As you will read in both our cover story “The era of no excuses” and the interview I did with VIA Rail’s Denis Lavoie in the Quebec report, the challenge of managing the various risks around cybersecurity is landing with a thud on the desks of in-house counsel.
During a recent panel at the Ontario Bar Association’s February conference in Toronto, Manju Jessa, assistant general counsel at RBC, moderated a discussion on managing outside counsel effectively. Jessa said one of the priorities for the bank is knowing how secure the information shared by RBC is when going back and forth to its external law firms. The concern, she said, is two-fold, including knowing how secure email in the firm’s communication is, but RBC also wants its law firms to let them know whether the firms are at risk of attack and what kind of data is potentially being breached.
Law firms are increasingly becoming targets by those looking for competitive intelligence or merely by virtue of who they are and who they represent.
Add that threat to the growing cybersecurity concerns keeping in-house counsel up at night. What I found interesting is that there wasn’t any followup on Jessa’s comments in the rest of the discussion. Rather, it evolved into more of the usual talk about improving relationships with in-house and outside counsel (or how to politely end them). But the fact cybersecurity concerns are bubbling to the top of the conference circuit is proof that cyber-risk is moving to an elevated level for many sophisticated in-house lawyers and it’s the boardroom.
As Lavoie told me, in the last two to three years, cyber-risk has become a larger concern at VIA. In November, VIA’s legal team went to its board of directors with a new proposal for cyber-insurance and Lavoie is working on it with the company’s broker to put a new policy in place. On the prevention side, he is working closely with the IT group to build an infrastructure process to protect against a cyberattack.
David Laliberte, general counsel of Groupe Média TFO, told us the same thing in the cover story when he said the board of his organization put it on the agenda to review the organization’s policy with respect to confidential information and how to protect it.
This fits with results of the Association of Corporate Counsel Foundation report: the State of Cybersecurity Report (2016), which found that not only were company and law department budgets growing in this area but 59 per cent of the CLOs surveyed expected their law department’s role in cybersecurity to increase.
According to the ACC Chief Legal Officers 2017 Survey, the rated importance of data breaches has increased by seven percentage points since the 2013-14 survey was conducted. For those in health care and education, it is of extreme importance likely because of the cost associated with a breach — both reputational and dollar value — but I find it hard to believe it’s not considered “extreme” for everyone.
If you aren’t already doing it, it’s probably a good game plan as in-house counsel to raise the level of involvement you have in managing the risk around cyber-threats. It’s no longer about knowing how to react to a breach; it’s about doing all you can to prevent it in the first place.