Why upskilling in cyber is non-negotiable for GCs
Cyber security has to be the “number one consideration” for legal teams. Without it, one general counsel says, nothing else the department works on matters.
Speaking recently on The Corporate Counsel Show, Accenture Security growth markets legal lead and global managed security lead Annie Haggar – who was a finalist for General Counsel of the Year at the 2020 Women in Law Awards – said that it is “absolutely right” to presume that, without effective cyber-security measures in place, a law department’s efforts on budget management, being a trusted business adviser and safeguarding the business against litigation won’t matter.
“If you think about the way that each business has to operate – and this will depend on the regulatory framework that each business operates in, the types of customers they have, the type of work that they do – if you aren’t trusted by your customers because you’ve had a cyberattack, you might as well not be in business,” she proclaimed.
“So, cyber needs to be the number one consideration for all legal counsel teams. They need to be thinking about how it’s touching each part of their organisation, they need to be working hand-in-hand with the people in their organisation who can help to drive change and improve things, because otherwise you’re going to find yourself facing potential customer lawsuits.”
For example, Ms Haggar noted, listed companies are seeing shareholder lawsuits coming up the pipeline against directors who have failed to put in place proper cyber-security measures.
“We’re seeing regulatory activity and then of course there’s the brand damage that happens when you have a major cyber-attack and records are lost. So, if you don’t focus on cybersecurity, you might as well not do any of your other work,” she surmised.
“It is the primary risk for businesses today, and the primary responsibility of the general counsel or the rest of the law department, to think about how to assess that risk and help to manage that risk with of course the help of the rest of the business.”
When asked if she thinks that Australian GCs and CLOs are doing enough to prioritise cyber security against the backdrop of all other urgent and competing interests for the law department, Ms Haggar acknowledged that it is “always a hard balance”.
“We know how much pressure GCs and CLOs are under to think about all the risks facing their business, but cyber is relatively new, it’s hard to upskill in it and also doing your day job at the same time, and I think that probably we are lagging behind a little. That might be because we have a lesser teacher culture out here and we’ve been less of the focus of major cyber-attacks,” she mused.
“Our colleagues who sit in Europe and North America probably feel this a little bit more because of the types of class action lawsuits and litigation action that happens over in those markets. But that doesn’t mean that it’s not applicable here, it doesn’t mean that we’re not going to need to focus here.”
Australia does suffer major attacks, she continued, and they are “impacting on our local business and the trust that our Australian and of course consumers and business partners have in the businesses operating here”.
“So, I think it’s really important that GCs and CLOs think about how they can up upskill in this area, think about the right partners that they can get to help them with that because outside counsel is a wonderful resource for that and if you think about where unique skill sets can be found you don’t have to develop them all yourself, you can put a good team around you to support you with these really critical issues and help you with that thinking,” Ms Haggar submitted.
The really interesting thing about cyber, she reflected, is that “it’s never the same thing twice”.
“The nature of the attack, the records that they’re after, the business that you run, all mean that the decisions you have to face as general counsel and as a business more generally when you’re facing cyber-attacks are different so you need tailored advice. And that means you need somebody who understands your business, understands the risks, and understands the cyber threat landscape to help coach you through and prepare you for these situations,” she explained.
As such, Ms Haggar stressed: “don’t try to do it alone”.
“There’s a wonderful community of cybersecurity lawyers working in private practice but also providers like Accenture who can come in and do consulting and do training to help organizations prepare. So, work with your teams and CSO and your executive to identify this as the number one risk and to take appropriate actions to get ready,” she said.
To listen to the full conversation with Annie Haggar, click below: