Thirty-eight percent of legal departments expect to increase cyber-related budget
Legal departments are playing an increasingly important role in cybersecurity strategy, and chief legal officers in particular are often front and center, with 84 percent of CLOs now playing a key role in the cybersecurity strategy for their organization – up from 76 percent in 2020 – according to a new report.
The report by the Association of Corporate Counsel Foundation, in collaboration with Ernst & Young LLP, also found that cybersecurity reports to the CLO in 38 percent of departments surveyed. In fact, 22 percent of companies now have a dedicated cybersecurity lawyer – up from just 12 percent in 2018, while 24 percent indicate that the CLO is a member of the cybersecurity incident response team.
Respondents report growing cross-functional collaboration among legal, IT, security, and other business units to anticipate and effectively respond to cybersecurity threats.
Cybersecurity is seen as a regulatory compliance matter, making lawyers ideally suited for this responsibility, according to Susanna McDonald, VP and chief legal officer at ACC.
“The chief legal officer brings strategic and risk management skills and additional data to the table as well,” says McDonald. These skills allow lawyers to help prevent and, if need be, react to cybersecurity situations, she adds.
Businesses face many risks in the event of a data breach, with reputational damage, liability to data subjects, and business continuity being the top three areas of concern for survey respondents.
“Reputational damage can ultimately lead to a decline in revenues,” says McDonald. “It’s not just about liability to data subjects, but also potential fees and fines that businesses would have to pay to different regulatory agencies,” she adds.
The 2022 State of Cybersecurity Report: An Inhouse-Perspective also found that just 31 percent of legal departments say they are regularly involved in their company’s third-party risk management.
Thirty-eight percent of legal departments now say they are spending more as a result of their approach to cyber, compared to a year ago. This number has increased from just 23 percent in 2015. Fifty percent said this increase was mainly attributed to outside spend (among law firms, ALSPs, and consultants), while 25 percent said the increase was mainly attributed to inside spend (on legal resources exclusively devoted to cybersecurity).
Businesses should be doing more to train their employees in cybersecurity, according to McDonald, with the majority providing training only once per year, and as few as nine percent reporting that training is provided quarterly.
“Just about everybody said they are providing annual training, but I don’t think that is enough,” says McDonald. “Potentially harmful actors have become far more sophisticated with these attacks, making employees the primary target for them, thus increasing the risk to the organization. If organizations really want to get a handle on risk, they are going to have to engage with the employees with more robust training.”
The ACC surveyed 265 companies across 17 industries and 24 countries.