Co-founder of Infolock, a data risk transformation partner to clients in the financial services, health, manufacturing and public sectors.
In today’s increasingly regulated business climate, cyber risk—specifically data risk—is a top priority. The general counsel (GC) has a critical role to play in cyber and data risk preparedness.
As the legal officer of the company, the GC is responsible for ensuring that the organization complies with all applicable laws and regulations. They must ensure the organization has the appropriate policies and procedures in place to protect its data and operations. They need to monitor governance and oversight without complicating either function.
The GC also plays a key role in communicating cyber and data risk to the board of directors and senior management. They must be able to explain the risks in clear and concise terms and recommend practical steps that the company can take to mitigate those risks.
GC As “Chief Proactive Risk Management” Officer
In my almost 20 years running a data risk management consulting firm, I’ve come to understand that the GC’s role in cyber risk preparedness is:
1. Widely misunderstood and undervalued
2. Essential
Beyond board and C-suite (CEO, COO, CFO) awareness, the most important factor in overall cybersecurity outcomes is the involvement of and leadership from the chief legal officer’s/GC’s office. Without it, few organizations can build or maintain effective, layered defenses, and fewer still can successfully recover from a data breach or security crisis.
Four Steps To Better Prep
There are four specific steps that the GC can take to ensure improved cyber risk preparedness:
1. Understand your cyber risk and data risk profile.
Malicious insiders and external hackers are trying to steal your sensitive data to ransom it, knock it offline, sell it or otherwise compromise your organization. The GC must work with the CISO’s office and IT to identify the company’s most critical data assets and threats to those assets. The problem has always been: How do you get started?
One solution is to perform business unit data risk assessments (BUDRAs) to scope, discover, classify and analyze the sensitive data assets of a single business unit. When approaching this solution, start small. Investigate business processes and data assets that are:
• Business-confidential (trade secrets, proprietary intellectual property, unique know-how and specialized knowledge, for example)
• Contractually protected (such as M&A documentation, business partner confidential SLAs and internal SLAs)
• Regulated (for example, protected health information under HIPAA, personally identifiable information, cardholder data under PCI DSS, and personal data covered by the California Privacy Rights Act, the Virginia Consumer Data Protection Act and similar state laws). Review who has access to this data and why. Analyze how the data is collected, stored, processed, shared and deleted.
Recently, our team performed a BUDRA for a large regional retail bank with the support of the GC. The sensitive data we discovered and the clear gaps in awareness and protection we uncovered provided facts (not feelings) about underlying risks to the organization.
When done effectively, these assessments can lead to additional data risk assessment efforts with other critical business units. In this case, it helped create momentum with the bank’s senior executives and its board.
2. Develop and implement a data-focused cybersecurity plan.
The GC must be actively involved in driving the creation of a plan for cyber defense, data security, incident response, employee training, executive reporting and crisis communication.
Several years ago, we worked with a large transportation logistics company to create a data-centric cybersecurity program using our own security controls framework aligned with their existing information security management system (ISMS). At a certain point in our program development efforts, organizational leaders began to “tune out” of the process.
We’ve found that one effective way to combat that disengagement is to have the chief legal officer hold a workshop for senior leaders. In doing so, prepare the officer to focus on how each executive’s “focus area” is dependent on a mature, effective cybersecurity program. This can help encourage a surge of involvement from the very top, carrying your team through the process and over the finish line.
3. Communicate cyber risk to the board, senior executives and regulators.
The GC must be able to explain the company’s cyber risk in clear and concise terms, and they should recommend practical steps the company can take to mitigate those risks.
Consider the implementation of training cohorts to achieve this goal, and remember that participants will come from widely varied backgrounds and motivation levels. For example, one of our recent training cohorts (from an insurance carrier client) had course participants from across its legal, compliance, risk management, cybersecurity, IT and HR departments.
The organization had suffered a recent data breach. The audit committee’s investigation with an outside firm pointed to failures in how the organization managed and reported on risk.
In instances like these, build a baseline, shared understanding of why cybersecurity risk reporting and risk management efforts are critical in such a scenario, what is required, who is responsible (and accountable), what needs to happen and when, how disclosures are to be made and what types of follow-up are required.
4. Network with peers, share information and stay current on cyber threats.
The GC is ultimately responsible, along with senior executives, for defining an organization’s risk appetite, tolerance levels and thresholds. The GC must “digitally transform” to the same extent organizations have digitally transformed their infrastructure and operations.
One way to support this transformation is through targeted organizational change management consulting. Even if a GC understands how their role has changed, they may lack a clear plan for “up-skilling” personally or redirecting the legal department to prioritize cybersecurity risk and concerns.
Assess the GC’s professional capabilities and knowledge as well as the organization’s structure, and perform an organizational network analysis (ONA). We’ve found it’s effective to devise a “get-better” plan (including detailed action steps and an overall program timeline) aimed at getting the team “leveled up” within a reasonable timeframe—nine months, based on my experience.
Wrapping Up
By taking these four steps, the general counsel/chief legal officer can help to ensure that the organization is prepared for cybersecurity threats and data risks. This proactive approach can help inform board members and senior executives, support better risk decision-making and protect the organization’s data, reputation and bottom line.