Australian in-house counsel leaders call for improved legal cyber security processes
A survey of over 160 in-house legal leaders found that 80% of respondents felt that the cyber threat to their organization has increased in the last 12 months. In their Cyber Risk Survey, the global law firm Herbert Smith Freehills reported that Australian companies are grappling with cyber resilience, with preparatory measures still needing improvement. A reported 58% of legal leaders believed their company would only seriously improve data risk management following a cyber attack.
Taking a proactive approach by enhancing cyber security posture can protect an organization from a range of potential risks, including phishing attacks, insider threats, data breaches and ransomware attacks. And, as the perceived cyber threat continues to rise, the legal department is front and centre of the response.
Why has the perception of risk increased?
Australian organizations are becoming increasingly concerned with cyber risk, according to the report. Evolving technological capabilities, increasing data volumes and a growing number of complex transactions with a plethora of third parties mean businesses’ supply chains are subject to growing cyber vulnerability.
The areas where they can be attacked have broadened and become harder to spot, and the majority of respondents are now concerned about class action risk. Many are anxious about the real prospect of regulatory intervention and lasting harm to their reputation.
This report comes almost a year after the release of the Australian Government’s 2023–2030 Cyber Strategy, which prioritizes critical infrastructure protection, client data security and regulatory compliance. The aim is to position Australia as a global cyber leader by 2030.
In July 2024, the Department of Home Affairs admitted minimal progress in improving public sector cyber security under the Horizon 1 Action Plan. But the government has shown commitment by appointing an Expert Advisory Board, establishing a National Office of Cyber Security, introducing legislation to boost information sharing and mandating ransom payment disclosures.
Top 3 aspects of cyber risk causing the greatest concern
Reputational risk
The surveyed organizations are most concerned about reputational risk. Reputation is intrinsically linked to a business’ survival, and a vital task for boards is putting the company in a strong position to withstand reputational damage in the event of a cyber incident.
Businesses must be prepared to make difficult judgment calls in the aftermath of an incident. According to the report, a “good response” incorporates accountability, transparency and empathy — guiding principles in protecting reputation and reestablishing trust. In-house counsel play an integral role in framing disclosures and disseminating accurate information, with values-based communications undeniably connected with a company’s public license to operate.
Third-party risk
Second only to reputational risk in the key cyber concerns identified by respondents was third-party risk. Taking into account the interconnectedness of business relationships, it’s not just the companies you work with directly you need to consider — it’s also the companies they deal with, their business partners, and so on.
Many organizations share sensitive business information with third and even fourth-party service providers while conducting business. When looking at third-party risk, it is vital to understand how data is shared and managed by these external parties. Building a robust supply chain includes thorough due diligence, comprehensive onboarding and enforceable standards in supplier contracts.
Underinvestment in systems and infrastructure
When considering cyber threats, the third most significant concern for the legal leaders surveyed is underinvestment in systems and infrastructure. Herbert Smith Freehills reports that many incidents could have been avoided with basic IT hygiene. Keeping software updated by swiftly rolling out patches and deploying company-wide multi-factor authentication systems lowers the number of vulnerabilities cyber criminals can exploit.
This is affirmed in the latest Australian Signals Directorate Cyber Threat Report 2022-2023, which encouraged organizations to adopt regular cyber hygiene measures, such as using cloud services. Moreover, the Australian government’s cyber security reforms stress the accountability of business leaders for strengthening their infrastructure, particularly cyber security in the legal sector, which handles sensitive data.
Is cyber security solely an IT risk?
The IT team and associated experts play an undoubtedly critical role in building cyber resilience and addressing incidents. Of those surveyed, 79% reported that they see cyber security risks as owned by their Chief Information Officer (CIO) or Chief Information Security Officer (CISO), an understanding reflected in their strategies. The report states that, in the past 12 months, the top three cyber risk priorities have been:
- Updating IT security infrastructure.
- Updating relevant policies, procedures or response plans.
- Staff engagement and/or education.
These strategies fall directly under the responsibility of an organization’s IT security department. Although both the report and its respondents believe cyber security is, at its core, an IT risk, putting IT at the centre of cyber resilience can be a hindrance. Over-reliance on the IT team can result in gaps in the enterprise-wide preparation needed to face cyber threats. As with any other risk, boards, executives and legal leaders need to understand cyber security so they can contribute to discussions and respond to threats meaningfully.
The evolving role of legal teams in addressing cyber threats
Evident in Herbert Smith Freehills’ survey last year, and reinforced in 2024, senior counsel are increasingly at the forefront in the immediate aftermath of an incident. When evaluating the operational impact of a security breach, reviewing compromised data, ensuring regulatory compliance, drafting communications and helping the company engage with stakeholders, legal expertise is integral.
But in-house counsel rarely double as an organization’s legal cyber security team and are therefore not responsible for implementing the technical standards that improve their company’s cyber security posture. Rather, they can monitor the legal risks to ensure their business complies with its legal obligations.
The importance of legal advisers in a cyber crisis is not lost on many survey respondents. Should a cyber incident occur, 75% regard the legal department as “central” to the business’ crisis response. That being said, over 80% of respondents do not have a legal team budget dedicated to cyber risk and 59% do not have a specific legal cyber incident response plan in place.
Cyber processes still need work
Despite growing concerns surrounding legal industry cyber security, the survey’s data reveals that many companies are still not engaging in essential preparatory efforts. One of the most striking revelations was that 58% of respondents indicated it would take a cyber attack to spur their organization into meaningful improvements in data risk management. But, as the report pointed out, preemptive actions are required. Robust cyber security measures are needed to proactively detect and respond to cyber risks.
Dedicated incident responders
Among the concerns raised by survey respondents was a lack of expertise within in-house counsel. Only 14% of companies have a resource in their legal department specializing in or dedicated to cyber security and data management.
That said, Herbert Smith Freehills argued that a dedicated in-house team member might not be the most efficient way forward. Rather, a trusted external adviser could support a more effective incident response, especially if their expertise derives from cross-disciplinary experience. However, the use of a preferred adviser must be managed in the context of any insurance policies, and 80% of respondents said they would not engage any law firms from their insurer’s panel, with cited issues including concerns about independence and conflicts of interest.
Simulated cyber incident
Simulating a cyber incident in a lifelike environment is a key way to comprehensively test a company’s incident response capabilities, according to the report. Participants have a risk-free opportunity to determine roles and responsibilities. They are able to practise delegations and decision-making, and gain insights into weaknesses in their organization’s cyber resilience.
But in spite of that, the survey states that some companies are still only paying attention to cyber preparedness when an attack occurs. Although 70% of boards have been educated about cyber risk, only 40% have participated in a simulation exercise. Meanwhile, over half of legal teams have never participated in a cyber simulation.
Data management in the spotlight
Understanding your organization’s data footprint and identifying vulnerabilities is vital. Immediately after a data breach occurs, companies are faced with the challenge of detecting and analyzing compromised data. Achieving data accuracy is therefore critical, yet only 27% of the survey’s respondents reported satisfaction with their organization’s data collection and retention practices.
During cyber attacks, where time is of the essence, understanding your information repository and being able to isolate and extract data is especially important. And as many businesses that have experienced large-scale data breaches know, too much data can be an encumbrance. According to the report, 75% of organizations are taking steps to review their data collection and holding practices, while 78% are focusing their efforts on reducing aged data stores.
How Dazychain can help your team address legal industry cyber security threats
Dazychain is here to make life easier for legal teams while keeping sensitive information secure and helping to protect your organization’s reputation. With Dazychain, you can give external legal firms structured permissions to access the information they need. Our software stores all your communications and documents in one place, so there’s no need for third-party platforms that can complicate things.