As cyber threats evolve and the consequences of attacks become more damaging, General Counsel (GC) and in-house legal teams have an increasingly pivotal role to play in proactively managing and mitigating these risks. This includes everything from risk-assessing data breaches and reviewing contracts for cyber risk to understanding cyber insurance and managing regulators.
The impact of destructive cyber attacks such as ransomware has elevated cyber risk up the boardroom agenda. In our 25th Annual UK CEO Survey, 48% of UK CEOs say they are either extremely worried or very worried about cyber security risk and 64% said they are extremely concerned, or very concerned cyber risks could impact their ability to sell products and services.
This cyber risk often ultimately becomes legal risk and the serious financial, reputational and regulatory impact of attacks today requires legal teams to be able to clearly understand and articulate the legal and wider risks to the business and be driving the cyber strategy.
One of the most important roles for legal teams - and a reason why they should be engaged early on during planning - is in the heat of battle during cyber incident response, where the immediate priority is to identify what has been damaged or lost and the impact. Understanding the legal impact in the short and longer term is an integral piece of the breach response strategy.
For GCs and legal this includes advising on any mandatory breach or data loss notifications, such as those under GDPR to the appropriate supervisory authority, and ensuring they are done within the specified timeframe - in compliance with local and international laws and regulations. There may also be a requirement to notify data subjects - for example, customers and employees - directly if their personal information has been compromised by the attack and could lead to harm.
The cyber insurance market is also changing in response to the ongoing ransomware threat. As the cost of ransomware attacks grows, premiums and exclusions are rising and it is harder than ever to secure appropriate and affordable cover.
Legal can help assess these insurance policies to advise whether they sufficiently cover the business risks and are worth the premiums paid and, in the event of a cyber attack, assess whether the insurance policy covers a claim process to follow. Another option organisations are turning to is self-insurance - as primary cover, or to fill gaps in traditional policies - but this brings its own set of risks. Organisations must ensure they still have access to the key specialist services insurance cover would usually provide, such as incident response, forensics, legal, communications, crisis support and negotiators.
In 2022, 61% of UK organisations expect to see a rise in reportable ransomware incidents and ransomware groups are increasingly using so-called double extortion tactics with threats to leak sensitive information as well as disrupt business. This creates more risk of litigation from data subjects if their personal information is exposed.
Other litigation risks come from stakeholders and investors if the reputation and value of the organisation is damaged as a result of a cyber attack, particularly if the view is that the business did not do enough to prevent such an attack. And business or supply chain disruption could lead to breach of contract claims, for example in the event of delivery delays or failures.
Understanding the organisation’s data landscape is crucial to identifying and assessing these risks, looking at what type of personal data or other sensitive information your company holds, where it is collected and stored, which systems are most likely to be targeted and what impact would it have on the company if this data was lost or stolen. Armed with this information, the GC can support the business in managing these risks through appropriate systems and controls and start to create a defensible position in the event of a dispute.
Geopolitical-related cyber threat activity aligned with the strategic interests of certain countries is on the rise, and organisations can find themselves caught in this crossfire.
Legal has a key role to play in keeping up to date with these global geopolitical events and related cyber threats to identify the risk they pose. This includes assessing whether the organisation might become a target for attacks and whether there is a direct risk to operations in those countries in terms of potential data loss, business continuity and supply chain disruption.
There is also a regulatory impact and risk that needs to be factored in. For example, tougher cyber crime laws in response to geopolitical events - such as those in President Joe Biden’s cyber security Executive Order last year - now prevent organisations in some government and critical infrastructure sectors from paying cyber attack ransoms.
While legal has this increasingly pivotal role to play in managing cyber risk, that must be as part of a multidisciplinary approach across the organisation with clear and documented roles and responsibilities. Effective cyber breach response, for example, requires close collaboration between legal teams, IT and the wider business.
The reality for many in-house legal teams is that there will be some gaps in cyber and data expertise and resources either locally or internationally. Understand what skills are needed and bring in external support to help plug those gaps and create a coherent cyber incident response strategy. However, it’s important to ensure those partners are onboarded proactively, not during the middle of a crisis when you have 72 hours to respond to the regulator.