General Counsels’ Role in Maintaining Cybersecurity: Three Critical Steps

21 Feb 2019

While crises of one form or another have always plagued companies, the intensity and regularity of cybersecurity attacks have surged, with 86 percent of the executives surveyed for one study reporting that they’ve encountered a cyber incident or data theft, loss, or attack in the past year.

Given that statistic, it’s no wonder that cyberattacks were cited as the number one company-crisis concern of the senior executives surveyed for a global 2018 Crisis Management Benchmarking Report prepared by Morrison & Foerster and Ethisphere, with one out of five executives reporting that they feel unprepared for this type of crisis. And there’s no doubt that a company’s general counsel is one of the executives chiefly responsible for maintaining a company’s cybersecurity as well as its preparedness for a cybersecurity attack.

“These attacks used to be considered the domain of the technologists, but now people understand there’s no technical fix and we need a culture of compliance where security is everyone’s responsibility,” says John Carlin, chair of Morrison & Foerster’s Global Risk and Crisis Management Practice Group and co-chair of the National Security Practice Group.

Here’s how GCs can help their companies to foster that culture and fulfill their own cybersecurity responsibilities.

1.  Know the Relevant Law

Responsibility for your company’s cyberattack prevention and preparedness “doesn’t mean you have to be an expert in cybersecurity” or take cyber courses, says Zoë Newman, a managing director of the business intelligence and investigations practice at the corporate investigations and risk consulting company Kroll. “Just like you don’t have to be an accounting expert to manage fraud risks. But you should be fluent in the kinds of cyber risks that your company faces, including the relevant law and regulations. Like fraud, cybersecurity should be part of an enterprise-wide risk assessment.”

So, while a general counsel’s responsibility for her company’s cybersecurity likely wouldn’t require her to head back to school, “the GC needs to have enough education to be able to understand what the risks are—to ask the right questions of the chief technology officer,” says Newman. “That means the GC needs to be spending as much time with the IT team as they do with the CFO, the head of sales, or the CEO.”

And companies with limited in-house legal and IT resources should enlist the help of outside counsel and tech consultants who specialize in cybersecurity.

That leads us to the next critical cybersecurity responsibility that falls within the purview of most companies’ GCs: assembling a dream team.

2.  Have a Written Plan and Assemble a Dream Team To Execute It

Not surprisingly, when the executives who participated in MoFo’s global 2018 Crisis Management Benchmarking Report were asked which crises they had written plans for, cyber breaches were cited the most often (67%).

To help ensure the adequacy of such a documented crisis response plan, make sure it includes clearly articulated steps for addressing as many eventualities as you can imagine, according to Todd Cioni, Vice President and Chief Ethics Officer at CareFirst.

Cioni also suggests that response plans:

  • Be over-documented, since the pressure involved in a real crisis likely will be even greater than you imagine;
  • Take into account the speed of the documented response, since a crisis can grow or be contained within hours; and
  • Address how the company's executives are going to reach people if company systems—or facilities—are inaccessible. What out-of-band communication options (channels that do not depend on the affected systems) do you have?

Cyberattack response plans must also list and assign specific responsibilities to “all key members of the company,” Carlin says. They must also list and assign specific roles to consultants outside the company whose assistance will be critical. According to Carlin, that list must include outside counsel, a crisis public relations firm, and “other vendors, either to surge resources to address customer response or to respond to a potential DDoS [distributed denial-of-service] attack.”

“You can compare this with a football game,” says Christopher Martin, Associate General Counsel at The Boston Consulting Group. “What makes a good GC is an ability to field the best possible team for the 90 minutes.”

3.  Conduct Drills

Frequently conducting table-top exercises, or “drills,” is critical to cyber breach preparedness, experts say.

Monzo Bank, for example, regularly stress tests its cybersecurity defenses, according to Dean Nash, the digital bank’s Chief Risk Officer. Sometimes that means paying “hackers” (authorized penetration testers) to attempt to break into its computer systems.

“We try to make these crises everyday occurrences,” says Nash. “There’s constantly some stress scenario going on. It’s important to create an environment where it is common and casual to deal with crises rather than rare and stressful.”

The point of these exercises is to see whether the in-house and outside members of the company’s crisis management team respond quickly and efficiently to the simulated attack. The drills also help a company’s stakeholders to evaluate the effectiveness of their risk management procedures and training.

Christine Wong, a partner in Morrison & Foerster’s Investigations and White Collar Defense practice, says the drills she participated in back when she served as the head of compliance at a major multinational company served yet another purpose: They provided an opportunity to build connections.

“Design them so people across the business have a chance to talk and get to know each other. That makes it more likely that in the thick of a crisis, information will flow the way it is designed,” Wong says.

And make sure your company’s drills evolve in tandem with technology.

“You cannot drill and then put your plan on a shelf,” Carlin says.

Executed correctly, cybersecurity-breach drills go hand in hand with confidence in the company’s cyber resilience, according to the executives who responded to MoFo’s 2018 Crisis Management Benchmarking Report. Nearly two-thirds (64 percent) of the executives who reported being “very confident” in their crisis management plans conducted drills on key risk areas at least once a year.

To learn more about increasing confidence in your company’s ability to manage all types of risk, read Morrison & Foerster’s global 2018 Crisis Management Benchmarking Report.

Is Your Role Being Redefined?

In our digital age, the likelihood of your company being hit by a crisis is higher than ever. These days, companies’ GCs need to be ready to right the ship and steer the company to safety. Are you prepared?

This post is part of a thought leadership series, “The GC {Re}Defined,” which explores how technology is reshaping the role of the GC.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.