Legal teams must appreciate how cyber-security issues impact upon every part of the work they do, says one GC.
Across the board, Accenture Security global managed security legal lead and growth markets legal lead Annie Haggar said, lawyers are struggling to “really understand” the day-to-day implications of cyber-security concerns on the myriad aspects of daily legal practice.
Speaking recently on The Corporate Counsel Show, Ms Haggar – who was a finalist in the General Counsel of the Year and In-House Counsel of the Year categories at the 2020 Women in Law Awards – said that law departments must be taking time to properly appreciate how such concerns “touch every part” of the work that they do.
“You can’t afford to have security be an afterthought”, she stressed, when it comes to the services or products that businesses are developing. “It needs to be there from the get-go,” she said.
Legal counsel have to “change their way of thinking”, Ms Haggar submitted, identifying employment matters and M&A work as two examples that highlight the inextricable need to be on top of cyber-security concerns.
When it comes to thinking about the impact of cyber security on employment, counsel should think about phishing training, Ms Haggar suggested.
“Accenture runs a very comprehensive global phishing training program; all of our employees are subject to. If we fail phishing tests, we can then again put on security performance monitoring, and if we continue to fail, we can in fact have some of our IT and communication tools restricted, because we would be a serious risk to the company,” she detailed.
“So, employment lawyers and HR departments need to be thinking about how do they increase the awareness of cybersecurity issues, how can they implement phishing training, and then what will be the real outcomes of failure for people to come up to scratch on cybersecurity?
“If you continue to click on suspicious links you are the main risk to the company for introducing a ransomware risk or other type of breach, so that HR employment piece really needs to come into play.”
Mergers and acquisitions
Elsewhere, Ms Haggar continued, for teams doing mergers and acquisitions, cyber security is “coming to the forefront”, because regulators are starting to hold acquiring companies responsible for the cyber-security state and breaches of companies that they have acquired.
“It doesn’t matter if it is a reasonably recent acquisition, they are holding that new owner responsible,” she recounted.
“This has started back with Marriott a couple of years ago, where they suffered a major breach through an acquisition of Starwood, and they have been facing fines with GDPR and the UK commissioner for privacy said that one of the reasons why she was going to be fining the company was that they had failed to take reasonable steps to look at the cybersecurity of the company that was being acquired and to bring their cybersecurity up to scratch.
“Traditional due diligence for mergers and acquisitions wouldn’t normally have looked at cybersecurity and it’s an absolute must now. That should include not just looking at their security policies, but if possible, really doing an invasive test to see if they’ve got ongoing breaches, certainly any historical breaches, and looking at the cybersecurity culture of the company.”
This is fundamental, Ms Haggar added, because if there’s a company without cyber-security measures, with all the employees clicking on suspicious links all the time, “that’s going to be a significant risk that you’re bringing into the company”.
“You may want to consider some things that the target company would have to do prior to integration, such as a condition precedent to closure of any acquisition agreement that would bring their cybersecurity up to scratch before you start integrating your systems and integrating your personnel and really bringing that risk onto the books of the acquiring company,” she advised.
“There’s been several major breaches specifically occurring after acquisitions. Marriott’s just one example, but it can really devalue the value of the business that you’re buying, it can impact both the share price of the purchase business and the acquiring business, and then there can be also the regulatory considerations that come into that.”
In the same episode of The Corporate Counsel Show, Ms Haggar argued that upskilling in cyber security is “non-negotiable” for general counsel.
The transcript of this podcast episode was slightly edited for publishing purposes.