Drawing on responses from 617 in-house counsel at 412 companies in 33 countries, the Association of Corporate Counsel (ACC) ‘State of Cybersecurity Report’ sets out best practices for preparation, crisis management, and breach response, as well as how companies are responding to a rapidly evolving regulatory climate.
Cybersecurity threats on the rise – a ‘new normal’?
Regardless of industry, location, company size, or type, security incidents can happen anywhere, at any time, to anyone. According to the Identity Theft Resource Center (ITRC), there were more data breaches in 2017 than in any previously recorded year, a 45 percent increase over 2016. In fact, 32 percent of in-house counsel surveyed have worked or currently work at a company that has experienced a data breach, and the latest results indicate that these breaches have been getting larger: according to the Ponemon Institute, the average size of a data breach increased by 1.8 percent.
As a result, and broadly across all regions surveyed (Asia Pacific, EMEA [61 percent], Australasia, US, and Canada), an increasing number of companies are allocating more financial and physical resources to cybersecurity than they did in 2017. When asked whether their company is allocating more, less, or the same amount of budget to cybersecurity compared with one year ago, 63 percent said more. The share of respondents reporting that their company is allocating more money is 8 percentage points higher than two years ago, the last time ACC conducted a cybersecurity survey.
GDPR causing widespread change in security standards
An earlier 2018 ACC ‘Chief Legal Officer Survey’ found that data breaches and the protection of corporate data continued to be a major concern for chief legal officers (CLOs).
Findings from the ACC Cybersecurity report show that, with GDPR in force as of 25 May 2018, more than 40 percent of respondents say their company plans to review and change its data security standards (47 percent), breach notification procedures (45 percent), and incident response plans (43 percent) to meet the standards set by the regulation.
The obligation to comply with the EU GDPR varies significantly by geographical location. Thirty-nine percent of respondents work at companies required to comply with GDPR. Fully 94 percent of EMEA companies are required to comply, compared with less than half in each of the other four regions surveyed. Larger companies are also more likely to be subject to GDPR than smaller companies. Two industries, IT/software/internet-related services and manufacturing, have more than 50 percent of companies required to comply with GDPR.
Corporate counsel expect their roles to increase
Many in-house lawyers expect their role in cybersecurity prevention and response, as well as their influence on cybersecurity budgets, to grow over the next 12 months. In fact, 63 percent of respondents noted growth in company funds dedicated to cyber incidents, compared with 53 percent in 2015. Chief legal officers and general counsel at large companies are also more likely to serve as members of a data breach response team (90 percent) than those at smaller companies.
Broken down by industry, in-house counsel in the professional, scientific, or technical services industry are the most likely to hold an organizational cybersecurity leadership role (48 percent), compared with their counterparts in other industries, such as finance and banking (32 percent) or not-for-profit organizations (36 percent).
Company-wide preparation and awareness is vital
A data breach response plan and a team ready to execute it are vital in mitigating the risks and costs of a cyberattack. One can label the increasing occurrence of data breaches ‘a new normal’; yet, while cyber threats and data breaches may be inevitable and inescapable, companies still need to be proactive in mitigating both the threats and the attacks that actually occur.
Some 29 percent of respondents say their company retains a forensic firm to assist if a breach occurs; however, over half report that their employers do not retain such a firm. Four in 10 respondents report that their organizations conduct a company-wide cybersecurity audit annually.
Six in 10 respondents say their companies maintain a data breach response team, and 90 percent of those teams include a member of the legal department. Two-thirds of organizations have a data incident response plan, with larger companies more likely to have one than smaller companies. Among companies that have a data incident response plan, 79 percent updated it within the past 12 months.
Training employees and testing their knowledge is also common good practice. For example, 61 percent of respondents report that their organizations have mandatory cybersecurity training for all employees. Almost half (46 percent) report that their companies track mandatory requirements and attendance for all employees as a way of evaluating preparedness at the employee level, and 36 percent report that their company tests employee knowledge of the training. With malware/phishing (36 percent) and employee error (20 percent) the leading causes of recent data breaches, employee training is a small but essential step towards preventing them. While much of an in-house lawyer’s cybersecurity focus leans towards response, involvement in the prevention phase may go a long way towards ensuring that a response is never needed.