Last year’s ALM Intelligence report on cybersecurity and corporate counsel concluded that “legal departments can and should be playing a more strategic and proactive role in cybersecurity programs and processes.”
Since then, much has changed. First, breaches have accelerated in both frequency and severity. As laid out in this year’s ALM Intelligence report, Cybersecurity and Law Firms: Defeating Hackers, Winning Clients, ALM Intelligence forecasts that reported data breaches across all industry sectors will approach 1,000 in 2016, an 18% increase over 2015.
Further, the scope and effects of cyberattacks have expanded, from the attack that took Sony Pictures’ corporate network offline in late 2014 to the October 2016 attack on Dyn that knocked many major websites offline at once. Dyn is a managed DNS provider; DNS is the directory service that translates domain names into the addresses that computers actually connect to, so an outage at a large DNS provider takes down every site that depends on it, even though none of those sites was itself compromised. As David Jones, director of sales engineering at IT company Dynatrace, explained about the attack, “We’ve never really seen anything this targeted [that] impacts so many sites. Typically DDoS [distributed denial of service] attacks are targeted at individual sites. DNS is like a phone book: this is like someone is attacking the phone company and burning all the phone books at the same time.”
In short, cyberattacks can do more damage more quickly and more frequently than ever before.
In the face of this increased global threat, the importance of the corporate legal department cannot be overstated. Legal is the common denominator among regulatory requirements, breach notification, supply chain and contract management, and discovery hygiene. As stated in last year’s report, sample tasks legal can own include the following:
- Drafting of the cybersecurity incident response plan and membership on the cybersecurity response team
- Management of risk-shifting provisions in contracts, both as a vendor and for third-party vendors
- Creation of a data retention policy that complies with local and federal regulations
ALM Intelligence concluded that law departments often missed the opportunity to get to the table earlier and in a more robust fashion. Further, we found that corporate counsel should be proactive in involving themselves if the company does not include them in cybersecurity preparedness. One interviewee went so far as to argue, “If contract review is the only role for lawyers [in cybersecurity], the company is likely not in a great place in managing cybersecurity. Lawyers should be playing a much more strategic role than just contract drafting.”
Fast-forward to 2016. Despite the increased threat, ALM’s 2016 Cybersecurity and Corporate Counsel Survey indicates that corporate counsel are less involved in cybersecurity protocol and preparedness than they were a year earlier.
Some key indications that law departments are distancing themselves from cybersecurity include the following:
- In 2015 and 2016, the majority of respondents said that their company performs a formal information privacy and security risk assessment (over 85%).
- Yet, 84% of respondents in 2015 said that the legal department is involved in the assessment, while only 47% of respondents in 2016 said that legal is involved.
- In 2015 and 2016, the majority of respondents indicated that they have a data protection team in place (over 65%).
- Yet, 84% of respondents in 2015 said that the legal department is represented on the team, while 56% of respondents in 2016 said that the legal department is represented.
- There has been a sharp drop in the number of respondents pursuing “fire drills,” defined as an incident response exercise conducted to provide practical experience in the event of an actual data breach, from 73% in 2015 to 58% in 2016.
- Similarly, legal has experienced a sharp drop in fire drill involvement, from 80% in 2015 to 57% in 2016.
- When asked how the company has increased readiness in handling potential security breaches, 35% of respondents in 2015 said they had hired more internal legal staff with cybersecurity expertise, compared with 16% in 2016. (Interestingly, the hiring of outside counsel remained level at 38%.)
- A significant number of respondents (30%) anticipate no change in legal spend as a result of increased data privacy and security risks, while last year a majority of respondents anticipated an increase to the legal budget, most frequently in the 3-5% range.
[Chart: year-over-year comparison of the survey results above. Source: ALM Intelligence Second Annual Cybersecurity and Corporate Counsel Survey]
Surprisingly, despite the increased threat and the legal department’s reduced involvement, corporate counsel are slightly more comfortable with the company’s ability to withstand a cyberattack (73% in 2015 versus 76% in 2016).
It is not clear why law departments have become less involved with cyber-preparedness. Survey respondents indicated that they believe cyberattacks are becoming less frequent in the industry (in stark contrast to both law firm respondents and the perceptions in most other industries).
Almost all law departments operate as a business unit, with a primary goal of becoming closer to the business as a “trusted advisor.” It seems remarkably shortsighted that these legal trusted advisors are not on board for what is considered to be a preeminent threat to both the global economy and to national security. Law departments, cybersecurity is your mandate too.
ALM Intelligence Notes
- Threat and Opportunity: See ALM Intelligence’s new report, Cybersecurity and Law Firms: Defeating Hackers, Winning Clients, for details on how vulnerabilities in law firms’ data security present an existential threat, while increasing corporate demand for legal expertise in cybersecurity provides an emerging revenue growth opportunity.