Goodbye job applications, hello dream career
Seize control of your career and design the future you deserve with LW career

Legal departments must be involved in cyber incidents from the get-go

In-house counsel should be the first port of call for an incident response team when their organisation falls prey to a cyber attack, according to a cyber security expert.

user iconMalavika Santhebennur 26 March 2024 Corporate Counsel
expand image

Ahead of his session at the Corporate Counsel Summit 2024, Redacted Information Security director and principal consultant Remy Coll said that a cyber attack could have legal implications from the beginning to the end of the incident.

As such, it is vital for in-house legal teams to be involved in the response team, he insisted.

“Whenever these incidents occur, corporate counsel is usually not involved until the later stages,” Coll told Lawyers Weekly.


“But they should be the first team that is involved in a cyber security incident as soon as it has been raised within an organisation.”

At the summit, Coll will share insights on how in-house counsel can help organisations prepare for cyber security threats as well as the changing obligations around data security and privacy.

Safeguarding against legal implications

If the incident response team channels its communication through corporate counsel, Coll explained, it could be argued that the incident response activity becomes legal privilege, should the organisation be subject to legal action at a later stage.

“If it was conducted through the in-house counsel, it will make it easier for the organisation to defend itself because some parts of the incident response that may not necessarily be relevant can be held under legal privilege when the prosecutor is picking the case apart,” Coll said.

“Therefore, involving corporate counsel in the incident response process is absolutely key for an organisation.”

Furthermore, in-house counsel also has a significant role to play across many threat vectors through the use of documents such as employment agreements.

The agreements could include clauses, which inform employees that they will be monitored when using the organisation’s system, and highlight that it is exclusively for employees and not for external use.

“This is so that if litigation or criminal prosecution happen further down the track, the attacker cannot claim that they did not know they were not allowed in the network,” Coll said.

“Corporate counsel would have provided that legal statement. This should be at the forefront of login forms and entry points into those systems.”

Moreover, when an internal compromise has occurred, the response team must seek legal advice for chain of custody and evidence as a lot of cyber security personnel may not be familiar with how electronic evidence should be presented in court.

“If an attacker is prosecuted by the Australian Federal Police (AFP) or if it is ever raised in torts court, then they can show that the evidence is accurate and has not been tampered with. It also shows the actions of the attacker,” Coll said.

Beware of the most common threat

It is also important for in-house lawyers to be aware of the vulnerabilities present in an organisation.

For example, Coll said that while there is significant media coverage around ransomware, business email compromise (BEC) is the largest vulnerability and results in the greatest financial loss in an organisation.

BEC is a type of email fraud where cyber criminals target organisations and attempt to scam them out of money or goods by tricking employees into revealing important business information often by impersonating trusted senders.

It could also involve a cyber criminal gaining access to a business email address and then sending out spear phishing emails to clients and customers for information and payments.

According to the Australian Signals Directorate Cyber Threat Report 2022–2023, the total self-reported BEC losses to ReportCyber were almost $80 million.

The report also stated that there were over 2,000 reports made to law enforcement through ReportCyber of BEC that led to a financial loss. On average, the financial loss from each BEC incident was over $39,000.

“Corporate counsel should be paying attention to BEC because it’s a threat vector that can be used across both low capability groups (which we’ll call things like insiders) all the way up to higher-tier threat groups such as criminal organisations and nation states,” Coll concluded.

To hear more from Remy Coll about how corporate counsel could help their organisations get their house in order for emerging cyber threats, come along to the Corporate Counsel Summit 2024.

It will be held on Thursday, 2 May at The Star, Sydney.

Click here to buy tickets and don’t miss out!

For more information, including speakers and agenda, click here.

This summit is produced by Captivate Events. If you need help planning your next event, email director Jim Hall at This email address is being protected from spambots. You need JavaScript enabled to view it.

You need to be a member to post comments. Become a member for free today!