In May, the Association of Corporate Counsel (ACC) Foundation released its “State of
in-house lawyers (based in 33 countries), the report also includes many comments from the respondents. Amar Sarwal, ACC’s chief legal officer and senior vice president of advocacy and legal services, agreed to dig into the data and help us understand what it tells us.
Legal BlackBook: When did the Association of Corporate Counsel first start releasing cybersecurity reports, and how many have there been (including the one you’ve just put out)?
Amar Sarwal: ACC released its first global cybersecurity report in 2015, responding to heightened interest from our members and their stakeholders. This year’s edition is the second in the series. On the basis of these reports, ACC has now conducted two Cybersecurity Summits, and it has weighed in on the advocacy front as well. And, given the significant burden that data security issues impose on day-to-day in-house practice, ACC is likely to do quite a bit more.
LBB: This report is full of interesting statistics. What statistic surprised you the most?
AS: According to the feedback from our in-house counsel respondents, boards of directors don’t seem to be requiring updates on cybersecurity issues as regularly as prosecutors and regulators would prefer. Government officials and other stakeholders believe that more board involvement would ensure that the pressing need for data security would be more effectively addressed. In my view, the jury is out as to whether that sort of top-down approach would work, but there’s little doubt that regulatory officials at every level have been insistent about boards taking closer hold of the reins.
LBB: If you were a new general counsel at a small to midsize company, what would you focus on first, as you assessed your new company?
AS: On page 28 of the Executive Summary, the report provides a self-assessment tool that canvasses the various best practices in the cybersecurity arena. Ensuring that your new company has made the necessary investments on those fronts is quite critical. Otherwise, your first few years at the organization could get a bit hairy.
LBB: If you were an experienced general counsel at a large corporation, what would grab you?
AS: The same self-assessment tool should benefit large companies as well. That said, highly regulated companies have pressures up and down their supply chains that go way beyond that tool, which would be considered table stakes in their world. Even so, large companies should be quite concerned that smaller and midsize companies aren’t as far along as they need to be—at least with respect to what most consider to be leading practices.
LBB: If I asked you to pick a few statistics that seem to capture the reality we’re facing right now in this area, which ones would you choose?
AS: Three in particular come to mind, none of which should be surprising to your readers, but all of which serve to underscore the importance of the issues you cover. First, one in three respondents indicated that either their current company or a previous employer had experienced a data breach, which likely understates the true number of breaches, as many victims have little idea that bad actors have been successfully penetrating their defenses. Second, amidst this onslaught, two-thirds of in-house counsel expect to see the legal function’s responsibilities in the cybersecurity sphere to increase over the coming years.
I’m not sure that it’s a good idea to rely too much on legal—and, in fact, one could argue that the growing effort to do so is a reflection of the inability to solve the problem otherwise. Nevertheless, there is little doubt that many companies expect their general counsel to understand access control mechanisms as well as they might understand how to shepherd an important business transaction or regulatory investigation. Finally, and fortunately, hand in hand with this increased responsibility is an expectation by two-thirds of respondents that budgets devoted to cybersecurity issues will increase over the next year. Of course, more resources are certainly necessary, but companies should take care not just to throw money down rabbit holes.
LBB: Do you see grounds for optimism in any of the survey’s findings?
AS: Thanks for the great question, he mumbles sarcastically. While I generally agree with Andy Dufresne, who reminded us in “The Shawshank Redemption” that hope is a good thing, I think we’re still in the early stages of this epidemic. Our enemies are far more nimble than companies or governments. It will take a sea change in attitudes or approaches on a variety of fronts to make me more optimistic—a sea change that’s simply not reflected in our report, or any other of which I’m aware.
LBB: One statistic that was surprising and disturbing was the number of times respondents chose “don’t know.” It was understandable—even predictable—that they would choose this for many questions about the EU’s new General Data Protection Regulation. And they did. But overall, 25 percent also answered that they don’t know if third-party vendors are generally required to cooperate with them during investigations of cyber incidents [p. 81]. And 39 percent don’t know if their company conducts security audits of vendors [p. 82, 23]. What do you make of this?
AS: Great point! It’s a constant, and disturbing, theme in this report that can be somewhat explained by the fact that not all legal departments are involved in assessing, monitoring or addressing cybersecurity risks and threats. Instead, their companies expect other functions to take the lead, to the exclusion of legal. Either way, it’s simply not a good thing in this environment not to know the answer to those questions.
LBB: You also included lots of interesting comments from respondents. Which three did you find most noteworthy in response to the question “What is the most important thing you wish you had known before the breach that you know now as a result of your experience?” [p. 88]?
AS: The comments are quite enlightening, generally conveying the sense that companies are not yet fully equipped to deal with these issues, particularly in terms of how the organization is structured or designed, but also in understanding how to deal with the actual nature of the threat. Though there are many, three noteworthy comments would include the respondent who noted that her client had a policy prohibiting the use of unencrypted drives but had never audited for compliance; the respondent who mused that ex post fines were 10 times the amount of what would have been effective ex ante measures; and the respondent who reminded us how difficult it can be to get senior leadership to understand the underlying issues and devote adequate time and resources to addressing them.
LBB: What were some other comments you found particularly revealing?
AS: One of the most powerful comments in the report comes from a respondent who wishes that the Secret Service had informed them of the breach more contemporaneously, rather than almost two years later. That respondent quite appropriately suggests that the company would have been able to mitigate the harm, had it known sooner. Government officials and other stakeholders need to end their more adversarial approach and instead recognize that we’re all in this together. Of course, punish the bad actors—those companies that don’t even meet a minimum level of preparedness. But it is also important to find ways to support good companies that are trying to do their best.
Beyond that useful reminder, there were many, many comments about the importance of employee training. And, to a point, I agree—modern professionals need to be cognizant of data security risks. But I think it is grossly optimistic to expect training to yield a significant impact. Most employees have far too much on their minds to keep the latest and greatest in phishing attacks front and center. Instead, organizations need to deeply understand how information flows within their business model and ensure that there are impenetrable guardrails around those flows.
LBB: On June 1, you will be leaving ACC after an eight-year run. As you consider the challenges that general counsel have faced during your tenure, where does cybersecurity rank? Is it among the more demanding risks that have confronted them?
AS: Maintaining the confidentiality of important customer, employee or commercial information definitely ranks at or near the top of challenges that general counsel have faced. That said, I’m not a big fan of the hype machine. Over the past two decades, general counsel have been confronted with multiple instances of fraud that go to the heart of the underlying businesses or the apparent difficulty in navigating the international business environment without violating the Foreign Corrupt Practices Act, among many, many other things. It’s never really been an easy job.
As for myself, going forward, I will be a stay-at-home dad with my five children.
Also not an easy job.