5 Ways Legal and Cybersecurity Teams Should Collaborate
The role of the legal department shouldn’t be overlooked when it comes to enhancing the resilience of the security profile for any company or business. Legal and cybersecurity teams need to work more in concert to bring their expertise and talents to bear on the complex and always evolving world of information security.
Typically, legal and cybersecurity (or IT) departments have been siloed from one another in organizations both large and small. But the need to change that has grown as rapidly as the ever-evolving digital environment itself.
It’s more important than ever for Chief Legal Officers and their teams to engage and develop relationships with CISOs, reach out to IT teams and keep a pulse on all things cybersecurity related to better handle their responsibilities. Legal’s role (in most organizations) is to report to the Board of Directors and/or enterprise risk management teams about the threats present, their potential impact, and the mitigation measures needed to answer them. Legal’s role is to arm decision-makers with what they need to know.
It’s a role that has become more important. The SEC has detailed new cybersecurity rules to this effect, including three primary requirements in the new set of guidelines:
Adding cyber expertise to the board
Disclosing the board’s role in cyber risk oversight
Disclosing “material” cyber incidents
With these stipulations, it’s clear that legal and cybersecurity teams need to intertwine more than before. Today we’re discussing five areas where legal teams need to become more involved with their organizations’ cybersecurity efforts.
1. Third-Party Risk Management
Vulnerabilities throughout the supply chain, whether from vendors or partners, are a major concern for cybersecurity teams. A breach there could impact your organization. Managing effective relationships throughout your network starts with legal and its oversight of the procurement process, contract review and the development of standard contractual clauses.
Legal needs to know what to look for and what to include in contracts as part of third-party risk management. Which clauses are necessary to ensure data security? Where are your organizational liabilities? What are the security ramifications? What’s the review process for the potential partner’s security ecosystem? Working with IT and security to nail down the language and specifics in these arrangements is critical.
2. Data Compliance
Legal should have a firm grasp on the framework your organization uses to handle data. When was the last time the data policy on your company’s website was updated? Are you familiar with new and emerging data privacy regulations, like General Data Protection Regulation or the California Consumer Privacy Act?
Working closely with your security team will help add context and detail to these issues. Legal teams need to understand their organization’s data policy comprehensively, and be able to provide proof that the organization is demonstrating and upholding everything in that policy.
3. Data Governance
You have a policy for data compliance, but do you know the ins and outs of how that data is stored, handled and what becomes of it once a vendor or partner relationship ends? Because of liability issues, every business needs to understand what data inside their environment has regulatory compliance or contractual obligations attached to it.
Legal should be able to answer those questions and more. Where is the data stored, where is it processed, who ‘owns’ it, how is it handled? Understanding encryption and handling requirements gives clear visibility into how the data is ultimately secured.
4. Incident Response
Incident response is often viewed as strictly an IT responsibility, but legal teams should be involved with any incident response team. Legal provides coverage of several critical elements in incident response and needs to lead the way in a number of specific areas.
Legal should make the ultimate determination of what defines a data breach and how it interacts with any cyber insurance policies in place. If one is judged to have occurred, what are the legal obligations and ramifications? Legal should have a firm handle on who needs to be notified — customers yes, but also which authorities and employees — and should be at the forefront in crafting the organizational response.
5. Security Awareness Training
As with any organizational educational effort, legal should have a big role in developing an effective program to educate their employees both on cyber security practices and regulations or trends specific to their industry. Working with the security team, legal can implement a training program that ensures everyone is aware of the potential risks and covers essential points governing contractual, regulatory and compliance obligations.
For instance, organizations in the healthcare industry (or adjacent to it) should consider HIPAA compliance in their cybersecurity training efforts, or add a module covering it. The legal department itself should be aware of the many phishing ploys that have a legal connotation — such as patent trolling — that could end up on its plate directly.
Align Your Legal and Cybersecurity Teams with Inversion6
From fractional CISOs to full-service MSSP services, Inversion6 has decades of experience as a risk management solutions provider that helps organizations define strategy, deploy the right technology, and protect them from the digital disruption facing every business.
Our team of experienced CISOs has extensive backgrounds in communicating with business leaders and always presents security questions through a lens that makes sense to you. From guiding CEOs on what they need to know to helping CFOs gauge the pros and cons of cyber insurance, our team will give you the concise and relevant details to inform your decisions.
Legal teams and their leaders need grounded, factual information to provide to their own board or enterprise risk management teams. At Inversion6, we always provide the unvarnished truth about your cybersecurity risk:
What the risk entails
The likelihood of an incident related to that risk
The impact of a potential incident
And how to mitigate the threat
Connect with Inversion6 for more insight into how you can align your legal and cybersecurity personnel to strengthen your security profile and provide your business leadership with the information it needs.