IT Brief Australia - Technology news for CIOs & IT decision-makers
Australia
Guides
#
artificial intelligence
#
digital transformation
#
disaster recovery
#
internet of things
#
work from home
Search
Story image
#
Advanced Persistent Threat Protection
#
Compliance
#
Cybersecurity
Rise of cyber risk changing role of lawyers - study
Tue, 19th Sep 2023
Author image
By Catherine Knowles, Journalist
Follow us

Australian organisations face a rapidly evolving cyber threat landscape. While legal risks see lawyers on the front-line of defence, 38% of lawyers surveyed have not participated in a cyber crisis simulation and only 19% have a legal-specific incident response plan. There is an increasing concern that this represents a gap in preparedness.

These are the findings from a new report from global law firm Herbert Smith Freehills titled 'Cyber Ready? Australian Businesses Rise to the Challenge', which explores the impact of cyber incidents and the changing role of lawyers. The report analyses a landmark survey of over 120 legal leaders from Australian businesses, including more than 80 General Counsel.

Scanning commentary of the cyber threat landscape, Herbert Smith Freehills partner Cameron Whittfield, APAC Head of Cyber Security, says that as businesses build their cyber resilience, Australia's relative wealth and commitment to digitisation makes it a target for the next wave of cyber threat actors.

Whittfield explains, "Although the views of boards and CIOs have been shared widely, our survey results reflect the views of legal leaders who have a clear line of sight across the organisation, including the board."

"In-house legal leaders are attuned to managing risk and are often front-and-centre in any cyber crisis. They are a sound bellwether for risk."

"Australian businesses and their boards have never been under more scrutiny about their cyber resilience, as they respond to cyber security threats, compounded when many are responding to a dynamic and shifting business and regulatory environment."

Empowering legal teams

The report explains that for lawyers to effectively respond to cyber-attacks, they need to be empowered and activated to manage digital risks they need to be part of the preparatory work and be prepared for the myriad of legal issues that will unfold at pace.

"Many companies are preparing for attacks in ways that do not actually reflect the way the attack plays out," Whittfield adds.

The legal and regulatory risks are significant and acute. In our experience, the lawyers are front and centre when a cyber crisis unfolds. In fact, they often play a breach coach role, coordinating the response.

The survey respondents report on the balance of responsibility and incident response, and show a fundamental shift, with the incident response moving from IT professionals to lawyers, who are experienced in managing risk and crisis response.  

Whittfield explains, "In the first 24 hours, you don't want to be educating key internal stakeholders or building the plan as you execute it. Significant benefits come from clearly defined roles. Increasingly, as lawyers take up the role of breach coach, they are coordinating the response."

Positively, 58% of respondents have someone in their legal team specifically tasked with cyber and data issues. I am sure this is a material change from how legal teams used to be made up.

Pressure on boards

The report reflects on the role of regulators, who have sent directors a clear message on cyber resilience as threats increase. Survey respondents noted that their boards are bolstering cyber defences with three quarters of respondents saying their boards have been educated about cyber risks in the last twelve months, and one third with cyber expertise on the board.

"Expertise for the board is less about who sits on the board, than the information they are getting and the processes they are following. Boards need to understand the risk and the companys security posture, and based on this they can set the companys risk appetite. Understanding the answer to a question is as important as the question itself," Whittfield says. 

Boards have the most impact in the preparation phases. Effective preparation enables an organisation to fulfil its legal obligations, limit regulatory and litigation risks, as well as to protect individuals and shield a company from reputational damage, the study shows.

Whittfield continues, "We were somewhat surprised that many boards were still to run a cyber crisis simulation. Respondents confirmed that almost one-third had not held one, and a further 25% of respondents were unable to confirm one way or the other."

"This shows two things, the first being that boards have some work to do here. But we also appear to have a disconnect between actual cyber-attacks where the lawyers are often front and centre, and the preparation for these where the simulations are not being done or the lawyers are not involved.:

The survey shows that many boards are yet to form a view as to whether they would be open to paying an extortion demand, and two thirds of the respondents are unaware of their boards position on extortion payment. The researchers state, companies will be faced with this decision, so it remains important for them to assess the threshold question of whether they would be open to payment.

Reducing the attack surface

The report emphasises that one of the best ways to manage the risk of a data breach is to limit the attack surface.

"We must ask ourselves what data are we collecting, why are we collecting it, and when we are finished with it, why are we still holding it," Whittfield says.

42% of respondents remain concerned about their companys data retention practices, indicating that we still have work to do in this regard. It's a very challenging area, with companies looking to revisit and address legacy data collection practices.

This is a matter for legislators too. Many companies are constrained by outdated data retention obligations which do not reflect practices of the modern digital economy.

The survey was conducted between from 2 June to 3 August 2023. The survey was anonymous and promoted widely to leaders of in-house legal teams in Australia.

Related stories
GitHub's 2FA initiative helps secure software supply chain
Kyriba reveals $95 billion currency effect in global liquidity report
CompliantERP tops as 2024 Australian IT Small Business Champion
HP introduces AI-powered personal computers in Australia
AI tools linked to data exposure in 1 in 5 UK organisations
Top stories
Australian businesses fast-track Microsoft cloud adoption amid cyber threats
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Australian emergency services struggle with mobile tech failures