General counsel (GC) are increasingly involved in handling cyber security issues at board level, reflecting a more comprehensive shift towards effective risk management, research from Legal Business and PwC has revealed.
In a survey of corporate attitudes to cyber security risk this autumn, which garnered more than 800 responses from a broad mix of senior corporate managers, owners, legal and IT, nearly half (46%) of all GC respondents said they had delivered advice to the board on cyber and data security matters in the last year. Thirty five percent of GC respondents said this occurs on a quarterly basis.
Sixty five percent of respondents have an incident response plan for cyber attacks, of which 40% require legal to be involved at an early stage. Meanwhile, 68% of the GCs responding said that the legal department has assessed the extent to which the security of business operations is reliant on the services and operations provided by third parties.
However, on day-to-day threat assessment and management, the involvement of the in-house legal team is still minimal. Just 32% of respondents have a security risk register that is reviewed by the legal team, while only 33% of respondents said their legal teams were involved in the design of policies, procedures and processes for the assessment of security in the supplier base. Worse still, only 16% of legal teams are heavily involved in the drafting and review of security and contractual framework policies.
That said, GCs interviewed reported that cyber security has continued to move up the agenda and they would now play a more substantive role in the management of cyber risk issues. However, with only a fifth (21%) of respondents saying that their external legal advisers are very capable of handling a serious cyber security incident, the onus is on law firms to provide added value in this area.
‘I think in 2015, we will be talking about cyber security frequently,’ said Derek Walsh, group GC at RSA. ‘What we care about is what will be the interpretation of the rules and law firms can be very slow at doing that. I would suggest that lawyers get on the front foot with offering practical advice rather than repeating what the rules state because we can read those ourselves.’
For more on the survey, see ‘Insight report on cyber security – Anatomy of a breach‘