Cyber Security: General Counsels Take Responsibility
A global report on the cyber-related challenges facing in-house teams.
As cyber risks have grown in numbers and complexity, so too have their associated financial, legal, regulatory, and reputational risks. The 2017/18 Kroll and Legal Week Cyber Report examines how the responsibility of the general counsel is expanding to address these additional areas of risk. The Report shares insights on what general counsel around the world are doing, and should be doing, to adjust to this dynamic cyber risk landscape. The findings show that while GCs share common concerns, there are wide differences in their levels of responsibility for protecting, planning, monitoring, reporting, training, and responding to myriad elements of cyber security.
North America - 63% say roles have expanded in planning and responding to a cyber incident
Most advanced in cyber resilience: On virtually every metric determined by the survey – from training and monitoring to insurance and planning – North America is ahead at least by a nose, sometimes by a distance. GCs from this region are the most involved in responding to cyber incidents and the least confident in their organization’s ability to detect one.
Europe - 27% of organizations have purchased cyber insurance
GDPR and NIS are game changers: High percentages of European respondents often rank just behind America in their collective survey responses. However, in some areas, for example cyber insurance coverage (27%) and cyber training (57%), the gap is more notable. According to Kroll’s Andrew Beckett: “Roughly 75% of boards in Europe don't have anybody, either executive or non-executive, who understands cyber and the cyber threat, who could provide top level leadership.”
Middle East - 44% are very confident in their organization’s ability to detect a cyber incident
Region varies in regulatory maturity: Although some Middle East countries have data protection or cyber security laws in place, the development of both, where applicable, is in its infancy. However, individuals’ expectations on how data should be handled – often reflecting the governance trends in their home countries – are shifting greater attention to cyber security. This in turn is driving more GCs to focus on cyber defense and to look for advice on preparing for GDPR compliance in relation to the data they hold on European operations or relating to European citizens.
China - 74% of respondents have a written and current cyber incident response plan
Untested data protection law creates significant uncertainty: China’s first cyber security law became effective in June 2017. Notwithstanding the legal changes, China ranks near the global average in areas such as insurance, training, monitoring, and responsibility, although respondents (74%) almost match the U.S. (75%) in having a written and current cyber incident response plan.
South East Asia - 75% of GCs do not know if employee mistakes are covered by their cyber insurance policy
Multiple jurisdictions add extra layer of complexity: General counsel in Southeast Asia, many of whom operate across multiple jurisdictions in the region, often struggle to maintain an up-to-date knowledge and understanding of the different cyber security and privacy laws and their implications for multinational businesses. That being said, responses from general counsel seem to indicate that cyber security decisions are made elsewhere in the business.
Sub-Saharan Africa - 77% have no identified need for a breach notification partner
Cyber security efforts have a ways to go: Awareness, education, protection, and acceptance of responsibility by GCs in sub-Saharan Africa are generally among the lowest of any region. Only 27% of general counsel have seen an expansion of their cyber responsibilities in the last year, compared to the global average of 43%, with 7% actually experiencing a decline. A lack of regulatory attention as well as minimal press coverage of incidents that do occur seem to keep cyber security lower on the average GC’s priority list.
Latin America - No respondents have direct central responsibility for their organization’s incident response plan
Confidence abounds in cyber security abilities: Respondents in Latin America registered the highest confidence in withstanding a cyber incident: 57% versus 20% for North America and only 7% for Southeast Asia. While such confidence may often be well-founded and entirely justified, in many Latin American countries, the responsibility for information security continues to remain with the IT team; moreover, the market is less mature with less data protection regulation in place, often making cyber security a lower priority for GCs than in some other regions.