How General Counsel can prepare companies for cyberattacks

This article from Lawyers Weekly highlights that understanding a company’s obligations in the event of a cybersecurity breach must be a top priority for legal teams in 2022. It is important that General Counsel prepare for cyberattacks and communicate this to their companies.


THIS ARTICLE’S KEY TAKEAWAYS ARE:

  • Cyberattacks are inevitable, so General Counsel can prepare companies for them
  • Understand the extent of the risk that a security breach will occur
  • Understand companies’ obligations both before and during a security breach
  • Companies may be placed in moral dilemmas, especially when they are held to ransom
  • Due diligence is key before mergers and acquisitions


Who is at risk of cyberattacks?

Speaking to Lawyers Weekly, Accenture strategic partnerships global legal lead and cybersecurity lawyer Annie Haggar warned that every company is at risk of cyberattacks, regardless of whether it has a shopfront where it sells products physically or operates online.

She added that cyberattacks on companies are inevitable and it is a matter of “when”, not “if” – something she argued back in July 2021.

“Corporate Counsel and General Counsel who advise clients from the private sector need to be aware that traditional businesses that previously were at lower risk are now at as much risk as any business that lives online,” Ms Haggar remarked.

“You can’t afford to not consider cyber risk now because it really does touch every part of the business and every part of being a legal practitioner.”


Companies’ obligations & ethics

If a company suffers a cyberattack, legal professionals need to understand the company’s obligations in order to advise on how it should respond to the data breach.

“The thing about cybersecurity is there are lots of different types of attacks because there are lots of different types of attackers,” Ms Haggar said.

“If you’re a cybercriminal and your sole intention is to make money, you might use ransomware to lock down someone’s computer system so they can’t continue to conduct business, in which case they might ask for a ransom payment to unlock the systems.”

In such circumstances, companies could face an ethical and moral dilemma about whether they should succumb to the threats and pay the ransom or risk having the cybercriminals release sensitive information online.

“For instance, if you are a healthcare company or someone who holds a lot of very sensitive personal information and the cybercriminal threatens to release all of that information online, that could have significant impacts, compared to if you are a restaurant and they threaten to release your secret recipe,” Ms Haggar said.

“While the latter would cause significant financial damage if it were released, it would not harm people’s lives as it would if the healthcare company’s customer data were released to the public.”


General counsel guidance

Legal departments could play a vital role in assisting companies in these situations by understanding the types of attackers who could be eyeing certain companies, and the types of data a company may hold and how valuable that data is.

GCs could guide company executives through the decision-making process in cases of a cyber breach.

The next step would be for legal teams to provide scenario training for executives, including tabletop reviews, exercises to test different breach scenarios and decision-making practices, and consideration of stakeholders that should be included in the decision-making process.

Conducting workshops before breaches occur could prepare companies for data breaches, Ms Haggar said.

“We should implement the same risk management procedures in our cybersecurity preparation and planning as we do in other parts of our business.”

Recruiting technology security providers to ensure that IT systems are robust and having breach coaches on retainer who could provide cybersecurity training and workshops would prepare companies for these scenarios and equip them with the cyber skills required to detect and prevent attacks, including phishing attacks.

“If companies have a breach, they are not then having to find a lawyer and an incident response team,” Ms Haggar said.

“You’ve already got them set up with contracts in place, and they know your business and are prepared to help.”


Mergers and acquisitions

Ms Haggar also flagged that if a company is contemplating mergers and acquisitions, it would need to consider whether the company it is seeking to purchase has been subject to cyberattacks, and whether cybercriminals have stolen key intellectual property or trade secrets from that business.

“Previously when you bought a company, you just needed to look at how much money they made per year and what services or products they brought to the market,” she explained.

“But you now need to not only think about that but also whether this company has suffered cyberattacks that you could be held responsible for. There have been a couple of cases over the last few years where companies were undergoing cyberattacks during the merger or acquisition.”

She continued: “Some companies have been fined as the purchasing entity because they did not do their due diligence around the cyber security of the target company and investigate whether there had been any past breaches and what they needed to do to improve the security.”

Ms Haggar warned that the purchasing company could be held responsible for the cybersecurity arrangements of the business they intend to purchase.


Due Diligence

As such, she recommended that companies conduct invasive testing as part of their due diligence, including threat hunting, where they search for evidence of breaches and the attackers’ footprints in the system.

Other testing methods include red team testing or adversary simulation, where testers impersonate an attacker to test a company’s defence capabilities.

“While these invasive testing methods are not the norm at the moment, I think it will become more common to conduct some limited form of threat hunting or cyber due diligence as part of due diligence during mergers and acquisitions,” Ms Haggar said.

CLICK HERE TO READ THE LAWYERS WEEKLY ORIGINAL ARTICLE


GREENFIELDS RECRUITMENT & SEARCH is a specialist In-House Legal Counsel, Company Secretary and Corporate Governance Executive Search & Recruitment firm. It partners with a diverse range of clients, from ASX listed organisations, non-listed organisations, multinationals, boutiques and not-for-profits across all industry sectors.