Chief legal officers play key role in cybersecurity strategy: ACC report

Thirty-six per cent of legal departments plan to increase budget for cybersecurity


More than 70 per cent of chief legal officers play a key role in cybersecurity strategies for their organizations, while 21 per cent are tasked with handling data breaches, according to a new global report from the Association of Corporate Counsel Foundation.

Eighteen percent of organizations have an in-house lawyer dedicated to cybersecurity, up from 12 percent in 2018, the biannual report found. In a majority of cases, this lawyer is responsible for cyber across the enterprise, and in 56 percent of cases holds an executive-level position.

“This really speaks to the recognition that privacy and cybersecurity policy are inextricably linked,” says Susanna McDonald, vice president and chief legal officer at the ACC. “Cybersecurity is a risk and compliance issue so it’s really in the wheelhouse of in-house counsel. The most common questions that general counsel get from their boards are about cybersecurity risk and compliance so if your board is asking these questions, you need to be able to effectively answer them.”

Seventy-six percent of organizations have a cybersecurity response team, up from 59 percent in 2018, the report found. A vast majority (83 percent) of those organizations have a senior staff lawyer or executive member of the legal department on that team.

“There are not too many companies that don’t have access to employee and customer data so organizations must protect that data, and regulatory schemes are growing and increasingly involving in-house counsel in order to be able to stay on top of that,” says McDonald.

The report also indicates that 36 per cent of legal departments plan to increase legal spend as a result of their cybersecurity approach – up from 33.8 per cent in 2018 and 22.8 per cent in 2015. As hackers become more sophisticated in their methods, organizations have to spend more money to implement sufficient protective tech solutions, according to McDonald.

Forty percent of organizations surveyed experienced at least one data breach over the past year and experienced an average of 24 cyber incidents, the report found. Organizations in the healthcare industry experienced the highest number of incidents over the past year, with an average of 58.

Upon discovering a breach, in-house counsel are responsible for reporting it to the board and to regulatory agencies, and for working with the IT department to determine how to improve resistance to attacks.

“Five or ten years ago chief legal officers would tell me that the IT department is responsible for cybersecurity but that is no longer true today,” says McDonald. “Legal oversight leads to risk-based compliance and really coincides with the rise of cybersecurity policies.”

Damage to company reputation and brand remains the top concern arising from a data breach for organizations. However, liability to data subjects has become the second greatest concern overall this year, with a dramatic increase from 2018. Sixty-two percent of organizations rated it among their top three concerns this year, compared to just 20.3 percent in 2018.

The ACC Foundation’s 2020 State of Cybersecurity Report surveyed 596 law departments across 36 countries and 20 industries from April to May.