Awareness of, and reaction to, cyber threats are growing. Cyber security is increasingly a board issue, and regulators increasingly expect to see strong governance in relation to it.
Companies are grappling with what this means in practice, according to a straw poll of in-house lawyers this week. Two thirds would not feel confident explaining the split between legal and technical responsibilities for handling a hack, and do not know their role in their company's data crisis response plan. Around half do not have, or do not know if they have, a Chief Information Security Officer to turn to in their organisation.
Data protection is a key area of cyber risk, especially because the new European General Data Protection Regulation (GDPR) imposes much stricter requirements regarding how companies treat individuals' data - including new breach notification requirements. Getting it wrong (or failing to act) could expose you to significant fines - up to 4% of worldwide annual turnover for the worst data privacy failings.
As the saying goes: “in time of peace, prepare for war”. A checklist for in-house counsel includes:
· cyber governance;
· cyber strategy and policies;
· an incident response plan and playbook;
· investigations procedures and resources to deploy when needed;
· readiness to deal with the regulators;
· knowing your contractual rights and obligations; and
· plans to deal with litigation when the need arises.