- Roughly 84% of chief legal officers say that they have at least some cybersecurity-related responsibilities, an increase of eight percentage points from two years ago, according to a report from the Association of Corporate Counsel Foundation and Ernst & Young.
- Along those lines, 22% of companies now employ an in-house counsel with responsibility for cybersecurity, a rise of 10 percentage points since 2018, the report found. More than half of these lawyers (56%) are in senior-level positions.
- Overall, 38% of legal departments said that their spending has increased compared to a year ago as a result of their company’s approach to cybersecurity.
The 2022 State of Cybersecurity Report from the ACC Foundation and EY highlights that cybersecurity is a key area increasingly under the purview of legal chiefs.
One-fifth of CLOs have the cybersecurity function report directly or indirectly to them, while nearly 40% of chief legal officers are part of a team with cybersecurity responsibilities.
In a similar vein, another 24% of legal chiefs report being members of cybersecurity incident response teams.
The data included in the report represents survey responses from 265 legal department decision-makers across 17 industries and 24 countries. The online survey was conducted from mid-June through late July.
Susanna McDonald, VP and CLO of ACC, called the report “the latest evidence that businesses increasingly recognize the CLO’s strengths in this area and are adjusting their approach accordingly.”
“CLOs bring a unique combination of legal training, strategic thinking, and risk analysis to the table to best help prevent and, if need be, react to cybersecurity situations,” McDonald said in a prepared statement.
Dave Burg, EY’s Americas Cybersecurity Leader, noted the increased cybersecurity responsibilities for legal chiefs come amid an ever-changing legislative and regulatory landscape.
Burg said in a statement that it is surprising “any organization would exclude their CLO from helping to develop, shape and execute an organization’s cybersecurity risk management strategy.” Roughly 16% of those surveyed indicated that the CLO has no responsibilities in cybersecurity.
Among in-house counsel with responsibility for cybersecurity, roughly half (48%) are responsible for coordinating cyber strategy across the enterprise, the report found.
Another 29% of such lawyers are embedded within cybersecurity/IT and work directly with technical resources.
The in-house lawyers dedicated to cybersecurity are more prevalent at larger companies.
About 42% of companies with revenue larger than $3 billion employ an in-house counsel focused on cybersecurity, compared to 18% of companies with revenue under $100 million that have a lawyer dedicated to the function.
Additionally, cybersecurity training for employees is mandatory in nine out of 10 organizations, the ACC Foundation and EY report found.
Nearly two-thirds of such organizations (63%) require mandatory training on an annual basis — a 20-point increase compared to 2020.
“The potential reputational damage, liability to data subjects, and effect on business continuity are the top concerns resulting from a data breach and therefore, the results show a significant increase in the number of companies that now require regular cybersecurity training for all staff,” the report said.