
LEARN ABOUT the best practices, organizational roles, and experiences of in-house counsel in more than 800 organizations.

FIND OUT HOW top in-house lawyers mitigate the threat of breaches and safeguard their data.

DISCOVER INSIGHT from over 1,000 in-house lawyers in 30 countries.

THE STATE OF CYBERSECURITY REPORT
An in-house perspective

ACC Foundation


©2016 ACC Foundation. All rights reserved. For more information, go to www.acc-foundation.com. May not be distributed without expressed permission from ACC Foundation.

ACC FOUNDATION: STATE OF CYBERSECURITY REPORT IN-HOUSE COUNSEL PERSPECTIVES

Published by the ACC Foundation.

The ACC Foundation wishes to acknowledge with gratitude the contributions of Ballard Spahr LLP for its underwriting support of the State of Cybersecurity Report.

The ACC Foundation also wishes to recognize the following members of the cybersecurity project advisory group for their contributions to the development of the State of Cybersecurity Report:

Phil N. Yanella, Ballard Spahr LLP
Kim Phan, Ballard Spahr LLP
Edward J. Willey III, Dallas, TX
Kerry L. Childe, Richfield, MN
Neal Dittersdorf, Intersections Inc.
Jandria S. Alexander, The Aerospace Corporation


Atlanta | Baltimore | Bethesda | Delaware | Denver | Las Vegas | Los Angeles | New Jersey | New York | Philadelphia | Phoenix | Salt Lake City | San Diego | Washington, DC | www.ballardspahr.com

Protecting What Matters

Companies process more information about their customers than ever before. And the consequences if that information is lost or inadvertently disclosed can be catastrophic. Our cross-disciplinary team of attorneys helps clients around the world mitigate risk, respond in the event of a crisis, and recover.

• Information Risk Management
• Asset Inventories
• Employee Training
• Transactions/Vendor Management
• Privacy and Consumer Marketing Compliance
• Data Incident Response Plans
• Network Intrusion/Data Breach Response
• Litigation
• Investigations
• Plan Assessment


2 ACC Foundation: The State of Cybersecurity Report, underwritten by Ballard Spahr LLP ©2016 ACC Foundation, All rights reserved.

TABLE OF CONTENTS

Introduction (p. 3)
Key Findings (p. 5)
Project Overview & Interpreting the Data (p. 9)
Executive Summary (full report only) (p. 11)
Industry Trends (full report only) (p. 30)
Overall Results (full report only) (p. 38)
  Top concerns related to cybersecurity (p. 39)
  Experienced a data breach (p. 41)
  Year of breach (p. 43)
  How did you find out about the breach? (p. 45)
  Comments from experienced in-house counsel: What you wish you'd known before breach? (p. 47)
  In-house counsel responsibilities regarding cybersecurity (p. 49)
  Types of data security specialists employed by company (p. 51)
  Location of cybersecurity central operations in company (p. 53)
  Frequency company conducts cybersecurity audits (p. 55)
  Entity conducted most recent cybersecurity audit (p. 57)
  Audit of legal service providers for cybersecurity risk (p. 59)
  Cybersecurity standards used in company (p. 61)
  Cybersecurity policies in company (p. 63)
  Legal department's role on data breach response team (p. 65)
  Cyber insurance (p. 67)
  Amount of cybersecurity insurance coverage (p. 69)
  Confidence in cybersecurity insurance coverage (p. 71)
  Determining the amount of coverage needed (p. 73)
  Expectations for changes in cyber insurance coverage over next year (p. 74)
  Employee training (p. 76)
  Evaluating preparedness at employee level (p. 78)
  Retention of forensic company (p. 80)
  Retention of outside counsel (p. 82)
  Frequency legal department briefs board of directors on cybersecurity (p. 84)
  Preference regarding cybersecurity role and responsibilities (p. 86)
  Expectations of legal department's cybersecurity role over the next year (p. 88)
  Confidence third parties are protecting company from cybersecurity risk (p. 90)
  Confidence outside law firms are appropriately managing data security (p. 92)
  Third party notification requirements (cybersecurity risks/breaches) (p. 94)
  Termination of contractual relationship due to cybersecurity risks (p. 96)
  Termination of pending merger/acquisition due to cybersecurity risks (p. 98)
  Cybersecurity budget allocation trends (p. 100)
  Law department spend changes related to cybersecurity (p. 102)
  Allocation of increase in law department spend on cybersecurity (p. 104)
  Law department budget dedicated to cybersecurity (p. 106)
  First executive officer to be notified when breach discovered (p. 108)
  From whom do you expect to be notified of a data breach? (p. 111)
  Company primary point of contact during a breach (p. 114)
  Company collaborates with law enforcement/other government agencies to address cybersecurity risks? (p. 117)
  How was the system breached? (p. 119)
  Type of information compromised during a breach (p. 121)
  Role of encryption on breach incidence (p. 123)
  Public notice (p. 125)
  Regulatory/governmental notification (p. 126)
  Comments from experienced in-house counsel: Challenges faced in preserving lawyer-client privilege after a data breach and how to navigate them (p. 128)
  Number affected by the breach (p. 129)
  Length of time to resolve breach (p. 131)
  Comments from experienced in-house counsel: Resource most helpful in managing breach response (p. 133)
  Degree of change made to company policies post-breach (p. 134)
  Comments from experienced in-house counsel: Lessons learned and changes made following breach (p. 136)
  Insurance coverage of breach damages (p. 138)
  Best practices: Comments from experienced in-house counsel on best practices to manage cybersecurity risk and/or a breach (p. 140)
Demographic Profile (p. 144)
Glossary of Key Terms (p. 148)


INTRODUCTION

The State of Cybersecurity Report is a special study published by the Association of Corporate Counsel (ACC) Foundation. The ACC Foundation, a 501(c)(3) nonprofit organization, supports the efforts of the Association of Corporate Counsel, serving the needs of the more than 40,000 corporate lawyers employed by over 10,000 organizations in 85 countries. Through the dissemination of cutting-edge research and surveys, the ACC Foundation developed an unprecedented study of the state of cybersecurity in the corporate sector. Considering the increasingly active role general counsel play in cybersecurity strategy, risk assessment, and prevention, this report provides insight from more than 1,000 corporate lawyers. The largest study of its kind, the report aims to serve as a resource for corporations, lawyers, boards of directors, and members of the public affected by one of the greatest challenges organizations face today: cybersecurity.

In an environment where data breaches are largely an inevitability, assiduous preparation is key. Threats to an organization's information security are as varied as they are dangerous. Preventing, preparing for, and responding to data breaches in real time is a chief concern for today's general counsel (GC) and chief legal officers (CLOs), who are increasingly called on to guide their organizations and help thwart such attacks. Knowing common practices, what works, and what your peers are doing is key to benchmarking and planning to protect your company from risk. Straddling business, IT, and legal, today's GC/CLOs are uniquely positioned to engage the multiple stakeholders that a robust data protection regime requires. Execution of incident response plans, protection of privilege, and the compliance and notification requirements arising from a breach are just some of the functions legal is charged with managing when data is compromised or lost. And with one in four CLOs/GC reporting a breach in the last two years,1 the damage and repercussions of major cybersecurity incidents will heighten the legal department's role in strategic planning and risk management as well as in responding to cybersecurity-related incidents.

Consumer exposure and privacy concerns have begun to weigh on government agencies and regulators as well. The Court of Justice of the European Union struck down the longstanding Safe Harbor agreement, which had enabled American companies operating in the European Union to transfer personal data across the Atlantic with little friction. Various data protection bills are working their way through the US Congress, including the Cybersecurity Information Sharing Act recently passed by the Senate. And at a time of tension between the world's largest economies over cybersecurity in general, the United States and China held a cybersecurity summit in September 2015, pledging to ease off the burgeoning Internet arms race. Dealing with the dual demands of breach preparedness and compliance with cybersecurity laws is not trivial; it is no wonder that data security is one of the leading issues that keep in-house counsel up at night.

50% of GC/CLOs want to increase their role and responsibilities when it comes to cybersecurity

1 ACC 2015 CLO Survey, executive summary, page 3. www.acc.com/legalresources/resource.cfm?show=1389460


The 2015 ACC Global Census of more than 5,000 in-house counsel in 73 countries found that in-house counsel considered cybersecurity one of the greatest challenges in complying with laws inside their jurisdiction, just behind privacy concerns, which ranked number one among all concerns.2 In short, data security is top of mind for in-house counsel, and rightly so: data theft is a growing risk. No single metric can capture the immense cost of data breaches, but by any measure they represent a large and growing threat to virtually any company doing business today. The Center for Strategic and International Studies estimates that "the likely annual cost to the global economy from cybercrime is more than US $400 billion."3

The cost per breach rose in 2015 as well. The Ponemon Institute, in its 2015 Cost of Data Breach Study: Global Analysis, found that the average consolidated total cost of a data breach has risen 23 percent since 2013, reaching US $3.8 million.4 The average cost per stolen record has also risen, driven by the mounting financial consequences of losing customers after a security incident, a trend likely fed by high-profile news reports and consumers' growing concern over the vulnerability of their data. Expenditures related to class-action lawsuits, compliance, damages, crisis management, and the forensic work that malicious breaches require have contributed to the rise in cost per compromised record as well.

No form of data is safe. Cybercriminals have come to value data that might otherwise seem difficult to monetize, such as personally identifiable information (PII), because it can be sold to third parties who specialize in exploiting such records. Data thieves now favor data useful for long-term, insidious identity theft schemes over the "smash and grab" credit card plots of yesteryear. Once compromised, it can take individuals years to recover and secure their information, or even to notice that it has been stolen in the first place. Safeguarding PII is therefore vital to maintaining the trust of the general public and regulators.

As more business data moves into cloud storage, attackers have an ever-expanding trove of enterprise data to plunder. The theft of intellectual property (IP) has especially pernicious effects for industries that depend on IP protection. It disproportionately affects market leaders that invest in research and development, and it discourages innovation. Corporations must now contend with increasingly sophisticated and well-resourced actors who target IP-rich organizations, whether for strategic purposes or on behalf of competitors seeking to close the gap in proprietary manufacturing processes.

In keeping with the ACC Foundation's goal of generating the most comprehensive reports of their kind, and of capturing as large a segment of the in-house counsel population as possible, we surveyed mainly GC and CLOs5 from 887 organizations in 30 countries to chronicle information about cyber-related events that is not normally available to the public. The State of Cybersecurity Report therefore captures the thoughts of a record number of in-house counsel. The survey also reveals best practices for preparation, crisis management, and breach response. Read on to find out what worked and what didn't, why breaches happen, how to prepare, and how to react.

2 2015 ACC Global Census, page 8. www.acc.com/legalresources/resource.cfm?show=1411926
3 Net Losses: Estimating the Global Cost of Cybercrime, June 2014. Center for Strategic and International Studies.
4 2015 Cost of Data Breach Study: Global Analysis. IBM and Ponemon Institute. https://securityintelligence.com/cost-of-a-data-breach-2015/
5 GC and CLOs constituted 77 percent of the total set of respondents, for a total of 776 GC/CLOs.


KEY FINDINGS


Employee error is the number-one cited cause of breaches
Employee error is the most common reason for a breach. And while nearly half of all in-house counsel say that mandatory training exists, few have a policy of testing knowledge or tracking attendance at these trainings. Lawyers in Canada are least likely to say their company has mandatory employee training (29 percent), compared with those in the US, which has the highest percentage reporting so (48 percent). Overall, 17 percent of in-house counsel say the data accessed during a breach was encrypted.

Thirty-six percent of all respondents reported employee error as the cause of a system breach when an audit was conducted by an outside auditor, compared with 26 percent of respondents when an audit was conducted by internal staff.

Reputation: the top concern worldwide when it comes to cybersecurity
Top concerns cited by in-house counsel include damage to reputation, loss of proprietary information, and economic damage. In the Europe, Middle East and Africa (EMEA) and Asia Pacific regions, government and regulatory action made the top three most cited primary concerns.

Data breaches are a reality for many
Nearly one in three in-house counsel have experienced a data breach at their company. Nineteen percent say their current company has experienced a data breach, while 10 percent say their former employer did. Nearly half (47 percent) have recent experience, reporting that the breach took place in 2014 or 2015. Forty-five percent of in-house counsel in companies with 5,000 or more employees say they either work or have worked at a company that experienced such a breach.

Company and legal department budgets are growing when it comes to cybersecurity
Despite an overall trend toward insourcing, cybersecurity spend seems to be the exception for most law departments. Fifty-six percent of GC and CLOs say their company is allocating more money to cybersecurity than one year ago, and 23 percent say their legal department spend has increased as a result of company focus on cybersecurity. Among GC/CLOs who report an increase in departmental spend, 53 percent say this is mainly outside spend, and 24 percent report spend as equally split between inside and outside. Notably, just 8 percent of GC/CLOs have a portion of their departmental budget explicitly dedicated to cybersecurity-related issues, despite the growing role of the legal department.

The expanding role of legal in the cyber arena
Fifty percent of all GC and CLOs want to increase their role and responsibilities when it comes to cybersecurity. Though oversight of cyber-risk continues to sit firmly in the IT department, the legal role is also expanding, with 57 percent of GC and CLOs expecting their department's role to increase in the coming year.

Cybersecurity insurance is becoming more common, and the amount of coverage is rising
Half of all GC and CLOs surveyed say their company has cybersecurity insurance, and of the companies that have this insurance, 68 percent have coverage valued at US $1 million or more. One in four say they expect their company to increase coverage in the coming year, while 58 percent expect it to remain the same. Barely 1 percent expect a decrease in cybersecurity coverage amounts. Among those who have experienced a breach, just 19 percent say the insurance policy fully covered the related damages.

Managing outside risk plays a significant role in preparing and preventing
With only 61 percent of GC/CLOs confirming that third parties are required to notify them should a breach occur, reliance on outside parties, and exposure to their risk, appears high for many companies. Just one in four report that their company has retained a forensic company, and one in three have retained outside counsel to help should a cybersecurity event occur. This leaves companies searching for outside support in many instances where data has been compromised. And just 7 percent of all in-house counsel surveyed are very confident that their third-party vendors and affiliates are protecting the company from cybersecurity risks. Twenty-two percent are very confident their outside service providers are managing the security of client data.


Industry trends
The healthcare industry continues to see the highest percentage of in-house counsel reporting they have experienced a data breach. Over half in the healthcare and social assistance industry say they have experienced a breach at their current or former employer, compared with 31 percent of corporate counsel on average across all industries. In-house lawyers in the healthcare industry (75 percent) are most likely to report that their company has cybersecurity insurance. In-house counsel in the healthcare industry are also most likely to say their vendors and third-party agents are required to notify them of a breach (88 percent). Corporate lawyers in the retail industry have the highest percentage reporting that they proactively collaborate with law enforcement or other government agencies to address cybersecurity risks (45 percent).

Waiting to change until after the breach can be costly
We are observing a dramatic increase in budget allocation toward cybersecurity issues across companies and legal departments. One likely reason is that prevention strategies were not in place before the breach. Among those who have experienced a data breach, 74 percent say that their company is making at least some changes to their security policies as a result of the breach, and 58 percent report making moderate to significant changes.


Benchmarking the state of cybersecurity
Key variables in prevention, preparedness, and response cut across organizational boundaries and functional areas. However, several items related to the legal department, both directly and indirectly, are excellent benchmarks for evaluating preparedness. The checklist in this section provides a summary of these items. Inside the report, benchmarks from more than 800 organizations can be found alongside this checklist for comparison purposes. These items are commonly recommended as foundational best practices for preventing or preparing for a data breach. While few organizations have all of the items listed, it is useful to compare your practices against them and take steps to plan for data security.

DATA BREACHES BY INDUSTRY*

Healthcare/Social Assistance: 56%
Insurance: 36%
Manufacturing: 33%
Retail Trade: 32%
IT/Software/Internet-Related Services: 31%

*Industries with highest percentage shown

“I wish we had done a better job at educating employees on cybersecurity issues, how to recognize and what to do and to become more informed on various ways that data breaches occur and proactive ways that could eliminate or reduce exposure.”

Sample cybersecurity checklist with benchmarks. See full report for complete benchmarking checklist.

Cybersecurity Checklist

Organizational Prevention and Preparedness
66%  Organization conducts a cybersecurity audit of the entire organization at least annually
60%  A member of the legal department is on the company's data breach response team
55%  Organization has cybersecurity insurance
44%  Organization has mandatory training on cybersecurity for all employees
34%  Organization tests employee preparedness/knowledge of cybersafety practices/data policies at least annually
32%  Organization has retained outside counsel to assist should a breach occur
27%  Company collaborates proactively with law enforcement or other governmental agencies to address cybersecurity risks
24%  Organization retains a forensic company to assist should a breach occur

Organizational Policies
80%  Password policy
73%  Social media policy
71%  Document retention policy
66%  Website privacy policy
66%  Employee manual acceptance policy
63%  Internet privacy policy
55%  Identity and access management
41%  BYOD policy
17%  Data map

Organizational Staffing
46%  Chief Information Officer (CIO)
24%  Privacy/Security Manager
18%  Chief Information Security Officer (CISO)
14%  Chief Risk Officer (CRO)
13%  Chief Privacy Officer (CPO)
11%  Chief Security Officer (CSO)

Organizational Preparedness Evaluation
41%  Conduct cybersecurity audit of entire organization at least annually
34%  Use a standard (e.g., SSAE, NIST, ISO) to prepare for, manage, and reduce cybersecurity risk
33%  Track mandatory training requirement and attendance for all employees
20%  Test employees' knowledge of mandatory training
17%  Conduct mock security event
11%  Conduct tabletop exercises
8%   Review disciplinary actions for violations


Cybersecurity Checklist Self-Assessment Tool

Organizational Prevention and Preparedness
[ ] Organization conducts a cybersecurity audit of the entire organization at least annually
[ ] A member of the legal department is on the company's data breach response team
[ ] Organization has cybersecurity insurance
[ ] Organization has mandatory training on cybersecurity for all employees
[ ] Organization tests employee preparedness/knowledge of cybersafety practices/data policies at least annually
[ ] Organization has retained outside counsel to assist should a breach occur
[ ] Company collaborates proactively with law enforcement or other governmental agencies to address cybersecurity risks
[ ] Organization retains a forensic company to assist should a breach occur

Organizational Policies
[ ] Password policy
[ ] Social media policy
[ ] Document retention policy
[ ] Website privacy policy
[ ] Employee manual acceptance policy
[ ] Internet privacy policy
[ ] Identity and access management
[ ] BYOD policy
[ ] Data map

Organizational Staffing
[ ] Chief Information Officer (CIO)
[ ] Privacy/Security Manager
[ ] Chief Information Security Officer (CISO)
[ ] Chief Risk Officer (CRO)
[ ] Chief Privacy Officer (CPO)
[ ] Chief Security Officer (CSO)

Organizational Preparedness Evaluation
[ ] Conduct cybersecurity audit of entire organization at least annually
[ ] Use a standard (e.g., SSAE, NIST, ISO) to prepare for, manage, and reduce cybersecurity risk
[ ] Track mandatory training requirement and attendance for all employees
[ ] Test employees' knowledge of mandatory training
[ ] Conduct mock security event
[ ] Conduct tabletop exercises
[ ] Review disciplinary actions for violations


PROJECT OVERVIEW & INTERPRETING THE DATA


Project Overview
This survey opened on August 31, 2015, and closed October 10, 2015. An email invitation to participate in the survey was delivered to 15,176 chief legal officers, general counsel, and assistant general counsel. Those holding the title of group general counsel and head of legal are included in the GC/CLO sample. The population includes members of ACC and nonmembers. A total of 1,015 responses were received; 760 were from ACC members, and 255 were from nonmembers. This represents an overall response rate of 7 percent. Seventy-seven percent identified as GC/CLO, and 14 percent are assistant general counsel. The remainder hold other titles not included in the GC/CLO group. Those not in the GC/CLO or AGC role may have been invited to complete the survey by their GC, CLO, or AGC on behalf of their organization. Participants represent 887 unique organizations as determined by their email address and/or pre-identified employer.

Interpreting the Data
The full report contains an introduction, key findings, executive report, and overall results. Although many pertinent topics are covered in the key findings, other thought-provoking findings are exhibited in the overall survey results. Overall results touch upon all survey questions, and responses from all respondents are stratified by a number of relevant segments such as region/country; industry; company revenue; number of employees in the company; department size; GC/CLOs and those with other titles; ever worked where a cybersecurity breach has occurred; and company domestic only or global. By analyzing responses in this way, we are able to decrease the influence of overrepresentation across audience segments. Cross-tabulations were conducted in order to assess the influence of these segments of the survey population, and t-tests were used when appropriate to determine whether differences between groups or between time points were statistically significant at the .05 α level.
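The segment comparison described above (a cross-tabulation followed by a significance test at the .05 level), as an added worked example that is not part of the report or its authors' analysis: a pooled two-proportion z-test in plain Python. The report publishes percentages but not the per-segment counts behind them, so the counts below are constructed assumptions sized for a 1,015-respondent survey, and all function names are the example's own. For yes/no survey answers with hundreds of respondents per group, this z-test and a t-test on the 0/1 indicator variable agree to well within rounding. The second comparison is the check a practitioner wants before quoting a regional difference: a three-point gap between a small segment and a large one does not reach significance, and the Bonferroni helper shows how far the per-test threshold drops when dozens of cross-tabulations are read at once.

```python
"""Two-proportion significance test of the kind used to compare survey segments.

Constructed example, not the report's data or code. The counts below are
illustrative: the report publishes percentages, not per-segment counts, so the
sample sizes here are assumptions chosen to be plausible for a 1,015-respondent
survey.
"""
import math

ALPHA = 0.05  # the significance level the report says it used


def normal_sf(z: float) -> float:
    """Upper-tail probability P(Z > z) for a standard normal variable."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def two_proportion_ztest(x1: int, n1: int, x2: int, n2: int):
    """Pooled two-proportion z-test.

    Returns (difference, z, two_sided_p). For 0/1 survey answers with hundreds
    of respondents per group this is numerically indistinguishable from the
    t-test on the indicator variable.
    """
    if min(n1, n2) <= 0 or not (0 <= x1 <= n1 and 0 <= x2 <= n2):
        raise ValueError("counts must satisfy 0 <= x <= n and n > 0")
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    if se == 0.0:  # both groups unanimous the same way: nothing to test
        return p1 - p2, 0.0, 1.0
    z = (p1 - p2) / se
    return p1 - p2, z, 2.0 * normal_sf(abs(z))


def bonferroni_alpha(alpha: float, comparisons: int) -> float:
    """Per-test threshold that keeps the family-wise error rate at alpha when
    many cross-tabulations are examined at once."""
    return alpha / comparisons


def compare_segments(label, x1, n1, x2, n2, alpha=ALPHA):
    """Run one segment-vs-segment comparison and report the verdict at alpha."""
    diff, z, p = two_proportion_ztest(x1, n1, x2, n2)
    return {
        "label": label,
        "rate_a": round(x1 / n1, 3),
        "rate_b": round(x2 / n2, 3),
        "difference": round(diff, 3),
        "z": round(z, 2),
        "p": round(p, 4),
        "significant": p < alpha,
    }


# Constructed counts (assumptions) that reproduce two of the report's published
# percentage pairs at sample sizes plausible for the survey.
CONSTRUCTED_COMPARISONS = [
    # 36% vs 29% ranking reputation as top concern: breach-experienced vs not
    ("reputation top concern: breach experience vs none", 113, 315, 203, 700),
    # 23% vs 20% breached at current company: Asia Pacific vs US
    ("breach at current company: Asia Pacific vs US", 14, 60, 130, 650),
]


def run_all(alpha=ALPHA):
    """Evaluate every constructed comparison at the given alpha."""
    return [compare_segments(*row, alpha=alpha) for row in CONSTRUCTED_COMPARISONS]


if __name__ == "__main__":
    for r in run_all():
        verdict = "significant" if r["significant"] else "not significant"
        print(f"{r['label']}: {r['rate_a']:.1%} vs {r['rate_b']:.1%} "
              f"(z={r['z']}, p={r['p']}) -> {verdict} at alpha={ALPHA}")
    print("per-test alpha for 40 cross-tabs:", bonferroni_alpha(ALPHA, 40))
```

With these assumed counts the 36-versus-29 comparison clears the .05 bar (z about 2.2), while the 23-versus-20 regional comparison does not (p above 0.5), which is why a report built on dozens of cross-tabulations should state which differences were tested rather than reading every gap between bars as a finding.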


EXECUTIVE SUMMARY


The present: Data breaches are a reality
Thirty-one percent of in-house counsel say that they have experienced a data breach either at a former employer or at their current company. Employee error is cited as the most common manner in which a breach occurred, followed by inside jobs, phishing, and access through a third party.

Overall, nearly one in three in-house lawyers report they have worked or currently work in a company that has experienced a data breach. The healthcare industry continues to see the highest percentages reporting data breaches. Over half of the in-house counsel surveyed in the healthcare and social assistance industry report having experienced a data breach (56 percent), followed by 36 percent of lawyers in the insurance industry.


EXPERIENCED A DATA BREACH IN CURRENT OR FORMER COMPANY

Work/worked where breach occurred: 31%
Not experienced breach: 62%
Don't know: 7%

HOW WAS THE SYSTEM BREACHED? (n=252)

Employee error: 24%
Inside job: 15%
Phishing: 12%
Access through a third party: 12%
Lost laptop/device: 9%
Malware: 7%
Application vulnerability: 7%
Ransomware (CryptoLocker): 1%
Operating system vulnerability: <1%


Risk exposure, management, and mitigation
Though the main cause of a data breach is employee error, many companies are focusing on raising employee awareness through mandatory training alone, with little follow-up to confirm that employees both attend the training and understand what they have learned.

Regionally there is some variation in the origin of a breach that may influence how companies manage, or should manage, risk at the organizational level. For example, the most commonly reported cause in the US was employee error with 25 percent of respondents, followed by inside job (14 percent) and phishing (13 percent). Within the EMEA region employee error is the main cause of a data breach with 25 percent, followed by malware (17 percent) and access through a third party (17 percent).

Lawyers in the Asia Pacific region have the highest percentage reporting they have weathered a data breach at their current company (23 percent), followed by the United States (20 percent). Ten percent in the US report experiencing a data breach at a former employer, followed by 9 percent of respondents in the Asia Pacific region. In-house counsel in the EMEA region are most likely to say they have never experienced a data breach.

CAUSE OF BREACH BY REGION

[Chart comparing the US, EMEA, Canada, and Asia Pacific across the causes Employee error, Inside job, Phishing, Access through a third party, Lost laptop/device, Application vulnerability, and Malware. Values cited in the text: US employee error 25%, inside job 14%, phishing 13%; EMEA employee error 25%, malware 17%, access through a third party 17%.]


CLOs, GC and other in-house counsel are concerned with various aspects of data security and are increasingly focusing on expanding their role to assist in defending their organizations against a breach. Because of the growing number of both customer-facing and business-to-business (B2B) companies undergoing breaches of protected data and IP, it is no surprise that the legal department is becoming a prominent player in prevention, preparedness, and response to a cyberattack or data breach. This is reflected in the most immediate concerns of in-house counsel affected by a data breach. Damage to reputation or brand far outpaces other issues as the top concern.

Lawyers who have worked in companies that experienced data breaches did not rank the top two concerns any differently. However, a higher percentage of lawyers who have breach experience rank damage to reputation as a top concern (36 percent) than those who have not experienced a data breach (29 percent).

Damage to reputation/brand is the top concern among in-house counsel in all four regions examined, followed by loss of proprietary information, economic damage, and government/regulatory action. Shareholder activity ranks lowest among the concerns listed for in-house counsel in all regions. Government and regulatory action is a high-ranking concern for in-house counsel in the EMEA and Asia Pacific regions, perhaps a result of strict privacy and data security laws.

RANKING OF MOST IMMEDIATE CONCERNS RELATED TO DATA BREACH

1. Damage to reputation/brand
2. Loss of proprietary information
3. Economic damage
4. Government/regulatory action
5. Business continuity
6. Litigation
7. Board (board of directors) concerns
8. Executive liability
9. Preservation of lawyer-client privilege
10. Media coverage
11. Shareholder activity

MOST IMMEDIATE CONCERN RELATED TO DATA BREACH BY REGION

[Chart showing the top three concerns in the US, EMEA, Canada, and Asia Pacific. In every region the first is Damage to reputation/brand and the second is Loss of proprietary information; the third is Economic damage in two regions and Government/regulatory action in the other two.]


Common approaches to cybersecurity

There is a wide disparity in how companies approach prevention and preparedness regarding cybersecurity. Four in ten GC/CLOs report that their company audits their organization's current cyber risk at least annually, but less than half retain outside counsel in the event of a breach. While employing certified security experts such as the chief information security officer is becoming more common, few have hired such experts in addition to the CIO. Less than half of GC/CLOs report their organization employs a CIO. The majority have policies (such as social media policies) to protect the company from malicious attacks triggered by employee error, yet few actually track mandatory training or test the knowledge of employees on the policies and regulations in place to help them identify and prevent lower threshold attacks (such as phishing) that are commonly used to execute a data breach.

CLOs and GC play a significant role, want to expand it

Over half of the CLOs and GC surveyed as part of this study have an organizational role when it comes to cybersecurity, with the remainder occupying a departmental role. One-third of GC/CLOs (35 percent) are in a leadership role at the organizational level, and 36 percent hold a departmental leadership role. Those in the professional, scientific, or technical services industry are more likely to be in an organizational leadership role (45 percent) than in-house counsel in other industries such as finance and banking (35 percent), manufacturing (21 percent), or healthcare (36 percent). In-house counsel holding titles other than GC/CLO are most likely to hold departmental roles, with 35 percent reporting a leadership role in the department.

Over half of all in-house counsel want to broaden their role in cybersecurity

Fifty-nine percent of GC, CLOs, and all other lawyers surveyed expect their law department's role in cybersecurity to increase in 2016. This aligns with the desire of most in-house lawyers to maintain or expand their current responsibilities when it comes to cybersecurity. Just over half (52 percent) prefer to increase their role and responsibilities, and 44 percent want to maintain their current involvement. Just 4 percent prefer to decrease their involvement.

These expectations do not vary among those who have and have not experienced a data breach. Among those who experienced a data breach in the past two years, 49 percent say they want to maintain their current level of responsibility. Forty-five percent of respondents say they would prefer to expand their role, while only 6 percent say they would prefer to decrease their role.

Those in larger departments and those in the Asia Pacific region are slightly more likely to anticipate their department's role in cybersecurity increasing over the coming year. And the preferences of in-house counsel who have experienced a breach appear to be somewhat related to views on their level of responsibility, with a smaller percentage of in-house lawyers who have worked/are working in a company that suffered a breach wanting to expand their role (49 percent) than those who had not experienced a breach (54 percent).

PREFERENCE FOR CHANGE IN LEVEL OF INVOLVEMENT IN CYBERSECURITY AMONG THOSE WHO EXPERIENCED A BREACH IN PAST TWO YEARS

Maintain current role and responsibilities: 49%
Increase role and responsibilities: 45%
Decrease role and responsibilities: 6%

HOW WOULD YOU CHARACTERIZE YOUR RESPONSIBILITIES REGARDING CYBERSECURITY IN YOUR COMPANY? (CLO/GC vs Other Title)

[Chart. Response options: I am in a leadership role in the legal department; I am in a leadership role at the organization level; I am part of a team in the organization that has been designated with cybersecurity responsibilities; I am in a support role in the legal department. Values cited in the text: 36 percent of CLO/GCs hold a departmental leadership role and 35 percent an organizational leadership role; 35 percent of those with other titles hold a departmental leadership role.]

“Outsource all handling of secured data to the extent practicable to vendors that meet high security standards, then invest heavily in protecting the remaining functions. Set up multiple means for detecting potential vulnerabilities and actual intrusion efforts. Train, train, train.”


HOW WOULD YOU CHARACTERIZE YOUR RESPONSIBILITIES REGARDING CYBERSECURITY IN YOUR COMPANY? (BY NUMBER IN LAW DEPARTMENT)

[Chart by law department size (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees) for the responses: I am in a leadership role at the organization level; I am part of a team in the organization that has been designated with cybersecurity responsibilities; I am in a leadership role in the legal department; I am in a support role in the legal department. A linear trend line is drawn for the organization-level leadership role.]

EXPANSION OF IN-HOUSE COUNSEL'S ROLE IN CYBERSECURITY

                                   All    CLO/GC  Other  Breach: Yes  Breach: No  US   Canada  EMEA  Asia Pacific
Percentage who expect the legal
department's role in cybersecurity
to increase next year (n=868)      59%    57%     65%    59%          58%         58%  58%     58%   63%
Percentage who would prefer to
expand their current level of
involvement in cybersecurity
(n=846)                            52%    50%     57%    49%          54%         52%  48%     51%   53%


Half of all GC and CLOs are on the data breach response team

A data breach response plan and a team ready to respond are vital in mitigating the risk of a cyberattack. Companies that maintain a data breach response team do tend to feature top legal officers in such teams, as roughly half of GC and CLOs are a member of their company's data breach response team (49 percent). Fewer in-house counsel not in a GC/CLO role are a part of such teams (29 percent).

A greater proportion of GC/CLOs heading legal departments with two to nine employees have a place on the data response team than in larger departments. Notably, GC and CLOs heading smaller departments of nine or fewer employees are more likely to say they never brief the board of directors on cybersecurity, and 46 percent say they brief the board on an ad hoc basis.

IS A MEMBER OF THE LEGAL DEPARTMENT ON THE COMPANY'S DATA BREACH RESPONSE TEAM? (AMONG GC/CLOs)

[Chart by law department size (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees) with the responses: Yes, GC/CLO; Yes, other member of legal department; No (no member of the legal department on team); Company does not have a formal data breach response team.]

“Be prepared; have a data breach response plan and do a tabletop exercise; have some internal security expertise and a trusted security/forensics vendor in advance; have detection systems to alert of an issue; consider segmentation of systems and data; have knowledgeable outside counsel in advance.”


Prevention and preparation

Prevention, preparation, and awareness are vital to closing the most common avenues for a breach or cyberattack. Not only is preparedness critical to minimizing risk and cost, but transparency may also be a regulatory requirement based on the nature of the breach and the data compromised. Companies should pay careful attention to planning and preparing for disclosure based on regulatory standards. Thirty-one percent of in-house counsel in this study say they were required to notify a regulatory/governmental body when their company was the victim of a cyberattack.

Advanced implementation of standards and effective policies, consultation, and training are as vital to information and data security as technical approaches because attacks often result from employee errors (24 percent), according to in-house counsel in this study. This is vital information that aligns with other major research. The 2015 global Ponemon Institute Research Study of the cost of cybercrime estimates that attacks by malicious code, Web-based attacks, and phishing/social engineering can take between 22 and 54 days to resolve at a technical level.[6]

The total impact of a breach can last much longer when it comes to litigation, customer turnover, and damage to brand. Among in-house counsel who have experienced a breach, 17 percent report that significant changes to company security policies took place after the breach. An additional 41 percent report moderate changes postbreach. Implementing changes proactively may decrease the amount of change required postbreach and may decrease the avenues through which breaches can occur.

Standards used to help cybersecurity planning

Companies use a variety of standards to address their cybersecurity needs. The International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and Statement on Standards for Attestation Engagements (SSAE) are common in general. Regionally, there is some variation in what is most often cited as the company standard. In the United States, NIST and SSAE 16 are most often cited; in the EMEA and Asia Pacific regions, ISO programs are most common.[7]

[6] 2015 Cost of Data Breach Study, p. 15. IBM and Ponemon Institute.
[7] ROI savings were over half a million US dollars when certified, compared to industry-leading standards. IBM and Ponemon Study, p. 21.

CYBERSECURITY STANDARDS/FRAMEWORK BY REGION

                                  US     Canada  EMEA   Asia Pacific
n=                                672    35      50     92
NIST                              14%    6%      4%     1%
ISACA                             3%     3%      6%     4%
SSAE 16                           14%    9%      6%     1%
Six Sigma                         2%     0%      2%     3%
SANS Critical Security Controls   2%     0%      0%     3%
ISO 17799 / 27001                 13%    11%     30%    15%
COBIT 5                           1%     0%      6%     2%
SSE-CMM                           1%     0%      0%     1%
OWASP                             1%     0%      0%     1%
Other - Please specify            5%     0%      2%     2%
None                              5%     3%      10%    10%
Unsure                            59%    74%     52%    68%

“I wish we had known to put more focus on prevention and have a response plan in place in advance.”


Policies, training, and security expertise play a vital role in prevention and preparation

Preventive policies and training, employment of certified security experts, use of a common standard for preparedness, and mitigating risk through third parties are all components in how companies address cybersecurity. Insurance coverage in the case of a breach is also a common practice among companies globally. And while most CLOs and GC are confident in the insurance coverage their organization holds, and nearly all in-house counsel who participated in the Cybersecurity Survey claim to have at least one data protection policy in place, many are catching up on critical elements of data security and protection of intellectual property. A password policy, a social media policy, and a document retention policy are the data security policies most commonly cited by in-house lawyers as those their employer has implemented.

More than six in 10 in-house counsel in the IT (67 percent), finance and banking (63 percent), and insurance (65 percent) industries say their company has identity and access management. Participants in companies with revenues of US $500 million or more are significantly more likely than those in companies with lower revenue to have many of these policies. The only policy those in companies with less revenue are more likely to have is an employee manual acceptance policy.

DOES YOUR ORGANIZATION CURRENTLY HAVE ANY OF THE FOLLOWING POLICIES IN PLACE? (PERCENTAGE "YES")

Password policy                     81%
Social media policy                 75%
Document retention policy           74%
Website privacy policy              68%
Employee manual acceptance policy   65%
Internet privacy policy             64%
Identity and access management      57%
BYOD policy                         42%
Data map                            18%

“It is great to have a written plan but you must be proactive and put things in place before a breach and have a proactive response and not reactionary. Test tactical aspects to make sure response team really knows their responsibilities.”


As expected, CLOs, GC, and other in-house counsel who report experiencing a breach either at their current company or at a former employer are significantly more likely to have a social media policy (84 percent to 71 percent), a bring-your-own-device (BYOD) policy (52 percent to 37 percent), identity and access management (65 percent to 55 percent), and a document retention policy (79 percent to 71 percent). Also, 70 percent of in-house participants in the US report having an employee manual acceptance policy. This is significantly higher than in other regions: 51 percent in Canada, 50 percent in EMEA, and 40 percent in Asia Pacific.

DATA SECURITY POLICIES BY COMPANY ANNUAL REVENUE (US$)

                                    <$500 million   $500 million or more
Password policy                     78%             87%
Document retention policy           66%             85%
Social media policy                 68%             85%
Website privacy policy              69%             70%
Internet privacy policy             59%             70%
Identity and access management      54%             64%
Employee manual acceptance policy   69%             61%
BYOD policy                         36%             55%
Data map                            15%             21%


Outside resources a key component of preparation for many

While participating lawyers report that their organization has many data security policies in place, over half of participants report that their organization has not retained a forensic company for support in case a breach occurs. About the same amount report that their company has not retained outside counsel to assist them should a breach happen.

Participating CLOs, GC, and other in-house counsel who work for companies that are global entities are significantly more likely than in-house lawyers at domestic organizations to report having retained both a forensic company (27 percent to 21 percent) and outside counsel (36 percent to 29 percent) after a data breach.

Again, those in companies with the highest revenue are more likely to report retaining both a forensic company and outside counsel.

In-house lawyers who work or worked in a company that experienced a breach are more likely than those who do not to say their organization has retained outside counsel (44 percent to 26 percent) and retained a forensic company (37 percent to 17 percent) to assist them should a breach occur.

HAS YOUR ORGANIZATION RETAINED A FORENSIC COMPANY IN CASE A DATA BREACH OCCURS?

No: 57%
Yes: 24%
Don't know: 19%

HAS YOUR ORGANIZATION RETAINED OUTSIDE COUNSEL IN CASE A DATA BREACH OCCURS?

No: 58%
Yes: 33%
Don't know: 9%

RETAINED OUTSIDE COUNSEL/FORENSIC SERVICES BY COMPANY ANNUAL REVENUE QUARTILE

Annual Revenue                          <$100 million   $100M-$499M   $500M-$2.9 billion   $3 billion or more
Company has retained forensic company   15%             22%           30%                  42%
Company has retained outside counsel    22%             35%           40%                  48%


The approach and execution of cybersecurity audits as a prevention tool varies across companies

Whether the most recent audit was conducted by internal staff, a trusted vendor, or an outside auditor, employee error consistently ranked as the top cause of a system breach by respondents. However, there are several interesting differences.

Thirty-six percent of respondents report employee error as the cause when an audit was conducted by an outside auditor compared with 26 percent of respondents when conducted by internal staff.

Only 6 percent of respondents report an inside job as the cause of the system breach when an audit was conducted by an outside auditor, compared with 13 percent when conducted by internal staff.

Fifteen percent of respondents report phishing as the cause of the system breach when audited by internal staff compared with 9 percent of respondents when audited by an outside auditor.

Hiring internal cybersecurity professionals is gaining momentum as a preventive measure

Staffing expert security personnel is a critical component of governance in relation to cybersecurity. According to the 2015 Ponemon Institute Study,[8] and in line with many available frameworks to address cybersecurity at the organizational level, employment of expert personnel is a vital activity one should use as a step toward reducing the cost of cybercrime. The incremental cost savings for employing such experts is estimated at US $1.5 million.

In-house counsel in larger departments are significantly more likely to report that their company employs specialized security experts. Those in companies with law departments of 25 or more employees more frequently report having a CIO, CSO, or CISO, for example. With most companies placing cybersecurity firmly in the hands of the IT department (82 percent say cybersecurity is housed in IT), the responsibility of the legal team may increase with regard to cybersecurity in smaller companies or smaller departments. Among in-house counsel working with none of the aforementioned specialized data security positions, 34 percent say they undertake a leadership role in data security at the organization level compared with 25 percent who have a CIO.

Among all information security positions studied, the CIO is the most common position among all organizations that have at least one specialized position, regardless of department size, though smaller legal departments are significantly less likely to have a CIO. The mix of staffing varies by department size, with the largest legal departments far more likely to have a CPO. The CISO is becoming more common in organizations with 10 or more in the legal department.

[8] 2015 Cost of Data Breach Study: Global Analysis. IBM and Ponemon Institute.

MANNER SYSTEM WAS BREACHED BY HOW MOST RECENT CYBERSECURITY AUDIT WAS CONDUCTED AMONG THOSE WHO HAVE EXPERIENCED A DATA BREACH

[Chart comparing audits conducted by internal staff, a trusted vendor, and an outside auditor across the causes: Employee error, Phishing, Inside job, Lost laptop/device, Application vulnerability, Malware, Access through a third party, Ransomware (CryptoLocker), Operating system, and Don't know/Not sure. Values cited in the text: employee error 26% (internal staff), 33% (trusted vendor), 36% (outside auditor); inside job 13% (internal staff), 6% (outside auditor); phishing 15% (internal staff), 9% (outside auditor).]


Budget and spend

In almost every instance, respondents working in companies that have seen growth in dedication of funds to cybersecurity at the law department and/or organizational level are more likely to also say their company has policies and procedures commonly accepted as protection against a cyberattack. For example, 41 percent of in-house lawyers in companies that dedicated more budget to cybersecurity last year say their company tracks mandatory training, compared with 27 percent who report no organizational budget change on the topic. Thirty-seven percent of respondents in departments that saw no increase in law department funding for cybersecurity say their organization never tests employee knowledge of cybersecurity, compared with 22 percent of in-house counsel working in companies that did increase departmental spend.

Companies spending more are more likely to have cybersecurity insurance and are more likely to be increasing the amount of their coverage. A greater percentage of in-house counsel in these companies report that their organization has retained outside counsel and/or a forensic company that can assist in the event of a breach.

ORGANIZATION SECURITY SPECIALISTS BY DEPARTMENT SIZE: WHICH OF THE FOLLOWING DOES YOUR ORGANIZATION EMPLOY?

[Chart by law department size (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees) for the positions: Chief Information Officer (CIO); Privacy/Security Manager; Chief Privacy Officer (CPO); Chief Information Security Officer (CISO); Chief Security Officer (CSO); Board-level committee devoted to cybersecurity; Chief Risk Officer (CRO); None of the above.]


CYBERSECURITY STANDARDS/FRAMEWORK

Columns: "Has your law department spend increased as a result of your company's approach to cybersecurity?" (Yes / No) and "Is your company allocating more, less, or the same amount of (company) budget to cybersecurity compared with a year ago?" (Same / More).

                                                               Law dept spend     Company budget
                                                               increased          vs a year ago
                                                               Yes      No        Same     More

Does your organization currently have any of the following policies in place? (Select all that apply; percentage answering yes)
  Password policy                                              85%      81%       79%      86%
  Social media policy                                          81%      74%       70%      81%
  Document retention policy                                    75%      72%       70%      78%
  Website privacy policy                                       72%      67%       65%      75%
  Internet privacy policy                                      68%      63%       62%      68%
  Employee manual acceptance policy                            65%      66%       68%      68%
  Identity and access management                               62%      57%       56%      63%
  BYOD policy                                                  50%      41%       35%      49%
  Data map                                                     26%      14%       14%      21%
  None of the above                                            1%       1%        1%       <1%

Does your organization have cybersecurity insurance?
  Yes                                                          66%      44%       47%      57%
  Self-insurance                                               3%       4%        4%       5%

Do you expect your company to decrease, maintain, or increase the amount of cybersecurity insurance coverage in the next year?
  Decrease coverage                                            1%       <1%       0%       1%
  Maintain current coverage                                    50%      65%       70%      57%
  Increase coverage                                            33%      23%       22%      28%

Has your organization retained a forensic company to assist you should a breach occur?
  Yes                                                          43%      19%       16%      33%

Has your organization retained outside counsel to assist you should a breach occur?
  Yes                                                          64%      24%       27%      41%

Does your organization have mandatory training on cybersecurity for all employees?
  Yes                                                          58%      39%       34%      56%

How often does your organization test employee preparedness/knowledge of cybersafety practices/data policies?
  Never, company does not test knowledge of cybersecurity      22%      37%       44%      26%
  Quarterly                                                    5%       2%        0%       5%
  Monthly                                                      4%       1%        1%       2%
  Semiannually                                                 6%       3%        2%       5%
  Annually                                                     36%      25%       25%      33%

How does your organization evaluate company preparedness at the employee level? (Select all that apply; percentage answering yes)
  Track mandatory training requirement and attendance
  for all employees                                            44%      29%       27%      41%
  Conduct mock security event                                  25%      17%       9%       25%
  Test employees' knowledge of mandatory training              25%      18%       15%      25%
  Conduct tabletop exercises                                   22%      9%        6%       18%
  Review disciplinary actions for violations                   10%      8%        7%       9%


It is clear that with greater revenue come more resources. Larger departments have the ability to specialize in their approach to cybersecurity, which may explain the variance in how in-house counsel describe their cybersecurity responsibilities in large and small departments. Thirty-three percent of respondents in the largest law departments say their department spend increased as a result of their company's approach to cybersecurity, compared with just 21 percent in law departments of two to nine employees. This increase in spend has chiefly been outside spend (55 percent), with just 16 percent saying the increase was mainly inside spend. Respondents from the US and the EMEA region are more likely than those in other regions to say law department spend rose last year. For the most part, lawyers in these regions characterize this increase as outside spend.

And, with greater resources, larger departments have the ability to specialize in their approach to cybersecurity. However, few in the top legal seat say that a portion of their budget is dedicated specifically to cybersecurity (8 percent). As seen in other findings, size affects the budget. The percentage of in-house counsel who report that a portion of their budget is dedicated specifically to cybersecurity rises with organization size by revenue and employee count.

HAS YOUR LAW DEPARTMENT SPEND INCREASED AS A RESULT OF YOUR COMPANY'S APPROACH TO CYBERSECURITY?

Department Size        1 employee   2 to 9 employees   10 to 24 employees   25 to 49 employees   50 or more employees
n=                     162          440                112                  58                   79
Yes                    14%          21%                32%                  29%                  33%
No                     81%          73%                59%                  55%                  39%
Don't know/Not sure    6%           5%                 9%                   16%                  28%

LAW DEPARTMENT SPEND INCREASED AS A RESULT OF COMPANY'S APPROACH TO CYBERSECURITY BY REGION (PERCENTAGE "YES")

US: 25%
Canada: 9%
EMEA: 31%
Asia Pacific: 8%


In-house counsel not confident in third-party protection despite reporting requirementsAccess through a third party is the fourth most common mech-anism for cybercriminals to execute a data breach; however, just 7 percent of respondents report the highest degree of confidence that their third-party affiliates/vendors protect them from cyber-security risks. The majority, 60 percent, report being somewhat confident, and 17 percent are not at all confident. There is little dif-ference among subgroups. And while a higher percentage report being very confident that outside law firms their company employs are appropriately managing the security of client data, it is only 22 percent. Just over half, 52 percent, are somewhat confident, and 10 percent are not confident at all.

Survey respondents who have worked for an organization that ex-perienced a breach are less confident in their outside law firms’ management of client data compared with those who have not ex-perienced a breach (14 percent to 9 percent). Another interesting significant difference: those responding in Asia Pacific are more likely than those in the US to report being very confident in the outside firms they employ when it comes to the security of client data, 35 percent to 20 percent.

Even without a high degree of confidence, 61 percent of GC, CLOs,

and other in-house counsel report that third-party agents and vendors are required to notify them of cybersecurity risks or ac-tual events. Only 15 percent state they do not require third-party agents and vendors to report cybersecurity events, but 24 percent say they are not sure if they are required to notify them. Nearly two-thirds (64 percent) of respondents in the US say third-party vendors are required to notify them if a breach occurs. This is sig-nificantly higher than the 40 percent in the EMEA region. Along the same lines, two-thirds of nonglobal entities report third par-ties’ being required to notify them compared with 57 percent of those with business and/or employees working abroad. And 64 percent of those in companies with 5,000 or more employees say third parties are required to notify them compared with 53 per-cent in companies of less than 100 employees.

Many respondents work for organizations that hire outside law firms to manage client data security. These respondents were asked about their degree of confidence in those outside law firms’ appropriately managing the security of their client data. Among respondents who experienced a data breach in the past two years, 75 percent said they had at least some degree of confidence in their outside law firms on this issue. Sixteen percent are not at all confident.

CONFIDENCE IN OUTSIDE LAW FIRM DATA SECURITY BY THOSE WHO EXPERIENCED A BREACH

Experienced a breach: Not at all confident 14% | Somewhat confident 54% | Very confident 20% | Don’t know/Not sure 12%

Have not experienced a breach: Not at all confident 9% | Somewhat confident 50% | Very confident 24% | Don’t know/Not sure 17%


Cybersecurity insurance becoming common, growing in coverage amount*

When asked whether they expect their company to decrease, maintain, or increase the amount of cybersecurity coverage in the next year, among those whose insurance did not cover damages, 41 percent reported an expectation to increase their cybersecurity coverage compared with 32 percent whose damages were covered. Among those whose insurance did not cover damages, 59 percent reported an expectation to maintain coverage compared with 32 percent whose damages were covered. No respondents reported an expectation to decrease coverage in the next year, regardless of whether they were protected from damages from a previous data breach.

In-house counsel who have worked in a company affected by a cybersecurity breach are no more likely to say their organization has cybersecurity insurance than those who have not. Among those respondents with awareness of their company’s cybersecurity insurance status, 64 percent who report experiencing a breach either at their current company or at a previous one say they have cybersecurity insurance; 57 percent who have not been in a company that experienced a data breach report their company has cybersecurity insurance. Respondents without the GC or CLO title are twice as likely to lack awareness of their company’s cybersecurity status as GCs and CLOs (36 percent to 18 percent).

The same percentage (64 percent) of participating US lawyers aware of their company’s breach insurance status say their company is indeed insured. This is significantly higher than 41 percent in Asia Pacific and slightly higher than the overall population who said their company has cybersecurity insurance.

By contrast, just one-quarter of in-house counsel in the manufacturing industry aware of their company’s cybersecurity insurance status report that their organization is insured. This is much lower than in-house counsel who participated from other industries: 84 percent in IT, 76 percent in insurance, and 64 percent in finance and banking.

More than three-quarters (79 percent) of those GC, CLOs, and in-house counsel who are aware of the amount of coverage their company carries report that their company’s cybersecurity insurance coverage is at least US $1 million. And respondents with awareness of their company’s coverage who work in companies with fewer than 100 employees are less likely to have that high of cybersecurity coverage than those in companies with between 100 and 4,999 employees (58 percent to 84 percent). While that is a lot of coverage, just 13 percent say they are extremely confident they have the right coverage for a cybersecurity event (answering nine or 10 on a confidence scale between one and 10). Even so, only 26 percent report they expect their company to increase cybersecurity coverage over the next year. A majority (58 percent) say they expect their organization to maintain the coverage as it is now. Fifteen percent are not sure of their company’s plans with regard to its cybersecurity insurance coverage. For comparison, 50 percent of IT management and security practitioners around the globe said their IT security budget will increase in the next two years, and 46 percent said it would remain the same.9

Among respondents who work for organizations with cybersecurity insurance, 70 percent report that their insurance did not cover the damages created by the data breach, while 30 percent say their insurance did cover the damages.

9 According to the Ponemon Institute’s 2015 Global Study on IT Security Spending & Investments of 1,825 IT management and security practitioners in 42 countries.

* Analysis of insurance-related questions excludes those who selected “Don’t know/Not sure” when asked if their company has cybersecurity insurance.

DID YOUR INSURANCE COVER THE DAMAGES?

Yes: 30%
No: 70%


“The process of obtaining cybersecurity insurance is helpful, as the insurer will require certain policies and protections. This helps to get organizational ‘buy-in,’ as it is not management that is dictating these changes, but an outside carrier.”


EXPECTATIONS FOR LEGAL DEPARTMENT’S ROLE AMONG THOSE WHO EXPERIENCED A DATA BREACH IN PAST TWO YEARS

Increase: 55%
Stay the same: 43%
Decrease: 2%

DEGREE OF CHANGE IN SECURITY POLICIES POSTBREACH

There were no changes made: 15%
Minimal changes were made: 16%
Moderate changes were made: 41%
Significant changes were made: 17%
Don’t know/Not sure: 12%

Looking ahead after a breach: lessons learned

POSTBREACH CHANGE

Many times it is only after a crisis has occurred that meaningful change takes place. Despite creating contracts with protectionist clauses, having policies that mandate training, and putting experts on the ground to monitor the company environment, without holistic understanding and follow-up, the best-laid plans can fail at preventing what cybercriminals work hard to perfect. This is why tools and standards to plan and monitor progress are so important in prevention and preparedness as well as response to a cyberattack.

When asked to describe the degree of change made to their company’s security policies following a cybersecurity breach, 74 percent said that at least some changes were made to their security policies; 15 percent say that no changes were made. Twelve percent of respondents are unsure if changes were made, though these respondents may work for organizations where changes are ongoing, making the specific degree of change unclear.

Generally, in-house lawyers who have worked in an organization that experienced a breach in the last two years plan to boost their role and their company’s general preparedness. When asked whether they expect their legal department’s role in cybersecurity to increase, decrease, or stay the same in the next year, 55 percent say they expect it to increase, while 43 percent expect it to stay the same. Only 2 percent expect a decrease.

Respondents were asked whether they expect their company to decrease, maintain, or increase its amount of cybersecurity insurance coverage in the next year. Among respondents whose company experienced a data breach in the past two years, 59 percent say they expect to maintain their current level of coverage. Twenty-two percent of respondents say they expect to increase their coverage, and no one anticipated decreasing it.

COVERAGE EXPECTATIONS IN THE NEXT YEAR BY THOSE WHO EXPERIENCED A BREACH IN THE PAST TWO YEARS

Maintain current coverage: 59%
Increase coverage: 22%
Don’t know/Not sure: 19%
Decrease coverage: <1%

“The business will be afraid to inform clients and drag its feet, but moving quickly is important.”

“Written policies and procedures and regular training and testing are key. Preparing ahead of time for what is the inevitable in today’s environment.”


Benchmark checklist

Tracking practice and progress is an important step in ensuring that all is being done to thwart cyberattacks in any organization. The checklist provided highlights some key activities and actions undertaken to prevent, manage, and respond to cybersecurity risk.

This tool is useful in providing organizational leadership with a snapshot of what GC and CLOs report regarding their company and department and as a benchmark for the current state of cybersecurity at the company and department level.

Cybersecurity Checklist Self-Assessment Tool

Organizational Prevention and Preparedness

66% Organization conducts a cybersecurity audit of the entire organization at least annually

60% A member of the legal department is on the company’s data breach response team

55% Organization has cybersecurity insurance

44% Organization has mandatory training on cybersecurity for all employees

34% Organization tests employee preparedness/knowledge of cybersafety practices/data policies at least annually

32% Organization retained outside counsel to assist you should a breach occur

27% Company collaborates proactively with law enforcement or other governmental agencies to address cybersecurity risks

24% Organization retains a forensic company to assist should a breach occur

Organizational Policies

80% Password policy

73% Social media policy

71% Document retention policy

66% Website privacy policy

66% Employee manual acceptance policy

63% Internet privacy policy

55% Identity and access management

41% BYOD policy

17% Data map

Organizational Staffing

46% Chief Information Officer (CIO)

24% Privacy/Security Manager

18% Chief Information Security Officer (CISO)

14% Chief Risk Officer (CRO)

13% Chief Privacy Officer (CPO)

11% Chief Security Officer (CSO)

Organizational Preparedness Evaluation

41% Conduct cybersecurity audit of entire organization at least annually

34% Use a standard (e.g., SSAE, NIST, ISO) to prepare for, manage, and reduce cybersecurity risk

33% Track mandatory training requirement and attendance for all employees

20% Test employees’ knowledge of mandatory training

17% Conduct mock security event

11% Conduct tabletop exercises

8% Review disciplinary actions for violations


OVERALL SURVEY RESULTS

INDUSTRY TRENDS



WHAT IS YOUR EMPLOYER’S PRIMARY INDUSTRY?

12% IT and related

10% Finance and banking

9% Manufacturing

8% Insurance

4% Not-for-profit organization

4% Retail trade

3% Healthcare/social assistance

3% Professional, scientific, technical services

47% Other

What is your employer's primary industry? Number

Information Technology/Software/Internet-Related Services 118

Finance and Banking 96

Manufacturing 88

Insurance 75

Not-for-Profit Organization (i.e., Charity, Environment) 40

Retail Trade 38

Healthcare/Social Assistance 34

Professional, Scientific, and/or Technical Services 31

Telecommunications 26

Educational Services 25

Real Estate/Rental and Leasing 24

Service Company and Organization 24

Energy 23

Accommodation/Food Services 19

Arts, Sports, Entertainment/Recreation 19

Advertising/Marketing/Public Relations 16

Construction/Engineering 16

Oil/Gas 16

Pharmaceutical/Medical Devices 16

Fast-Moving Consumer Goods/Consumer Services 15


Wholesale Trade/Distribution 15

Biotechnology/Life Sciences 14

Defense 13

Administrative/Business/Support Services 12

Chemicals/Plastics 12

E-commerce/Online Sales 12

Aviation/Aerospace 11

Prepared Food Stuff/Beverages 9

Transportation/Warehousing 9

Utilities 9

Agriculture/Forestry/Fishing/Hunting 8

Technical/Research and Development 8

Trade Association 7

Management of Companies/Enterprises (i.e., Holding Companies) 6

Mining/Quarrying 6

Broadcasting/Media 2

Public Administration/Government Regulation and Support 2

Waste Management, Remediation/Environmental Services 2

Intellectual Property 1

Other 62


Overall Industry (only those shown with ≥30 responses are shown; not all answers are shown in this table of topline results)

Columns (What is your employer’s primary industry?): All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

How would you characterize your responsibilities regarding cybersecurity in your company? (Select the best answer describing your highest level of responsibility)

I am in a leadership role at the organization level: 30% | 35% | 36% | 34% | 28% | 21% | 29% | 45% | 27%

I am part of a team in the organization that has been designated with cybersecurity responsibilities: 23% | 21% | 30% | 29% | 28% | 23% | 32% | 21% | 24%

I am in a leadership role in the legal department: 36% | 37% | 30% | 25% | 30% | 43% | 26% | 24% | 35%

I am in a support role in the legal department: 6% | 4% | 3% | 5% | 9% | 6% | 3% | 7% | 11%

Other, please specify: 1% | 1% | 0% | 3% | 0% | 0% | 0% | 0% | 3%

Not applicable: 4% | 2% | 0% | 4% | 4% | 8% | 11% | 3% | 0%

Which of the following does your organization employ? (Select all that apply)

Chief Information Officer (CIO): 50% | 49% | 71% | 34% | 69% | 55% | 41% | 48% | 73%

Privacy/Security Manager: 26% | 22% | 32% | 39% | 20% | 23% | 18% | 38% | 43%

None of the above: 25% | 16% | 3% | 23% | 5% | 28% | 31% | 31% | 5%

Chief Information Security Officer (CISO): 19% | 27% | 41% | 16% | 30% | 16% | 10% | 17% | 38%

Chief Risk Officer (CRO): 17% | 37% | 26% | 6% | 39% | 6% | 10% | 17% | 24%

Chief Privacy Officer (CPO): 16% | 19% | 56% | 21% | 32% | 7% | 8% | 10% | 24%

Chief Security Officer (CSO): 13% | 17% | 21% | 22% | 14% | 9% | 5% | 21% | 3%

Board-level committee devoted to cybersecurity: 6% | 10% | 15% | 4% | 7% | 6% | 5% | 7% | 5%

Where is cybersecurity primarily housed in your organization?

IT: 82% | 73% | 84% | 72% | 88% | 92% | 71% | 79% | 86%

Legal: 5% | 5% | 0% | 8% | 3% | 2% | 5% | 7% | 3%

Operations/Administrative: 5% | 7% | 3% | 10% | 1% | 1% | 16% | 14% | 0%

Compliance: 2% | 4% | 9% | 3% | 4% | 1% | 3% | 0% | 8%

Have you ever worked for a company that has experienced a data breach? For the purposes of this survey, a data breach is considered an incident in which confidential, sensitive, or private data/information is viewed, copied, stolen, or transmitted by an unauthorized entity or individual.

Yes (work or worked where breach occurred): 31% | 28% | 56% | 31% | 36% | 33% | 22% | 29% | 32%

Page 35: THE State of Cybersecurit y ReportTypes of data security specialists employed by company 51 ... Audit of legal service providers for cybersecurity risk 59 Cybersecurity standards used

ACC Foundation: The State of Cybersecurity Report, underwritten by Ballard Spahr LLP 33www.acc-foundation.com

(Cont’d) What is your employer’s primary industry?

Overall Industry (only those shown with ≥30 responses are shown; not all answers are shown in this table of topline results)

Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

In what year did the breach occur? (Please select the most recent if multiple breaches.)

2015: 26% | 9% | 33% | 21% | 38% | 19% | 13% | 25% | 18%

2014: 21% | 23% | 11% | 24% | 13% | 27% | 50% | 25% | 27%

2013: 17% | 32% | 33% | 9% | 21% | 12% | 25% | 25% | 18%

Before 2013: 36% | 36% | 22% | 45% | 29% | 42% | 13% | 25% | 36%

How did you learn of the breach?

IT department: 44% | 48% | 35% | 47% | 35% | 54% | 13% | 38% | 36%

Other - please specify: 24% | 22% | 24% | 16% | 31% | 4% | 25% | 50% | 18%

Compliance department: 14% | 22% | 24% | 19% | 19% | 0% | 13% | 0% | 18%

Third-party vendor (i.e., e-forensics, e-billing): 13% | 4% | 12% | 16% | 12% | 31% | 13% | 0% | 18%

Outside governmental agency: 6% | 4% | 6% | 3% | 4% | 12% | 38% | 13% | 9%

How often does your organization conduct a cybersecurity audit of the entire organization?

At least annually: 41% | 55% | 50% | 50% | 50% | 27% | 34% | 46% | 43%

Who conducted the most recent cybersecurity audit?

Internal staff: 40% | 38% | 35% | 44% | 32% | 21% | 36% | 53% | 27%

Outside auditor: 29% | 33% | 39% | 32% | 37% | 43% | 29% | 27% | 27%

Trusted vendor: 27% | 27% | 26% | 21% | 32% | 36% | 36% | 20% | 40%

Does your law department and/or IT department audit your legal service providers for cybersecurity risk?

Yes: 14% | 24% | 21% | 7% | 16% | 14% | 3% | 14% | 39%

What standard(s) does your organization currently use to address cybersecurity? (Select all that apply)

ISO 17799 / 27001: 14% | 12% | 0% | 29% | 20% | 7% | 8% | 25% | 17%

National Institute of Standards and Technology (NIST): 12% | 14% | 24% | 19% | 21% | 6% | 14% | 18% | 17%

SSAE 16: 11% | 20% | 15% | 26% | 14% | 3% | 6% | 11% | 6%


(Cont’d) What is your employer’s primary industry?

Overall Industry (only those shown with ≥30 responses are shown; not all answers are shown in this table of topline results)

Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

Does your organization currently have any of the following policies in place? (Select all that apply)

Password policy: 81% | 85% | 88% | 87% | 93% | 75% | 69% | 79% | 74%

Social media policy: 75% | 74% | 82% | 65% | 77% | 75% | 66% | 79% | 86%

Document retention policy: 74% | 86% | 76% | 56% | 83% | 77% | 77% | 79% | 86%

Website privacy policy: 68% | 72% | 68% | 80% | 69% | 63% | 80% | 64% | 77%

Employee manual acceptance policy: 65% | 74% | 76% | 66% | 65% | 57% | 69% | 68% | 54%

Internet privacy policy: 64% | 64% | 71% | 63% | 62% | 63% | 57% | 54% | 74%

Identity and access management: 57% | 63% | 65% | 67% | 65% | 45% | 37% | 54% | 54%

BYOD policy: 42% | 39% | 59% | 51% | 58% | 34% | 43% | 43% | 40%

Data map: 18% | 18% | 26% | 14% | 17% | 16% | 9% | 25% | 34%

Is a member of the legal department on the company’s data breach response team?

Yes, I am: 44% | 60% | 50% | 52% | 53% | 27% | 54% | 57% | 51%

Yes, other member of department: 17% | 14% | 32% | 15% | 30% | 21% | 6% | 7% | 23%

Does your organization have cybersecurity insurance?

Yes: 47% | 52% | 75% | 72% | 62% | 15% | 54% | 50% | 59%

Please select the answer that best describes the level of monetary coverage for your company’s cybersecurity insurance plan (in US$)? (Convert to US dollars using the currency conversion tool below)

Less than $1 million: 17% | 19% | 29% | 13% | 13% | 9% | 0% | 8% | 31%

$1 million or more: 66% | 58% | 57% | 77% | 68% | 73% | 71% | 92% | 46%

How confident are you that your company has the right coverage for a cybersecurity event?

Mean: 6.3 | 5.9 | 6.2 | 6.4 | 6.9 | 6.8 | 7.1 | 5.8 | 5.8

Median: 6 | 5.5 | 6 | 7 | 7 | 8 | 8 | 5.5 | 6

Do you expect your company to decrease, maintain, or increase the amount of cybersecurity insurance coverage in the next year?

Maintain current coverage: 58% | 63% | 54% | 51% | 55% | 75% | 68% | 62% | 56%

Increase coverage: 26% | 28% | 42% | 30% | 25% | 17% | 21% | 31% | 17%

Don’t know/Not sure: 15% | 9% | 4% | 18% | 20% | 8% | 11% | 8% | 28%


(Cont’d) What is your employer’s primary industry?

Overall Industry (only those shown with ≥30 responses are shown; not all answers are shown in this table of topline results)

Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

Does your organization have mandatory training on cybersecurity for all employees?

Yes: 45% | 65% | 75% | 62% | 65% | 30% | 33% | 46% | 47%

How often does your organization test employee preparedness/knowledge of cybersafety practices/data policies?

Never, company does not test knowledge of cybersecurity: 32% | 22% | 10% | 24% | 17% | 45% | 33% | 36% | 32%

At least annually: 34% | 51% | 55% | 48% | 49% | 19% | 30% | 29% | 46%

Don’t know/Not sure: 27% | 21% | 26% | 20% | 28% | 30% | 27% | 18% | 21%

How does your organization evaluate company preparedness at the employee level? (Select all that apply)

Tracks mandatory training requirement and attendance for all employees: 33% | 53% | 56% | 35% | 50% | 19% | 35% | 21% | 39%

Tests employees’ knowledge of mandatory training: 19% | 30% | 47% | 22% | 29% | 10% | 18% | 14% | 24%

Conducts mock security event: 17% | 24% | 24% | 13% | 31% | 11% | 15% | 14% | 24%

Conducts tabletop exercises: 12% | 15% | 15% | 9% | 27% | 4% | 6% | 7% | 36%

Reviews disciplinary actions for violations: 9% | 10% | 21% | 10% | 9% | 5% | 12% | 0% | 12%

Has your organization retained a forensic company to assist you should a breach occur?

Yes: 24% | 25% | 28% | 22% | 26% | 19% | 9% | 25% | 48%

Has your organization retained outside counsel to assist you should a breach occur?

Yes: 34% | 31% | 38% | 38% | 37% | 33% | 39% | 22% | 66%

Thinking about your role and responsibilities regarding cybersecurity, would you prefer to expand, decrease, or maintain your current level of involvement?

Decrease role and responsibilities: 4% | 1% | 3% | 6% | 6% | 1% | 3% | 12% | 3%

Maintain current role and responsibilities: 44% | 45% | 53% | 41% | 54% | 42% | 50% | 46% | 52%

Increase role and responsibilities: 52% | 53% | 44% | 53% | 40% | 56% | 47% | 42% | 45%

Do you expect your legal department’s role in cybersecurity to increase, decrease, or stay the same in the next 12 months?

Stay the same: 40% | 33% | 45% | 39% | 50% | 38% | 55% | 26% | 43%

Increase: 59% | 65% | 55% | 59% | 50% | 60% | 45% | 74% | 57%


(Cont’d) What is your employer’s primary industry?

Overall (only those shown with ≥30 responses are shown; not all answers are shown in this table of topline results)

Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

How confident are you that your third-party affiliates/vendors protect you from cybersecurity risks?

Not at all confident: 17% | 7% | 22% | 17% | 13% | 23% | 12% | 31% | 10%

Somewhat confident: 60% | 68% | 47% | 66% | 67% | 54% | 68% | 46% | 69%

Very confident: 7% | 16% | 25% | 6% | 4% | 5% | 12% | 12% | 10%

How confident are you that the outside law firms your company employs are appropriately managing the security of client data?

Not at all confident: 10% | 11% | 13% | 13% | 5% | 13% | 0% | 0% | 17%

Somewhat confident: 52% | 46% | 47% | 55% | 66% | 47% | 55% | 65% | 52%

Very confident: 22% | 28% | 23% | 13% | 15% | 26% | 23% | 13% | 21%

Are third parties, such as vendors/agents, required to notify you of cybersecurity risks/breaches that they experience?

Yes: 61% | 71% | 88% | 63% | 78% | 49% | 65% | 60% | 77%

Have you ever terminated a contractual relationship because of cybersecurity risks?

Yes: 11% | 24% | 21% | 9% | 15% | 3% | 9% | 4% | 24%

Have you ever terminated a pending merger/acquisition because of cybersecurity risks?

Yes: 1% | 3% | 0% | 1% | 2% | 1% | 0% | 0% | 0%

Is your company allocating more, less, or the same amount of (company) budget to cybersecurity compared with one year ago?

More: 53% | 67% | 70% | 54% | 61% | 52% | 35% | 67% | 53%

Has your law department spend increased as a result of your company’s approach to cybersecurity?

Yes: 23% | 25% | 15% | 37% | 22% | 22% | 15% | 31% | 45%

Please describe the increase in spend:

Mainly outside spend: 55% | 58% | 80% | 41% | 50% | 63% | 0% | 25% | 86%

Mainly inside spend: 22% | 32% | 0% | 30% | 7% | 19% | 75% | 50% | 0%

Equally split between inside and outside spend: 23% | 11% | 20% | 30% | 43% | 19% | 25% | 25% | 14%

Is any portion of your law department’s budget dedicated specifically to cybersecurity or related cyber issues?

Yes: 10% | 7% | 9% | 15% | 9% | 9% | 9% | 12% | 26%

Who in your organization is the first executive officer to be notified once a breach is discovered?

Chief Information Officer (CIO): 26% | 23% | 33% | 14% | 36% | 30% | 27% | 8% | 42%

President/Chief Executive Officer (CEO): 23% | 27% | 12% | 29% | 13% | 16% | 36% | 38% | 10%


(Cont’d) What is your employer’s primary industry?

Overall Industry (only those shown with ≥30 responses are shown; not all answers are shown in this table of topline results)

Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

From whom do you expect to be notified of a data security breach?

Chief Information Officer (CIO): 29% | 31% | 24% | 18% | 37% | 41% | 29% | 15% | 35%

Does your company collaborate proactively with law enforcement or other governmental agencies to address cybersecurity risks?

Yes: 27% | 34% | 39% | 24% | 31% | 25% | 10% | 4% | 45%

Who in your company is the primary point of contact during a breach (including outside counsel)?

Chief Information Officer (CIO): 24% | 20% | 26% | 15% | 28% | 28% | 18% | 23% | 39%

How was the system breached?

Employee error: 24% | 15% | 50% | 26% | 38% | 9% | 29% | 0% | 11%

Inside job: 15% | 30% | 13% | 4% | 14% | 17% | 14% | 13% | 0%

Access through a third party: 12% | 5% | 13% | 19% | 10% | 22% | 14% | 25% | 22%

Phishing: 12% | 15% | 6% | 11% | 10% | 13% | 14% | 0% | 11%

What type of information was compromised during this breach? (Select all that apply)

Other personally identifiable information such as address, national identification number/SSN, health information: 44% | 55% | 72% | 33% | 71% | 48% | 43% | 25% | 33%

Was the information that was compromised during the breach encrypted?

Yes: 17% | 16% | 13% | 21% | 26% | 14% | 0% | 13% | 33%

Were you required to notify a regulatory/governmental body as a result of a breach?

Yes: 32% | 37% | 56% | 15% | 36% | 10% | 50% | 13% | 38%

How many people were affected by the breach (including employees, customers, etc.)?

Less than 50: 46% | 35% | 38% | 42% | 53% | 52% | 33% | 38% | 13%

50 or more: 39% | 65% | 44% | 46% | 42% | 26% | 50% | 38% | 75%

If the breach has been resolved, how long did it take to resolve? If it has not been resolved, please select that option.

1 year or less: 80% | 79% | 81% | 80% | 81% | 68% | 60% | 100% | 67%

More than 1 year ago: 9% | 16% | 13% | 20% | 14% | 9% | 20% | 0% | 11%

Describe the degree of change (if any) made to your company’s security policies or procedures following the breach.

There were no changes made: 15% | 5% | 27% | 12% | 19% | 13% | 33% | 13% | 33%

Changes were made: 73% | 85% | 67% | 77% | 76% | 70% | 50% | 88% | 67%

Did your cyber insurance policy fully cover any damages related to the breach?

Yes: 19% | 10% | 8% | 21% | 22% | 0% | 40% | 50% | 17%

INDUSTRY TRENDS

OVERALL SURVEY RESULTS

TOP CONCERNS

Rank your top concerns with regard to a data breach (e.g., what worries you most?). Top picks shown.

Damage to reputation, loss of proprietary information, economic damage, and government/regulatory action are the concerns that were ranked first most often. This is fairly consistent across all subgroups.

1. Damage to reputation/brand

2. Loss of proprietary information

3. Economic damage

4. Government/regulatory action

5. Business continuity

6. Litigation

7. Board (board of directors) concerns

8. Executive liability

9. Preservation of lawyer-client privilege

10. Shareholder activity

11. Media coverage


TOP CONCERNS (MOST FREQUENTLY RANKED NUMBER 1)

Columns: Overall (All responses) | Have you ever experienced a breach where you are/have been employed? (Yes | No) | Region - Office location (US | Canada | EMEA | Asia Pacific) | Organization’s total gross revenue for the last fiscal year (US $) (<$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more)

1. Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation
2. Loss of proprietary information | Loss of proprietary information | Loss of proprietary information | Loss of proprietary information | Economic damage | Economic damage | Loss of proprietary information | Loss of proprietary information | Economic damage | Loss of proprietary information | Economic damage
3. Economic damage | Economic damage | Government/regulatory action | Economic damage | Loss of proprietary information | Government/regulatory action | Government/regulatory action | Government/regulatory action | Loss of proprietary information | Government/regulatory action | Government/regulatory action
4. Government/regulatory action | Government/regulatory action | Economic damage | Government/regulatory action | Litigation | Economic damage | Economic damage | Economic damage | Government/regulatory action | Economic damage | Business continuity

Columns: Total number of employees in organization/company (Less than 100 | 100-499 | 500-4,999 | 5,000 or more) | Size of your law department (all staff in all locations) (1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees) | Employer a global entity? (Yes | No)

1. Loss of proprietary information | Damage to reputation | Damage to reputation | Damage to reputation | Loss of proprietary information | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation
2. Damage to reputation | Economic damage | Loss of proprietary information | Loss of proprietary information | Damage to reputation | Loss of proprietary information | Loss of proprietary information | Loss of proprietary information | Loss of proprietary information | Loss of proprietary information | Government/regulatory action
3. Economic damage | Government/regulatory action | Economic damage | Government/regulatory action | Economic damage | Government/regulatory action | Business damage | Economic damage | Government/regulatory action | Economic damage | Economic damage
4. Government/regulatory action | Loss of proprietary information | Government/regulatory action | Economic damage | Government/regulatory action | Economic damage | Economic damage | Government/regulatory action | Litigation | Government/regulatory action | Loss of proprietary information


BREACH

Have you ever worked for a company that has experienced a data breach? For the purposes of this survey, a data breach is considered an incident in which confidential, sensitive, or private data/information is viewed, copied, stolen, or transmitted by an unauthorized entity or individual.

Three in 10 report ever working for a company that has experienced a data breach. Those in larger companies were more likely to have experienced a breach. Among respondents who said they would like to decrease their role regarding cybersecurity, 42 percent have worked or currently work where a breach has occurred. This is higher than the percentage who would like to increase their cybersecurity role and have ever experienced a breach at their current company (29 percent). Two-thirds of respondents who say their organization does not have cybersecurity insurance have never experienced a breach at their company.

EVER WORKED AT A COMPANY THAT HAS EXPERIENCED A BREACH

Yes (work/worked where data breach occurred): 31%
No (have not experienced a data breach): 62%
Don’t know: 7%


(Cont’d) Have you ever worked for a company that has experienced a data breach? For the purposes of this survey, a data breach is considered an incident in which confidential, sensitive, or private data/information is viewed, copied, stolen, or transmitted by an unauthorized entity or individual.

Columns: Overall (All responses) | CLO/GC vs. Others (CLO/GC | Other title) | Region - Office location (US | Canada | EMEA | Asia Pacific) | Organization’s total gross revenue for the last fiscal year (US $) (<$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more)

n = 884 | 694 | 187 | 628 | 32 | 49 | 82 | 273 | 166 | 198 | 140
Yes (work/worked where data breach occurred): 31% | 31% | 30% | 32% | 25% | 27% | 34% | 23% | 27% | 36% | 45%
No (have not experienced a data breach): 62% | 63% | 60% | 62% | 63% | 69% | 61% | 72% | 69% | 58% | 46%
Don’t know/Not sure: 7% | 6% | 10% | 7% | 13% | 4% | 5% | 5% | 4% | 7% | 9%

*Prefer not to answer not shown for analysis purposes.

Columns: Total number of employees in organization/company (Less than 100 | 100-499 | 500-4,999 | 5,000 or more) | Size of your law department (all staff in all locations) (1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees) | Employer a global entity? (Yes | No) | Employer a global entity? (Yes | No)

n = 138 | 225 | 283 | 226 | 172 | 460 | 106 | 60 | 81 | 498 | 374 | 540 | 399
Yes (work/worked where data breach occurred): 17% | 23% | 31% | 45% | 16% | 30% | 32% | 52% | 52% | 32% | 29% | 21% | 17%
No (have not experienced a data breach): 75% | 73% | 62% | 46% | 74% | 66% | 57% | 42% | 40% | 60% | 65% | 9% | 11%
Don’t know/Not sure: 8% | 4% | 7% | 9% | 10% | 4% | 11% | 7% | 9% | 8% | 6% | 56% | 61%

*Prefer not to answer not shown for analysis purposes.


In what year did the breach occur? (Please select the most recent if multiple breaches)

Nearly two-thirds (64 percent) of those who have experienced a breach say it occurred in the past three years. Those in organizations with larger revenue and more employees are more likely to report a breach occurring in the past couple of years. Fifty-seven percent of those whose organization has not retained outside counsel for assistance in a possible breach report that the breach occurred after 2012, compared with 72 percent of those whose company has retained outside counsel for this reason.

YEAR MOST RECENT BREACH OCCURRED

2015: 26%
2014: 21%
2013: 17%
2012: 8%
2011: 6%
2010: 8%
2009: 3%
2008: 3%
2007: 2%
2006: 2%
2005: 5%

Retained outside counsel for cybersecurity?

                                             Yes    No
Breach occurred before 2013                  28%    43%
Breach occurred in 2013, 2014, or 2015       72%    57%


(Cont’d) In what year did the breach occur? (Please select the most recent if multiple breaches)

Columns: Overall (All responses) | CLO/GC vs. Others (CLO/GC | Other title) | Have you ever experienced a breach? (Yes | No) | Region - Office location (US | Canada | EMEA | Asia Pacific) | Organization’s total gross revenue for the last fiscal year (US $) (<$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more)

n = 266 | 212 | 54 | 265 | 0 | 193 | 8 | 12 | 28 | 60 | 45 | 71 | 61
2005: 5% | 6% | 4% | 5% | 0% | 5% | 13% | 17% | 0% | 3% | 11% | 7% | 3%
2006: 2% | 2% | 2% | 2% | 0% | 2% | 0% | 0% | 0% | 7% | 0% | 1% | 0%
2007: 2% | 1% | 2% | 2% | 0% | 2% | 0% | 0% | 0% | 2% | 4% | 0% | 2%
2008: 3% | 3% | 4% | 3% | 0% | 3% | 0% | 0% | 7% | 5% | 2% | 1% | 2%
2009: 3% | 2% | 4% | 3% | 0% | 2% | 0% | 0% | 7% | 5% | 0% | 1% | 3%
2010: 8% | 8% | 6% | 8% | 0% | 9% | 0% | 17% | 0% | 17% | 4% | 7% | 5%
2011: 6% | 6% | 6% | 6% | 0% | 4% | 0% | 8% | 7% | 10% | 0% | 3% | 3%
2012: 8% | 9% | 4% | 8% | 0% | 9% | 13% | 0% | 7% | 8% | 11% | 6% | 7%
2013: 17% | 16% | 22% | 17% | 0% | 20% | 13% | 0% | 14% | 18% | 16% | 24% | 13%
2014: 21% | 23% | 15% | 21% | 0% | 20% | 13% | 42% | 29% | 12% | 22% | 21% | 30%
2015: 26% | 24% | 33% | 26% | 0% | 25% | 50% | 17% | 29% | 13% | 29% | 28% | 33%
Total: 100% in each column

Columns: Total number of employees in organization/company (Less than 100 | 100-499 | 500-4,999 | 5,000 or more) | Size of your law department (all staff in all locations) (1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees) | Employer a global entity? (Yes | No)

n = 21 | 52 | 88 | 100 | 29 | 134 | 34 | 29 | 40 | 155 | 107
2005: 5% | 6% | 6% | 5% | 0% | 9% | 0% | 0% | 5% | 6% | 4%
2006: 0% | 6% | 3% | 0% | 0% | 4% | 0% | 0% | 0% | 1% | 4%
2007: 5% | 2% | 0% | 1% | 3% | 1% | 3% | 0% | 0% | 1% | 2%
2008: 0% | 4% | 6% | 1% | 7% | 2% | 3% | 7% | 0% | 3% | 4%
2009: 10% | 4% | 1% | 2% | 0% | 3% | 0% | 3% | 5% | 2% | 3%
2010: 19% | 8% | 7% | 6% | 7% | 10% | 3% | 0% | 10% | 8% | 7%
2011: 19% | 10% | 2% | 5% | 17% | 4% | 9% | 0% | 8% | 4% | 9%
2012: 5% | 10% | 8% | 8% | 14% | 6% | 15% | 7% | 5% | 9% | 7%
2013: 14% | 17% | 17% | 17% | 14% | 20% | 9% | 10% | 20% | 13% | 22%
2014: 5% | 17% | 20% | 25% | 17% | 20% | 21% | 31% | 20% | 24% | 17%
2015: 19% | 17% | 30% | 30% | 21% | 20% | 38% | 41% | 28% | 28% | 22%
Total: 100% in each column


How did you learn of the breach?

Among those who experienced a data breach, 44 percent say that the IT department informed them when it occurred, followed by a member of the compliance department (14 percent) and a third-party vendor (13 percent). Another 24 percent report they were informed by some other entity. Just 6 percent say they were informed by an outside governmental agency. Those in the Asia Pacific region are more likely to report they learned of the breach from the compliance department than those in other regions. Furthermore, the more employees in the company, the less likely respondents are to hear about the breach from the IT department. GC/CLOs were more likely to hear about the breach from the IT department than respondents with other titles.

HOW DID YOU LEARN OF THE BREACH?

44% IT department

14% Compliance department

13% Third-party vendor (i.e., forensics, e-billing)

6% Outside governmental agency

24% Other - please specify


(Cont’d) How did you learn of the breach?

Columns: Overall (All responses) | CLO/GC vs. Others (CLO/GC | Other title) | Have you ever experienced a breach? (Yes | No) | Region - Office location (US | Canada | EMEA | Asia Pacific) | Organization’s total gross revenue for the last fiscal year (US $) (<$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more)

n = 271 | 215 | 56 | 269 | 1 | 199 | 8 | 12 | 28 | 63 | 44 | 70 | 64
IT department: 44% | 47% | 34% | 44% | 0% | 43% | 13% | 75% | 46% | 44% | 41% | 47% | 47%
Compliance department: 14% | 14% | 13% | 14% | 0% | 12% | 13% | 0% | 32% | 13% | 9% | 14% | 14%
Third-party vendor (i.e., forensics, e-billing): 13% | 13% | 13% | 13% | 0% | 15% | 0% | 17% | 4% | 11% | 16% | 11% | 14%
Outside governmental agency: 6% | 5% | 7% | 6% | 0% | 6% | 0% | 0% | 4% | 5% | 2% | 6% | 8%
Other - please specify: 24% | 21% | 34% | 23% | 100% | 24% | 75% | 8% | 14% | 27% | 32% | 21% | 17%
Total: 100% in each column

Columns: Total number of employees in organization/company (Less than 100 | 100-499 | 500-4,999 | 5,000 or more) | Size of your law department (all staff in all locations) (1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees) | Employer a global entity? (Yes | No)

n = 22 | 53 | 89 | 101 | 28 | 135 | 35 | 31 | 42 | 159 | 108
IT department: 55% | 47% | 42% | 43% | 54% | 39% | 43% | 58% | 45% | 46% | 42%
Compliance department: 14% | 11% | 15% | 16% | 14% | 14% | 17% | 6% | 17% | 14% | 13%
Third-party vendor (i.e., forensics, e-billing): 14% | 15% | 10% | 15% | 4% | 16% | 11% | 10% | 14% | 13% | 13%
Outside governmental agency: 0% | 2% | 6% | 7% | 7% | 5% | 9% | 6% | 2% | 6% | 5%
Other - please specify: 18% | 25% | 28% | 20% | 21% | 27% | 20% | 19% | 21% | 21% | 28%
Total: 100% in each column


What is the most important thing you wish you had known before the breach that you know now as a result of your experience?

Comments from in-house counsel center around having better prevention, training, and monitoring. Better detection of cyber-related threats, greater awareness of regulatory requirements, and having a plan in place to manage the breach before it occurs help decrease vulnerabilities. On a technical note, several in-house counsel note that they wish they would have known more about employee behavior, readiness to identify and respond to a potential threat, and the extent to which vulnerabilities exist at various levels in the organization. Below is a sample of best practices cited by in-house counsel.

Act fast and get out ahead of the news and the regulators.

Be prepared in advance; manage internal and external communications in a controlled and organized fashion.

Better detection of long-term tiny leaks caused by viruses in client data.

Better due diligence on suppliers on cyber security issues.

Better understanding of the risk of fraud by a third party to enable circumvention of security controls.

Difficulty of getting law-enforcement cybercrimes assistance with investigation.

Employee training needed to increase on reporting of issues.

Extent of information encryption and retention level of unnecessary information.

Full mapping of company data and data flows.

It is important to understand what third parties have processes that impact how information flows in the company’s IT systems.

How manual and automated processes can sometimes expose an organization to a breach if closer QA processes are not maintained.

How much time is involved in responding to a breach.

How to perform due diligence for IT security issues in M&A.

How to properly scope an investigation to determine the scope of the breach.

How to quickly identify the third-party vendors involved in the breach.

How to train people properly.

I wish I had known the extent to which personal information was being shared by email.

I wish I had known what network vulnerabilities are considered unreasonable by the FTC.

I wish I had more clarity on how we protected client’s personally identifiable information.

Importance of enterprisewide sense of responsibility about all things data security.

In order to help law enforcement prosecute and sentence, you have to meticulously provide the value of the things stolen.

Interconnectedness of systems.

Internal threat vulnerabilities.

Lack of security protocols of IT equipment.

No firewall can give 100% protection.

Our PR department was not as prepared as the rest of the organization to address the breach.

Requirements can vary significantly by state.

Risks associated with lack of policies and procedures related to removing old/stale user accounts.

Significant adverse consequences of self-reporting to regulators when it wasn’t mandatory.

That breaches can occur out of employee negligence and not just on the cunning of ‘hackers.’

That some employees working from home are on their own unencrypted devices.

That we had no ability to detect it.

The amount of personal data maintained on the servers.

The extent of the vulnerability of our systems.

The extent to which our data security relied on third parties.

The importance of regular internal training on avoidance of phishing attacks.

The lack of checks and balances in our document management system.

The lack of governmental standards around what is ‘reasonable’ security program.

The PR reputational aspects.

The proper scope of a forensic investigation.

To do a better job at educating employees on cybersecurity issues, how to recognize and what to do and to become more informed on various ways that data breaches occur and proactive ways that could eliminate or reduce exposure.


To have cybersecurity insurance and a policy/plan in place in the event of a breach.

We need to make sure we have the appropriate monitoring tools in place.

What people take with them when they leave.

Whether or not to report the breach to the police.

Which employees had which access rights to which systems.

Who was accountable for the systems that allowed the breach.

Wish we would have had a corrective action plan at the ready.

Too many missteps and lost time in trying to fix the breach.


How would you characterize your responsibilities regarding cybersecurity in your company? (Select the best answer describing your highest level of responsibility)

Regarding cybersecurity, 30 percent of respondents characterize their role as one of leadership at the organization level. An organizational leadership role is more common among GC/CLOs; 35 percent report such a role compared with 11 percent of in-house counsel not in the GC/CLO role. Those without the GC/CLO title are more likely to report they have a support role in cybersecurity in their legal department. Those with a leadership role at the organizational level are more likely to say they would like to maintain their current role and responsibilities with regard to cybersecurity rather than increase their role (34 percent to 27 percent). In-house lawyers with a leadership role in the department are more likely to say they would prefer to increase their role in cybersecurity in their organization rather than maintain it (40 percent to 30 percent).

LEVEL OF RESPONSIBILITY REGARDING CYBERSECURITY IN COMPANY

30% I am in a leadership role at the organization level

23% I am part of a team in the organization that has been designated with cybersecurity responsibilities

36% I am in a leadership role in the legal department

6% I am in a support role in the legal department

1% Other, please specify

4% Not applicable


(Cont’d) How would you characterize your responsibilities regarding cybersecurity in your company? (Select the best answer describing your highest level of responsibility)

Columns: Overall (All responses) | CLO/GC vs. Others (CLO/GC | Other title) | Have you ever experienced a breach? (Yes | No) | Region - Office location (US | Canada | EMEA | Asia Pacific) | Organization’s total gross revenue for the last fiscal year (US $) (<$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more)

n = 954 | 736 | 215 | 270 | 548 | 666 | 34 | 49 | 92 | 285 | 181 | 211 | 154
I am in a leadership role at the organization level: 30% | 35% | 11% | 33% | 29% | 31% | 24% | 24% | 27% | 35% | 34% | 29% | 19%
I am part of a team in the organization that has been designated with cybersecurity responsibilities: 23% | 21% | 27% | 24% | 22% | 26% | 18% | 20% | 11% | 24% | 22% | 28% | 21%
I am in a leadership role in the legal department: 36% | 36% | 35% | 34% | 37% | 33% | 44% | 33% | 55% | 34% | 37% | 36% | 42%
I am in a support role in the legal department: 6% | 3% | 16% | 4% | 7% | 6% | 6% | 10% | 4% | 3% | 4% | 4% | 12%
Other, please specify: 1% | 1% | 1% | 1% | 1% | 1% | 3% | 2% | 0% | 2% | 0% | <1% | 1%
Not applicable: 4% | 3% | 9% | 4% | 5% | 4% | 6% | 10% | 2% | 2% | 3% | 3% | 5%
Total: 100% in each column

Columns: Total number of employees in organization/company (Less than 100 | 100-499 | 500-4,999 | 5,000 or more) | Size of your law department (all staff in all locations) (1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees) | Employer a global entity? (Yes | No)

n = 148 | 233 | 304 | 253 | 176 | 492 | 121 | 65 | 94 | 541 | 397
I am in a leadership role at the organization level: 34% | 35% | 32% | 20% | 32% | 33% | 30% | 20% | 17% | 26% | 35%
I am part of a team in the organization that has been designated with cybersecurity responsibilities: 22% | 24% | 23% | 23% | 20% | 24% | 27% | 28% | 13% | 23% | 23%
I am in a leadership role in the legal department: 36% | 34% | 35% | 39% | 38% | 35% | 35% | 31% | 43% | 38% | 34%
I am in a support role in the legal department: 3% | 3% | 5% | 11% | 4% | 4% | 3% | 14% | 18% | 7% | 4%
Other, please specify: 1% | 1% | 1% | 1% | 2% | 1% | 0% | 2% | 1% | 1% | 1%
Not applicable: 3% | 3% | 4% | 6% | 3% | 3% | 5% | 6% | 9% | 5% | 3%
Total: 100% in each column


Which of the following does your organization employ? (Select all that apply)

Half of GC/CLOs and other in-house lawyers responding to the survey say their company has a chief information officer (CIO). Approximately a quarter report their company has a privacy/security manager, and 19 percent say their company employs a chief information security officer (CISO). Chief risk officers (17 percent), chief privacy officers (16 percent), and chief security officers (13 percent) are also prevalent. Just 6 percent say their organization has a board-level committee devoted to cybersecurity issues. Those in companies with cybersecurity insurance (24 percent) or self-insurance (26 percent) are more likely to employ a CISO than those without cybersecurity insurance (13 percent). Similarly, those with cybersecurity insurance (29 percent) and self-insurance (47 percent) are more likely to say they have someone in a privacy/security manager role at their company. A third of respondents who say they do not have cybersecurity insurance say their company has none of these data/information security roles.

ORGANIZATION EMPLOYS THE FOLLOWING

Chief Information Officer (CIO): 50%
Privacy/Security manager: 26%
None of the above: 25%
Chief Information Security Officer (CISO): 19%
Chief Risk Officer (CRO): 17%
Chief Privacy Officer (CPO): 16%
Chief Security Officer (CSO): 13%
Board-level committee devoted to cybersecurity: 6%


(Cont’d) Which of the following does your organization employ? (Select all that apply)

Columns: Overall (All responses) | CLO/GC vs. Others (CLO/GC | Other title) | Have you ever experienced a breach? (Yes | No) | Region - Office location (US | Canada | EMEA | Asia Pacific) | Organization’s total gross revenue for the last fiscal year (US $) (<$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more)

n = 962 | 743 | 214 | 272 | 552 | 672 | 35 | 50 | 92 | 289 | 180 | 214 | 153
Chief Information Officer (CIO): 50% | 46% | 62% | 62% | 44% | 50% | 49% | 50% | 51% | 28% | 47% | 71% | 72%
Privacy/Security Manager: 26% | 24% | 31% | 34% | 20% | 24% | 34% | 34% | 29% | 19% | 22% | 31% | 37%
Chief Information Security Officer (CISO): 19% | 18% | 24% | 26% | 16% | 20% | 11% | 36% | 16% | 8% | 17% | 24% | 43%
Chief Risk Officer (CRO): 17% | 15% | 22% | 22% | 13% | 14% | 14% | 22% | 28% | 10% | 8% | 21% | 30%
Chief Privacy Officer (CPO): 16% | 14% | 21% | 21% | 12% | 14% | 34% | 8% | 17% | 10% | 9% | 15% | 37%
Chief Security Officer (CSO): 13% | 12% | 19% | 15% | 11% | 13% | 11% | 26% | 8% | 6% | 7% | 16% | 33%
Board-level committee devoted to cybersecurity: 6% | 5% | 8% | 6% | 5% | 5% | 3% | 4% | 8% | 4% | 4% | 6% | 8%
None of the above: 25% | 27% | 15% | 14% | 30% | 25% | 26% | 16% | 24% | 41% | 28% | 11% | 5%

*Multiple responses possible. Percentages may sum to greater than 100%.

Columns: Total number of employees in organization/company (Less than 100 | 100-499 | 500-4,999 | 5,000 or more) | Size of your law department (all staff in all locations) (1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees) | Employer a global entity? (Yes | No)

n = 150 | 236 | 308 | 250 | 179 | 496 | 124 | 64 | 92 | 542 | 402
Chief Information Officer (CIO): 19% | 38% | 55% | 74% | 24% | 47% | 67% | 77% | 73% | 55% | 44%
Privacy/Security Manager: 15% | 17% | 29% | 36% | 15% | 25% | 29% | 36% | 40% | 30% | 19%
Chief Information Security Officer (CISO): 3% | 12% | 20% | 35% | 5% | 14% | 34% | 45% | 38% | 22% | 16%
Chief Risk Officer (CRO): 7% | 13% | 17% | 26% | 6% | 14% | 19% | 27% | 41% | 15% | 18%
Chief Privacy Officer (CPO): 6% | 11% | 12% | 30% | 4% | 12% | 23% | 19% | 46% | 16% | 15%
Chief Security Officer (CSO): 2% | 7% | 13% | 27% | 4% | 8% | 18% | 23% | 46% | 16% | 10%
Board-level committee devoted to cybersecurity: 3% | 6% | 5% | 8% | 3% | 5% | 7% | 13% | 5% | 6% | 5%
None of the above: 59% | 29% | 18% | 8% | 52% | 24% | 11% | 6% | 1% | 18% | 33%

*Multiple responses possible. Percentages may sum to greater than 100%.


Where is cybersecurity primarily housed in your organization?

A large majority (82 percent) of in-house counsel report that cybersecurity is primarily housed in the IT department of their company. Nine in 10 (89 percent) of those who say their legal department never briefs the board of directors on cybersecurity say cybersecurity is primarily housed in IT. Similarly, 84 percent of those who report their organization does not have a board-level committee dedicated to cybersecurity say that responsibility is primarily housed in IT, compared with 75 percent of those who report their company does have such a committee.

LOCATION CYBERSECURITY HOUSED IN COMPANY

IT: 82%
Legal: 5%
Operations/Administrative: 5%
Other (please specify): 4%
Compliance: 2%
Don't know/Not sure: 2%


Where is cybersecurity primarily housed in your organization? (Cont'd)

Column groups: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region (office location) | Organization's total gross revenue for the last fiscal year (US $)

Location | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 941 | 729 | 209 | 268 | 547 | 659 | 35 | 50 | 91 | 283 | 178 | 212 | 152
IT | 82% | 83% | 78% | 82% | 82% | 81% | 83% | 78% | 87% | 78% | 88% | 84% | 82%
Legal | 5% | 5% | 4% | 4% | 5% | 5% | 0% | 4% | 1% | 5% | 6% | 5% | 3%
Operations/Administrative | 5% | 6% | 3% | 4% | 6% | 5% | 3% | 8% | 8% | 8% | 2% | 3% | 5%
Other, please specify | 4% | 4% | 5% | 3% | 4% | 4% | 9% | 4% | 2% | 6% | 2% | 3% | 4%
Compliance | 2% | 2% | 3% | 3% | 2% | 3% | 0% | 2% | 1% | 2% | 1% | 4% | 3%
Don't know/Not sure | 2% | 1% | 6% | 3% | 2% | 1% | 6% | 4% | 1% | 1% | 0% | 1% | 4%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?

Location | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 144 | 231 | 302 | 248 | 174 | 487 | 121 | 63 | 91 | 534 | 391
IT | 74% | 82% | 85% | 81% | 82% | 83% | 84% | 87% | 70% | 82% | 83%
Legal | 4% | 6% | 4% | 5% | 5% | 3% | 8% | 5% | 4% | 5% | 4%
Operations/Administrative | 11% | 6% | 4% | 3% | 10% | 5% | 2% | 0% | 7% | 5% | 5%
Other, please specify | 5% | 4% | 4% | 4% | 2% | 5% | 2% | 5% | 7% | 3% | 5%
Compliance | 3% | 1% | 3% | 2% | 1% | 3% | 2% | 3% | 2% | 2% | 3%
Don't know/Not sure | 3% | 0% | 1% | 4% | 1% | 1% | 1% | 0% | 10% | 3% | 1%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


How often does your organization conduct a cybersecurity audit of the entire organization?

Four in ten respondents report that their organization conducts a companywide cybersecurity audit annually or more often. Thirty-eight percent are unsure whether their company conducts one at all. Those who say their organization has cybersecurity insurance are more likely to work in a company that conducts an annual cybersecurity audit than those who say their company does not have such insurance (43 percent versus 30 percent). Likewise, those who say their company has retained a forensic firm for possible breaches are more likely than those who have not to say their organization conducts an annual cybersecurity audit (41 percent versus 33 percent).

HOW OFTEN DOES YOUR ORGANIZATION CONDUCT A CYBERSECURITY AUDIT OF THE ENTIRE ORGANIZATION?

Quarterly: 5%
Two times per year: 4%
Annually: 32%
Every two years: 5%
Organization does not conduct a security audit: 11%
Other (please specify): 6%
Don't know/Not sure: 38%


How often does your organization conduct a cybersecurity audit of the entire organization? (Cont'd)

Column groups: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region (office location) | Organization's total gross revenue for the last fiscal year (US $)

Frequency | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 861 | 671 | 187 | 256 | 509 | 616 | 34 | 48 | 84 | 263 | 168 | 193 | 138
Quarterly | 5% | 6% | 2% | 5% | 5% | 4% | 6% | 10% | 6% | 6% | 5% | 7% | 3%
Two times per year | 4% | 4% | 4% | 3% | 5% | 4% | 0% | 2% | 5% | 3% | 5% | 5% | 1%
Annually | 32% | 35% | 21% | 35% | 31% | 36% | 24% | 21% | 15% | 37% | 36% | 32% | 25%
Every two years | 5% | 6% | 2% | 5% | 5% | 5% | 0% | 4% | 4% | 4% | 5% | 7% | 4%
Organization does not conduct a security audit | 11% | 12% | 10% | 9% | 13% | 11% | 15% | 13% | 13% | 19% | 15% | 4% | 7%
Other - please specify | 6% | 6% | 4% | 6% | 5% | 6% | 6% | 6% | 4% | 4% | 5% | 9% | 7%
Don't know/Not sure | 38% | 32% | 57% | 38% | 37% | 34% | 50% | 44% | 54% | 27% | 28% | 36% | 54%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?

Frequency | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 131 | 214 | 280 | 223 | 161 | 451 | 107 | 60 | 79 | 489 | 360
Quarterly | 3% | 6% | 8% | 2% | 5% | 6% | 3% | 7% | 0% | 5% | 5%
Two times per year | 4% | 5% | 5% | 2% | 3% | 5% | 5% | 2% | 1% | 3% | 5%
Annually | 33% | 37% | 35% | 24% | 30% | 36% | 27% | 28% | 23% | 30% | 34%
Every two years | 3% | 6% | 3% | 6% | 5% | 5% | 4% | 10% | 0% | 4% | 5%
Organization does not conduct a security audit | 24% | 12% | 10% | 4% | 20% | 11% | 6% | 7% | 4% | 11% | 12%
Other - please specify | 3% | 5% | 8% | 6% | 2% | 4% | 15% | 8% | 6% | 7% | 5%
Don't know/Not sure | 30% | 29% | 32% | 56% | 34% | 33% | 41% | 38% | 66% | 40% | 34%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Who conducted the most recent cybersecurity audit?

Of those who say audits are conducted, 40 percent report that the most recent audit was done by internal staff. Twenty-nine percent report it was done by an outside auditor, and nearly as many (27 percent) say it was done by a trusted vendor. In-house counsel in smaller companies are more likely to report the use of internal auditors than those in larger companies of 500 or more employees. Among lawyers who say the most recent breach they experienced was due to employee error, 39 percent say their most recent audit was conducted by internal staff, 33 percent by an outside auditor, and 25 percent by a trusted vendor.

WHO CONDUCTED MOST RECENT CYBERSECURITY AUDIT?

Internal staff: 40%
Outside auditor: 29%
Trusted vendor: 27%
Don't know/Not sure: 4%


Who conducted the most recent cybersecurity audit? (Cont'd)

Column groups: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region (office location) | Organization's total gross revenue for the last fiscal year (US $)

Auditor | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 434 | 372 | 61 | 135 | 253 | 335 | 12 | 21 | 27 | 138 | 96 | 113 | 54
Internal staff | 40% | 39% | 41% | 44% | 39% | 37% | 25% | 57% | 48% | 43% | 35% | 38% | 35%
Outside auditor | 29% | 31% | 21% | 27% | 30% | 30% | 42% | 19% | 33% | 31% | 34% | 25% | 31%
Trusted vendor | 27% | 27% | 26% | 24% | 27% | 30% | 25% | 24% | 15% | 23% | 26% | 35% | 22%
Don't know/Not sure | 4% | 2% | 11% | 4% | 4% | 4% | 8% | 0% | 4% | 2% | 4% | 2% | 11%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?

Auditor | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 59 | 124 | 160 | 90 | 73 | 248 | 56 | 33 | 24 | 235 | 193
Internal staff | 53% | 42% | 36% | 34% | 47% | 39% | 34% | 36% | 42% | 39% | 40%
Outside auditor | 25% | 31% | 29% | 31% | 23% | 32% | 34% | 21% | 25% | 28% | 32%
Trusted vendor | 22% | 26% | 29% | 29% | 26% | 27% | 29% | 30% | 25% | 28% | 26%
Don't know/Not sure | 0% | 2% | 6% | 6% | 4% | 2% | 4% | 12% | 8% | 6% | 1%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Does your law department and/or IT department audit your legal service providers for cybersecurity risk?

Just 14 percent of in-house counsel say their company audits its legal service providers for cybersecurity risk. Only 3 percent of those in Canada say their law or IT department does so, significantly fewer than in any other region. Only 14 percent of those in companies that carry cybersecurity insurance report that their IT or law department audits legal service providers for cybersecurity risk. However, 22 percent of those who say their organization has retained a forensic firm, and 19 percent of those who say their company has retained outside counsel in case of a breach, also audit their legal service providers for cyber risk.

LAW OR IT DEPARTMENT AUDIT LEGAL SERVICE PROVIDERS FOR CYBERSECURITY RISK?

Yes: 14%
No: 75%
Don't know/Not sure: 11%


Does your law department and/or IT department audit your legal service providers for cybersecurity risk? (Cont'd)

Column groups: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region (office location) | Organization's total gross revenue for the last fiscal year (US $)

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 890 | 696 | 191 | 260 | 527 | 630 | 34 | 50 | 90 | 270 | 171 | 200 | 145
Yes | 14% | 12% | 19% | 16% | 11% | 13% | 3% | 16% | 18% | 13% | 13% | 12% | 19%
No | 75% | 80% | 58% | 73% | 78% | 76% | 91% | 80% | 74% | 81% | 81% | 77% | 61%
Don't know/Not sure | 11% | 8% | 24% | 11% | 11% | 11% | 6% | 4% | 8% | 6% | 6% | 12% | 19%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?

Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 134 | 220 | 287 | 236 | 166 | 460 | 114 | 61 | 85 | 502 | 375
Yes | 17% | 9% | 13% | 16% | 10% | 12% | 13% | 23% | 22% | 13% | 15%
No | 72% | 86% | 79% | 64% | 84% | 78% | 78% | 59% | 49% | 74% | 77%
Don't know/Not sure | 11% | 5% | 8% | 20% | 6% | 10% | 9% | 18% | 28% | 13% | 8%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


What standard(s) does your organization currently use to address cybersecurity? (Select all that apply)

Most GC/CLOs and other in-house counsel do not know what standards their organization uses to address cybersecurity, and just 6 percent say their company employs none of the standards listed. ISO 17799/27001, the National Institute of Standards and Technology (NIST) framework, and SSAE 16 are the most commonly cited. Those working in companies that are global entities are significantly more likely than those in domestic-only companies to report that their company uses ISO 17799/27001. Twice as many in-house counsel in EMEA report using ISO 17799/27001 as in any other region. And just 6 percent of those in companies with fewer than 100 employees report using NIST, about half the rate reported in larger companies.

STANDARDS USED TO ADDRESS CYBERSECURITY

ISO 17799/27001: 14%
NIST: 12%
SSAE 16: 11%
ISACA: 3%
COBIT 5: 2%
SANS Critical Security Controls: 2%
Six Sigma: 2%
OWASP: 1%
SSE-CMM: 1%
Other (please specify): 4%
None: 6%
Don't know/Not sure: 60%


What standard(s) does your organization currently use to address cybersecurity? (Select all that apply) (Cont'd)

Column groups: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region (office location) | Organization's total gross revenue for the last fiscal year (US $)

Standard | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 944 | 731 | 208 | 270 | 548 | 672 | 35 | 50 | 92 | 283 | 179 | 211 | 149
ISO 17799/27001 | 14% | 14% | 16% | 16% | 11% | 13% | 11% | 30% | 15% | 10% | 22% | 17% | 15%
National Institute of Standards and Technology (NIST) | 12% | 12% | 12% | 14% | 10% | 14% | 6% | 4% | 1% | 11% | 11% | 15% | 13%
SSAE 16 | 11% | 11% | 13% | 13% | 10% | 14% | 9% | 6% | 1% | 12% | 15% | 12% | 8%
Information Systems Audit and Control Association (ISACA) | 3% | 3% | 3% | 2% | 3% | 3% | 3% | 6% | 4% | 3% | 2% | 4% | 3%
Six Sigma | 2% | 2% | 2% | 3% | 1% | 2% | 0% | 2% | 3% | 2% | 1% | 2% | 2%
SANS Critical Security Controls | 2% | 2% | 4% | 2% | 2% | 2% | 0% | 0% | 3% | 3% | 0% | 3% | 4%
COBIT 5 | 2% | 2% | 2% | 1% | 2% | 1% | 0% | 6% | 2% | 2% | 1% | 1% | 4%
Open Web Application Security Project (OWASP) | 1% | 2% | 1% | 1% | 1% | 1% | 0% | 0% | 1% | 2% | 1% | 1% | 1%
SSE-CMM | 1% | 1% | <1% | 1% | 1% | 1% | 0% | 0% | 1% | <1% | 2% | 1% | 1%
Other - Please specify | 4% | 4% | 5% | 4% | 4% | 5% | 0% | 2% | 2% | 5% | 7% | 4% | 1%
None | 6% | 6% | 5% | 4% | 7% | 5% | 3% | 10% | 10% | 12% | 7% | 2% | 1%
Don't know/Not sure | 60% | 60% | 61% | 60% | 62% | 59% | 74% | 52% | 68% | 53% | 50% | 64% | 68%

*Multiple responses possible. Percentages may sum to greater than 100%.

Column groups: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?

Standard | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 143 | 234 | 306 | 244 | 177 | 487 | 121 | 63 | 89 | 532 | 394
ISO 17799/27001 | 16% | 14% | 18% | 15% | 10% | 14% | 18% | 14% | 19% | 18% | 10%
National Institute of Standards and Technology (NIST) | 6% | 13% | 13% | 12% | 10% | 11% | 14% | 13% | 16% | 10% | 14%
SSAE 16 | 4% | 14% | 14% | 10% | 8% | 12% | 14% | 8% | 15% | 12% | 10%
Information Systems Audit and Control Association (ISACA) | 1% | 3% | 3% | 3% | 2% | 3% | 2% | 3% | 2% | 4% | 2%
Six Sigma | 1% | 2% | 2% | 3% | 2% | 2% | 2% | 2% | 3% | 3% | 1%
SANS Critical Security Controls | 3% | 2% | 1% | 4% | 1% | 2% | 3% | 5% | 2% | 2% | 3%
COBIT 5 | 1% | 2% | 1% | 3% | 1% | 1% | 2% | 3% | 3% | 2% | 2%
Open Web Application Security Project (OWASP) | 2% | 2% | 1% | 1% | 1% | 2% | 1% | 0% | 3% | 1% | 2%
SSE-CMM | 0% | 1% | 1% | 1% | 1% | 1% | 0% | 0% | 2% | 1% | <1%
Other - Please specify | 4% | 5% | 6% | 2% | 3% | 5% | 3% | 5% | 1% | 4% | 5%
None | 15% | 8% | 4% | 2% | 14% | 5% | 2% | 2% | 1% | 5% | 7%
Don't know/Not sure | 64% | 52% | 57% | 69% | 58% | 60% | 58% | 62% | 67% | 61% | 59%

*Multiple responses possible. Percentages may sum to greater than 100%.


Does your organization currently have any of the following policies in place? (Select all that apply)

A majority of respondents have basic policies in place to reduce cybersecurity risk. The most common are password and social media policies, along with document retention policies. The only listed policies not in place at a majority of organizations are a data map and BYOD guidelines.

POLICIES ORGANIZATION HAS IMPLEMENTED

Password policy: 81%
Social media policy: 75%
Document retention policy: 74%
Website privacy policy: 68%
Employee manual acceptance policy: 65%
Internet privacy policy: 64%
Identity and access management: 57%
BYOD policy: 42%
Data map: 18%
None of the above: 1%
Don't know/Not sure: 3%


Does your organization currently have any of the following policies in place? (Select all that apply) (Cont'd)

Column groups: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region (office location) | Organization's total gross revenue for the last fiscal year (US $)

Policy | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 935 | 724 | 206 | 268 | 543 | 672 | 35 | 50 | 92 | 279 | 178 | 211 | 147
Password policy | 81% | 80% | 84% | 84% | 80% | 82% | 71% | 86% | 75% | 76% | 81% | 86% | 88%
Social media policy | 75% | 74% | 79% | 84% | 71% | 75% | 74% | 72% | 77% | 65% | 73% | 85% | 86%
Document retention policy | 74% | 72% | 82% | 79% | 71% | 73% | 66% | 66% | 73% | 65% | 68% | 85% | 84%
Website privacy policy | 68% | 67% | 76% | 71% | 67% | 67% | 60% | 64% | 76% | 69% | 70% | 71% | 69%
Employee manual acceptance policy | 65% | 66% | 61% | 68% | 64% | 70% | 51% | 50% | 40% | 69% | 69% | 65% | 56%
Internet privacy policy | 64% | 64% | 67% | 67% | 64% | 62% | 54% | 64% | 73% | 59% | 60% | 69% | 73%
Identity and access management | 57% | 56% | 63% | 65% | 55% | 57% | 63% | 72% | 48% | 52% | 58% | 59% | 71%
BYOD policy | 42% | 42% | 46% | 52% | 37% | 45% | 40% | 38% | 35% | 34% | 40% | 50% | 61%
Data map | 18% | 17% | 20% | 18% | 18% | 20% | 14% | 12% | 10% | 13% | 19% | 16% | 27%
None of the above | 1% | 1% | 0% | <1% | 1% | 1% | 3% | 0% | 1% | 1% | 1% | <1% | 0%
Don't know/Not sure | 3% | 2% | 3% | 1% | 2% | 3% | 3% | 2% | 1% | 3% | 2% | <1% | 1%

*Multiple responses possible. Percentages may sum to greater than 100%.

Column groups: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?

Policy | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 140 | 231 | 304 | 243 | 174 | 483 | 120 | 62 | 89 | 527 | 390
Password policy | 71% | 78% | 84% | 86% | 72% | 80% | 90% | 87% | 87% | 81% | 81%
Social media policy | 59% | 66% | 78% | 88% | 57% | 75% | 88% | 85% | 84% | 77% | 72%
Document retention policy | 67% | 61% | 76% | 87% | 61% | 71% | 85% | 82% | 90% | 74% | 74%
Website privacy policy | 61% | 68% | 71% | 70% | 57% | 72% | 65% | 73% | 73% | 72% | 65%
Employee manual acceptance policy | 65% | 65% | 68% | 60% | 64% | 68% | 57% | 63% | 64% | 63% | 67%
Internet privacy policy | 56% | 58% | 66% | 72% | 50% | 66% | 69% | 68% | 78% | 67% | 61%
Identity and access management | 49% | 55% | 55% | 67% | 44% | 56% | 58% | 76% | 75% | 60% | 54%
BYOD policy | 26% | 40% | 43% | 55% | 26% | 41% | 55% | 47% | 66% | 43% | 42%
Data map | 12% | 16% | 15% | 25% | 10% | 16% | 23% | 26% | 31% | 19% | 15%
None of the above | 2% | 1% | <1% | 0% | 2% | <1% | 0% | 0% | 0% | <1% | 1%
Don't know/Not sure | 5% | 3% | 1% | 2% | 4% | 2% | 1% | 2% | 3% | 2% | 3%

*Multiple responses possible. Percentages may sum to greater than 100%.


Is a member of the legal department on the company's data breach response team?

Sixty-one percent of respondents say that they themselves or another member of their department is on the data breach response team. Nine percent say that no member of the legal department is on the team, while 30 percent say their company has no formal data breach response team. Forty-nine percent of CLOs/GCs say they are personally a member of the team, compared with 29 percent of all other respondents. Respondents in the US are the most likely to say they are personally a member (49 percent); the lowest shares are in EMEA (28 percent) and the Asia Pacific (27 percent).

MEMBER OF LEGAL DEPARTMENT ON DATA BREACH TEAM?

Yes, I am or someone else is: 61%
No member of the legal department is on the data breach response team: 9%
Company does not have a formal data breach response team: 30%


Is a member of the legal department on the company's data breach response team? (Cont'd)

Column groups: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region (office location) | Organization's total gross revenue for the last fiscal year (US $)

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 924 | 720 | 200 | 264 | 540 | 665 | 35 | 50 | 92 | 278 | 177 | 208 | 145
Yes, I am or someone else is | 61% | 61% | 63% | 69% | 57% | 65% | 54% | 40% | 43% | 53% | 62% | 69% | 74%
Yes, I am | 44% | 49% | 29% | 47% | 44% | 49% | 34% | 28% | 27% | 49% | 55% | 42% | 34%
Yes, other member of department | 17% | 12% | 35% | 22% | 13% | 17% | 20% | 12% | 16% | 4% | 7% | 26% | 41%
No member of department on data breach response team | 9% | 9% | 8% | 8% | 10% | 7% | 9% | 18% | 9% | 9% | 11% | 5% | 8%
Company does not have a formal data breach response team | 30% | 31% | 29% | 23% | 34% | 27% | 37% | 42% | 48% | 38% | 27% | 26% | 18%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?

Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 139 | 230 | 302 | 238 | 174 | 479 | 119 | 60 | 86 | 521 | 387
Yes, I am or someone else is | 43% | 62% | 61% | 72% | 42% | 60% | 76% | 77% | 78% | 62% | 61%
Yes, I am | 41% | 56% | 47% | 31% | 41% | 51% | 40% | 35% | 27% | 40% | 49%
Yes, other member of department | 2% | 6% | 14% | 41% | 1% | 9% | 36% | 42% | 51% | 21% | 12%
No member of department on data breach response team | 6% | 9% | 12% | 6% | 16% | 8% | 7% | 3% | 5% | 9% | 8%
Company does not have a formal data breach response team | 50% | 30% | 27% | 22% | 42% | 32% | 17% | 20% | 17% | 30% | 31%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Does your organization have cybersecurity insurance?

Forty-seven percent of respondents say that their organization has cybersecurity insurance, while 26 percent say it does not. More than one in five (22 percent) were not certain of their company's cyber insurance status. Smaller law departments and organizations with lower revenues tend to be more likely to have cybersecurity insurance. The highest percentage of respondents reporting cyber insurance comes from the US (53 percent), compared with the lowest (25 percent) in the Asia Pacific.

DOES YOUR ORGANIZATION HAVE CYBERSECURITY INSURANCE?

Yes: 47%
No: 26%
Self-insurance: 4%
Don't know/Not sure: 22%


Does your organization have cybersecurity insurance? (Cont'd)

Column groups: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region (office location) | Organization's total gross revenue for the last fiscal year (US $)

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 875 | 682 | 191 | 257 | 520 | 638 | 35 | 46 | 84 | 263 | 171 | 197 | 140
Yes | 47% | 50% | 37% | 53% | 44% | 53% | 37% | 30% | 25% | 53% | 57% | 49% | 36%
No | 26% | 28% | 19% | 24% | 29% | 26% | 29% | 33% | 30% | 29% | 30% | 25% | 19%
Self-insurance | 4% | 4% | 7% | 6% | 3% | 5% | 3% | 2% | 6% | 2% | 4% | 4% | 11%
Don't know/Not sure | 22% | 18% | 36% | 17% | 24% | 16% | 31% | 35% | 39% | 16% | 9% | 22% | 33%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?

Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 127 | 217 | 289 | 228 | 165 | 449 | 115 | 59 | 84 | 499 | 365
Yes | 32% | 61% | 52% | 38% | 45% | 53% | 45% | 44% | 29% | 45% | 50%
No | 41% | 27% | 26% | 19% | 32% | 28% | 22% | 25% | 14% | 24% | 30%
Self-insurance | 2% | 2% | 3% | 9% | 3% | 3% | 5% | 5% | 13% | 5% | 3%
Don't know/Not sure | 25% | 10% | 19% | 34% | 20% | 16% | 28% | 25% | 44% | 25% | 17%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Please select the answer that best describes the level of monetary coverage for your company's cybersecurity insurance plan (in US $).

Two-thirds of those who report their company has a cybersecurity insurance plan say the coverage is US $1 million or more. Those in companies with the highest annual revenue were the most likely to be unsure of the amount of coverage.

AMOUNT OF CYBERSECURITY INSURANCE COVERAGE

Less than $50,000: 9%
$50,000 to $99,999: 2%
$100,000 to $499,999: 5%
$500,000 to $999,999: 2%
$1 million or more: 66%
Don't know/Not sure: 16%


Level of monetary coverage for your company's cybersecurity insurance plan (in US $) (Cont'd)

Column groups: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region (office location) | Organization's total gross revenue for the last fiscal year (US $)

Coverage | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 355 | 295 | 59 | 115 | 203 | 298 | 10 | 13 | 17 | 132 | 81 | 78 | 42
Less than $1,000 | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
$1,000 to $4,999 | 1% | 1% | 2% | 2% | <1% | 1% | 0% | 0% | 0% | 2% | 2% | 0% | 0%
$5,000 to $9,999 | 3% | 3% | 2% | 3% | 3% | 3% | 0% | 0% | 0% | 3% | 2% | 3% | 2%
$10,000 to $14,999 | 3% | 2% | 3% | 4% | 1% | 3% | 0% | 0% | 0% | 3% | 1% | 5% | 0%
$15,000 to $19,999 | <1% | <1% | 0% | 0% | <1% | <1% | 0% | 0% | 0% | 0% | 0% | 1% | 0%
$20,000 to $29,999 | 1% | 1% | 2% | 2% | 1% | 1% | 0% | 0% | 6% | 1% | 1% | 0% | 7%
$30,000 to $39,999 | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
$40,000 to $49,999 | <1% | <1% | 0% | 1% | 0% | <1% | 0% | 0% | 0% | 0% | 0% | 1% | 0%
$50,000 to $99,999 | 2% | 2% | 2% | 1% | 3% | 2% | 20% | 0% | 6% | 0% | 4% | 3% | 5%
$100,000 to $499,999 | 5% | 5% | 3% | 5% | 4% | 4% | 10% | 8% | 6% | 8% | 2% | 0% | 5%
$500,000 to $999,999 | 2% | 2% | 3% | 2% | 2% | 2% | 10% | 0% | 0% | 4% | 1% | 3% | 0%
$1 million or more | 66% | 68% | 56% | 61% | 67% | 67% | 50% | 62% | 59% | 67% | 75% | 72% | 48%
Don't know/Not sure | 16% | 14% | 27% | 19% | 15% | 15% | 10% | 31% | 24% | 12% | 10% | 13% | 33%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?

Coverage | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 36 | 120 | 123 | 72 | 63 | 210 | 44 | 21 | 17 | 192 | 159
Less than $1,000 | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
$1,000 to $4,999 | 6% | 1% | 1% | 0% | 2% | 1% | 0% | 0% | 0% | 0% | 3%
$5,000 to $9,999 | 3% | 3% | 2% | 3% | 0% | 3% | 7% | 5% | 0% | 3% | 3%
$10,000 to $14,999 | 6%

1%2%

4%3%

2%2%

0%6%

2%3%

$15,

000

to $

19,9

990%

0%0%

1%0%

<1%

0%0%

0%1%

0%

$20,

000

to $

29,9

993%

1%0%

4%2%

<1%

0%10

%6%

1%2%

$30,

000

to $

39,9

990%

0%0%

0%0%

0%0%

0%0%

0%0%

$40,

000

to $

49,9

990%

0%1%

0%0%

0%2%

0%0%

0%1%

$50,

000

to $

99,9

993%

3%2%

3%3%

1%2%

5%6%

3%2%

$100

,000

to

$499

,999

6%8%

2%3%

5%6%

2%0%

0%5%

4%

$500

,000

to

$999

,999

11%

2%1%

1%6%

1%2%

0%0%

3%2%

$1 m

illio

n or

mor

e50

%68

%74

%60

%68

%67

%70

%67

%35

%68

%64

%

Don

't kn

ow/N

ot s

ure

14%

13%

15%

21%

11%

17%

11%

14%

47%

16%

16%

Tota

l10

0%10

0%10

0%10

0%10

0%10

0%10

0%10

0%10

0%10

0%10

0%

(Con

t’d)

Plea

se s

elec

t th

e an

swer

tha

t be

st d

escr

ibes

the

leve

l of m

onet

ary

cove

rage

for

your

com

pany

’s cy

bers

ecur

ity

insu

ranc

e pl

an (i

n U

S $)

. (C

onve

rt t

o U

S do

llars

usi

ng t

he c

urre

ncy

conv

ersi

on t

ool b

elow

)

Page 73: THE State of Cybersecurit y ReportTypes of data security specialists employed by company 51 ... Audit of legal service providers for cybersecurity risk 59 Cybersecurity standards used

ACC Foundation: The State of Cybersecurity Report, underwritten by Ballard Spahr LLP 71www.acc-foundation.com

OVERALL SURVEY RESULTS

How confident are you that your company has the right coverage for a cybersecurity event?

Just 13 percent of those in organizations with cybersecurity insurance are extremely confident (choosing 9 or 10 out of a scale of 10) in the amount of coverage they have in case of a breach. But only 9 percent are not confident at all (choosing 1 or 2 out of a scale of 10).

CONFIDENCE COMPANY HAS RIGHT CYBERSECURITY COVERAGE

1 Not at all confident: 1%
2: 2%
3: 6%
4: 7%
5: 20%
6: 15%
7: 14%
8: 22%
9: 9%
10 Extremely confident: 4%

(Cont'd) How confident are you that your company has the right coverage for a cybersecurity event?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Confidence | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | Region: US | Canada | EMEA | Asia Pacific | Revenue: <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 381 | 318 | 62 | 128 | 208 | 315 | 11 | 14 | 20 | 129 | 95 | 85 | 48
1 - Not at all confident | 1% | 1% | 0% | 2% | <1% | 1% | 0% | 0% | 0% | 2% | 1% | 1% | 0%
2 | 2% | 2% | 3% | 3% | 2% | 3% | 0% | 0% | 0% | 3% | 2% | 2% | 2%
3 | 6% | 6% | 10% | 3% | 8% | 6% | 27% | 14% | 0% | 8% | 6% | 5% | 2%
4 | 7% | 7% | 6% | 5% | 8% | 7% | 9% | 7% | 10% | 5% | 12% | 7% | 6%
5 | 20% | 21% | 13% | 21% | 18% | 19% | 27% | 21% | 5% | 19% | 22% | 21% | 17%
6 | 15% | 14% | 18% | 13% | 16% | 14% | 9% | 14% | 25% | 11% | 17% | 15% | 15%
7 | 14% | 14% | 13% | 16% | 12% | 16% | 0% | 0% | 10% | 15% | 9% | 15% | 17%
8 | 22% | 21% | 27% | 23% | 22% | 22% | 18% | 36% | 30% | 25% | 16% | 24% | 31%
9 | 9% | 9% | 6% | 11% | 8% | 9% | 0% | 7% | 10% | 8% | 9% | 7% | 6%
10 - Extremely confident | 4% | 4% | 3% | 3% | 5% | 4% | 9% | 0% | 10% | 5% | 5% | 2% | 4%
Total | 100% in every column

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Confidence | Employees: Less than 100 | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global entity: Yes | Global entity: No
n= | 34 | 127 | 140 | 76 | 67 | 225 | 46 | 23 | 20 | 212 | 164
1 - Not at all confident | 0% | 2% | 1% | 0% | 0% | 2% | 0% | 0% | 0% | 1% | 1%
2 | 6% | 3% | 1% | 3% | 1% | 3% | 0% | 9% | 0% | 1% | 4%
3 | 15% | 7% | 4% | 5% | 13% | 5% | 4% | 0% | 5% | 8% | 5%
4 | 0% | 9% | 6% | 8% | 6% | 8% | 7% | 13% | 0% | 8% | 7%
5 | 12% | 21% | 21% | 20% | 21% | 19% | 24% | 17% | 20% | 17% | 23%
6 | 12% | 14% | 14% | 16% | 13% | 16% | 15% | 17% | 5% | 17% | 13%
7 | 18% | 9% | 17% | 14% | 15% | 14% | 9% | 13% | 25% | 14% | 13%
8 | 24% | 20% | 22% | 28% | 21% | 20% | 33% | 17% | 35% | 25% | 20%
9 | 12% | 10% | 9% | 4% | 4% | 11% | 4% | 13% | 5% | 9% | 7%
10 - Extremely confident | 3% | 5% | 4% | 3% | 4% | 4% | 4% | 0% | 5% | 1% | 7%
Total | 100% in every column

Please describe how your company determined the amount of insurance needed for effective coverage.

In determining the amount of insurance coverage, the following were common approaches used by companies:
• worked with an insurance broker
• based coverage levels on contractual requirements
• benchmarked similar markets/organizations
• conducted risk analysis
• based coverage on number of records and cost of breach

Examples shared by in-house respondents are listed below.

A full study was carried out to determine the cyber risks we face, what controls we have in place, what mitigations plans we need to put in place, and the residual risk that we want to insure.

Cyberinsurance attorney.

Comparison of coverage levels and premiums.

Advice of our insurance broker based on our operations.

Amount required to meet contractual requirements from customers.

Analysis of 10 largest customers’ exposure.

Analysis of risks/threats taken by outside risk management firm.

As the leading cybersecurity consulting company, size and number of clients and fast-changing nature of business risks determine ever-increasing levels of coverage.

Assessment of likely damages that would follow an incident.

Audited by independent brokers.

Based on availability and premiums, weighed against likely expense associated with a breach.

Based on how much our customers required us to have contractually.

Benchmark comparisons with other similar companies and considering our size and potential losses.

Broker provided weighted risks, amounts of prior settlements, etc. for analysis.

CIO made decision.

Combination of availability and what company was willing to afford.

Combination of size of our business and availability in the market.

Contractual liability.

Cost of rectification/mitigation and likely damages.

Cross-functional committee.

Customer/vendor requirements.

Deep-dive analysis and risk assessment of company and comparison to market.

Discussion with agent, IT, comparable for like industries, and outside counsel.

Established by government insurer.

Estimated average direct sales online + estimated costs of notification/legal compliance/fines/penalties + consideration of industry-related average cost of breach surveys + comfort margin.

Estimated the cost to respond on a per-record basis.

Highest level available given PCI compliance.

It is incorporated in our E&O coverage; we have had no claims or losses so we felt the coverage was sufficient to meet our realistic needs.

Legacy coverage. We are reassessing the coverage and amounts.

Likeliest body of data that could be breached, factoring in reasonably likely containment abilities and the likely costs associated with same.

Market study of coverage taken by competitors and similar businesses but adjusted for our business model.

Number of policyholders times various stress-test scenarios.

Our IT team worked with me and our broker.

Our risk management department conducted a comprehensive review.

Ponemon study.

Risk management based on industry and company.

What coverage was affordable.

Working with our CFO and insurance provider, we used a formula to determine adequate coverage.


Do you expect your company to decrease, maintain, or increase the amount of cybersecurity insurance coverage in the next year?

The majority of respondents (58 percent) expect their company to maintain their current cybersecurity coverage for the next year. Twenty-six percent expect an increase in coverage, while less than 1 percent expect a decrease. In-house lawyers in the US and EMEA most frequently cite expectations for a rise in coverage. Twenty-eight percent of respondents in the US and 29 percent in the EMEA region expect an increase in coverage next year, while only 8 percent in Canada expect an increase.

EXPECTATIONS FOR COMPANY’S CYBERSECURITY INSURANCE FOR THE UPCOMING YEAR

Maintain current coverage: 58%
Increase coverage: 26%
Decrease coverage: <1%
Don’t know/Not sure: 15%

(Cont'd) Do you expect your company to decrease, maintain, or increase the amount of cybersecurity insurance coverage in the next year?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Expectation | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | Region: US | Canada | EMEA | Asia Pacific | Revenue: <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 405 | 333 | 71 | 134 | 223 | 336 | 13 | 14 | 19 | 138 | 96 | 93 | 50
Decrease coverage | <1% | 1% | 0% | 1% | <1% | <1% | 0% | 0% | 0% | 1% | 0% | 0% | 2%
Maintain current coverage | 58% | 58% | 61% | 57% | 59% | 56% | 69% | 64% | 68% | 62% | 56% | 56% | 60%
Increase coverage | 26% | 27% | 21% | 29% | 26% | 28% | 8% | 29% | 16% | 26% | 30% | 28% | 18%
Don't know/Not sure | 15% | 14% | 18% | 13% | 15% | 15% | 23% | 7% | 16% | 12% | 14% | 16% | 20%
Total | 100% in every column

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Expectation | Employees: Less than 100 | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global entity: Yes | Global entity: No
n= | 41 | 129 | 146 | 84 | 72 | 233 | 51 | 26 | 23 | 222 | 178
Decrease coverage | 0% | 0% | 1% | 1% | 0% | <1% | 0% | 4% | 0% | 1% | 0%
Maintain current coverage | 66% | 62% | 52% | 61% | 69% | 59% | 51% | 35% | 61% | 56% | 61%
Increase coverage | 17% | 26% | 31% | 21% | 17% | 28% | 29% | 35% | 17% | 27% | 25%
Don't know/Not sure | 17% | 12% | 16% | 17% | 14% | 12% | 20% | 27% | 22% | 16% | 14%
Total | 100% in every column

Does your organization have mandatory training on cybersecurity for all employees?

Respondents are split over mandatory cybersecurity training at their place of work. Forty-five percent report they have mandatory training at their workplace for all employees, and 49 percent report there is no such training. About half of those in the US report there is mandatory cybersecurity training at their office. This is a significantly higher percentage than in other regions. Companies with the highest revenues, most employees, and largest law departments are more likely to have mandatory training.

MANDATORY CYBERSECURITY TRAINING FOR ALL EMPLOYEES

Yes: 45%
No: 49%
Don’t know/Not sure: 7%

(Cont'd) Does your organization have mandatory training on cybersecurity for all employees?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Mandatory training | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | Region: US | Canada | EMEA | Asia Pacific | Revenue: <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 863 | 669 | 191 | 260 | 503 | 635 | 34 | 48 | 88 | 257 | 170 | 198 | 139
Yes | 45% | 43% | 51% | 47% | 42% | 48% | 29% | 35% | 31% | 40% | 42% | 48% | 54%
No | 49% | 51% | 40% | 46% | 52% | 46% | 59% | 58% | 61% | 52% | 54% | 46% | 40%
Don't know/Not sure | 7% | 6% | 9% | 7% | 7% | 6% | 12% | 6% | 8% | 7% | 4% | 6% | 6%
Total | 100% in every column

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Mandatory training | Employees: Less than 100 | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global entity: Yes | Global entity: No
n= | 121 | 215 | 286 | 228 | 158 | 446 | 113 | 58 | 85 | 489 | 363
Yes | 31% | 47% | 44% | 51% | 28% | 45% | 52% | 48% | 62% | 44% | 45%
No | 62% | 48% | 50% | 41% | 67% | 48% | 39% | 48% | 29% | 48% | 49%
Don't know/Not sure | 7% | 6% | 6% | 8% | 5% | 7% | 9% | 3% | 8% | 7% | 6%
Total | 100% in every column

How does your organization evaluate company preparedness at the employee level? (Select all that apply)

While 45 percent say mandatory training is in place, fewer are able to say whether employees understand or know how to respond to a threat. One in three in-house counsel report that their company tracks attendance for mandatory training as a means to evaluate preparedness at the employee level, while 19 percent test knowledge acquired during mandatory training. Seventeen percent report their company conducts mock security events. Forty-four percent of CLOs/GC do not know what efforts their organization undertakes to evaluate company preparedness. Those in smaller law departments and in companies with fewer employees have the highest percentage of in-house counsel without direct knowledge of this topic, indicating legal may not play a significant role in this matter in these departments.

HOW DOES YOUR ORGANIZATION EVALUATE COMPANY PREPAREDNESS AT THE EMPLOYEE LEVEL?

Track mandatory training requirement and attendance for all employees: 33%
Test employees’ knowledge of mandatory training: 19%
Hold mock security event: 17%
Conduct tabletop exercises: 12%
Review disciplinary actions for violations: 9%
Other, please specify: 4%
Don’t know/Not sure: 43%

(Cont'd) How does your organization evaluate company preparedness at the employee level? (Select all that apply)

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Evaluation method | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | Region: US | Canada | EMEA | Asia Pacific | Revenue: <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 914 | 705 | 204 | 263 | 529 | 672 | 35 | 50 | 92 | 275 | 174 | 207 | 144
Hold mock security event | 17% | 18% | 17% | 22% | 14% | 18% | 6% | 22% | 23% | 11% | 14% | 25% | 28%
Test employees' knowledge of mandatory training | 19% | 19% | 20% | 24% | 18% | 20% | 17% | 16% | 15% | 17% | 14% | 22% | 32%
Review disciplinary actions for violations | 9% | 8% | 11% | 13% | 7% | 8% | 3% | 18% | 11% | 6% | 10% | 11% | 13%
Track mandatory training requirement and attendance for all employees | 33% | 32% | 36% | 41% | 29% | 35% | 31% | 26% | 29% | 29% | 29% | 37% | 40%
Conduct tabletop exercises | 12% | 11% | 15% | 15% | 11% | 12% | 14% | 8% | 11% | 6% | 11% | 16% | 22%
Other, please specify | 4% | 4% | 3% | 2% | 4% | 4% | 6% | 2% | 3% | 4% | 6% | 4% | 1%
Don't know/Not sure | 43% | 44% | 39% | 34% | 46% | 42% | 49% | 48% | 47% | 48% | 45% | 36% | 33%

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Evaluation method | Employees: Less than 100 | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global entity: Yes | Global entity: No
n= | 136 | 227 | 298 | 237 | 167 | 473 | 119 | 61 | 88 | 513 | 383
Hold mock security event | 7% | 14% | 18% | 26% | 8% | 15% | 23% | 33% | 28% | 19% | 15%
Test employees' knowledge of mandatory training | 13% | 20% | 16% | 27% | 13% | 16% | 24% | 28% | 40% | 19% | 20%
Review disciplinary actions for violations | 4% | 4% | 13% | 9% | 2% | 10% | 8% | 8% | 14% | 7% | 10%
Track mandatory training requirement and attendance for all employees | 26% | 32% | 34% | 38% | 20% | 34% | 34% | 39% | 48% | 30% | 36%
Conduct tabletop exercises | 4% | 8% | 11% | 21% | 3% | 10% | 18% | 25% | 25% | 12% | 13%
Other, please specify | 4% | 3% | 5% | 3% | 2% | 3% | 8% | 5% | 0% | 4% | 4%
Don't know/Not sure | 50% | 44% | 41% | 37% | 57% | 43% | 35% | 33% | 28% | 46% | 39%

Has your organization retained a forensic company to assist you should a breach occur?One in four in-house counsel say their organization has retained a forensic company to assist in the event of a data breach. Lawyers working in the US and companies with US $3 billion or more in annual revenue were the most likely to have a forensic company on retainer. Companies with fewer than 100 employees were the least likely to have retained a forensic company.

ORGANIZATION RETAINING A FORENSIC COMPANY IN CASE OF A BREACH

Yes: 24%
No: 57%
Don’t know/Not sure: 19%

(Cont'd) Has your organization retained a forensic company to assist you should a breach occur?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Forensic company retained | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | Region: US | Canada | EMEA | Asia Pacific | Revenue: <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 844 | 659 | 182 | 252 | 497 | 629 | 32 | 45 | 83 | 258 | 167 | 190 | 132
Yes | 24% | 25% | 22% | 37% | 17% | 26% | 19% | 20% | 18% | 15% | 22% | 30% | 42%
No | 57% | 61% | 41% | 45% | 64% | 59% | 56% | 58% | 48% | 73% | 69% | 50% | 28%
Don't know/Not sure | 19% | 14% | 37% | 18% | 19% | 16% | 25% | 22% | 34% | 12% | 9% | 20% | 30%
Total | 100% in every column

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Forensic company retained | Employees: Less than 100 | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global entity: Yes | Global entity: No
n= | 126 | 209 | 278 | 218 | 161 | 440 | 104 | 56 | 81 | 471 | 359
Yes | 10% | 17% | 27% | 36% | 14% | 22% | 30% | 39% | 41% | 27% | 21%
No | 83% | 68% | 55% | 34% | 80% | 63% | 47% | 27% | 14% | 51% | 66%
Don't know/Not sure | 7% | 14% | 18% | 30% | 6% | 16% | 23% | 34% | 46% | 22% | 14%
Total | 100% in every column

Has your organization retained outside counsel to assist you should a breach occur?

One in three in-house counsel work in an organization that retains outside counsel to assist in the event of a breach. Lawyers who have worked or currently work in a company that experienced a breach are far more likely to say their organization has retained outside counsel (44 percent) compared with those who have not directly experienced a breach (26 percent). In-house lawyers in the US are more likely to have retained outside counsel for this purpose than those in all other regions. Lawyers in larger law departments, in larger companies as determined by annual company revenue and number of employees, and in domestically focused companies (as opposed to global) all have a higher percentage of lawyers who report that their company retains outside counsel to help in the event of a breach.

ORGANIZATION RETAINS OUTSIDE COUNSEL IN CASE OF BREACH

Yes: 33%
No: 58%
Don’t know/Not sure: 9%

(Cont'd) Has your organization retained outside counsel to assist you should a breach occur?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Outside counsel retained | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | Region: US | Canada | EMEA | Asia Pacific | Revenue: <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 850 | 664 | 182 | 248 | 501 | 635 | 31 | 44 | 84 | 264 | 165 | 189 | 130
Yes | 33% | 33% | 35% | 44% | 26% | 35% | 29% | 23% | 26% | 22% | 35% | 40% | 48%
No | 58% | 63% | 40% | 50% | 65% | 58% | 65% | 61% | 64% | 73% | 62% | 52% | 36%
Don't know/Not sure | 9% | 4% | 25% | 6% | 9% | 8% | 6% | 16% | 10% | 5% | 2% | 7% | 15%
Total | 100% in every column

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Outside counsel retained | Employees: Less than 100 | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global entity: Yes | Global entity: No
n= | 127 | 215 | 281 | 214 | 160 | 446 | 108 | 56 | 77 | 474 | 362
Yes | 13% | 26% | 37% | 49% | 15% | 32% | 47% | 52% | 48% | 36% | 29%
No | 83% | 68% | 57% | 36% | 82% | 62% | 45% | 27% | 26% | 53% | 65%
Don't know/Not sure | 5% | 6% | 6% | 16% | 3% | 6% | 7% | 21% | 26% | 11% | 6%
Total | 100% in every column

How frequently does the legal department brief the board of directors on the subject of cybersecurity?

Most in-house counsel report that their legal department briefs the board of directors on cybersecurity on an ad-hoc basis. One in five GC/CLOs say the department never updates the board of directors. A slightly higher percentage of in-house lawyers in the US say they brief the board on a regular basis (yearly or quarterly) than those in other regions.

FREQUENCY LEGAL DEPARTMENT BRIEFS BOARD OF DIRECTORS ON CYBERSECURITY

Never: 19%
Weekly: 0%
Monthly: 1%
Quarterly: 11%
Yearly: 11%
Ad hoc (as needed): 40%
Other - please specify: 4%
Don’t know/Not sure: 14%

(Cont'd) How frequently does the legal department brief the board of directors on the subject of cybersecurity?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Briefing frequency | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | Region: US | Canada | EMEA | Asia Pacific | Revenue: <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 858 | 662 | 192 | 255 | 503 | 634 | 34 | 46 | 85 | 261 | 166 | 197 | 138
Never | 19% | 20% | 16% | 17% | 22% | 19% | 26% | 17% | 22% | 26% | 20% | 13% | 12%
Weekly | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
Monthly | 1% | 1% | 0% | 1% | 1% | 1% | 0% | 2% | 4% | 1% | 1% | 1% | 1%
Quarterly | 11% | 11% | 13% | 13% | 9% | 13% | 9% | 2% | 8% | 7% | 12% | 18% | 12%
Yearly | 11% | 12% | 6% | 15% | 10% | 12% | 6% | 9% | 4% | 8% | 16% | 14% | 10%
Ad hoc (as needed) | 40% | 44% | 27% | 36% | 42% | 39% | 32% | 43% | 44% | 47% | 44% | 37% | 28%
Other, please specify | 4% | 5% | 3% | 5% | 4% | 4% | 9% | 7% | 2% | 3% | 4% | 5% | 7%
Don't know/Not sure | 14% | 7% | 36% | 13% | 12% | 12% | 18% | 20% | 16% | 8% | 4% | 13% | 29%
Total | 100% in every column

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Briefing frequency | Employees: Less than 100 | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global entity: Yes | Global entity: No
n= | 127 | 211 | 284 | 224 | 156 | 444 | 111 | 59 | 86 | 483 | 363
Never | 22% | 25% | 22% | 10% | 28% | 22% | 14% | 7% | 3% | 19% | 20%
Weekly | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
Monthly | 1% | 1% | 2% | <1% | 1% | 2% | 0% | 0% | 1% | 1% | 1%
Quarterly | 6% | 9% | 14% | 13% | 6% | 11% | 15% | 20% | 9% | 9% | 14%
Yearly | 9% | 13% | 10% | 12% | 10% | 11% | 11% | 15% | 10% | 12% | 9%
Ad hoc (as needed) | 54% | 41% | 39% | 32% | 50% | 41% | 40% | 24% | 27% | 38% | 43%
Other, please specify | 2% | 5% | 4% | 5% | 2% | 3% | 10% | 5% | 5% | 4% | 5%
Don't know/Not sure | 6% | 7% | 11% | 28% | 4% | 10% | 11% | 29% | 44% | 17% | 8%
Total | 100% in every column

Thinking about your role and responsibilities regarding cybersecurity, would you prefer to expand, decrease, or maintain your current level of involvement?

The majority of in-house counsel would like to expand their role and responsibilities when it comes to cybersecurity. Those not in the GC or CLO role were slightly more likely to desire a greater role compared with GC/CLOs.

PREFERENCE REGARDING CYBERSECURITY ROLE AND RESPONSIBILITIES

Decrease role and responsibilities: 4%
Maintain current role and responsibilities: 44%
Increase role and responsibilities: 52%

Thinking about your role and responsibilities regarding cybersecurity, would you prefer to expand, decrease, or maintain your current level of involvement? (Cont'd)

Breakdown by role, breach experience, region, and organization revenue:

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 846 | 655 | 188 | 247 | 495 | 627 | 33 | 47 | 90 | 260 | 164 | 196 | 134
Decrease role and responsibilities | 4% | 3% | 7% | 5% | 3% | 4% | 9% | 2% | 0% | 6% | 4% | 3% | 3%
Maintain current role and responsibilities | 44% | 47% | 36% | 46% | 43% | 44% | 42% | 47% | 47% | 36% | 48% | 51% | 49%
Increase role and responsibilities | 52% | 50% | 57% | 49% | 54% | 52% | 48% | 51% | 53% | 58% | 48% | 46% | 48%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by organization size, law department size, and global status:

Response | <100 employees | 100-499 employees | 500-4,999 employees | 5,000+ employees | Law dept: 1 | Law dept: 2-9 | Law dept: 10-24 | Law dept: 25-49 | Law dept: 50+ | Global entity: Yes | Global entity: No
n= | 124 | 216 | 277 | 219 | 153 | 446 | 107 | 58 | 79 | 478 | 353
Decrease role and responsibilities | 2% | 5% | 3% | 5% | 3% | 5% | 3% | 3% | 3% | 4% | 4%
Maintain current role and responsibilities | 40% | 40% | 47% | 47% | 35% | 46% | 52% | 36% | 51% | 42% | 47%
Increase role and responsibilities | 57% | 55% | 49% | 48% | 63% | 50% | 45% | 60% | 47% | 53% | 49%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Do you expect your legal department's role in cybersecurity to increase, decrease, or stay the same in the next 12 months?

In addition to growth in their individual role, a majority of in-house counsel expect their legal department's role in cybersecurity to increase. Four in 10 believe the department's role will remain the same. Those in larger companies were slightly more likely to say they expect their department's role to grow in the coming year.

EXPECTATIONS OF LEGAL DEPARTMENT'S CYBERSECURITY ROLE OVER THE NEXT YEAR

Increase: 59%
Stay the same: 40%
Decrease: 1%


Do you expect your legal department's role in cybersecurity to increase, decrease, or stay the same in the next 12 months? (Cont'd)

Breakdown by role, breach experience, region, and organization revenue:

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 868 | 674 | 191 | 252 | 508 | 646 | 33 | 48 | 89 | 265 | 164 | 203 | 139
Decrease | 1% | 1% | 2% | 2% | 1% | 1% | 0% | 2% | 0% | 1% | 1% | 2% | 1%
Stay the same | 40% | 42% | 34% | 40% | 41% | 41% | 42% | 40% | 37% | 40% | 43% | 40% | 39%
Increase | 59% | 57% | 65% | 59% | 58% | 58% | 58% | 58% | 63% | 60% | 57% | 58% | 60%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by organization size, law department size, and global status:

Response | <100 employees | 100-499 employees | 500-4,999 employees | 5,000+ employees | Law dept: 1 | Law dept: 2-9 | Law dept: 10-24 | Law dept: 25-49 | Law dept: 50+ | Global entity: Yes | Global entity: No
n= | 125 | 220 | 283 | 229 | 157 | 452 | 116 | 58 | 83 | 488 | 365
Decrease | 0% | 1% | 1% | 1% | 1% | 1% | 3% | 0% | 1% | 1% | 1%
Stay the same | 42% | 42% | 43% | 34% | 40% | 43% | 40% | 34% | 29% | 38% | 43%
Increase | 58% | 57% | 56% | 65% | 59% | 56% | 58% | 66% | 70% | 61% | 56%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


How confident are you that your third-party affiliates/vendors protect you from cybersecurity risks?

Sixty-seven percent of respondents are at least somewhat confident that their third-party affiliates and outside vendors will protect them from cyber risks. Seventeen percent are not at all confident, while 15 percent are unsure. Twenty percent of those who have experienced a breach are not at all confident they will be protected, compared with 15 percent of those who have not experienced a breach. Respondents in the EMEA region are the least confident, with 27 percent not at all confident, while 71 percent of those in Canada say they are at least somewhat confident in being protected. There is not a large degree of variation in confidence in outside vendors across organization revenue, company size, or law department size.

CONFIDENCE THIRD PARTIES ARE PROTECTING COMPANY FROM CYBERSECURITY RISK?

Very confident: 7%
Somewhat confident: 60%
Not at all confident: 17%
Don't know/Not sure: 15%


How confident are you that your third-party affiliates/vendors protect you from cybersecurity risks? (Cont'd)

Breakdown by role, breach experience, region, and organization revenue:

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 851 | 660 | 188 | 252 | 498 | 643 | 34 | 49 | 85 | 263 | 168 | 188 | 133
Not at all confident | 17% | 16% | 19% | 20% | 15% | 17% | 21% | 27% | 11% | 15% | 21% | 16% | 19%
Somewhat confident | 60% | 62% | 54% | 60% | 61% | 60% | 65% | 53% | 62% | 62% | 57% | 59% | 62%
Very confident | 7% | 7% | 8% | 6% | 9% | 8% | 6% | 4% | 6% | 8% | 9% | 6% | 6%
Don't know/Not sure | 15% | 15% | 19% | 14% | 15% | 14% | 9% | 16% | 21% | 15% | 13% | 19% | 13%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by organization size, law department size, and global status:

Response | <100 employees | 100-499 employees | 500-4,999 employees | 5,000+ employees | Law dept: 1 | Law dept: 2-9 | Law dept: 10-24 | Law dept: 25-49 | Law dept: 50+ | Global entity: Yes | Global entity: No
n= | 125 | 220 | 274 | 220 | 159 | 443 | 111 | 58 | 77 | 475 | 365
Not at all confident | 14% | 17% | 18% | 18% | 21% | 14% | 21% | 24% | 14% | 19% | 15%
Somewhat confident | 64% | 65% | 55% | 60% | 60% | 62% | 54% | 60% | 60% | 60% | 60%
Very confident | 8% | 6% | 8% | 8% | 6% | 8% | 8% | 7% | 6% | 6% | 9%
Don't know/Not sure | 14% | 12% | 19% | 14% | 12% | 16% | 17% | 9% | 19% | 15% | 15%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


How confident are you that the outside law firms your company employs are appropriately managing the security of client data?

Seventy-four percent of respondents are at least somewhat confident that their outside law firms are appropriately managing their data security. Ten percent are not at all confident, and 15 percent are unsure. Among those who have experienced a data breach, 14 percent are not at all confident, compared with 9 percent of those who have not experienced a data breach. Eighteen percent of respondents in the EMEA region are not at all confident, while only 1 percent report this lack of confidence in the Asia Pacific region. A higher percentage of respondents in higher-revenue and larger companies report this lack of confidence in their outside law firms' data management.

CONFIDENCE YOUR OUTSIDE LAW FIRMS ARE APPROPRIATELY MANAGING CLIENTS' DATA SECURITY?

Very confident: 22%
Somewhat confident: 52%
Not at all confident: 10%
Don't know/Not sure: 15%


How confident are you that the outside law firms your company employs are appropriately managing the security of client data? (Cont'd)

Breakdown by role, breach experience, region, and organization revenue:

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 815 | 634 | 178 | 244 | 471 | 607 | 35 | 49 | 83 | 236 | 161 | 187 | 133
Not at all confident | 10% | 10% | 10% | 14% | 9% | 11% | 14% | 18% | 1% | 10% | 9% | 11% | 14%
Somewhat confident | 52% | 53% | 51% | 54% | 50% | 54% | 43% | 47% | 47% | 50% | 58% | 53% | 49%
Very confident | 22% | 22% | 22% | 20% | 24% | 20% | 26% | 24% | 35% | 22% | 20% | 20% | 24%
Don't know/Not sure | 15% | 15% | 16% | 12% | 17% | 15% | 17% | 10% | 17% | 19% | 13% | 16% | 13%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by organization size, law department size, and global status:

Response | <100 employees | 100-499 employees | 500-4,999 employees | 5,000+ employees | Law dept: 1 | Law dept: 2-9 | Law dept: 10-24 | Law dept: 25-49 | Law dept: 50+ | Global entity: Yes | Global entity: No
n= | 112 | 205 | 266 | 219 | 143 | 425 | 109 | 57 | 78 | 470 | 333
Not at all confident | 9% | 8% | 10% | 13% | 12% | 8% | 10% | 19% | 12% | 11% | 9%
Somewhat confident | 51% | 56% | 50% | 52% | 51% | 52% | 54% | 60% | 51% | 51% | 54%
Very confident | 24% | 23% | 20% | 22% | 22% | 23% | 23% | 11% | 24% | 22% | 22%
Don't know/Not sure | 16% | 14% | 19% | 12% | 15% | 17% | 13% | 11% | 13% | 15% | 15%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Are third parties, such as vendors/agents, required to notify you of cybersecurity risks/breaches that they experience?

Sixty-one percent of respondents say that third parties are required to notify them if they become aware of a breach. Fifteen percent say third parties are not required to notify them. Regionally, the highest percentage of respondents requiring notification were from the US (64 percent), while the lowest came from the EMEA region with 40 percent. Fifty-seven percent of respondents who work for companies that conduct business internationally require notification, compared with 66 percent of those in companies that are not global entities. Larger organizations and those with higher revenues also tend to have a slightly higher percentage of respondents saying they require notification.

THIRD PARTIES REQUIRED TO NOTIFY YOU OF CYBERSECURITY RISKS/BREACHES THEY EXPERIENCE?

Yes: 61%
No: 15%
Don't know/Not sure: 24%


Are third parties, such as vendors/agents, required to notify you of cybersecurity risks/breaches that they experience? (Cont'd)

Breakdown by role, breach experience, region, and organization revenue:

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 849 | 656 | 190 | 248 | 500 | 638 | 34 | 48 | 85 | 263 | 163 | 189 | 136
Yes | 61% | 61% | 63% | 65% | 59% | 64% | 56% | 40% | 56% | 60% | 63% | 65% | 65%
No | 15% | 16% | 12% | 13% | 17% | 13% | 18% | 25% | 22% | 14% | 20% | 15% | 10%
Don't know/Not sure | 24% | 23% | 25% | 22% | 24% | 24% | 26% | 35% | 21% | 26% | 17% | 20% | 24%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by organization size, law department size, and global status:

Response | <100 employees | 100-499 employees | 500-4,999 employees | 5,000+ employees | Law dept: 1 | Law dept: 2-9 | Law dept: 10-24 | Law dept: 25-49 | Law dept: 50+ | Global entity: Yes | Global entity: No
n= | 131 | 213 | 272 | 222 | 157 | 443 | 108 | 58 | 79 | 476 | 361
Yes | 53% | 63% | 63% | 64% | 50% | 64% | 58% | 64% | 68% | 57% | 66%
No | 17% | 13% | 17% | 10% | 19% | 15% | 14% | 12% | 4% | 16% | 14%
Don't know/Not sure | 31% | 24% | 20% | 26% | 31% | 20% | 28% | 24% | 28% | 27% | 20%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Have you ever terminated a contractual relationship because of cybersecurity risks?

Eleven percent of respondents report terminating a contractual relationship due to cybersecurity risks. The vast majority (71 percent) have not, while 18 percent are unsure. A higher percentage of those who have experienced a data breach report that they have terminated a contractual relationship due to cyber concerns (16 percent) than those who have not experienced a breach (9 percent). More respondents in the US have terminated a contract (13 percent) than those in the Asia Pacific region (4 percent). Respondents in companies with higher revenues also tend to be more likely to have terminated a contract due to cyber concerns than those in lower-revenue organizations.

EVER TERMINATED CONTRACTUAL RELATIONSHIP DUE TO CYBERSECURITY RISKS?

Yes: 11%
No: 71%
Don't know/Not sure: 18%


Have you ever terminated a contractual relationship because of cybersecurity risks? (Cont'd)

Breakdown by role, breach experience, region, and organization revenue:

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 844 | 655 | 186 | 251 | 498 | 639 | 33 | 47 | 84 | 263 | 162 | 190 | 133
Yes | 11% | 11% | 11% | 16% | 9% | 13% | 6% | 9% | 4% | 9% | 12% | 12% | 15%
No | 71% | 74% | 60% | 62% | 78% | 70% | 79% | 66% | 74% | 82% | 81% | 71% | 49%
Don't know/Not sure | 18% | 15% | 30% | 22% | 14% | 17% | 15% | 26% | 23% | 9% | 7% | 17% | 36%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by organization size, law department size, and global status:

Response | <100 employees | 100-499 employees | 500-4,999 employees | 5,000+ employees | Law dept: 1 | Law dept: 2-9 | Law dept: 10-24 | Law dept: 25-49 | Law dept: 50+ | Global entity: Yes | Global entity: No
n= | 127 | 212 | 272 | 221 | 157 | 440 | 108 | 58 | 77 | 474 | 358
Yes | 6% | 10% | 13% | 12% | 6% | 11% | 10% | 17% | 16% | 9% | 13%
No | 86% | 81% | 71% | 55% | 86% | 75% | 67% | 50% | 35% | 71% | 72%
Don't know/Not sure | 9% | 8% | 17% | 33% | 8% | 13% | 23% | 33% | 49% | 20% | 15%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Have you ever terminated a pending merger/acquisition because of cybersecurity risks?

Only 1 percent of respondents report ever terminating a pending merger or acquisition due to cybersecurity risks. Eighty-nine percent say they have not, while 11 percent are unsure. There is little variation across regions, organizational revenue, company size, or department size.

EVER TERMINATED PENDING MERGER/ACQUISITION DUE TO CYBERSECURITY RISKS?

Yes: 1%
No: 89%
Don't know/Not sure: 11%


Have you ever terminated a pending merger/acquisition because of cybersecurity risks? (Cont'd)

Breakdown by role, breach experience, region, and organization revenue:

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 836 | 650 | 183 | 245 | 495 | 631 | 33 | 46 | 84 | 257 | 162 | 188 | 133
Yes | 1% | 1% | 1% | <1% | 1% | 1% | 0% | 2% | 2% | 1% | 0% | 1% | 2%
No | 89% | 92% | 75% | 90% | 91% | 90% | 82% | 87% | 86% | 94% | 96% | 93% | 71%
Don't know/Not sure | 11% | 7% | 25% | 9% | 9% | 10% | 18% | 11% | 12% | 5% | 4% | 6% | 27%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by organization size, law department size, and global status:

Response | <100 employees | 100-499 employees | 500-4,999 employees | 5,000+ employees | Law dept: 1 | Law dept: 2-9 | Law dept: 10-24 | Law dept: 25-49 | Law dept: 50+ | Global entity: Yes | Global entity: No
n= | 124 | 210 | 271 | 219 | 158 | 433 | 106 | 57 | 79 | 473 | 352
Yes | 1% | 1% | 0% | 2% | 1% | <1% | 0% | 0% | 5% | 1% | <1%
No | 95% | 94% | 92% | 77% | 93% | 94% | 87% | 82% | 57% | 87% | 92%
Don't know/Not sure | 4% | 5% | 8% | 21% | 6% | 5% | 13% | 18% | 38% | 12% | 8%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Is your company allocating more, less, or the same amount of (company) budget to cybersecurity compared with one year ago?

Fifty-three percent of respondents say that their company is allocating more of its budget toward cybersecurity than one year ago. Twenty-five percent are maintaining the same spend, 1 percent are decreasing their budget allocation, and 20 percent are unsure. Fifty-seven percent of respondents who have experienced a breach say their company is allocating more money, compared with 51 percent of those who have not experienced a breach. The highest percentage of respondents saying their company is allocating more money toward cybersecurity come from the US with 56 percent, while the lowest percentage come from the Asia Pacific region with 40 percent. The smallest organizations and law departments are the least likely to report an increase: 35 percent of respondents in companies with fewer than 100 employees say more budget is being allocated, compared with 55 to 58 percent in larger companies, and 42 percent of those in one-person law departments, compared with 53 to 67 percent in larger departments. The share reporting more budget also rises with revenue, from 50 percent in organizations under $100 million to 59 percent in those with $3 billion or more; the smallest organizations are instead the most likely to report the same spend as a year ago.

IS YOUR COMPANY ALLOCATING MORE, LESS, OR THE SAME AMOUNT OF (COMPANY) BUDGET TO CYBERSECURITY COMPARED WITH ONE YEAR AGO?

More: 53%
Same: 25%
Less: 1%
Don't know/Not sure: 20%


Is your company allocating more, less, or the same amount of (company) budget to cybersecurity compared with one year ago? (Cont'd)

Breakdown by role, breach experience, region, and organization revenue:

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 859 | 667 | 189 | 254 | 502 | 652 | 34 | 47 | 83 | 266 | 167 | 195 | 138
Less | 1% | 1% | 2% | 1% | 1% | 1% | 0% | 4% | 0% | 1% | 1% | 0% | 4%
Same | 25% | 28% | 18% | 22% | 29% | 26% | 26% | 15% | 27% | 34% | 29% | 22% | 12%
More | 53% | 56% | 45% | 57% | 51% | 56% | 47% | 51% | 40% | 50% | 57% | 56% | 59%
Don't know/Not sure | 20% | 16% | 35% | 20% | 20% | 17% | 26% | 30% | 34% | 15% | 13% | 22% | 25%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by organization size, law department size, and global status:

Response | <100 employees | 100-499 employees | 500-4,999 employees | 5,000+ employees | Law dept: 1 | Law dept: 2-9 | Law dept: 10-24 | Law dept: 25-49 | Law dept: 50+ | Global entity: Yes | Global entity: No
n= | 127 | 214 | 278 | 228 | 163 | 441 | 114 | 57 | 81 | 486 | 361
Less | 1% | <1% | 1% | 1% | 0% | 1% | 0% | 2% | 2% | 1% | <1%
Same | 46% | 29% | 21% | 15% | 39% | 28% | 18% | 7% | 9% | 22% | 30%
More | 35% | 57% | 58% | 55% | 42% | 53% | 63% | 67% | 54% | 53% | 53%
Don't know/Not sure | 17% | 13% | 20% | 29% | 19% | 18% | 18% | 25% | 35% | 23% | 17%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Has your law department spend increased as a result of your company's approach to cybersecurity?

Law department spend has not increased for the majority (69 percent) of respondents as a result of their company's approach to cybersecurity. However, larger law departments with 50 or more employees were far more likely to report an increase in spend (33 percent) than respondents in much smaller law departments, where 14 to 21 percent report an increase. The Asia Pacific region had the lowest percentage of respondents reporting an increase in spend (8 percent), while the EMEA region had the highest (31 percent).

LAW DEPARTMENT SPEND INCREASED DUE TO COMPANY'S CYBERSECURITY APPROACH?

Yes: 23%
No: 69%
Don't know/Not sure: 9%


Has your law department spend increased as a result of your company's approach to cybersecurity? (Cont'd)

Breakdown by role, breach experience, region, and organization revenue:

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 854 | 663 | 188 | 252 | 501 | 644 | 34 | 48 | 86 | 264 | 167 | 195 | 137
Yes | 23% | 23% | 23% | 27% | 20% | 25% | 9% | 31% | 8% | 17% | 24% | 28% | 31%
No | 69% | 73% | 54% | 67% | 72% | 67% | 76% | 58% | 83% | 77% | 72% | 67% | 52%
Don't know/Not sure | 9% | 5% | 23% | 6% | 9% | 8% | 15% | 10% | 9% | 6% | 4% | 5% | 17%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by organization size, law department size, and global status:

Response | <100 employees | 100-499 employees | 500-4,999 employees | 5,000+ employees | Law dept: 1 | Law dept: 2-9 | Law dept: 10-24 | Law dept: 25-49 | Law dept: 50+ | Global entity: Yes | Global entity: No
n= | 127 | 213 | 278 | 225 | 162 | 440 | 112 | 58 | 79 | 482 | 360
Yes | 14% | 17% | 27% | 28% | 14% | 21% | 32% | 29% | 33% | 26% | 19%
No | 77% | 77% | 68% | 57% | 81% | 73% | 59% | 55% | 39% | 65% | 74%
Don't know/Not sure | 9% | 5% | 5% | 15% | 6% | 5% | 9% | 16% | 28% | 10% | 7%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Please describe the increase in spend:

Among respondents who reported an increase in spend, 55 percent attributed the increase mainly to outside spend, while 22 percent reported it was mainly inside spend. Growth in inside spend outpaced growth in outside spend in smaller companies with fewer than 100 employees (47 percent compared with 35 percent), while those in companies with 5,000 or more employees reported a much larger increase in outside spend than inside spend (62 percent compared with 17 percent).

HOW WAS THE INCREASE IN SPEND ALLOCATED?

Mainly outside spend: 55%
Mainly inside spend: 22%
Equally split: 23%


Please describe the increase in spend: (Cont'd)

Base: respondents who reported an increase in law department spend.

Breakdown by role, breach experience, region, and organization revenue:

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 185 | 147 | 38 | 67 | 91 | 152 | 3 | 14 | 6 | 42 | 39 | 53 | 39
Mainly outside spend | 55% | 53% | 63% | 58% | 51% | 59% | 33% | 43% | 33% | 48% | 64% | 47% | 64%
Mainly inside spend | 22% | 23% | 16% | 22% | 20% | 22% | 0% | 14% | 33% | 31% | 13% | 26% | 15%
Equally split between inside and outside spend | 23% | 24% | 21% | 19% | 30% | 19% | 67% | 43% | 33% | 21% | 23% | 26% | 21%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by organization size, law department size, and global status:

Response | <100 employees | 100-499 employees | 500-4,999 employees | 5,000+ employees | Law dept: 1 | Law dept: 2-9 | Law dept: 10-24 | Law dept: 25-49 | Law dept: 50+ | Global entity: Yes | Global entity: No
n= | 17 | 33 | 73 | 60 | 20 | 92 | 33 | 16 | 24 | 118 | 66
Mainly outside spend | 35% | 61% | 51% | 62% | 60% | 53% | 55% | 50% | 63% | 53% | 59%
Mainly inside spend | 47% | 21% | 21% | 17% | 20% | 23% | 15% | 31% | 21% | 22% | 20%
Equally split between inside and outside spend | 18% | 18% | 29% | 22% | 20% | 24% | 30% | 19% | 17% | 25% | 21%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Is any portion of your law department's budget dedicated specifically to cybersecurity or related cyber issues?

The vast majority of respondents (83 percent) reported that no portion of their law department budget is dedicated specifically to cybersecurity. A higher percentage of respondents from larger law departments and organizations with higher revenues report having at least some portion of their budget dedicated to cybersecurity, but the majority of respondents in all groups report no such budget allocation. Respondents in the Asia Pacific region are the least likely to report a cyber-related budget allocation, with only 1 percent, while the US had the highest percentage reporting some budget allocation to cyber, with 11 percent.

ANY PORTION OF LAW DEPARTMENT BUDGET DEDICATED TO CYBERSECURITY?

Yes: 10%
No: 83%
Don't know/Not sure: 7%


(Cont’d) Is any portion of your law department’s budget dedicated specifically to cybersecurity or related cyber issues?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 853 | 662 | 188 | 250 | 500 | 646 | 34 | 47 | 85 | 263 | 168 | 195 | 137
Yes | 10% | 8% | 14% | 11% | 8% | 11% | 3% | 4% | 1% | 6% | 10% | 10% | 20%
No | 83% | 90% | 62% | 83% | 85% | 81% | 88% | 89% | 94% | 91% | 88% | 84% | 64%
Don't know/Not sure | 7% | 2% | 24% | 6% | 6% | 7% | 9% | 6% | 5% | 3% | 2% | 6% | 16%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 127 | 212 | 277 | 225 | 160 | 440 | 110 | 59 | 80 | 483 | 356
Yes | 7% | 6% | 9% | 16% | 4% | 8% | 11% | 25% | 16% | 11% | 7%
No | 91% | 91% | 86% | 69% | 94% | 88% | 80% | 63% | 58% | 80% | 88%
Don't know/Not sure | 2% | 3% | 5% | 14% | 2% | 4% | 9% | 12% | 26% | 8% | 5%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Who in your organization is the first executive officer to be notified once a breach is discovered?

Twenty-six percent of respondents listed their CIO as the first executive officer to be notified in times of a breach, followed by the president/chief executive officer (CEO) with 23 percent. These two positions are generally the first two to be notified regardless of department size, revenue, and region.

FIRST EXECUTIVE OFFICER TO BE NOTIFIED WHEN BREACH DISCOVERED

Chief Information Officer (CIO): 26%
President/Chief Executive Officer (CEO): 23%
Chief Information Security Officer (CISO): 9%
A vice president in your company: 9%
Chief Compliance Officer: 4%
Chief Security Officer (CSO): 3%
Chief Privacy Officer (CPO): 3%
Chief Financial Officer (CFO): 2%
Chief Technology Officer (CTO): 2%
Chief Risk Officer (CRO): 1%
Chief Communications Officer (CCO): <1%
Board-level committee devoted to cybersecurity: <1%
Other - please specify: 7%
Don’t know/Not sure: 11%


(Cont’d) Who in your organization is the first executive officer to be notified once a breach is discovered?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 856 | 663 | 190 | 255 | 496 | 652 | 35 | 49 | 89 | 263 | 169 | 192 | 136
Chief Information Officer (CIO) | 26% | 26% | 26% | 29% | 25% | 26% | 29% | 16% | 31% | 16% | 30% | 34% | 31%
President/Chief Executive Officer (CEO) | 23% | 25% | 12% | 16% | 27% | 23% | 17% | 24% | 20% | 39% | 22% | 15% | 4%
A vice president in your company | 9% | 9% | 9% | 8% | 9% | 10% | 11% | 10% | 1% | 10% | 13% | 6% | 7%
Chief Information Security Officer (CISO) | 9% | 8% | 11% | 11% | 7% | 9% | 3% | 22% | 6% | 4% | 7% | 10% | 21%
Chief Compliance Officer | 4% | 5% | 3% | 5% | 4% | 4% | 3% | 2% | 4% | <1% | 6% | 6% | 3%
Chief Privacy Officer (CPO) | 3% | 3% | 4% | 3% | 3% | 3% | 9% | 2% | 3% | 4% | 2% | 3% | 3%
Chief Security Officer (CSO) | 3% | 3% | 3% | 3% | 2% | 3% | 0% | 6% | 1% | 3% | 1% | 4% | 5%
Chief Technology Officer (CTO) | 2% | 2% | 0% | 2% | 2% | 2% | 6% | 0% | 1% | 3% | 2% | 1% | 0%
Chief Financial Officer (CFO) | 2% | 2% | 1% | 1% | 3% | 2% | 3% | 2% | 6% | 2% | 2% | 4% | 0%
Chief Risk Officer (CRO) | 1% | 1% | 1% | 2% | 1% | 1% | 3% | 0% | 4% | 2% | 0% | 2% | 1%
Board-level committee devoted to cybersecurity | <1% | 1% | 0% | 1% | <1% | <1% | 0% | 2% | 1% | 1% | 0% | 1% | 0%
Chief Communications Officer (CCO) | <1% | <1% | 1% | 0% | 1% | <1% | 0% | 2% | 1% | 1% | 1% | 0% | 0%
Other - please specify | 7% | 7% | 8% | 9% | 6% | 7% | 3% | 4% | 9% | 8% | 8% | 7% | 7%
Don't know/Not sure | 11% | 7% | 22% | 10% | 10% | 10% | 14% | 6% | 10% | 8% | 7% | 8% | 17%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


(Cont’d) Who in your organization is the first executive officer to be notified once a breach is discovered?

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 128 | 214 | 281 | 221 | 159 | 445 | 110 | 59 | 79 | 482 | 361
Chief Information Officer (CIO) | 10% | 22% | 31% | 33% | 11% | 28% | 35% | 36% | 22% | 27% | 24%
President/Chief Executive Officer (CEO) | 55% | 26% | 20% | 4% | 51% | 23% | 8% | 2% | 0% | 18% | 29%
A vice president in your company | 6% | 9% | 12% | 6% | 9% | 10% | 6% | 8% | 6% | 8% | 10%
Chief Information Security Officer (CISO) | 3% | 7% | 7% | 17% | 4% | 6% | 14% | 19% | 23% | 10% | 8%
Chief Compliance Officer | 2% | 3% | 5% | 6% | 1% | 4% | 7% | 5% | 5% | 5% | 3%
Chief Privacy Officer (CPO) | 4% | 3% | 2% | 4% | 1% | 3% | 5% | 2% | 3% | 3% | 3%
Chief Security Officer (CSO) | 0% | 3% | 2% | 5% | 1% | 2% | 4% | 0% | 10% | 4% | 1%
Chief Technology Officer (CTO) | 2% | 3% | 1% | <1% | 3% | 2% | 0% | 0% | 0% | 2% | 1%
Chief Financial Officer (CFO) | 1% | 2% | 3% | 1% | 2% | 3% | 2% | 0% | 0% | 2% | 2%
Chief Risk Officer (CRO) | 1% | 2% | 1% | 1% | 1% | 1% | 1% | 2% | 4% | 1% | 1%
Board-level committee devoted to cybersecurity | 1% | <1% | <1% | <1% | 1% | 1% | 0% | 0% | 0% | <1% | <1%
Chief Communications Officer (CCO) | 2% | <1% | <1% | 0% | 1% | <1% | 1% | 0% | 0% | <1% | 1%
Other - please specify | 5% | 9% | 7% | 7% | 8% | 8% | 4% | 10% | 8% | 7% | 7%
Don't know/Not sure | 8% | 9% | 9% | 15% | 6% | 9% | 13% | 17% | 20% | 11% | 9%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


From whom do you expect to be notified of a data security breach?

When a data breach occurs, 29 percent of respondents expect to be notified by their chief information officer, followed by the president/CEO (12 percent) or their chief information security officer (11 percent). These expectations are generally consistent across law departments, revenue, and region. Eight percent of respondents report not having a single point of contact they expect to be notified by in the event of a data breach.

FROM WHOM DO YOU EXPECT TO BE NOTIFIED OF A DATA BREACH?

Chief Information Officer (CIO): 29%
President/Chief Executive Officer (CEO): 12%
Chief Information Security Officer (CISO): 11%
A vice president in your company: 8%
Privacy/security specialist or manager: 7%
Chief Security Officer (CSO): 5%
Chief Legal Officer (CLO): 4%
Chief Privacy Officer (CPO): 3%
IT Director/Head of IT: 2%
Chief Financial Officer (CFO): 2%
Chief Technology Officer (CTO): 1%
Chief Risk Officer (CRO): 1%
Outside Counsel: <1%
Chief Accounting Officer (CAO): <1%
Other - Write in: 6%
Company does not have a single point of contact in the case of a breach: 8%
Don’t know/Not sure: 3%


(Cont’d) From whom do you expect to be notified of a data security breach?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 858 | 666 | 189 | 252 | 500 | 657 | 34 | 47 | 89 | 263 | 169 | 194 | 134
Chief Accounting Officer (CAO) | <1% | <1% | 0% | <1% | <1% | <1% | 0% | 0% | 0% | 1% | 1% | 0% | 0%
Outside Counsel | <1% | <1% | 1% | 0% | <1% | <1% | 0% | 0% | 0% | 0% | 1% | 0% | 1%
Chief Information Officer (CIO) | 29% | 30% | 24% | 32% | 28% | 29% | 29% | 26% | 29% | 22% | 34% | 38% | 25%
President/Chief Executive Officer (CEO) | 12% | 13% | 6% | 5% | 16% | 12% | 9% | 13% | 10% | 21% | 12% | 4% | 2%
Chief Information Security Officer (CISO) | 11% | 10% | 13% | 12% | 10% | 10% | 6% | 19% | 8% | 5% | 9% | 12% | 20%
A vice president in your company | 8% | 8% | 6% | 9% | 7% | 9% | 9% | 9% | 0% | 7% | 12% | 8% | 7%
Privacy/security specialist or manager | 7% | 7% | 7% | 10% | 5% | 7% | 6% | 4% | 8% | 7% | 5% | 6% | 10%
Chief Security Officer (CSO) | 5% | 5% | 2% | 4% | 4% | 4% | 3% | 6% | 7% | 4% | 4% | 5% | 7%
Chief Legal Officer (CLO) | 4% | 1% | 14% | 4% | 5% | 4% | 0% | 2% | 4% | 2% | 2% | 7% | 5%
Chief Privacy Officer (CPO) | 3% | 2% | 5% | 5% | 2% | 3% | 9% | 2% | 3% | 2% | 2% | 3% | 7%
Chief Financial Officer (CFO) | 2% | 2% | 1% | 2% | 2% | 1% | 0% | 2% | 2% | 2% | 1% | 2% | 0%
IT Director/Head of IT | 2% | 3% | 0% | 2% | 2% | 2% | 3% | 0% | 0% | 4% | 2% | 1% | 0%
Chief Risk Officer (CRO) | 1% | 1% | 1% | 1% | <1% | 1% | 3% | 0% | 3% | 1% | 1% | 2% | 0%
Chief Technology Officer (CTO) | 1% | 2% | 0% | <1% | 2% | 1% | 3% | 0% | 0% | 2% | 1% | 1% | 0%
Other - Write in | 6% | 6% | 6% | 7% | 5% | 5% | 6% | 6% | 11% | 8% | 5% | 5% | 5%
Company does not have a single point of contact in the case of a breach | 8% | 8% | 9% | 6% | 8% | 8% | 9% | 9% | 10% | 9% | 9% | 7% | 5%
Don't know/Not sure | 3% | 2% | 6% | 2% | 2% | 2% | 6% | 2% | 3% | 2% | 1% | 2% | 5%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


(Cont’d) From whom do you expect to be notified of a data security breach?

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 129 | 214 | 282 | 221 | 160 | 447 | 111 | 58 | 78 | 481 | 364
Chief Accounting Officer (CAO) | 1% | 1% | 0% | 0% | 1% | <1% | 0% | 0% | 0% | <1% | <1%
Outside Counsel | 0% | 0% | 1% | 0% | 1% | <1% | 0% | 0% | 0% | <1% | <1%
Chief Information Officer (CIO) | 13% | 29% | 34% | 32% | 21% | 30% | 42% | 28% | 18% | 31% | 26%
President/Chief Executive Officer (CEO) | 36% | 12% | 7% | 3% | 34% | 8% | 4% | 2% | 1% | 10% | 14%
Chief Information Security Officer (CISO) | 4% | 9% | 11% | 17% | 5% | 9% | 15% | 26% | 18% | 11% | 10%
A vice president in your company | 7% | 7% | 10% | 6% | 8% | 9% | 5% | 5% | 8% | 7% | 9%
Privacy/security specialist or manager | 5% | 8% | 8% | 5% | 3% | 9% | 5% | 9% | 6% | 7% | 7%
Chief Security Officer (CSO) | 1% | 5% | 4% | 7% | 1% | 4% | 6% | 3% | 12% | 5% | 4%
Chief Legal Officer (CLO) | 2% | 2% | 5% | 5% | 1% | 4% | 5% | 5% | 10% | 5% | 3%
Chief Privacy Officer (CPO) | 2% | 2% | 2% | 6% | 1% | 3% | 5% | 3% | 5% | 2% | 4%
Chief Financial Officer (CFO) | 1% | 4% | 1% | 1% | 1% | 2% | 1% | 0% | 0% | 1% | 2%
IT Director/Head of IT | 5% | 3% | 1% | 0% | 4% | 2% | 0% | 0% | 0% | 1% | 3%
Chief Risk Officer (CRO) | 1% | 1% | 1% | <1% | 1% | <1% | 2% | 0% | 3% | 1% | 1%
Chief Technology Officer (CTO) | 2% | 1% | 1% | <1% | 1% | 2% | 0% | 0% | 0% | 2% | 1%
Other - Write in | 8% | 6% | 6% | 5% | 8% | 6% | 2% | 9% | 6% | 6% | 6%
Company does not have a single point of contact in the case of a breach | 12% | 8% | 6% | 7% | 9% | 9% | 5% | 9% | 3% | 7% | 9%
Don't know/Not sure | 2% | 1% | 2% | 5% | 1% | 2% | 3% | 2% | 10% | 4% | 1%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Who in your company is the primary point of contact during a breach (including outside counsel)?

Twenty-four percent of respondents say the primary point of contact during a breach is their chief information officer, followed by the president/CEO (10 percent). Again, these points of contact do not dramatically differ across regions or company revenues; however, corporate counsel in smaller companies and law departments are more likely to list the president/CEO as their primary point of contact than the chief information officer. Smaller organizations are less likely to have a CIO on staff, potentially explaining this finding. Fourteen percent of in-house counsel do not have a primary point of contact in their organization during a data breach.

COMPANY PRIMARY POINT OF CONTACT DURING A BREACH

Chief Information Officer (CIO): 24%
President/Chief Executive Officer (CEO): 10%
Chief Information Security Officer (CISO): 9%
A vice president in your company: 7%
GC/CLO: 5%
Chief Security Officer (CSO): 5%
Chief Privacy Officer (CPO): 4%
IT/IT department: 2%
Chief Risk Officer (CRO): 2%
Chief Accounting Officer (CAO): 1%
Board-level committee devoted to cybersecurity: 0.30%
Other - Write in: 7%
Company does not have a single point of contact in the case of a breach: 14%
Don’t know/Not sure: 10%


(Cont’d) Who in your company is the primary point of contact during a breach (including outside counsel)?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 844 | 653 | 188 | 251 | 495 | 641 | 35 | 49 | 88 | 262 | 164 | 193 | 133
Chief Information Officer (CIO) | 24% | 25% | 19% | 25% | 25% | 24% | 23% | 20% | 30% | 19% | 25% | 34% | 22%
President/Chief Executive Officer (CEO) | 10% | 11% | 6% | 6% | 13% | 10% | 9% | 8% | 10% | 17% | 14% | 3% | 3%
Chief Information Security Officer (CISO) | 9% | 8% | 15% | 10% | 8% | 9% | 9% | 16% | 7% | 5% | 6% | 9% | 22%
A vice president in your company | 7% | 8% | 5% | 8% | 7% | 8% | 17% | 4% | 0% | 7% | 12% | 5% | 5%
Chief Security Officer (CSO) | 5% | 5% | 3% | 4% | 4% | 4% | 6% | 8% | 3% | 4% | 2% | 8% | 4%
GC/CLO | 5% | 5% | 3% | 6% | 4% | 5% | 0% | 2% | 3% | 5% | 4% | 6% | 2%
Chief Privacy Officer (CPO) | 4% | 3% | 9% | 4% | 4% | 4% | 6% | 2% | 5% | 3% | 2% | 4% | 8%
Chief Risk Officer (CRO) | 2% | 2% | 2% | 2% | 2% | 2% | 0% | 2% | 2% | 3% | 1% | 2% | 2%
IT/IT department | 2% | 2% | 1% | 1% | 3% | 2% | 0% | 2% | 1% | 5% | 2% | 1% | 0%
Chief Accounting Officer (CAO) | 1% | 1% | 1% | 1% | <1% | 1% | 0% | 0% | 2% | 1% | 1% | 1% | 1%
Board-level committee devoted to cybersecurity | <1% | 1% | 0% | 1% | <1% | <1% | 0% | 0% | 2% | 1% | 0% | 0% | 0%
Other - Write in | 7% | 8% | 6% | 8% | 6% | 7% | 9% | 4% | 10% | 8% | 7% | 7% | 6%
Company does not have a single point of contact in the case of a breach | 14% | 14% | 13% | 15% | 14% | 14% | 14% | 16% | 11% | 16% | 18% | 11% | 11%
Don't know/Not sure | 10% | 8% | 17% | 7% | 9% | 9% | 9% | 14% | 13% | 5% | 5% | 10% | 14%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


(Cont’d) Who in your company is the primary point of contact during a breach (including outside counsel)?

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 126 | 210 | 278 | 219 | 159 | 439 | 108 | 57 | 78 | 478 | 353
Chief Information Officer (CIO) | 11% | 24% | 28% | 27% | 14% | 27% | 31% | 23% | 17% | 25% | 23%
President/Chief Executive Officer (CEO) | 29% | 11% | 6% | 1% | 28% | 9% | 1% | 0% | 1% | 9% | 12%
Chief Information Security Officer (CISO) | 4% | 6% | 9% | 16% | 3% | 6% | 19% | 16% | 19% | 9% | 9%
A vice president in your company | 7% | 8% | 9% | 4% | 6% | 10% | 4% | 2% | 5% | 7% | 7%
Chief Security Officer (CSO) | 0% | 5% | 5% | 6% | 1% | 5% | 5% | 7% | 9% | 5% | 4%
GC/CLO | 4% | 5% | 6% | 2% | 5% | 5% | 4% | 5% | 0% | 4% | 5%
Chief Privacy Officer (CPO) | 5% | 3% | 3% | 6% | 2% | 3% | 6% | 7% | 8% | 3% | 5%
Chief Risk Officer (CRO) | 1% | 2% | 3% | 2% | 3% | 2% | 1% | 2% | 5% | 2% | 1%
IT/IT department | 4% | 5% | 1% | 0% | 4% | 3% | 0% | 2% | 0% | 1% | 3%
Chief Accounting Officer (CAO) | 2% | <1% | <1% | 1% | 1% | 1% | 1% | 0% | 0% | 1% | 1%
Board-level committee devoted to cybersecurity | 2% | <1% | 0% | <1% | 1% | 1% | 0% | 0% | 0% | <1% | <1%
Other - Write in | 8% | 7% | 8% | 7% | 8% | 7% | 7% | 11% | 4% | 7% | 8%
Company does not have a single point of contact in the case of a breach | 18% | 16% | 12% | 13% | 20% | 13% | 14% | 14% | 9% | 16% | 12%
Don't know/Not sure | 5% | 6% | 11% | 15% | 6% | 9% | 8% | 12% | 23% | 10% | 9%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


Does your company collaborate proactively with law enforcement or other governmental agencies to address cybersecurity risks?

Twenty-seven percent of in-house lawyers surveyed work for companies that proactively collaborate with law enforcement to address cybersecurity risks, while 45 percent do not. A much higher percentage of respondents who work in companies with 5,000 or more employees say they proactively collaborate with law enforcement compared with only 17 percent of those in companies with 100 or fewer employees. Respondents in companies with larger revenues are also more likely to report collaboration with law enforcement than those in companies with lower revenues.

COMPANY COLLABORATES WITH LAW ENFORCEMENT/OTHER GOVERNMENTAL AGENCIES TO ADDRESS CYBERSECURITY RISKS?

No: 45%
Yes: 27%
Don’t know/Not sure: 28%


(Cont’d) Does your company collaborate proactively with law enforcement or other governmental agencies to address cybersecurity risks?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 784 | 610 | 171 | 238 | 462 | 596 | 31 | 43 | 83 | 242 | 150 | 181 | 126
Yes | 27% | 27% | 29% | 39% | 21% | 28% | 29% | 21% | 22% | 19% | 24% | 31% | 48%
No | 45% | 48% | 31% | 36% | 51% | 46% | 35% | 49% | 43% | 53% | 60% | 40% | 21%
Don't know/Not sure | 28% | 25% | 40% | 25% | 29% | 26% | 35% | 30% | 35% | 28% | 16% | 29% | 31%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 114 | 193 | 262 | 205 | 149 | 402 | 101 | 54 | 76 | 444 | 329
Yes | 11% | 20% | 32% | 39% | 17% | 24% | 35% | 33% | 54% | 30% | 23%
No | 63% | 53% | 43% | 29% | 64% | 49% | 35% | 28% | 11% | 40% | 52%
Don't know/Not sure | 26% | 27% | 25% | 32% | 19% | 28% | 31% | 39% | 36% | 30% | 25%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


How was the system breached?

Among those who have experienced a data breach, 24 percent report employee error as the main cause, followed by inside job (15 percent) and phishing (12 percent). Respondents in smaller companies overwhelmingly report employee error and inside job as the most common causes of a system breach, while there is wider variation in how a breach occurred reported by in-house counsel in larger companies.

HOW WAS THE SYSTEM BREACHED?

Employee error: 24%
Inside job: 15%
Phishing: 12%
Access through a third party: 12%
Lost laptop/device: 9%
Application vulnerability: 7%
Malware: 7%
Ransomware (CryptoLocker): 1%
Operating system vulnerability: <1%
Other - please specify: 3%
Don’t know/Not sure: 9%


(Cont’d) How was the system breached?

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 232 | 184 | 48 | 232 | 0 | 181 | 7 | 12 | 26 | 59 | 43 | 58 | 50
Employee error | 24% | 27% | 15% | 24% | 0% | 25% | 29% | 25% | 15% | 31% | 26% | 24% | 18%
Inside job | 15% | 14% | 21% | 15% | 0% | 14% | 14% | 8% | 27% | 24% | 9% | 16% | 8%
Access through a third party | 12% | 11% | 15% | 12% | 0% | 12% | 0% | 17% | 15% | 10% | 12% | 7% | 18%
Phishing | 12% | 13% | 8% | 12% | 0% | 13% | 0% | 8% | 12% | 8% | 12% | 12% | 12%
Lost laptop/device | 9% | 9% | 10% | 9% | 0% | 10% | 14% | 8% | 4% | 3% | 9% | 12% | 16%
Malware | 7% | 7% | 10% | 7% | 0% | 8% | 0% | 17% | 0% | 7% | 14% | 7% | 6%
Application vulnerability | 7% | 8% | 4% | 7% | 0% | 7% | 14% | 0% | 15% | 7% | 9% | 14% | 2%
Ransomware (CryptoLocker) | 1% | 1% | 0% | 1% | 0% | 0% | 0% | 0% | 8% | 0% | 2% | 0% | 0%
Operating system vulnerability | <1% | 1% | 0% | <1% | 0% | 1% | 0% | 0% | 0% | 0% | 2% | 0% | 0%
Other - please specify | 3% | 3% | 2% | 3% | 0% | 3% | 14% | 0% | 0% | 3% | 2% | 3% | 2%
Don't know/Not sure | 9% | 7% | 15% | 9% | 0% | 9% | 14% | 17% | 4% | 7% | 2% | 5% | 18%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 19 | 47 | 81 | 80 | 24 | 122 | 29 | 23 | 34 | 133 | 96
Employee error | 32% | 30% | 22% | 21% | 25% | 24% | 24% | 22% | 26% | 21% | 29%
Inside job | 37% | 17% | 11% | 13% | 29% | 14% | 14% | 9% | 15% | 14% | 18%
Access through a third party | 5% | 15% | 11% | 11% | 8% | 14% | 3% | 17% | 12% | 12% | 10%
Phishing | 5% | 9% | 16% | 13% | 8% | 15% | 14% | 9% | 6% | 12% | 11%
Lost laptop/device | 0% | 6% | 10% | 14% | 0% | 10% | 14% | 4% | 15% | 11% | 8%
Malware | 0% | 4% | 10% | 9% | 8% | 7% | 3% | 13% | 9% | 9% | 5%
Application vulnerability | 5% | 6% | 14% | 3% | 4% | 7% | 21% | 4% | 0% | 7% | 8%
Ransomware (CryptoLocker) | 0% | 0% | 1% | 1% | 4% | 1% | 0% | 0% | 0% | 2% | 0%
Operating system vulnerability | 0% | 2% | 0% | 0% | 0% | 1% | 0% | 0% | 0% | 0% | 1%
Other - please specify | 11% | 0% | 2% | 3% | 4% | 2% | 0% | 4% | 3% | 3% | 2%
Don't know/Not sure | 5% | 11% | 2% | 14% | 8% | 6% | 7% | 17% | 15% | 11% | 6%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%


What type of information was compromised during this breach? (Select all that apply)

Of those who experienced a data breach, 44 percent reported that “other personally identifiable information” was compromised during the breach, followed by “email/password/username” with 18 percent and “trade secrets” with 11 percent. Ten percent of respondents were unsure of the type of information compromised. Trade secrets were more commonly reported by lawyers in companies with fewer than 100 employees (30 percent) than those in larger companies (8 to 11 percent). There is not a large degree of variation in the type of information compromised across region, revenue, or law department size.

TYPE OF INFORMATION COMPROMISED DURING THIS BREACH

Other personally identifiable information: 44%
Email/password/username: 18%
Trade secrets: 11%
Credit card/debit card number: 10%
Other - please specify: 9%
Don’t know/Not sure: 10%


(Cont’d) What type of information was compromised during this breach? (Select all that apply)

Columns: Overall; CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $)

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 255 | 202 | 53 | 255 | 0 | 198 | 8 | 13 | 28 | 61 | 44 | 66 | 60
Other personally identifiable information such as address, national identification number/SSN, health information | 44% | 43% | 45% | 44% | 0% | 43% | 63% | 38% | 43% | 39% | 50% | 47% | 38%
Email/password/username | 18% | 19% | 17% | 18% | 0% | 18% | 0% | 15% | 29% | 23% | 20% | 17% | 12%
Trade secrets | 11% | 11% | 8% | 11% | 0% | 10% | 0% | 23% | 14% | 16% | 11% | 9% | 8%
Credit card/debit card number | 10% | 9% | 11% | 10% | 0% | 12% | 13% | 0% | 4% | 8% | 20% | 5% | 12%
Other - please specify | 9% | 9% | 8% | 9% | 0% | 10% | 0% | 8% | 0% | 8% | 18% | 8% | 3%
Don't know/Not sure | 10% | 9% | 11% | 10% | 0% | 10% | 25% | 15% | 4% | 10% | 9% | 8% | 12%

*Multiple response possible. Percentages may sum to greater than 100%.

Columns: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global: Yes | Global: No
n= | 20 | 50 | 87 | 93 | 24 | 130 | 31 | 30 | 40 | 147 | 104
Other personally identifiable information such as address, national identification number/SSN, health information | 35% | 46% | 44% | 43% | 42% | 43% | 55% | 40% | 40% | 38% | 52%
Email/password/username | 20% | 18% | 25% | 12% | 25% | 23% | 6% | 13% | 13% | 18% | 19%
Trade secrets | 30% | 8% | 11% | 8% | 21% | 11% | 6% | 10% | 8% | 14% | 6%
Credit card/debit card number | 10% | 6% | 9% | 12% | 13% | 9% | 10% | 3% | 15% | 10% | 10%
Other - please specify | 0% | 12% | 15% | 3% | 8% | 11% | 10% | 3% | 5% | 10% | 7%
Don't know/Not sure | 10% | 10% | 9% | 10% | 0% | 12% | 3% | 10% | 13% | 11% | 9%

*Multiple response possible. Percentages may sum to greater than 100%.


Was the information that was compromised during the breach encrypted?

Seventeen percent of in-house counsel report that information was compromised despite the data being encrypted. This percentage was markedly higher for law departments consisting of only one lawyer (26 percent) and for companies with fewer than 100 employees (26 percent). There was also a fair degree of variation across regions, with the highest percentage of respondents in Canada reporting compromised information even with data encryption (29 percent). In contrast, only 15 percent of respondents from the EMEA region and 17 percent in the US reported that the information compromised during the data breach was encrypted.

INFORMATION COMPROMISED DURING THIS BREACH ENCRYPTED?

No: 64%
Yes: 17%
Don't know/Not sure: 19%


124 ACC Foundation: The State of Cybersecurity Report, underwritten by Ballard Spahr LLP ©2016 ACC Foundation, All rights reserved.


(Cont'd) Was the information that was compromised during the breach encrypted?

Breakdown by overall, CLO/GC vs. others, whether the respondent has ever experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $).

Response | All responses | CLO/GC | Other title || Breach: Yes | No || US | Canada | EMEA | Asia Pacific || <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 226 | 180 | 46 || 226 | 0 || 177 | 7 | 13 | 23 || 58 | 42 | 56 | 50
Yes | 17% | 18% | 13% || 17% | 0% || 17% | 29% | 15% | 22% || 17% | 17% | 20% | 14%
No | 64% | 66% | 54% || 64% | 0% || 66% | 43% | 54% | 57% || 66% | 76% | 70% | 58%
Don't know/Not sure | 19% | 16% | 33% || 19% | 0% || 18% | 29% | 31% | 22% || 17% | 7% | 11% | 28%

Breakdown by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity.

Response | Employees: <100 | 100-499 | 500-4,999 | 5,000 or more || Law department: 1 employee | 2-9 | 10-24 | 25-49 | 50 or more || Global entity: Yes | No
n= | 19 | 45 | 80 | 77 || 23 | 116 | 28 | 25 | 34 || 131 | 92
Yes | 26% | 24% | 15% | 13% || 26% | 17% | 7% | 20% | 18% || 18% | 16%
No | 53% | 60% | 71% | 62% || 70% | 64% | 79% | 60% | 50% || 59% | 72%
Don't know/Not sure | 21% | 16% | 14% | 25% || 4% | 19% | 14% | 20% | 32% || 24% | 12%


What public notice was legally required as a result of the breach?

Among those who indicated that public notice was required as a result of a data breach, most in-house counsel say those affected, including patients, clients, employees, and consumers, were notified by letter. Several cited notification to states or attorney general offices where required. Web notification is also cited. Some lawyers indicate that no notice was required because of the nature of the breach (employee only) or the small number of people affected. Examples shared by in-house respondents are listed below.

30 days.

Affected individuals, HHS, state regulators.

Certain state notice requirements were satisfied.

Claim at court.

Consumer notice.

Individual notification, publication, regulator notice.

Letter to parties breached.

Letter to policyholders and ID theft protection.

Letters to attorney general’s office.

Local US states notification.

Media distribution, website disclosure.

No mandatory data breach reporting in Australia as yet.

No public notice was required, just individual notice.

Nothing, as we are a private company.

Notice requirements varied by state, and we did not have a size that was eligible for substitute public notice.

Notice to individuals in certain US states.

Notification to affected consumers per state breach notification laws.

OAIC investigation.

Report to privacy commissioner, notify person affected.

Reporting to Office of Civil Rights and Adult Protective Services.

Significant on behalf of the third party.

State law requirements and HIPAA requirements.

Substitute notice by publication nationwide and on all company website home pages.

Varies by state and if feds ask company to delay notice.

We gave public notice regardless of the requirement.

Website.


Were you required to notify a regulatory/governmental body as a result of a breach?

Thirty-one percent of in-house lawyers say they were required to notify a regulatory/governmental body as a result of a breach. Only 16 percent of respondents in organizations with fewer than 100 employees were required to do so, compared with up to 33 percent in larger organizations. Twenty-nine percent of lawyers in organizations generating less than US $100 million in revenue report having to notify a regulatory body, compared with 39 percent in organizations with more than US $3 billion in revenue. Canada had the highest percentage of respondents reporting this requirement (50 percent), while 25 percent of respondents in the EMEA region reported it.

REQUIRED TO NOTIFY REGULATORY/GOVERNMENTAL BODY AS RESULT OF A BREACH?

No: 62%
Yes: 31%
Don't know/Not sure: 6%


(Cont'd) Were you required to notify a regulatory/governmental body as a result of a breach?

Breakdown by overall, CLO/GC vs. others, whether the respondent has ever experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $).

Response | All responses | CLO/GC | Other title || Breach: Yes | No || US | Canada | EMEA | Asia Pacific || <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 235 | 186 | 49 || 235 | 0 || 184 | 8 | 12 | 25 || 59 | 42 | 59 | 54
Yes | 31% | 32% | 29% || 31% | 0% || 31% | 50% | 25% | 28% || 29% | 29% | 27% | 39%
No | 62% | 63% | 57% || 62% | 0% || 61% | 50% | 67% | 72% || 61% | 71% | 69% | 52%
Don't know/Not sure | 6% | 4% | 14% || 6% | 0% || 8% | 0% | 8% | 0% || 10% | 0% | 3% | 9%

Breakdown by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity.

Response | Employees: <100 | 100-499 | 500-4,999 | 5,000 or more || Law department: 1 employee | 2-9 | 10-24 | 25-49 | 50 or more || Global entity: Yes | No
n= | 19 | 46 | 80 | 85 || 23 | 122 | 29 | 23 | 38 || 137 | 96
Yes | 16% | 33% | 33% | 32% || 26% | 30% | 38% | 35% | 34% || 26% | 41%
No | 74% | 59% | 65% | 61% || 65% | 66% | 59% | 61% | 53% || 68% | 53%
Don't know/Not sure | 11% | 9% | 3% | 7% || 9% | 5% | 3% | 4% | 13% || 7% | 6%


What challenges did you face in preserving lawyer-client privilege after the data breach, and how did you navigate these?

In-house counsel mentioned a wide variety of challenges in preserving lawyer-client privilege after a data breach. A frequently cited challenge is controlling the flow of information, both via email and through the outside counsel or forensic experts assisting in the response to the breach.

A sample of challenges cited by in-house counsel is listed below.

All emails, including the legal department emails, were breached — so the obvious concerns about privilege were had, i.e., use of privileged communications in litigation, media, etc.

Challenge is keeping the circle of people who know about the incident during the initial investigation process small and mindful of the privilege.

Controlled investigation. Controlled communication about the matter. Advised internal clients. Difficult to control individual consumer interactions with company personnel on site.

Correspondence with forensic firm and what they had to share with credit card brands.

Data breach response plan addresses communication plan including attorney-client privilege, and it was still challenging.

Dealing with external law firm to manage this risk.

Employees forwarding privileged information to people who should not have it. We specifically note on our privileged documents that they should not be given or forwarded to anyone without our permission.

Ensure that an attorney from the legal department is on the initial strike force/team when a breach occurs.

Having to share forensics reports with credit card companies and various states attorneys general.

Inability to be involved in all technical assessment/evaluation meetings and actions between employees and third-party consultants; we determined that not all information needed to be privileged, but otherwise all reports from third parties were directed to legal for review/distribution.

Investigation was conducted by outside counsel under attorney-client privilege to discover all facts and assess needed response and potential liability. Couldn’t locate laptop to determine if breached by forensics, so had to assume. Not registered or encrypted so couldn’t wipe remotely.

It is difficult because facts aren’t privileged.

IT reported to legal and responded based on privileged advice.

Lack of knowledge in the company as to what lawyer-client privilege is. Took steps to explain.

Legal took over the internal investigation, planning, and briefing and locked down all communications on the subject to try to preserve lawyer-client privilege.

Maintaining privilege with outside forensics investigation, board communications, and law enforcement communications.

Making sure all involved understood process to protect privilege.

Needed to be careful with communications with breach victims; where privilege was an issue, nonlawyer staff made the contact.

Only that I was acting as general counsel and privacy officer. Breach had to be subject to a HIPAA risk assessment to determine if it was reportable to HHS and if patient notification was necessary. This was performed and documented outside of the attorney-client privilege.

Proliferation of internal communications.

The challenge we had to face was exactly to preserve lawyer-client privilege, because the data breach was caused by a former in-house counsel. We navigated through this by filing a suit for NDA violation, and we reported to the local bar ethics committee.

We asserted privilege where possible; did not end up being an issue.

We cooperated fully and did not rely on attorney-client privilege defense.

We weren’t concerned with preserving attorney-client privilege with the breach in question.

Working through outside counsel.


How many people were affected by the breach (including employees, customers, etc.)?

Most breaches affected a small number of individuals, according to in-house counsel who have experienced a data breach: in 46 percent of cases, fewer than 50 people were affected. As one would expect, fewer people tend to be affected in smaller companies and more people in larger companies. Fifty-six percent of respondents in companies with fewer than 100 employees said that fewer than 50 people were affected, compared with 34 percent in companies with 5,000 or more employees.

NUMBER OF PEOPLE AFFECTED BY BREACH

Less than 50: 46%
50 to 99: 5%
100 to 499: 11%
500 to 999: 6%
1,000 to 4,999: 10%
5,000 to 9,999: 1%
10,000 to 49,999: 2%
50,000 to 99,999: 0.3%
100,000 to 499,999: 1%
500,000 to 999,999: 0%
1 million or more: 2%
Don’t know/Not sure: 15%


(Cont'd) How many people were affected by the breach (including employees and customers)?

Breakdown by overall, CLO/GC vs. others, whether the respondent has ever experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $).

Response | All responses | CLO/GC | Other title || Breach: Yes | No || US | Canada | EMEA | Asia Pacific || <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 220 | 175 | 45 || 220 | 0 || 174 | 8 | 10 | 26 || 56 | 41 | 57 | 46
Fewer than 50 | 46% | 47% | 40% || 46% | 0% || 41% | 63% | 70% | 62% || 50% | 51% | 53% | 30%
50 or more | 39% | 38% | 42% || 39% | 0% || 43% | 25% | 10% | 27% || 30% | 44% | 40% | 46%
Don’t know/Not sure | 15% | 14% | 18% || 15% | 0% || 16% | 13% | 20% | 12% || 20% | 5% | 7% | 24%

Breakdown by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity.

Response | Employees: <100 | 100-499 | 500-4,999 | 5,000 or more || Law department: 1 employee | 2-9 | 10-24 | 25-49 | 50 or more || Global entity: Yes | No
n= | 18 | 45 | 76 | 76 || 24 | 115 | 27 | 24 | 30 || 127 | 90
Fewer than 50 | 56% | 53% | 51% | 34% || 42% | 54% | 30% | 50% | 30% || 46% | 47%
50 or more | 28% | 33% | 38% | 47% || 33% | 35% | 56% | 33% | 50% || 35% | 43%
Don’t know/Not sure | 17% | 13% | 11% | 18% || 25% | 11% | 15% | 17% | 20% || 19% | 10%


If the breach has been resolved, how long did it take to resolve? If it has not been resolved, please select that option.

Among in-house counsel who experienced a breach and report that it has been resolved, most say it took a year or less: 80 percent report that the data breach was resolved within one year. Breaches were slightly more time consuming in the EMEA region, where 11 percent of in-house counsel say it took up to two years to resolve the breach.

LENGTH OF TIME IT TOOK TO RESOLVE BREACH

1 year or less: 80%
Within 2 years: 7%
Within 3 years: 1%
Within 4 years: <1%
5 years or more: <1%
Has not been resolved: 3%
Don’t know/Not sure: 9%


(Cont'd) If the breach has been resolved, how long did it take to resolve? If it has not been resolved, please select that option.

Breakdown by overall, CLO/GC vs. others, whether the respondent has ever experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $).

Response | All responses | CLO/GC | Other title || Breach: Yes | No || US | Canada | EMEA | Asia Pacific || <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 225 | 180 | 45 || 225 | 0 || 178 | 7 | 9 | 27 || 56 | 41 | 59 | 47
One year or less | 80% | 82% | 71% || 80% | 0% || 79% | 86% | 67% | 85% || 77% | 83% | 92% | 68%
Within two years | 7% | 7% | 7% || 7% | 0% || 7% | 0% | 11% | 4% || 5% | 10% | 5% | 6%
Within three years | 1% | 1% | 4% || 1% | 0% || 2% | 0% | 0% | 0% || 2% | 2% | 0% | 2%
Within four years | <1% | 1% | 0% || <1% | 0% || 1% | 0% | 0% | 0% || 0% | 2% | 0% | 0%
Five years or more | <1% | 1% | 0% || <1% | 0% || 0% | 0% | 0% | 4% || 0% | 0% | 0% | 0%
Has not been resolved | 3% | 3% | 2% || 3% | 0% || 2% | 14% | 0% | 0% || 5% | 2% | 2% | 2%
Don't know/Not sure | 9% | 7% | 16% || 9% | 0% || 9% | 0% | 22% | 7% || 11% | 0% | 2% | 21%

Breakdown by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity.

Response | Employees: <100 | 100-499 | 500-4,999 | 5,000 or more || Law department: 1 employee | 2-9 | 10-24 | 25-49 | 50 or more || Global entity: Yes | No
n= | 18 | 45 | 80 | 78 || 24 | 116 | 30 | 24 | 31 || 128 | 94
One year or less | 78% | 76% | 86% | 77% || 83% | 81% | 77% | 83% | 71% || 79% | 80%
Within two years | 11% | 7% | 6% | 6% || 0% | 7% | 13% | 0% | 10% || 6% | 7%
Within three years | 0% | 2% | 0% | 1% || 0% | 2% | 3% | 0% | 0% || 1% | 2%
Within four years | 0% | 0% | 1% | 0% || 0% | 1% | 0% | 0% | 0% || 1% | 0%
Five years or more | 0% | 0% | 1% | 0% || 0% | 1% | 0% | 0% | 0% || 0% | 1%
Has not been resolved | 0% | 4% | 3% | 3% || 8% | 3% | 3% | 0% | 0% || 2% | 3%
Don't know/Not sure | 11% | 11% | 3% | 13% || 8% | 6% | 3% | 17% | 19% || 11% | 6%


Please describe what resource was most helpful in managing the breach response.

In-house counsel cite a variety of resources as helpful in managing a data breach, including internal and external IT specialists, outside counsel and forensics experts, internal multidisciplinary teams, and internal chief security officers.

Sample resources cited by in-house counsel are listed below.

A thorough forensics investigation and identification of the appropriate steps for remediation.

Association of Corporate Counsel resources.

Beazley, our insurance carrier, had recommended counsel, credit reporting agencies, forensics, etc. — very good resources, very responsive.

Being open and timely with customer and early engagement to help mitigate.

Chief information security officer/legal.

Chief privacy officer.

Chief security officer.

Chief security officer and local law enforcement.

CISO and internal well-prepared response team, including media relations.

Collaborative effort of IT and HR.

Company’s IT security officer and cyberforensics.

Contacting the vendor who received the information, have him return all material (delete it from his computers), and his CEO signed a confirmation that no information has been retained by his company.

Cooperation of employees in relevant functions.

Cybercrime unit of the US Attorney’s office.

Encryption.

External assistance — appointment of CIO.

External IT providers.

Federal and local authorities.

Forensic consultant and outside law firm.

Forensic data analysis.

Forensic expert advice on future prevention.

Former government employee acting as internal security officer.

Good internal communications and collaboration among various departments.

Great internal systems that identified the breach and addressed the problem immediately; ongoing IT and legal coordination; experienced outside counsel.

Guidelines from the Office of Australian Information Commissioner.

Having an established incident response team.

Having an outside call center for those impacted.

Incident response readiness team that has practiced via tabletop exercises and experienced in-house privacy counsel.

In-house privacy counsel.

Insurance company.

Internal compliance team.

Internal IT security team and trusted security/forensics vendor.

Internal management team.

IT and HR teams.

IT department, outside law enforcement.

IT forensic to identify source and restore firewall with updated username/password.

IT monitoring (software and personnel) and all-hands-on-deck IT response.

Notification service.

Office of Australian Information Commissioner guidelines.

Our incident response team (internal members).

Our legal department’s knowledge and experience in dealing with such incidents.

Outside consultant.

Partnering with our head of corporate security, who himself is related to the FBI contacts.

Secret Service, outside counsel, internal resource.

Skilled forensic technician, who was aided by a special agent from the FBI.

Subject matter experts and a single center point of contact.

The company liquidators.

The information security department as well as local management and operations staff.

The legal department drafted the cybersecurity policy, so we had a good framework on how to deal with the situation.

The vendor took responsibility and ran the response.

Third-party review team to review data diverted and determine if any confidential data was involved.

Utilized experts through our cybersecurity insurance carrier.

Well-managed press release and hotline.

Well-trained privacy officer.


Describe the degree of change (if any) made to your company’s security policies or procedures following the breach.

Three of four in-house counsel who have experienced a data breach say that at least some changes were made to their company’s security policies following the breach. Lawyers in the EMEA region were the most likely to report significant changes after a breach (25 percent), while those in the Asia Pacific region were the most likely to say no changes were made (19 percent).

DEGREE OF CHANGE MADE TO COMPANY’S SECURITY POLICIES POSTBREACH

There were no changes made: 15%
Minimal changes were made: 16%
Moderate changes were made: 41%
Significant changes were made: 17%
Don’t know/Not sure: 12%


(Cont'd) Describe the degree of change (if any) made to your company’s security policies or procedures following the breach.

Breakdown by overall, CLO/GC vs. others, whether the respondent has ever experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $).

Response | All responses | CLO/GC | Other title || Breach: Yes | No || US | Canada | EMEA | Asia Pacific || <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 230 | 180 | 50 || 230 | 0 || 180 | 8 | 12 | 27 || 59 | 42 | 58 | 50
There were no changes made | 15% | 16% | 14% || 15% | 0% || 16% | 13% | 0% | 19% || 14% | 21% | 12% | 14%
Minimal changes were made | 16% | 14% | 20% || 16% | 0% || 17% | 25% | 0% | 11% || 15% | 17% | 16% | 16%
Moderate changes were made | 41% | 43% | 34% || 41% | 0% || 37% | 38% | 58% | 59% || 42% | 33% | 53% | 36%
Significant changes were made | 17% | 18% | 10% || 17% | 0% || 17% | 0% | 25% | 7% || 14% | 21% | 16% | 18%
Don't know/Not sure | 12% | 9% | 22% || 12% | 0% || 12% | 25% | 17% | 4% || 15% | 7% | 3% | 16%

Breakdown by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity.

Response | Employees: <100 | 100-499 | 500-4,999 | 5,000 or more || Law department: 1 employee | 2-9 | 10-24 | 25-49 | 50 or more || Global entity: Yes | No
n= | 19 | 47 | 81 | 79 || 23 | 119 | 29 | 25 | 34 || 133 | 93
There were no changes made | 11% | 15% | 12% | 20% || 17% | 13% | 24% | 24% | 9% || 15% | 15%
Minimal changes were made | 16% | 19% | 17% | 13% || 9% | 19% | 17% | 8% | 12% || 10% | 25%
Moderate changes were made | 58% | 30% | 46% | 38% || 57% | 39% | 28% | 48% | 41% || 47% | 34%
Significant changes were made | 5% | 19% | 17% | 16% || 9% | 17% | 24% | 8% | 21% || 17% | 15%
Don't know/Not sure | 11% | 17% | 7% | 13% || 9% | 12% | 7% | 12% | 18% || 12% | 11%


Please provide examples of changes your company made following the data breach.

Many respondents report that technical changes were made following the data breach. Tightening of access points, encryption, and more controlled access to and storage of records/email are all frequently noted. In addition, several lawyers say enhanced employee training, policy changes, more frequent training exercises, and more stringent contract management were key changes made based on their experience with a data breach.

Sample changes cited by in-house counsel are listed below.

Additional security software, more emphasis on upgrading technology, more stringent user access policies, network segmentation.

Adoption of information security protocols.

All mobile devices inventoried, encryption software installed, all employees re-educated about importance of registering devices, encryption, password protection, prompt notice if device lost or stolen, can now wipe remotely because all devices registered. New policies developed.

Amended the third party system access procedures.

Auditing of obsolete databases, review of effectiveness of vulnerability scanning.

Authentication and encryption for external devices.

Banking protocols were amended.

Better monitoring of relevant external service provider (provides website service).

Changed application that had vulnerability. Took down public access points.

Changed procedures to minimize human error.

Changed security protocol internally and implemented new security procedures for all employees.

Changed vendor, went to point to point credit card system, hired IT security specialist.

Changes were made in how employees processed certain credit card transactions.

Company protocols increased; laptops are encrypted. Conducts phishing exercises.

Delegated authority process was tightened to prevent lone wolf fraud.

Deployment of two-factor authentication; hiring internal security team; addressing on ongoing basis the potential points of risk; employee training.

Developed extensive data security SOPs.

Developed Information Security System. Hired personnel for this purpose. Hired outside security assessment company to conduct audits.

Documents required to be locked up; sensitive documents not retained at all unless necessary.

Dual authentication log-in; additional IT screening and monitoring mechanisms, some employee training (though sporadic), more IT policies for employees.

Employee policies and handbook were updated to clearly state that they had no expectation of privacy in their use of our systems.

Employees were given more training on handling personally identifiable information.

Encrypting at-home devices.

Encryption mandated for all laptops.

Encryption cards and one time passwords, tighter VPN and tighter access to the supercomputer.

Enhanced employee agreements.

Exit audit of materials prior to employees leaving.

Hired new executive to lead/coordinate efforts.

Hiring IT Security expert.

Implementation of new policy on Data Security and Confidentiality. Issue of new Code of Conduct.

Improved server firewalls; implemented regular email tests to employees to reduce risks of phishing succeeding with employees; improved junk filters.

Increase firewall.

Increased education of staff regarding already existing rules; strengthened centralized IT.

Increased penetration testing; two factor authentication; business continuity planning; increased employee communication; increased resources and tools.

Issues related to the management of servers in overseas offices were tightened down, specifically including access. In my role, I am attempting to implement a more permanent and policy-based change that is followed and used on a routine basis.

Logging and monitoring.

Mandatory encryption of all devices.

More frequent password changes and more complexity required; more robust ‘whitelisting’ software implemented.

More robust individual training; rules about transporting PHI in personal vehicles; scanning and electronically transferring PHI versus moving paper in autos.

New controls, new protocols, enhanced education of employees.

New identity protection procedures for board members.

New intrusion detection software. New password protocols. Segregation of highly valuable trade secrets.

Password confirmations and secondary sign-in.


Password policies were enforced more rigorously.

Placing better controls with respect to employee access.

Plan developed to manage data breaches. Vendor access reviewed.

Proper processes for approving EFTs, checking confirmation of payments.

Regular patching regime of OS and applications.

Review of access rights globally.

Site-by-site data audits and retention policy audits, with massive destruction of hoarded but unnecessary data.

Social media policy and controls.

Started to include specific breach responsibilities in contractual negotiations (i.e., who is responsible for what cost should a breach occur).

Training, additional firewalls, tokenization.

Two-factor authentication required. Random phishing testing of employees. More stringent password rules (strength, frequency of change).

Updated contractual language with vendor related to data security and notification of breaches. Updated policies for transmission of data.

USB policy.

We hired a head of information security, started conducting audits, upgraded technology safeguards, used a third party to process credit cards so they were no longer stored.

(Cont’d) Please provide examples of changes your company made following the data breach.


Did your cyberinsurance policy fully cover any damages related to the breach?

Among corporate counsel who say their company was insured against a data breach, 46 percent report that their company’s policy did not fully cover the damages from the breach. Only 19 percent say they were fully covered against the damages, while 34 percent are not sure if damages were fully covered. In-house counsel in the US were the least likely to report that their cybersecurity insurance fully covered damages from a data breach (17 percent), compared with other regions on average (33 percent).

CYBERINSURANCE POLICY FULLY COVERING BREACH DAMAGES

No 46%

Yes 19%

Don’t know/Not sure 34%


(Cont’d) Did your cyberinsurance policy fully cover any damages related to the breach?

Overall CLO/GC vs. Others Have you ever experienced a breach? Region - Office location Organization's total gross revenue for the last fiscal year (US$)

All responses CLO/GC Other title Yes No US Other <$100 million $100M-$499M $500M-$2.9 billion $3 billion or more

n= 108 85 23 108 0 89 18 30 19 35 18

Yes 19% 18% 26% 19% 0% 17% 33% 10% 32% 29% 11%

No 46% 51% 30% 46% 0% 49% 33% 37% 58% 51% 39%

Don’t know/Not sure 34% 32% 43% 34% 0% 34% 33% 53% 11% 20% 50%

Total 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%

Total number of employees in organization/company Size of your law department (all staff in all locations) Employer a global entity?

Less than 100 100-499 500-4,999 5,000 or more 1 employee 2 to 9 employees 10 to 24 employees 25 to 49 employees 50 or more employees Yes No

n= 7 20 43 36 11 59 17 11 10 61 45

Yes 29% 5% 26% 14% 36% 17% 18% 9% 30% 25% 13%

No 14% 55% 44% 53% 27% 47% 53% 64% 30% 41% 56%

Don’t know/Not sure 57% 40% 30% 33% 36% 36% 29% 27% 40% 34% 31%

Total 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%


Please share your best practices or most important learnings that may help others manage cybersecurity risk and/or a breach.

Best practices cited by lawyers who have experienced a data breach cover a wide array of topics and approaches to cybersecurity.

Common themes include having a written and well-practiced incident response plan guided by accepted standards, more in-depth prevention systems and policies with regular employee training, ongoing review of risk and policies (including regular audits), closer control and review of vendor and third-party contracts, and regular review and updates to systems and approaches to cybersecurity. Employing experts such as a CIO or CISO and quick response were also mentioned often.

See below for a sample of best practices cited by in-house counsel.

(1) Always monitor who has access to sensitive data, and educate and train the employees (on things like social engineering hacking attempts, etc.), as oftentimes humans are the least secure means of defense and the biggest vulnerability point — trust but verify — monitor users after training them. (2) Create user administration controls to limit who has access to sensitive data. (3) Track and monitor the systems with automated tools that log and report activity; automated tools can help find issues and close security holes. (4) Keep antimalware software updated by maintaining security patches. (5) Have clear policies and procedures in place for employees, consultants, and outside vendors, and strictly enforce those policies. (6) Have a data breach response plan in place so you are prepared if a breach occurs.

1) Review all supplier contracts, and verify we have appropriate reps and warranties, coupled with carve-out of breach remediation costs from LOL. For critical items, we also ask the vendor for an indemnity. 2) As a software company, we develop code and use third-party code in our products. We implement robust in-bound licensing controls to ensure that we do not use code that contains legal risks (e.g., ‘copy left’ restrictions under the GNU GPL) or operational risks (e.g., code known to have vulnerabilities, such as the OpenSSL/Heartbleed virus). 3) We hired a CISO to perform companywide assessments of our risk profile, to assist us in implementing best practices (including penetration testing of our systems and employee training), and to raise awareness at the board level of the risks (and prophylactic best practices) to minimize any impact.

A good broker working with you to obtain cyberliability coverage is essential. The broker can identify the best carriers from which to obtain coverage. Coverage for an incident is more than just reimbursement of monetary spend; it must include a crisis management team to help the company put into place a plan to deal with the fallout. Also, having someone from the in-house legal department dedicated as the go-to person for the IT team is essential to help with the management of any breaches.

Act as if you’ve already been breached.

As a financial services trade association, our members have formed peer groups that meet with and collaborate with FSISAC, etc. The industry’s federal regulators are collaborating with industry trades on educational events.

As this survey has already hinted, a multidisciplinary approach both for preventing breaches (training, audits, contractual language, etc.) and for responding to breaches.

Awareness of third-party security (or lack thereof).

Back up to a cloud system that is geographically remote from your office. Maintain current contact information for all staff.

Be prepared; have a data breach response plan and do a tabletop exercise; have some internal security expertise and a trusted security/forensics vendor in advance; have detection systems to alert of an issue; consider segmentation of systems and data; have knowledgeable outside counsel in advance.

Bringing back the war stories of others from attending live/interactive events focused on security/data breach issues.

Cannot invest too much in training everybody in workforce about their duties to safeguard nonpublic info regardless of role or function.

Choose the right information security standard and framework for your business; understand your risk profile and discuss with all parts of the business. Establish a risk tolerance level and make risk assessment an integral part of your operating culture. Be prepared for and plan for the worst.

Clear guidance to employees on personal devices.

Close management of data to (i) minimize the amount/type of sensitive data on-boarded, (ii) ensure data is stored and transmitted in an encrypted format, and (iii) ensure data is securely deleted/destroyed once no longer needed.

Communication to employees about where to report a breach, potential breach, and what is a breach.

Companies experiencing a breach should: (1) already have an ongoing relationship with cyber risk management company like ours so ‘Red Team’ can immediately go into action. If no agreement already in place, then immediately retain one to conduct breach analysis and forensics.

Complete readiness: (1) response vendors with SLAs, (2) written procedures on what to do vis-a-vis the 47 states — this would include templates for responses; (3) designated response teams with a templated project plan; (4) tabletop exercises with changing fact patterns.


Conduct a deep-dive analysis into your information governance (what you have, do we need it, where it is, who has access, why do they have access, how is it stored, how is it accessed).

Conduct a tabletop exercise at least twice a year.

Continuous review and improvement of security processes. Never stop evaluating them and improving them.

Cooperation with law enforcement.

Cyber/privacy insurance; focus on educational opportunities for board, management, and employees to raise awareness; developing and testing a response plan.

Cybersecurity insurance is not always useful (expensive and with deductibles that do not cover most common damages for IT frauds). If a serious breach happens, the internal security measures are the most important thing for the organization, including a business continuity plan. To have clear guidelines for the internal users of our systems and make sure those rules are followed. To have CSO and people dedicated to DP and PCI compliance. Risk management department and DPO to follow up on risks identified until those are closed.

Data logs are your friend, but the information collected and stored varies, as do log retention policies. Most companies (or external IT resources) collect basic information (IP address and date/time) and retain logs for some period of time, but they may be overwritten almost instantly or retained for months or years. Additional information can also be helpful: geographic location of the server, equipment and OS, and user name. This could be the difference between quickly identifying the source of a breach and hiring an outside forensics firm.

Don’t sign form business associate agreements without carefully considering whether any modifications are necessary for your business (e.g., is time to report breaches reasonable in view of the statutory requirements?).

Easier to manage in the USA than abroad. Even getting an in-country audit report is not comforting. When there is shared data internationally, this is a problem. Our solution was to move everything to the cloud. Our CIO is satisfied that this is the best current security solution for shared data.

Employ individuals who are knowledgeable and experienced. Chief information security officer should report to legal, not IT.

Employ outside counsel immediately. Issue a companywide hold notice. Inform insurance immediately. Inform CEO and board immediately.

Employee training and vigilance are the best defense.

Encouragement/requirement that any potential breaches be reported immediately.

Ensure all business units handling data understand the types of consumer data that trigger breach notification requirements, as those categories are broadening beyond the types of sensitive financial and health data previously understood to be the only triggers under state law. Emphasize the importance of encrypting all databases containing personal data.

Ensure that the board is appropriately briefed, and anticipate questions and place cybersecurity in the right place in the risk hierarchy — i.e., one of many significant risks that can arise in a large and complex business operation.

Ensure you have a dedicated team that can put aside their daily work to focus on the current breach.

Exceed industry standards in all respects.

External audit every 6-12 months.

For a small company, we have taken pains to make sure that our IT group is extremely well trained. We send them to training constantly in order to stay up on the latest. We do not allow thumb drives by employees or any visitors. We conduct training annually, and this is important enough that it’s done as a group at a hotel. We don’t rely on computer training for this. It’s done in person by a trainer, and our corporate officers/principals stand up and speak and/or attend to emphasize the importance of cybersecurity.

Have a crisis management team in place. Ensure effective communications among all crisis team members. Manage the risks and the message well.

Have a forensics firm and outside counsel lined up in advance. Talk to everyone you know with any influence to try to get Congress to address the morass this industry has become.

Have a shared responsibility between IT and legal. Get the board and CEO to acknowledge that preparedness does not mean “breach roof.”

Have cybersecurity insurance. Going through that application process will often highlight many shortcomings within an organization. Additionally, it will force conversations within departments and offices relating to how cybersecurity risks are being handled and addressed.

Having a well-documented plan in place, with outside vendors identified and tabletop exercises conducted in the last few months, has raised our confidence level that we are prepared should an event occur.

Hire an external auditor to audit the current state of your IT systems so that you can properly assess your risk. Do not rely upon your internal IT staff to provide accurate risk assessment.

Hire an outside law firm to manage outside PEN testing to enable you to assert attorney-client privilege.

Hiring a chief information officer.

I feel very strongly about the benefits of working with the federal government if you are a critical infrastructure company.

Immediate notification once breach was discovered and prompt internal escalation. Quick assessment of nature and scope of breach. Regular communication and collaboration of breach response team.

Important to map existing insurance coverage for gaps.


In the midstream energy industry, biggest threat is through control room, so that is where we focus our efforts on security.

Increase management awareness.

Invest in a cybersecurity/compliance manager.

ISO27001 certification has provided a good yardstick to assess level of cybersecurity protection.

It is critical for the in-house legal team to have a good understanding of the material cybersecurity risks to the business, not simply rely on the IT department to take care of the risks.

It is vitally important to have a cybersecurity response plan in place and to practice in the event of an actual breach. Having the key employees and departments engaged may provide a company better response time to minimize damage and work through any communication plans effectively.

IT staff continually monitors our systems and traffic for unusual events or PSAs.

Key is for company to have a cross-functional oversight committee in place to address cybersecurity and privacy risks. Representatives on committee should include CIO, chief privacy officer, legal representative (if CPO not part of legal), compliance, and key business areas (e.g., finance, HR).

Learned most from a near miss; network monitoring system operated by a contracted provider was disabled. Resulted in a malware hack; no data loss or breach. However, it highlighted the vulnerability of relying on systems put in place without regular audit and training of personnel monitoring those systems.

Legal counsel should endeavor to become familiar with common threats and investigate its IT people on their cybersecurity and how they address such threats. Both IT and legal should attend seminars and learn from the experts the various cyberthreats, what can be done to reduce them, and develop a plan to address the issues if the threats prove real. Get a team in place proactively, especially an outside cybersecurity IT expert to help identify and quickly plug the breach, and possibly conduct a mock breach.

Maintain a list of customers who have a contractual right to know in the event of breach.

Make sure that people know what their jobs are and with whom they are supposed to communicate.

Multiple-factor authentication, close vendor oversight, constant monitoring, practice, and testing.

My best practical suggestion is to have the legal department review and enhance the company’s cybersecurity policy and to have a clear line of communication on who should be notified and who has authority to make high-level decisions in the case of a breach.

Need to be aware of what is actually happening on the ground in remote offices.

Need to have a plan and test it (tabletop and other simulations). Need to designate who owns what relationships and nurture relationships with outside providers so as to be ready in the event of a breach. Need to have the right terms in vendor agreements (including standards, cooperation, indemnification, shutdown triggers, etc.). Need to be able to defend the reasonableness of what amounts are and are not spent on data security and privacy. Need to pay attention to data in all forms — hard copies too.

Negotiate reasonable terms with e-commerce and merchant banking providers to ensure reasonable transparency/auditability/control of security aspects of the relationship, proper notice, reasonable sharing of obligations in the event of a breach, reasonable allocation of risk and responsibility relative to the circumstances/causes of any breach or unauthorized disclosure. Steer clear of flat refusals to address confidentiality, privacy, and data breach liability matters in indemnification and/or limitation of liability situations. Establish clear SLAs and KPIs with agreed response times and penalties.

Never undervalue any data breach. It can lead to serious penalties and to major reputational damage, no matter the (even little) importance or sensitivity of the information leaked. It simply shows the weakness of security, and that is serious business.

Our best practice is PAYMENT CARD INDUSTRY COMPLIANCE and using outside vendor to host data.

Our company culture from top down is concerned about cybersecurity. It’s a prime concern from the board and a top concern.

Our security department sits and presents at every quarterly board meeting. They are integrated into our day-to-day, and the CEO and president have a strong relationship with the section.

Pay attention to customer’s needs in terms of what they expect in terms of cybersecurity.

Prepare your board for increased costs anticipated.

Preparedness is key — if we had not been proactive, could have been much worse.

Quarterly audits and staff retraining.

Read and edit each subcontractor and vendor agreement carefully to determine how much protection each one will offer with regard to your company’s data.

Regular meetings (monthly) with IT for sensitivity training on security requirements required by HIPAA and other state laws.

Regularly perform external penetration testing. Prohibit employees from downloading software without security risk review. Annual employee and new hire training.

Review cyberinsurance policy to know what it covers. Have a team and vendors ready to go with a plan.

Routine internal and external audits are critical to manage cybersecurity risk and/or a breach.

Sensitive data is not accessible from offsite or via any Internet connection. Access is limited to onsite only network by a limited number of people with passwords that must be changed every ninety (90) days.


Smaller organizations like ours (28 employees, $5 million annual revenue, but with law dept. of three attorneys due to nature of business) typically run into management resistance regarding expenditures for more formal and robust cybersecurity programs. Instead, our organization, and I believe others similarly situated, rely almost exclusively on local outside vendors that are themselves less sophisticated than they should be. As general counsel, this has been an ongoing source of tension with the CEO for the past 10 years.

Start with insider risk; easier to control than external risk, and it’s possible to make significant improvements.

Stay on top of new information regarding cybersecurity risk and/or breach daily using the Internet.

Surfacing a breach is often the most difficult task. Therefore, developing a culture of compliance with staff is critical so they can identify issues quickly and notify the appropriate parties in a timely manner.

Take the risk seriously and communicate risks and provide education to employees.

Take the time to build and test your company’s cyber crisis plan. Have a strong PR team on retainer that is familiar with your industry, and have holding statements ready to go. Have a credit monitoring and ID theft prevention vendor on retainer, such as AllClearID, so you can move fast. Have clear decision lines so it’s not a cluster of voices and opinions when you need to move swiftly. Identify who your company’s spokesperson will be ahead of time and who will appear before Congress or some other public forum, if needed. Be brutally honest in picking someone who will do well with this — don’t just focus on the executive’s role. Practice and get that person some media training so they are prepared. Document your information security and privacy programs so you can readily produce evidence of training, audits, investigations, notifications, etc. A good eGRC tool like Archer can be invaluable in keeping things organized.

Test vendors rigorously and regularly. Hire the best consultants and counsel. Prepare for breach, and educate the board.

The ability to track what was potentially disclosed and whether it was actually accessed are the two most critical and difficult things to assess.

The fact that companies have not standardized vendor require-ments for cybersecurity is a major issue. Our customers have varying standards, questionnaires, and audit requirements, and it can be very burdensome to comply or respond to so many different requirements. Any standardization in this area would be welcome and could have significant economic benefits for both buyers and sellers.

The importance of maintaining litigation privilege is paramount.

The need to have experts who know your company and its systems ready before the breach occurs.

The scope of the breach tends to broaden rather than lessen over time.

The simplest things often cause the breach. Focus on those first. Passwords, cutting off access to terminated employees, monitoring systems to make sure large amounts of data are not downloaded by employees (rogue employee issue), do not have a failure point of one.

Tokenization. Communication between legal and IT regarding vendors.

Top on the response plan list should be making contact with your cyberinsurance carrier. Often, they must manage the process and vendors (through their counsel).

Training, training, training — and not a mandatory 20-minute video. Something real that people can touch, feel, and relate to.

Understand the key contact points for vendors who may be involved in a data breach, and you can quickly address the issue with the right stakeholders.

Understand what your cyberinsurance policy covers and doesn’t cover.

Understand your particular risks. Require two-factor authentication. Conduct regular audits and penetration testing. Make sure the CEO and board are engaged.

Use experts.

Use incident response platforms. Get away from spreadsheets and email.

Utilizing outside vendor to stage a mock exercise to test security measures.

We do periodic tests — hacking attempts of our firewall and other security measures to see whether they are truly secure. We also require vendors who will handle proprietary/confidential data or PII to have similar measures and do SSAE-compliant audits annually.

Work with regulators; keep them apprised of suspicious phishing attempts. Work with IT to get ahead of the cyber requirements for government contracting.

Work with your local FBI.

You are best served by a product-enabled managed service to protect your environment.


DEMOGRAPHIC PROFILE


What was your organization’s total gross revenue for the last fiscal year, including affiliates and subsidiaries in US dollars? (Convert to US dollars using the currency conversion tool below.)

Is your employer a global entity with employees or business operations outside of the country in which your company is headquartered?

Overall Region - Office location

All responses US Canada EMEA Asia Pacific

n= 853 602 30 46 74

<$100 million 34% 36% 27% 24% 34%

$100M-$499M 22% 24% 20% 15% 14%

$500M-$2.9 billion 25% 24% 37% 22% 34%

$3 billion or more 19% 16% 17% 39% 19%

Total 100% 100% 100% 100% 100%

Overall Region - Office location

All responses US Canada EMEA Asia Pacific

n= 965 659 34 49 92

Yes 58% 55% 65% 86% 57%

No 42% 45% 35% 14% 43%

Total 100% 100% 100% 100% 100%


What is the total number of employees in your organization/company, including all departments and locations?

What best describes the size of your law department (including all lawyers, paralegals, specialists, and support staff in all locations)?

Overall Region - Office location

All responses US Canada EMEA Asia Pacific

n= 964 662 35 49 89

Less than 100 16% 16% 9% 10% 16%

100-499 25% 26% 29% 16% 21%

500-999 10% 10% 11% 10% 11%

1,000-4,999 22% 24% 23% 18% 21%

5,000-9,999 7% 7% 9% 6% 9%

10,000-49,999 12% 10% 14% 24% 12%

50,000-99,999 4% 3% 6% 10% 6%

100,000 or more 3% 3% 0% 4% 3%

Total 100% 100% 100% 100% 100%

Overall Region - Office location

All responses US Canada EMEA Asia Pacific

n= 975 669 34 50 92

1 employee 19% 20% 18% 12% 11%

2 to 9 employees 52% 53% 53% 44% 58%

10 to 24 employees 13% 12% 18% 14% 12%

25 to 49 employees 7% 6% 3% 10% 9%

50 or more employees 10% 8% 9% 20% 11%

Total 100% 100% 100% 100% 100%


Headquarters Region

Overall Region - Office location

All responses US Canada EMEA Asia Pacific

n= 867 671 35 50 92

US 76% 94% 6% 16% 11%

Canada 4% <1% 86% 0% 1%

Europe 8% 4% 6% 58% 10%

Former Soviet republic 0% 0% 0% 0% 0%

Middle East/North Africa 1% 0% 0% 20% 0%

Sub-Saharan Africa <1% <1% 0% 2% 0%

South/Latin America 1% 0% 0% 0% 0%

Asia Pacific — excluding Aus/NZ 2% 1% 0% 2% 7%

Australia/New Zealand 8% 1% 3% 0% 70%

Other country/not provided <1% <1% 0% 0% 0%

Prefer not to answer 1% <1% 0% 2% 2%

Total 100% 100% 100% 100% 100%

Office Region

Overall Region - Office location

All responses US Canada EMEA Asia Pacific

n= 862 672 35 50 92

US 78% 100% 0% 0% 0%

Canada 4% 0% 100% 0% 0%

Europe 4% 0% 0% 74% 0%

Former Soviet republic 0% 0% 0% 0% 0%

Middle East/North Africa 1% 0% 0% 24% 0%

Sub-Saharan Africa <1% 0% 0% 2% 0%

South/Latin America 1% 0% 0% 0% 0%

Asia Pacific — excluding Aus/NZ 1% 0% 0% 0% 8%

Australia/New Zealand 10% 0% 0% 0% 92%

Other country/not provided <1% 0% 0% 0% 0%

Prefer not to answer <1% 0% 0% 0% 0%

Total 100% 100% 100% 100% 100%


GLOSSARY OF INFORMATION SECURITY TERMS


Access control: A combination of policies, models, and mechanisms that regulate access to system resources and protect system resources against unauthorized user access. Mechanisms include software, biometrics devices, and physical security measures.

Active attack: An intentional attempt to alter, disable, or destroy a system, its operations, resources, or data.

Advanced persistent threats: A covert network attack, usually through multiple attack vectors (e.g., cyber, physical, and deception) and often occurring over an extended period of time.

Administrator account: A user account with credentials that confer full privileges on a computer and/or throughout a network.

Antispyware: A type of program designed to prevent and detect unwanted spyware program installations and to remove those programs if installed.

Antivirus: Software used to prevent, detect, and remove malicious applications such as computer worms, viruses, and Trojan horses from systems, servers, and endpoints. Once an infected file has been detected, it can be either repaired or quarantined so that the viral code does not execute. When a new virus is discovered, a unique string of code is extracted and added to a database with other information about the virus.

Attack attribution: Determining the identity or location of an attacker or the attacker’s intermediary.

Attack signature: Rules or patterns in the header of a packet or in the pattern of a group of packets that distinguish legitimate traffic from attacks or classes of attacks on a Web application and its components.

Authentication: Verifying the identity or other attribute of a user logging onto a computer system or the integrity of a transmitted message.

Authorization: The granting or denying of access rights to a user, program, or process.

Back door: Typically unauthorized hidden software or hardware mechanism used to circumvent security controls to gain access to a computer system.

Biometrics: The science and technology of measuring and ana-lyzing biological data. The term usually refers to automated tech-nologies for authenticating users through characteristics such as fingerprints, eye retinas or irises, voice patterns, facial patterns, and hand measurements.

Blacklist: A list of people or programs that are blocked or denied privileges within or access to a system or service.

Botnet: A network of hundreds or thousands of computers in-fected with malicious code that work together to perform tasks as-signed by the network controller. These tasks are either automated or assigned through a control channel such as Internet relay chat.

Brute force attack: A method of accessing a computer or net-work by attempting multiple combinations of numeric and/or al-phanumeric passwords.

Buffer overflow attack: A method of accessing a computer or network by sending more input than can be placed into a buffer or data holding area to crash a system or to insert specially crafted

code that allows the attacker to gain control of the system.

Business continuity plan: A plan to help ensure that business processes can continue during an emergency or disaster. In the context of information security, the plan will detail the restoration of critical IT processes and operations as well as designing an ar-chitecture that prevents, detects, and isolates security breaches and reroutes network traffic in the event of a circuit failure.

Category: A restrictive label that can be applied to classified or unclassified information to limit access or to trigger heightened security measures.

Certificate: A set of data that uniquely identifies an entity, con-tains the entity’s public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity.

Clear text: Information that is not encrypted.

Cloud computing: Technology that uses the Internet and shared central remote servers, rather than local servers or personal devic-es, to store data and applications. Centralizing data storage, pro-cessing, and bandwidth improves efficiency.

Compartmentalization: Organizing resources into groups that are isolated from each other and controlling the means of exchanging information between groups. When networks are compartmentalized, filtering devices such as firewalls are used to partition a network into zones.

Computer security incident: Any unlawful, unauthorized, or unacceptable action that involves a computer system or computer network. This can include theft of trade secrets, email spam, unau-thorized intrusions into computing systems, or denial-of-service attacks.

Containers: Isolated user-space instances that share an operat-ing system kernel and may share files as well.

Credentials: A data object that supports a claim of identity or authorization that is generally intended to be used more than once.

Cross-Site Scripting (XSS): A prevalent security vulnerability in websites and Web applications where data that is inputted by a user is sent to the browser without proper validation or sanita-tion. In an XSS attack, an attacker exploits this vulnerability by inputting malicious code, which is injected on the website. Users become victims by visiting or clicking on a link to the compro-mised website. Injected code may cause the compromised website to display inappropriate images, redirect users to a malicious web-site or cause malicious files to be automatically downloaded onto a user’s computer.
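The vulnerable pattern this entry describes beside its hardened form, as an added example that is not from the report. The page template, function names and the probe string are assumptions; the fix shown is the "validation or sanitation" the definition refers to: an allowlist check on the input and HTML output encoding before the value reaches the browser.

```python
import html
import re

# Assumed page template: the user-supplied name lands inside the markup.
TEMPLATE = "<h1>Hello, {name}</h1>"

# Validation: an allowlist of what a display name may contain.
NAME_RE = re.compile(r"[\w .'-]{1,40}")


def is_valid_name(name):
    """Reject input before it is stored or rendered if it is not a plausible name."""
    return NAME_RE.fullmatch(name) is not None


def render_profile_unsafe(name):
    """Vulnerable: user-controlled text is inserted into the page as markup."""
    return TEMPLATE.format(name=name)


def render_profile_safe(name):
    """Hardened: escape <, >, &, and quotes so the browser renders text, not a tag."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def contains_tag(rendered, tag="script"):
    """Detection helper: does the rendered page still contain an injected tag?"""
    return f"<{tag}" in rendered.lower()


# Constructed hostile input of the kind a reflected XSS probe would carry.
PROBE = "<script>alert('xss')</script>"

if __name__ == "__main__":
    print(render_profile_unsafe(PROBE))   # browser would run the script
    print(render_profile_safe(PROBE))     # browser shows the literal text
    print(is_valid_name(PROBE))           # False: rejected before rendering
```

Output encoding is the control that actually prevents the injection; validation narrows what is accepted but cannot be relied on alone, because a legitimate value (an apostrophe in a surname, an ampersand in a company name) still has to be encoded for the context it is rendered into.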

Data breach: This term is defined differently under various laws and regulations, but generally it is the unauthorized disclosure of sensitive or privileged information to a party that is not authorized to access the information.

Data integrity: The process of preventing accidental deletion or corruption of data in a database.

Data loss prevention (DLP): A strategy for preventing data loss due to insider threats by ensuring end users cannot send or otherwise share confidential information outside of the corporate network.

Data mining: The process of analyzing large amounts of data, usually through an automated process, to uncover facts, patterns, relationships, trends, and anomalies with the goal of using the information to predict data subjects’ behavior.

Defense-in-depth: A comprehensive security strategy involving the coordinated use of multiple security countermeasures to protect the integrity of an organization’s information assets.

Digital forensics: The specialized techniques used to collect, retain, and analyze potential evidence in digital form for investigative purposes in such a way that chain of custody is preserved and can be proven.

Digital rights management: Any access control technology used to protect, license, and otherwise restrict the use of proprietary software, hardware, or content.

Digital signature: A data string that is added to a digital message to guarantee its integrity. The string is created by hashing the original message into a short fixed-length value, known as a message digest, and then encrypting it with the signatory’s private key. Message recipients can determine whether a message has been modified by hashing it into a message digest, decrypting the signature with the sender’s public key, and comparing the two message digests.

Disruption: An event that causes an unscheduled interruption in processes or operations for an unusual or unacceptable length of time.

Distributed denial of service attack: The introduction of code into a trusted component or software that will be distributed to other companies. The infected computers can then be instructed remotely to send a flood of network traffic to a target. Overwhelming the target system causes delays and outages, thus making its resources — websites, applications, email, voicemail, etc. — unavailable to legitimate users.

Encryption: Encoding information and messages so they are unusable, unreadable, or indecipherable without a key or password.

End-to-end security: Safeguarding information in an information system from point of origin to point of destination.

Enterprise: An organization such as a business or company.

Enterprise risk management: The process of planning, organizing, leading, and controlling the activities of an organization to minimize the risk to its assets.

Exploit: A method or a program that automates a method that targets a software vulnerability to compromise the integrity, availability, or confidentiality of information or services.

Firewall: Software applications on a network gateway server that are used to keep a network secure. A firewall can be used to separate internal network segments and public Web servers to prevent unauthorized access to private network resources from outside the network. A firewall can also be used to protect internal network segments from unauthorized use by someone within the network.

Forensics: A structured investigation of computer systems, networks, wireless communications, and storage devices to identify, collect, preserve, and analyze data that can be presented as evidence in court.

Honeypot: A system or system resource created to attract potential intruders. The goal is to distract intruders from the real target and to gain information about the intruder and the attack.

Identity and access management (IAM): A system of managing access to information and applications in internal and external applications systems. IAM generally has four components: authentication, authorization, user management, and a central user repository that stores and delivers identity information to services and verifies credentials submitted by users.

Incident response: A process or set of activities including impact and scope measurement and remediation that addresses the immediate and direct effects of a cyberincident and provides short-term recovery.

Insider threat: A threat that originates within an organization.

Intrusion prevention systems (IPS): A device or software used to prevent intruders from accessing systems and halt malicious or suspicious activity. An IPS will identify malicious activity, log information about it, attempt to stop it, and report it. This is in contrast to an Intrusion Detection System, which merely detects and notifies but takes no further action.

Investigation: A systematic inquiry into a threat or incident using digital forensics and other examination techniques to collect evidence and determine specifically what has transpired.

Internet protocol (IP) address: A unique number that devices use to identify and communicate with one another on a computer network using the IP standard. All devices on a network, including routers, computers, printers, and Internet fax machines, must have their own IP addresses.

Intrusion: A security event or events where an unauthorized entity gains or attempts to gain access to a system or system resource by circumventing the system’s security protections.

Key: A string of bits used by an algorithm to produce encrypted text from a string of unencrypted text or to produce decrypted text from a string of encrypted text.

Local Area Network (“LAN”): A group of computers and associated devices that are connected to the same server by hardware and software communications facilities to share resources, such as information, and peripheral devices, such as printers and modems. Typically the devices and server are all in a small geographic area.

Malware: Malicious software intended to do harm, such as disrupting computer operations, stealing confidential information, or gaining access to computer systems. Malware includes viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, spyware, and browser helper objects.

Multifactor authentication: A type of authentication based on more than one component. For example, something a user knows, such as a password, would serve as one component and would be combined with something the user has, such as a fingerprint or debit card, which is another component. To access a network, the user must have all the required components.

Network: A group of computers and associated devices that are connected by hardware and software communications facilities in order to share resources, such as information, and peripheral devices, such as printers and modems.

Network-based incident response: A set of disciplines, technologies, and processes for responding to incidents that focuses on attempts to block breaches at the network perimeter or firewall.

Passive attack: Unauthorized monitoring of system activities without altering the system or its resources, data, or operations. Examples include traffic analysis, monitoring unencrypted communications, decrypting weakly encrypted traffic, and capturing passwords or other authentication information.

Password: A data value, usually a string of characters, that a user presents to a system to authenticate the user’s identity or verify access authorization. A password is generally kept secret and paired with a user identifier, such as a user name. Authentication or verification occurs when the inputted password is matched with the password held by the access control system for the relevant user identifier.
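How the access control system can "hold" a password for matching without storing the password itself, as an added example that is not from the report: the store keeps a random salt and a slow PBKDF2 hash per user identifier, re-derives the hash from whatever the user presents, and compares in constant time. The user store, iteration count and names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # assumed work factor; tune to the deployment's hardware


def make_record(password):
    """Stored form of a password: (random salt, PBKDF2-HMAC-SHA256 key).
    The password itself is never written down."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password, record):
    """Re-derive a key from the presented password and compare it to the stored
    one in constant time, so a mismatch does not leak where it diverged."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


# Record used when the user id is unknown, so that path costs the same time.
_DUMMY_RECORD = make_record("not-a-real-password")


class UserStore:
    """Assumed minimal access control store: user identifier -> password record."""

    def __init__(self):
        self._records = {}

    def enroll(self, user_id, password):
        self._records[user_id] = make_record(password)

    def authenticate(self, user_id, password):
        """Authentication succeeds only when the presented password matches the
        record held for that identifier."""
        record = self._records.get(user_id)
        if record is None:
            verify_password(password, _DUMMY_RECORD)   # equalise timing
            return False
        return verify_password(password, record)


if __name__ == "__main__":
    store = UserStore()
    store.enroll("alice", "correct horse battery staple")   # constructed sample
    print(store.authenticate("alice", "correct horse battery staple"))   # True
    print(store.authenticate("alice", "wrong"))                          # False
```

The salt means two users with the same password get different records, and the iteration count makes each guess expensive, which is what limits the damage when such a store is exposed in a data breach; a store that kept the passwords themselves would lose them all at once.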

Packet capture (“pcap”): Using an application programming interface to capture “packets” of information crossing a network in order to diagnose a network problem or to spot-check for malicious activity.

Patch: A software modification or the act of modifying software. A patch generally fixes a vulnerability or bug but may also enhance the software or introduce a new feature.

Patch management: The application of patches to installed software systems on an organization’s computers.

Penetration testing: The practice of testing a system for vulnerabilities. Tests are either automated with software applications or performed manually.

Permission: An authorization to perform some action on the system.

Persistent data: Data stored on a local hard drive or other device that remains in storage when the device is turned off.

Phishing: An attempt to illegally gather personal and/or financial information from targets by sending them a message that appears to be from a trusted source. A phishing message typically includes at least one link to a fake website, designed to mimic the site of a legitimate business and trick the target into providing information that can be used for identity theft or online financial theft.

Plaintext: Unencrypted and otherwise readable text or messages. Plaintext is the input in the encryption process and output of the decryption process.

Port: Packets of information transmitted on the Internet are separated into separate streams, or virtual ports, based on type. Each packet is assigned a number based on the port, which allows the receiving system to recognize what it is receiving. For example, secure online data is generally assigned to Port 443. A physical port is a connection point between a computer and an external or internal device.

Privilege: Authorization to perform a security-related function to a computer’s operating system.

Protocol: A set of rules for communications that computers use when sending signals among themselves.

Proxy server: An intermediary server between an Internet user and the Internet.

Radio frequency identification: A system that wirelessly transmits identity or other information stored in a tag using radio waves. The system consists of a transponder (the tag), an antenna, and a transceiver. The antenna and transceiver are often combined into one reader. The antenna transmits a signal using radio waves that activates the transponder, which then transmits data back to the antenna.

Ransomware: A type of malware designed to lock or encrypt files on the infected computer system and display messages demanding a fee to unlock the system.

Red Team: A group of white-hat hackers authorized to attack an entity’s computer systems using the same tactics that malicious hackers would use. Instead of damaging systems or stealing information, the Red Team reports its findings to the entity to help it understand threats to its security.

Redundancy: A system design in which a component is duplicated so that if it fails, there will be a backup.

Remote access: The ability of a user to control a computer or device on an organization’s network or the Internet regardless of where the user is.

Risk assessment: The process of systematically identifying an organization’s valuable resources and threats to those resources, quantifying loss exposure based on frequency of loss and cost of occurrence, and making recommendations on how to allocate available resources to defend against or mitigate loss exposure.

Rootkit: A tool an intruder uses to gain administrator-level access to a computer. These tools are generally difficult to detect and are installed by cracking a password or through a known vulnerability to access a remote computer.

Router: A computer-networking device that forwards data packets across a network via routing. The device acts as a junction between two or more networks transferring data packets.

Safeguards: Physical, administrative, or technical countermeasures to avoid, detect, counteract, or mitigate security risks to a computer system or network.

Scanning: Inspection of a computer or network for vulnerabilities or security holes.

Security analytics: The study of trends, patterns, and associations in large sets of disparate data to measure its importance in managing risk and making sound decisions.

Security information and event management: Tools designed to detect, consolidate, analyze, and deliver information about data breaches from network monitoring and threat-detection devices.

Situational awareness: The capability to perceive different security threats and events, comprehend the meaning of an organization’s cybersecurity status, and project its future status to better position security mechanisms.

Sniffing: The use of software to intercept and read all the packets of data traveling on a network. This can be done to monitor network traffic. Communications appear in clear text unless they are encrypted.

Spam filtering: A software process that deletes or diverts suspected spam or junk mail based on criteria defined in spam filters.

Spoofing: Either receiving a communication by masquerading as the legitimate recipient or sending a communication by masquerading as the legitimate sender. “IP spoofing” refers to sending a network packet that appears to come from a source other than the actual source.

Spyware: A broad category of malicious software designed to intercept or take partial control of a computer’s operation without the consent of its owner or user. Spyware is typically bundled as a hidden component of other programs that users download from the Internet. Its purpose is generally to collect information about a user, such as Internet browsing habits, login information, and payment information and transmit it to third parties.

System integrity: The condition of a system where it is performing its intended functions without degradation or being impaired by changes or disruptions to its environments.

Tabletop exercise: An activity where personnel responsible for emergency management are gathered to discuss various simulated emergency situations.

Threat intelligence: A collection of focused information on potential threats and gaps in security based on artifacts related to threats such as associated files and communication protocols.

Token: A device that generates a random number that changes at regular intervals. This number is used, generally with a user name and password, to authenticate an individual.
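The Token entry and the earlier Multifactor authentication entry together, as an added example that is not the report's: the number that changes at regular intervals is in practice a time-based one-time password (RFC 6238) derived from a secret shared between the token and the server rather than a truly random value, and the server accepts it only alongside the first factor. Function names and the one-step drift window are assumptions; the secret is the SHA-1 test secret published in RFC 6238, used here so the output can be checked against the RFC's vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algorithm="sha1"):
    """Time-based OTP (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every `step` seconds."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits, algorithm)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server side: accept the current code or a neighbour within +/- `window`
    steps to tolerate clock drift, comparing in constant time."""
    now = time.time() if at is None else at
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + k, digits), code)
               for k in range(-window, window + 1))


def second_factor_login(password_ok, secret, code, at=None):
    """Multifactor check: something known (the password result passed in)
    and something held (the token code) must both pass."""
    return bool(password_ok) and verify_totp(secret, code, at)


# RFC 6238 Appendix B test secret for the SHA-1 vectors (not a real secret).
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC6238_SECRET, at=59, digits=8))   # RFC vector: 94287082
    code = totp(RFC6238_SECRET)
    print(second_factor_login(True, RFC6238_SECRET, code))    # True
    print(second_factor_login(False, RFC6238_SECRET, code))   # False: bad password
```

A stolen password alone fails `second_factor_login`, and a captured code is useless after the window closes, which is the property the Multifactor authentication entry relies on; the shared secret, however, is as sensitive as a password and must be stored and provisioned with the same care.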

Traffic: Packets of information being transmitted over a network.

Trojan horse: A malicious computer program or application that has a seemingly legitimate function but also contains an unexpected and usually destructive function that circumvents security mechanisms. They are distinguishable from viruses because they do not replicate themselves. For a Trojan horse to spread, users must invite the program onto their computers, for example by opening an infected email attachment.

Verification: The process of checking the truth of an assertion by examining evidence or testing. For example, during authentication, a user’s identity is verified by examining the identification information that the user presents.

Validation: To officially approve data structures, relationships, or systems that depend on verified items. For example, a public-key certificate is validated to confirm the relationship between an identity and a key by verifying the digital signature on the certificate.

Virus: A self-replicating computer program that executes itself and inserts copies of itself into other computer programs, data files, or the boot sector of the hard drive, thereby altering the way a computer operates. Viruses often have a harmful purpose, such as corrupting or deleting data, using the user’s email program to spread itself to other computers, or taking up available hard-drive space.

Virtual Private Network (VPN): A means of securely accessing a private network remotely while connected to a public network. To connect to a VPN, a user first connects to the public network through an Internet service provider and then uses client software on the user’s device to initiate a secure connection with client software on the private network’s server. Once the connection is established, the device has the same functionality, access, and security as it would if it were on the private network.

Volatile data: Data that is stored in registries, cache, and random access memory or exists in transit but is lost when a computer is no longer on.

Vulnerability: A security flaw, glitch, or weakness in software or an operating system that can lead to security concerns. Vulnerabilities can be caused by, among other things, weak passwords, bugs in software, software misconfigurations, a computer virus or other malware, a script code injection, or an SQL injection. They exist in all software and operating systems and can be exploited by malicious parties.

Vulnerability assessment: The process of identifying, measuring, and prioritizing security vulnerabilities in an organization or system. Generally the assessment involves cataloging assets and resources in a system, assigning a value to those resources, identifying potential threats to each resource, and eliminating or mitigating the most serious threats to the most valuable resources.

White hat hacker: A person who attempts to compromise the security of a computer system to ultimately improve its security.

Whitelist: An application whitelist is a set of administrator-approved programs that are allowed to run on a system. All other programs are blocked from running by default.

Worm: A standalone malware program that self-replicates and self-propagates, spreading from system to system. Unlike a virus, a worm does not require a host file to spread. A typical result is that the worm consumes too much system memory or network bandwidth, which overwhelms servers, network servers, or individual computers.

Zero-day attack: An attack that exploits a previously unknown vulnerability in software or hardware (a “zero-day vulnerability”). “Zero day” refers to the time that elapses between when the vulnerability is made public and the first attack.


The ACC Foundation – a 501(c)(3) nonprofit organization – supports the efforts of the Association of Corporate Counsel, serving the needs of the in-house bar through the dissemination of research and surveys, leadership and professional development opportunities, and support of diversity and pro-bono initiatives. The ACC Foundation partners with corporations, law firms, legal service providers, and bar associations to assist in the furtherance of these goals.


1025 CONNECTICUT AVENUE, NW SUITE 200, WASHINGTON, DC 20036 USA TEL +1 202.293.4103

WWW.ACC-FOUNDATION.COM
