How in-house counsel can shore up cyber security in a business
Legal teams can boost their organisation’s cyber security position during the procurement and contract management processes, according to a cyber security expert.
Ahead of the Corporate Counsel Summit 2024, founder and principal of Cyber GC Annie Haggar said in-house counsel are well-placed to reduce their organisation’s exposure to cyber attacks by addressing the factors within their sphere of control.
Corporate counsel have multiple roles to play in helping secure their organisations, including becoming involved in security issues during procurement and contract management, and supporting their organisation during a breach and any subsequent litigation, Haggar said.
“Firstly, work closely with your procurement team during the procurement process to ensure that your supply chain is secure and has strong security practices,” she told Lawyers Weekly.
“Understand how the business is dealing with cyber security when buying a product or service and ensure that the proposed vendor has considered cyber security in its solution and legal compliance. Security should form a part of the RFT, the contract, the evaluation process, and help determine overall risk (including pricing) when buying from a vendor.
“If you wait until after the contract is signed, you will struggle to solve any of those problems.”
Haggar also suggested that legal teams include their cyber security requirements in the contract with vendors because most contracts do not address security at the level that is required.
“You need information about your vendors’ security, including their IT systems. Include specific clauses about how they will help you if there is a cyber attack. Detail what action you want the vendor to take and the information you’d need to access in case of a breach,” she underscored.
Using contracts to tighten security
Secondly, in-house lawyers should be involved in contract management on a regular basis to address security breaches as they occur during the life of the contract, according to Haggar.
“If you let small breaches slip, your organisation is likely to be subject to a major breach because the vendor hasn’t paid attention to security,” she warned.
“This means you need to use contractual mechanisms to have ongoing reporting so you can understand and manage those breaches.”
Training for legal and contract management helps enable in-house legal teams to identify security issues and collaborate with the security team when there is a cyber security breach, Haggar said.
Ensure legal privilege applies
In order for legal privilege to apply to incident response reports, the way the report is requested, delivered, and handled must adhere to strict criteria.
Legal teams should collaborate with the company’s executives (including the chief executive, chief information security officer and/or chief information officer) to create and execute an incident response plan that allows for privilege to be established where appropriate.
For example, when Optus experienced a cyber attack in September 2023, it engaged Deloitte to conduct an independent external review of its security systems.
In November 2023, an Optus class action gained access to the forensic investigation report after the Federal Court of Australia rejected Optus’ claim of legal professional privilege.
While the court recognised that factual investigation reports may be protected by legal professional privilege in some cases, it found in this instance that the Deloitte report was not prepared for the dominant purpose of providing legal advice.
“The report didn’t meet a number of important criteria on how it was requested, produced, distributed, and discussed,” Haggar noted.
“The incident response plan and organisational processes when there is a breach must support all of these factors before a breach occurs so that the organisation has the best chance of applying legal privilege to the report for subsequent litigation. This applies from the initial stage when there is a request to produce an incident response report, through to the way the report is received, reviewed, understood, and actioned by the business.”
Be an enabler in an incident response
Finally, Haggar urged in-house and general counsel to enable the government to aid with recovery, while simultaneously protecting the organisation against potential litigation.
To do this, lawyers must participate in incident response training, tabletops and simulations to understand how an incident operates, the types of data that are important to make available to the Australian Signals Directorate (ASD) and other government agencies, and the organisation’s reporting obligations.
Haggar concluded: “The last thing legal teams want to hear from government agencies is that they got in the way of a good incident response for their organisation.
“In-house legal teams can demonstrate their value when they involve themselves in the incident response planning and preparation and do their job to the best of their ability when a breach occurs.”
To hear more from Annie Haggar about how in-house counsel could help their business prepare for ongoing and emerging cyber security threats, come along to the Corporate Counsel Summit.
It will be held on Thursday, 2 May 2024, at The Star, Sydney.