The ACC Foundation: State of Cybersecurity Report 2018, a study of more than 600 in-house counsel internationally published by the Association of Corporate Counsel (ACC) Foundation, reported, among other findings, that two-thirds of counsel expect their roles in bolstering cybersecurity to increase, compared with 55 per cent of counsel in 2015.
Such a presumption is likely due, the ACC wrote, to the fact that data breaches have become ubiquitous.
“Cybercrime is widespread, aggressive, growing and increasingly sophisticated, and it poses major implications for national and economic security,” the ACC wrote.
According to the Identity Theft Resource Centre, there was a 45 per cent increase in data breaches in 2017 from 2016, with such breaches fast becoming a “new normal”.
“While cyberthreats and data breaches may be inevitable and unescapable, companies need to be proactive in mitigating threats and actual cyberattacks,” the report said.
“A growing number of companies view their general counsel as the ‘go-to’ person for handling compliance issues related to data breaches. And why not? Preventing, preparing and responding in real time is a chief concern for today’s general counsel and chief legal officers, who are increasingly called on to guide their organisations and aid in thwarting such attacks.”
The report also found that thirty-two per cent of respondents have worked or currently work in a company that has experienced a data breach, amplifying the need for in-house counsel to take a greater role in combating such attacks.
Correspondingly, there has been an increase — 35 per cent up from 27 per cent in 2015 — in corporate counsel who work for companies that proactively engage with law enforcement agencies to address cyber risks.
But while company budgets for cybersecurity are growing (respondents said, on average, that five per cent of company budgets are allocated to cyber issues, and 63 per cent say their company’s allocation has increased this past year), only six per cent of in-house counsel said they have high levels of confidence in their company’s protection processes.
56 per cent said they are somewhat confident, and 21 per cent are not at all confident in the levels of protection provided.
In response to the findings, respondents outlined numerous best practices and lessons to help mitigate cybersecurity risks and breaches.
“First, mandatory training is clearly an important component, including testing employee knowledge,” the report conveyed.
“Second, at the organisation level, a cyber response team with personnel from different departments is critical, with an emphasis on obtaining buy-in from all levels of management.”
“Third, cybersecurity insurance is an essential tool to cover any costs associated with a breach as well as access to experts who will be more knowledgeable about the latest regulations and able to provide tools to reduce possible exposure,” the report concluded.