Our Co-Founder and Chief Marketing Officer, Sacha Kirk, recently moderated a virtual fireside chat with Cyber Security Global Legal Counsel at Accenture Security, Annie Haggar.
During the discussion, Ms Haggar shared insights regarding some of the challenges of working in cyber security law, and how General Counsels and in-house legal teams can effectively respond to these challenges. In this article, we examine some of these insights.
To begin, it is worthwhile examining the current cyber security landscape in Australia. The most recent ACSC Annual Cyber Threat Report, released in June 2020, revealed that cyber crime has become one of the most pervasive threats facing Australia, with the frequency, scale and sophistication of malicious cyber activity increasing significantly over the past 12 months. Amid this increase in cyber crime, phishing, spear phishing and ransomware are among the most commonly used methods and also present the most significant threats to business and government operations. As a result, the cyber threat landscape has intensified, and General Counsel (GC) and in-house lawyers have had to collaboratively devise cyber security strategies to safeguard their organisations.
Annie Haggar spoke of these changes and shared some methods through which GCs and in-house counsel can transform their approach to cyber security.
What are some challenges of working in cyber security law?
“Certainly, speed of change is the key one… it is changing hour by hour” – Annie Haggar
A key challenge for GCs and legal practitioners working in cyber security law is the speed of change. Digital advancement in combination with COVID-19 has not only transformed the cyber security landscape, but also accelerated the speed at which companies face security threats and targeted cyber attacks. The Australian Security Insights Report shows that 72% of Australian businesses reported an increase in the volume of attacks in the past 12 months, and 80% reported that the attacks had become more sophisticated.
According to Ms Haggar, building a methodology to stay up to date with the changes can assist lawyers to act proactively and provide the right legal advice to their clients when required. For example, being aware of and keeping up to date with the business, client and regulatory risks and associated obligations ensures in-house counsel are equipped with sufficient knowledge to do their job effectively as a legal advisor and, further, to help devise a response or mitigation plan for potential threats.
What should legal be watching for when it comes to cyber security?
“It is really important for in-house legal counsel to understand what that specific risk profile is for your business” – Annie Haggar
GCs and in-house lawyers need to be aware of the cyber security issues faced by their particular organisation because the type of business undertaken means the types of cyber security threats will be different. Further, the threat actors will be different, the methods of attack will be different and the types of things the threat actors might do to threaten the organisation will be different.
Accordingly, considering a question such as: “What are the crown jewels of my company?” can be helpful in assisting GCs and in-house counsel to identify what cyber criminals may target in their organisation and even perhaps the method through which the attacks may occur. As a result, GCs and in-house counsel can formulate and implement the most suitable strategies to defend, protect and help the organisation recover from potential cyberattacks.
Some examples shared by Ms Haggar include:
1. The cyber security risks associated with buying or merging with a company and migrating systems.
According to Deloitte, this is an essential element to consider while performing due diligence in order to assess the cyber health of each party, leverage standards and mitigate potential cyber risks before the final integration occurs.
2. The cyber security risks associated with employees that go rogue, are malicious or are even just careless with cyber security.
What are the security measures in place to mitigate these risks, as well as the disciplinary actions for repeat failures or lack of security?
3. The regulatory and legal obligations to report cyber security incidents and manage data privacy.
This is especially relevant to organisations that operate in multiple jurisdictions, as the laws that govern disclosure of cyber attacks and data privacy (for example, the GDPR or CCPA) are likely to be different and require different processes and response strategies between locations.
How can in-house lawyers support their organisation’s cyber security response?
“Do it all ahead of time… Have your plan and your team in place for when it happens… The rate of cyber-attacks and other issues are just so high at the moment, you really have to think about it as a when this happens to my business, not if.” – Ms Haggar
Being open-minded to learning about cyber security, devising a plan and recognising when they need help are some ways in-house lawyers can support their organisation’s cyber security response, said Ms Haggar. Again, she emphasised the importance of being proactive and preparing for potential risks so that when an incident does occur, there is a plan in place to manage and contain the damage.
Accordingly, building a ‘support team’ specifically for cyber issues, inclusive of a breach coach, incident responders and the IT team, ensures all bases are covered, and that individuals with the right expertise and skill sets can effectively respond to the issue when necessary. In essence, it is important for in-house lawyers to take a 360-degree approach to cyber security within their organisation and enlist the help of other experts to ensure their organisation is sufficiently and proactively safeguarded from cyber threats.
Conclusion
The insights shared by Ms Haggar were eye-opening and candidly revealed the double-edged sword of technological advancement. Namely, although technology has delivered growth and prosperity for many aspects of business and society, it has also meant that cyber security literacy and effective risk response and mitigation tactics have never been more important while navigating the digital environment. For legal professionals, this necessitates keeping up with the constant changes, taking a collaborative and holistic approach when identifying potential cyber threats, and proactively creating a response plan for when threats occur.