July 18, 2024
GCs should coordinate closely with chief information security officers, boards, and business leaders to play a key role in challenging cybersecurity strategy, understanding cybersecurity capability, and supporting tactical uplifts to protect the strategic interests of the organization.
General counsel (GCs) are responsible for providing a critical lens into the consequence of poor cybersecurity. They provide a large part of the “so what?” when it comes to justifying cybersecurity investment. This includes mitigating the likelihood and impacts of regulatory sanction, as well as financial loss, reputational harm, personal liability for officers and directors, and other material impacts to an organization. To do this effectively, GCs should coordinate closely with chief information security officers (CISOs), boards, and business leaders to play a key role in challenging cybersecurity strategy, understanding cybersecurity capability, and supporting tactical uplifts to protect the strategic interests of the organization.
GCs also need to understand the risk management approach of their organization (sometimes considered the second line of defense) and the output from both compliance functions and audit (the third line of defense). This allows for critical challenge to the strategy laid out by the CISO and provides a 360-degree view of cybersecurity investment and maintenance within an organization.
Complying with all regulation involving cybersecurity is increasingly challenging, especially for global organizations that fall under the jurisdiction of several agencies, and it is likely that certain requirements will not be met. As a result, determining the organization’s risk appetite becomes critical, and this duty falls within the GC’s purview.
GCs should also play an important role as a driver of cybersecurity culture. They have relationships across the enterprise and should hold workshops with each business unit to discuss cyber risks and challenges, and to promote the importance of cybersecurity. Internal issues often intersect and overlap, and ultimately all tie back to cyber and legal risks.
Determining Risk Appetite
Organizations, especially multinational organizations, are often required to comply with numerous cybersecurity-related regulations. It is the role of the GC to determine the organization’s cyber risk appetite and select which regulation to focus on and which frameworks to implement. Doing so first requires identifying what level of risk the organization is comfortable accepting, understanding that taking on some risk is inevitable, as 100% compliance across all cybersecurity-related regulation is nearly impossible.
Identifying the appropriate tolerance for risk involves overcoming operational resilience challenges for leadership and management teams. This includes determining where there is alignment and where there are differences (e.g., principle-based versus rule-based approaches); stakeholder involvement; and influence strategies versus control strategies.
Cyber-risk appetite should also consider cyberthreats presented by third-party connections. Part of this assessment is driven by the CISO, e.g., deciding how to mitigate cyber risks from vendors, but the GC is responsible for defining the legal requirements the organization agrees to in advance of establishing a relationship with a third party, for example, determining who is liable in the event of a cybersecurity incident.
Possessing this collective information, GCs are positioned to decide how much cyber risk to assume, mitigate, and pass on, which then determines which regulation makes the most sense to comply with, helping remove a layer of complexity from the cyber-risk management process.
Promoting Collaboration Across the Enterprise
GCs, or their cybersecurity-focused team, should be meeting regularly with representatives across the organization to discuss cybersecurity challenges, threats and updates. This cross-organizational knowledge, guided by first-hand accounts of colleagues, should be used by GCs to promote cultural changes within the organization.
To establish consistent visibility, GCs should schedule a short, regular meeting with the CISO, and ensure participation from cybersecurity legal staff, aimed at discussing cybersecurity threat developments and potential regulatory ramifications. This regular meeting, combined with ongoing conversations with various business units across the organization, allows the GC to communicate important updates upward (e.g., to the board) and downward (e.g., to cybersecurity teams).
This process ensures critical information is accurately presented to all parties, regardless of level, creating efficient strategies to handle regulatory challenges and cyber-risk management practices. These relationships can be further defined and managed through table-top exercises that simulate real-world cybersecurity incidents. Instead of solely developing a cybersecurity incident response plan on paper, which is often a regulatory obligation, practicing this plan with a tangible example allows for gaps in the process to be identified, altered and corrected.
By stressing the importance of everyone’s role in mitigating cyberthreats and protecting against cyberattacks, from the C-suite to junior staff, GCs can reduce cyber risks and obtain the buy-in needed to implement cybersecurity enhancements, ultimately placing the organization in a better place to reach regulatory compliance.
Conclusion
The GC’s role within cybersecurity is expanding, and a recent development is the emergence of cybersecurity teams within the GC’s office. This highlights the critical role GCs play in managing the complexities of cybersecurity risk and regulation, and it helps GCs stay current with cybersecurity developments and their corresponding impacts.
The regulatory landscape can be daunting, with overlapping obligations and numerous agencies applying pressure to comply. But with a strategic policy focused on cybersecurity risk appetite and collaboration, GCs can lead the charge in streamlining efforts, implementing efficiencies, and building a cyber resilient organization.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
Reprinted with permission from the July 18 2024 edition of Legaltech News © 2024 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or asset-and-logo-licensing@alm.com.