Philipp Rosenauer
Partner Legal, PwC Switzerland
As cyber threats evolve and the consequences of attacks become more damaging, General Counsel (GC) and in-house legal teams have an increasingly pivotal role to play in proactively managing and mitigating these risks. This includes everything from risk-assessing data breaches and reviewing contracts for cyber risk to understanding cyber insurance and managing regulators. The impact of destructive cyber attacks such as ransomware has elevated cyber risk up the boardroom agenda.
This cyber risk often ultimately becomes legal risk, and the serious financial, reputational and regulatory impact of attacks today requires legal teams to be able to clearly understand and articulate the legal and wider risks to the business and to drive the cyber strategy.
Front and centre of incident response
One of the most important roles for legal teams – and a reason why they should be engaged early on during planning – is in the heat of battle during cyber-incident response, where the immediate priority is to identify what has been damaged or lost and the impact. Understanding the legal impact in the short and longer term is an integral piece of the breach response strategy.
For GCs and Legal Departments this includes advising on any mandatory breach or data loss notifications, such as those under GDPR, to the appropriate supervisory authority, and ensuring they are done within the specified timeframe – in compliance with local and international laws and regulations. There may also be a requirement to notify data subjects – for example, customers and employees – directly if their personal information has been compromised by the attack and could lead to harm.
The cyber-insurance market is also changing in response to the ongoing ransomware threat. As the cost of ransomware attacks grows, premiums and exclusions are rising, and it is harder than ever to secure appropriate and affordable cover.
Legal can help assess these insurance policies to advise whether they sufficiently cover the business risks and are worth the premiums paid and, in the event of a cyber attack, assess whether the insurance policy covers a claim process to follow. Another option organisations are turning to is self-insurance – as primary cover, or to fill gaps in traditional policies – but this brings its own set of risks. Organisations must ensure they still have access to the key specialist services insurance cover would usually provide, such as incident response, forensics, legal, communications, crisis support and negotiators.
Data and the growing litigation risk
In 2022, reportable ransomware incidents are expected to increase, and ransomware groups are increasingly using so-called double extortion tactics with threats to disclose sensitive information while disrupting business operations. This increases the risk of litigation with affected individuals if their personal information is exposed.
Other litigation risks come from stakeholders and investors if the reputation and value of the organisation is damaged as a result of a cyber attack, particularly if the view is that the business did not do enough to prevent such an attack. And business or supply chain disruption could lead to breach of contract claims, for example in the event of delivery delays or failures.
Understanding the organisation’s data landscape is crucial to identifying and assessing these risks, looking at what type of personal data or other sensitive information your company holds, where it is collected and stored, which systems are most likely to be targeted and what impact it would have on the company if this data were lost or stolen. Armed with this information, the GC can support the business in managing these risks through appropriate systems and controls and start to create a defensible position in the event of a dispute.
Keeping ahead of geopolitical conflict
Geopolitical-related cyber-threat activity aligned with the strategic interests of certain countries is on the rise, and organisations can find themselves caught in the crossfire.
Legal has a key role to play in keeping up to date with these global geopolitical events and related cyber threats to identify the risk they pose. This includes assessing whether the organisation might become a target for attacks and whether there is a direct risk to operations in those countries in terms of potential data loss, business continuity and supply chain disruption.
There is also a regulatory impact and risk that needs to be factored in. For example, tougher cyber-crime laws in response to geopolitical events – such as those in President Joe Biden’s cyber-security Executive Order last year – now prevent organisations in some government and critical infrastructure sectors from paying cyber-attack ransoms.
Your PwC Joint Crisis Center
Crisis management: we help your business navigate through complexity and uncertainty
Breaking down silos
While Legal has this increasingly pivotal role to play in managing cyber risk, that must be as part of a multidisciplinary approach across the organisation, with clear and documented roles and responsibilities. Effective cyber-breach response, for example, requires close collaboration between legal teams, IT and the wider business.
The reality for many in-house legal teams is that there will be some gaps in cyber and data expertise and resources either locally or internationally. Understand what skills are needed and bring in external support to help plug those gaps and create a coherent cyber-incident response strategy. However, it’s important to ensure those partners are onboarded proactively, not during the middle of a crisis when you have 72 hours to respond to the regulator…
#social#
Contact us
