A survey of UK-based cyber lawyers has revealed what many legal leaders consider to be the key cyber security risks they expect to face in the next 12 months. It also highlights how some organisations' cyber-focused priorities may not match the threats they face.
Respondents identified aged data stores, inadequate policies and procedures, poor executive engagement and reliance on third parties as the most likely causes of a cyber incident.
Despite these fears, just 35 percent are reviewing the security or privilege settings applied to important or sensitive data and just 20 percent of respondents claim their organisation has a Board member with specific cyber expertise.
Most respondents also suggested that the threat of cyber-attack has increased materially over the past year. Perhaps as a result, respondents reported unanimously that their organisation has cyber-specific insurance in place. Additionally, whilst it is encouraging that almost two-thirds (65 percent) include their legal experts as part of a crisis response team, most respondents admitted that their organisations do not have a specific legal cyber incident response plan.
"Many organisations will have incident response and crisis management plans in place that recognise the support that legal teams will need to provide during incidents and that they will need to have a seat at the table. Yet, in many cases, that's where it ends. The question then is whether the legal teams themselves know what they'll need to do," says Andrew Moir, partner and global head of cyber and data security at Herbert Smith Freehills.
Respondents were asked what cyber priorities had been identified by their organisation. Amongst the top answers were 'reducing data footprint' and recruiting personnel with relevant experience and expertise. Some acknowledgement was also given to addressing third-party risk and educating Board members about the importance of cyber security.
"Any organisation that has suffered a cyber-attack or data breach will tell you that it throws a spotlight on the organisation’s data footprint. It means that better education about - and implementation of - document retention and destruction policies are vital to appropriately mitigate cyber risk and data loss," adds Miriam Everett, partner and global head of data and privacy.
Against this backdrop, respondents indicated that more should be done to help them in the event of a cyber-attack. Asked what this meant, most highlighted a need for more support and better-directed initiatives from regulators. Some noted that this could include guidance on integrating cyber risks with other types of risk.
Peter Dalton, partner in Herbert Smith Freehills's cyber and data security practice, concludes: "When it comes to an organisation's security strategy, regulators emphasise that it is critical for the Board to take responsibility for key decisions surrounding posture and strategy. Regulators expect to see active engagement from Boards on cyber security strategy and governance. Legal teams should ensure that the Board regularly receives cyber and regulatory briefings, and is pro-active in setting the strategic direction of the organisation in relation to its cyber and data security posture. Then the Board needs to have sufficient oversight to ensure it is effectively implemented throughout the organisation."