You’re a general counsel, not an IT director, right? Well, sort of. The legal department has become the place where, to use a cliché, the buck stops when it comes to data leaks and cybersecurity in general. The problem is that most general counsel aren’t trained in the minutiae of how computer networks are put together, or what sort of defenses they have (or don’t have).
Take a deep breath. The people at the firm Morrison & Foerster have boiled down what GCs and other in-house lawyers need to know about maintaining cybersecurity into three steps. First, a couple of stats about why it’s important. In a recent survey, 86 percent of executives said they had dealt with a cyber incident, such as data theft, loss, or attack, in the past year. And, even worse, one in five felt they were unprepared for that kind of crisis.
“These attacks used to be considered the domain of the technologists, but now people understand there’s no technical fix and we need a culture of compliance where security is everyone’s responsibility,” says John Carlin, chair of MoFo’s global risk and crisis management group.
So, what are those three steps?
- Know the law. You don’t have to be an expert, says Zoë Newman of risk consultant Kroll. “But you should be fluent in the kinds of cyber risks that your company faces, including the relevant law and regulations. Like fraud, cybersecurity should be part of an enterprise-wide risk assessment.” Spend some time with the IT team, learn what they do, and ask them whether there are pain points to be addressed.
- Have a plan and a team to act on it. Make sure the plan lays out clear steps and responsibilities. Document everything, and then some. And have a communications tree ready: what kind of out-of-band access do execs have to reach one another and the crisis team if the usual channels are compromised or down?
- Conduct drills. Do them regularly; that way your crisis team and company management will regard dealing with a crisis as part of their job. Plus, it will build team cohesion.