the resilience of critical infrastructure; and research, innovation, and the broad promotion of cybersecurity. The strategy sets out both tools and recommended actions.
The Commission has also recognised the need for a Joint Cyber Unit as a platform for structured and coordinated cooperation, and intends to build and maintain robust international partnerships that help deter and respond to cyber attacks and encourage the adoption of EU cybersecurity standards in partner countries.
Building on that progress, how can Europe's general counsel (GC) and chief legal officers (CLOs) guide their organizations and help thwart cyber attacks? What role do they play in implementing best practices and regulations to keep protected information out of criminal hands? How do they win over multiple stakeholders to a new data protection regime?
The Association of Corporate Counsel (ACC) Foundation introduced its 2020 State of Cybersecurity Report, An In-house Perspective on 31 July, which focuses on these questions. Building on the 2015 and 2018 editions of the same survey, the report sheds light on the growing role that legal departments play in organization-wide cybersecurity policies and practices.
With responses from legal department decision-makers in 586 companies across 20 industries and 36 countries, the data included in this report provide a comprehensive understanding of how legal departments in organizations of different sizes engage in cybersecurity matters.
“As modern CLOs’ roles and responsibilities continue to expand, cybersecurity strategy and oversight is unquestionably one area where we see the largest growth,” said Susanna McDonald, vice president and CLO of ACC. “Between the ever-increasing frequency of attacks and substantial risk to the organization’s operations and brand, this comes as no surprise. CLOs bring a unique combination of legal training, strategic thinking, and risk analysis to the table to best help prevent and, if need be, react to cybersecurity situations. Today’s report is the latest evidence that businesses increasingly recognize the CLO’s strengths in this area and are adjusting accordingly.”
The 88-page report covers a broad range of cybersecurity activities:
- Legal department’s role,
- Policies and practices,
- Risk management,
- Breach and incident experience, and
- Working with government and law enforcement.
Some of the report’s highlights include:
The legal department’s role in cybersecurity
CLOs Lead Efforts On Cybersecurity
Seventy-one percent of organizations place their CLO in either a leadership role regarding cybersecurity strategy or as part of a team with cyber responsibilities. However, only 17 percent of organizations have their CLO directly oversee both cyber and privacy functions.
Legal Oversight Results In Risk-Based Compliance
The share of organizations running a risk-based rather than a compliance-based cybersecurity program is higher when the CLO oversees both the cyber and privacy functions. In other words, legal oversight appears to drive a more proactive approach to cybersecurity.
More In-House Counsel Dedicated To Cybersecurity
Eighteen percent of organizations have an in-house lawyer dedicated to cybersecurity, up from 12 percent in 2018. In a majority of cases this lawyer is responsible for cyber across the enterprise, and in 56 percent of organizations the role is an executive-level position. (Figure 1)
Policies and practices
Rise In Employee Training And Evaluation
Both the range of methods used to evaluate employee preparedness and the frequency of those evaluations have increased dramatically since 2018. A majority of organizations now track mandatory training requirements and attendance, and well over a third conduct mock security events and tabletop exercises.
Cybersecurity Policies Are The Norm
For most of the cybersecurity policies listed, usage has not changed significantly over time: most organizations have password, social media, internet usage, and document retention policies in place. The exception is data mapping, where the percentage of organizations with a policy has risen sharply over the past two years and has almost doubled over five years.
Lawyers Are Included In Cybersecurity Response Teams
Seventy-six percent of organizations have a cybersecurity response team, up from 59 percent in 2018. A vast majority (83 percent) of those organizations have a senior staff lawyer or executive member of the legal department on that team. (Fig. 2)
Vendors Are Trusted Regarding Cyber Risks
Seventy-eight percent of organizations claim they are “somewhat” or “very” confident in their third-party vendors’ ability to protect them from cyber risks. This is a substantial increase in confidence from 2018 (62.1 percent).
Only A Minority Use Vendor Management Platforms
Fifteen percent of organizations now use vendor management platforms, up from 9.1 percent in 2018. Usage increases substantially with the size of the legal department: nearly one quarter of departments with more than 25 staff use such a platform. Departments with a dedicated cybersecurity counsel are more likely to use a platform regardless of the legal department's size.
One Third Of Departments Will Increase Legal Expenditure
Thirty-six percent of departments say they will increase their legal expenditure as a result of their cybersecurity approach, up from 33.8 percent in 2018 and well above the 22.8 percent reported in 2015. A plurality of departments (38.8 percent) will allocate this increase to outside costs, but over time there is a clear and sizable shift toward allocating the increase to in-house spend. (Fig. 3)
Breach and incident experience
Four In Ten Companies Suffered A Data Breach
Forty percent of organizations surveyed experienced at least one data breach over the past year, and respondents reported an average of 24 cyber incidents overall. Healthcare organizations saw the highest number of incidents over the past year, with an average of 58.
Effects On Reputation And Company Brand Are The Main Concern
Damage to company reputation and brand remains the top concern arising from a data breach. However, liability to data subjects has become the second greatest concern overall this year, a dramatic increase from 2018: 62 percent of organizations rated it among their top three concerns this year, compared with just 20.3 percent in 2018.
One In Five CLOs Are In Charge Of Responding To A Data Breach
Typically, organizations assign an individual or group to coordinate a formal response to any data breach that occurs. This year, 21.2 percent of organizations assigned their CLO that responsibility, a significant increase from 4.6 percent in 2015. (Fig. 4)
Working with government and law enforcement
Almost Half Work With Government To Address Risks
Forty-seven percent of organizations surveyed collaborate with law enforcement or government agencies to address cybersecurity risks. This is a large increase from only 27.1 percent in 2015. Organizations are also more likely to collaborate when the CLO oversees cybersecurity. Those who do not collaborate say that they do not have the resources or knowledge base to do so.
Only One In Six Participate In Information Sharing
Sixteen percent of organizations participate in an information sharing and analysis center (ISAC) to share cyber threat information with other organizations and the government. In 71 percent of those cases, the legal department plays a role in the information sharing process.
GDPR: Majority Appointed A Data Privacy Officer
Among organizations required to comply with GDPR, 58 percent were required to appoint a data protection officer (DPO). Among those not required to do so, 31 percent appointed a DPO anyway. In over half of those organizations the DPO is a full-time employee reporting to the legal department. (Fig. 5)
The 2020 State of Cybersecurity Report, An In-house Perspective is available on the ACC website.