Company chief legal officer’s (CLO) roles and responsibilities are expanding with growth seen in cybersecurity strategy and oversight, says a report released by the Association of Corporate Counsel (ACC) Foundation.
The ACC Foundation, in collaboration with Ernst & Young, released the “2022 State of Cybersecurity Report, An In-house Perspective”. The data in the report represents 265 companies across 17 industries and 24 countries, providing a comprehensive understanding of how legal departments of different sizes engage in cybersecurity matters.
Tanya Khan, the ACC’s vice president and managing director of Australia and Asia-Pacific, told Asia Business Law Journal that cybersecurity strategy and oversight is unquestionably one area which has seen the largest growth in a CLO’s responsibilities.
“Between the ever-increasing frequency of attacks and substantial financial and reputational risk to the organisation’s operations and brand, this comes as no surprise,” said Khan.
“CLOs bring a unique combination of legal training, strategic thinking and risk analysis to the table to best help prevent and, if need be, react to cybersecurity situations. This report is the latest evidence that businesses increasingly recognise the CLO’s strengths in this area and are adjusting their approach accordingly.”
The report covers a broad range of cybersecurity activities, including the legal department’s role, policies and practices, risk management, and breach and incident response. In general, it shows that:
- 84% of companies now give the CLO a key role in the organisation’s cybersecurity strategy;
- 20% more companies now require annual cybersecurity training for all employees compared with 2020;
- 31% of legal departments say they are regularly involved in their company’s third-party risk management;
- 38% of legal departments say they are spending more as a result of their approach to cyber, compared to a year ago; and
- Damage to reputation, liability to data subjects and business continuity are the top three areas of concern resulting from a data breach.