10 Jun 2021

Key Cybersecurity Risk Management Considerations When Building a Corporate Legal Department

By: Chad Perlov

Businesses around the world are fighting a common battle against an exponentially growing wave of cybersecurity threats. In fact, 87% of organizations have already experienced an attempted exploit of an existing vulnerability, according to a recent Check Point Research security report. This battle only intensified in 2020, with Law360® Pulse reporting that 41% of business owners experienced an increase in cyberattacks since the start of the COVID-19 pandemic.

Even as attacks have risen, an IDG Research Services survey found that nearly 78% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks, despite increased investments made in 2020 to deal with distributed IT and work-from-home challenges.

Given the increase in cybersecurity threats and the profound financial, legal and reputational harm a company may suffer due to a data breach, it is critical for in-house counsel to prioritize cybersecurity risk management as one of the first areas to address when building out a legal department. Below is a non-exhaustive list of key steps attorneys should consider when developing a cybersecurity risk management strategy.

1. Cybersecurity Program

The first step companies typically take to minimize risk is developing a company-wide program for protecting the security and privacy of information received or generated by the corporation and/or stored in company systems.

An attorney’s role in creating and advising on a cybersecurity program is far more involved than merely drafting policies and procedures for maintaining and securing the corporation’s confidential materials and non-public personal information. You should be prepared to advise on a wide range of technical, administrative and regulatory matters including:

Resources such as a cybersecurity resilience implementation plan offer a good starting point for understanding the underlying issues companies must address in order to implement an effective, yet practical, cybersecurity program.

2. Cybersecurity Insurance

Companies are increasingly relying on cybersecurity insurance as a critical tool for mitigating the financial risk associated with the failure of any administrative, technical or physical cybersecurity control measures. The corporate specialty division of German insurer Allianz recently reported a 950% increase in cyber-insurance claims from 2016 to 2019, and an even greater acceleration last year with the shift to remote working, according to the Law360® service. The average cost to a business of a cyberattack last year soared to $13 million.

Before purchasing cybersecurity insurance, you should carefully assess the type and scope of coverage needed to address your company’s risk profile by, for example:

  • Researching the possible damages and costs your company might suffer due to a data breach
  • Tailoring the policy coverage to your company’s specific business needs
  • Determining the extent to which your company should rely on the insurer’s risk mitigation resources when addressing a data breach (e.g., forensic analysis, public relations, identity theft and credit monitoring)

3. Ransomware Response

Ransomware attacks have become a prevalent cybersecurity threat that poses significant legal and financial risks to organizations. On average, a new organization becomes a victim of ransomware every 10 seconds worldwide, according to an InfoSecurity® Magazine analysis. Without a thoughtful ransomware prevention and response plan, a company risks being doubly harmed: first by the attack itself and then by the litigation and regulatory consequences that may follow.

Common examples of how corporate legal departments can play an active role in establishing and managing a ransomware framework include:

  • Drafting ransomware policies and procedures
  • Conducting ongoing training on preventing and responding to ransomware attacks
  • Advising on the use of third-party technology to help detect and defend against attacks
  • Implementing business continuity processes to minimize the risk of disruption

4. Cloud Hosting

A 2021 report in SecurityBrief found that more than 8 in 10 businesses are worried that their existing security tools don’t work at all—or have only limited functions—in the cloud, which explains why cloud security is a major concern at 75% of enterprises. Many companies have responded to these concerns by seeking to offload much of the risk and responsibility for cloud computing by outsourcing to third-party cloud vendors.

However, corporate legal professionals should be mindful of key data protection issues that companies typically address in their cloud computing contracts including, for example:

  • The extent to which the cloud provider can access and/or use the company’s data
  • Determining the cloud service provider’s authentication and access controls
  • Whether the cloud service provider may subcontract its obligations to third parties
  • The cloud service provider’s data retention and disposal policies
  • Whether the cloud service provider is deploying appropriate disaster recovery and business continuity measures
  • Limiting data transfers and processing to specific equipment, locations or territories

5. Compliance Preparedness

A complex web of laws such as HIPAA, the Patriot Act and the General Data Protection Regulation (GDPR) has forced in-house counsel to prioritize cybersecurity compliance—and now a new generation of compliance requirements imposed by various states is coming online.

The most daunting of these is the California Privacy Rights Act (CPRA), which was the subject of a recent LexisNexis® webinar for in-house counsel. These increased regulatory requirements are especially burdensome for direct-to-consumer businesses. “Protecting our customers’ data is a top priority for us,” said Jill Savage, general counsel at subscription box company Misfits Market, in an interview with Law360. “But complying with the growing patchwork of state laws really does present a continued challenge for GCs of consumer-facing companies.”

Additional cybersecurity risk management resources, including practice notes, templates and checklists, are available to LexisNexis subscribers. To access these resources, start a Lexis+ free trial today.