Awareness of, and reaction to, cyber threats are growing. Cyber security is increasingly a board issue, and regulators increasingly expect to see strong governance in relation to it.

Companies are grappling with what this means in practice, according to a straw poll of in-house lawyers this week. Two thirds would not feel confident explaining the split between legal and technical responsibilities for handling a hack, and do not know their role in their company's data crisis response plan. Around half do not have, or do not know if they have, a Chief Information Security Officer to turn to in their organisation.

Data protection is a key area of cyber risk, especially because the new European General Data Protection Regulation (GDPR) imposes much stricter requirements on how companies treat individuals’ data, including new breach notification requirements. Getting it wrong, or failing to act, could expose you to significant fines: up to 4% of worldwide annual turnover for the worst data privacy failings.

As the saying goes: “in time of peace, prepare for war”. A checklist for in-house counsel includes:

· cyber governance;

· cyber strategy and policies;

· an incident response plan and playbook;

· investigations procedures and resources to deploy when needed;

· readiness to deal with the regulators;

· knowing your contractual rights and obligations; and

· plans to deal with litigation when the need arises.