General Counsel / Heads of Compliance

What is the role of Heads of Compliance on cybersecurity?

General Counsel and Heads of Compliance play a critical role when there is a cybersecurity issue. Along with communications professionals, these roles ensure that the Board is well positioned to make the best decision by providing independent counsel on the implications of the options in front of it.

The three phases of cybersecurity (before, during, after) require different inputs from an organisation’s most senior lawyers and risk managers. Now that cyber risk is ranked as the number one risk to business, it needs to be high on the agenda of the GC and compliance team.

In our experience, the best thing to do is get broadly ready for how you’ll respond to a cyber issue, and then tailor your advice to the specifics of the incident.

The phases of cybersecurity and the role for lawyers and compliance
Before

Understanding the particular compliance requirements that apply to data in your organisation and industry will help inform which products and services to deploy. Understanding how those products and services work will allow you to decide whether they meet those requirements: for example, where are the servers hosted? How is data stored? In our experience, lawyers and compliance leaders can add a great deal to the selection of the right cybersecurity product or service, as long as they are brought in early in the process.

Compliance and legal will also help shape your scenario plans. A dry run of a cybersecurity incident will throw up the kinds of challenges and tensions you are likely to encounter when an issue arises in real life. There will always be a healthy, natural tension between compliance and communications, but it is best to know where it lies ahead of an incident.

During

If a cyber incident affects your organisation, you will need to be at the heart of the decisions that will have regulatory and other implications. You are best positioned to know what has to be reported, when, and to whom. You will also be able to counsel on the courses of action available. The work done in this stage is often the bedrock of your recovery from the incident. Regulators want to know that you did the best you could given the circumstances, so making the right moves at this stage is essential.

After

Cyber incidents have a long tail and stakeholders have long memories. Some organisations have adopted a ‘lessons learned’ approach to their own data breaches and used it to lead their markets. What will your recovery plan be? Compliance will take you only so far – how will you thrive post-incident? How will the legal team and compliance work to drive the organisation forward?

Security solutions tailored to your specific needs

For SMEs

We provide products for start-ups and smaller accountants, insurers and retailers, medium-sized law firms and financial services companies, for schools and biotechs.

For Enterprises

We’re trusted to solve cyber-security for major organisations across the public, insurance, financial services, legal, pharmaceutical and accountancy sectors.