Key Ideas

• The General Counsel and General Counsel’s Office can play an important role in addressing organizations’ cybersecurity risk, both proactively and reactively. Cyber risk is such a dynamic and complex risk area that a GC should embrace the role and see it as an important contribution to their organization.
  
  
• This role differs from and complements the CISO’s role because the GC is consulted on many business decisions that the CISO is often not consulted on, including legal and regulatory compliance, corporate governance, investigations, mergers & acquisitions, contracts with third parties, new product reviews, engaging and terminating employees and contractors.
  
  
• The basic functions that all GC’s Offices should own are following and driving compliance with
  1. rapidly changing legal, regulatory and contractual cybersecurity requirements (which often vary by business sector); and
  2. evolving conditions to protect sensitive information under legal privilege or attorney work legal doctrines.
     
     
• The advanced roles that GC’s Offices should play, including
  1. playing an active role in their organization’s understanding of cyber risks it faces and voicing those risks to senior management;
  2. driving incident preparation including, improving incident response plans and helping to run tabletop exercises;
  3. co-leading incident responses with the CISO during breaches;
  4. leading post-breach assessments; and
  5. overseeing proactive cyber risk assessments.
     
     
• By playing these roles actively, the GC and GC’s Office can significantly improve the cyber risk posture of their organizations.