Dixons Carphone: hackers attempted to steal 6m card records at the UK electrical goods retailer in June © Bloomberg

In one of the US’s most serious cyber breaches, hackers last year stole the records of more than 140m customers of Equifax. The credit reporting agency’s stock fell 14 per cent on the day and it has since faced a wave of lawsuits and regulatory investigations.

This month, shares in Dixons Carphone fell 6 per cent after an attempt to hack almost 6m card records at the UK electrical goods retailer.

Such breaches demonstrate that companies must do more to protect their digital assets, and show the high cost of failing to do so.

In-house lawyers provide a crucial line of defence in assessing, managing and mitigating legal and regulatory risks. As digital technology permeates businesses and hackers find new forms of attack, however, the job has become tougher.

“It’s an arms race,” says Rob Booth, general counsel of the Crown Estate, which runs a £13bn property portfolio on behalf of the UK monarchy.

58: Percentage of legal departments closely involved in responding to enterprise-wide data security risks, up from 11% in 2015

He says the danger of cyber breaches extends beyond the loss of business secrets and data to broader reputational damage and loss of trust: “The moment people lose that trust, your ability to partner and collaborate is undermined.”

Other general counsel have similar concerns. Some 72 per cent of legal departments put cyber threats at the top of their risk agenda, citing concerns about privacy and data security in particular, according to Grant Thornton’s 2017 Corporate General Counsel Survey of companies around the world.

Richard Buchband, general counsel at recruitment company ManpowerGroup, says the threat is “considerably greater today . . . With GDPR [General Data Protection Regulation] now in effect and many high-profile situations at other companies, those are attracting attention in the general counsel community.”

Mr Booth, who also takes responsibility for all information risk for the Crown Estate, says it receives millions of exploratory hits a week: “There are highly motivated people out there ranging in sophistication from the hacktivist to nation-state attacks,” he says.

He likens the nature and volume of the attacks to Hydra, the many-headed serpent in Greek mythology: “There are so many different directions they can come from and methodologies people will try to use to get into the system.”

As technology becomes more integral to businesses, their legal teams must strike a balance between helping the company keep up with rivals in digital applications and limiting the risk of a breach.

Jennifer Daniels, group general counsel at Colgate-Palmolive, says one of her most crucial tasks is to ensure that the consumer goods group “can adapt to changes in business, whether it be blockchain, artificial intelligence, robotics or the platform economy”.

Yet in-house lawyers know that technology also brings with it vulnerabilities and are alive to the growing threat. The Grant Thornton survey found that 58 per cent of legal departments were closely involved in responding to enterprise-wide data security risks, with almost a quarter having primary responsibility for managing these risks. This is an increase since 2015, when just 11 per cent of respondents reported having primary responsibility.

While shoring up technological “perimeter defences” is part of the response, Mr Buchband also worries about the vulnerabilities of humans when they are exposed to “social engineering”. This refers to hackers using techniques such as phishing, where seemingly genuine emails trick people into giving up their confidential information.

“One of the ways we can protect against that is through enhanced training,” he says. “And that fits in very nicely with the GC’s core areas of responsibility around ethics, compliance and training, which at ManpowerGroup is under my oversight.”

Corporate lawyers generally are implementing a range of measures to improve cyber security. In the Grant Thornton survey, most said they were adding data security policies or augmenting existing ones (72 and 62 per cent respectively). Almost 60 per cent said they were introducing monitoring programmes and more than half were implementing training and incident response plans.

Mr Booth at the Crown Estate advocates a combination of measures. These range from technological defences to online learning programmes and human resources, with an individual in every team assigned specific responsibility for information security.

The strongest form of defence is behavioural, says Mr Booth: “The best protection is to have a culture within your organisation that’s sophisticated enough to recognise a threat when it’s there and is diligent in reporting and passing on information.”

Nor is it sufficient merely to ensure that security practices are adhered to within a company’s own operations, especially when external partners are handling large amounts of its sensitive commercial data.

“Cyber security doesn’t stop at the door of your building,” says Mr Booth.

Copyright The Financial Times Limited 2018. All rights reserved.