Firms overlook key cybersecurity partners

Just 38% of companies say they are at least somewhat confident that their leaders grasp all the risks technology poses, a report from Hogan Lovells finds.


Firms are well-acquainted with the risk of a data breach, and the investigation and litigation that follow one, but a report from Hogan Lovells shows that not enough are taking action to prevent a breach. The law firm encourages companies to create cross-functional teams that include executives and members of the legal team.

The firm surveyed 550 general counsels, legal team leaders, and executives, including chief information security officers, chief operating officers and chief executive officers. Although 61% say technology is a core part of their growth strategy, almost the same percentage — 60% — take only a minor interest in monitoring technology risk, and just 38% of companies say they are at least somewhat confident that their leaders understand all the risks technology poses, the report found.

Out of the server room, into the boardroom

Hogan Lovells stresses that cyber risk is a boardroom issue. “Major strategic business decisions, such as investing in new technology, can create extra cyber risks and vulnerabilities. Second, regulators increasingly call on board directors to actively oversee technology risks,” according to the report.

The report encourages business leaders to engage privacy lawyers to help them design systems and processes that consider data protection from the start. Only 28% of companies say that they involve a data privacy specialist at the beginning of the decision-making process when they’re considering implementing new technology.


Incident response 

In the event that a company does suffer a cybersecurity incident, small companies are particularly likely to flounder in their response. Only 59% of companies with under $500 million in revenue have an incident response plan, compared to over three-quarters of midsized companies and 98% of companies with more than $1 billion in revenue.


One of the challenges in drafting an incident response plan is assembling a cross-functional team. Most companies — 80% — know they need to get IT involved, and 63% bring in compliance teams. However, fewer than a third include members of their legal teams, and just 14% of companies have executives on their incident response teams.

“Creating a comprehensive plan requires silos to be broken down between management, technology teams, legal teams and privacy specialists,” according to the report.

Members of the legal team should be involved from the beginning to the end of the incident response process, from reviewing disclosures about data use and privacy policies to communications with customers and the media, according to the report.

“If a major breach happens, key regulators will almost certainly need to be informed and, where possible, privilege should be maintained. So legal teams need to be involved in the response from the start,” Hogan Lovells wrote in the report.

Evaluate external risks 

Companies’ own practices are not their only source of risk. Although there have been several high-profile cases of companies exposed to a data breach through a third-party vendor, two-thirds of companies review the cybersecurity practices of only a small number of their suppliers. Just 27% say they review most of them, and only 4% are committed to reviewing all of their vendors’ and partners’ cybersecurity policies.
