General Counsel Must Address Cyber-Security
September 5, 2013
Preparing for cyber-attacks is now a critical part of overall risk management. The scope of cyber-threats and their potential impact on everything from corporate and executive reputation to long-term financial viability makes it clear that chief information security officers and their general counsel would do well to collaborate. This article outlines some initiatives that general counsel should undertake as part of enterprise risk management.
Cyber-security and legal now directly intersect via compliance and regulatory rules related to privacy, protection of personal information, and disclosure of risks. In 2011, the SEC issued guidelines stating that publicly traded companies must not only disclose instances of cyber-theft or attack, but must also report when they are at material risk of such an event. If legal is not aware of such risks because of poor communication with the IT and information security departments, the company is at risk of violating SEC guidelines.
Information security systems must be 100 percent successful in order to prevent breaches, while attackers need only be successful once. Realistically, cyber-breaches will occur – and are likely to have occurred already – in most large corporations. The ability to quickly triage alerts to pinpoint true threats is essential. So too is having the ability to assess the impact of a threat, discover which data is at risk, and halt a serious breach.
Having forensic capability greatly improves the ability to glean evidence that is court-admissible, in the event that a breach leads to litigation.