2020 has been a year like no other. While it is fairly certain the world will successfully ride out the pandemic, it is also clear that the ‘past normal’ is behind us, and we need a new playbook. International general counsel shared their views with us on the changing role of in-house legal teams.
Veta T Richardson: Companies need CLOs for cybersecurity oversight
President Xi Jinping has long emphasized the importance of cybersecurity in the rapidly growing, and digitizing, Chinese economy. The Cybersecurity Law of the People’s Republic of China (often referred to as the China Internet Security Law) came into force on 1 June 2017 and set out clear requirements for the collection, use and protection of personal information.
A series of new measures followed. On 27 April 2020, the Cyberspace Administration of China and 11 other government agencies jointly issued the Measures on Cybersecurity Review, which subject the procurement of network products and services by operators of critical information infrastructure to a national security review, with the stated aim of enhancing the safety and security of Chinese citizens and businesses online.
But despite all these measures, China is not immune from large and small-scale hacking breaches, and other illegal cybersecurity attacks. As recently as March this year, the Ministry of Industry and Information Technology ordered Weibo to enhance its data security measures to better protect personal information, following allegations circulated on the Weibo platform that millions of users’ personal data (including phone numbers and addresses) was for sale on the “dark web”.
While Weibo has been keen to make clear that hackers did not breach any user accounts, it is nevertheless a salutary tale of the increasing danger of cybersecurity breaches, even on social media platforms with advanced security features.
The evidence goes beyond Weibo, though. For the first time, the Allianz Risk Barometer found that cyber incidents ranked as the most important global business risk. Some 35% of Asia-Pacific risk management executives agreed.
With the threat of data breaches to both bottom line and reputation, it seems that business leaders worldwide are taking the challenge seriously. More and more, they are entrusting these matters to their chief legal officer (CLO).
The Association of Corporate Counsel (ACC) Foundation’s 2020 State of Cybersecurity Report, released just last month, found that 71% of respondents placed their CLOs in either a leadership role or as part of a team with cybersecurity responsibilities. In fact, considering what is at stake, and all the variables including regulations, legal issues, technical considerations and risk implications, no one is better suited to lead these efforts than the CLO and the legal department. In roughly one in six companies (17%), the CLO directly controls both the cyber and privacy functions.
The Cybersecurity Report, which covered 586 companies across 36 countries and 20 industries, helps put the threat into perspective. Forty percent of organizations surveyed say they experienced at least one data breach, and an average of 24 cyber incidents, in the past year. Additionally, employee cybersecurity training is increasing, and 36% of legal departments will increase their legal spend as a result of their cybersecurity approach (up from 33.8% in 2018).
The hands-on role of legal in cybersecurity is nothing new. ACC’s 2020 Chief Legal Officer Survey, for instance, found that: more than 75% of general counsel and CLOs run compliance; 36.4% run risk; and cybersecurity, risk and compliance were the three most common subjects that boards asked GCs about.
What’s encouraging about the Cybersecurity Report finding is that increasing legal participation in cybersecurity is shifting cybersecurity away from strictly compliance-based policies and toward holistic, risk-based strategies.
Traditionally, cybersecurity has been the domain of IT, not legal. On the surface, this makes sense: IT deals with more technical aspects of this threat, and the quantitative approach that characterizes IT fits well into a compliance-based cybersecurity strategy – boxes to check, requirements to meet.
This approach worked well in an age when cybersecurity risks were a low priority for companies, in the era before big data. Today, digital data make up the DNA of business in any sector, or any country. Data breaches have evolved from being minor annoyances to major disruptions in a national or regional economy, as the above-mentioned Allianz study, and the experiences of countless corporations and countries, have found.
An in-house lawyer’s approach to cybersecurity is quite different. This approach is qualitative, with an eye on risk and an understanding of the laws and regulations that govern IT. All of a company’s stakeholders depend on its cyber safety, from customers to boards to employees. All of them look to the CLO for guidance in matters of risk, reputation and regulation. The more complicated the regulatory regime or vendor-client ecosystem, the more IT becomes a legal matter.
Additionally, when data breaches happen, it frequently falls on legal teams to address and mitigate the damage. The CLO sits at the hub of every function affected by a data breach. The ensuing legal compliance issues and possible litigation are obviously a legal function, but reputational and branding matters are also the responsibility of the CLO, and often risk management is too. It falls on the CLO to co-ordinate those various functions in a single strategy: containing damage across departments, reassuring stakeholders, and ensuring compliance with court orders and with data privacy regulations such as the General Data Protection Regulation (GDPR), whose 72-hour breach notification deadline leaves no room for improvisation.
In their role as advisers-in-chief, GCs have to guide the board and the C-suite through the fallout of a breach, which can have a serious impact on stakeholders at every level, as well as on the business’ bottom line.
The IT department is typically not designed to handle a range of tasks that span the entire organization, and to entrust them to any department beyond legal is courting disaster.
The sobering fact is that no cybersecurity program is foolproof. Cybersecurity programs exist to fend off disasters. A data breach can literally ruin a company (especially small to medium-sized businesses); it can ruin the lives of ordinary people who had entrusted their data to a company or institution.
More and more companies are realizing that staying true to their stakeholders and maintaining their bottom line are two problems with the same solution: a robust, agile legal team with a direct line to the C-suite and a broad, cross-function remit. Keep legal involved in cyber and you are already a step ahead of potential hackers.
Veta T Richardson is president and CEO of the Association of Corporate Counsel (ACC), a global legal association with more than 45,000 members in 85 countries employed by over 10,000 organizations.
Olivia Khor: Out-of-the-box thinking
Q1. How is the lockdown in Malaysia? What are the major legal issues you are facing right now?
At present, Malaysia is placed under the Recovery Movement Control Order (RMCO), which is slated to end on 31 December 2020. Thereafter, the government will analyse data on the Covid-19 spread before deciding on the status of the RMCO.