19/10/2021

Warning from your lawyer: cyber security is also a legal challenge for your company

Reading time: 7 minutes

Anyone who wants to arm his or her company against cyber risks initially thinks of technical security. This is no surprise. Antivirus, firewalls, password managers, encryption software and countless other IT products and services effectively ensure a safer digital environment. Needless to say, they form the basis of any sound cyber security policy.

When we, as lawyers or legal experts, point out to companies that cyber security is also a legal issue in addition to all those technical measures, entrepreneurs are often very surprised. What on earth has a lawyer got to do with the cyber security of your company? That reaction is understandable, but also very unfortunate. After all, strong and specialised legal advice can and should play a key role in your cyber security strategy.

Of course, we have long been convinced of this ourselves, but you can also take it from others, not least the World Economic Forum.

Cyber security requires a 360° approach

The media do not lie. Every day you read about new cyber attacks on companies. Crypto-locker attacks attract the most attention, but in the meantime companies are just as often the victims of plain hacking and data theft. Cybercriminals also notice that their online activities pay off: profits from crime are maximised and the chances of being caught are minimal. External cyberattacks are big business if you compare them to traditional street crime. But we are also increasingly seeing that internal employees in companies are no longer ‘digital natives’ and, in conflict situations, know very well how to exploit their employer’s digital vulnerabilities. In other words, cyber risks are permanently present and often come from unexpected sources.

Precisely because cyber risks lurk around every corner, your cyber security policy will never be completely foolproof. Of course, this does not mean that you can skip the work: you still have to take a close look at every fibre of your business. Technical and organisational solutions are obvious, but on their own they offer only a fragmented solution, not a holistic one. To put it simply: no password manager protects your company against the consequences of a cyberattack.


It is precisely there that good legal cyber security measures can make the difference. With the right legal interventions, you can eliminate, mitigate or transfer the financial and practical consequences of cyber risks. At the very least, you can get a good idea of the potential risks and clearly delineate them. Only then can you maximise control over your cyber risks from a transparent general (360° or “panoptic”) view.

Yet legal work is specialist work and legal cybersecurity work is even more so. A lawyer specialised in cybersecurity and data protection is the right person to be your first partner in cybersecurity and to work with you to achieve maximum cybersecurity in your company. Of course, such a legal expert does more than just read your insurance policy. A true legal cyber expert is in the first place your personal advisor and ally and builds with you a bridge between your management and your internal teams like HR, IT, sales, marketing, etc. and between your company and external partners and authorities.

The cyber security lawyer as a specialised generalist

A cyber security lawyer is not an external auditor. He or she is a consultant and advisor who is in the trenches with you. He or she helps draft and amend your employment contracts and regulations to incorporate stricter data security guidelines, negotiates with ICT suppliers, polishes up all internal security policies, and ensures the best cyber insurance cover for your company. A true specialist does this with extensive experience as a consultant to companies and with specific knowledge and experience in privacy legislation and data protection and in international and national cyber security legislation.

What do we do for our clients at Sirius Legal?


  • Preventive: legal risk management

At Sirius Legal, cybersecurity and by extension data security is a real specialisation. For years, we have been assisting companies and organisations in all (security) aspects of the digital economy, ranging from GDPR compliance and ICT contracts to assistance for web builders and software developers, advice on AI, IoT and other new technologies, and systematic guidance of technology start-ups. To this end, our team combines a rare mix of specialists in data protection, contract and liability law, criminology and criminal law, together with non-legal internal and external experience in consultancy, online marketing, ICT and cyber security.

We take the lead in developing your cyber security programme together with you. This means that, first of all, we assist you with all internal risk assessments that give you an insight into potential threats to your business. We then actively assist you in assessing the identified risks and in drawing up a plan of action to eliminate or minimise these risks.

On the legal side in particular, we examine which compliance obligations need to be worked out and where and how we can limit your liability to your customers, suppliers, authorities and other third parties as much as possible. Here, we play a key role between the management, the operational team and everyone who is externally connected to your company.

As specialists in contract management, we assess and negotiate software & cloud contracts, purchases of hardware, agreements with security providers, service level agreements, NDAs, processor agreements, data export agreements, etc. Of course, we always do this with all the necessary knowledge and from our innate interest in new technological developments. Our role is possibly even more important in mergers and acquisitions. After all, a thorough due diligence with specific attention to the cyber security risks, data protection risks and ICT risks in general of the entity to be acquired is essential. Traditional M&A lawyers often lack the necessary experience in this respect.

Needless to say, we also take a critical look at your insurance contracts and at specific cyber insurance policies. After all, it is important to ensure that your policy does indeed cover your primary risks in your cyber security programme.

However, internally you must also take the necessary measures and set the right course. An adapted and tailor-made policy coupled with the necessary internal training and education for your teams ensures maximum awareness and correct procedures that are respected by everyone. If every member of your organisation knows his or her (legal) responsibilities and is aware of the risks and dangers for the company, it will be much easier for everyone to comply with the internal cyber security programme meticulously. Classically, we think about policies concerning correct e-mail use, correct use of IT assets, internet use, access management, correct use of databases, a password policy, home working policies, etc.

Our preventive guidance invariably starts from the maximum limitation of the (potentially even criminal) liability of your company and its directors under the GDPR, NIS and other relevant cyber security legislation. After all, prevention is still the best defence.


  • Curative: Incident Response Management

However, preventive measures will never provide a bulletproof vest that protects your company one hundred per cent. If you are nevertheless confronted with a cyber incident, it is important to be able to respond correctly and to ensure that you can do maximum damage control. After all, it is at that moment that your company will be exposed to legal risks.

Sirius Legal can assist you in a correct reporting procedure to the various authorities and in the correct communication to clients and suppliers, without compromising your most favourable legal position. On the other hand, with a view to the correct contractual and legal relationships, we can also call your suppliers or other responsible parties to order in good time.

Naturally, we also defend your rights in and out of court. Our team has decades of experience in court proceedings and in all forms of alternative dispute resolution. If necessary, we will stand by you.

Finally, it is important to have an eye for an immediate and efficient IT forensic investigation, to ensure that no evidence disappears. This is essential to allow the judicial services to successfully carry out their investigation and/or to compile a well-founded file that can then be used to bring the respective responsible parties to justice. Knowledge of evidentiary and procedural law is therefore essential in such an investigation.

A cyber security lawyer, the sooner the better

Cyber risks are here to stay and a good cyber security policy in your company is desperately needed. Not only because new legislation is constantly being introduced, especially in Europe, but also because cyber security is increasingly becoming a sales argument and a part of your corporate identity and brand image. Security sells, for your company too.

Arm yourself for the future by tackling cyber security in all its aspects. Solid legal advice is essential and our specialised team can certainly assist you with this. Looking for more information or wanting to discuss this without obligation? Feel free to contact Roeland at roeland@siriuslegal.be, or book a free introductory meeting on the side of this page.

About the author

Roeland Lembrechts

I studied criminology at KU Leuven, before I went on to study law at the University of Antwerp. With this combined background, I started my ...