2020 has been a year like no other. While it is fairly certain the world will successfully ride out the pandemic, it is also clear that the ‘past normal’ is behind us, and we need a new playbook. International general counsel shared their views with us on the changing role of in-house legal teams.

Veta T Richardson: Companies need CLOs for cybersecurity oversight


President Xi Jinping has long emphasized the importance of cybersecurity in the rapidly growing, and digitizing, Chinese economy. The China Internet Security Law came into force on 1 June 2017, and provided clear requirements for the collection, use and protection of personal information.

A series of new measures followed. On 27 April 2020, the Chinese Cyberspace Administration and 11 other government agencies jointly announced the Measures on Cybersecurity Review to enhance the safety and security of Chinese citizens and businesses online.

But despite all these measures, China is not immune from large and small-scale hacking breaches, and other illegal cybersecurity attacks. As recently as March this year, the Ministry of Industry and Information Technology ordered Weibo to enhance its data security measures to better protect personal information, following allegations circulated on the Weibo platform that millions of users’ personal data (including phone numbers and addresses) was for sale on the “dark web”.

While Weibo has been keen to make clear that hackers did not breach any user accounts, it is nevertheless a salutary tale of the increasing danger of cybersecurity breaches, even on social media platforms with advanced security features.

The evidence goes beyond Weibo, though. For the first time, the Allianz Risk Barometer found that cyber incidents ranked as the most important global legal threat. Some 35% of Asia-Pacific risk management executives agreed.

With the threat of data breaches to both bottom line and reputation, it seems that business leaders worldwide are taking the challenge seriously. More and more, they are entrusting these matters to their chief legal officer (CLO).

The Association of Corporate Counsel (ACC) Foundation’s 2020 State of Cybersecurity Report, released just last month, found that 71% of respondents placed their CLOs in either a leadership role or as part of a team with cybersecurity responsibilities. In fact, considering what is at stake, and all the variables including regulations, legal issues, technical considerations and risk implications, no one is better suited to lead these efforts than the CLO and the legal department. In about one in five companies (17%), the CLO directly controls both the cyber and privacy functions.

The Cybersecurity Report, which covered 586 companies across 36 countries and 20 industries, helps put the threat into perspective. Forty percent of organizations surveyed say they experienced at least one data breach, and an average of 24 cyber incidents, in the past year. Additionally, employee cybersecurity training is increasing, and 36% of legal departments will increase their legal spend as a result of their cybersecurity approach (up from 33.8% in 2018).

The hands-on role of legal in cybersecurity is nothing new. ACC’s 2020 Chief Legal Officer Survey, for instance, found that: more than 75% of general counsel and CLOs run compliance; 36.4% run risk; and cybersecurity, risk and compliance were the three most common subjects that boards asked GCs about.

What’s encouraging about the Cybersecurity Report finding is that increasing legal participation in cybersecurity is shifting cybersecurity away from strictly compliance-based policies and toward holistic, risk-based strategies.

Traditionally, cybersecurity has been the domain of IT, not legal. On the surface, this makes sense: IT deals with more technical aspects of this threat, and the quantitative approach that characterizes IT fits well into a compliance-based cybersecurity strategy – boxes to check, requirements to meet.

This approach worked well in an age when cybersecurity risks were a low priority for companies, in the era before big data. Today, digital data make up the DNA of business in any sector, or any country. Data breaches have evolved from being minor annoyances to major disruptions in a national or regional economy, as the above-mentioned Allianz study, and the experiences of countless corporations and countries, have found.

An in-house lawyer’s approach to cybersecurity is quite different. This approach is qualitative, with an eye on risk and an understanding of the laws and regulations that govern IT. All of a company’s stakeholders depend on its cyber safety, from customers to boards to employees. All of them look to the CLO for guidance in matters of risk, reputation and regulation. The more complicated the regulatory regime or vendor-client ecosystem, the more IT becomes a legal matter.

Additionally, when data breaches happen, it frequently falls on legal teams to address and mitigate the damage. The CLO sits at the hub of every function affected by a data breach. The ensuing legal compliance issues and possible litigation are obviously a legal function, but reputational and branding matters are also the responsibility of the CLO, and often risk. It falls on the CLO to co-ordinate those various functions in a single strategy, containing damage across departments, reassuring stakeholders, and ensuring compliance with the courts or data privacy regulations like the General Data Protection Regulation (GDPR).

In their role as advisers-in-chief, GCs have to guide the board and the C-suite through the fallout of a breach, which can have a serious impact on stakeholders at every level, as well as on the business’ bottom line.

The IT department is typically not designed to handle a range of tasks that span the entire organization, and to entrust them to any department beyond legal is courting disaster.

The sobering fact is that no cybersecurity program is foolproof. Cybersecurity programs exist to fend off disasters. A data breach can literally ruin a company (especially small to medium-sized businesses); it can ruin the lives of ordinary people who had entrusted their data to a company or institution.

More and more companies are realizing that staying true to their stakeholders and maintaining their bottom line are two problems with the same solution: a robust, agile legal team with a direct line to the C-suite and a broad, cross-function remit. Keep legal involved in cyber and you are already a step ahead of potential hackers.

Veta T Richardson is president and CEO of the Association of Corporate Counsel (ACC), a global legal association with more than 45,000 members in 85 countries employed by over 10,000 organizations.

Olivia Khor: Out-of-the-box thinking


Q1. How is the lockdown in Malaysia? What are the major legal issues you are facing right now?

At present, Malaysia is currently placed under the Recovery Movement Control Order (RMCO), which is slated to end on 31 December 2020. Thereafter, the government will analyse data on the covid-19 spread before deciding on the status of the RMCO.

Therefore, it is paramount for in-house counsel to actively engage with the various business functions to assist them in renegotiations, or in pre-empting any potential legal ramifications.

Here are some questions that organizations may have on potential legal issues that may impact them:

  • Can they rely on force majeure clauses, or can they simply terminate the contract for convenience by giving due notice under the contract?
  • Do they need to go through certain approval processes to get an extension of time from their client?
  • Are there any liquidated ascertained damages (LAD) clauses that they need to renegotiate and vary?
  • Can they negotiate for a longer subscription period of certain services that were not utilized during the lockdown?
  • Do they need to pay the difference if the client has engaged a third party to finish the work they couldn’t finish due to the lockdown?
  • Can they defer the start date of new joiners in employment contracts?

Q2. What can in-house counsel do to mitigate the impact of coronavirus on their business?

In-house counsel can step up to provide out-of-the-box ideas and recommendations to various business functions, so that their contractual rights can be exercised or stretched. Managing relationships with external parties (either clients or vendors) is very important in times like these to avert unnecessary legal claims.

In addition, organizations should start thinking about how to further automate or digitize processes to facilitate business. For example, adopting electronic signatures to ease contracting, and using technology to conduct virtual meetings, negotiations, training and conferences. With the increasing use of technology, organizations need to ensure that they have adequate and up-to-date cybersecurity safeguards to protect their digital infrastructure.

Generally, to survive the pandemic, both employees and business owners must be agile, willing to change, quick to identify opportunities in the midst of a crisis, and be accommodating towards business needs. Building trust among their key stakeholders is a critical enabler in helping organizations to adapt to these changes smoothly.

Q3. What should in-house legal teams be doing now to prepare for the next big disruptive event?

I think we should start thinking about how to further automate certain processes to make it easier for the business to deal with legal issues. For example, having more internally legal FAQs published in a database available to the masses, or exploring ways for contract consultations to be semi-automated. We can build in legal explanations and implications to each of the contract clauses in a standard contract template.

Also, I think embracing technology is very important. Virtual meetings are now a norm, and in-house counsel should embrace that, and support the business in various negotiations, even via virtual meetings. I actually had such a negotiation with the other side’s counsel. Normally meeting each other is very difficult, but during the lockdown period, when we had this virtual meeting, we became nicer to each other, and we actually managed to close the contract immediately.

Arlene Lapuz-Ureta: Digitalisation in a post-covid era


Q1. What are the major legal issues and challenges companies will encounter as they come out of lockdown, and countries slowly open up?

The legal issue that arose in view of this pandemic, first and foremost, is that we have an existing law [in the Philippines] that provides for compliance with occupational safety and health standards. So, the first challenge there for the employers, who are opening their businesses, is to provide the safe workplace that the law requires.

And since this law grants the worker the right of refusal to work if there is an imminent, dangerous situation in the workplace, such as, for instance, an employee being infected, these are matters that need to be seriously addressed in the Philippines by employers.

Secondly, of course, they know that under this law [employers] have to harmonize the rights granted to the worker with all kinds of hazards in the workplace, meaning they have the right to know if an employee was found positive for covid-19.

And this right conflicts with our data privacy law in the Philippines, which considers medical information relating to the health of an employee as sensitive personal information, the processing of which is prohibited. So now data privacy issues have cropped up, and these need to be addressed by in-house counsel, especially where there is also a mandate to adopt data protection measures pursuant to the law.

Given the pandemic, most employees are now working from home. Our National Privacy Commission, in fact, issued recent guidelines on general security measures that the organizations and individual employees working at home should be taking, not only during a pandemic, but also whenever there is a telecommuting arrangement implemented.

One last major item is that we encountered problems on authorization and execution of documents.

And one initiative that I actually made through our organization, the University of the Philippines Women Lawyers’ Circle, is to write and propose that our Supreme Court adopt electronic notarial rules. This was favourably acted upon and right now a sub-committee has been organized by our Supreme Court to study this.

Q2. What should in-house legal teams be doing now to prepare for the next big disruptive event?

There are a lot of initiatives that in-house counsel can take to ensure that we are prepared for future disruptive events.

First of all, in order not to be caught off guard in the future, it is imperative that in-house counsel use technology to help them in the legal work that still needs to be done, even during the covid-19 pandemic.

In the Philippines, not all legal counsel are provided with laptops, especially the smaller companies, and not even free access to their e-mails in their homes. In fact, some companies prohibit bringing their company-issued laptops home because of security issues.

Secondly, in-house counsel must now have all contracts and all legal documents digitally stored, and ensure that they can be accessed immediately so that there will be no need to go to the head office, in case there’s a need to access such important and vital documents.

Dessi Berhane Silassie: Prepare for the next transition


Q1. What are the major legal issues and challenges companies will encounter as they come out of lockdown, and countries slowly open up?

We are an information service and technology company, so our comfort space is in deep technology. But we’ve seen an acceleration of that movement as a result of covid-19. What we’re doing now is really engaging with our customers who are on that accelerated timeline, to help them get on board for the financial service institutions that we service.

For example, information security has been critical for several years, for lots of different reasons. But now they’re being forced into a new way of working without that readiness, that time to prepare, as critical institutions within our ecosystem present systemic risk. It’s important that, as a service provider, we provide them with that support.

I think I’m very lucky to be in Singapore. It’s been pursuing a digital strategy for over a decade. So, from a personal and work-from-home perspective, the transition to working from an office to the home was a very smooth one. And I think Singapore’s infrastructure lends itself very easily. It’s also a smaller country, and much more able to act with agility.

If I’m honest with you, I know it feels like a lifetime, but we’ve actually only been in this position for the past three to four months, if you ignore the beginning of the pandemic in January, when we all were still figuring out what were going to be the implications. And so, coming out to a new normal, for me – it is not all that clear what that new normal really means. I still think most people will be speculating as to the duration, and as to what will indeed remain a permanent impact, versus an emergency state or a transitional way of working.

So that’s what I’m really watching closely. And from our crisis management team perspective, really what we’re thinking about is how to prepare ourselves for the next six months, as well as 12, 24 and a much longer-term period. I think it’s that level of planning that we’ll need to embark on.

Q2. What should in-house legal teams be doing now to prepare for the next big disruptive event?

For me, this is not a question for in-house legal teams in isolation. This is what our businesses are thinking about right now. At the beginning of this pandemic, they were forced to look at their scenario analysis with less data than what they have today. So, they will be revisiting those scenario analyses and trying to understand what the next six, 12, 18, 24 months look like. And that’s what we should be doing.

I don’t know if it’s necessarily preparing for the next disruptive event. I think that we’re preparing for the next disruptive chapter of the current event, which, if you believe some research, is going to look like an accordion of lockdown and non-lockdown measures. So, what does that look like? What does the most likely business scenario analysis for your company, for your organization, look like? Seek to understand it with your businesses, and then understand what the legal, regulatory risk and compliance implications will be from an in-house perspective, so that you can correspondingly prepare for the response. I think there is a lot to be learned from the way that we behaved and responded in the preceding six months.

That data now needs to be reviewed. Now is the right time for us to look back, see what worked, what didn’t work. Tighten up our tool kits, our policies around that period, to ensure that it is ready to be tested again and again and again for future disruption, whether it’s covid-19-related or otherwise.