Two-thirds of businesses know about the risk of a regulatory investigation or litigation following a data breach. But our data shows that many are not doing enough to mitigate it. Where are they going wrong, and what can they do to get it right?

Most boards only oversee technology risk and how it is managed to a 'minor extent'

60% of boards only oversee technology risk “to a minor extent”

Only 9% of boards oversee technology risk “to a significant extent” (they oversee management of a broad range of technology risks and deem them to be as important as traditional risks)

Just 37% of businesses are more than “somewhat confident” that their senior executives understand the risks associated with technology.

Q. How actively does the supervisory/non-executive board oversee technology risk and how it is managed?

Q. How confident are you that your senior executives understand the risks associated with the technology your business is developing and deploying?

Cyber risk is a boardroom issue

Senior management and the board need to play an active role in overseeing how cyber risks are managed.

Why is that? First, major strategic business decisions, such as investing in new technology, can create extra cyber risks and vulnerabilities. Second, regulators increasingly call on board directors to actively oversee technology risks.

“Data breaches have happened for many years. But what’s new, especially for those in Europe, is that collective or class action litigation now follows.”

Christine Gateau | Partner, Hogan Lovells

Just 38% of businesses are more than “somewhat confident” that their senior executives understand the risks associated with technology

Q. How confident are you that your senior executives understand the risks associated with the technology your business is developing and deploying? Please rank on a scale from one to five, with one being not at all confident and five being very confident.

“Technology risk should be a priority for C-level executives. This is a key priority for us as we fulfil our strategic goal to go big on data and digital.”

Matthew Owens | Global Head of Legal, Digital, Novartis

Businesses have not mastered privacy by design

Companies can unknowingly break data privacy regulations when they develop or update new products that handle personal data. So privacy lawyers need to work alongside product teams on new product development from the start. This is called privacy by design, and not enough businesses are practicing it.

Data privacy specialists are rarely involved at the outset of the development and implementation of new technology that gathers and/or processes personal data

Q. Generally speaking, at what stage are data privacy specialists involved in the development and implementation of new technology that gathers and/or processes data/personal data?

Perfecting the incident-response plan

“The legal team has focused on training and raising awareness across the business about cybersecurity risks. We have also established certain protocols about how to respond as soon as we learn of a breach. This goes beyond what we are required to do from a legal perspective to address what we should do from an ethical perspective.”

Matthew Owens | Global Head of Legal, Digital, Novartis

Larger businesses are much more likely to have cybersecurity incident-response plans

Q. Does your business have a technology failure crisis-management playbook or other such document that guides how you should respond to such an event?

UK and U.S. businesses are most likely to have cybersecurity incident-response plans

Q. Does your business have a technology failure crisis-management playbook or other such document that guides how you should respond to such an event?

Creating a comprehensive plan requires silos to be broken down between management, technology teams, legal teams, and privacy specialists.

But there is a collaboration gap.

Legal teams are seldom involved in developing cyber incident-response plans

Q. Which of the following teams are involved in the creation of your company’s cyber incident-response plan?

If a major breach happens, key regulators will almost certainly need to be informed and, where possible, privilege should be maintained. So legal teams need to be involved in the response from the start. You may also want the legal team to review communications to customers and the media. This puts you in a much better position if there is a subsequent regulatory investigation or litigation.

“We haven't had a major cyber event, but if one occurs, the cat is out of the bag and you're inevitably going to have a lot of litigation risk at that point,” says the Head of Litigation at a public company. “But by simply having lawyers and litigators looped in immediately you can to an extent mitigate that risk in real time. You may for example be able to keep things under privilege to some extent and will know when to contact the appropriate regulator. Just having our head of privacy, general counsel and myself in the loop right away on a major incident is the best solution to allow us to identify issues.”

Not enough firms are preparing in advance

Collaborating with the legal team also helps with preparation.

For example, you need to ensure that statements about data in disclosures, privacy policies, terms of use and advertising do not become outdated when technology and products change. And in jurisdictions where class actions can be brought, you should also prepare for class actions for data breaches or non-compliance with privacy requirements.

One way to prepare is by simulating a breach – and redoing the exercise whenever working practices change. But not enough businesses are doing this.

Fewer than a third of businesses conducted a cybersecurity response exercise in the past 12 months

Q. When did you last conduct a cybersecurity response simulation exercise?

Most businesses overlook supplier risk

“We’ve worked with many clients that have suffered a breach due to the fault of a vendor. This adds a layer of complexity because there may be a potential second front for the litigation. Depending on the relationship with the vendor, you may want to litigate against them or seek some indemnification.”

Michelle Kisloff | Partner, Hogan Lovells

Despite numerous cases of cyber attacks stemming from suppliers’ vulnerabilities, two-thirds of businesses assess only a small number of their suppliers’ cybersecurity credentials.

Most businesses only assess the minority of their third-party technology suppliers' and vendors' cybersecurity credentials

Q. How many of your third-party technology suppliers' and vendors' cybersecurity credentials do you assess?

Cyber vulnerabilities can come from unlikely places, so you need robust oversight. U.S. retail giant Target experienced a data breach in 2013 that compromised 41 million customer payment card accounts. The breach started with the theft of credentials from its heating, ventilation, and air-conditioning supplier.

“Any supplier who is going to hook into our technology, online ecosystem or payment and HR processes in any way through an API or otherwise is going to have to go through a full data security review. It’s best to err on the side of caution.”

Dominic Perella | Deputy General Counsel and Chief Compliance Officer, Snap

© 2021 Hogan Lovells. All rights reserved. "Hogan Lovells" or the “firm” refers to the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses, each of which is a separate legal entity. Attorney advertising. Prior results do not guarantee a similar outcome.