
Out-Law News

In-house legal and cyber experts must work together on cyber risk

As cyber threats put increasing pressure on in-house legal heads, it has become critical for legal and cyber security experts to work together to protect organisations from the growing risks of cyber attacks, an expert has said.

Cyber crime is one of the top three concerns for chief legal officers, according to a recent survey by the Association of Corporate Counsel – in which 37% of the participants identified it as their biggest worry. The survey results formed part of a report by the Financial Times (FT) on the critical role in-house lawyers can play in protecting the business.

Christian Toon, a cyber security expert at Pinsent Masons, said that the FT report underscores how closely legal and cyber security efforts must be aligned to safeguard organisations against sophisticated cyber threats.

“In-house counsel and cyber security leadership should come together to address cyber risk. In-house legal teams should have a strong cyber legal partner to support them in this space, because it’s something the organisation can’t afford to get wrong,” he said.

The report noted that the proportion of financial sector organisations hit by ransomware rose from 55% in 2022 to 64% in 2023. In response, in-house legal teams have been actively participating in cyber attack simulation exercises to prepare for potential incidents, and are involved in decision-making on whether to pay a ransom.

Staff training and ensuring compliance with increasingly complex regulations are two other areas where in-house teams are playing a bigger role, according to the report. It said that mandatory cyber security training for employees has become common in many companies as a way of reducing exposure to attack, and that legal and cyber security teams are increasingly working together on a range of fronts.

On the compliance front, as the report highlighted, the role of in-house legal counsel has become more significant and proactive in implementing an ever more complex array of global cyber security regulations. Beyond the direct financial losses, cyber incidents are frequently subject to mandatory reporting obligations; failures in protection or in timely reporting can attract substantial regulatory fines and may also result in litigation from customers affected by the incident.

For example, across the EU, financial institutions and their ICT service providers are taking steps to ensure that their ICT risk management, security incident handling and incident reporting processes and controls meet the requirements of the Digital Operational Resilience Act (DORA), which applies from 17 January 2025.

In the UK, the government is also working to update its cyber security frameworks. The Department for Science, Innovation and Technology (DSIT) has consulted on a Cyber Governance Code of Practice, aimed at strengthening board-level governance of cyber risk and improving cyber resilience among UK companies. Separately, in the US, the National Institute of Standards and Technology (NIST) has recently updated its Cybersecurity Framework (CSF 2.0), guidance that helps businesses assess their cyber security posture using the concepts of organisational profiles and tiers.
