Ruddy Law Office PLLC

12/03/2024 | News release | Distributed by Public on 12/03/2024 08:45


Top Cybersecurity Priorities for General Counsel in 2025 - 03 December 2024

As General Counsel you hold a pivotal role in strengthening enterprise-wide cybersecurity. While technical measures often fall under the purview of the Chief Technology Officers (CTOs) and Chief Information Security Officers (CISOs), your legal expertise and authority present very real opportunities to improve a company's cybersecurity posture and resilience.

Below are 15 Top Cybersecurity Priorities for General Counsel in 2025,¹ falling into three overarching categories: Governance, Validation and Drilling.

Governance: At the heart of every General Counsel's role, governance encompasses related policies, procedures, laws and regulations. It also includes engagement with senior management, the board of directors and third parties as well as contract management, insurance coverage and reporting.

Validation: General Counsels are not expected to step into the shoes of the CTO, CISO, CFO, Human Resources or Vendor Management. It is a General Counsel's responsibility to understand how those functions' duties affect the company, and the GC's own responsibilities, when it comes to cyber risk management. Lean in and apply that important measure of accountability, not just across these functions but across your company's entire enterprise.

Drilling: Often overlooked or underdeveloped, drilling is critical within the technical areas but also in building organizational resilience. Exercising and drilling are the difference between incidents that dictate the victim company's actions and a company that systematically works through the incident as a Complete Cyber Crisis Team.

The hallmarks are strong cultures; resilience at the technical and non-technical / senior management levels; incident-agnostic restoration and recovery; understanding the interplay with third parties, including regulators, law enforcement, insurers, the media and the public; and evolving and maturing toward the next exercise, drill or…incident.

Top Cybersecurity Priorities for General Counsel

1. A Complete Cyber Crisis Team.

2. Drilling I: General Incident Response and Recovery.

3. Drilling II: Ransomware Resilience.

4. Drilling III: PII Breach Resilience.

5. Mandatory Reporting.

6. Cybersecurity Insurance.

7. Important and Critical Vendors.

8. Data Retention - Policy & Enforcement.

9. Board of Director and Executive Engagement.

10. Cybersecurity Culture.

11. Cybersecurity Policies.

12. BYOD Management.

13. User Access and Entitlements.

14. Technical Tests, Drills and Exercises.

15. A Qualified CISO.

1. A Complete Cyber Crisis Team.

Incident Response Teams (IRTs) lean too heavily on the Information Technology (CTO) and Cybersecurity (CISO) subject matter experts when the company's full suite of executives each has critical roles in establishing robust Cybersecurity Resilience. Play your part as Chief Counsel, ensuring that your company's major constituents are sitting at the table before, during and after any incident.

A Complete Cyber Crisis Team has three parts: Senior Leadership, the Technical Team, and External Support.

Aside from the General Counsel, Senior Leadership includes the Chief Executive Officer, COO, Chief Financial Officer and Human Resources. Each corporate makeup is different, but Senior Leadership also cuts across Compliance, Risk Management and Public Relations. Where Boards of Directors exist, their involvement is vitally important.

The CTO and CISO bridge this team with Technical Leadership, which also includes security engineers and analysts. External Support includes your company's insurance carrier, outside legal counsel and forensic and cybersecurity experts. This Complete Cyber Crisis Team must practice, practice, practice its resilience. Accordingly, three of the priorities below involve drills with which General Counsels should be familiar.

2. Drilling I: General Incident Response and Recovery.

Resilient cybersecurity practices tend to be incident-agnostic. Scenarios bring incident-specific risks, such as navigating permissibility and sanctions during ransomware demands. But General Counsels should be fluent with basic Incident Response and Recovery.

First, know what the CISO, CTO and Technical Leadership are focused on:

  • Assessing scope, impact and recovery priorities,
  • Containment, reviewing data backups and restoration,
  • Testing and validating restored environments, and
  • Post-incident forensics and security enhancements.

General Counsels should move beyond hearing about these processes to knowing what to do with the results and updates that come from them - during tests, desktop drills and incident response exercises - so they are nimble come incident time. During such times, focus on:

  • The extent of the damage - financial, operational and reputational,
  • The critical data, intellectual property or personal information compromised, and
  • How recovery efforts are being prioritized.

Mandatory reporting and your ability to comply with the nuanced requirements will benefit from this full slate of information. Accordingly, General Counsels should know in advance how communication, engagement and coordination take place with:

  • Internal stakeholders, including your Board of Directors and employees-at-large,
  • Third parties, e.g., incident response, insurance carriers and outside counsel, and
  • External constituents, including regulators, law enforcement, government agencies, customers and media.

Finally, General Counsels must pay attention to the highest value-add items under their remit - physical and digital evidence preservation and attorney-client privilege - and when and how to deploy each. Take note: Evidence preservation may challenge or even run counter to containment, eradication and recovery. General Counsels must confirm, well before any incident, that all employees and related vendors know not to delete, destroy or alter data.

3. Drilling II: Ransomware Resilience.

In the painful event of ransomware, General Counsels must understand, and have taken part in verifying, the ransomware incident playbook. In addition to the general steps noted, appreciate the Technical Leaders' ransomware checklist, including:

  • Timing and engagement of the Complete Cyber Crisis Team,
  • The use of outside negotiators and the steps for communicating with hackers,
  • Processes and validation techniques for decryption efforts, and
  • The reliability of restoring from offline backups.

Create and be fluent with your own Legal / Litigation Checklist, which, beyond Mandatory Reporting and internal and external communication, includes:

  • Procedures and training around evidence preservation,
  • Initiation of attorney-client privilege,
  • Timing and engagement of outside counsel,
  • Executive and board reporting,
  • The permissibility / impermissibility of ransom payments and navigating sanctions,
  • The coordination and ability to effect ransom payments in cryptocurrency, and
  • Given the triggering of mandatory reporting in many instances, coordination with law enforcement, regulators and external advisors.

4. Drilling III: PII Breach Resilience.

Breaches that impact Personal Identifying Information (PII) bring specific protocols tied to the types of data and the volume compromised. Given the high prevalence of PII in most breaches, it is incumbent on General Counsels to be prepared to:

  • Document the information as it relates to the timing, nature of breach and data types compromised, e.g., PII, personal health information (PHI) or financial information, as well as quantity, i.e., the number of individuals, businesses and systems impacted.
  • Assess relevant covenants with vendors, insurers and investors as well as Mandatory Reporting requirements and what information these constituents should receive. This includes federal, state and, where applicable, foreign regulatory and law enforcement agencies, affected businesses and individuals and credit reporting agencies.
  • Given the risk of litigation, regulatory scrutiny and reputation damage, the benefits of attorney-client privilege and working with outside counsel are critical. General Counsels should work through PII breach exercises, evaluating beforehand legal obligations under relevant data protection laws, e.g.,
    • New York State Department of Financial Services' Part 500,
    • California's Consumer Privacy Act (CCPA),
    • Health Insurance Portability and Accountability Act (HIPAA),
    • Securities and Exchange Commission's (SEC's) Disclosure Rules, and
    • European Union's General Data Protection Regulation (GDPR).

5. Mandatory Reporting.

Mandatory Reporting refers to the legal obligations imposed on organizations to report certain types of cybersecurity incidents or breaches to relevant authorities or stakeholders within a specified timeframe. It also includes annual attestations and program reporting in, e.g., financial services and publicly traded companies. Incident reporting is designed to ensure timely notification and transparency when an organization experiences an incident that could potentially harm customers, employees, individuals, partners or critical infrastructure. Failure to comply with reporting requirements can result in fines, civil actions, penalties and other legal consequences. General Counsels should pay attention to the following:

  • Know your federal and state regulatory requirements and the agencies to which your company is required to file a report or other disclosure. Agencies include the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for critical infrastructure incidents, SEC, NYSDFS and European Data Protection Authorities under GDPR.
  • Understand the timing for such reporting. For example, SEC reporting is required both annually as to general program compliance and, in the event of an incident, within four (4) business days from the date of determining materiality; healthcare organizations must report breaches of PHI to the Department of Health and Human Services (HHS) within sixty (60) days; in New York, regulated financial institutions must certify their program annually, report incidents within 72 hours and report extortion payments within 24 hours (followed by a report within 30 days).
  • Understand materiality, which bears on whether your company must report the incident. Considerations include the impact of financial loss or even potential financial loss; harm to operations, individuals, customers, vendors or reputation; or a likely adverse outcome such as litigation or regulatory action. Under NYSDFS Part 500, a ransomware incident or actual extortion payment is material.
    • For the SEC: Would a reasonable shareholder consider the incident important to her / his investment decision or as significantly changing the total mix of information available?
    • For HIPAA and HHS reporting: Have more than 500 individuals' PHI been affected?
    • For the California Consumer Privacy Act (CCPA): Have more than 500 residents' PII been affected?
  • Lastly, understand the timeframe by when "materiality" must be determined. The SEC, for example, notes "without unreasonable delay."

6. Cybersecurity Insurance.

General Counsels should play a major role ensuring their companies are sufficiently covered by cybersecurity insurance. In addition to working with proven insurance brokers and carriers, General Counsels should take the time to understand the extent and limitations of coverage. Key practices include:

  • Conduct, with Finance, a bottom-up calculation to account for all costs that will align with coverage, including those tied to incident response and crisis management, deployment of third-party service providers, potential credit monitoring, public relations, ransom payments, legal fees, projected lost revenue, expenses due to system downtime, regulatory investigations, fines, penalties and third-party claims. Leverage incident response drills and scenarios to validate and refine these assumed costs.
  • Understand exclusions and how your company can lower its premiums.
  • Know your coverage for third-party incidents and supply chain disruptions; look for how climate-related events, acts of war and acts of God are covered; and ensure coverage addresses the most likely root causes, i.e., the human factor, insider threats, negligence and failures to comply.
  • Gain familiarity with your carrier's notification requirements, claims process and conditions for payout as well as the required use of any approved vendors.
  • For multinational firms, validate appropriate breadth of global coverage.
  • For financial institutions, incorporate highest losses into stress testing scenarios.
  • Review your policy annually, and include your carrier in tabletop drills and exercises.

7. Important and Critical Vendors.

Earlier this year, CrowdStrike, the cybersecurity company, caused global IT outages due to a failed update to one of its programs on computers running Microsoft Windows. Among the many victims, Delta Air Lines reported $500 million in losses due to the error. Around the same time, U.S. car dealerships lost more than $1 billion as a result of a ransomware attack on software provider CDK Global.

General Counsels play a critical role managing such third-party risks given the contractual nature of these services and the leverage contracts give them to ensure that outsourced performance meets company risk management, risk tolerance and regulatory requirements:

  • Partner with Vendor Management, IT, Operations and CISO and review a full inventory of third-party service providers, including the services performed, the measure of criticality, the data accessed and the reasons and contract renewal dates.
  • Confirm contracts for mission critical vendors address company information security standards, warranties, notification and indemnification requirements.
  • For global operations / services, confirm compliance with cross-border data transfer requirements and supply chain dependencies, including higher risk geographies.
  • Validate that a Risk Management Framework, e.g., NIST or CIS Controls, is being applied to mission critical providers, including:
    • Vendor risk assessments and onboarding due diligence,
    • Third-party penetration testing and audit rights,
    • Insurance requirements,
    • Information security certifications, e.g., ISO 27001, SOC 2,
    • Access management controls, e.g., principle of least privilege, and reviews,
    • Integration with your company's GRC Program, and
    • Offboarding, including data deletion.

A material factor that led to the CrowdStrike and CDK Global incidents - concentration risk - is something General Counsels participating on Information Security Committees should challenge given the black swan possibilities. Ensure that the CIO and CISO teams have a plan that is not only in place but also part of your company's periodic Tests, Drills and Exercises.

8. Data Retention - Policy & Enforcement.

Breaches, when they inevitably occur, must not be allowed to exploit a larger data environment, or "threat surface," than necessary. Some considerations:

  • Shrink your company's threat surface. Validate data and records retention policies capture applicable laws and regulations and designate roles within your company.
  • Beyond having a retention schedule, enforce it and review it at least annually.
  • Understand and confirm that the classification of corporate data, including emails, employee files, customer records, IP and third-party data, aligns with retention periods.
  • As a senior cybersecurity stakeholder, understand the decisions surrounding archival vs. disposal methods and how they are deployed, e.g., on-premises or cloud (archiving) vs. destruction and deletion processes, as well as the relationship with third-party service providers.
  • Educate stakeholders that policy enforcement goes beyond compliance: operational costs are lower due to reduced storage volumes; network and systems performance improves given lighter data loads; and, in the event of an incident:
    • Notification and reporting requirements are more manageable,
    • If required, the universe of credit monitoring is reduced, and
    • Litigation and reputation risks are similarly more contained.

9. Board of Director and Executive Engagement.

Typically serving as corporate secretaries, General Counsels play a unique role with Boards of Directors, CEOs and Senior Management. Companies of even modest size or complexity should have an Information Security Committee or equivalent body to which the CISO reports. As General Counsel, embrace the value you bring to this committee, your board and executive stakeholders.

Boards and committees should receive material information necessary to uphold their responsibilities. Reports should focus on strategic, business-aligned information, allowing members to appreciate risks, discuss and make informed decisions around investments and connect your company's cybersecurity risk tolerance with its goals. General Counsels should also help CISOs refine their reporting, avoiding information overload.

The CISO or CTO owns the creation and delivery of this reporting, but General Counsels can provide support so that this includes:

  • Risk and maturity assessments, including top threats and risks (internal and external), mission critical systems and vulnerability and penetration testing outcomes;
  • Compliance reports, capturing key regulations, industry standards, material compliance initiatives, areas of non-compliance, potential regulatory fines or penalties and audit results;
  • Information Security Strategy and Roadmap, including AI and predictive analytics;
  • Information Security Budget, including adopting other emerging technologies;
  • Key Performance and Risk Indicators (KPIs, KRIs);
  • Incident Response Plan and breach reports;
  • Third-party risk reports, particularly for material vendors and partners; and
  • Board action items, recommendations, budget approvals, material risk acceptances and training.

10. Cybersecurity Culture.

Similar to terms born from and embraced after 9/11 and compliance failures in the early 2000s - If you see something, say something, Tone at the Top and Culture of Compliance - Cyber Risk Management needs a cultural movement beyond the technical operators and into the corporate bloodstream enterprise-wide.

Destigmatizing victims is top of the list, and raising awareness remains priority number one. This means building up a company's employee base when it comes to both identifying trolling, phishing and malware behaviors and conducting oneself with sound cyber street smarts. General Counsels and their departments can lead by example - strong passwords, embracing multi-factor authentication, engaging in proper social media behaviors, avoiding unsecured networks and clickbait and complying with clean desk and clean desktop policies.

As cybersecurity leaders, General Counsels can also verify that training and policy enforcement address:

  • Social Engineering that preys upon human emotions, trust and fatigue,
  • Phishing and generative AI risks, e.g., vishing (deepfake voice and video),
  • Business Email Compromises (BEC),
  • Ransomware, including understanding one's role during an incident or other information security event,
  • Insider threats, whistleblower protections as well as anonymous reporting capabilities, especially in the face of unintended mistakes,
  • Privacy violations and intellectual property leaks, and
  • Third-party risk management.

11. Cybersecurity Policies.

Cyber-related policies are expansive and fall under various functional leaders - IT, Information Security, Compliance, Human Resources and Legal. It starts with the Risk Assessment, an Information Security Framework (e.g., NIST, ISO 27001) and overall Information Security Policy. Technical aspects include Cloud Computing, Encryption, Identity and Access Management, Network, Systems and Application Security, Patch Management, Software Development and Threat Intelligence. General Counsels can support CISOs, ensuring such policies are communicated, managed, updated and enforced.

Zeroing in, General Counsels can lend credible weight to a program's effectiveness by educating themselves on, and enforcing, the similarly important policies and reporting involving:

  • Audit and Testing Program,
  • Bring Your Own Device Policy,
  • Business Continuity and Disaster Recovery Plan,
  • Incident Response Plan,
  • Clean Desk / Clean Desktop Policy,
  • Communications and Email, including Social Media Policy,
  • Data and Records Retention Policy,
  • Information Security Committee and Governance,
  • Model Risk Management Policy, including AI and LLMs and their acceptable use,
  • Password Management Policy,
  • Physical Security Program,
  • Privacy and Data Protection Policy,
  • Remote Access Policy,
  • Third Party Risk Management Policy,
  • Education, Training and Awareness Program, and
  • Whistleblower Policy.

Mindful that there are standards and regulations specific to your industry too numerous to list, General Counsels, as lawyers for the company, should have a full inventory of applicable laws. Some better-known state, federal and international regulations beyond the CCPA, GDPR, HIPAA, NYSDFS Part 500 and SEC rules include:

  • Children's Online Privacy Protection Act (COPPA),
  • Cybersecurity Information Sharing Act (CISA),
  • Gramm-Leach-Bliley Act (GLBA),
  • Payment Card Industry Data Security Standard (PCI DSS), and
  • Sarbanes-Oxley Act (SOX).

12. BYOD Management.

A host of challenges come with using personal devices (e.g., smartphones, laptops and tablets) in corporate settings:

  • Intentional or accidental misuse,
  • Inconsistent or stretched IT support,
  • Confusion around data ownership,
  • Barriers in enforcing retention requirements,
  • Lack of standardization,
  • Unsupported applications,
  • Lost or stolen devices, and
  • Employee offboarding issues.

General Counsels should establish a clear Bring Your Own Device (BYOD) policy with their CISO and CIO and ensure the Third-Party Risk Management program covers both service providers and mobile applications. Look for how your company utilizes Mobile Device Management (MDM), encryption and virtual private networks (VPNs) to secure remote connections, and whether it has enabled remote wipe capabilities.

13. User Access and Entitlements.

One of the more technical controls, User Access and Entitlements ranks among the top root causes of insider threats and of breaches via service providers. General Counsels must play a robust second-line-of-defense role, calling for periodic reports at the board and committee levels confirming that related controls are operating as intended.

Best practices translate to users having appropriate access to systems and data based on their role, while minimizing risks tied to unauthorized or overly broad access. General Counsels should understand the basics of the following controls:

  • User Access Policy,
  • Principle of Least Privilege,
  • Role-Based Access Controls (RBAC),
  • User Segmentation,
  • Separation of Duties,
  • Multi-Factor Authentication,
  • Access Logging and Monitoring,
  • Entitlement Reviews and Updates, and
  • Automated Provisioning and De-provisioning.

14. Technical Tests, Drills and Exercises.

While enterprise-wide drills involving non-technical executives, boards of directors and service providers occur, technical tests, drills and exercises should also take place, and more frequently. This includes various scenarios (e.g., phishing, human and third-party error, DDoS, ransomware and data breaches) run through the stages of an incident lifecycle - Identification, Detection, Protection, Response and Recovery - and the imperative step of addressing deficiencies in a timely manner.

As General Counsel and senior cybersecurity stakeholder, appreciate the scope of these tests, be sure their results, gaps and action plans are reported to management, and confirm they include tests of mission critical third parties. Technical tests include:

  • Vulnerability Assessments,
  • Pen (Penetration) Testing,
  • Red (offensive), Blue (defensive), Purple (collaborative) Team Exercises,
  • Tabletop Exercises,
  • Phishing / Vishing Simulations, and
  • Business Continuity and Disaster Recovery (BC/DR) Drills.

15. A Qualified CISO.

A company that does not have a CISO, or does not receive material information security services from a qualified vendor, plays a dangerous game. The General Counsel can fulfill a critical role ensuring the company has assessed its size, complexity and the nature and scope of its activities and, at a minimum, begun incorporating commensurate controls.

A CISO and his/her Information Security Program should demonstrate the hallmarks described here and more. The CISO develops the program and, in overseeing it:

  • Leads information security operations and governance,
  • Builds a cybersecurity strategy aligned with business goals,
  • Justifies information security investments and stays abreast of emerging technologies,
  • Collaborates with business, technology and GRC leaders,
  • Conducts regular employee security awareness training,
  • Reports cybersecurity issues and emerging threats to senior leadership and board,
  • Ensures business resilience through testing, drills and exercises, and
  • Demonstrates tangible information sharing, collaboration and threat intelligence.

Conclusion

General Counsels play an essential and unique role in advancing organizational cybersecurity. Your connectivity with the Board and senior-most management, your duties as chief legal officer for the company and the cross-functional dependencies with the CISO, CTO, CFO and other major players in the event of a cybersecurity incident reinforce the impact of establishing strong governance, validating even the more technical cyber-related controls and practicing, testing, drilling and maturing.

Paul Caulfield heads Ruddy Gregory's Financial Regulation and Cybersecurity Practice. In addition to his legal work, Paul has held positions in foreign financial services as Chief Risk Officer, Chief Compliance Officer, COO and Board Member. His cybersecurity work includes establishing global information security programs, implementing NYSDFS Part 500, compliance with Bank of Israel Directive 361, cross-border risk management with China's Personal Information Protection Law (PIPL) and Anti-Espionage Law and working with publicly traded companies in compliance with the Securities and Exchange Commission's Cybersecurity Disclosure Rules. Paul is certified in Information Systems Security (CISSP) and Anti-Money Laundering (CAMS), holds his Series 24, 7 and 66 licenses and is an Adjunct Professor at Fordham University School of Law.

Contact:

Paul Caulfield

[email protected]

+1-212-495-9506