Ninety-three percent of companies consider their general counsel a member of the executive management, up from 55 percent in 2010, according to Equilar’s General Counsel Pay Trends 2016. GCs have moved beyond solely advising on technical legal issues in large-scale organizations. GCs have long been at the table for strategic planning, compliance, risk management and cyber concerns. The more strategic influence of the chief legal officer is reflected in a median total direct compensation of $2.1 million at S&P 500 companies, per the Equilar 2016 study.
Advisen’s Sixth Annual Information Security and Cyber Risk Management Survey observes that as cyberrisk is increasingly seen as an enterprise-wide issue, “departments such as general counsel and risk management are now taking on larger roles.” The Equilar analysis goes further, reporting that over the next three years, 31 percent of New York Stock Exchange–traded companies expect to add a chief risk officer role to their general counsel’s responsibilities. The risk responsibility would be in addition to the corporate secretary and chief compliance officer roles that many GCs hold today.
Are GCs on a path to becoming the mega-risk officer in 2017 and beyond? If so, here are some key risk areas that GC–risk officers will have on their radar screen.
Cyberrisks Loom Large
Certainly cybersecurity threats will continue to be a major risk for organizations in 2017. Not a week goes by without a headline on a major bank or corporation cyber breach. A 2016 Cisco Security Report showed 65 percent of organizations feel they face a significant level of security risk. When hackers leak sensitive customer and corporate data or employee personal information, you can bet there are mega-risks and costs to be managed. Ransomware shutdown of corporate and healthcare systems can quickly wreak operational havoc.
Post-breach, brands take hits as customers back away, feeling the company is no longer a safe place to have their data. Crisis management and legal fees skyrocket as notice requirements, potential liabilities and risk management strategies are assessed. Incident response costs can include “help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions”, says the Ponemon Institute. Ponemon estimates the average consolidated cost of a breach last year was $4M.
Target’s gross costs were $252M, reduced to $105M after insurance payments and tax deductions. Yahoo can attest to the impacts of breach incidents, as their massive breach thrust Verizon’s purchase of the platform into question. Post-breach announcements also ignite shareholder and customer lawsuits, igniting large legal bills and settlements or judgments.
General Counsels and their teams are already very involved in cybersecurity risk management. The Ninth Annual Law Department Operations Survey reports that more than 75 percent of law departments have responsibility or meaningful influence on their companies’ cybersecurity. So, taking on broader cyber risk management duties may be right in the GC wheelhouse.
Cyber Regulatory Environment
Cyber regulations are bound to be a fact of life for GCs over the coming years. Barring last-minute changes, in January GCs at New York financial organizations must contend with new cybersecurity regulations. The groundbreaking cybersecurity regulation from the Department of Financial Services imposes cyber standards, including 72-hour breach notice, incident response plans and annual audits, for starters.
The Securities and Exchange Commission has fined investment advisors under the “safeguards rule” for inadequate cyberprotection of customer records. The SEC commented that “firms must adopt written policies to protect their clients’ private information, and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
Experts do not predict national cybersecurity legislation will pass in 2017. Yet certainly the government will continue to press critical infrastructure industries to share information on cyberbreaches. Cyber standards legislation is expected at the state level. The New York cyber regulation is an example of this trend.
More Intellectual Property Theft in 2017
Data leaks and systems hostage taking are not the only cyber and breach risks the über GC–risk officer must watch. Deloitte’s Retail Cyber Risk Survey finds that 58 percent of respondents expect IP cyberthreats to increase in 2017, while 35 percent of the respondents in the 2016 SANS Incident Response Survey cite intellectual property as a data type that had been exfiltrated from their organization over the last year. In 2016, IP replaced customer data as the second most targeted data type, after employee information. SANS suggests that this reflects attackers’ shifting motivations to sell data on the lucrative dark web.
A company’s IP can include such assets as R&D, source code and manufacturing plans – not things you want in the hands of competitors, hackers or some nation-states. With 87 percent of S&P 500 companies’ total value consisting of intellectual property, risk managers must focus on IP cyberthreats. Of course, insider threats to IP also exist. Good practice is to have IT/infosec monitor unusual download activity to catch intruders exfiltrating data, or even employees planning to take IP with them to a new job.
Interestingly, the SANS study shows that 12 percent of organizations have seen legal data stolen via cyberattacks. Law departments, like law firms, are treasure troves of sensitive data and IP data for bad actors. One of the earliest FBI-reported law firm cyberattacks involved Chinese actors hacking into a law firm to gain an advantage in a merger and acquisition transaction. While law firms step up prevention and incident response capabilities post-Panama Papers, law departments need to do the same as they likely have the same data the firms do. The GC–mega risk officer will want to invest in heightened cyber risk precautions and training in the law department.
Privacy law is developing rapidly across U.S. states, Asia and of course in the European Union with the upgrade to the General Data Protection Regulation. Organizations house massive amounts of personal and health data on business customers, employees and consumers. It’s no secret that organizations will continue to face privacy risks for the foreseeable future. Industries that collect substantial personal data – healthcare, communications, financial and banking, and retail – have a higher degree of regulatory oversight and thus face more dire risk management challenges under the growing privacy regulations.
Forty-nine percent of the risk managers surveyed in the Advisen Report rate reputation damage due to privacy violation/loss of customer records as a high or extremely high risk. The survey also finds that for the first time in six years, “general counsel has surpassed information technology as the department most frequently responsible for assuring compliance with all applicable federal, state or local privacy laws, including state breach notification laws.” This trend supports the notion that GCs are on a path to become a GC– mega risk officer.
Though the IT team may be asked to conduct a privacy infraction investigation, or map the location and secure access controls for protected health information or personal data in organizations, regulatory compliance still requires a legal interpretation and judgment. If it wasn’t there already, nesting responsibility for assuring privacy compliance in the law department seems to make sense. Of course, some organizations place this responsibility in the hands of the chief compliance and ethics officer or even the chief privacy officer. Yet all roads usually lead to legal when things go bad. Negotiating regulatory settlements and managing litigation that can follow significant transgressions will likely end up on a GC’s desk.
Companies across the globe are striving to cope and create a mind-set of resiliency as they operate in a world full of data breach threats. As their business risks burgeon in the cyberprivacy regulatory areas, some may want to centralize where the overall risk management buck stops. Some companies may choose to place this under the care of the general counsel, the traditional guardian of the organization.
Published December 30, 2016.