Understanding a company’s obligations in cases of a cybersecurity breach must be top priority for legal teams in 2022, according to a general counsel.
Speaking to Lawyers Weekly, Accenture strategic partnerships global legal lead and cybersecurity lawyer Annie Haggar warned that every company is at risk of cyberattacks, regardless of whether it has a shopfront where it sells products physically or operates online.
She added that cyberattacks on companies are inevitable and are a matter of “when”, not “if”, a point she also argued back in July 2021.
“Corporate counsel and general counsel who advise clients from the private sector need to be aware that traditional businesses that previously were at lower risk are now at as much risk as any business that lives online,” Ms Haggar remarked.
“You can’t afford to not consider cyber risk now because it really does touch every part of the business and every part of being a legal practitioner.”
If a company suffers a cyberattack, its legal professionals need to understand the company’s obligations in order to work out how it should respond to the resulting data breach.
“The thing about cybersecurity is there are lots of different types of attacks because there are lots of different types of attackers,” Ms Haggar said.
“If you’re a cybercriminal and your sole intention is to make money, you might use ransomware to lock down someone’s computer system so they can’t continue to conduct business, in which case they might ask for a ransom payment to unlock the systems.”
In such circumstances, companies could face an ethical and moral dilemma about whether they should succumb to the threats and pay the ransom or risk having the cybercriminals release sensitive information online.
“For instance, if you are a healthcare company or someone who holds a lot of very sensitive personal information and the cybercriminal threatens to release all of that information online, that could have significant impacts, compared to if you are a restaurant and they threaten to release your secret recipe,” Ms Haggar said.
“While the latter would cause significant financial damage if it were released, it would not harm people’s lives as it would if the healthcare company’s customer data were released to the public.”
Legal departments could play a vital role in assisting companies in these situations by understanding the types of attackers who could be eyeing a company and the types of data the company holds and values.
GCs could then guide company executives through the decision-making process in the event of a cyber breach.
The next step would be for legal teams to provide scenario training for executives, including tabletop reviews, exercises to test different breach scenarios and decision-making practices, and consideration of stakeholders that should be included in the decision-making process.
Conducting workshops before breaches occur could prepare companies for data breaches, Ms Haggar said.
“We should implement the same risk management procedures in our cybersecurity preparation and planning as we do in other parts of our business.”
Recruiting technology security providers to ensure that IT systems are robust, and keeping breach coaches on retainer to provide cybersecurity training and workshops, would prepare companies for these scenarios and equip staff with the skills needed to detect and prevent attacks, including phishing attacks.
“If companies have a breach, they are not then having to find a lawyer and an incident response team,” Ms Haggar said.
“You’ve already got them set up with contracts in place, and they know your business and are prepared to help.”
Ms Haggar also flagged that a company contemplating mergers and acquisitions would need to consider whether the company it is seeking to purchase has been subject to cyberattacks, and whether cybercriminals have stolen key intellectual property or trade secrets from that business.
“Previously when you bought a company, you just needed to look at how much money they made per year and what services or products they brought to the market,” she explained.
“But you now need to not only think about that but also whether this company has suffered cyberattacks that you could be held responsible for. There have been a couple of cases over the last few years where companies were undergoing cyberattacks during the merger or acquisition.”
She continued: “Some companies have been fined as the purchasing entity because they did not do their due diligence around the cyber security of the target company and investigate whether there had been any past breaches and what they needed to do to improve the security.”
Ms Haggar warned that the purchasing company could be held responsible for the cybersecurity arrangements of the business they intend to purchase.
As such, she recommended that companies conduct invasive testing as part of their due diligence, including threat hunting, in which they search the target’s systems for evidence of breaches and the attackers’ footprints.
Other testing methods include red-team testing or adversary simulation, in which testers impersonate an attacker to assess the target company’s defensive capabilities.
“While these invasive testing methods are not the norm at the moment, I think it will become more common to conduct some limited form of threat hunting or cyber due diligence as part of due diligence during mergers and acquisitions,” Ms Haggar said.
To hear more from Annie Haggar and other GCs and corporate counsel about how legal teams can coach their clients for cyberattacks, and about the ethical and legal implications of paying a ransom, come along to the 2022 Corporate Counsel Summit.