Why General Counsels need to be at the head of the cybersecurity table – in planning and in crisis.
One of Shakespeare’s most famous quips comes from a Butcher in Henry VI: “The first thing we do, let’s kill all the lawyers.” But Shakespeare wrote this well before the digital age. When it comes to cybersecurity (not to mention ethics), killing off the lawyers is a bad idea.
Cybersecurity used to be an IT issue. Now, in partnership with the entire C-Suite, including the Chief Information Security Officer (CISO), the General Counsel must navigate the legal and regulatory landscape to ensure organizational cyber resiliency. Further, it is both a leading practice and a commercial imperative for the General Counsel to be involved not just in a cyber crisis but also in cyber preparedness planning.
General Counsel’s Cyber Role
The GC is accustomed to assessing and mitigating risk across the company, and cyber is one such enterprise risk. The top 10 GC cyber responsibilities include:
- Reviewing and remaining current on regulations and regulatory consequences
- Briefing the directors on their roles and fiduciary duties
- Reviewing and drafting third-party contracts to best manage risk
- Understanding and tracking the statutory notification requirements
- Understanding contractual obligations to keep information confidential in the event of a breach
- Reviewing and recommending cyber insurance coverage and policies
- Partnering with the rest of the C-Suite to craft a cyber incident response plan
- Exercising and updating the Incident Response (IR) Plan
- Meeting regularly with the CISO (and Chief Privacy Officer (CPO)) to talk about the organization’s data and how it’s protected
- Practicing personal and professional cyber hygiene – leading by example
GC is for Great Coordinator
Aside from providing sound legal counsel, the GC has to be particularly skilled at coordinating cyber efforts across the organization as well as with outside support teams. This is precisely why we advocate for the GC to be at the head of the table. Not only is the body of applicable regulation large and ever-changing, but the GC should also examine relevant policies and procedures to ensure that the company steers clear of any unnecessary or unintended risk.
As the lead coordinator, the GC must partner with internal stakeholders to ensure that the organization avoids any landmines. These stakeholders include the communications team, HR, internal audit, and of course the CISO and CPO. The GC and CISO should run practice scenarios both by department and as an organization. It is no longer a question of if an organization will be breached but rather when, so it behooves every company to plan and exercise for the inevitable, with the General Counsel at the helm to preserve privilege, ensure regulatory compliance, and protect the company overall.
During a crisis, the GC’s external coordination role expands significantly. Certainly, the GC should primarily manage any outside counsel engagements, but he or she should also be informed about and involved in any efforts related to PR, incident response services, shareholder communication, and more. GC involvement becomes particularly important during a breach that results in material losses, as well as during any incident that requires law enforcement involvement. It is imperative that the GC be connected to the entire process, from the planning phases through any major crisis. Cyber resilience requires being prepared to be legally compliant.
Speaking the Same Language
It might be hard to believe that CISOs and General Counsels could ever speak the same language, but in fact they do. Both leaders are focused on identifying and managing risk while finding ways to translate that risk into terms the other can understand. In some ways, they are two sides of the same coin: one protects the organization from the inside, the other from the outside. Both are keenly focused on safeguarding the company’s crown jewels, its most important data.
Each member of the C-Suite needs to know what data the company has, how it’s protected, and what the requirements and implications are should that data be breached. The General Counsel is the clear leader to protect the company from legal and regulatory challenges in the event of a cybersecurity incident. If you’re a GC and don’t think you’re up to cyber-speed, join us at our Cyber Resolve seminar in NYC on May 1. Prefer private training for you and your executive team or your board? Contact us. We’ll bring the education to you.