KROLL/LEGAL WEEK CYBER REPORT 2017/18
As cyber risks have grown in numbers and complexity, so too have their associated financial, legal, regulatory, and reputational risks. The 2017/18 Kroll and Legal Week Cyber Report examines how the responsibility of the general counsel is expanding to address these additional areas of risk.
The Report shares insights on what general counsel around the world are doing, and should be doing, to adjust to this dynamic cyber risk landscape. The findings show that while GCs share common concerns, there are wide differences in their levels of responsibility for protecting, planning, monitoring, reporting, training, and responding to myriad elements of cyber security.
63% say roles have expanded in planning and responding to a cyber incident
Most advanced in cyber resilience
On virtually every metric determined by the survey – from training and monitoring to insurance and planning – North America is ahead at least by a nose, sometimes by a distance. GCs from this region are the most involved in responding to cyber incidents and the least confident in their organization’s ability to detect one.
27% of organizations have purchased cyber insurance
GDPR and NIS are game changers
High percentages of European respondents often rank just behind America in their collective survey responses. However, in some areas, for example cyber insurance coverage (27%) and cyber training (57%), the gap is more notable. According to Kroll’s Andrew Beckett: “Roughly 75% of boards in Europe don't have anybody, either executive or non-executive, who understands cyber and the cyber threat, who could provide top level leadership.”
44% are very confident in their organization’s ability to detect a cyber incident
Region varies in regulatory maturity
Although some Middle East countries have data protection or cyber security laws in place, the development of both, where applicable, is in its infancy. However, individuals’ expectations on how data should be handled – often reflecting the governance trends in their home countries – is shifting greater attention to cyber security. This in turn is driving more GCs to focus on cyber defense and to look for advice on preparing for GDPR compliance in relation to the data they hold on European operations or relating to European citizens.
74% of respondents have a written and current cyber incident response plan
Untested data protection law creates significant uncertainty
China’s first cyber security law became effective in June 2017. Notwithstanding the legal changes, China ranks near the global average in areas such as insurance, training, monitoring, and responsibility, although respondents (74%) almost match the U.S. (75%) in having a written and current cyber incident response plan.
75% of GCs do not know if employee mistakes are covered by their cyber insurance policy
Multiple jurisdictions add extra layer of complexity
General counsel in Southeast Asia, many of whom operate across multiple jurisdictions in the region, often struggle to maintain an up-to-date knowledge and understanding of the different cyber security and privacy laws and their implications for multinational businesses. That being said, responses from general counsel seem to indicate that cyber security decisions are made elsewhere in the business.
77% have no identified need for a breach notification partner
Cyber security efforts have a ways to go
Awareness, education, protection, and acceptance of responsibility by GCs in sub-Saharan Africa are generally among the lowest of any region. Only 27% of general counsel have seen an expansion of their cyber responsibilities in the last year, compared to the global average of 43%, with 7% actually experiencing a decline. A lack of regulatory attention as well as minimal press coverage of incidents that do occur seem to keep cyber security lower the average GC’s priority list.