EPISODE 68
Role of General Counsel in Cyber Risk Management


About this episode

December 8, 2020

What’s the role of general counsel in cyber risk management? Kip Boyle, vCISO with Cyber Risk Opportunities, puts Jake Bernstein, JD and Cybersecurity Practice Lead at Focal Law Group, in the guest chair to find out the answers.


Episode Transcript

Kip Boyle: Hi, I'm excited to share that we have a new free bonus just for you.

Jake Bernstein: We've started publishing our very own quarterly Cyber Risk Management Journal. It's loaded with over 30 pages of useful content taken directly from our podcast. Here's how we make each new edition.

Kip Boyle: So we start by transcribing four or five episodes that we've published in the previous three months.

Jake Bernstein: Next, we send our editor and designer the transcripts and our supporting materials for those episodes.

Kip Boyle: Then they revise all the text, they put clickable links in for all the resources and they create the best look and feel for each episode.

Jake Bernstein: And finally we, Kip and I, make sure the finished PDF is ready for you.

Kip Boyle: So download the current edition now. All you have to do is go to b.link/crmj. That's the letter B, dot L-I-N-K, forward slash C-R-M-J.

Jake Bernstein: And if you like it, share it with your friends and encourage them to subscribe to the Cyber Risk Management Podcast. Now, on with the show.

Speaker 3: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Hey, Jake. Well, I thought it would be fun to turn the tables a little bit on our format, put you in the guest chair and ask you about the role of the general counsel in cyber risk management programs.

Jake Bernstein: Oh, that sounds fun. We can definitely do that. I was going to just give a disclaimer, which is that we record this during not just the COVID lockdown, but the incredible smokiness of the Northwest fires.

Kip Boyle: The great smog of 2020.

Jake Bernstein: The great smog of 2020. So I apologize for sounding congested and if I sneeze or cough. We'll do our best to get rid of that, but that is the situation. So with that, I'm excited for this because, generally speaking, you are nice to our guests, so this will be a welcome... Oh, I just got that joke. This would be a welcome change. That's what the script says, but it took me a second. Now I got it. Very funny.

Kip Boyle: Yeah. Well, that'll teach you to agree to do things before you've read them.

Jake Bernstein: Yes, it will. Okay. So what are we talking about?

Kip Boyle: Okay. So yeah, we're going to unpack what is the role of the general counsel with respect to cyber risk management? That's what I want to explore. And I want to give a shout out to Jason Dance who is somebody that I have been talking with on LinkedIn. And he first suggested that this would be a good topic for us. And I agreed. And so here we are, so thanks, Jason.

So I thought we could start by defining the role of general counsel. Because when I was coming up through the ranks over the years, I didn't even know what that role was, when I was working in systems and when I first encountered it, I didn't really know what to make of it. It just didn't look like anything I'd ever seen before. So I thought we could just start by asking you, could you define what that role is? What is that job? Why does it even exist?

Jake Bernstein: General counsel is definitely an older term. Sometimes you'll see people with titles like chief legal officer or vice president of legal. And those are, I think those are potentially different roles, depending on the company. But a general counsel really is a lawyer at the kind of head of an organization's legal department, in-house, oftentimes, although you can have, as we'll talk about, you can have outside general counsel, but their role is to be a generalist. That's where that comes from. And to kind of be able to spot issues, provide day to day legal advice to the business as the general counsel's primary and only client really. And to manage outside legal resources, find experts when necessary and to otherwise just kind of keep a handle on everything related to a company's legal issues.

Kip Boyle: Okay. Got it. And I've heard you talk about, and I've heard other attorneys talk about the idea of going in-house. From a lawyer's perspective, you're either in-house or your outside counsel. Is that a common way to look at it?

Jake Bernstein: Yeah. I mean, in the private sector. You're either in-house counsel or you are at a private firm. Now, I just want to be clear. There's a major distinction between "general counsel" and just in-house counsel in general. In-house counsel just means a lawyer who is inside of a business, is not working for a law firm. Technically, there's a lot of different... a lot comes from that. You don't need to have malpractice insurance. You don't even have to be admitted to practice law, oftentimes, in the state that you happen to be living in, because you're not practicing law in the sense that you would be if you were in a law firm environment.

So it's a little different. General counsel can be in-house, but it doesn't need to be. So the role of general counsel is actually a separate concept from whether you're in-house or you're outside.

Kip Boyle: Ah, okay. There's such a thing these days as a chief information security officer, but you could also have a virtual chief information security officer, which is somebody that you've contracted with to perform those duties. Is that what you're kind of getting at?

Jake Bernstein: Yeah. And I mean, it's very, very common for smaller companies to have outside general counsel. I suppose these days you could call them virtual general counsel, but no one does that just because that's not... outside general counsel is an old term.

Kip Boyle: Yeah. Okay.

Jake Bernstein: The job exists because ultimately, every company past a certain point needs to deal with legal issues on a daily basis. And sometimes they're operational like HR, sometimes they are operational like security and privacy, and then obviously you have litigation and things like that. So most general counsels do not directly engage in litigation. That would be unusual. Usually what they're doing is managing the litigation, both from a cost perspective and by choosing which law firms to use and things like that.

Kip Boyle: Oh, okay. So they're kind of into team building, right? Because they need to delegate, they need to monitor status and progress and that sort of thing. Okay.

Jake Bernstein: Yeah. And think of it this way, the abbreviation for general counsel is GC, which also happens to be an abbreviation for the general contractor.

Kip Boyle: Oh, right.

Jake Bernstein: It's very similar.

Kip Boyle: Okay. All right. So that helps. So now we understand that term general counsel a little bit better. Now, the intersection between whoever's performing the general counsel function and cyber risk management, let's explore that. I think the first thing that I'd like to know is, the chief information security officer role is very, very new and there's very little agreement about what that role actually consists of. I see people commonly assume that the CISO is just somebody who sort of tweaks the firewall, scrubs viruses off of PCs and just a very technical thing, but then I've also seen it cast as a very strategic role. But what about the general counsel role? Has that been around for a long time? Is it fairly well established?

Jake Bernstein: Less so than you might think. Prior to the '80s, the 1980s, general counsel really did a lot of just administrative tasks and most substantive legal work was handled by outside lawyers. Since the 1980s though, the general counsel position has definitely become more of a recognized and prominent position in large companies.

You have to think about the cost of a general counsel compared to kind of a la carte legal services, and not every company needs a general counsel, and not every company can afford one. So I think one thing that's kind of interesting is that the Association of Corporate Counsel was established in 1982. Is that older than the CISO role? Probably, yes. But it's not really comparable to the CEO, which is, or-

Kip Boyle: Or chief financial officer.

Jake Bernstein: Or the chief financial officer. Right.

Kip Boyle: Yeah. Those are much more well established. Okay. Now, one of the reasons why you know quite a bit about general counsel as a role is because you've probably worked with many of them and you've probably taken on the role yourself occasionally in your work, in your career. Is that right?

Jake Bernstein: That is right, yeah. I've worked with general counsel from the time that I was an assistant attorney general at the State of Washington. They would oftentimes be a contact or involved in an investigation. When I went into private practice, I would say that general counsel started off as my client. They were the primary client contact for outside counsel, and so I interacted with many general counsels in that role.
And then more recently as I've kind of transitioned, I'd say, away from litigation and more toward advice and counseling and well, frankly, being outside general counsel, I have taken on that role with more than a few clients. So, yeah. I've kind of seen all the different ways you can approach this role.

Kip Boyle: Okay, great. That's fantastic. So I wanted to spend some time talking about this, in part, because I wanted our audience to be more familiar with the function so that they would feel more comfortable with the idea of collaborating with somebody in the GC role, but also as a prelude to the fact that there are so many issues facing a GC. There's so many different things that they could prioritize as worthy of their time, how they're going to allocate, their, not just their effort, but also what they're going to bring to the CEO, the board of directors, right? So they play a really powerful function in terms of driving the agenda, overall, for regulatory legal and that sort of thing. So that's all a tee up for this question, which is, why should a general counsel prioritize cyber risk management for themselves and for their organization?

Jake Bernstein: First of all, I think that right now there's not going to be a ton of GCs who are understanding cyber risk management, which might mean that they're not prioritizing it. And I think that is a mistake.

It's a mistake because as we've talked about other times on the show, cyber risk has become a general business risk. And that puts it into the... and it's also a legal risk. And because it's a legal risk, it needs to be managed and it needs to be considered by the general counsel, just like the general counsel will consider other regulatory risks, HR, human resources problems, typical litigation, potential for that. But cyber risk is really, I mean, whether people have wanted it or not, cyber risk is a significant legal risk that all general counsels need to be aware of.

And that's because it can affect the... the liability can flow to the executives and the board of directors. We've talked about that before, the good old business judgment rule. And the general counsel's job is to kind of understand and spot those issues and spot the risks. And then if the general counsel isn't able to deal with it on his or her own, then they can just go ahead and hire specialists. And I think the general counsel also needs to become very friendly with the CISO, if there is one-

Kip Boyle: Or whoever's playing that.

Jake Bernstein: Whoever's playing that part, because there's just so much that happens within a company that touches on security and privacy. By the way, if there's a chief privacy officer that also is going to be... And actually, just by way of anecdotally, a lot of the times a company's chief privacy officer is also the GC.

Kip Boyle: Oh, okay. So that's an emergent thing?

Jake Bernstein: That's an emergent thing. Yeah. Sometimes, they definitely can be separate, but in a company of a certain size, there's no reason to separate them at certain times. So, the GC role is really, it's incredibly broad as you might expect. And with cyber risk, cyber risk is also incredibly broad. It is not just, at this point it feels like a broken record, but it's not an IT problem. It's a management opportunity. And it's a team sport and all of our other cliches that we use to describe cyber risk. And if the GC isn't involved or doesn't understand it, then you're not likely to get the clout of the organization's legal department to assist on cyber risk management. And that would be a real loss.

Kip Boyle: And when I perform the function of CISO, one of the first things I try to do is figure out who's general counsel, because it is a team sport, because I recognize how powerful it is to align agendas with whoever's acting as general counsel. And one of the areas that I first attempt to prioritize is third party cyber risk management. I just think that's the most natural opportunity to collaborate. What do you think?

Jake Bernstein: I agree completely. And actually, that's a really good way to intro a general counsel to cyber risk. I think if you try to go in and you start talking about your CASBs.

Kip Boyle: Bits and B.

Jake Bernstein: Yeah. Your bits and bytes, your CASB, your blinking light security, most GCs' eyes are just going to glaze over and they're going to decide, perhaps without completely being wrong, that this is not their problem. But if you go in and you start talking about, hey, we just signed a contract with vendor X and they seem to be this very clever startup. We don't really understand their cyber risk profile, but we just gave them access to all of our customer data. We really need you to review this contract. Now you've just spoken the general counsel's language and they're going to at least take a look at that to figure out, okay, do I need to do more about this? And you can leverage that one experience into, hey GC, we actually really need to stand up an overall vendor risk management program around cyber risk. And that's a great intro.

I have personally been doing that a lot, recently. In fact, I think as time has gone on, I'm finding myself really being the champion of standing up vendor risk management programs, because it is so important and so common for cyber risk to flow through third party vendors.

Kip Boyle: Yeah. And I also think it's natural because the primary tool for cyber risk management with third parties is the contract and the addendums. As a CISO, that's probably not my strong point. I probably would prefer to write a policy or set a standard or actually codify in rules in a system what you can and cannot do. But managing risk through a contract is weird. And I don't necessarily understand contract language. And so it just seems like such a natural fit.

Jake Bernstein: It is. It's a natural fit. And the challenge is that the GC doesn't understand the cyber security language. The CISO doesn't understand the contract language. Automatically you can see that you're headed for... you've got a challenge to overcome on kind of that level, but also the risk posed by the business to itself... Here's a kind of quick anecdote that I think really encompasses or encapsulates this issue.

Recently I was asked a question about a vendor and what the contract should have in it. And according to the business people involved, we are going to send information to them. Well, I come to dig in and ask some questions and it turns out there's probably going to be a bidirectional API connection. So these are some very-

Kip Boyle: That sounds super techy by the way. Congratulations.

Jake Bernstein: Yes, well, that's my secret sauce. But this is the point, right? Which is that the description that somebody gives in the business might be completely accurate in terms of a high level-

Kip Boyle: Conceptual description.

Jake Bernstein: Conceptual, yeah. We're sending them this information so they can do this service for us. But from a cyber risk management perspective, there's a difference between packaging and shipping a data file that is totally one way and has no possibility for interaction, versus the more common method these days, which is letting them hook up via API to one of our systems.

Kip Boyle: Right.

Jake Bernstein: At some point, the CISO, the business person and the GC need to actually get on the same page. And that can be very hard to do.

Kip Boyle: Right. But it's necessary.

Jake Bernstein: It's necessary.

Kip Boyle: These connections are so deep and so profound.

Jake Bernstein: And they're pervasive. And the problem is that connections are being made without anyone really thinking through them.

Kip Boyle: Yeah. There's really not governance. Right? I mean, it's more treated as just a technical chore. Make this system talk to that system. Okay. Boss done. Right?

Jake Bernstein: Yep.

Kip Boyle: I twiddled the keys. I issued an API key. We did a test data exchange and I'm going on to my next thing. That's kind of how technical people look at it. It's completely routine. It's just, they're just turning digital wrenches.

Jake Bernstein: And that's how you get the Target data breach through the HVAC system.

Kip Boyle: Right.

Jake Bernstein: People just connect things up because it seems convenient, and before you know it, oops.

Kip Boyle: Yeah. Okay. Now another thing that I have had a certain amount of success with is, if I'm trying to make the case that cyber is a business risk and not just a technological annoyance, then I've got to be persuasive with senior decision makers, whether they're in the C-suite or in the board of directors, and so the general counsel sort of has the key to those doors and can go in and say, "I declare that this is important. Please pay attention to me. Let me tell you what's going on and then let me tell you what I think we ought to do."

So I have found that it could be very productive to align with the GC and then go to the senior decision makers together. Is there any downside for the general counsel if they join forces with the CISO to do something like this?

Jake Bernstein: I mean, it's an interesting phrase, interesting question. I don't know that there's a downside, other than that a lot of GCs are going to be pushed out of their comfort zones. Which I don't think is a bad thing, so I'm not even sure if I'd call that a downside.

Kip Boyle: Well, it's going to feel awkward and weird, that's for sure.

Jake Bernstein: Will definitely feel awkward and weird. I suppose a potential risk is that if a GC starts to dip their toe into cyber risk, then they're going to get questions about cyber risk that they may not be prepared to personally answer, which is fine. That's not uncommon. That's not a weird position for a general counsel to be in, but I think... honestly, whether there's downside or not, it has to happen. It's not really a question of upside or downside. This is just something that needs to become the new norm. General counsels and CISOs need to be... they don't need to be joined at the hip, but they should not be far apart.

Kip Boyle: Yeah. Okay. Another area where I've had great experience collaborating with attorneys, in-house attorneys, is with the planning and the testing of cyber risk crisis response. And I think this is even more crucial in today's world with things like... Like the GDPR, for example, has a 72 hour notice requirement. And then you've got all kinds of other regulatory requirements to give notice whether you're in the defense industry. They've got one there. State data breach laws, they've got one there. But I wanted to ask you this. Now, do you think that's too operational of a duty to expect most GCs to participate in, this idea of cyber risk crisis response?

Jake Bernstein: I don't think it's too operational to an extent. I think that a GC is going to be involved in, definitely vetting communications and things like that. I do think that the GC's best involvement is to ensure that leadership has taken all of these things seriously, so that there is a crisis management process and incident response plan, but I wouldn't be surprised if a lot of times the GC is going to be not at the forefront of the actual activation of the plan, other than to hire outside counsel pretty quickly if necessary for a breach.

Kip Boyle: Yeah. Well, so that's the natural segue to the next thing that I think is important for the GC to be aware of and to facilitate, which is attorney client privilege. We've had a previous episode where we've talked about the Capital One data breach and the judge's ruling about what has to be disclosed with respect to reporting around the data breach, versus what people had expected would not be disclosed, because they thought it was under ACP. So is there a role for the general counsel in here to affect ACP? And is that something that they can just sort of set up once and just sort of let it roll? Or is it a more actively participating sort of a duty? How do you see this?

Jake Bernstein: This is a hard one, because the role of general counsel has really evolved over the years. And some of this is an issue kind of where we did it to ourselves. What happened is that general counsel, certainly, they're an attorney. They give advice to the client.

Kip Boyle: Legal advice.

Jake Bernstein: Legal advice to a client, so that's attorney client privilege. Problem is that a general counsel, an in-house general counsel in particular, this is more of an issue with in-house counsel than it is general counsel as a role, but with in-house general counsel, there's been a real erosion of the attorney client privilege. Because a lot of general counsels are really mixing business and legal roles.

And you can see that in even the title, as it begins to kind of morph. Vice president of legal or chief legal officer, those are different... I mean, you could say they're the same as general counsel, but they evoke a more business integrated sense than the term general counsel.

Kip Boyle: Ah.

Jake Bernstein: You're never going to have an outside VP of legal or an outside chief legal officer. That doesn't compute, right?

Kip Boyle: Mm-hmm (affirmative).

Jake Bernstein: So, what's happened is that, frankly, people in general have, I don't want to say abused, but they have been overly enthusiastic about trying to rely upon ACP with in-house counsel. And case law has simply eroded it. Because what-

Kip Boyle: So the in-house GC really doesn't have the magic wand or the bag of pixie dust to just sprinkle on stuff and make it protected?

Jake Bernstein: Not to the same extent that outside counsel does. If anyone has, I don't think it's really a magic pixie dust thing, it's fairly well defined.

Kip Boyle: It seems like magic to us non lawyers.

Jake Bernstein: Yeah, it would. I think the issue is that people have this misconception that, oh, if I just CC the general counsel, then this email is magically protected. It is not. That is just not how it works.

Kip Boyle: Well, I can tell you that was told to me several times in the past.

Jake Bernstein: I'm sure. It was. I mean, it was common. Well, here's the problem, and that's why things have changed: for a long time that worked. And then in active litigation, in cases, plaintiffs got sick and tired of hearing ACP, ACP; and then judges got sick and tired of seeing ACP, ACP. So they were like, you know what? If you just CC the general counsel, I'm sorry, that's not legal advice. Particularly if the general counsel doesn't even say anything in the email thread. It's not legal advice. This is all business discussion.

Personally, I think the evolution of attorney client privilege for in-house counsel is principled. It makes sense to me, but it's something to be aware of. An outside general counsel is more likely to be able to kind of use that magic pixie dust, as you said, simply because, when acting in that general counsel role, they're more likely to be giving legal advice.

Kip Boyle: Okay. That makes sense. Okay, cool. Just a couple other things I wanted to ask you. Let's talk about cyber liability insurance policies.

Jake Bernstein: Buy them.

Kip Boyle: Okay. Yeah, absolutely. I mean, we think everybody should have one. And just the other day, for example, there was a customer that I was working with and they're kind of a smaller company and they were concerned about the expense and so forth. Anyway, they went ahead and talked to a broker. They bought a policy and they were pleasantly surprised at the reasonableness of the premium and the support they got. They had a small issue come up downstream from buying that, and they wondered if they should report it because they thought, well, it's not a whole lot of money and it's below our deductible. And they were sort of thinking of it in terms of their own personal automobile policies, how those work.

But it turns out cyber liability policies work very, very differently. And so they went to their broker and said, "Should we report this?" And the broker said, "Yes, absolutely." And all kinds of good stuff came in terms of data forensic support, data breach coach support, so it was a really good experience. But the question I have is, is there a role for the general counsel in the building of a business case that you should buy one of these things, and then selecting the right one?

Jake Bernstein: Probably, I think the general counsel can add some information relating to the legal risk of cyber risk and what cyber insurance can cover. But ultimately, this is kind of more of a CFO type thing. I'd say where the GC can be helpful is to read a policy and attempt to give a high level kind of contractual overview. However, I will say that trying to understand insurance policies is almost a specialization in and of itself. So, a good GC who hasn't worked in the insurance business is likely to say to grab an outside counsel assist on that one.

Kip Boyle: Yeah. Okay. That makes sense. And I tell senior decision makers that I work with that they should ideally consult an independent insurance broker that has experience with cyber liability policies. I think those are probably the best experts to turn to. But I was curious because, after all, I mean, an insurance policy is a contract and I'm watching the standardization of cyber liability policies happen through lawsuits. And so it just occurred to me that there's an awful lot of legal involvement here, so okay. That makes sense.

So let's wrap it up with just one final question. I've kind of pitched some cyber risk management duties to you that might or might not fit in with the scope of general counsel responsibilities. But now let me just give you control. I mean, are there other duties for the GC that you think they should be taking on? Anything I haven't mentioned?

Jake Bernstein: So, I mean, basically, any area that creates legal risk for a company is something that the GC should at least be aware of. And any area that cyber touches on that also creates legal risk is kind of one of those intersections. So physical security, HR, even liaising with law enforcement, all of these are potential legal issues for a company. HR always has been, so that's kind of normal. Obviously HR has cyber risk components to it.

Kip Boyle: Yeah. The big area that I see there is if I need to discipline an employee for a cyber failure, that's going to go through the human resources area of expertise.

Jake Bernstein: Mm-hmm (affirmative). Yes. So really, I mean, again, what really is happening is that the generalist general counsel's role, or need to be even more of a generalist, it's just increasing in scope. 20 years ago, Info Sec really wasn't a significant source of legal risk at all. Arguably that wasn't even the case 10 years ago. Now though, as it becomes a... It's become normalized enough to become a legal risk.

Kip Boyle: Yeah.

Jake Bernstein: And there's lawsuits and new laws about it, it is automatically on board the GC's plate, just like privacy.

Kip Boyle: Yeah. And the legal risk created by not paying attention to-

Jake Bernstein: Correct.

Kip Boyle: privacy regulations. Yeah. That makes a lot of sense. So thematically, we can watch the evolution of cyber risk as a legal issue, privacy as a legal issue, we can watch it evolve, and as it ebbs and flows, we can expect to see greater and lesser amounts of interaction with GC.

Jake Bernstein: That's right. Let's just go totally off the rails for a moment and kind of grab a science fiction example of where things could go for the general counsel. Right now we have all this AI and machine learning stuff. Well, is that really a GC issue? Not right now. It's the technicians, it's the engineers, it's the scientists.

Kip Boyle: We could add facial recognition to that.

Jake Bernstein: We could, yes. But what if we start to create reasonably intelligent artificial intelligences? What if they have to end up getting, not necessarily human rights, but AI rights? Now, suddenly you have taken something that was once nothing but a technical kind of operational issue, and you have tacked on some legal risk to it. Now the general counsel has to learn about that as well.

Kip Boyle: Right. And I threw facial recognition in there because that's not so far in the future. We're-

Jake Bernstein: No, that's now.

Kip Boyle: Yeah. That's now. Where we're using facial recognition, law enforcement is. And so there's questions about its efficacy. Its ability to not falsely accuse. Its ability to be able to discriminate among people with different colored skin. So yeah, that's a present day example. Great. All right. Any last words before we wrap it up?

Jake Bernstein: Let's wrap it up.

Kip Boyle: All right. So that does in fact wrap up this episode of the Cyber Risk Management Podcast. Today, I interviewed my co-host, Jake, about the role of the general counsel in cyber risk management. Thanks for being here everybody. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 3: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.