The State of Cybersecurity Report
LEARN ABOUT the best practices, organizational roles, and experiences of in-house counsel in more than 800 organizations.
FIND OUT HOW top in-house lawyers mitigate the threat of breaches and safeguard their data.
DISCOVER INSIGHT from over 1,000 in-house lawyers in 30 countries.
ACC Foundation: The State of Cybersecurity Report
An in-house perspective
©2016 ACC Foundation. All rights reserved. For more information, go to www.acc-foundation.com. May not be distributed without expressed permission from ACC Foundation.
ACC FOUNDATION: STATE OF CYBERSECURITY REPORT IN-HOUSE COUNSEL PERSPECTIVES
Published by the ACC Foundation.
The ACC Foundation wishes to acknowledge with gratitude the contributions of Ballard Spahr LLP for its underwriting support of the State of Cybersecurity Report.
The ACC Foundation also wishes to recognize the following members of the cybersecurity project advisory group for their contributions to the development of the State of Cybersecurity Report:
Phil N. Yanella, Ballard Spahr LLP
Kim Phan, Ballard Spahr LLP
Edward J. Willey III, Dallas, TX
Kerry L. Childe, Richfield, MN
Neal Dittersdorf, Intersections Inc.
Jandria S. Alexander, The Aerospace Corporation
Ballard Spahr LLP: Atlanta | Baltimore | Bethesda | Delaware | Denver | Las Vegas | Los Angeles | New Jersey | New York | Philadelphia | Phoenix | Salt Lake City | San Diego | Washington, DC | www.ballardspahr.com
Protecting What Matters
Companies process more information about their customers than ever before. And the consequences if that information is lost or inadvertently disclosed can be catastrophic. Our cross-disciplinary team of attorneys helps clients around the world mitigate risk, respond in the event of a crisis, and recover.
• Information Risk Management
• Asset Inventories
• Employee Training
• Transactions/Vendor Management
• Privacy and Consumer Marketing Compliance
• Data Incident Response Plans
• Network Intrusion/Data Breach Response
• Litigation
• Investigations
• Plan Assessment
ACC Foundation: The State of Cybersecurity Report, underwritten by Ballard Spahr LLP. ©2016 ACC Foundation, All rights reserved.
TABLE OF CONTENTS
Introduction 3
Key Findings 5
Project Overview & Interpreting the Data 9
Executive Summary (full report only) 11
Industry Trends (full report only) 30
Overall Results (full report only) 38
  Top concerns related to cybersecurity 39
  Experienced a data breach 41
  Year of breach 43
  How did you find out about the breach? 45
  Comments from experienced in-house counsel: What you wish you'd known before breach? 47
  In-house counsel responsibilities regarding cybersecurity 49
  Types of data security specialists employed by company 51
  Location of cybersecurity central operations in company 53
  Frequency company conducts cybersecurity audits 55
  Entity conducted most recent cybersecurity audit 57
  Audit of legal service providers for cybersecurity risk 59
  Cybersecurity standards used in company 61
  Cybersecurity policies in company 63
  Legal department's role on data breach response team 65
  Cyber insurance 67
  Amount of cybersecurity insurance coverage 69
  Confidence in cybersecurity insurance coverage 71
  Determining the amount of coverage needed 73
  Expectations for changes in cyber insurance coverage over next year 74
  Employee training 76
  Evaluating preparedness at employee level 78
  Retention of forensic company 80
  Retention of outside counsel 82
  Frequency legal department briefs board of directors on cybersecurity 84
  Preference regarding cybersecurity role and responsibilities 86
  Expectations of legal department's cybersecurity role over the next year 88
  Confidence third parties are protecting company from cybersecurity risk 90
  Confidence outside law firms are appropriately managing data security 92
  Third party notification requirements (cybersecurity risks/breaches) 94
  Termination of contractual relationship due to cybersecurity risks 96
  Termination of pending merger/acquisition due to cybersecurity risks 98
  Cybersecurity budget allocation trends 100
  Law department spend changes related to cybersecurity 102
  Allocation of increase in law department spend on cybersecurity 104
  Law department budget dedicated to cybersecurity 106
  First executive officer to be notified when breach discovered 108
  From whom do you expect to be notified of a data breach? 111
  Company primary point of contact during a breach 114
  Company collaborates with law enforcement/other government agencies to address cybersecurity risks? 117
  How was the system breached? 119
  Type of information compromised during a breach 121
  Role of encryption on breach incidence 123
  Public notice 125
  Regulatory/governmental notification 126
  Comments from experienced in-house counsel: Challenges faced in preserving lawyer-client privilege after a data breach and how to navigate them 128
  Number affected by the breach 129
  Length of time to resolve breach 131
  Comments from experienced in-house counsel: Resource most helpful in managing breach response 133
  Degree of change made to company policies post-breach 134
  Comments from experienced in-house counsel: Lessons learned and changes made following breach 136
  Insurance coverage of breach damages 138
  Best practices: Comments from experienced in-house counsel on best practices to manage cybersecurity risk and/or a breach 140
Demographic Profile 144
Glossary of Key Terms 148
INTRODUCTION
The State of Cybersecurity Report is a special study published by the Association of Corporate Counsel (ACC) Foundation. The ACC Foundation, a 501(c)(3) nonprofit organization, supports the efforts of the Association of Corporate Counsel, serving the needs of the more than 40,000 corporate lawyers employed by over 10,000 organizations in 85 countries. Through the dissemination of cutting-edge research and surveys, the ACC Foundation developed an unprecedented study of the state of cybersecurity in the corporate sector. Considering the increasingly active role general counsel play in cybersecurity strategy, risk assessment, and prevention, this report provides insight from more than 1,000 corporate lawyers. The largest study of its kind, the report aims to serve as a resource for corporations, lawyers, boards of directors, and members of the public affected by one of the greatest challenges organizations face today: cybersecurity.

In an environment where data breaches are largely inevitable, assiduous preparation is key. Threats to an organization's information security are as varied as they are dangerous. Preventing, preparing for, and responding to data breaches in real time is a chief concern for today's general counsel (GC) and chief legal officers (CLOs), who are increasingly called on to guide their organizations and help thwart such attacks. Knowing common practices, what works, and what your peers are doing is key to benchmarking and planning to protect your company from risk. Straddling business, IT, and legal, today's GC/CLOs are uniquely positioned to engage the multiple stakeholders that a robust data protection regime requires. Executing incident response plans, protecting privilege, and meeting the compliance and notification requirements that arise from a breach are just some of the functions legal is charged with managing when data is compromised or lost. And with one in four CLOs/GC reporting a breach in the last two years,1 the damage and repercussions of major cybersecurity incidents will heighten the legal department's role in strategic planning and risk management as well as in responding to cybersecurity-related incidents.

Consumer exposure and privacy concerns have begun to weigh on government agencies and regulators as well. The Court of Justice of the European Union struck down the longstanding Safe Harbor agreement, which had enabled American companies working in the European Union to transfer personal data across the Atlantic with little friction. Various data protection bills are working their way through the US Congress, including the Cybersecurity Information Sharing Act recently passed by the Senate. And at a time of tension between the world's largest economies over cybersecurity in general, the United States and China held a cybersecurity summit in September 2015, pledging to ease off the burgeoning Internet arms race. Dealing with the dual challenges of breach preparedness and compliance with cybersecurity laws is not trivial; it is no wonder that data security is one of the leading issues that keep in-house counsel up at night.

1 ACC 2015 CLO Survey, executive summary, page 3. www.acc.com/legalresources/resource.cfm?show=1389460
50% of GC/CLOs want to increase their role and responsibilities when it comes to cybersecurity
The 2015 ACC Global Census of more than 5,000 in-house counsel in 73 countries found that in-house counsel considered cybersecurity one of the greatest challenges in complying with laws inside their jurisdiction, just behind privacy concerns, which ranked number one among all concerns.2 In short, data security is top of mind for in-house counsel. And rightly so: data theft is a growing risk. No single metric can capture the immense cost of data breaches, but by any measure they represent a large and growing threat to virtually any company doing business today. The Center for Strategic and International Studies estimates that "the likely annual cost to the global economy from cybercrime is more than US $400 billion."3

The cost of an individual breach is rising as well. The Ponemon Institute, in its 2015 Cost of Data Breach Study: Global Analysis, found that the average consolidated total cost of a data breach has risen 23 percent since 2013, to US $3.8 million, and that the average cost per stolen record has risen too.4 Costs per stolen record have risen because of the mounting financial consequences of losing customers after a security incident, likely driven by high-profile news reports and consumers' increasing concern over the vulnerability of their data. Expenditures related to class-action lawsuits, compliance, damages, crisis management, and the forensic work that malicious breaches require have also contributed to the rising cost per compromised record.

No form of data is safe. Cybercriminals have come to value data that might otherwise seem difficult to monetize, such as personally identifiable information (PII), because it can be sold to third parties who specialize in exploiting such records. Data thieves now prize data useful for long-term, insidious identity theft schemes over the "smash and grab" credit-card plots of yesteryear. Once their information is compromised, it can take individuals years to recover and secure it, or even to notice that it has been stolen in the first place. Safeguarding PII is therefore a vital practice in maintaining the trust of the general public and regulators.

As more and more business data moves into cloud storage, attackers have an ever-expanding trove of enterprise data to plunder. The theft of intellectual property has especially pernicious effects for industries that depend on intellectual property (IP) protection: it disproportionately affects market leaders that invest in research and development, and it discourages innovation. Corporations must now contend with increasingly sophisticated and well-resourced actors, some targeting IP-rich organizations for strategic purposes and others working for competitors seeking to close the gap in proprietary manufacturing processes.

In keeping with the ACC Foundation's goal of producing the most comprehensive reports of their kind, and capturing as large a segment of the in-house counsel population as possible, we surveyed mainly GC and CLOs,5 hailing from 887 organizations in 30 countries, to chronicle information about cyber-related events that is not normally available to the public. The State of Cybersecurity Report therefore captures the thoughts of a record number of in-house counsel. The survey also reveals best practices for preparation, crisis management, and breach response. Read on to find out what worked and what did not, why breaches happen, how to prepare, and how to react.

2 2015 ACC Global Census, page 8. www.acc.com/legalresources/resource.cfm?show=1411926
3 Net Losses: Estimating the Global Cost of Cybercrime, June 2014. Center for Strategic and International Studies.
4 2015 Cost of Data Breach Study: Global Analysis. IBM and Ponemon Institute. https://securityintelligence.com/cost-of-a-data-breach-2015/
5 GC and CLOs constituted 77 percent of the total set of respondents, for a total of 776 GC/CLOs.
KEY FINDINGS
Employee error is the number-one cited cause of breaches
Employee error is the most common reason for a breach. And while nearly half of all in-house counsel say that mandatory training exists, few have a policy of testing knowledge or tracking attendance at these trainings. Lawyers in Canada are least likely to say their company has mandatory employee training (29 percent), compared with those in the US, where the highest percentage report so (48 percent). Overall, 17 percent of in-house counsel say the data accessed during a breach was encrypted.
Thirty-six percent of respondents whose most recent audit was conducted by an outside auditor reported employee error as the cause of a system breach, compared with 26 percent of those whose audit was conducted by internal staff.
Reputation: the top concern worldwide when it comes to cybersecurity
Top concerns cited by in-house counsel include damage to reputation, loss of proprietary information, and economic damage. In the Europe, Middle East and Africa (EMEA) and Asia Pacific regions, government and regulatory action made the top three most cited primary concerns.
Data breaches are a reality for many
Nearly one in three in-house counsel have experienced a data breach at their current or former company. Nineteen percent say their current company has experienced a data breach, while 10 percent say a former employer did. Nearly half (47 percent) have recent experience, reporting that the breach took place in 2014 or 2015. Forty-five percent of in-house counsel in companies with 5,000 or more employees say they work or have worked at a company that experienced such a breach.
Company and legal department budgets are growing when it comes to cybersecurity
Despite an overall trend toward insourcing, cybersecurity spend seems to be the exception for most law departments. Fifty-six percent of GC and CLOs say their company is allocating more money to cybersecurity than one year ago, and 23 percent say their legal department's spend has increased as a result of the company's focus on cybersecurity. Among GC/CLOs who report an increase in departmental spend, 53 percent say this is mainly outside spend, and 24 percent report spend as equally split between inside and outside. Notably, just 8 percent of GC/CLOs have a portion of their departmental budget explicitly dedicated to cybersecurity-related issues, despite the growing role of the legal department.
The expanding role of legal in the cyber arena
Fifty percent of all GC and CLOs want to increase their role and responsibilities when it comes to cybersecurity. Though oversight of cyber risk continues to sit firmly in the IT department, the legal role is also expanding, with 57 percent of GC and CLOs expecting their department's role to increase in the coming year.
Cybersecurity insurance is becoming more common, and the amount of coverage is rising
Half of all GC and CLOs surveyed say their company has cybersecurity insurance, and among companies that have it, 68 percent have coverage valued at US $1 million or more. One in four expect their company to increase coverage in the coming year, while 58 percent expect it to remain the same. Barely 1 percent expect a decrease in coverage amounts. Among those who have experienced a breach, just 19 percent say the insurance policy fully covered the related damages.
Managing outside risk plays a significant role in preparing and preventing
Only 61 percent of GC/CLOs confirm that third parties are required to notify them should a breach occur, so for many companies both the dependence on outside parties and the risk they introduce are high. Just one in four report that their company has retained a forensic company, and one in three have retained outside counsel, to help should a cybersecurity event occur. This leaves companies searching for outside support in many instances after data has been compromised. And just 7 percent of all in-house counsel surveyed are very confident that their third-party vendors and affiliates are protecting the company from cybersecurity risks. Twenty-two percent are very confident their outside service providers are managing the security of client data.
Industry trends
The healthcare industry continues to see the highest percentage of in-house counsel reporting they have experienced a data breach. Over half in the healthcare and social assistance industry say they have experienced a breach at their current or former employer, compared with 31 percent of corporate counsel on average across all industries. In-house lawyers in the healthcare industry (75 percent) are most likely to report that their company has cybersecurity insurance. In-house counsel in the healthcare industry are also most likely to say their vendors and third-party agents are required to notify them of a breach (88 percent). Corporate lawyers in the retail industry have the highest percentage reporting that they proactively collaborate with law enforcement or other government agencies to address cybersecurity risks (45 percent).
Waiting to change until after the breach can be costly
We are observing a dramatic increase in budget allocation toward cybersecurity issues across companies and legal departments. A major reason may be the lack of prevention strategies in place before a breach. Among those who have experienced a data breach, 74 percent say their company is making at least some changes to its security policies as a result of the breach, and 58 percent report making moderate to significant changes.
Benchmarking the state of cybersecurity
Key variables in prevention, preparedness, and response cross organizational boundaries and functional areas. However, several items related to the legal department, both directly and indirectly, are excellent benchmarks for evaluating preparedness. The checklist in this section provides a summary of these items. Inside the report, benchmarks from more than 800 organizations can be found alongside this checklist for comparison purposes. These items are commonly recommended as foundational best practices for preventing or preparing for a data breach. While few organizations have all of the items listed, it is useful to compare your own practices against them and take steps to plan for data security.
DATA BREACHES BY INDUSTRY*
Healthcare/Social Assistance: 56%
Insurance: 36%
Manufacturing: 33%
Retail Trade: 32%
IT/Software/Internet-Related Services: 31%
*Industries with highest percentage shown
“I wish we had done a better job at educating employees on cybersecurity issues, how to recognize and what to do and to become more informed on various ways that data breaches occur and proactive ways that could eliminate or reduce exposure.”
Sample cybersecurity checklist with benchmarks. See full report for complete benchmarking checklist.
Cybersecurity Checklist
Organizational Prevention and Preparedness
66% Organization conducts a cybersecurity audit of the entire organization at least annually
60% A member of the legal department is on the company's data breach response team
55% Organization has cybersecurity insurance
44% Organization has mandatory training on cybersecurity for all employees
34% Organization tests employee preparedness/knowledge of cybersafety practices/data policies at least annually
32% Organization has retained outside counsel to assist should a breach occur
27% Company collaborates proactively with law enforcement or other governmental agencies to address cybersecurity risks
24% Organization retains a forensic company to assist should a breach occur
Organizational Policies
80% Password policy
73% Social media policy
71% Document retention policy
66% Website privacy policy
66% Employee manual acceptance policy
63% Internet privacy policy
55% Identity and access management
41% BYOD policy
17% Data map
Organizational Staffing
46% Chief Information Officer (CIO)
24% Privacy/Security Manager
18% Chief Information Security Officer (CISO)
14% Chief Risk Officer (CRO)
13% Chief Privacy Officer (CPO)
11% Chief Security Officer (CSO)
Organizational Preparedness Evaluation
41% Conduct cybersecurity audit of entire organization at least annually
34% Use a standard (e.g., SSAE, NIST, ISO) to prepare for, manage, and reduce cybersecurity risk
33% Track mandatory training requirement and attendance for all employees
20% Test employees' knowledge of mandatory training
17% Conduct mock security event
11% Conduct tabletop exercises
8% Review disciplinary actions for violations
Cybersecurity Checklist Self-Assessment Tool
Organizational Prevention and Preparedness
[ ] Organization conducts a cybersecurity audit of the entire organization at least annually
[ ] A member of the legal department is on the company's data breach response team
[ ] Organization has cybersecurity insurance
[ ] Organization has mandatory training on cybersecurity for all employees
[ ] Organization tests employee preparedness/knowledge of cybersafety practices/data policies at least annually
[ ] Organization has retained outside counsel to assist should a breach occur
[ ] Company collaborates proactively with law enforcement or other governmental agencies to address cybersecurity risks
[ ] Organization retains a forensic company to assist should a breach occur
Organizational Policies
[ ] Password policy
[ ] Social media policy
[ ] Document retention policy
[ ] Website privacy policy
[ ] Employee manual acceptance policy
[ ] Internet privacy policy
[ ] Identity and access management
[ ] BYOD policy
[ ] Data map
Organizational Staffing
[ ] Chief Information Officer (CIO)
[ ] Privacy/Security Manager
[ ] Chief Information Security Officer (CISO)
[ ] Chief Risk Officer (CRO)
[ ] Chief Privacy Officer (CPO)
[ ] Chief Security Officer (CSO)
Organizational Preparedness Evaluation
[ ] Conduct cybersecurity audit of entire organization at least annually
[ ] Use a standard (e.g., SSAE, NIST, ISO) to prepare for, manage, and reduce cybersecurity risk
[ ] Track mandatory training requirement and attendance for all employees
[ ] Test employees' knowledge of mandatory training
[ ] Conduct mock security event
[ ] Conduct tabletop exercises
[ ] Review disciplinary actions for violations
PROJECT OVERVIEW & INTERPRETING THE DATA
Project Overview
This survey opened on August 31, 2015, and closed October 10, 2015. An email invitation to participate was delivered to 15,176 chief legal officers, general counsel, and assistant general counsel. Those holding the title of group general counsel and head of legal are included in the GC/CLO sample. The population includes members of ACC and nonmembers. A total of 1,015 responses were received: 760 from ACC members and 255 from nonmembers, an overall response rate of 7 percent. Seventy-seven percent of respondents identified as GC/CLO, and 14 percent as assistant general counsel. The remainder hold other titles not included in the GC/CLO group; those not in the GC/CLO or AGC role may have been invited to complete the survey by their GC, CLO, or AGC on behalf of their organization. Participants represent 887 unique organizations, as determined by email address and/or pre-identified employer.
Interpreting the Data
The full report contains an introduction, key findings, executive report, and overall results. Although many pertinent topics are covered in the key findings, other thought-provoking findings appear in the overall survey results. The overall results touch on all survey questions, and responses from all respondents are stratified by a number of relevant segments: region/country; industry; company revenue; number of employees in the company; department size; GC/CLOs versus those with other titles; whether the respondent has ever worked where a cybersecurity breach occurred; and whether the company is domestic only or global. Analyzing responses in this way reduces the influence of overrepresented audience segments. Cross-tabulations were conducted to assess the influence of these segments of the survey population, and t-tests were used where appropriate to determine whether differences between groups or between time points were statistically significant at the .05 α level.
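The paragraph above says that differences between respondent segments were tested at the .05 level but shows none of the arithmetic. The following Python is an added example, not code from the ACC Foundation or the report, showing how to check whether a gap between two reported percentages clears that threshold. It uses a pooled two-proportion z-test, the standard test for a difference between two percentages (an assumption: the report says t-tests; on yes/no answers the two procedures give essentially the same verdict). It works two gaps quoted in the Executive Summary. The group sizes are assumptions derived from the report's own figures (31 percent and 62 percent of 1,015 respondents), since the report does not print them, and the function and constant names are mine.

```python
"""Two-proportion significance check for survey cross-tabulations.

Added example, not part of the ACC Foundation report. Group sizes below are
assumptions derived from the report's headline figures (31% / 62% of 1,015
respondents); the report itself does not print the per-segment counts.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One respondent segment: how many answered, how many said 'yes'."""
    name: str
    n: int
    successes: int

    @property
    def proportion(self) -> float:
        return self.successes / self.n


def two_proportion_z(a: Segment, b: Segment) -> tuple[float, float]:
    """Return (z, two-sided p-value) for H0: proportion(a) == proportion(b).

    Pooled standard error, as in the classic two-proportion z-test.
    """
    pooled = (a.successes + b.successes) / (a.n + b.n)
    se = math.sqrt(pooled * (1 - pooled) * (1 / a.n + 1 / b.n))
    z = (a.proportion - b.proportion) / se
    # Two-sided tail probability of the standard normal, via erfc.
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return z, p_value


def is_significant(a: Segment, b: Segment, alpha: float = 0.05) -> bool:
    """True when the difference clears the report's .05 threshold."""
    _, p = two_proportion_z(a, b)
    return p < alpha


def segment_from_percent(name: str, n: int, percent: float) -> Segment:
    """Build a segment from a reported percentage (rounded to whole people)."""
    return Segment(name, n, round(n * percent / 100))


# Assumed group sizes: 31% of respondents have breach experience, 62% do not.
TOTAL_RESPONDENTS = 1015
N_BREACHED = round(TOTAL_RESPONDENTS * 0.31)      # 315
N_NOT_BREACHED = round(TOTAL_RESPONDENTS * 0.62)  # 629


def _gap(label: str, pct_breached: float, pct_not: float) -> dict:
    """Compare one percentage reported for each segment and summarise."""
    a = segment_from_percent("worked where breach occurred", N_BREACHED, pct_breached)
    b = segment_from_percent("no breach experience", N_NOT_BREACHED, pct_not)
    z, p = two_proportion_z(a, b)
    return {
        "question": label,
        "n_breached": a.n,
        "n_not_breached": b.n,
        "difference": a.proportion - b.proportion,
        "z": z,
        "p_value": p,
        "significant_at_05": is_significant(a, b),
    }


def reputation_gap() -> dict:
    """36% vs 29% rank damage to reputation as the top concern."""
    return _gap("reputation is top concern", 36, 29)


def role_expansion_gap() -> dict:
    """49% vs 54% want to expand their cybersecurity role."""
    return _gap("wants to expand role", 49, 54)


if __name__ == "__main__":
    for result in (reputation_gap(), role_expansion_gap()):
        print(result)
```

Under these assumed group sizes the first gap (36 percent versus 29 percent ranking reputational damage first) clears .05 with z of about 2.2, while the second (49 percent versus 54 percent wanting to expand their role) does not, which is consistent with the report presenting the first as a finding and describing the second only as "somewhat related". Group size matters as much as the size of the gap: the same 36 versus 29 split measured on two groups of 100 respondents would not be significant.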
EXECUTIVE SUMMARY
The present: Data breaches are a reality
Thirty-one percent of in-house counsel say that they have experienced a data breach either at a former employer or at their current company. Employee error is cited as the most common manner in which a breach occurred, followed by inside jobs, phishing, and access through a third party.
Overall, nearly one in three in-house lawyers report they have worked or currently work in a company that has experienced a data breach. The healthcare industry continues to see the highest percentages reporting data breaches. Over half of the in-house counsel surveyed in the healthcare and social assistance industry report having experienced a data breach (56 percent) followed by 36 percent of lawyers in the insurance industry.
EXPERIENCED A DATA BREACH IN CURRENT OR FORMER COMPANY
Not experienced breach: 62%
Work/worked where breach occurred: 31%
Don't know: 7%
HOW WAS THE SYSTEM BREACHED? (n=252)
Employee error: 24%
Inside job: 15%
Phishing: 12%
Malware: 12%
Lost laptop/device: 9%
Application vulnerability: 7%
Access through a third party: 7%
Ransomware (CryptoLocker): 1%
Operating system vulnerability: <1%
DATA BREACHES BY INDUSTRY*
Healthcare/social assistance: 56%
Insurance: 36%
Manufacturing: 33%
Retail trade: 32%
IT/software/Internet-related services: 31%
*Industries with highest percentage shown
Risk exposure, management, and mitigation
Though the main cause of a data breach is employee error, many companies are addressing it by raising employee awareness through mandatory training only. There is little follow-up to confirm that employees both attend the training and understand what they have learned.
Regionally there is some variation in the origin of a breach that may influence how companies manage, or should manage, risk at the organizational level. For example, the most commonly reported cause in the US was employee error (25 percent of respondents), followed by inside job (14 percent) and phishing (13 percent). Within the EMEA region employee error is also the main cause of a data breach (25 percent), followed by malware (17 percent) and access through a third party (17 percent).
Lawyers in the Asia Pacific region have the highest percentage reporting they have weathered a data breach at their current company (23 percent), followed by the United States (20 percent). Ten percent in the US report experiencing a data breach at a former employer, followed by 9 percent of respondents in the Asia Pacific region. In-house counsel in the EMEA region are most likely to say they have never experienced a data breach.
CAUSE OF BREACH BY REGION (US, EMEA, Canada, Asia Pacific)
[Chart: grouped bars for employee error, inside job, phishing, access through a third party, lost laptop/device, application vulnerability, and malware, by region. The per-region values confirmed in the text are US: employee error 25%, inside job 14%, phishing 13%; EMEA: employee error 25%, malware 17%, access through a third party 17%. The remaining values could not be recovered from this extraction.]
CLOs, GC, and other in-house counsel are concerned with various aspects of data security and are increasingly focused on expanding their role in defending their organizations against a breach. Given the growing number of both customer-facing and business-to-business (B2B) companies suffering breaches of protected data and IP, it is no surprise that the legal department is becoming a prominent player in prevention, preparedness, and response to a cyberattack or data breach. This is reflected in the most immediate concerns of in-house counsel affected by a data breach: damage to reputation or brand far outpaces other issues as the top concern.
Lawyers who have worked in companies that experienced data breaches did not rank the top two concerns any differently. However, a higher percentage of lawyers with breach experience rank damage to reputation as their top concern (36 percent) than those who have not experienced a data breach (29 percent).
Damage to reputation/brand is the top concern among in-house counsel in all four regions examined, followed by loss of proprietary information, economic damage, and government/regulatory action. Shareholder activity ranks lowest among the listed concerns in all regions. Government and regulatory action is a high-ranking concern for in-house counsel in the EMEA and Asia Pacific regions, perhaps a result of strict privacy and data security laws there.
RANKING OF MOST IMMEDIATE CONCERNS RELATED TO DATA BREACH
1. Damage to reputation/brand
2. Loss of proprietary information
3. Economic damage
4. Government/regulatory action
5. Business continuity
6. Litigation
7. Board (board of directors) concerns
8. Executive liability
9. Preservation of lawyer-client privilege
10. Media coverage
11. Shareholder activity

MOST IMMEDIATE CONCERN RELATED TO DATA BREACH BY REGION (top three)
US: 1. Damage to reputation/brand; 2. Loss of proprietary information; 3. Economic damage
EMEA: 1. Damage to reputation/brand; 2. Loss of proprietary information; 3. Government/regulatory action
Canada: 1. Damage to reputation/brand; 2. Loss of proprietary information; 3. Economic damage
Asia Pacific: 1. Damage to reputation/brand; 2. Loss of proprietary information; 3. Government/regulatory action
Common approaches to cybersecurityThere is a wide disparity in how companies approach prevention and preparedness regarding cybersecurity. Four in ten GC/CLOs report that their company audits their organization’s current cyber risk at least annually, but less than half retain outside counsel in the event of a breach. While employing certified security experts such as the chief information security officer is becoming more common, few have hired such experts in addition to the CIO. Less than half of GC/CLOs report their organization employs a CIO.The majority have policies (such as social media policies) to protect the company from malicious attacks triggered by employee error, yet few actually track mandatory training or test the knowledge of employees on the policies and regulations in place to help them identify and prevent lower threshold attacks (such as phishing) that are commonly used to execute a data breach.
CLOs and GC play a significant role, want to expand it
Over half of the CLOs and GC surveyed as part of this study have an organizational role when it comes to cybersecurity, with the remainder occupying a departmental role. One-third of GC/CLOs (35 percent) are in a leadership role at the organizational level, and 36 percent hold a departmental leadership role. Those in the professional, scientific, or technical services industry are more likely to be in an organizational leadership role (45 percent) than in-house counsel in other industries such as finance and banking (35 percent), manufacturing (21 percent), or healthcare (36 percent). In-house counsel holding titles other than GC/CLO are most likely to hold departmental roles, with 35 percent reporting a leadership role in the department.
Over half of all in-house counsel want to broaden their role in cybersecurity
Fifty-nine percent of GC, CLOs, and all other lawyers surveyed expect their law department’s role in cybersecurity to increase in 2016. This aligns with the desire of most in-house lawyers to maintain or expand their current responsibilities when it comes to cybersecurity. Just over half (52 percent) prefer to increase their role and responsibilities, and 44 percent want to maintain their current involvement. Just 4 percent prefer to decrease their involvement.
These expectations do not vary among those who have and have not experienced a data breach. Among those who experienced a data breach in the past two years, 49 percent say they want to maintain their current level of responsibility. Forty-five percent of respondents say they would prefer to expand their role, while only 6 percent say they would prefer to decrease their role.
Those in larger departments and those in the Asia Pacific region are slightly more likely to anticipate their department’s role in cybersecurity increasing over the coming year. And the preferences of in-house counsel who have experienced a breach appear to be somewhat related to views on their level of responsibility, with a smaller percentage of in-house lawyers who have worked/are working in a company that suffered a breach wanting to expand their role (49 percent) than those who had not experienced a breach (54 percent).
PREFERENCE FOR CHANGE IN LEVEL OF INVOLVEMENT IN CYBERSECURITY AMONG THOSE WHO EXPERIENCED A BREACH IN PAST TWO YEARS
Maintain current role and responsibilities 49%
Increase role and responsibilities 45%
Decrease role and responsibilities 6%
HOW WOULD YOU CHARACTERIZE YOUR RESPONSIBILITIES REGARDING CYBERSECURITY IN YOUR COMPANY?
Response: CLO/GC, Other Title
I am in a leadership role in the legal department 36% 35%
I am in a leadership role at the organization level 35% 11%
I am part of a team in the organization that has been designated with cybersecurity responsibilities 21% 27%
I am in a support role in the legal department 3% 16%
“Outsource all handling of secured data to the extent practicable to vendors that meet high security standards, then invest heavily in protecting the remaining functions. Set up multiple means for detecting potential vulnerabilities and actual intrusion efforts. Train, train, train.”
HOW WOULD YOU CHARACTERIZE YOUR RESPONSIBILITIES REGARDING CYBERSECURITY IN YOUR COMPANY?
[Figure: responses by number in law department (1 employee; 2 to 9 employees; 10 to 24 employees; 25 to 49 employees; 50 or more employees). Series: I am in a leadership role at the organization level; I am part of a team in the organization that has been designated with cybersecurity responsibilities; I am in a leadership role in the legal department; I am in a support role in the legal department.]
EXPANSION OF IN-HOUSE COUNSEL’S ROLE IN CYBERSECURITY
Columns: All Responses; CLO/GC vs Others (CLO/GC, Other); Experienced a breach (Yes, No); Region (US, Canada, EMEA, Asia Pacific)
Percentage who expect the legal department’s role in cybersecurity to increase next year (n=868): 59% 57% 65% 59% 58% 58% 58% 58% 63%
Percentage who would prefer to expand their current level of involvement in cybersecurity (n=846): 52% 50% 57% 49% 54% 52% 48% 51% 53%
Half of all GC and CLOs are on the data breach response team
A data breach response plan and a team ready to respond are vital in mitigating the risk of a cyberattack. Companies that maintain a data breach response team do tend to feature top legal officers in such teams, as roughly half of GC and CLOs are a member of their company’s data breach response team (49 percent). Fewer in-house counsel not in a GC/CLO role are a part of such teams (29 percent).
A greater proportion of GC/CLOs heading legal departments with two to nine employees have a place on the data response team than in larger departments. Notably, GC and CLOs heading smaller departments of nine or fewer employees are more likely to say they never brief the board of directors on cybersecurity, and 46 percent say they brief the board on an ad hoc basis.
IS A MEMBER OF THE LEGAL DEPARTMENT ON THE COMPANY’S DATA BREACH RESPONSE TEAM? (AMONG GC/CLOs)
[Figure: responses by law department size (1 employee; 2 to 9 employees; 10 to 24 employees; 25 to 49 employees; 50 or more employees). Answer options: Yes, GC/CLO; Yes, other member of legal department; No (no member of the legal department on team); Company does not have a formal data breach response team.]
“Be prepared; have a data breach response plan and do a tabletop exercise; have some internal security expertise and a trusted security/forensics vendor in advance; have detection systems to alert of an issue; consider segmentation of systems and data; have knowledgeable outside counsel in advance.”
Prevention and preparation
Prevention, preparation, and awareness are vital to closing the most common avenues for a breach or cyberattack. Not only is preparedness critical to minimizing risk and cost, but transparency may also be a regulatory requirement based on the nature of the breach and the data compromised. Companies should pay careful attention to planning and preparing for disclosure based on regulatory standards. Thirty-one percent of in-house counsel in this study say they were required to notify a regulatory/governmental body when their company was the victim of a cyberattack.
Advanced implementation of standards and effective policies, consultation, and training are as vital to information and data security as technical approaches because attacks often result from employee errors (24 percent), according to in-house counsel in this study. This is vital information that aligns with other major research. The 2015 global Ponemon Institute Research Study of the cost of cybercrime estimates that attacks by malicious code, Web-based attacks, and phishing/social engineering can take between 22 and 54 days to resolve at a technical level.[6]
The total impact of a breach can last much longer when it comes to litigation, customer turnover, and damage to brand. Among in-house counsel who have experienced a breach, 17 percent report that significant changes to company security policies took place after the breach. An additional 41 percent report moderate changes postbreach. Implementing changes proactively may decrease the amount of change required postbreach and may decrease the avenues through which breaches can occur.
[6] 2015 Cost of Data Breach Study, p. 15. IBM and Ponemon Institute.
[7] ROI savings were over half a million US dollars when certified, compared to industry-leading standards. IBM and Ponemon Study, p. 21.
Standards used to help cybersecurity planning
Companies use a variety of standards to address their cybersecurity needs. The International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and Statement on Standards for Attestation Engagements (SSAE) are common in general. Regionally, there is some variation in what is most often cited as the company standard. In the United States, NIST and SSAE 16 are most often cited; in the EMEA and Asia Pacific regions, ISO programs are most common.[7]
CYBERSECURITY STANDARDS/FRAMEWORK BY REGION
Standard/framework: US (n=672), Canada (n=35), EMEA (n=50), Asia Pacific (n=92)
NIST 14% 6% 4% 1%
ISACA 3% 3% 6% 4%
SSAE 16 14% 9% 6% 1%
Six Sigma 2% 0% 2% 3%
SANS Critical Security Controls 2% 0% 0% 3%
ISO 17799 / 27001 13% 11% 30% 15%
COBIT 5 1% 0% 6% 2%
SSE-CMM 1% 0% 0% 1%
OWASP 1% 0% 0% 1%
Other (please specify) 5% 0% 2% 2%
None 5% 3% 10% 10%
Unsure 59% 74% 52% 68%
“I wish we had known to put more focus on prevention and have a response plan in place in advance.”
Policies, training, and security expertise play a vital role in prevention and preparation
Preventive policies and training, employment of certified security experts, use of a common standard for preparedness, and mitigating risk through third parties are all components in how companies address cybersecurity. Insurance coverage in the case of a breach is also a common practice among companies globally. And while most CLOs and GC are confident in the insurance coverage their organization holds, and nearly all in-house counsel who participated in the Cybersecurity Survey claim to have at least one data protection policy in place, many are catching up on critical elements of data security and protection of intellectual property. A password policy, a social media policy, and a document retention policy are the data security policies most commonly cited by in-house lawyers as those their employer has implemented.
More than six in 10 in-house counsel in the IT (67 percent), finance and banking (63 percent), and insurance (65 percent) industries say their company has identity and access management. Participants in companies with revenues of US $500 million or more are significantly more likely than those in companies with lower revenue to have many of these policies. The only policy those in companies with less revenue are more likely to have is an employee manual acceptance policy.
DOES YOUR ORGANIZATION CURRENTLY HAVE ANY OF THE FOLLOWING POLICIES IN PLACE? (PERCENTAGE “YES”)
Password policy 81%
Social media policy 75%
Document retention policy 74%
Website privacy policy 68%
Employee manual acceptance policy 65%
Internet privacy policy 64%
Identity and access management 57%
BYOD policy 42%
Data map 18%
“It is great to have a written plan but you must be proactive and put things in place before a breach and have a proactive response and not reactionary. Test tactical aspects to make sure response team really knows their responsibilities.”
As expected, CLOs, GC, and other in-house counsel who report experiencing a breach either at their current company or at a former employer are significantly more likely to have a social media policy (84 percent to 71 percent), a bring-your-own-device (BYOD) policy (52 percent to 37 percent), identity and access management (65 percent to 55 percent), and a document retention policy (79 percent to 71 percent). Also, 70 percent of in-house participants in the US report having an employee manual acceptance policy. This is significantly higher than other regions — 51 percent in Canada, 50 percent in EMEA and 40 percent in Asia Pacific.
DATA SECURITY POLICIES BY COMPANY ANNUAL REVENUE (US$)
Policy: <$500 million, $500 million or more
Password policy 78% 87%
Document retention policy 66% 85%
Social media policy 68% 85%
Website privacy policy 69% 70%
Internet privacy policy 59% 70%
Identity and access management 54% 64%
Employee manual acceptance policy 69% 61%
BYOD policy 36% 55%
Data map 15% 21%
Outside resources a key component of preparation for many
While participating lawyers report that their organization has many data security policies in place, over half of participants report that their organization has not retained a forensic company for support in case a breach occurs. About the same amount report that their company has not retained outside counsel to assist them should a breach happen.
Participating CLOs, GC, and other in-house counsel who work for companies that are global entities are significantly more likely than in-house lawyers at domestic organizations to report having retained both a forensic company (27 percent to 21 percent) and outside counsel (36 percent to 29 percent) after a data breach.
Again, those in companies with the highest revenue are more likely to report retaining both a forensic company and outside counsel.
In-house lawyers who work or worked in a company that experienced a breach are more likely than those who do not to say their organization has retained outside counsel (44 percent to 26 percent) and retained a forensic company (37 percent to 17 percent) to assist them should a breach occur.
HAS YOUR ORGANIZATION RETAINED A FORENSIC COMPANY IN CASE A DATA BREACH OCCURS?
Yes 19%
No 57%
Don’t know 24%
HAS YOUR ORGANIZATION RETAINED OUTSIDE COUNSEL IN CASE A DATA BREACH OCCURS?
Yes 33%
No 58%
Don’t know 9%
RETAINED OUTSIDE COUNSEL/FORENSIC SERVICES BY COMPANY ANNUAL REVENUE QUARTILE
Annual Revenue: <$100 million, $100M-$499M, $500M-$2.9 billion, $3 billion or more
Company has retained forensic company 15% 22% 30% 42%
Company has retained outside counsel 22% 35% 40% 48%
The approach and execution of cybersecurity audits as a prevention tool varies across companies
Whether the most recent audit was conducted by internal staff, a trusted vendor, or an outside auditor, employee error consistently ranked as the top cause of a system breach by respondents. However, there are several interesting differences.
Thirty-six percent of respondents report employee error as the cause when an audit was conducted by an outside auditor compared with 26 percent of respondents when conducted by internal staff.
Only 6 percent of respondents report an inside job as the cause of the system breach when an audit was conducted by an outside auditor, compared with 13 percent when conducted by internal staff.
Fifteen percent of respondents report phishing as the cause of the system breach when audited by internal staff compared with 9 percent of respondents when audited by an outside auditor.
Hiring internal cybersecurity professionals is gaining momentum as a preventive measure
Staffing expert security personnel is a critical component of governance in relation to cybersecurity. According to the 2015 Ponemon Institute Study, and in line with many available frameworks to address cybersecurity at the organizational level, employment of expert personnel is a vital activity one should use as a step toward reducing the cost of cybercrime. The incremental cost savings for employing such experts is estimated at US $1.5 million.
In-house counsel in larger departments are significantly more likely to report that their company employs specialized security experts. Those in companies with law departments of 25 or more employees more frequently report having a CIO, CSO, or CISO, for example. With most companies placing cybersecurity firmly in the hands of the IT department (82 percent say cybersecurity is housed in IT), the responsibility of the legal team may increase with regard to cybersecurity in smaller companies or smaller departments. Among in-house counsel working with none of the aforementioned specialized data security positions, 34 percent say they undertake a leadership role in data security at the organization level compared with 25 percent who have a CIO.
Among all information security positions studied, the CIO is the most common position among all organizations that have at least one specialized position, regardless of department size, though smaller legal departments are significantly less likely to have a CIO. The mix of staffing varies by department size, with the largest legal departments far more likely to have a CPO. The CISO is becoming more common in organizations with 10 or more in the legal department.
[8] 2015 Cost of Data Breach Study: Global Analysis. IBM and Ponemon Institute.
MANNER SYSTEM WAS BREACHED BY HOW MOST RECENT CYBERSECURITY AUDIT WAS CONDUCTED AMONG THOSE WHO HAVE EXPERIENCED A DATA BREACH
[Figure: breach cause by who conducted the most recent audit (Internal staff, Trusted vendor, Outside auditor). Causes: Employee error; Phishing; Inside job; Lost laptop/device; Application vulnerability; Malware; Access through a third party; Ransomware (CryptoLocker); Operating system; Don’t know/Not sure. Employee error: 26% (internal staff), 33% (trusted vendor), 36% (outside auditor). Phishing: 15% (internal staff), 9% (outside auditor). Inside job: 13% (internal staff), 6% (outside auditor).]
Budget and spend
In almost every instance, respondents working in companies that have seen growth in dedication of funds to cybersecurity at the law department and/or organizational level are more likely to also say their company has policies and procedures commonly accepted as protection against a cyberattack. For example, 41 percent of in-house lawyers in companies that dedicated more budget to cybersecurity last year say their company tracks mandatory training, compared with 27 percent who report no organizational budget change on the topic. Thirty-seven percent of respondents in departments that saw no increase in law department funding for cybersecurity say their organization never tests employee knowledge of cybersecurity, compared with 22 percent among in-house counsel working in companies that did increase departmental spend.
Companies spending more are more likely to have cybersecurity insurance and are more likely to be increasing the amount of their coverage. A greater percentage of in-house counsel in these companies report that their organization has retained outside counsel and/or a forensic company that can assist in the event of a breach.
ORGANIZATION SECURITY SPECIALISTS BY DEPARTMENT SIZE
WHICH OF THE FOLLOWING DOES YOUR ORGANIZATION EMPLOY?
[Figure: positions employed, by law department size (1 employee; 2 to 9 employees; 10 to 24 employees; 25 to 49 employees; 50 or more employees). Positions: Chief Information Officer (CIO); Privacy/Security Manager; Chief Privacy Officer (CPO); Chief Information Security Officer (CISO); Chief Security Officer (CSO); Board-level committee devoted to cybersecurity; Chief Risk Officer (CRO); None of the above.]
CYBERSECURITY STANDARDS/FRAMEWORK
Columns 1-2: Has your law department spend increased as a result of your company's approach to cybersecurity? (Yes, No)
Columns 3-4: Is your company allocating more, less, or the same amount of (company) budget to cybersecurity compared with a year ago? (Same, More)
Column order: Yes No Same More
Does your organization currently have any of the following policies in place? (Select all that apply)
Password policy (Yes) 85% 81% 79% 86%
Social media policy (Yes) 81% 74% 70% 81%
Document retention policy (Yes) 75% 72% 70% 78%
Website privacy policy (Yes) 72% 67% 65% 75%
Internet privacy policy (Yes) 68% 63% 62% 68%
Employee manual acceptance policy (Yes) 65% 66% 68% 68%
Identity and access management (Yes) 62% 57% 56% 63%
BYOD policy (Yes) 50% 41% 35% 49%
Data map (Yes) 26% 14% 14% 21%
None of the above (Yes) 1% 1% 1% <1%
Does your organization have cybersecurity insurance?
Yes 66% 44% 47% 57%
Self-insurance 3% 4% 4% 5%
Do you expect your company to decrease, maintain, or increase the amount of cybersecurity insurance coverage in the next year?
Decrease coverage 1% <1% 0% 1%
Maintain current coverage 50% 65% 70% 57%
Increase coverage 33% 23% 22% 28%
Has your organization retained a forensic company to assist you should a breach occur?
Yes 43% 19% 16% 33%
Has your organization retained outside counsel to assist you should a breach occur?
Yes 64% 24% 27% 41%
Does your organization have mandatory training on cybersecurity for all employees?
Yes 58% 39% 34% 56%
How often does your organization test employee preparedness/knowledge of cybersafety practices/data policies?
Never, company does not test knowledge of cybersecurity 22% 37% 44% 26%
Quarterly 5% 2% 0% 5%
Monthly 4% 1% 1% 2%
Semiannually 6% 3% 2% 5%
Annually 36% 25% 25% 33%
How does your organization evaluate company preparedness at the employee level? (Select all that apply)
Track mandatory training requirement and attendance for all employees (Yes) 44% 29% 27% 41%
Conduct mock security event (Yes) 25% 17% 9% 25%
Test employees’ knowledge of mandatory training (Yes) 25% 18% 15% 25%
Conduct tabletop exercises (Yes) 22% 9% 6% 18%
Review disciplinary actions for violations (Yes) 10% 8% 7% 9%
It is clear that with greater revenue come more resources. Larger departments have the ability to specialize in their approach to cybersecurity, which may explain the variance in how in-house counsel describe their cybersecurity responsibilities in large and small departments. Thirty-three percent of respondents in the largest law departments say their department spend increased as a result of their company’s approach to cybersecurity, compared with just 21 percent in law departments of two to nine employees. This increase in spend has chiefly been outside spend (55 percent), with just 16 percent saying the increase was mainly inside spend. Respondents from the US and the EMEA region are more likely than those in other regions to say law department spend rose last year. For the most part, lawyers in these regions characterize this increase as outside spend.
And, with greater resources, larger departments have the ability to specialize in their approach to cybersecurity. However, few in the top legal seat say that a portion of their budget is dedicated specifically to cybersecurity (8 percent). As seen in other findings, size affects the budget. The percentage of in-house counsel who report that a portion of their budget is dedicated specifically to cybersecurity rises with organization size by revenue and employee count.
HAS YOUR LAW DEPARTMENT SPEND INCREASED AS A RESULT OF YOUR COMPANY’S APPROACH TO CYBERSECURITY?
Department Size: 1 employee (n=162), 2 to 9 employees (n=440), 10 to 24 employees (n=112), 25 to 49 employees (n=58), 50 or more employees (n=79)
Yes 14% 21% 32% 29% 33%
No 81% 73% 59% 55% 39%
Don't know/Not sure 6% 5% 9% 16% 28%
LAW DEPARTMENT SPEND INCREASED AS A RESULT OF COMPANY’S APPROACH TO CYBERSECURITY BY REGION (PERCENTAGE “YES”)
US 25%
Canada 9%
EMEA 31%
Asia Pacific 8%
In-house counsel not confident in third-party protection despite reporting requirements
Access through a third party is the fourth most common mechanism for cybercriminals to execute a data breach; however, just 7 percent of respondents report the highest degree of confidence that their third-party affiliates/vendors protect them from cybersecurity risks. The majority, 60 percent, report being somewhat confident, and 17 percent are not at all confident. There is little difference among subgroups. And while a higher percentage report being very confident that outside law firms their company employs are appropriately managing the security of client data, it is only 22 percent. Just over half, 52 percent, are somewhat confident, and 10 percent are not confident at all.
Survey respondents who have worked for an organization that experienced a breach are less confident in their outside law firms’ management of client data compared with those who have not experienced a breach (14 percent to 9 percent). Another interesting significant difference: those responding in Asia Pacific are more likely than those in the US to report being very confident in the outside firms they employ when it comes to the security of client data, 35 percent to 20 percent.
Even without a high degree of confidence, 61 percent of GC, CLOs, and other in-house counsel report that third-party agents and vendors are required to notify them of cybersecurity risks or actual events. Only 15 percent state they do not require third-party agents and vendors to report cybersecurity events, but 24 percent say they are not sure if they are required to notify them. Nearly two-thirds (64 percent) of respondents in the US say third-party vendors are required to notify them if a breach occurs. This is significantly higher than the 40 percent in the EMEA region. Along the same lines, two-thirds of nonglobal entities report third parties’ being required to notify them compared with 57 percent of those with business and/or employees working abroad. And 64 percent of those in companies with 5,000 or more employees say third parties are required to notify them compared with 53 percent in companies of less than 100 employees.
Many respondents work for organizations that hire outside law firms to manage client data security. These respondents were asked about their degree of confidence in those outside law firms’ appropriately managing the security of their client data. Among respondents who experienced a data breach in the past two years, 75 percent said they had at least some degree of confidence in their outside law firms on this issue. Sixteen percent are not at all confident.
CONFIDENCE IN OUTSIDE LAW FIRM DATA SECURITY BY THOSE WHO EXPERIENCED A BREACH
Response: Experienced a breach, Have not experienced a breach
Not at all confident 14% 9%
Very confident 20% 24%
Somewhat confident 54% 50%
Don’t know/Not sure 12% 17%
Cybersecurity insurance becoming common, growing in coverage amount*
When asked whether they expect their company to decrease, maintain, or increase the amount of cybersecurity coverage in the next year, among those whose insurance did not cover damages, 41 percent reported an expectation to increase their cybersecurity coverage compared with 32 percent whose damages were covered. Among those whose insurance did not cover damages, 59 percent reported an expectation to maintain coverage compared with 32 percent whose damages were covered. No respondents reported an expectation to decrease coverage in the next year, regardless of whether they were protected from damages from a previous data breach.
In-house counsel who have worked in a company affected by a cybersecurity breach are no more likely to say their organization has cybersecurity insurance than those who have not. Among those respondents with awareness of their company’s cybersecurity insurance status, 64 percent who report experiencing a breach either at their current company or at a previous one say they have cybersecurity insurance; 57 percent who have not been in a company that experienced a data breach report their company has cybersecurity insurance. Respondents without the GC or CLO title are twice as likely to lack awareness of their company’s cybersecurity status as GCs and CLOs (36 percent to 18 percent).
The same percentage (64 percent) of participating US lawyers aware of their company’s breach insurance status say their company is indeed insured. This is significantly higher than 41 percent in Asia Pacific and slightly higher than the overall population who said their company has cybersecurity insurance.
By contrast, just one-quarter of in-house counsel in the manufacturing industry aware of their company’s cybersecurity insurance status report that their organization is insured. This is much lower than in-house counsel who participated from other industries — 84 percent in IT, 76 percent in insurance, and 64 percent in finance and banking.
More than three-quarters (79 percent) of those GC, CLOs, and in-house counsel who are aware of the amount of coverage their company carries report that their company’s cybersecurity insurance coverage is at least US $1 million. And respondents with awareness of their company’s coverage who work in companies with fewer than 100 employees are less likely to have that high of cybersecurity coverage than those in companies with between 100 and 4,999 employees (58 percent to 84 percent). While that is a lot of coverage, just 13 percent say they are extremely confident they have the right coverage for a cybersecurity event (answering nine or 10 on a confidence scale between one and 10). Even so, only 26 percent report they expect their company to increase cybersecurity coverage over the next year. A majority (58 percent) say they expect their organization to maintain the coverage as it is now. Fifteen percent are not sure of their company’s plans with regard to its cybersecurity insurance coverage. For comparison, 50 percent of IT management and security practitioners around the globe said their IT security budget will increase in the next two years, and 46 percent said it would remain the same.[9]
Among respondents who work for organizations with cybersecurity insurance, 70 percent report that their insurance did not cover the damages created by the data breach, while 30 percent say their insurance did cover the damages.
[9] According to the Ponemon Institute’s 2015 Global Study on IT Security Spending & Investments of 1,825 IT management and security practitioners in 42 countries.
* Analysis of insurance-related questions excludes those who selected “Don’t know/Not sure” when asked if their company has cybersecurity insurance.
DID YOUR INSURANCE COVER THE DAMAGES?
Yes 30%
No 70%
“The process of obtaining cybersecurity insurance is helpful, as the insurer will require certain policies and protections. This helps to get organizational ‘buy-in,’ as it is not management that is dictating these changes, but an outside carrier.”
EXPECTATIONS FOR LEGAL DEPARTMENT’S ROLE AMONG THOSE WHO EXPERIENCED A DATA BREACH IN PAST TWO YEARS
Increase 55%
Stay the same 43%
Decrease 2%
DEGREE OF CHANGE IN SECURITY POLICIES POSTBREACH
There were no changes made 15%
Minimal changes were made 16%
Moderate changes were made 41%
Significant changes were made 17%
Don’t know/Not sure 12%
Looking ahead after a breach: lessons learned
POSTBREACH CHANGE
Many times it is only after a crisis has occurred that meaningful change takes place. Despite creating contracts with protectionist clauses, having policies that mandate training, and putting experts on the ground to monitor the company environment, without holistic understanding and follow-up, the best-laid plans can fail at preventing what cybercriminals work hard to perfect. This is why tools and standards to plan and monitor progress are so important in prevention and preparedness as well as response to a cyberattack.
When asked to describe the degree of change made to their company’s security policies following a cybersecurity breach, 74 percent said that at least some changes were made to their security policies; 15 percent say that no changes were made. Twelve percent of respondents are unsure if changes were made, though these respondents may work for organizations where changes are ongoing, making the specific degree of change unclear.
Generally, in-house lawyers who have worked in an organization that experienced a breach in the last two years plan to boost their role and their company’s general preparedness. When asked whether they expect their legal department’s role in cybersecurity to increase, decrease, or stay the same in the next year, 55 percent say they expect it to increase, while 43 percent expect it to stay the same. Only 2 percent expect a decrease.
Respondents were asked whether they expect their company to decrease, maintain, or increase its amount of cybersecurity insurance coverage in the next year. Among respondents whose company experienced a data breach in the past two years, 59 percent say they expect to maintain their current level of coverage. Twenty-two percent of respondents say they expect to increase their coverage, and no one anticipated decreasing it.
COVERAGE EXPECTATIONS IN THE NEXT YEAR BY THOSE WHO EXPERIENCED A BREACH IN THE PAST TWO YEARS
Maintain current coverage 59%
Increase coverage 22%
Don’t know/Not sure 19%
Decrease coverage <1%
“The business will be afraid to inform clients and drag its feet, but moving quickly is important.”
“Written policies and procedures and regular training and testing are key. Preparing ahead of time for what is the inevitable in today’s environment.”
ACC Foundation: The State of Cybersecurity Report, underwritten by Ballard Spahr LLP 29www.acc-foundation.com
Benchmark checklist
Tracking practice and progress is an important step in ensuring that everything is being done to thwart cyberattacks in any organization. The checklist provided highlights some key activities and actions undertaken to prevent, manage, and respond to cybersecurity risk.
This tool gives organizational leadership a snapshot of what GCs and CLOs report regarding their company and department, and serves as a benchmark for the current state of cybersecurity at the company and department level.
Cybersecurity Checklist Self-Assessment Tool

Organizational Prevention and Preparedness
66% Organization conducts a cybersecurity audit of the entire organization at least annually
60% A member of the legal department is on the company’s data breach response team
55% Organization has cybersecurity insurance
44% Organization has mandatory training on cybersecurity for all employees
34% Organization tests employee preparedness/knowledge of cybersafety practices/data policies at least annually
32% Organization retained outside counsel to assist you should a breach occur
27% Company collaborates proactively with law enforcement or other governmental agencies to address cybersecurity risks
24% Organization retains a forensic company to assist should a breach occur

Organizational Policies
80% Password policy
73% Social media policy
71% Document retention policy
66% Website privacy policy
66% Employee manual acceptance policy
63% Internet privacy policy
55% Identity and access management
41% BYOD policy
17% Data map

Organizational Staffing
46% Chief Information Officer (CIO)
24% Privacy/Security Manager
18% Chief Information Security Officer (CISO)
14% Chief Risk Officer (CRO)
13% Chief Privacy Officer (CPO)
11% Chief Security Officer (CSO)

Organizational Preparedness Evaluation
41% Conduct cybersecurity audit of entire organization at least annually
34% Use a standard (e.g., SSAE, NIST, ISO) to prepare for, manage, and reduce cybersecurity risk
33% Track mandatory training requirement and attendance for all employees
20% Test employees’ knowledge of mandatory training
17% Conduct mock security event
11% Conduct tabletop exercises
8% Review disciplinary actions for violations
OVERALL SURVEY RESULTS
INDUSTRY TRENDS
What is your employer’s primary industry?
12% IT and related
10% Finance and banking
9% Manufacturing
8% Insurance
4% Not-for-profit organization
4% Retail trade
3% Healthcare/social assistance
3% Professional, scientific, technical services
47% Other
What is your employer's primary industry? Number
Information Technology/Software/Internet-Related Services 118
Finance and Banking 96
Manufacturing 88
Insurance 75
Not-for-Profit Organization (i.e., Charity, Environment) 40
Retail Trade 38
Healthcare/Social Assistance 34
Professional, Scientific, and/or Technical Services 31
Telecommunications 26
Educational Services 25
Real Estate/Rental and Leasing 24
Service Company and Organization 24
Energy 23
Accommodation/Food Services 19
Arts, Sports, Entertainment/Recreation 19
Advertising/Marketing/Public Relations 16
Construction/Engineering 16
Oil/Gas 16
Pharmaceutical/Medical Devices 16
Fast-Moving Consumer Goods/Consumer Services 15
Wholesale Trade/Distribution 15
Biotechnology/Life Sciences 14
Defense 13
Administrative/Business/Support Services 12
Chemicals/Plastics 12
E-commerce/Online Sales 12
Aviation/Aerospace 11
Prepared Food Stuff/Beverages 9
Transportation/Warehousing 9
Utilities 9
Agriculture/Forestry/Fishing/Hunting 8
Technical/Research and Development 8
Trade Association 7
Management of Companies/Enterprises (i.e., Holding Companies) 6
Mining/Quarrying 6
Broadcasting/Media 2
Public Administration/Government Regulation and Support 2
Waste Management, Remediation/Environmental Services 2
Intellectual Property 1
Other 62
What is your employer’s primary industry?
Overall vs. industry (only industries with ≥30 responses are shown; not all answers are shown in this table of topline results)
Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

How would you characterize your responsibilities regarding cybersecurity in your company? (Select the best answer describing your highest level of responsibility)
I am in a leadership role at the organization level | 30% | 35% | 36% | 34% | 28% | 21% | 29% | 45% | 27%
I am part of a team in the organization that has been designated with cybersecurity responsibilities | 23% | 21% | 30% | 29% | 28% | 23% | 32% | 21% | 24%
I am in a leadership role in the legal department | 36% | 37% | 30% | 25% | 30% | 43% | 26% | 24% | 35%
I am in a support role in the legal department | 6% | 4% | 3% | 5% | 9% | 6% | 3% | 7% | 11%
Other, please specify | 1% | 1% | 0% | 3% | 0% | 0% | 0% | 0% | 3%
Not applicable | 4% | 2% | 0% | 4% | 4% | 8% | 11% | 3% | 0%

Which of the following does your organization employ? (Select all that apply)
Chief Information Officer (CIO) | 50% | 49% | 71% | 34% | 69% | 55% | 41% | 48% | 73%
Privacy/Security Manager | 26% | 22% | 32% | 39% | 20% | 23% | 18% | 38% | 43%
None of the above | 25% | 16% | 3% | 23% | 5% | 28% | 31% | 31% | 5%
Chief Information Security Officer (CISO) | 19% | 27% | 41% | 16% | 30% | 16% | 10% | 17% | 38%
Chief Risk Officer (CRO) | 17% | 37% | 26% | 6% | 39% | 6% | 10% | 17% | 24%
Chief Privacy Officer (CPO) | 16% | 19% | 56% | 21% | 32% | 7% | 8% | 10% | 24%
Chief Security Officer (CSO) | 13% | 17% | 21% | 22% | 14% | 9% | 5% | 21% | 3%
Board-level committee devoted to cybersecurity | 6% | 10% | 15% | 4% | 7% | 6% | 5% | 7% | 5%

Where is cybersecurity primarily housed in your organization?
IT | 82% | 73% | 84% | 72% | 88% | 92% | 71% | 79% | 86%
Legal | 5% | 5% | 0% | 8% | 3% | 2% | 5% | 7% | 3%
Operations/Administrative | 5% | 7% | 3% | 10% | 1% | 1% | 16% | 14% | 0%
Compliance | 2% | 4% | 9% | 3% | 4% | 1% | 3% | 0% | 8%

Have you ever worked for a company that has experienced a data breach? For the purposes of this survey, a data breach is considered an incident in which confidential, sensitive, or private data/information is viewed, copied, stolen, or transmitted by an unauthorized entity or individual.
Yes (work or worked where breach occurred) | 31% | 28% | 56% | 31% | 36% | 33% | 22% | 29% | 32%
What is your employer’s primary industry? (Cont’d)
Overall vs. industry (only industries with ≥30 responses are shown; not all answers are shown in this table of topline results)
Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

In what year did the breach occur? (Please select the most recent if multiple breaches.)
2015 | 26% | 9% | 33% | 21% | 38% | 19% | 13% | 25% | 18%
2014 | 21% | 23% | 11% | 24% | 13% | 27% | 50% | 25% | 27%
2013 | 17% | 32% | 33% | 9% | 21% | 12% | 25% | 25% | 18%
Before 2013 | 36% | 36% | 22% | 45% | 29% | 42% | 13% | 25% | 36%

How did you learn of the breach?
IT department | 44% | 48% | 35% | 47% | 35% | 54% | 13% | 38% | 36%
Other - please specify | 24% | 22% | 24% | 16% | 31% | 4% | 25% | 50% | 18%
Compliance department | 14% | 22% | 24% | 19% | 19% | 0% | 13% | 0% | 18%
Third-party vendor (i.e., e-forensics, e-billing) | 13% | 4% | 12% | 16% | 12% | 31% | 13% | 0% | 18%
Outside governmental agency | 6% | 4% | 6% | 3% | 4% | 12% | 38% | 13% | 9%

How often does your organization conduct a cybersecurity audit of the entire organization?
At least annually | 41% | 55% | 50% | 50% | 50% | 27% | 34% | 46% | 43%

Who conducted the most recent cybersecurity audit?
Internal staff | 40% | 38% | 35% | 44% | 32% | 21% | 36% | 53% | 27%
Outside auditor | 29% | 33% | 39% | 32% | 37% | 43% | 29% | 27% | 27%
Trusted vendor | 27% | 27% | 26% | 21% | 32% | 36% | 36% | 20% | 40%

Does your law department and/or IT department audit your legal service providers for cybersecurity risk?
Yes | 14% | 24% | 21% | 7% | 16% | 14% | 3% | 14% | 39%

What standard(s) does your organization currently use to address cybersecurity? (Select all that apply)
ISO 17799 / 27001 | 14% | 12% | 0% | 29% | 20% | 7% | 8% | 25% | 17%
National Institute of Standards and Technology (NIST) | 12% | 14% | 24% | 19% | 21% | 6% | 14% | 18% | 17%
SSAE 16 | 11% | 20% | 15% | 26% | 14% | 3% | 6% | 11% | 6%
What is your employer’s primary industry? (Cont’d)
Overall vs. industry (only industries with ≥30 responses are shown; not all answers are shown in this table of topline results)
Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

Does your organization currently have any of the following policies in place? (Select all that apply)
Password policy | 81% | 85% | 88% | 87% | 93% | 75% | 69% | 79% | 74%
Social media policy | 75% | 74% | 82% | 65% | 77% | 75% | 66% | 79% | 86%
Document retention policy | 74% | 86% | 76% | 56% | 83% | 77% | 77% | 79% | 86%
Website privacy policy | 68% | 72% | 68% | 80% | 69% | 63% | 80% | 64% | 77%
Employee manual acceptance policy | 65% | 74% | 76% | 66% | 65% | 57% | 69% | 68% | 54%
Internet privacy policy | 64% | 64% | 71% | 63% | 62% | 63% | 57% | 54% | 74%
Identity and access management | 57% | 63% | 65% | 67% | 65% | 45% | 37% | 54% | 54%
BYOD policy | 42% | 39% | 59% | 51% | 58% | 34% | 43% | 43% | 40%
Data map | 18% | 18% | 26% | 14% | 17% | 16% | 9% | 25% | 34%

Is a member of the legal department on the company’s data breach response team?
Yes, I am | 44% | 60% | 50% | 52% | 53% | 27% | 54% | 57% | 51%
Yes, other member of department | 17% | 14% | 32% | 15% | 30% | 21% | 6% | 7% | 23%

Does your organization have cybersecurity insurance?
Yes | 47% | 52% | 75% | 72% | 62% | 15% | 54% | 50% | 59%

Please select the answer that best describes the level of monetary coverage for your company’s cybersecurity insurance plan (in US$)? (Convert to US dollars using the currency conversion tool below)
Less than $1 million | 17% | 19% | 29% | 13% | 13% | 9% | 0% | 8% | 31%
$1 million or more | 66% | 58% | 57% | 77% | 68% | 73% | 71% | 92% | 46%

How confident are you that your company has the right coverage for a cybersecurity event?
Mean | 6.3 | 5.9 | 6.2 | 6.4 | 6.9 | 6.8 | 7.1 | 5.8 | 5.8
Median | 6 | 5.5 | 6 | 7 | 7 | 8 | 8 | 5.5 | 6

Do you expect your company to decrease, maintain, or increase the amount of cybersecurity insurance coverage in the next year?
Maintain current coverage | 58% | 63% | 54% | 51% | 55% | 75% | 68% | 62% | 56%
Increase coverage | 26% | 28% | 42% | 30% | 25% | 17% | 21% | 31% | 17%
Don’t know/Not sure | 15% | 9% | 4% | 18% | 20% | 8% | 11% | 8% | 28%
What is your employer’s primary industry? (Cont’d)
Overall vs. industry (only industries with ≥30 responses are shown; not all answers are shown in this table of topline results)
Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

Does your organization have mandatory training on cybersecurity for all employees?
Yes | 45% | 65% | 75% | 62% | 65% | 30% | 33% | 46% | 47%

How often does your organization test employee preparedness/knowledge of cybersafety practices/data policies?
Never, company does not test knowledge of cybersecurity | 32% | 22% | 10% | 24% | 17% | 45% | 33% | 36% | 32%
At least annually | 34% | 51% | 55% | 48% | 49% | 19% | 30% | 29% | 46%
Don’t know/Not sure | 27% | 21% | 26% | 20% | 28% | 30% | 27% | 18% | 21%

How does your organization evaluate company preparedness at the employee level? (Select all that apply)
Tracks mandatory training requirement and attendance for all employees | 33% | 53% | 56% | 35% | 50% | 19% | 35% | 21% | 39%
Tests employees’ knowledge of mandatory training | 19% | 30% | 47% | 22% | 29% | 10% | 18% | 14% | 24%
Conducts mock security event | 17% | 24% | 24% | 13% | 31% | 11% | 15% | 14% | 24%
Conducts tabletop exercises | 12% | 15% | 15% | 9% | 27% | 4% | 6% | 7% | 36%
Reviews disciplinary actions for violations | 9% | 10% | 21% | 10% | 9% | 5% | 12% | 0% | 12%

Has your organization retained a forensic company to assist you should a breach occur?
Yes | 24% | 25% | 28% | 22% | 26% | 19% | 9% | 25% | 48%

Has your organization retained outside counsel to assist you should a breach occur?
Yes | 34% | 31% | 38% | 38% | 37% | 33% | 39% | 22% | 66%

Thinking about your role and responsibilities regarding cybersecurity, would you prefer to expand, decrease, or maintain your current level of involvement?
Decrease role and responsibilities | 4% | 1% | 3% | 6% | 6% | 1% | 3% | 12% | 3%
Maintain current role and responsibilities | 44% | 45% | 53% | 41% | 54% | 42% | 50% | 46% | 52%
Increase role and responsibilities | 52% | 53% | 44% | 53% | 40% | 56% | 47% | 42% | 45%

Do you expect your legal department’s role in cybersecurity to increase, decrease, or stay the same in the next 12 months?
Stay the same | 40% | 33% | 45% | 39% | 50% | 38% | 55% | 26% | 43%
Increase | 59% | 65% | 55% | 59% | 50% | 60% | 45% | 74% | 57%
What is your employer’s primary industry? (Cont’d)
Overall vs. industry (only industries with ≥30 responses are shown; not all answers are shown in this table of topline results)
Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

How confident are you that your third-party affiliates/vendors protect you from cybersecurity risks?
Not at all confident | 17% | 7% | 22% | 17% | 13% | 23% | 12% | 31% | 10%
Somewhat confident | 60% | 68% | 47% | 66% | 67% | 54% | 68% | 46% | 69%
Very confident | 7% | 16% | 25% | 6% | 4% | 5% | 12% | 12% | 10%

How confident are you that the outside law firms your company employs are appropriately managing the security of client data?
Not at all confident | 10% | 11% | 13% | 13% | 5% | 13% | 0% | 0% | 17%
Somewhat confident | 52% | 46% | 47% | 55% | 66% | 47% | 55% | 65% | 52%
Very confident | 22% | 28% | 23% | 13% | 15% | 26% | 23% | 13% | 21%

Are third parties, such as vendors/agents, required to notify you of cybersecurity risks/breaches that they experience?
Yes | 61% | 71% | 88% | 63% | 78% | 49% | 65% | 60% | 77%

Have you ever terminated a contractual relationship because of cybersecurity risks?
Yes | 11% | 24% | 21% | 9% | 15% | 3% | 9% | 4% | 24%

Have you ever terminated a pending merger/acquisition because of cybersecurity risks?
Yes | 1% | 3% | 0% | 1% | 2% | 1% | 0% | 0% | 0%

Is your company allocating more, less, or the same amount of (company) budget to cybersecurity compared with one year ago?
More | 53% | 67% | 70% | 54% | 61% | 52% | 35% | 67% | 53%

Has your law department spend increased as a result of your company’s approach to cybersecurity?
Yes | 23% | 25% | 15% | 37% | 22% | 22% | 15% | 31% | 45%

Please describe the increase in spend:
Mainly outside spend | 55% | 58% | 80% | 41% | 50% | 63% | 0% | 25% | 86%
Mainly inside spend | 22% | 32% | 0% | 30% | 7% | 19% | 75% | 50% | 0%
Equally split between inside and outside spend | 23% | 11% | 20% | 30% | 43% | 19% | 25% | 25% | 14%

Is any portion of your law department’s budget dedicated specifically to cybersecurity or related cyber issues?
Yes | 10% | 7% | 9% | 15% | 9% | 9% | 9% | 12% | 26%

Who in your organization is the first executive officer to be notified once a breach is discovered?
Chief Information Officer (CIO) | 26% | 23% | 33% | 14% | 36% | 30% | 27% | 8% | 42%
President/Chief Executive Officer (CEO) | 23% | 27% | 12% | 29% | 13% | 16% | 36% | 38% | 10%
What is your employer’s primary industry? (Cont’d)
Overall vs. industry (only industries with ≥30 responses are shown; not all answers are shown in this table of topline results)
Columns: All responses | Finance and Banking | Healthcare/Social Assistance | IT/Software/Internet-Related Services | Insurance | Manufacturing | Not-for-Profit Organization | Professional, Scientific, and/or Technical Services | Retail Trade

From whom do you expect to be notified of a data security breach?
Chief Information Officer (CIO) | 29% | 31% | 24% | 18% | 37% | 41% | 29% | 15% | 35%

Does your company collaborate proactively with law enforcement or other governmental agencies to address cybersecurity risks?
Yes | 27% | 34% | 39% | 24% | 31% | 25% | 10% | 4% | 45%

Who in your company is the primary point of contact during a breach (including outside counsel)?
Chief Information Officer (CIO) | 24% | 20% | 26% | 15% | 28% | 28% | 18% | 23% | 39%

How was the system breached?
Employee error | 24% | 15% | 50% | 26% | 38% | 9% | 29% | 0% | 11%
Inside job | 15% | 30% | 13% | 4% | 14% | 17% | 14% | 13% | 0%
Access through a third party | 12% | 5% | 13% | 19% | 10% | 22% | 14% | 25% | 22%
Phishing | 12% | 15% | 6% | 11% | 10% | 13% | 14% | 0% | 11%

What type of information was compromised during this breach? (Select all that apply)
Other personally identifiable information such as address, national identification number/SSN, health information | 44% | 55% | 72% | 33% | 71% | 48% | 43% | 25% | 33%

Was the information that was compromised during the breach encrypted?
Yes | 17% | 16% | 13% | 21% | 26% | 14% | 0% | 13% | 33%

Were you required to notify a regulatory/governmental body as a result of a breach?
Yes | 32% | 37% | 56% | 15% | 36% | 10% | 50% | 13% | 38%

How many people were affected by the breach (including employees, customers, etc.)?
Less than 50 | 46% | 35% | 38% | 42% | 53% | 52% | 33% | 38% | 13%
50 or more | 39% | 65% | 44% | 46% | 42% | 26% | 50% | 38% | 75%

If the breach has been resolved, how long did it take to resolve? If it has not been resolved, please select that option.
1 year or less | 80% | 79% | 81% | 80% | 81% | 68% | 60% | 100% | 67%
More than 1 year ago | 9% | 16% | 13% | 20% | 14% | 9% | 20% | 0% | 11%

Describe the degree of change (if any) made to your company’s security policies or procedures following the breach.
There were no changes made | 15% | 5% | 27% | 12% | 19% | 13% | 33% | 13% | 33%
Changes were made | 73% | 85% | 67% | 77% | 76% | 70% | 50% | 88% | 67%

Did your cyber insurance policy fully cover any damages related to the breach?
Yes | 19% | 10% | 8% | 21% | 22% | 0% | 40% | 50% | 17%
OVERALL SURVEY RESULTS
TOP CONCERNS
Rank your top concerns with regard to a data breach (e.g., what worries you most?). Top picks shown.
Damage to reputation, loss of proprietary information, economic damage, and government/regulatory action are the concerns that were ranked first most often. This is fairly consistent across all subgroups.
1. Damage to reputation/brand
2. Loss of proprietary information
3. Economic damage
4. Government/regulatory action
5. Business continuity
6. Litigation
7. Board (board of directors) concerns
8. Executive liability
9. Preservation of lawyer-client privilege
10. Shareholder activity
11. Media coverage
TOP CONCERNS (MOST FREQUENTLY RANKED NUMBER 1)
Columns: Overall: All responses | Have you ever experienced a breach where you are/have been employed?: Yes | No | Region - Office location: US | Canada | EMEA | Asia Pacific | Organization’s total gross revenue for the last fiscal year (US $): <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
Rank 1 | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation
Rank 2 | Loss of proprietary information | Loss of proprietary information | Loss of proprietary information | Loss of proprietary information | Economic damage | Economic damage | Loss of proprietary information | Loss of proprietary information | Economic damage | Loss of proprietary information | Economic damage
Rank 3 | Economic damage | Economic damage | Government/regulatory action | Economic damage | Loss of proprietary information | Government/regulatory action | Government/regulatory action | Government/regulatory action | Loss of proprietary information | Government/regulatory action | Government/regulatory action
Rank 4 | Government/regulatory action | Government/regulatory action | Economic damage | Government/regulatory action | Litigation | Economic damage | Economic damage | Economic damage | Government/regulatory action | Economic damage | Business continuity

Columns: Total number of employees in organization/company: Less than 100 | 100-499 | 500-4,999 | 5,000 or more | Size of your law department (all staff in all locations): 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Employer a global entity?: Yes | No
Rank 1 | Loss of proprietary information | Damage to reputation | Damage to reputation | Damage to reputation | Loss of proprietary information | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation | Damage to reputation
Rank 2 | Damage to reputation | Economic damage | Loss of proprietary information | Loss of proprietary information | Damage to reputation | Loss of proprietary information | Loss of proprietary information | Loss of proprietary information | Loss of proprietary information | Loss of proprietary information | Government/regulatory action
Rank 3 | Economic damage | Government/regulatory action | Economic damage | Government/regulatory action | Economic damage | Government/regulatory action | Business damage | Economic damage | Government/regulatory action | Economic damage | Economic damage
Rank 4 | Government/regulatory action | Loss of proprietary information | Government/regulatory action | Economic damage | Government/regulatory action | Economic damage | Economic damage | Government/regulatory action | Litigation | Government/regulatory action | Loss of proprietary information
BREACH
Have you ever worked for a company that has experienced a data breach? For the purposes of this survey, a data breach is considered an incident in which confidential, sensitive, or private data/information is viewed, copied, stolen, or transmitted by an unauthorized entity or individual.
Three in 10 report ever working for a company that has experienced a data breach. Those in larger companies were more likely to have experienced a breach. Among respondents who said they would like to decrease their role regarding cybersecurity, 42 percent have worked or currently work where a breach has occurred. This is higher than the percentage who would like to increase their cybersecurity role and have ever experienced a breach at their current company (29 percent). Two-thirds of respondents who say their organization does not have cybersecurity insurance have never experienced a breach at their company.
EVER WORKED AT A COMPANY THAT HAS EXPERIENCED A BREACH
Yes (work/worked where data breach occurred) 31%
No (have not experienced a data breach) 62%
Don’t know 7%
Have you ever worked for a company that has experienced a data breach? (Cont’d) For the purposes of this survey, a data breach is considered an incident in which confidential, sensitive, or private data/information is viewed, copied, stolen, or transmitted by an unauthorized entity or individual.
Columns: Overall: All responses | CLO/GC vs. Others: CLO/GC | Other title | Region - Office location: US | Canada | EMEA | Asia Pacific | Organization’s total gross revenue for the last fiscal year (US $): <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 884 | 694 | 187 | 628 | 32 | 49 | 82 | 273 | 166 | 198 | 140
Yes (work/worked where data breach occurred) | 31% | 31% | 30% | 32% | 25% | 27% | 34% | 23% | 27% | 36% | 45%
No (have not experienced a data breach) | 62% | 63% | 60% | 62% | 63% | 69% | 61% | 72% | 69% | 58% | 46%
Don’t know/Not sure | 7% | 6% | 10% | 7% | 13% | 4% | 5% | 5% | 4% | 7% | 9%
*Prefer not to answer not shown for analysis purposes

Columns: Total number of employees in organization/company: Less than 100 | 100-499 | 500-4,999 | 5,000 or more | Size of your law department (all staff in all locations): 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Employer a global entity?: Yes | No | Employer a global entity?: Yes | No
n= | 138 | 225 | 283 | 226 | 172 | 460 | 106 | 60 | 81 | 498 | 374 | 540 | 399
Yes (work/worked where data breach occurred) | 17% | 23% | 31% | 45% | 16% | 30% | 32% | 52% | 52% | 32% | 29% | 21% | 17%
No (have not experienced a data breach) | 75% | 73% | 62% | 46% | 74% | 66% | 57% | 42% | 40% | 60% | 65% | 9% | 11%
Don’t know/Not sure | 8% | 4% | 7% | 9% | 10% | 4% | 11% | 7% | 9% | 8% | 6% | 56% | 61%
*Prefer not to answer not shown for analysis purposes
In what year did the breach occur? (Please select the most recent if multiple breaches)
Nearly two-thirds (64 percent) of those who have experienced a breach say it occurred in the past three years. Those in organizations with larger revenue and number of overall employees are more likely to report a breach occurring in the past couple of years. Fifty-seven percent who say their organization has not retained outside counsel for assistance in a possible breach report the breach occurred after 2012, compared with 72 percent of those working in companies who have retained outside counsel for this reason and experienced a breach within the same timeframe.
YEAR MOST RECENT BREACH OCCURRED
2015 26%
2014 21%
2013 17%
2012 8%
2011 6%
2010 8%
2009 3%
2008 3%
2007 2%
2006 2%
2005 5%
Retained outside counsel for cybersecurity? | Yes | No
Breach occurred before 2013 | 28% | 43%
Breach occurred in 2013, 2014, or 2015 | 72% | 57%
In what year did the breach occur? (Please select the most recent if multiple breaches) (Cont’d)
Columns: Overall: All responses | CLO/GC vs. Others: CLO/GC | Other title | Have you ever experienced a breach?: Yes | No | Region - Office location: US | Canada | EMEA | Asia Pacific | Organization’s total gross revenue for the last fiscal year (US $): <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 266 | 212 | 54 | 265 | 0 | 193 | 8 | 12 | 28 | 60 | 45 | 71 | 61
2005 | 5% | 6% | 4% | 5% | 0% | 5% | 13% | 17% | 0% | 3% | 11% | 7% | 3%
2006 | 2% | 2% | 2% | 2% | 0% | 2% | 0% | 0% | 0% | 7% | 0% | 1% | 0%
2007 | 2% | 1% | 2% | 2% | 0% | 2% | 0% | 0% | 0% | 2% | 4% | 0% | 2%
2008 | 3% | 3% | 4% | 3% | 0% | 3% | 0% | 0% | 7% | 5% | 2% | 1% | 2%
2009 | 3% | 2% | 4% | 3% | 0% | 2% | 0% | 0% | 7% | 5% | 0% | 1% | 3%
2010 | 8% | 8% | 6% | 8% | 0% | 9% | 0% | 17% | 0% | 17% | 4% | 7% | 5%
2011 | 6% | 6% | 6% | 6% | 0% | 4% | 0% | 8% | 7% | 10% | 0% | 3% | 3%
2012 | 8% | 9% | 4% | 8% | 0% | 9% | 13% | 0% | 7% | 8% | 11% | 6% | 7%
2013 | 17% | 16% | 22% | 17% | 0% | 20% | 13% | 0% | 14% | 18% | 16% | 24% | 13%
2014 | 21% | 23% | 15% | 21% | 0% | 20% | 13% | 42% | 29% | 12% | 22% | 21% | 30%
2015 | 26% | 24% | 33% | 26% | 0% | 25% | 50% | 17% | 29% | 13% | 29% | 28% | 33%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Columns: Total number of employees in organization/company: Less than 100 | 100-499 | 500-4,999 | 5,000 or more | Size of your law department (all staff in all locations): 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Employer a global entity?: Yes | No
n= | 21 | 52 | 88 | 100 | 29 | 134 | 34 | 29 | 40 | 155 | 107
2005 | 5% | 6% | 6% | 5% | 0% | 9% | 0% | 0% | 5% | 6% | 4%
2006 | 0% | 6% | 3% | 0% | 0% | 4% | 0% | 0% | 0% | 1% | 4%
2007 | 5% | 2% | 0% | 1% | 3% | 1% | 3% | 0% | 0% | 1% | 2%
2008 | 0% | 4% | 6% | 1% | 7% | 2% | 3% | 7% | 0% | 3% | 4%
2009 | 10% | 4% | 1% | 2% | 0% | 3% | 0% | 3% | 5% | 2% | 3%
2010 | 19% | 8% | 7% | 6% | 7% | 10% | 3% | 0% | 10% | 8% | 7%
2011 | 19% | 10% | 2% | 5% | 17% | 4% | 9% | 0% | 8% | 4% | 9%
2012 | 5% | 10% | 8% | 8% | 14% | 6% | 15% | 7% | 5% | 9% | 7%
2013 | 14% | 17% | 17% | 17% | 14% | 20% | 9% | 10% | 20% | 13% | 22%
2014 | 5% | 17% | 20% | 25% | 17% | 20% | 21% | 31% | 20% | 24% | 17%
2015 | 19% | 17% | 30% | 30% | 21% | 20% | 38% | 41% | 28% | 28% | 22%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
How did you learn of the breach?
Among those who experienced a data breach, 44 percent say that the IT department informed them when it occurred, followed by a member of the compliance department (14 percent) and a third-party vendor (13 percent). Another 24 percent report they were informed by some other entity. Just 6 percent say they were informed by an outside governmental agency. Those in the Asia Pacific region are more likely to report they learned of the breach from the compliance department than those in other regions. Furthermore, the more employees in the company, the less likely respondents are to hear about the breach from the IT department. GC/CLOs were more likely to hear about the breach from the IT department than respondents with other titles.
HOW DID YOU LEARN OF THE BREACH?
44% IT department
14% Compliance department
13% Third-party vendor (i.e., forensics, e-billing)
6% Outside governmental agency
24% Other - please specify
46 ACC Foundation: The State of Cybersecurity Report, underwritten by Ballard Spahr LLP ©2016 ACC Foundation, All rights reserved.
How did you learn of the breach? Crosstab by overall, CLO/GC vs. others, whether the respondent has experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $)

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 271 | 215 | 56 | 269 | 1 | 199 | 8 | 12 | 28 | 63 | 44 | 70 | 64 |
| IT department | 44% | 47% | 34% | 44% | 0% | 43% | 13% | 75% | 46% | 44% | 41% | 47% | 47% |
| Compliance department | 14% | 14% | 13% | 14% | 0% | 12% | 13% | 0% | 32% | 13% | 9% | 14% | 14% |
| Third-party vendor (i.e., forensics, e-billing) | 13% | 13% | 13% | 13% | 0% | 15% | 0% | 17% | 4% | 11% | 16% | 11% | 14% |
| Outside governmental agency | 6% | 5% | 7% | 6% | 0% | 6% | 0% | 0% | 4% | 5% | 2% | 6% | 8% |
| Other - please specify | 24% | 21% | 34% | 23% | 100% | 24% | 75% | 8% | 14% | 27% | 32% | 21% | 17% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |

Note: the "Breach: No" (n=1), Canada (n=8) and EMEA (n=12) columns rest on very small bases; their percentages reflect a handful of respondents.
How did you learn of the breach? (Cont'd): crosstab by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity

| | Less than 100 employees | 100-499 employees | 500-4,999 employees | 5,000 or more employees | Law dept: 1 employee | Law dept: 2 to 9 | Law dept: 10 to 24 | Law dept: 25 to 49 | Law dept: 50 or more | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 22 | 53 | 89 | 101 | 28 | 135 | 35 | 31 | 42 | 159 | 108 |
| IT department | 55% | 47% | 42% | 43% | 54% | 39% | 43% | 58% | 45% | 46% | 42% |
| Compliance department | 14% | 11% | 15% | 16% | 14% | 14% | 17% | 6% | 17% | 14% | 13% |
| Third-party vendor (i.e., forensics, e-billing) | 14% | 15% | 10% | 15% | 4% | 16% | 11% | 10% | 14% | 13% | 13% |
| Outside governmental agency | 0% | 2% | 6% | 7% | 7% | 5% | 9% | 6% | 2% | 6% | 5% |
| Other - please specify | 18% | 25% | 28% | 20% | 21% | 27% | 20% | 19% | 21% | 21% | 28% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
What is the most important thing you wish you had known before the breach that you know now as a result of your experience?
Comments from in-house counsel center on having better prevention, training, and monitoring. Better detection of cyber-related threats, greater awareness of regulatory requirements, and having a plan in place to manage a breach before it occurs all help reduce exposure. On a technical note, several in-house counsel say they wish they had known more about employee behavior, about their organization's readiness to identify and respond to a potential threat, and about the extent of vulnerabilities at various levels of the organization. Below is a sample of the lessons and best practices cited by in-house counsel.
Act fast and get out ahead of the news and the regulators.
Be prepared in advance; manage internal and external communications in a controlled and organized fashion.
Better detection of long-term tiny leaks caused by viruses in client data.
Better due diligence on suppliers on cyber security issues.
Better understanding of the risk of fraud by a third party to enable circumvention of security controls.
Difficulty of getting law-enforcement cybercrimes assistance with investigation.
Employee training needed to increase on reporting of issues.
Extent of information encryption and retention level of unnecessary information.
Full mapping of company data and data flows.
It is important to understand what third parties have processes that impact how information flows in the company’s IT systems.
How manual and automated processes can sometimes expose an organization to a breach if closer QA processes are not maintained.
How much time is involved in responding to a breach.
How to perform due diligence for IT security issues in M&A.
How to properly scope an investigation to determine the scope of the breach.
How to quickly identify the third-party vendors involved in the breach.
How to train people properly.
I wish I had known the extent to which personal information was being shared by email.
I wish I had known what network vulnerabilities are considered unreasonable by the FTC.
I wish I had more clarity on how we protected client’s personally identifiable information.
Importance of enterprisewide sense of responsibility about all things data security.
In order to help law enforcement prosecute and sentence, you have to meticulously provide the value of the things stolen.
Interconnectedness of systems.
Internal threat vulnerabilities.
Lack of security protocols of IT equipment.
No firewall can give 100% protection.
Our PR department was not as prepared as the rest of the organization to address the breach.
Requirements can vary significantly by state.
Risks associated with lack of policies and procedures related to removing old/stale user accounts.
Significant adverse consequences of self-reporting to regulators when it wasn’t mandatory.
That breaches can occur out of employee negligence and not just on the cunning of ‘hackers.’
That some employees working from home are on their own unencrypted devices.
That we had no ability to detect it.
The amount of personal data maintained on the servers.
The extent of the vulnerability of our systems.
The extent to which our data security relied on third parties.
The importance of regular internal training on avoidance of phishing attacks.
The lack of checks and balances in our document management system.
The lack of governmental standards around what is ‘reasonable’ security program.
The PR reputational aspects.
The proper scope of a forensic investigation.
To do a better job at educating employees on cybersecurity issues, how to recognize and what to do and to become more informed on various ways that data breaches occur and proactive ways that could eliminate or reduce exposure.
To have cybersecurity insurance and a policy/plan in place in the event of a breach.
We need to make sure we have the appropriate monitoring tools in place.
What people take with them when they leave.
Whether or not to report the breach to the police.
Which employees had which access rights to which systems.
Who was accountable for the systems that allowed the breach.
Wish we would have had a corrective action plan at the ready.
Too many missteps and lost time in trying to fix the breach.
How would you characterize your responsibilities regarding cybersecurity in your company? (Select the best answer describing your highest level of responsibility)
Regarding cybersecurity, 30 percent of respondents characterize their role as one of leadership at the organization level. An organizational leadership role is more common among GC/CLOs: 35 percent report such a role, compared with 11 percent of in-house counsel not in the GC/CLO role. Those without the GC/CLO title are more likely to report a support role in cybersecurity within their legal department. Those with a leadership role at the organizational level are more likely to say they would like to maintain their current cybersecurity role and responsibilities rather than increase them (34 percent to 27 percent). In-house lawyers with a leadership role in the legal department are more likely to say they would prefer to increase their role in cybersecurity in their organization rather than maintain it (40 percent to 30 percent).
LEVEL OF RESPONSIBILITY REGARDING CYBERSECURITY IN COMPANY
30% I am in a leadership role at the organization level
23% I am part of a team in the organization that has been designated with cybersecurity responsibilities
36% I am in a leadership role in the legal department
6% I am in a support role in the legal department
1% Other, please specify
4% Not applicable
How would you characterize your responsibilities regarding cybersecurity in your company? Crosstab by overall, CLO/GC vs. others, whether the respondent has experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $)

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 954 | 736 | 215 | 270 | 548 | 666 | 34 | 49 | 92 | 285 | 181 | 211 | 154 |
| I am in a leadership role at the organization level | 30% | 35% | 11% | 33% | 29% | 31% | 24% | 24% | 27% | 35% | 34% | 29% | 19% |
| I am part of a team in the organization that has been designated with cybersecurity responsibilities | 23% | 21% | 27% | 24% | 22% | 26% | 18% | 20% | 11% | 24% | 22% | 28% | 21% |
| I am in a leadership role in the legal department | 36% | 36% | 35% | 34% | 37% | 33% | 44% | 33% | 55% | 34% | 37% | 36% | 42% |
| I am in a support role in the legal department | 6% | 3% | 16% | 4% | 7% | 6% | 6% | 10% | 4% | 3% | 4% | 4% | 12% |
| Other, please specify | 1% | 1% | 1% | 1% | 1% | 1% | 3% | 2% | 0% | 2% | 0% | <1% | 1% |
| Not applicable | 4% | 3% | 9% | 4% | 5% | 4% | 6% | 10% | 2% | 2% | 3% | 3% | 5% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
How would you characterize your responsibilities regarding cybersecurity in your company? (Select the best answer describing your highest level of responsibility) (Cont'd): crosstab by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity

| | Less than 100 employees | 100-499 employees | 500-4,999 employees | 5,000 or more employees | Law dept: 1 employee | Law dept: 2 to 9 | Law dept: 10 to 24 | Law dept: 25 to 49 | Law dept: 50 or more | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 148 | 233 | 304 | 253 | 176 | 492 | 121 | 65 | 94 | 541 | 397 |
| I am in a leadership role at the organization level | 34% | 35% | 32% | 20% | 32% | 33% | 30% | 20% | 17% | 26% | 35% |
| I am part of a team in the organization that has been designated with cybersecurity responsibilities | 22% | 24% | 23% | 23% | 20% | 24% | 27% | 28% | 13% | 23% | 23% |
| I am in a leadership role in the legal department | 36% | 34% | 35% | 39% | 38% | 35% | 35% | 31% | 43% | 38% | 34% |
| I am in a support role in the legal department | 3% | 3% | 5% | 11% | 4% | 4% | 3% | 14% | 18% | 7% | 4% |
| Other, please specify | 1% | 1% | 1% | 1% | 2% | 1% | 0% | 2% | 1% | 1% | 1% |
| Not applicable | 3% | 3% | 4% | 6% | 3% | 3% | 5% | 6% | 9% | 5% | 3% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
Which of the following does your organization employ? (Select all that apply)
Half of GC/CLOs and other in-house lawyers responding to the survey say their company has a chief information officer (CIO). Approximately a quarter report their company has a privacy/security manager, and 19 percent say their company employs a chief information security officer (CISO). Also prevalent with respect to cybersecurity are chief risk officers (17 percent), chief privacy officers (16 percent), and chief security officers (13 percent). Just 6 percent say their organization has a board-level committee devoted to cybersecurity issues. Those in companies with cybersecurity insurance (24 percent) or self-insurance (26 percent) are more likely to employ a CISO than those without cybersecurity insurance (13 percent). Similarly, those with cybersecurity insurance (29 percent) and self-insurance (47 percent) are more likely to say they have someone in a privacy/security manager role at their company. A third of respondents who say they do not have cybersecurity insurance say their company has none of these data/information security roles.
ORGANIZATION EMPLOYS THE FOLLOWING (multiple responses possible)
50% Chief Information Officer (CIO)
26% Privacy/Security manager
19% Chief Information Security Officer (CISO)
17% Chief Risk Officer (CRO)
16% Chief Privacy Officer (CPO)
13% Chief Security Officer (CSO)
6% Board-level committee devoted to cybersecurity
25% None of the above
Which of the following does your organization employ? Crosstab by overall, CLO/GC vs. others, whether the respondent has experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $)

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 962 | 743 | 214 | 272 | 552 | 672 | 35 | 50 | 92 | 289 | 180 | 214 | 153 |
| Chief Information Officer (CIO) | 50% | 46% | 62% | 62% | 44% | 50% | 49% | 50% | 51% | 28% | 47% | 71% | 72% |
| Privacy/Security Manager | 26% | 24% | 31% | 34% | 20% | 24% | 34% | 34% | 29% | 19% | 22% | 31% | 37% |
| Chief Information Security Officer (CISO) | 19% | 18% | 24% | 26% | 16% | 20% | 11% | 36% | 16% | 8% | 17% | 24% | 43% |
| Chief Risk Officer (CRO) | 17% | 15% | 22% | 22% | 13% | 14% | 14% | 22% | 28% | 10% | 8% | 21% | 30% |
| Chief Privacy Officer (CPO) | 16% | 14% | 21% | 21% | 12% | 14% | 34% | 8% | 17% | 10% | 9% | 15% | 37% |
| Chief Security Officer (CSO) | 13% | 12% | 19% | 15% | 11% | 13% | 11% | 26% | 8% | 6% | 7% | 16% | 33% |
| Board-level committee devoted to cybersecurity | 6% | 5% | 8% | 6% | 5% | 5% | 3% | 4% | 8% | 4% | 4% | 6% | 8% |
| None of the above | 25% | 27% | 15% | 14% | 30% | 25% | 26% | 16% | 24% | 41% | 28% | 11% | 5% |

*Multiple responses possible. Percentages may sum to greater than 100%.
Which of the following does your organization employ? (Select all that apply) (Cont'd): crosstab by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity

| | Less than 100 employees | 100-499 employees | 500-4,999 employees | 5,000 or more employees | Law dept: 1 employee | Law dept: 2 to 9 | Law dept: 10 to 24 | Law dept: 25 to 49 | Law dept: 50 or more | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 150 | 236 | 308 | 250 | 179 | 496 | 124 | 64 | 92 | 542 | 402 |
| Chief Information Officer (CIO) | 19% | 38% | 55% | 74% | 24% | 47% | 67% | 77% | 73% | 55% | 44% |
| Privacy/Security Manager | 15% | 17% | 29% | 36% | 15% | 25% | 29% | 36% | 40% | 30% | 19% |
| Chief Information Security Officer (CISO) | 3% | 12% | 20% | 35% | 5% | 14% | 34% | 45% | 38% | 22% | 16% |
| Chief Risk Officer (CRO) | 7% | 13% | 17% | 26% | 6% | 14% | 19% | 27% | 41% | 15% | 18% |
| Chief Privacy Officer (CPO) | 6% | 11% | 12% | 30% | 4% | 12% | 23% | 19% | 46% | 16% | 15% |
| Chief Security Officer (CSO) | 2% | 7% | 13% | 27% | 4% | 8% | 18% | 23% | 46% | 16% | 10% |
| Board-level committee devoted to cybersecurity | 3% | 6% | 5% | 8% | 3% | 5% | 7% | 13% | 5% | 6% | 5% |
| None of the above | 59% | 29% | 18% | 8% | 52% | 24% | 11% | 6% | 1% | 18% | 33% |

*Multiple responses possible. Percentages may sum to greater than 100%.
Where is cybersecurity primarily housed in your organization?
A large majority (82 percent) of in-house counsel report that cybersecurity is primarily housed in the IT department in their company. Nine in 10 (89 percent) who say their legal department never briefs the board of directors on the subject of cybersecurity say cybersecurity is primarily housed in IT. In fact, 84 percent who report their organization does not have a board-level committee dedicated to cybersecurity say that responsibility is primarily housed in IT. This is higher than the 75 percent who report their company does have a board-level committee dedicated to cybersecurity and say cybersecurity is housed in IT.
LOCATION CYBERSECURITY HOUSED IN COMPANY
5% Legal
5% Operations/Administrative
4% Other - please specify
2% Compliance
2% Don’t know/Not sure
82% IT
Where is cybersecurity primarily housed in your organization? Crosstab by overall, CLO/GC vs. others, whether the respondent has experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $)

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 941 | 729 | 209 | 268 | 547 | 659 | 35 | 50 | 91 | 283 | 178 | 212 | 152 |
| IT | 82% | 83% | 78% | 82% | 82% | 81% | 83% | 78% | 87% | 78% | 88% | 84% | 82% |
| Legal | 5% | 5% | 4% | 4% | 5% | 5% | 0% | 4% | 1% | 5% | 6% | 5% | 3% |
| Operations/Administrative | 5% | 6% | 3% | 4% | 6% | 5% | 3% | 8% | 8% | 8% | 2% | 3% | 5% |
| Other, please specify | 4% | 4% | 5% | 3% | 4% | 4% | 9% | 4% | 2% | 6% | 2% | 3% | 4% |
| Compliance | 2% | 2% | 3% | 3% | 2% | 3% | 0% | 2% | 1% | 2% | 1% | 4% | 3% |
| Don't know/Not sure | 2% | 1% | 6% | 3% | 2% | 1% | 6% | 4% | 1% | 1% | 0% | 1% | 4% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
Where is cybersecurity primarily housed in your organization? (Cont'd): crosstab by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity

| | Less than 100 employees | 100-499 employees | 500-4,999 employees | 5,000 or more employees | Law dept: 1 employee | Law dept: 2 to 9 | Law dept: 10 to 24 | Law dept: 25 to 49 | Law dept: 50 or more | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 144 | 231 | 302 | 248 | 174 | 487 | 121 | 63 | 91 | 534 | 391 |
| IT | 74% | 82% | 85% | 81% | 82% | 83% | 84% | 87% | 70% | 82% | 83% |
| Legal | 4% | 6% | 4% | 5% | 5% | 3% | 8% | 5% | 4% | 5% | 4% |
| Operations/Administrative | 11% | 6% | 4% | 3% | 10% | 5% | 2% | 0% | 7% | 5% | 5% |
| Other, please specify | 5% | 4% | 4% | 4% | 2% | 5% | 2% | 5% | 7% | 3% | 5% |
| Compliance | 3% | 1% | 3% | 2% | 1% | 3% | 2% | 3% | 2% | 2% | 3% |
| Don't know/Not sure | 3% | 0% | 1% | 4% | 1% | 1% | 1% | 0% | 10% | 3% | 1% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
How often does your organization conduct a cybersecurity audit of the entire organization?
Four in ten respondents report that their organization conducts a companywide cybersecurity audit on an annual or more frequent basis. Thirty-eight percent are unsure whether their company conducts one. Those who say their organization has cybersecurity insurance are more likely to work in a company that conducts cybersecurity audits annually than those who say their company does not have such insurance (43 percent to 30 percent). And those who say their company has retained a forensic company for possible breaches are also more likely than those who have not retained such a company to say their organization conducts an annual cybersecurity audit (41 percent to 33 percent).
HOW OFTEN DOES YOUR ORGANIZATION CONDUCT A CYBERSECURITY AUDIT OF THE ENTIRE ORGANIZATION?
5% Quarterly
4% Two times per year
32% Annually
5% Every two years
11% Organization does not conduct a security audit
6% Other - please specify
38% Don't know/Not sure
How often does your organization conduct a cybersecurity audit of the entire organization? Crosstab by overall, CLO/GC vs. others, whether the respondent has experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $)

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 861 | 671 | 187 | 256 | 509 | 616 | 34 | 48 | 84 | 263 | 168 | 193 | 138 |
| Quarterly | 5% | 6% | 2% | 5% | 5% | 4% | 6% | 10% | 6% | 6% | 5% | 7% | 3% |
| Two times per year | 4% | 4% | 4% | 3% | 5% | 4% | 0% | 2% | 5% | 3% | 5% | 5% | 1% |
| Annually | 32% | 35% | 21% | 35% | 31% | 36% | 24% | 21% | 15% | 37% | 36% | 32% | 25% |
| Every two years | 5% | 6% | 2% | 5% | 5% | 5% | 0% | 4% | 4% | 4% | 5% | 7% | 4% |
| Organization does not conduct a security audit | 11% | 12% | 10% | 9% | 13% | 11% | 15% | 13% | 13% | 19% | 15% | 4% | 7% |
| Other - please specify | 6% | 6% | 4% | 6% | 5% | 6% | 6% | 6% | 4% | 4% | 5% | 9% | 7% |
| Don't know/Not sure | 38% | 32% | 57% | 38% | 37% | 34% | 50% | 44% | 54% | 27% | 28% | 36% | 54% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
How often does your organization conduct a cybersecurity audit of the entire organization? (Cont'd): crosstab by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity

| | Less than 100 employees | 100-499 employees | 500-4,999 employees | 5,000 or more employees | Law dept: 1 employee | Law dept: 2 to 9 | Law dept: 10 to 24 | Law dept: 25 to 49 | Law dept: 50 or more | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 131 | 214 | 280 | 223 | 161 | 451 | 107 | 60 | 79 | 489 | 360 |
| Quarterly | 3% | 6% | 8% | 2% | 5% | 6% | 3% | 7% | 0% | 5% | 5% |
| Two times per year | 4% | 5% | 5% | 2% | 3% | 5% | 5% | 2% | 1% | 3% | 5% |
| Annually | 33% | 37% | 35% | 24% | 30% | 36% | 27% | 28% | 23% | 30% | 34% |
| Every two years | 3% | 6% | 3% | 6% | 5% | 5% | 4% | 10% | 0% | 4% | 5% |
| Organization does not conduct a security audit | 24% | 12% | 10% | 4% | 20% | 11% | 6% | 7% | 4% | 11% | 12% |
| Other - please specify | 3% | 5% | 8% | 6% | 2% | 4% | 15% | 8% | 6% | 7% | 5% |
| Don't know/Not sure | 30% | 29% | 32% | 56% | 34% | 33% | 41% | 38% | 66% | 40% | 34% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
Who conducted the most recent cybersecurity audit?
Of those who say audits are conducted, 40 percent report that the most recent audit was done by internal staff. Twenty-nine percent report it was done by an outside auditor, and nearly as many (27 percent) say it was done by a trusted vendor. In-house counsel in smaller companies are more likely to report use of internal staff than those in large companies of 500 or more employees. Among lawyers who say the most recent breach they experienced was due to employee error, 39 percent say their most recent audit was conducted by internal staff, 33 percent by an outside auditor, and 25 percent by a trusted vendor.
WHO CONDUCTED MOST RECENT CYBERSECURITY AUDIT?
40% Internal staff
29% Outside auditor
27% Trusted vendor
4% Don't know/Not sure
Who conducted the most recent cybersecurity audit? Crosstab by overall, CLO/GC vs. others, whether the respondent has experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $)

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 434 | 372 | 61 | 135 | 253 | 335 | 12 | 21 | 27 | 138 | 96 | 113 | 54 |
| Internal staff | 40% | 39% | 41% | 44% | 39% | 37% | 25% | 57% | 48% | 43% | 35% | 38% | 35% |
| Outside auditor | 29% | 31% | 21% | 27% | 30% | 30% | 42% | 19% | 33% | 31% | 34% | 25% | 31% |
| Trusted vendor | 27% | 27% | 26% | 24% | 27% | 30% | 25% | 24% | 15% | 23% | 26% | 35% | 22% |
| Don't know/Not sure | 4% | 2% | 11% | 4% | 4% | 4% | 8% | 0% | 4% | 2% | 4% | 2% | 11% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
Who conducted the most recent cybersecurity audit? (Cont'd): crosstab by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity

| | Less than 100 employees | 100-499 employees | 500-4,999 employees | 5,000 or more employees | Law dept: 1 employee | Law dept: 2 to 9 | Law dept: 10 to 24 | Law dept: 25 to 49 | Law dept: 50 or more | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 59 | 124 | 160 | 90 | 73 | 248 | 56 | 33 | 24 | 235 | 193 |
| Internal staff | 53% | 42% | 36% | 34% | 47% | 39% | 34% | 36% | 42% | 39% | 40% |
| Outside auditor | 25% | 31% | 29% | 31% | 23% | 32% | 34% | 21% | 25% | 28% | 32% |
| Trusted vendor | 22% | 26% | 29% | 29% | 26% | 27% | 29% | 30% | 25% | 28% | 26% |
| Don't know/Not sure | 0% | 2% | 6% | 6% | 4% | 2% | 4% | 12% | 8% | 6% | 1% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
Does your law department and/or IT department audit your legal service providers for cybersecurity risk?
Just 14 percent of in-house counsel say their company audits its legal service providers. Only 3 percent of those in Canada say their law or IT department audits their legal service providers for cybersecurity risk, significantly fewer than in any other region. Only 14 percent of those in companies that carry cybersecurity insurance report that their IT or law department audits their legal service providers for cybersecurity risk. However, 22 percent who say their organization has retained a forensic company and 19 percent who say their company has retained outside counsel in case of a breach also audit their legal service providers for cyber risk.
LAW OR IT DEPARTMENT AUDIT LEGAL SERVICE PROVIDERS FOR CYBERSECURITY RISK?
14% Yes
75% No
11% Don't know/Not sure
Does your law department and/or IT department audit your legal service providers for cybersecurity risk? Crosstab by overall, CLO/GC vs. others, whether the respondent has experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $)

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 890 | 696 | 191 | 260 | 527 | 630 | 34 | 50 | 90 | 270 | 171 | 200 | 145 |
| Yes | 14% | 12% | 19% | 16% | 11% | 13% | 3% | 16% | 18% | 13% | 13% | 12% | 19% |
| No | 75% | 80% | 58% | 73% | 78% | 76% | 91% | 80% | 74% | 81% | 81% | 77% | 61% |
| Don't know/Not sure | 11% | 8% | 24% | 11% | 11% | 11% | 6% | 4% | 8% | 6% | 6% | 12% | 19% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
Does your law department and/or IT department audit your legal service providers for cybersecurity risk? (Cont'd): crosstab by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity

| | Less than 100 employees | 100-499 employees | 500-4,999 employees | 5,000 or more employees | Law dept: 1 employee | Law dept: 2 to 9 | Law dept: 10 to 24 | Law dept: 25 to 49 | Law dept: 50 or more | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 134 | 220 | 287 | 236 | 166 | 460 | 114 | 61 | 85 | 502 | 375 |
| Yes | 17% | 9% | 13% | 16% | 10% | 12% | 13% | 23% | 22% | 13% | 15% |
| No | 72% | 86% | 79% | 64% | 84% | 78% | 78% | 59% | 49% | 74% | 77% |
| Don't know/Not sure | 11% | 5% | 8% | 20% | 6% | 10% | 9% | 18% | 28% | 13% | 8% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
What standard(s) does your organization currently use to address cybersecurity? (Select all that apply)
Most GC/CLOs and other in-house counsel do not know what standards their organization uses to address cybersecurity. Just 6 percent say that their company uses none of the standards listed. ISO 17799/27001 (ISO/IEC 17799 has since been renumbered ISO/IEC 27002), the National Institute of Standards and Technology (NIST) standards, and SSAE 16 are the most commonly cited. Those working in companies that are global entities are significantly more likely than those in domestic-only companies to report that their company uses ISO 17799/27001 (18 percent to 10 percent). Twice as many in-house counsel in EMEA report using ISO 17799/27001 as in any other region. And just 6 percent in companies with fewer than 100 employees report using NIST, half the rate reported in larger companies.
STANDARDS USED TO ADDRESS CYBERSECURITY (multiple responses possible)
14% ISO 17799/27001
12% NIST
11% SSAE 16
3% ISACA
2% COBIT 5
2% SANS Critical Security Controls
2% Six Sigma
1% OWASP
1% SSE-CMM
4% Other - please specify
6% None
60% Don't know/Not sure
What standard(s) does your organization currently use to address cybersecurity? Crosstab by overall, CLO/GC vs. others, whether the respondent has experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $)

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 944 | 731 | 208 | 270 | 548 | 672 | 35 | 50 | 92 | 283 | 179 | 211 | 149 |
| ISO 17799/27001 | 14% | 14% | 16% | 16% | 11% | 13% | 11% | 30% | 15% | 10% | 22% | 17% | 15% |
| National Institute of Standards and Technology (NIST) | 12% | 12% | 12% | 14% | 10% | 14% | 6% | 4% | 1% | 11% | 11% | 15% | 13% |
| SSAE 16 | 11% | 11% | 13% | 13% | 10% | 14% | 9% | 6% | 1% | 12% | 15% | 12% | 8% |
| Information Systems Audit and Control Association (ISACA) | 3% | 3% | 3% | 2% | 3% | 3% | 3% | 6% | 4% | 3% | 2% | 4% | 3% |
| Six Sigma | 2% | 2% | 2% | 3% | 1% | 2% | 0% | 2% | 3% | 2% | 1% | 2% | 2% |
| SANS Critical Security Controls | 2% | 2% | 4% | 2% | 2% | 2% | 0% | 0% | 3% | 3% | 0% | 3% | 4% |
| COBIT 5 | 2% | 2% | 2% | 1% | 2% | 1% | 0% | 6% | 2% | 2% | 1% | 1% | 4% |
| Open Web Application Security Project (OWASP) | 1% | 2% | 1% | 1% | 1% | 1% | 0% | 0% | 1% | 2% | 1% | 1% | 1% |
| SSE-CMM | 1% | 1% | <1% | 1% | 1% | 1% | 0% | 0% | 1% | <1% | 2% | 1% | 1% |
| Other - Please specify | 4% | 4% | 5% | 4% | 4% | 5% | 0% | 2% | 2% | 5% | 7% | 4% | 1% |
| None | 6% | 6% | 5% | 4% | 7% | 5% | 3% | 10% | 10% | 12% | 7% | 2% | 1% |
| Don't know/Not sure | 60% | 60% | 61% | 60% | 62% | 59% | 74% | 52% | 68% | 53% | 50% | 64% | 68% |

*Multiple responses possible. Percentages may sum to greater than 100%.
What standard(s) does your organization currently use to address cybersecurity? (Select all that apply) (Cont'd): crosstab by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity

| | Less than 100 employees | 100-499 employees | 500-4,999 employees | 5,000 or more employees | Law dept: 1 employee | Law dept: 2 to 9 | Law dept: 10 to 24 | Law dept: 25 to 49 | Law dept: 50 or more | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 143 | 234 | 306 | 244 | 177 | 487 | 121 | 63 | 89 | 532 | 394 |
| ISO 17799/27001 | 6% | 14% | 18% | 15% | 10% | 14% | 18% | 14% | 19% | 18% | 10% |
| National Institute of Standards and Technology (NIST) | 6% | 13% | 13% | 12% | 10% | 11% | 14% | 13% | 16% | 10% | 14% |
| SSAE 16 | 4% | 14% | 14% | 10% | 8% | 12% | 14% | 8% | 15% | 12% | 10% |
| Information Systems Audit and Control Association (ISACA) | 1% | 3% | 3% | 3% | 2% | 3% | 2% | 3% | 2% | 4% | 2% |
| Six Sigma | 1% | 2% | 2% | 3% | 2% | 2% | 2% | 2% | 3% | 3% | 1% |
| SANS Critical Security Controls | 3% | 2% | 1% | 4% | 1% | 2% | 3% | 5% | 2% | 2% | 3% |
| COBIT 5 | 1% | 2% | 1% | 3% | 1% | 1% | 2% | 3% | 3% | 2% | 2% |
| Open Web Application Security Project (OWASP) | 2% | 2% | 1% | 1% | 1% | 2% | 1% | 0% | 3% | 1% | 2% |
| SSE-CMM | 0% | 1% | 1% | 1% | 1% | 1% | 0% | 0% | 2% | 1% | <1% |
| Other - Please specify | 4% | 5% | 6% | 2% | 3% | 5% | 3% | 5% | 1% | 4% | 5% |
| None | 15% | 8% | 4% | 2% | 14% | 5% | 2% | 2% | 1% | 5% | 7% |
| Don't know/Not sure | 64% | 52% | 57% | 69% | 58% | 60% | 58% | 62% | 67% | 61% | 59% |

*Multiple responses possible. Percentages may sum to greater than 100%.
Does your organization currently have any of the following policies in place? (Select all that apply)
A majority of respondents have basic policies in place to reduce cybersecurity risk. The most common are password and social media policies, along with document retention policies. The only policies not in place at a majority of organizations are a data map and BYOD guidelines.
POLICIES ORGANIZATION HAS IMPLEMENTED (multiple responses possible)
81% Password policy
75% Social media policy
74% Document retention policy
68% Website privacy policy
65% Employee manual acceptance policy
64% Internet privacy policy
57% Identity and access management
42% BYOD policy
18% Data map
1% None of the above
3% Don't know/Not sure
Does your organization currently have any of the following policies in place? Crosstab by overall, CLO/GC vs. others, whether the respondent has experienced a breach, region (office location), and organization's total gross revenue for the last fiscal year (US $)

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 935 | 724 | 206 | 268 | 543 | 672 | 35 | 50 | 92 | 279 | 178 | 211 | 147 |
| Password policy | 81% | 80% | 84% | 84% | 80% | 82% | 71% | 86% | 75% | 76% | 81% | 86% | 88% |
| Social media policy | 75% | 74% | 79% | 84% | 71% | 75% | 74% | 72% | 77% | 65% | 73% | 85% | 86% |
| Document retention policy | 74% | 72% | 82% | 79% | 71% | 73% | 66% | 66% | 73% | 65% | 68% | 85% | 84% |
| Website privacy policy | 68% | 67% | 76% | 71% | 67% | 67% | 60% | 64% | 76% | 69% | 70% | 71% | 69% |
| Employee manual acceptance policy | 65% | 66% | 61% | 68% | 64% | 70% | 51% | 50% | 40% | 69% | 69% | 65% | 56% |
| Internet privacy policy | 64% | 64% | 67% | 67% | 64% | 62% | 54% | 64% | 73% | 59% | 60% | 69% | 73% |
| Identity and access management | 57% | 56% | 63% | 65% | 55% | 57% | 63% | 72% | 48% | 52% | 58% | 59% | 71% |
| BYOD policy | 42% | 42% | 46% | 52% | 37% | 45% | 40% | 38% | 35% | 34% | 40% | 50% | 61% |
| Data map | 18% | 17% | 20% | 18% | 18% | 20% | 14% | 12% | 10% | 13% | 19% | 16% | 27% |
| None of the above | 1% | 1% | 0% | <1% | 1% | 1% | 3% | 0% | 1% | 1% | 1% | <1% | 0% |
| Don't know/Not sure | 3% | 2% | 3% | 1% | 2% | 3% | 3% | 2% | 1% | 3% | 2% | <1% | 1% |

*Multiple responses possible. Percentages may sum to greater than 100%.
Does your organization currently have any of the following policies in place? (Select all that apply) (Cont'd): crosstab by total number of employees in organization/company, size of your law department (all staff in all locations), and whether the employer is a global entity

| | Less than 100 employees | 100-499 employees | 500-4,999 employees | 5,000 or more employees | Law dept: 1 employee | Law dept: 2 to 9 | Law dept: 10 to 24 | Law dept: 25 to 49 | Law dept: 50 or more | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 140 | 231 | 304 | 243 | 174 | 483 | 120 | 62 | 89 | 527 | 390 |
| Password policy | 71% | 78% | 84% | 86% | 72% | 80% | 90% | 87% | 87% | 81% | 81% |
| Social media policy | 59% | 66% | 78% | 88% | 57% | 75% | 88% | 85% | 84% | 77% | 72% |
| Document retention policy | 67% | 61% | 76% | 87% | 61% | 71% | 85% | 82% | 90% | 74% | 74% |
| Website privacy policy | 61% | 68% | 71% | 70% | 57% | 72% | 65% | 73% | 73% | 72% | 65% |
| Employee manual acceptance policy | 65% | 65% | 68% | 60% | 64% | 68% | 57% | 63% | 64% | 63% | 67% |
| Internet privacy policy | 56% | 58% | 66% | 72% | 50% | 66% | 69% | 68% | 78% | 67% | 61% |
| Identity and access management | 49% | 55% | 55% | 67% | 44% | 56% | 58% | 76% | 75% | 60% | 54% |
| BYOD policy | 26% | 40% | 43% | 55% | 26% | 41% | 55% | 47% | 66% | 43% | 42% |
| Data map | 12% | 16% | 15% | 25% | 10% | 16% | 23% | 26% | 31% | 19% | 15% |
| None of the above | 2% | 1% | <1% | 0% | 2% | <1% | 0% | 0% | 0% | <1% | 1% |
| Don't know/Not sure | 5% | 3% | 1% | 2% | 4% | 2% | 1% | 2% | 3% | 2% | 3% |

*Multiple responses possible. Percentages may sum to greater than 100%.
Is a member of the legal department on the company’s data breach response team?
Sixty-one percent of respondents say that they themselves or another member of their department is on the data breach team. Nine percent say that no member of the legal department is on the data breach team, while 30 percent say their company has no formal data breach response team. Forty-nine percent of CLOs/GC say they are a member of the data breach response team compared with 29 percent of all other respondents. The highest percentage of respondents saying they are personally a member of their data breach team comes from the US with 49 percent, compared with 28 percent in the EMEA region and 27 percent in Asia Pacific.
MEMBER OF LEGAL DEPARTMENT ON DATA BREACH TEAM?
Yes, I am or someone else is: 61%
No member of the legal department is on the data breach response team: 9%
Company does not have a formal data breach response team: 30%
Is a member of the legal department on the company’s data breach response team? (Cont’d)

Breakdown by title (CLO/GC vs. others), breach experience, region (office location) and organization’s total gross revenue for the last fiscal year (US $):

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 924 | 720 | 200 | 264 | 540 | 665 | 35 | 50 | 92 | 278 | 177 | 208 | 145
Yes, I am or someone else is | 61% | 61% | 63% | 69% | 57% | 65% | 54% | 40% | 43% | 53% | 62% | 69% | 74%
Yes, I am | 44% | 49% | 29% | 47% | 44% | 49% | 34% | 28% | 27% | 49% | 55% | 42% | 34%
Yes, other member of department | 17% | 12% | 35% | 22% | 13% | 17% | 20% | 12% | 16% | 4% | 7% | 26% | 41%
No member of department on data breach response team | 9% | 9% | 8% | 8% | 10% | 7% | 9% | 18% | 9% | 9% | 11% | 5% | 8%
Company does not have a formal data breach response team | 30% | 31% | 29% | 23% | 34% | 27% | 37% | 42% | 48% | 38% | 27% | 26% | 18%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by total number of employees in organization/company, size of law department (all staff in all locations) and whether the employer is a global entity:

Response | Less than 100 employees | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 | 10 to 24 | 25 to 49 | 50 or more | Global entity: Yes | Global entity: No
n= | 139 | 230 | 302 | 238 | 174 | 479 | 119 | 60 | 86 | 521 | 387
Yes, I am or someone else is | 43% | 62% | 61% | 72% | 42% | 60% | 76% | 77% | 78% | 62% | 61%
Yes, I am | 41% | 56% | 47% | 31% | 41% | 51% | 40% | 35% | 27% | 40% | 49%
Yes, other member of department | 2% | 6% | 14% | 41% | 1% | 9% | 36% | 42% | 51% | 21% | 12%
No member of department on data breach response team | 6% | 9% | 12% | 6% | 16% | 8% | 7% | 3% | 5% | 9% | 8%
Company does not have a formal data breach response team | 50% | 30% | 27% | 22% | 42% | 32% | 17% | 20% | 17% | 30% | 31%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Does your organization have cybersecurity insurance?
Forty-seven percent of respondents say that their organization has cybersecurity insurance, while 26 percent say their organization does not have insurance. One in five were not certain of their company’s cyberinsurance status. Smaller law departments and organizations with lower revenues tend to be more likely to have cybersecurity insurance. The highest percentage of respondents to report having cyberinsurance comes from the US with 53 percent, compared with the lowest percentage (25 percent) in Asia Pacific.
DOES YOUR ORGANIZATION HAVE CYBERSECURITY INSURANCE?
Yes: 47%
No: 26%
Self-insurance: 4%
Don’t know/Not sure: 22%
Does your organization have cybersecurity insurance? (Cont’d)

Breakdown by title (CLO/GC vs. others), breach experience, region (office location) and organization’s total gross revenue for the last fiscal year (US $):

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 875 | 682 | 191 | 257 | 520 | 638 | 35 | 46 | 84 | 263 | 171 | 197 | 140
Yes | 47% | 50% | 37% | 53% | 44% | 53% | 37% | 30% | 25% | 53% | 57% | 49% | 36%
No | 26% | 28% | 19% | 24% | 29% | 26% | 29% | 33% | 30% | 29% | 30% | 25% | 19%
Self-insurance | 4% | 4% | 7% | 6% | 3% | 5% | 3% | 2% | 6% | 2% | 4% | 4% | 11%
Don’t know/Not sure | 22% | 18% | 36% | 17% | 24% | 16% | 31% | 35% | 39% | 16% | 9% | 22% | 33%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by total number of employees in organization/company, size of law department (all staff in all locations) and whether the employer is a global entity:

Response | Less than 100 employees | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 | 10 to 24 | 25 to 49 | 50 or more | Global entity: Yes | Global entity: No
n= | 127 | 217 | 289 | 228 | 165 | 449 | 115 | 59 | 84 | 499 | 365
Yes | 32% | 61% | 52% | 38% | 45% | 53% | 45% | 44% | 29% | 45% | 50%
No | 41% | 27% | 26% | 19% | 32% | 28% | 22% | 25% | 14% | 24% | 30%
Self-insurance | 2% | 2% | 3% | 9% | 3% | 3% | 5% | 5% | 13% | 5% | 3%
Don’t know/Not sure | 25% | 10% | 19% | 34% | 20% | 16% | 28% | 25% | 44% | 25% | 17%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Please select the answer that best describes the level of monetary coverage for your company’s cybersecurity insurance plan (in US $).
Two-thirds of those who report their company has a cybersecurity insurance plan say the coverage is US $1 million or more. Those in companies with the highest annual company revenue were most likely to be unsure of the company’s amount of coverage.
AMOUNT OF CYBERSECURITY INSURANCE COVERAGE
Less than $50,000: 9%
$50,000 to $99,999: 2%
$100,000 to $499,999: 5%
$500,000 to $999,999: 2%
$1 million or more: 66%
Don’t know/Not sure: 16%
Please select the answer that best describes the level of monetary coverage for your company’s cybersecurity insurance plan (in US $). (Convert to US dollars using the currency conversion tool below) (Cont’d)

Breakdown by title (CLO/GC vs. others), breach experience, region (office location) and organization’s total gross revenue for the last fiscal year (US $):

Coverage | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 355 | 295 | 59 | 115 | 203 | 298 | 10 | 13 | 17 | 132 | 81 | 78 | 42
Less than $1,000 | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
$1,000 to $4,999 | 1% | 1% | 2% | 2% | <1% | 1% | 0% | 0% | 0% | 2% | 2% | 0% | 0%
$5,000 to $9,999 | 3% | 3% | 2% | 3% | 3% | 3% | 0% | 0% | 0% | 3% | 2% | 3% | 2%
$10,000 to $14,999 | 3% | 2% | 3% | 4% | 1% | 3% | 0% | 0% | 0% | 3% | 1% | 5% | 0%
$15,000 to $19,999 | <1% | <1% | 0% | 0% | <1% | <1% | 0% | 0% | 0% | 0% | 0% | 1% | 0%
$20,000 to $29,999 | 1% | 1% | 2% | 2% | 1% | 1% | 0% | 0% | 6% | 1% | 1% | 0% | 7%
$30,000 to $39,999 | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
$40,000 to $49,999 | <1% | <1% | 0% | 1% | 0% | <1% | 0% | 0% | 0% | 0% | 0% | 1% | 0%
$50,000 to $99,999 | 2% | 2% | 2% | 1% | 3% | 2% | 20% | 0% | 6% | 0% | 4% | 3% | 5%
$100,000 to $499,999 | 5% | 5% | 3% | 5% | 4% | 4% | 10% | 8% | 6% | 8% | 2% | 0% | 5%
$500,000 to $999,999 | 2% | 2% | 3% | 2% | 2% | 2% | 10% | 0% | 0% | 4% | 1% | 3% | 0%
$1 million or more | 66% | 68% | 56% | 61% | 67% | 67% | 50% | 62% | 59% | 67% | 75% | 72% | 48%
Don’t know/Not sure | 16% | 14% | 27% | 19% | 15% | 15% | 10% | 31% | 24% | 12% | 10% | 13% | 33%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by total number of employees in organization/company, size of law department (all staff in all locations) and whether the employer is a global entity:

Coverage | Less than 100 employees | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 | 10 to 24 | 25 to 49 | 50 or more | Global entity: Yes | Global entity: No
n= | 36 | 120 | 123 | 72 | 63 | 210 | 44 | 21 | 17 | 192 | 159
Less than $1,000 | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
$1,000 to $4,999 | 6% | 1% | 1% | 0% | 2% | 1% | 0% | 0% | 0% | 0% | 3%
$5,000 to $9,999 | 3% | 3% | 2% | 3% | 0% | 3% | 7% | 5% | 0% | 3% | 3%
$10,000 to $14,999 | 6% | 1% | 2% | 4% | 3% | 2% | 2% | 0% | 6% | 2% | 3%
$15,000 to $19,999 | 0% | 0% | 0% | 1% | 0% | <1% | 0% | 0% | 0% | 1% | 0%
$20,000 to $29,999 | 3% | 1% | 0% | 4% | 2% | <1% | 0% | 10% | 6% | 1% | 2%
$30,000 to $39,999 | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
$40,000 to $49,999 | 0% | 0% | 1% | 0% | 0% | 0% | 2% | 0% | 0% | 0% | 1%
$50,000 to $99,999 | 3% | 3% | 2% | 3% | 3% | 1% | 2% | 5% | 6% | 3% | 2%
$100,000 to $499,999 | 6% | 8% | 2% | 3% | 5% | 6% | 2% | 0% | 0% | 5% | 4%
$500,000 to $999,999 | 11% | 2% | 1% | 1% | 6% | 1% | 2% | 0% | 0% | 3% | 2%
$1 million or more | 50% | 68% | 74% | 60% | 68% | 67% | 70% | 67% | 35% | 68% | 64%
Don’t know/Not sure | 14% | 13% | 15% | 21% | 11% | 17% | 11% | 14% | 47% | 16% | 16%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
How confident are you that your company has the right coverage for a cybersecurity event?
Just 13 percent of those in organizations with cybersecurity insurance are extremely confident (choosing 9 or 10 on a scale of 10) in the amount of coverage they have in case of a breach. But only 9 percent place themselves at the low end of the scale (choosing 3 or lower on a scale of 10).
CONFIDENCE COMPANY HAS RIGHT CYBERSECURITY COVERAGE
1 Not at all confident: 1%
2: 2%
3: 6%
4: 7%
5: 20%
6: 15%
7: 14%
8: 22%
9: 9%
10 Extremely confident: 4%
How confident are you that your company has the right coverage for a cybersecurity event? (Cont’d)

Breakdown by title (CLO/GC vs. others), breach experience, region (office location) and organization’s total gross revenue for the last fiscal year (US $):

Rating | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 381 | 318 | 62 | 128 | 208 | 315 | 11 | 14 | 20 | 129 | 95 | 85 | 48
1 - Not at all confident | 1% | 1% | 0% | 2% | <1% | 1% | 0% | 0% | 0% | 2% | 1% | 1% | 0%
2 | 2% | 2% | 3% | 3% | 2% | 3% | 0% | 0% | 0% | 3% | 2% | 2% | 2%
3 | 6% | 6% | 10% | 3% | 8% | 6% | 27% | 14% | 0% | 8% | 6% | 5% | 2%
4 | 7% | 7% | 6% | 5% | 8% | 7% | 9% | 7% | 10% | 5% | 12% | 7% | 6%
5 | 20% | 21% | 13% | 21% | 18% | 19% | 27% | 21% | 5% | 19% | 22% | 21% | 17%
6 | 15% | 14% | 18% | 13% | 16% | 14% | 9% | 14% | 25% | 11% | 17% | 15% | 15%
7 | 14% | 14% | 13% | 16% | 12% | 16% | 0% | 0% | 10% | 15% | 9% | 15% | 17%
8 | 22% | 21% | 27% | 23% | 22% | 22% | 18% | 36% | 30% | 25% | 16% | 24% | 31%
9 | 9% | 9% | 6% | 11% | 8% | 9% | 0% | 7% | 10% | 8% | 9% | 7% | 6%
10 - Extremely confident | 4% | 4% | 3% | 3% | 5% | 4% | 9% | 0% | 10% | 5% | 5% | 2% | 4%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by total number of employees in organization/company, size of law department (all staff in all locations) and whether the employer is a global entity:

Rating | Less than 100 employees | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 | 10 to 24 | 25 to 49 | 50 or more | Global entity: Yes | Global entity: No
n= | 34 | 127 | 140 | 76 | 67 | 225 | 46 | 23 | 20 | 212 | 164
1 - Not at all confident | 0% | 2% | 1% | 0% | 0% | 2% | 0% | 0% | 0% | 1% | 1%
2 | 6% | 3% | 1% | 3% | 1% | 3% | 0% | 9% | 0% | 1% | 4%
3 | 15% | 7% | 4% | 5% | 13% | 5% | 4% | 0% | 5% | 8% | 5%
4 | 0% | 9% | 6% | 8% | 6% | 8% | 7% | 13% | 0% | 8% | 7%
5 | 12% | 21% | 21% | 20% | 21% | 19% | 24% | 17% | 20% | 17% | 23%
6 | 12% | 14% | 14% | 16% | 13% | 16% | 15% | 17% | 5% | 17% | 13%
7 | 18% | 9% | 17% | 14% | 15% | 14% | 9% | 13% | 25% | 14% | 13%
8 | 24% | 20% | 22% | 28% | 21% | 20% | 33% | 17% | 35% | 25% | 20%
9 | 12% | 10% | 9% | 4% | 4% | 11% | 4% | 13% | 5% | 9% | 7%
10 - Extremely confident | 3% | 5% | 4% | 3% | 4% | 4% | 4% | 0% | 5% | 1% | 7%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Please describe how your company determined the amount of insurance needed for effective coverage.
In determining the amount of insurance coverage, the following were common approaches used by companies:
• worked with an insurance broker
• based coverage levels on contractual requirements
• benchmarked similar markets/organizations
• conducted risk analysis
• based coverage on number of records and cost of breach
Examples shared by in-house respondents are listed below.
A full study was carried out to determine the cyber risks we face, what controls we have in place, what mitigations plans we need to put in place, and the residual risk that we want to insure.
Cyberinsurance attorney.
Comparison of coverage levels and premiums.
Advice of our insurance broker based on our operations.
Amount required to meet contractual requirements from customers.
Analysis of 10 largest customers’ exposure.
Analysis of risks/threats taken by outside risk management firm.
As the leading cybersecurity consulting company, size and number of clients and fast-changing nature of business risks determine ever-increasing levels of coverage.
Assessment of likely damages that would follow an incident.
Audited by independent brokers.
Based on availability and premiums, weighed against likely expense associated with a breach.
Based on how much our customers required us to have contractually.
Benchmark comparisons with other similar companies and considering our size and potential losses.
Broker provided weighted risks, amounts of prior settlements, etc. for analysis.
CIO made decision.
Combination of availability and what company was willing to afford.
Combination of size of our business and availability in the market.
Contractual liability.
Cost of rectification/mitigation and likely damages.
Cross-functional committee.
Customer/vendor requirements.
Deep-dive analysis and risk assessment of company and comparison to market.
Discussion with agent, IT, comparable for like industries, and outside counsel.
Established by government insurer.
Estimated average direct sales online + estimated costs of notification/legal compliance/fines/penalties + consideration of industry-related average cost of breach surveys + comfort margin.
Estimated the cost to respond on a per-record basis.
Highest level available given PCI compliance.
It is incorporated in our E&O coverage; we have had no claims or losses so we felt the coverage was sufficient to meet our realistic needs.
Legacy coverage. We are reassessing the coverage and amounts.
Likeliest body of data that could be breached, factoring in reasonably likely containment abilities and the likely costs associated with same.
Market study of coverage taken by competitors and similar businesses but adjusted for our business model.
Number of policyholders times various stress-test scenarios.
Our IT team worked with me and our broker.
Our risk management department conducted a comprehensive review.
Ponemon study.
Risk management based on industry and company.
What coverage was affordable.
Working with our CFO and insurance provider, we used a formula to determine adequate coverage.
Do you expect your company to decrease, maintain, or increase the amount of cybersecurity insurance coverage in the next year?
The majority of respondents (58 percent) expect their company to maintain their current cybersecurity coverage for the next year. Twenty-six percent expect an increase in coverage, while less than 1 percent expect a decrease. In-house lawyers in the US and EMEA most frequently cite expectations for a rise in coverage. Twenty-eight percent of respondents in the US and 29 percent in the EMEA region expect an increase in coverage next year, while only 8 percent in Canada expect an increase.
EXPECTATIONS FOR COMPANY’S CYBERSECURITY INSURANCE FOR THE UPCOMING YEAR
Decrease coverage: <1%
Maintain current coverage: 58%
Increase coverage: 26%
Don’t know/Not sure: 15%
Do you expect your company to decrease, maintain, or increase the amount of cybersecurity insurance coverage in the next year? (Cont’d)

Breakdown by title (CLO/GC vs. others), breach experience, region (office location) and organization’s total gross revenue for the last fiscal year (US $):

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 405 | 333 | 71 | 134 | 223 | 336 | 13 | 14 | 19 | 138 | 96 | 93 | 50
Decrease coverage | <1% | 1% | 0% | 1% | <1% | <1% | 0% | 0% | 0% | 1% | 0% | 0% | 2%
Maintain current coverage | 58% | 58% | 61% | 57% | 59% | 56% | 69% | 64% | 68% | 62% | 56% | 56% | 60%
Increase coverage | 26% | 27% | 21% | 29% | 26% | 28% | 8% | 29% | 16% | 26% | 30% | 28% | 18%
Don’t know/Not sure | 15% | 14% | 18% | 13% | 15% | 15% | 23% | 7% | 16% | 12% | 14% | 16% | 20%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by total number of employees in organization/company, size of law department (all staff in all locations) and whether the employer is a global entity:

Response | Less than 100 employees | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 | 10 to 24 | 25 to 49 | 50 or more | Global entity: Yes | Global entity: No
n= | 41 | 129 | 146 | 84 | 72 | 233 | 51 | 26 | 23 | 222 | 178
Decrease coverage | 0% | 0% | 1% | 1% | 0% | <1% | 0% | 4% | 0% | 1% | 0%
Maintain current coverage | 66% | 62% | 52% | 61% | 69% | 59% | 51% | 35% | 61% | 56% | 61%
Increase coverage | 17% | 26% | 31% | 21% | 17% | 28% | 29% | 35% | 17% | 27% | 25%
Don’t know/Not sure | 17% | 12% | 16% | 17% | 14% | 12% | 20% | 27% | 22% | 16% | 14%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Does your organization have mandatory training on cybersecurity for all employees?
Respondents are split over mandatory cybersecurity training at their place of work. Forty-five percent report they have mandatory training at their workplace for all employees, and 49 percent report there is no such training. About half of those in the US report there is mandatory cybersecurity training at their office. This is a significantly higher percentage than in other regions. Companies with the highest revenues, most employees, and largest law departments are more likely to have mandatory training.
MANDATORY CYBERSECURITY TRAINING FOR ALL EMPLOYEES
Yes: 45%
No: 49%
Don’t know/Not sure: 7%
Does your organization have mandatory training on cybersecurity for all employees? (Cont’d)

Breakdown by title (CLO/GC vs. others), breach experience, region (office location) and organization’s total gross revenue for the last fiscal year (US $):

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 863 | 669 | 191 | 260 | 503 | 635 | 34 | 48 | 88 | 257 | 170 | 198 | 139
Yes | 45% | 43% | 51% | 47% | 42% | 48% | 29% | 35% | 31% | 40% | 42% | 48% | 54%
No | 49% | 51% | 40% | 46% | 52% | 46% | 59% | 58% | 61% | 52% | 54% | 46% | 40%
Don’t know/Not sure | 7% | 6% | 9% | 7% | 7% | 6% | 12% | 6% | 8% | 7% | 4% | 6% | 6%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by total number of employees in organization/company, size of law department (all staff in all locations) and whether the employer is a global entity:

Response | Less than 100 employees | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 | 10 to 24 | 25 to 49 | 50 or more | Global entity: Yes | Global entity: No
n= | 121 | 215 | 286 | 228 | 158 | 446 | 113 | 58 | 85 | 489 | 363
Yes | 31% | 47% | 44% | 51% | 28% | 45% | 52% | 48% | 62% | 44% | 45%
No | 62% | 48% | 50% | 41% | 67% | 48% | 39% | 48% | 29% | 48% | 49%
Don’t know/Not sure | 7% | 6% | 6% | 8% | 5% | 7% | 9% | 3% | 8% | 7% | 6%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
How does your organization evaluate company preparedness at the employee level? (Select all that apply)
While 45 percent say mandatory training is in place, fewer are able to say whether employees understand or know how to respond to a threat. One in three in-house counsel report that their company tracks attendance for mandatory training as a means to evaluate preparedness at the employee level, while 19 percent test knowledge acquired during mandatory training. Seventeen percent report their company conducts mock security events. Forty-four percent of CLOs/GC do not know what efforts their organization undertakes to evaluate company preparedness. Those in smaller law departments and in companies with fewer employees have the highest percentage of in-house counsel without direct knowledge of this topic, indicating legal may not play a significant role in this matter in these departments.
HOW DOES YOUR ORGANIZATION EVALUATE COMPANY PREPAREDNESS AT THE EMPLOYEE LEVEL?
Track mandatory training requirement and attendance for all employees
33%
Test employees’ knowledge of mandatory training
19%
Hold mock security event 17%
Conduct tabletop exercises 12%
Review disciplinary actions for violations 9%
Other, please specify 4%
Don’t know/Not sure 43%
How does your organization evaluate company preparedness at the employee level? (Select all that apply) (Cont’d)

Breakdown by title (CLO/GC vs. others), breach experience, region (office location) and organization’s total gross revenue for the last fiscal year (US $):

Method | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 914 | 705 | 204 | 263 | 529 | 672 | 35 | 50 | 92 | 275 | 174 | 207 | 144
Hold mock security event | 17% | 18% | 17% | 22% | 14% | 18% | 6% | 22% | 23% | 11% | 14% | 25% | 28%
Test employees’ knowledge of mandatory training | 19% | 19% | 20% | 24% | 18% | 20% | 17% | 16% | 15% | 17% | 14% | 22% | 32%
Review disciplinary actions for violations | 9% | 8% | 11% | 13% | 7% | 8% | 3% | 18% | 11% | 6% | 10% | 11% | 13%
Track mandatory training requirement and attendance for all employees | 33% | 32% | 36% | 41% | 29% | 35% | 31% | 26% | 29% | 29% | 29% | 37% | 40%
Conduct tabletop exercises | 12% | 11% | 15% | 15% | 11% | 12% | 14% | 8% | 11% | 6% | 11% | 16% | 22%
Other, please specify | 4% | 4% | 3% | 2% | 4% | 4% | 6% | 2% | 3% | 4% | 6% | 4% | 1%
Don’t know/Not sure | 43% | 44% | 39% | 34% | 46% | 42% | 49% | 48% | 47% | 48% | 45% | 36% | 33%

Breakdown by total number of employees in organization/company, size of law department (all staff in all locations) and whether the employer is a global entity:

Method | Less than 100 employees | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 | 10 to 24 | 25 to 49 | 50 or more | Global entity: Yes | Global entity: No
n= | 136 | 227 | 298 | 237 | 167 | 473 | 119 | 61 | 88 | 513 | 383
Hold mock security event | 7% | 14% | 18% | 26% | 8% | 15% | 23% | 33% | 28% | 19% | 15%
Test employees’ knowledge of mandatory training | 13% | 20% | 16% | 27% | 13% | 16% | 24% | 28% | 40% | 19% | 20%
Review disciplinary actions for violations | 4% | 4% | 13% | 9% | 2% | 10% | 8% | 8% | 14% | 7% | 10%
Track mandatory training requirement and attendance for all employees | 26% | 32% | 34% | 38% | 20% | 34% | 34% | 39% | 48% | 30% | 36%
Conduct tabletop exercises | 4% | 8% | 11% | 21% | 3% | 10% | 18% | 25% | 25% | 12% | 13%
Other, please specify | 4% | 3% | 5% | 3% | 2% | 3% | 8% | 5% | 0% | 4% | 4%
Don’t know/Not sure | 50% | 44% | 41% | 37% | 57% | 43% | 35% | 33% | 28% | 46% | 39%
*Multiple response possible. Percentages may sum to greater than 100%.
Has your organization retained a forensic company to assist you should a breach occur?
One in four in-house counsel say their organization has retained a forensic company to assist in the event of a data breach. Lawyers working in the US and companies with US $3 billion or more in annual revenue were the most likely to have a forensic company on retainer. Companies with fewer than 100 employees were the least likely to have retained a forensic company.
ORGANIZATION RETAINING A FORENSIC COMPANY IN CASE OF A BREACH
Yes: 24%
No: 57%
Don’t know/Not sure: 19%
Has your organization retained a forensic company to assist you should a breach occur? (Cont’d)

Breakdown by title (CLO/GC vs. others), breach experience, region (office location) and organization’s total gross revenue for the last fiscal year (US $):

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 844 | 659 | 182 | 252 | 497 | 629 | 32 | 45 | 83 | 258 | 167 | 190 | 132
Yes | 24% | 25% | 22% | 37% | 17% | 26% | 19% | 20% | 18% | 15% | 22% | 30% | 42%
No | 57% | 61% | 41% | 45% | 64% | 59% | 56% | 58% | 48% | 73% | 69% | 50% | 28%
Don’t know/Not sure | 19% | 14% | 37% | 18% | 19% | 16% | 25% | 22% | 34% | 12% | 9% | 20% | 30%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by total number of employees in organization/company, size of law department (all staff in all locations) and whether the employer is a global entity:

Response | Less than 100 employees | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 | 10 to 24 | 25 to 49 | 50 or more | Global entity: Yes | Global entity: No
n= | 126 | 209 | 278 | 218 | 161 | 440 | 104 | 56 | 81 | 471 | 359
Yes | 10% | 17% | 27% | 36% | 14% | 22% | 30% | 39% | 41% | 27% | 21%
No | 83% | 68% | 55% | 34% | 80% | 63% | 47% | 27% | 14% | 51% | 66%
Don’t know/Not sure | 7% | 14% | 18% | 30% | 6% | 16% | 23% | 34% | 46% | 22% | 14%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Has your organization retained outside counsel to assist you should a breach occur?
One in three in-house counsel work in an organization that retains outside counsel to assist in the event of a breach. Lawyers who have worked or currently work in a company that experienced a breach are far more likely to say their organization has retained outside counsel (44 percent) compared with those who have not directly experienced a breach (26 percent). In-house lawyers in the US are more likely to have retained outside counsel for this purpose than those in all other regions. Lawyers in larger law departments, in larger companies as determined by annual company revenue and number of employees, and in global companies (36 percent, as opposed to 29 percent in domestically focused companies) all have a higher percentage of lawyers who report that their company retains outside counsel to help in the event of a breach.
ORGANIZATION RETAINS OUTSIDE COUNSEL IN CASE OF BREACH
Yes: 33%
No: 58%
Don’t know/Not sure: 9%
Has your organization retained outside counsel to assist you should a breach occur? (Cont’d)

Breakdown by title (CLO/GC vs. others), breach experience, region (office location) and organization’s total gross revenue for the last fiscal year (US $):

Response | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 850 | 664 | 182 | 248 | 501 | 635 | 31 | 44 | 84 | 264 | 165 | 189 | 130
Yes | 33% | 33% | 35% | 44% | 26% | 35% | 29% | 23% | 26% | 22% | 35% | 40% | 48%
No | 58% | 63% | 40% | 50% | 65% | 58% | 65% | 61% | 64% | 73% | 62% | 52% | 36%
Don’t know/Not sure | 9% | 4% | 25% | 6% | 9% | 8% | 6% | 16% | 10% | 5% | 2% | 7% | 15%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by total number of employees in organization/company, size of law department (all staff in all locations) and whether the employer is a global entity:

Response | Less than 100 employees | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 | 10 to 24 | 25 to 49 | 50 or more | Global entity: Yes | Global entity: No
n= | 127 | 215 | 281 | 214 | 160 | 446 | 108 | 56 | 77 | 474 | 362
Yes | 13% | 26% | 37% | 49% | 15% | 32% | 47% | 52% | 48% | 36% | 29%
No | 83% | 68% | 57% | 36% | 82% | 62% | 45% | 27% | 26% | 53% | 65%
Don’t know/Not sure | 5% | 6% | 6% | 16% | 3% | 6% | 7% | 21% | 26% | 11% | 6%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
How frequently does the legal department brief the board of directors on the subject of cybersecurity?
Most in-house counsel report that their legal department briefs the board of directors on cybersecurity on an ad-hoc basis. One in five GC/CLOs say the department never updates the board of directors. A slightly higher percentage of in-house lawyers in the US say they brief the board on a regular basis (yearly or quarterly) than those in other regions.
FREQUENCY LEGAL DEPARTMENT BRIEFS BOARD OF DIRECTORS ON CYBERSECURITY
Never: 19%
Weekly: 0%
Monthly: 1%
Quarterly: 11%
Yearly: 11%
Ad hoc (as needed): 40%
Other - please specify: 4%
Don’t know/Not sure: 14%
How frequently does the legal department brief the board of directors on the subject of cybersecurity? (Cont’d)

Breakdown by title (CLO/GC vs. others), breach experience, region (office location) and organization’s total gross revenue for the last fiscal year (US $):

Frequency | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 858 | 662 | 192 | 255 | 503 | 634 | 34 | 46 | 85 | 261 | 166 | 197 | 138
Never | 19% | 20% | 16% | 17% | 22% | 19% | 26% | 17% | 22% | 26% | 20% | 13% | 12%
Weekly | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
Monthly | 1% | 1% | 0% | 1% | 1% | 1% | 0% | 2% | 4% | 1% | 1% | 1% | 1%
Quarterly | 11% | 11% | 13% | 13% | 9% | 13% | 9% | 2% | 8% | 7% | 12% | 18% | 12%
Yearly | 11% | 12% | 6% | 15% | 10% | 12% | 6% | 9% | 4% | 8% | 16% | 14% | 10%
Ad hoc (as needed) | 40% | 44% | 27% | 36% | 42% | 39% | 32% | 43% | 44% | 47% | 44% | 37% | 28%
Other, please specify | 4% | 5% | 3% | 5% | 4% | 4% | 9% | 7% | 2% | 3% | 4% | 5% | 7%
Don’t know/Not sure | 14% | 7% | 36% | 13% | 12% | 12% | 18% | 20% | 16% | 8% | 4% | 13% | 29%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Breakdown by total number of employees in organization/company, size of law department (all staff in all locations) and whether the employer is a global entity:

Frequency | Less than 100 employees | 100-499 | 500-4,999 | 5,000 or more | Law dept: 1 employee | 2 to 9 | 10 to 24 | 25 to 49 | 50 or more | Global entity: Yes | Global entity: No
n= | 127 | 211 | 284 | 224 | 156 | 444 | 111 | 59 | 86 | 483 | 363
Never | 22% | 25% | 22% | 10% | 28% | 22% | 14% | 7% | 3% | 19% | 20%
Weekly | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0%
Monthly | 1% | 1% | 2% | <1% | 1% | 2% | 0% | 0% | 1% | 1% | 1%
Quarterly | 6% | 9% | 14% | 13% | 6% | 11% | 15% | 20% | 9% | 9% | 14%
Yearly | 9% | 13% | 10% | 12% | 10% | 11% | 11% | 15% | 10% | 12% | 9%
Ad hoc (as needed) | 54% | 41% | 39% | 32% | 50% | 41% | 40% | 24% | 27% | 38% | 43%
Other, please specify | 2% | 5% | 4% | 5% | 2% | 3% | 10% | 5% | 5% | 4% | 5%
Don’t know/Not sure | 6% | 7% | 11% | 28% | 4% | 10% | 11% | 29% | 44% | 17% | 8%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Thinking about your role and responsibilities regarding cybersecurity, would you prefer to expand, decrease, or maintain your current level of involvement?The majority of in-house counsel would like to expand their role and responsibilities when it comes to cybersecu-rity. Those not in the GC or CLO role were slightly more likely to desire a greater role compared with GC/CLOs.
PREFERENCE REGARDING CYBERSECURITY ROLE AND RESPONSIBILITIES
Increase role and responsibilities: 52%
Maintain current role and responsibilities: 44%
Decrease role and responsibilities: 4%
(Cont'd) Thinking about your role and responsibilities regarding cybersecurity, would you prefer to expand, decrease, or maintain your current level of involvement?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 846 | 655 | 188 | 247 | 495 | 627 | 33 | 47 | 90 | 260 | 164 | 196 | 134
Decrease role and responsibilities | 4% | 3% | 7% | 5% | 3% | 4% | 9% | 2% | 0% | 6% | 4% | 3% | 3%
Maintain current role and responsibilities | 44% | 47% | 36% | 46% | 43% | 44% | 42% | 47% | 47% | 36% | 48% | 51% | 49%
Increase role and responsibilities | 52% | 50% | 57% | 49% | 54% | 52% | 48% | 51% | 53% | 58% | 48% | 46% | 48%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 124 | 216 | 277 | 219 | 153 | 446 | 107 | 58 | 79 | 478 | 353
Decrease role and responsibilities | 2% | 5% | 3% | 5% | 3% | 5% | 3% | 3% | 3% | 4% | 4%
Maintain current role and responsibilities | 40% | 40% | 47% | 47% | 35% | 46% | 52% | 36% | 51% | 42% | 47%
Increase role and responsibilities | 57% | 55% | 49% | 48% | 63% | 50% | 45% | 60% | 47% | 53% | 49%
Total | 100% in every column
Do you expect your legal department's role in cybersecurity to increase, decrease, or stay the same in the next 12 months?

In addition to growth in their individual role, a majority of in-house counsel expect their legal department's role in cybersecurity to increase. Four in 10 believe the department's role will remain the same. Those in larger companies were slightly more likely to say they expect their department's role to grow in the coming year.
EXPECTATIONS OF LEGAL DEPARTMENT'S CYBERSECURITY ROLE OVER THE NEXT YEAR
Increase: 59%
Stay the same: 40%
Decrease: 1%
(Cont'd) Do you expect your legal department's role in cybersecurity to increase, decrease, or stay the same in the next 12 months?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 868 | 674 | 191 | 252 | 508 | 646 | 33 | 48 | 89 | 265 | 164 | 203 | 139
Decrease | 1% | 1% | 2% | 2% | 1% | 1% | 0% | 2% | 0% | 1% | 1% | 2% | 1%
Stay the same | 40% | 42% | 34% | 40% | 41% | 41% | 42% | 40% | 37% | 40% | 43% | 40% | 39%
Increase | 59% | 57% | 65% | 59% | 58% | 58% | 58% | 58% | 63% | 60% | 57% | 58% | 60%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 125 | 220 | 283 | 229 | 157 | 452 | 116 | 58 | 83 | 488 | 365
Decrease | 0% | 1% | 1% | 1% | 1% | 1% | 3% | 0% | 1% | 1% | 1%
Stay the same | 42% | 42% | 43% | 34% | 40% | 43% | 40% | 34% | 29% | 38% | 43%
Increase | 58% | 57% | 56% | 65% | 59% | 56% | 58% | 66% | 70% | 61% | 56%
Total | 100% in every column
How confident are you that your third-party affiliates/vendors protect you from cybersecurity risks?

Sixty-seven percent of respondents are at least somewhat confident that their third-party/outside vendor will protect them from cyber risks. Seventeen percent are not at all confident, while 15 percent are unsure. Twenty percent of those who have experienced a breach are not at all confident they will be protected, compared with 15 percent of those who have not experienced a breach. Respondents in the EMEA region are the least confident with 27 percent, while 71 percent of those in Canada say they are at least somewhat confident in being protected. There is not a large degree of variation in confidence of outside vendors across organization revenue, size, or law department size.
CONFIDENCE THIRD PARTIES ARE PROTECTING COMPANY FROM CYBERSECURITY RISK?
Very confident: 7%
Somewhat confident: 60%
Not at all confident: 17%
Don't know/Not sure: 15%
(Cont'd) How confident are you that your third-party affiliates/vendors protect you from cybersecurity risks?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 851 | 660 | 188 | 252 | 498 | 643 | 34 | 49 | 85 | 263 | 168 | 188 | 133
Not at all confident | 17% | 16% | 19% | 20% | 15% | 17% | 21% | 27% | 11% | 15% | 21% | 16% | 19%
Somewhat confident | 60% | 62% | 54% | 60% | 61% | 60% | 65% | 53% | 62% | 62% | 57% | 59% | 62%
Very confident | 7% | 7% | 8% | 6% | 9% | 8% | 6% | 4% | 6% | 8% | 9% | 6% | 6%
Don't know/Not sure | 15% | 15% | 19% | 14% | 15% | 14% | 9% | 16% | 21% | 15% | 13% | 19% | 13%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 125 | 220 | 274 | 220 | 159 | 443 | 111 | 58 | 77 | 475 | 365
Not at all confident | 14% | 17% | 18% | 18% | 21% | 14% | 21% | 24% | 14% | 19% | 15%
Somewhat confident | 64% | 65% | 55% | 60% | 60% | 62% | 54% | 60% | 60% | 60% | 60%
Very confident | 8% | 6% | 8% | 8% | 6% | 8% | 8% | 7% | 6% | 6% | 9%
Don't know/Not sure | 14% | 12% | 19% | 14% | 12% | 16% | 17% | 9% | 19% | 15% | 15%
Total | 100% in every column
How confident are you that the outside law firms your company employs are appropriately managing the security of client data?

Seventy-four percent of respondents are at least somewhat confident that their outside law firms are appropriately managing their data security. Ten percent are not at all confident, and 15 percent are unsure. Among those who have experienced a data breach, 14 percent are not at all confident, compared with 9 percent of those who have not experienced a data breach. Eighteen percent of respondents are not at all confident in the EMEA region, while only 1 percent report this lack of confidence in the Asia Pacific region. A higher percentage of respondents in higher revenue and larger companies report this lack of confidence in their outside law firms' data management.
CONFIDENCE YOUR OUTSIDE LAW FIRMS ARE APPROPRIATELY MANAGING CLIENTS' DATA SECURITY?
Very confident: 22%
Somewhat confident: 52%
Not at all confident: 10%
Don't know/Not sure: 15%
(Cont'd) How confident are you that the outside law firms your company employs are appropriately managing the security of client data?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 815 | 634 | 178 | 244 | 471 | 607 | 35 | 49 | 83 | 236 | 161 | 187 | 133
Not at all confident | 10% | 10% | 10% | 14% | 9% | 11% | 14% | 18% | 1% | 10% | 9% | 11% | 14%
Somewhat confident | 52% | 53% | 51% | 54% | 50% | 54% | 43% | 47% | 47% | 50% | 58% | 53% | 49%
Very confident | 22% | 22% | 22% | 20% | 24% | 20% | 26% | 24% | 35% | 22% | 20% | 20% | 24%
Don't know/Not sure | 15% | 15% | 16% | 12% | 17% | 15% | 17% | 10% | 17% | 19% | 13% | 16% | 13%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 112 | 205 | 266 | 219 | 143 | 425 | 109 | 57 | 78 | 470 | 333
Not at all confident | 9% | 8% | 10% | 13% | 12% | 8% | 10% | 19% | 12% | 11% | 9%
Somewhat confident | 51% | 56% | 50% | 52% | 51% | 52% | 54% | 60% | 51% | 51% | 54%
Very confident | 24% | 23% | 20% | 22% | 22% | 23% | 23% | 11% | 24% | 22% | 22%
Don't know/Not sure | 16% | 14% | 19% | 12% | 15% | 17% | 13% | 11% | 13% | 15% | 15%
Total | 100% in every column
Are third parties, such as vendors/agents, required to notify you of cybersecurity risks/breaches that they experience?

Sixty-one percent of respondents say that third parties are required to notify them if they become aware of a breach. Fifteen percent said they were not required to be notified. Regionally, the highest percentage of respondents saying they required notification were from the US (64 percent), while the lowest came from the EMEA region with 40 percent. Fifty-seven percent of respondents who work for companies that conduct business internationally were required to be notified, compared with 66 percent of those in companies that are not global entities. Larger organizations and those with higher revenues also tend to have a slightly higher percentage of respondents saying they require notification.
THIRD PARTIES REQUIRED TO NOTIFY YOU OF CYBERSECURITY RISKS/BREACHES THEY EXPERIENCE?
Yes: 61%
No: 15%
Don't know/Not sure: 24%
(Cont'd) Are third parties, such as vendors/agents, required to notify you of cybersecurity risks/breaches that they experience?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 849 | 656 | 190 | 248 | 500 | 638 | 34 | 48 | 85 | 263 | 163 | 189 | 136
Yes | 61% | 61% | 63% | 65% | 59% | 64% | 56% | 40% | 56% | 60% | 63% | 65% | 65%
No | 15% | 16% | 12% | 13% | 17% | 13% | 18% | 25% | 22% | 14% | 20% | 15% | 10%
Don't know/Not sure | 24% | 23% | 25% | 22% | 24% | 24% | 26% | 35% | 21% | 26% | 17% | 20% | 24%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 131 | 213 | 272 | 222 | 157 | 443 | 108 | 58 | 79 | 476 | 361
Yes | 53% | 63% | 63% | 64% | 50% | 64% | 58% | 64% | 68% | 57% | 66%
No | 17% | 13% | 17% | 10% | 19% | 15% | 14% | 12% | 4% | 16% | 14%
Don't know/Not sure | 31% | 24% | 20% | 26% | 31% | 20% | 28% | 24% | 28% | 27% | 20%
Total | 100% in every column
Have you ever terminated a contractual relationship because of cybersecurity risks?

Eleven percent of respondents report terminating a contractual relationship due to cybersecurity risks. The vast majority (71 percent) have not, while 18 percent are unsure. A higher percentage of those who have experienced a data breach report that they have terminated a contractual relationship due to cyber concerns (16 percent) than those who have not experienced a breach (9 percent). More respondents in the US have terminated a contract (13 percent) than those in the Asia Pacific (4 percent). Respondents in companies with higher revenues also tend to be more likely to have terminated a contract due to cyber concerns than lower-revenue-generating organizations.
EVER TERMINATED CONTRACTUAL RELATIONSHIP DUE TO CYBERSECURITY RISKS?
Yes: 11%
No: 71%
Don't know/Not sure: 18%
(Cont'd) Have you ever terminated a contractual relationship because of cybersecurity risks?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 844 | 655 | 186 | 251 | 498 | 639 | 33 | 47 | 84 | 263 | 162 | 190 | 133
Yes | 11% | 11% | 11% | 16% | 9% | 13% | 6% | 9% | 4% | 9% | 12% | 12% | 15%
No | 71% | 74% | 60% | 62% | 78% | 70% | 79% | 66% | 74% | 82% | 81% | 71% | 49%
Don't know/Not sure | 18% | 15% | 30% | 22% | 14% | 17% | 15% | 26% | 23% | 9% | 7% | 17% | 36%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 127 | 212 | 272 | 221 | 157 | 440 | 108 | 58 | 77 | 474 | 358
Yes | 6% | 10% | 13% | 12% | 6% | 11% | 10% | 17% | 16% | 9% | 13%
No | 86% | 81% | 71% | 55% | 86% | 75% | 67% | 50% | 35% | 71% | 72%
Don't know/Not sure | 9% | 8% | 17% | 33% | 8% | 13% | 23% | 33% | 49% | 20% | 15%
Total | 100% in every column
Have you ever terminated a pending merger/acquisition because of cybersecurity risks?

Only 1 percent of respondents report ever terminating a pending M&A due to cybersecurity risks. Eighty-nine percent say they have not, while 11 percent are unsure. There is little variation across regions, organizational revenue, company, or department size.
EVER TERMINATED PENDING MERGER/ACQUISITION DUE TO CYBERSECURITY RISKS?
Yes: 1%
No: 89%
Don't know/Not sure: 11%
(Cont'd) Have you ever terminated a pending merger/acquisition because of cybersecurity risks?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 836 | 650 | 183 | 245 | 495 | 631 | 33 | 46 | 84 | 257 | 162 | 188 | 133
Yes | 1% | 1% | 1% | <1% | 1% | 1% | 0% | 2% | 2% | 1% | 0% | 1% | 2%
No | 89% | 92% | 75% | 90% | 91% | 90% | 82% | 87% | 86% | 94% | 96% | 93% | 71%
Don't know/Not sure | 11% | 7% | 25% | 9% | 9% | 10% | 18% | 11% | 12% | 5% | 4% | 6% | 27%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 124 | 210 | 271 | 219 | 158 | 433 | 106 | 57 | 79 | 473 | 352
Yes | 1% | 1% | 0% | 2% | 1% | <1% | 0% | 0% | 5% | 1% | <1%
No | 95% | 94% | 92% | 77% | 93% | 94% | 87% | 82% | 57% | 87% | 92%
Don't know/Not sure | 4% | 5% | 8% | 21% | 6% | 5% | 13% | 18% | 38% | 12% | 8%
Total | 100% in every column
Is your company allocating more, less, or the same amount of (company) budget to cybersecurity compared with one year ago?

Fifty-three percent of respondents say that their company is allocating more of their budget toward cybersecurity than one year ago. Twenty-five percent are maintaining the same spend, 1 percent are decreasing their budget allocation, and 20 percent are unsure. Fifty-seven percent of respondents who have experienced a breach say their company is allocating more money, compared with 51 percent of those who have not experienced a breach. The highest percentage of respondents saying their company is allocating more money toward cybersecurity come from the US with 56 percent, while the lowest percentage of respondents come from the Asia Pacific region with 40 percent. A higher percentage of respondents in lower-revenue organizations, smaller companies, and smaller law departments report allocating more money to cybersecurity compared to those in their larger counterparts.
IS YOUR COMPANY ALLOCATING MORE, LESS, OR THE SAME AMOUNT OF (COMPANY) BUDGET TO CYBERSECURITY COMPARED WITH ONE YEAR AGO?
More: 53%
Same: 25%
Less: 1%
Don't know/Not sure: 20%
(Cont'd) Is your company allocating more, less, or the same amount of (company) budget to cybersecurity compared with one year ago?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 859 | 667 | 189 | 254 | 502 | 652 | 34 | 47 | 83 | 266 | 167 | 195 | 138
Less | 1% | 1% | 2% | 1% | 1% | 1% | 0% | 4% | 0% | 1% | 1% | 0% | 4%
Same | 25% | 28% | 18% | 22% | 29% | 26% | 26% | 15% | 27% | 34% | 29% | 22% | 12%
More | 53% | 56% | 45% | 57% | 51% | 56% | 47% | 51% | 40% | 50% | 57% | 56% | 59%
Don't know/Not sure | 20% | 16% | 35% | 20% | 20% | 17% | 26% | 30% | 34% | 15% | 13% | 22% | 25%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 127 | 214 | 278 | 228 | 163 | 441 | 114 | 57 | 81 | 486 | 361
Less | 1% | <1% | 1% | 1% | 0% | 1% | 0% | 2% | 2% | 1% | <1%
Same | 46% | 29% | 21% | 15% | 39% | 28% | 18% | 7% | 9% | 22% | 30%
More | 35% | 57% | 58% | 55% | 42% | 53% | 63% | 67% | 54% | 53% | 53%
Don't know/Not sure | 17% | 13% | 20% | 29% | 19% | 18% | 18% | 25% | 35% | 23% | 17%
Total | 100% in every column
Has your law department spend increased as a result of your company's approach to cybersecurity?

Law department spend has not increased for the majority (69 percent) of respondents due to their company's approach to cybersecurity. However, larger law departments with 50 or more employees were far more likely to report an increase in spend (33 percent) than respondents in much smaller law departments, reporting a 14 to 21 percent increase in spend. The Asia Pacific region had the lowest percentage of respondents reporting an increase in spend (8 percent), while the EMEA region had the highest percentage reporting an increase in spend (31 percent).
LAW DEPARTMENT SPEND INCREASED DUE TO COMPANY'S CYBERSECURITY APPROACH?
Yes: 23%
No: 69%
Don't know/Not sure: 9%
(Cont'd) Has your law department spend increased as a result of your company's approach to cybersecurity?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 854 | 663 | 188 | 252 | 501 | 644 | 34 | 48 | 86 | 264 | 167 | 195 | 137
Yes | 23% | 23% | 23% | 27% | 20% | 25% | 9% | 31% | 8% | 17% | 24% | 28% | 31%
No | 69% | 73% | 54% | 67% | 72% | 67% | 76% | 58% | 83% | 77% | 72% | 67% | 52%
Don't know/Not sure | 9% | 5% | 23% | 6% | 9% | 8% | 15% | 10% | 9% | 6% | 4% | 5% | 17%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 127 | 213 | 278 | 225 | 162 | 440 | 112 | 58 | 79 | 482 | 360
Yes | 14% | 17% | 27% | 28% | 14% | 21% | 32% | 29% | 33% | 26% | 19%
No | 77% | 77% | 68% | 57% | 81% | 73% | 59% | 55% | 39% | 65% | 74%
Don't know/Not sure | 9% | 5% | 5% | 15% | 6% | 5% | 9% | 16% | 28% | 10% | 7%
Total | 100% in every column
Please describe the increase in spend:

Among respondents who reported an increase in spend, 55 percent attributed this increase to outside spend, while 22 percent reported the increase was mainly inside spend. Growth in inside spend outpaced increases in outside spend in smaller companies with fewer than 100 employees (47 percent compared with 35 percent), while those in companies with 5,000 or more employees reported a much larger increase in outside spend than inside spend (62 percent compared with 17 percent).
HOW WAS THE INCREASE IN SPEND ALLOCATED?
Mainly outside spend: 55%
Mainly inside spend: 22%
Equally split: 23%
(Cont'd) Please describe the increase in spend:

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 185 | 147 | 38 | 67 | 91 | 152 | 3 | 14 | 6 | 42 | 39 | 53 | 39
Mainly outside spend | 55% | 53% | 63% | 58% | 51% | 59% | 33% | 43% | 33% | 48% | 64% | 47% | 64%
Mainly inside spend | 22% | 23% | 16% | 22% | 20% | 22% | 0% | 14% | 33% | 31% | 13% | 26% | 15%
Equally split between inside and outside spend | 23% | 24% | 21% | 19% | 30% | 19% | 67% | 43% | 33% | 21% | 23% | 26% | 21%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 17 | 33 | 73 | 60 | 20 | 92 | 33 | 16 | 24 | 118 | 66
Mainly outside spend | 35% | 61% | 51% | 62% | 60% | 53% | 55% | 50% | 63% | 53% | 59%
Mainly inside spend | 47% | 21% | 21% | 17% | 20% | 23% | 15% | 31% | 21% | 22% | 20%
Equally split between inside and outside spend | 18% | 18% | 29% | 22% | 20% | 24% | 30% | 19% | 17% | 25% | 21%
Total | 100% in every column
Is any portion of your law department's budget dedicated specifically to cybersecurity or related cyber issues?

The vast majority of respondents (83 percent) reported that no portion of their law department budget is dedicated specifically to cybersecurity. A higher percentage of respondents from larger law departments and organizations with higher revenues report having at least some portion of their budget dedicated to cybersecurity, but the majority of respondents in all cases report no such budget allocation. Respondents in the Asia Pacific region are the least likely to report a cyber-related budget allocation with only 1 percent, while the US had the highest percentage claiming some budget allocation to cyber with 11 percent.
ANY PORTION OF LAW DEPARTMENT BUDGET DEDICATED TO CYBERSECURITY?
Yes: 10%
No: 83%
Don't know/Not sure: 7%
(Cont'd) Is any portion of your law department's budget dedicated specifically to cybersecurity or related cyber issues?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 853 | 662 | 188 | 250 | 500 | 646 | 34 | 47 | 85 | 263 | 168 | 195 | 137
Yes | 10% | 8% | 14% | 11% | 8% | 11% | 3% | 4% | 1% | 6% | 10% | 10% | 20%
No | 83% | 90% | 62% | 83% | 85% | 81% | 88% | 89% | 94% | 91% | 88% | 84% | 64%
Don't know/Not sure | 7% | 2% | 24% | 6% | 6% | 7% | 9% | 6% | 5% | 3% | 2% | 6% | 16%
Total | 100% in every column

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 127 | 212 | 277 | 225 | 160 | 440 | 110 | 59 | 80 | 483 | 356
Yes | 7% | 6% | 9% | 16% | 4% | 8% | 11% | 25% | 16% | 11% | 7%
No | 91% | 91% | 86% | 69% | 94% | 88% | 80% | 63% | 58% | 80% | 88%
Don't know/Not sure | 2% | 3% | 5% | 14% | 2% | 4% | 9% | 12% | 26% | 8% | 5%
Total | 100% in every column
Who in your organization is the first executive officer to be notified once a breach is discovered?

Twenty-six percent of respondents listed their CIO as the first executive officer to be notified in times of a breach, followed by the president/chief executive officer (CEO) with 23 percent. These two positions are generally the first two to be notified regardless of department size, revenue, and region.
FIRST EXECUTIVE OFFICER TO BE NOTIFIED WHEN BREACH DISCOVERED
Chief Information Officer (CIO): 26%
President/Chief Executive Officer (CEO): 23%
Chief Information Security Officer (CISO): 9%
A vice president in your company: 9%
Chief Compliance Officer: 4%
Chief Security Officer (CSO): 3%
Chief Privacy Officer (CPO): 3%
Chief Financial Officer (CFO): 2%
Chief Technology Officer (CTO): 2%
Chief Risk Officer (CRO): 1%
Chief Communications Officer (CCO): <1%
Board-level committee devoted to cybersecurity: <1%
Other - please specify: 7%
Don't know/Not sure: 11%
(Cont'd) Who in your organization is the first executive officer to be notified once a breach is discovered?

Columns: Overall | CLO/GC vs. Others | Have you ever experienced a breach? | Region - Office location | Organization's total gross revenue for the last fiscal year (US $)
Response | All responses | CLO/GC | Other title | Yes | No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more
n= | 856 | 663 | 190 | 255 | 496 | 652 | 35 | 49 | 89 | 263 | 169 | 192 | 136
Chief Information Officer (CIO) | 26% | 26% | 26% | 29% | 25% | 26% | 29% | 16% | 31% | 16% | 30% | 34% | 31%
President/Chief Executive Officer (CEO) | 23% | 25% | 12% | 16% | 27% | 23% | 17% | 24% | 20% | 39% | 22% | 15% | 4%
A vice president in your company | 9% | 9% | 9% | 8% | 9% | 10% | 11% | 10% | 1% | 10% | 13% | 6% | 7%
Chief Information Security Officer (CISO) | 9% | 8% | 11% | 11% | 7% | 9% | 3% | 22% | 6% | 4% | 7% | 10% | 21%
Chief Compliance Officer | 4% | 5% | 3% | 5% | 4% | 4% | 3% | 2% | 4% | <1% | 6% | 6% | 3%
Chief Privacy Officer (CPO) | 3% | 3% | 4% | 3% | 3% | 3% | 9% | 2% | 3% | 4% | 2% | 3% | 3%
Chief Security Officer (CSO) | 3% | 3% | 3% | 3% | 2% | 3% | 0% | 6% | 1% | 3% | 1% | 4% | 5%
Chief Technology Officer (CTO) | 2% | 2% | 0% | 2% | 2% | 2% | 6% | 0% | 1% | 3% | 2% | 1% | 0%
Chief Financial Officer (CFO) | 2% | 2% | 1% | 1% | 3% | 2% | 3% | 2% | 6% | 2% | 2% | 4% | 0%
Chief Risk Officer (CRO) | 1% | 1% | 1% | 2% | 1% | 1% | 3% | 0% | 4% | 2% | 0% | 2% | 1%
Board-level committee devoted to cybersecurity | <1% | 1% | 0% | 1% | <1% | <1% | 0% | 2% | 1% | 1% | 0% | 1% | 0%
Chief Communications Officer (CCO) | <1% | <1% | 1% | 0% | 1% | <1% | 0% | 2% | 1% | 1% | 1% | 0% | 0%
Other - please specify | 7% | 7% | 8% | 9% | 6% | 7% | 3% | 4% | 9% | 8% | 8% | 7% | 7%
Don't know/Not sure | 11% | 7% | 22% | 10% | 10% | 10% | 14% | 6% | 10% | 8% | 7% | 8% | 17%
Total | 100% in every column
(Cont'd) Who in your organization is the first executive officer to be notified once a breach is discovered?

Columns: Total number of employees in organization/company | Size of your law department (all staff in all locations) | Employer a global entity?
Response | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Yes | No
n= | 128 | 214 | 281 | 221 | 159 | 445 | 110 | 59 | 79 | 482 | 361
Chief Information Officer (CIO) | 10% | 22% | 31% | 33% | 11% | 28% | 35% | 36% | 22% | 27% | 24%
President/Chief Executive Officer (CEO) | 55% | 26% | 20% | 4% | 51% | 23% | 8% | 2% | 0% | 18% | 29%
A vice president in your company | 6% | 9% | 12% | 6% | 9% | 10% | 6% | 8% | 6% | 8% | 10%
Chief Information Security Officer (CISO) | 3% | 7% | 7% | 17% | 4% | 6% | 14% | 19% | 23% | 10% | 8%
Chief Compliance Officer | 2% | 3% | 5% | 6% | 1% | 4% | 7% | 5% | 5% | 5% | 3%
Chief Privacy Officer (CPO) | 4% | 3% | 2% | 4% | 1% | 3% | 5% | 2% | 3% | 3% | 3%
Chief Security Officer (CSO) | 0% | 3% | 2% | 5% | 1% | 2% | 4% | 0% | 10% | 4% | 1%
Chief Technology Officer (CTO) | 2% | 3% | 1% | <1% | 3% | 2% | 0% | 0% | 0% | 2% | 1%
Chief Financial Officer (CFO) | 1% | 2% | 3% | 1% | 2% | 3% | 2% | 0% | 0% | 2% | 2%
Chief Risk Officer (CRO) | 1% | 2% | 1% | 1% | 1% | 1% | 1% | 2% | 4% | 1% | 1%
Board-level committee devoted to cybersecurity | 1% | <1% | <1% | <1% | 1% | 1% | 0% | 0% | 0% | <1% | <1%
Chief Communications Officer (CCO) | 2% | <1% | <1% | 0% | 1% | <1% | 1% | 0% | 0% | <1% | 1%
Other - please specify | 5% | 9% | 7% | 7% | 8% | 8% | 4% | 10% | 8% | 7% | 7%
Don't know/Not sure | 8% | 9% | 9% | 15% | 6% | 9% | 13% | 17% | 20% | 11% | 9%
Total | 100% in every column
From whom do you expect to be notified of a data security breach?

When a data breach occurs, 29 percent of respondents expect to be notified by their chief information officer, followed by the president/CEO (12 percent) or their chief information security officer (11 percent). These expectations are generally consistent across law departments, revenue, and region. Eight percent of respondents report not having a single point of contact they expect to be notified by in the event of a data breach.
FROM WHOM DO YOU EXPECT TO BE NOTIFIED OF A DATA BREACH?

Chief Information Officer (CIO): 29%
President/Chief Executive Officer (CEO): 12%
Chief Information Security Officer (CISO): 11%
A vice president in your company: 8%
Privacy/security specialist or manager: 7%
Chief Security Officer (CSO): 5%
Chief Legal Officer (CLO): 4%
Chief Privacy Officer (CPO): 3%
IT Director/Head of IT: 2%
Chief Financial Officer (CFO): 2%
Chief Technology Officer (CTO): 1%
Chief Risk Officer (CRO): 1%
Outside Counsel: <1%
Chief Accounting Officer (CAO): <1%
Other - Write in: 6%
Company does not have a single point of contact in the case of a breach: 8%
Don't know/Not sure: 3%
(Cont'd) From whom do you expect to be notified of a data security breach?

Column groups: Overall (All responses); CLO/GC vs. Others (CLO/GC; Other title); Have you ever experienced a breach? (Yes; No); Region - Office location (US; Canada; EMEA; Asia Pacific); Organization's total gross revenue for the last fiscal year, US $ (<$100 million; $100M-$499M; $500M-$2.9 billion; $3 billion or more).

Response | All | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100M | $100M-$499M | $500M-$2.9B | $3B+
n= | 858 | 666 | 189 | 252 | 500 | 657 | 34 | 47 | 89 | 263 | 169 | 194 | 134
Chief Accounting Officer (CAO) | <1% | <1% | 0% | <1% | <1% | <1% | 0% | 0% | 0% | 1% | 1% | 0% | 0%
Outside Counsel | <1% | <1% | 1% | 0% | <1% | <1% | 0% | 0% | 0% | 0% | 1% | 0% | 1%
Chief Information Officer (CIO) | 29% | 30% | 24% | 32% | 28% | 29% | 29% | 26% | 29% | 22% | 34% | 38% | 25%
President/Chief Executive Officer (CEO) | 12% | 13% | 6% | 5% | 16% | 12% | 9% | 13% | 10% | 21% | 12% | 4% | 2%
Chief Information Security Officer (CISO) | 11% | 10% | 13% | 12% | 10% | 10% | 6% | 19% | 8% | 5% | 9% | 12% | 20%
A vice president in your company | 8% | 8% | 6% | 9% | 7% | 9% | 9% | 9% | 0% | 7% | 12% | 8% | 7%
Privacy/security specialist or manager | 7% | 7% | 7% | 10% | 5% | 7% | 6% | 4% | 8% | 7% | 5% | 6% | 10%
Chief Security Officer (CSO) | 5% | 5% | 2% | 4% | 4% | 4% | 3% | 6% | 7% | 4% | 4% | 5% | 7%
Chief Legal Officer (CLO) | 4% | 1% | 14% | 4% | 5% | 4% | 0% | 2% | 4% | 2% | 2% | 7% | 5%
Chief Privacy Officer (CPO) | 3% | 2% | 5% | 5% | 2% | 3% | 9% | 2% | 3% | 2% | 2% | 3% | 7%
Chief Financial Officer (CFO) | 2% | 2% | 1% | 2% | 2% | 1% | 0% | 2% | 2% | 2% | 1% | 2% | 0%
IT Director/Head of IT | 2% | 3% | 0% | 2% | 2% | 2% | 3% | 0% | 0% | 4% | 2% | 1% | 0%
Chief Risk Officer (CRO) | 1% | 1% | 1% | 1% | <1% | 1% | 3% | 0% | 3% | 1% | 1% | 2% | 0%
Chief Technology Officer (CTO) | 1% | 2% | 0% | <1% | 2% | 1% | 3% | 0% | 0% | 2% | 1% | 1% | 0%
Other - Write in | 6% | 6% | 6% | 7% | 5% | 5% | 6% | 6% | 11% | 8% | 5% | 5% | 5%
Company does not have a single point of contact in the case of a breach | 8% | 8% | 9% | 6% | 8% | 8% | 9% | 9% | 10% | 9% | 9% | 7% | 5%
Don't know/Not sure | 3% | 2% | 6% | 2% | 2% | 2% | 6% | 2% | 3% | 2% | 1% | 2% | 5%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
(Cont'd) From whom do you expect to be notified of a data security breach?

Column groups: Total number of employees in organization/company (Less than 100; 100-499; 500-4,999; 5,000 or more); Size of your law department, all staff in all locations (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees); Employer a global entity? (Yes; No).

Response | <100 | 100-499 | 500-4,999 | 5,000+ | Law dept 1 | 2-9 | 10-24 | 25-49 | 50+ | Global: Yes | Global: No
n= | 129 | 214 | 282 | 221 | 160 | 447 | 111 | 58 | 78 | 481 | 364
Chief Accounting Officer (CAO) | 1% | 1% | 0% | 0% | 1% | <1% | 0% | 0% | 0% | <1% | <1%
Outside Counsel | 0% | 0% | 1% | 0% | 1% | <1% | 0% | 0% | 0% | <1% | <1%
Chief Information Officer (CIO) | 13% | 29% | 34% | 32% | 21% | 30% | 42% | 28% | 18% | 31% | 26%
President/Chief Executive Officer (CEO) | 36% | 12% | 7% | 3% | 34% | 8% | 4% | 2% | 1% | 10% | 14%
Chief Information Security Officer (CISO) | 4% | 9% | 11% | 17% | 5% | 9% | 15% | 26% | 18% | 11% | 10%
A vice president in your company | 7% | 7% | 10% | 6% | 8% | 9% | 5% | 5% | 8% | 7% | 9%
Privacy/security specialist or manager | 5% | 8% | 8% | 5% | 3% | 9% | 5% | 9% | 6% | 7% | 7%
Chief Security Officer (CSO) | 1% | 5% | 4% | 7% | 1% | 4% | 6% | 3% | 12% | 5% | 4%
Chief Legal Officer (CLO) | 2% | 2% | 5% | 5% | 1% | 4% | 5% | 5% | 10% | 5% | 3%
Chief Privacy Officer (CPO) | 2% | 2% | 2% | 6% | 1% | 3% | 5% | 3% | 5% | 2% | 4%
Chief Financial Officer (CFO) | 1% | 4% | 1% | 1% | 1% | 2% | 1% | 0% | 0% | 1% | 2%
IT Director/Head of IT | 5% | 3% | 1% | 0% | 4% | 2% | 0% | 0% | 0% | 1% | 3%
Chief Risk Officer (CRO) | 1% | 1% | 1% | <1% | 1% | <1% | 2% | 0% | 3% | 1% | 1%
Chief Technology Officer (CTO) | 2% | 1% | 1% | <1% | 1% | 2% | 0% | 0% | 0% | 2% | 1%
Other - Write in | 8% | 6% | 6% | 5% | 8% | 6% | 2% | 9% | 6% | 6% | 6%
Company does not have a single point of contact in the case of a breach | 12% | 8% | 6% | 7% | 9% | 9% | 5% | 9% | 3% | 7% | 9%
Don't know/Not sure | 2% | 1% | 2% | 5% | 1% | 2% | 3% | 2% | 10% | 4% | 1%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Who in your company is the primary point of contact during a breach (including outside counsel)? Twenty-four percent of respondents say the primary point of contact during a breach is their chief information officer, followed by the president/CEO (10 percent). Again, these points of contact do not dramatically differ across regions or company revenues; however, corporate counsel in smaller companies and law departments are more likely to list the president/CEO as their primary point of contact than the chief information officer. Smaller organizations are less likely to have a CIO on staff, potentially explaining this finding. Fourteen percent of in-house counsel do not have a primary point of contact in their organization during a data breach.
COMPANY PRIMARY POINT OF CONTACT DURING A BREACH

Chief Information Officer (CIO): 24%
President/Chief Executive Officer (CEO): 10%
Chief Information Security Officer (CISO): 9%
A vice president in your company: 7%
GC/CLO: 5%
Chief Security Officer (CSO): 5%
Chief Privacy Officer (CPO): 4%
Chief Risk Officer (CRO): 2%
IT/IT department: 2%
Chief Accounting Officer (CAO): 1%
Board-level committee devoted to cybersecurity: 0.30%
Other - Write in: 7%
Company does not have a single point of contact in the case of a breach: 14%
Don't know/Not sure: 10%
(Cont'd) Who in your company is the primary point of contact during a breach (including outside counsel)?

Column groups: Overall (All responses); CLO/GC vs. Others (CLO/GC; Other title); Have you ever experienced a breach? (Yes; No); Region - Office location (US; Canada; EMEA; Asia Pacific); Organization's total gross revenue for the last fiscal year, US $ (<$100 million; $100M-$499M; $500M-$2.9 billion; $3 billion or more).

Response | All | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100M | $100M-$499M | $500M-$2.9B | $3B+
n= | 844 | 653 | 188 | 251 | 495 | 641 | 35 | 49 | 88 | 262 | 164 | 193 | 133
Chief Information Officer (CIO) | 24% | 25% | 19% | 25% | 25% | 24% | 23% | 20% | 30% | 19% | 25% | 34% | 22%
President/Chief Executive Officer (CEO) | 10% | 11% | 6% | 6% | 13% | 10% | 9% | 8% | 10% | 17% | 14% | 3% | 3%
Chief Information Security Officer (CISO) | 9% | 8% | 15% | 10% | 8% | 9% | 9% | 16% | 7% | 5% | 6% | 9% | 22%
A vice president in your company | 7% | 8% | 5% | 8% | 7% | 8% | 17% | 4% | 0% | 7% | 12% | 5% | 5%
Chief Security Officer (CSO) | 5% | 5% | 3% | 4% | 4% | 4% | 6% | 8% | 3% | 4% | 2% | 8% | 4%
GC/CLO | 5% | 5% | 3% | 6% | 4% | 5% | 0% | 2% | 3% | 5% | 4% | 6% | 2%
Chief Privacy Officer (CPO) | 4% | 3% | 9% | 4% | 4% | 4% | 6% | 2% | 5% | 3% | 2% | 4% | 8%
Chief Risk Officer (CRO) | 2% | 2% | 2% | 2% | 2% | 2% | 0% | 2% | 2% | 3% | 1% | 2% | 2%
IT/IT department | 2% | 2% | 1% | 1% | 3% | 2% | 0% | 2% | 1% | 5% | 2% | 1% | 0%
Chief Accounting Officer (CAO) | 1% | 1% | 1% | 1% | <1% | 1% | 0% | 0% | 2% | 1% | 1% | 1% | 1%
Board-level committee devoted to cybersecurity | <1% | 1% | 0% | 1% | <1% | <1% | 0% | 0% | 2% | 1% | 0% | 0% | 0%
Other - Write in | 7% | 8% | 6% | 8% | 6% | 7% | 9% | 4% | 10% | 8% | 7% | 7% | 6%
Company does not have a single point of contact in the case of a breach | 14% | 14% | 13% | 15% | 14% | 14% | 14% | 16% | 11% | 16% | 18% | 11% | 11%
Don't know/Not sure | 10% | 8% | 17% | 7% | 9% | 9% | 9% | 14% | 13% | 5% | 5% | 10% | 14%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
(Cont'd) Who in your company is the primary point of contact during a breach (including outside counsel)?

Column groups: Total number of employees in organization/company (Less than 100; 100-499; 500-4,999; 5,000 or more); Size of your law department, all staff in all locations (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees); Employer a global entity? (Yes; No).

Response | <100 | 100-499 | 500-4,999 | 5,000+ | Law dept 1 | 2-9 | 10-24 | 25-49 | 50+ | Global: Yes | Global: No
n= | 126 | 210 | 278 | 219 | 159 | 439 | 108 | 57 | 78 | 478 | 353
Chief Information Officer (CIO) | 11% | 24% | 28% | 27% | 14% | 27% | 31% | 23% | 17% | 25% | 23%
President/Chief Executive Officer (CEO) | 29% | 11% | 6% | 1% | 28% | 9% | 1% | 0% | 1% | 9% | 12%
Chief Information Security Officer (CISO) | 4% | 6% | 9% | 16% | 3% | 6% | 19% | 16% | 19% | 9% | 9%
A vice president in your company | 7% | 8% | 9% | 4% | 6% | 10% | 4% | 2% | 5% | 7% | 7%
Chief Security Officer (CSO) | 0% | 5% | 5% | 6% | 1% | 5% | 5% | 7% | 9% | 5% | 4%
GC/CLO | 4% | 5% | 6% | 2% | 5% | 5% | 4% | 5% | 0% | 4% | 5%
Chief Privacy Officer (CPO) | 5% | 3% | 3% | 6% | 2% | 3% | 6% | 7% | 8% | 3% | 5%
Chief Risk Officer (CRO) | 1% | 2% | 3% | 2% | 3% | 2% | 1% | 2% | 5% | 2% | 1%
IT/IT department | 4% | 5% | 1% | 0% | 4% | 3% | 0% | 2% | 0% | 1% | 3%
Chief Accounting Officer (CAO) | 2% | <1% | <1% | 1% | 1% | 1% | 1% | 0% | 0% | 1% | 1%
Board-level committee devoted to cybersecurity | 2% | <1% | 0% | <1% | 1% | 1% | 0% | 0% | 0% | <1% | <1%
Other - Write in | 8% | 7% | 8% | 7% | 8% | 7% | 7% | 11% | 4% | 7% | 8%
Company does not have a single point of contact in the case of a breach | 18% | 16% | 12% | 13% | 20% | 13% | 14% | 14% | 9% | 16% | 12%
Don't know/Not sure | 5% | 6% | 11% | 15% | 6% | 9% | 8% | 12% | 23% | 10% | 9%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Does your company collaborate proactively with law enforcement or other governmental agencies to address cybersecurity risks? Twenty-seven percent of in-house lawyers surveyed work for companies that proactively collaborate with law enforcement to address cybersecurity risks, while 45 percent do not. A much higher percentage of respondents who work in companies with 5,000 or more employees say they proactively collaborate with law enforcement, compared with only 17 percent of those in companies with 100 or fewer employees. Respondents in companies with larger revenues are also more likely to report collaboration with law enforcement than those in companies with lower revenues.
COMPANY COLLABORATES WITH LAW ENFORCEMENT/OTHER GOVERNMENTAL AGENCIES TO ADDRESS CYBERSECURITY RISKS?

Yes: 27%
No: 45%
Don't know/Not sure: 28%
(Cont'd) Does your company collaborate proactively with law enforcement or other governmental agencies to address cybersecurity risks?

Column groups: Overall (All responses); CLO/GC vs. Others (CLO/GC; Other title); Have you ever experienced a breach? (Yes; No); Region - Office location (US; Canada; EMEA; Asia Pacific); Organization's total gross revenue for the last fiscal year, US $ (<$100 million; $100M-$499M; $500M-$2.9 billion; $3 billion or more).

Response | All | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100M | $100M-$499M | $500M-$2.9B | $3B+
n= | 784 | 610 | 171 | 238 | 462 | 596 | 31 | 43 | 83 | 242 | 150 | 181 | 126
Yes | 27% | 27% | 29% | 39% | 21% | 28% | 29% | 21% | 22% | 19% | 24% | 31% | 48%
No | 45% | 48% | 31% | 36% | 51% | 46% | 35% | 49% | 43% | 53% | 60% | 40% | 21%
Don't know/Not sure | 28% | 25% | 40% | 25% | 29% | 26% | 35% | 30% | 35% | 28% | 16% | 29% | 31%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company (Less than 100; 100-499; 500-4,999; 5,000 or more); Size of your law department, all staff in all locations (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees); Employer a global entity? (Yes; No).

Response | <100 | 100-499 | 500-4,999 | 5,000+ | Law dept 1 | 2-9 | 10-24 | 25-49 | 50+ | Global: Yes | Global: No
n= | 114 | 193 | 262 | 205 | 149 | 402 | 101 | 54 | 76 | 444 | 329
Yes | 11% | 20% | 32% | 39% | 17% | 24% | 35% | 33% | 54% | 30% | 23%
No | 63% | 53% | 43% | 29% | 64% | 49% | 35% | 28% | 11% | 40% | 52%
Don't know/Not sure | 26% | 27% | 25% | 32% | 19% | 28% | 31% | 39% | 36% | 30% | 25%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
How was the system breached?Among those who have experienced a data breach, 24 percent report employee error as the main cause, followed by inside job (15 percent) and phishing (12 percent). Respondents in smaller companies overwhelmingly report employee error and inside job as the most common causes of a system breach, while there is wider variation in how a breach occurred reported by in-house counsel in larger companies.
HOW WAS THE SYSTEM BREACHED?

Employee error: 24%
Inside job: 15%
Phishing: 12%
Access through a third party: 12%
Lost laptop/device: 9%
Application vulnerability: 7%
Malware: 7%
Ransomware (CryptoLocker): 1%
Operating system vulnerability: <1%
Other - please specify: 3%
Don't know/Not sure: 9%
(Cont'd) How was the system breached?

Column groups: Overall (All responses); CLO/GC vs. Others (CLO/GC; Other title); Have you ever experienced a breach? (Yes; No); Region - Office location (US; Canada; EMEA; Asia Pacific); Organization's total gross revenue for the last fiscal year, US $ (<$100 million; $100M-$499M; $500M-$2.9 billion; $3 billion or more). This question was answered only by respondents who have experienced a breach, so the "Breach: No" column has n=0 and shows 0% throughout.

Response | All | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100M | $100M-$499M | $500M-$2.9B | $3B+
n= | 232 | 184 | 48 | 232 | 0 | 181 | 7 | 12 | 26 | 59 | 43 | 58 | 50
Employee error | 24% | 27% | 15% | 24% | 0% | 25% | 29% | 25% | 15% | 31% | 26% | 24% | 18%
Inside job | 15% | 14% | 21% | 15% | 0% | 14% | 14% | 8% | 27% | 24% | 9% | 16% | 8%
Access through a third party | 12% | 11% | 15% | 12% | 0% | 12% | 0% | 17% | 15% | 10% | 12% | 7% | 18%
Phishing | 12% | 13% | 8% | 12% | 0% | 13% | 0% | 8% | 12% | 8% | 12% | 12% | 12%
Lost laptop/device | 9% | 9% | 10% | 9% | 0% | 10% | 14% | 8% | 4% | 3% | 9% | 12% | 16%
Malware | 7% | 7% | 10% | 7% | 0% | 8% | 0% | 17% | 0% | 7% | 14% | 7% | 6%
Application vulnerability | 7% | 8% | 4% | 7% | 0% | 7% | 14% | 0% | 15% | 7% | 9% | 14% | 2%
Ransomware (CryptoLocker) | 1% | 1% | 0% | 1% | 0% | 0% | 0% | 0% | 8% | 0% | 2% | 0% | 0%
Operating system vulnerability | <1% | 1% | 0% | <1% | 0% | 1% | 0% | 0% | 0% | 0% | 2% | 0% | 0%
Other - please specify | 3% | 3% | 2% | 3% | 0% | 3% | 14% | 0% | 0% | 3% | 2% | 3% | 2%
Don't know/Not sure | 9% | 7% | 15% | 9% | 0% | 9% | 14% | 17% | 4% | 7% | 2% | 5% | 18%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company (Less than 100; 100-499; 500-4,999; 5,000 or more); Size of your law department, all staff in all locations (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees); Employer a global entity? (Yes; No).

Response | <100 | 100-499 | 500-4,999 | 5,000+ | Law dept 1 | 2-9 | 10-24 | 25-49 | 50+ | Global: Yes | Global: No
n= | 19 | 47 | 81 | 80 | 24 | 122 | 29 | 23 | 34 | 133 | 96
Employee error | 32% | 30% | 22% | 21% | 25% | 24% | 24% | 22% | 26% | 21% | 29%
Inside job | 37% | 17% | 11% | 13% | 29% | 14% | 14% | 9% | 15% | 14% | 18%
Access through a third party | 5% | 15% | 11% | 11% | 8% | 14% | 3% | 17% | 12% | 12% | 10%
Phishing | 5% | 9% | 16% | 13% | 8% | 15% | 14% | 9% | 6% | 12% | 11%
Lost laptop/device | 0% | 6% | 10% | 14% | 0% | 10% | 14% | 4% | 15% | 11% | 8%
Malware | 0% | 4% | 10% | 9% | 8% | 7% | 3% | 13% | 9% | 9% | 5%
Application vulnerability | 5% | 6% | 14% | 3% | 4% | 7% | 21% | 4% | 0% | 7% | 8%
Ransomware (CryptoLocker) | 0% | 0% | 1% | 1% | 4% | 1% | 0% | 0% | 0% | 2% | 0%
Operating system vulnerability | 0% | 2% | 0% | 0% | 0% | 1% | 0% | 0% | 0% | 0% | 1%
Other - please specify | 11% | 0% | 2% | 3% | 4% | 2% | 0% | 4% | 3% | 3% | 2%
Don't know/Not sure | 5% | 11% | 2% | 14% | 8% | 6% | 7% | 17% | 15% | 11% | 6%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
What type of information was compromised during this breach? (Select all that apply)Of those who experienced a data breach, 44 percent reported that “other personally identifiable information” was compromised during the breach, followed by “email/password/username” with 18 percent and “trade secrets” with 11 percent. Ten percent of respondents were unsure of the type of information compromised. Trade secrets were more commonly reported by lawyers in companies with fewer than 100 employees (30 percent) than those in larger companies (8 to 11 percent). There is not a large degree of variation in the type of information compromised across region, revenue, or law department size.
TYPE OF INFORMATION COMPROMISED DURING THIS BREACH

Other personally identifiable information: 44%
Email/password/username: 18%
Trade secrets: 11%
Credit card/debit card number: 10%
Other - please specify: 9%
Don't know/Not sure: 10%
(Cont'd) What type of information was compromised during this breach? (Select all that apply)

Column groups: Overall (All responses); CLO/GC vs. Others (CLO/GC; Other title); Have you ever experienced a breach? (Yes; No); Region - Office location (US; Canada; EMEA; Asia Pacific); Organization's total gross revenue for the last fiscal year, US $ (<$100 million; $100M-$499M; $500M-$2.9 billion; $3 billion or more). This question was answered only by respondents who have experienced a breach, so the "Breach: No" column has n=0 and shows 0% throughout.

Response | All | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100M | $100M-$499M | $500M-$2.9B | $3B+
n= | 255 | 202 | 53 | 255 | 0 | 198 | 8 | 13 | 28 | 61 | 44 | 66 | 60
Other personally identifiable information such as address, national identification number/SSN, health information | 44% | 43% | 45% | 44% | 0% | 43% | 63% | 38% | 43% | 39% | 50% | 47% | 38%
Email/password/username | 18% | 19% | 17% | 18% | 0% | 18% | 0% | 15% | 29% | 23% | 20% | 17% | 12%
Trade secrets | 11% | 11% | 8% | 11% | 0% | 10% | 0% | 23% | 14% | 16% | 11% | 9% | 8%
Credit card/debit card number | 10% | 9% | 11% | 10% | 0% | 12% | 13% | 0% | 4% | 8% | 20% | 5% | 12%
Other - please specify | 9% | 9% | 8% | 9% | 0% | 10% | 0% | 8% | 0% | 8% | 18% | 8% | 3%
Don't know/Not sure | 10% | 9% | 11% | 10% | 0% | 10% | 25% | 15% | 4% | 10% | 9% | 8% | 12%

*Multiple response possible. Percentages may sum to greater than 100%.

Column groups: Total number of employees in organization/company (Less than 100; 100-499; 500-4,999; 5,000 or more); Size of your law department, all staff in all locations (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees); Employer a global entity? (Yes; No).

Response | <100 | 100-499 | 500-4,999 | 5,000+ | Law dept 1 | 2-9 | 10-24 | 25-49 | 50+ | Global: Yes | Global: No
n= | 20 | 50 | 87 | 93 | 24 | 130 | 31 | 30 | 40 | 147 | 104
Other personally identifiable information such as address, national identification number/SSN, health information | 35% | 46% | 44% | 43% | 42% | 43% | 55% | 40% | 40% | 38% | 52%
Email/password/username | 20% | 18% | 25% | 12% | 25% | 23% | 6% | 13% | 13% | 18% | 19%
Trade secrets | 30% | 8% | 11% | 8% | 21% | 11% | 6% | 10% | 8% | 14% | 6%
Credit card/debit card number | 10% | 6% | 9% | 12% | 13% | 9% | 10% | 3% | 15% | 10% | 10%
Other - please specify | 0% | 12% | 15% | 3% | 8% | 11% | 10% | 3% | 5% | 10% | 7%
Don't know/Not sure | 10% | 10% | 9% | 10% | 0% | 12% | 3% | 10% | 13% | 11% | 9%

*Multiple response possible. Percentages may sum to greater than 100%.
Was the information that was compromised during the breach encrypted? Seventeen percent of in-house counsel report that information was compromised despite the data being encrypted. This percentage was markedly higher for law departments consisting of only one lawyer (26 percent) and for companies with fewer than 100 employees (26 percent). There was also a fair degree of variation across regions, with the highest percentage of respondents in Canada reporting compromised information even with data encryption (29 percent). In contrast, only 15 percent of respondents from the EMEA region and 17 percent in the US reported that the information compromised during the data breach was encrypted.
INFORMATION COMPROMISED DURING THIS BREACH ENCRYPTED?

Yes: 17%
No: 64%
Don't know/Not sure: 19%
(Cont'd) Was the information that was compromised during the breach encrypted?

Column groups: Overall (All responses); CLO/GC vs. Others (CLO/GC; Other title); Have you ever experienced a breach? (Yes; No); Region - Office location (US; Canada; EMEA; Asia Pacific); Organization's total gross revenue for the last fiscal year, US $ (<$100 million; $100M-$499M; $500M-$2.9 billion; $3 billion or more). This question was answered only by respondents who have experienced a breach, so the "Breach: No" column has n=0 and shows 0% throughout.

Response | All | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100M | $100M-$499M | $500M-$2.9B | $3B+
n= | 226 | 180 | 46 | 226 | 0 | 177 | 7 | 13 | 23 | 58 | 42 | 56 | 50
Yes | 17% | 18% | 13% | 17% | 0% | 17% | 29% | 15% | 22% | 17% | 17% | 20% | 14%
No | 64% | 66% | 54% | 64% | 0% | 66% | 43% | 54% | 57% | 66% | 76% | 70% | 58%
Don't know/Not sure | 19% | 16% | 33% | 19% | 0% | 18% | 29% | 31% | 22% | 17% | 7% | 11% | 28%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company (Less than 100; 100-499; 500-4,999; 5,000 or more); Size of your law department, all staff in all locations (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees); Employer a global entity? (Yes; No).

Response | <100 | 100-499 | 500-4,999 | 5,000+ | Law dept 1 | 2-9 | 10-24 | 25-49 | 50+ | Global: Yes | Global: No
n= | 19 | 45 | 80 | 77 | 23 | 116 | 28 | 25 | 34 | 131 | 92
Yes | 26% | 24% | 15% | 13% | 26% | 17% | 7% | 20% | 18% | 18% | 16%
No | 53% | 60% | 71% | 62% | 70% | 64% | 79% | 60% | 50% | 59% | 72%
Don't know/Not sure | 21% | 16% | 14% | 25% | 4% | 19% | 14% | 20% | 32% | 24% | 12%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
What public notice was legally required as a result of the breach?Among those who indicated that public notice was required as a result of a data breach experienced, most in-house counsel say those affected, including patients, clients, employees, and consumers, were notified via letter. Several cited notification to states or attorney general offices where required. Web notification is also cited. Some lawyers indicate no notice was required due to the nature of the breach (employee only) or the small number affected. Examples shared by in-house respondents are listed below.
30 days.
Affected individuals, HHS, state regulators.
Certain state notice requirements were satisfied.
Claim at court.
Consumer notice.
Individual notification, publication, regulator notice.
Letter to parties breached.
Letter to policyholders and ID theft protection.
Letters to attorney general’s office.
Local US states notification.
Media distribution, website disclosure.
No mandatory data breach reporting in Australia as yet.
No public notice was required, just individual notice.
Nothing, as we are a private company.
Notice requirements varied by state, and we did not have a size that was eligible for substitute public notice.
Notice to individuals in certain US states.
Notification to affected consumers per state breach notification laws.
OAIC investigation.
Report to privacy commissioner, notify person affected.
Reporting to Office of Civil Rights and Adult Protective Services.
Significant on behalf of the third party.
State law requirements and HIPAA requirements.
Substitute notice by publication nationwide and on all company website home pages.
Varies by state and if feds ask company to delay notice.
We gave public notice regardless of the requirement.
Website.
Were you required to notify a regulatory/governmental body as a result of a breach? Thirty-one percent of in-house lawyers say they were required to notify a regulatory/governmental body as a result of a breach. Only 16 percent of respondents in organizations with fewer than 100 employees were required to do so, compared with up to 33 percent in larger organizations. Twenty-nine percent of lawyers in organizations generating less than US $100 million report having to notify a regulatory body, compared with 39 percent in organizations with more than US $3 billion in revenue. Canada had the highest percentage of respondents stating this requirement, while the EMEA region had 25 percent of respondents claiming this requirement.
REQUIRED TO NOTIFY REGULATORY/GOVERNMENTAL BODY AS RESULT OF A BREACH?

Yes: 31%
No: 62%
Don't know/Not sure: 6%
(Cont'd) Were you required to notify a regulatory/governmental body as a result of a breach?

Column groups: Overall (All responses); CLO/GC vs. Others (CLO/GC; Other title); Have you ever experienced a breach? (Yes; No); Region - Office location (US; Canada; EMEA; Asia Pacific); Organization's total gross revenue for the last fiscal year, US $ (<$100 million; $100M-$499M; $500M-$2.9 billion; $3 billion or more). This question was answered only by respondents who have experienced a breach, so the "Breach: No" column has n=0 and shows 0% throughout.

Response | All | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100M | $100M-$499M | $500M-$2.9B | $3B+
n= | 235 | 186 | 49 | 235 | 0 | 184 | 8 | 12 | 25 | 59 | 42 | 59 | 54
Yes | 31% | 32% | 29% | 31% | 0% | 31% | 50% | 25% | 28% | 29% | 29% | 27% | 39%
No | 62% | 63% | 57% | 62% | 0% | 61% | 50% | 67% | 72% | 61% | 71% | 69% | 52%
Don't know/Not sure | 6% | 4% | 14% | 6% | 0% | 8% | 0% | 8% | 0% | 10% | 0% | 3% | 9%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company (Less than 100; 100-499; 500-4,999; 5,000 or more); Size of your law department, all staff in all locations (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees); Employer a global entity? (Yes; No).

Response | <100 | 100-499 | 500-4,999 | 5,000+ | Law dept 1 | 2-9 | 10-24 | 25-49 | 50+ | Global: Yes | Global: No
n= | 19 | 46 | 80 | 85 | 23 | 122 | 29 | 23 | 38 | 137 | 96
Yes | 16% | 33% | 33% | 32% | 26% | 30% | 38% | 35% | 34% | 26% | 41%
No | 74% | 59% | 65% | 61% | 65% | 66% | 59% | 61% | 53% | 68% | 53%
Don't know/Not sure | 11% | 9% | 3% | 7% | 9% | 5% | 3% | 4% | 13% | 7% | 6%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
What challenges did you face in preserving lawyer-client privilege after the data breach, and how did you navigate these?In-house counsel mentioned a wide variety of challenges when preserving lawyer-client privilege after a data breach. A frequently cited challenge stems from controlling the flow of information via email and through outside counsel or forensic experts assisting in the response to the breach.
A sample of challenges cited by in-house counsel is listed below.
All emails, including the legal department emails, were breached — so the obvious concerns about privilege were had, i.e., use of privileged communications in litigation, media, etc.
Challenge is keeping the circle of people who know about the incident during the initial investigation process small and mindful of the privilege.
Controlled investigation. Controlled communication about the matter. Advised internal clients. Difficult to control individual consumer interactions with company personnel on site.
Correspondence with forensic firm and what they had to share with credit card brands.
Data breach response plan addresses communication plan including attorney-client privilege, and it was still challenging.
Dealing with external law firm to manage this risk.
Employees forwarding privileged information to people who should not have it. We specifically note on our privileged documents that they should not be given or forwarded to anyone without our permission.
Ensure that an attorney from the legal department is on the initial strike force/team when a breach occurs.
Having to share forensics reports with credit card companies and various states attorneys general.
Inability to be involved in all technical assessment/evaluation meetings and actions between employees and third-party consultants; we determined that not all information needed to be privileged, but otherwise all reports from third parties were directed to legal for review/distribution.
Investigation was conducted by outside counsel under attorney-client privilege to discover all facts and assess needed response and potential liability. Couldn't locate laptop to determine if breached by forensics, so had to assume. Not registered or encrypted so couldn't wipe remotely.
It is difficult because facts aren’t privileged.
IT reported to legal and responded based on privileged advice.
Lack of knowledge in the company as to what lawyer-client privilege is. Took steps to explain.
Legal took over the internal investigation, planning, and briefing and locked down all communications on the subject to try to preserve lawyer-client privilege.
Maintaining privilege with outside forensics investigation, board communications, and law enforcement communications.
Making sure all involved understood process to protect privilege.
Needed to be careful with communications with breach victims; where privilege was an issue, nonlawyer staff made the contact.
Only that I was acting as general counsel and privacy officer. Breach had to be subject to a HIPAA risk assessment to determine if it was reportable to HHS and if patient notification was necessary. This was performed and documented outside of the attorney-client privilege.
Proliferation of internal communications.
The challenge we had to face was exactly to preserve lawyer-client privilege, because the data breach was caused by a former in-house counsel. We navigated through this by filing a suit for NDA violation, and we reported to the local bar ethics committee.
We asserted privilege where possible; did not end up being an issue.
We cooperated fully and did not rely on attorney-client privilege defense.
We weren’t concerned with preserving attorney-client privilege with the breach in question.
Working through outside counsel.
How many people were affected by the breach (including employees, customers, etc.)? Most breaches affected a small number of individuals, according to in-house counsel who have experienced a data breach. Forty-six percent of the time, fewer than 50 people were affected. As one would expect, fewer people tend to be affected in smaller companies, while more people tend to be affected in larger companies. Fifty-six percent of respondents in companies with fewer than 100 people said that fewer than 50 people were affected, compared with 34 percent in companies with 5,000 or more employees.
NUMBER OF PEOPLE AFFECTED BY BREACH

Less than 50: 46%
50 to 99: 5%
100 to 499: 11%
500 to 999: 6%
1,000 to 4,999: 10%
5,000 to 9,999: 1%
10,000 to 49,999: 2%
50,000 to 99,999: 0.30%
100,000 to 499,999: 1%
500,000 to 999,999: 0%
1 million or more: 2%
Don't know/Not sure: 15%
(Cont'd) How many people were affected by the breach (including employees and customers)?

Column groups: Overall (All responses); CLO/GC vs. Others (CLO/GC; Other title); Have you ever experienced a breach? (Yes; No); Region - Office location (US; Canada; EMEA; Asia Pacific); Organization's total gross revenue for the last fiscal year, US $ (<$100 million; $100M-$499M; $500M-$2.9 billion; $3 billion or more). This question was answered only by respondents who have experienced a breach, so the "Breach: No" column has n=0 and shows 0% throughout.

Response | All | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100M | $100M-$499M | $500M-$2.9B | $3B+
n= | 220 | 175 | 45 | 220 | 0 | 174 | 8 | 10 | 26 | 56 | 41 | 57 | 46
Fewer than 50 | 46% | 47% | 40% | 46% | 0% | 41% | 63% | 70% | 62% | 50% | 51% | 53% | 30%
50 or more | 39% | 38% | 42% | 39% | 0% | 43% | 25% | 10% | 27% | 30% | 44% | 40% | 46%
Don't know/Not sure | 15% | 14% | 18% | 15% | 0% | 16% | 13% | 20% | 12% | 20% | 5% | 7% | 24%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%

Column groups: Total number of employees in organization/company (Less than 100; 100-499; 500-4,999; 5,000 or more); Size of your law department, all staff in all locations (1 employee; 2 to 9; 10 to 24; 25 to 49; 50 or more employees); Employer a global entity? (Yes; No).

Response | <100 | 100-499 | 500-4,999 | 5,000+ | Law dept 1 | 2-9 | 10-24 | 25-49 | 50+ | Global: Yes | Global: No
n= | 18 | 45 | 76 | 76 | 24 | 115 | 27 | 24 | 30 | 127 | 90
Fewer than 50 | 56% | 53% | 51% | 34% | 42% | 54% | 30% | 50% | 30% | 46% | 47%
50 or more | 28% | 33% | 38% | 47% | 33% | 35% | 56% | 33% | 50% | 35% | 43%
Don't know/Not sure | 17% | 13% | 11% | 18% | 25% | 11% | 15% | 17% | 20% | 19% | 10%
Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
If the breach has been resolved, how long did it take to resolve? If it has not been resolved, please select that option. Among in-house counsel who experienced a breach and report that it has been resolved, most say it took under a year to do so. Eighty percent report that it took one year or less to resolve the data breach. Breaches were slightly more time consuming in the EMEA region, where 11 percent of in-house counsel say it took up to two years to resolve the breach.
LENGTH OF TIME IT TOOK TO RESOLVE BREACH

1 year or less: 80%
Within 2 years: 7%
Within 3 years: 1%
Within 4 years: <1%
5 years or more: <1%
Has not been resolved: 3%
Don't know/Not sure: 9%
(Cont’d) If the breach has been resolved, how long did it take to resolve? If it has not been resolved, please select that option.

Column groups: Overall (All responses); CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $).

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 225 | 180 | 45 | 225 | 0% | 178 | 7 | 9 | 27 | 56 | 41 | 59 | 47 |
| One year or less | 80% | 82% | 71% | 80% | 0% | 79% | 86% | 67% | 85% | 77% | 83% | 92% | 68% |
| Within two years | 7% | 7% | 7% | 7% | 0% | 7% | 0% | 11% | 4% | 5% | 10% | 5% | 6% |
| Within three years | 1% | 1% | 4% | 1% | 0% | 2% | 0% | 0% | 0% | 2% | 2% | 0% | 2% |
| Within four years | <1% | 1% | 0% | <1% | 0% | 1% | 0% | 0% | 0% | 0% | 2% | 0% | 0% |
| Five years or more | <1% | 1% | 0% | <1% | 0% | 0% | 0% | 0% | 4% | 0% | 0% | 0% | 0% |
| Has not been resolved | 3% | 3% | 2% | 3% | 0% | 2% | 14% | 0% | 0% | 5% | 2% | 2% | 2% |
| Don’t know/Not sure | 9% | 7% | 16% | 9% | 0% | 9% | 0% | 22% | 7% | 11% | 0% | 2% | 21% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |

Column groups: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

| | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 18 | 45 | 80 | 78 | 24 | 116 | 30 | 24 | 31 | 128 | 94 |
| One year or less | 78% | 76% | 86% | 77% | 83% | 81% | 77% | 83% | 71% | 79% | 80% |
| Within two years | 11% | 7% | 6% | 6% | 0% | 7% | 13% | 0% | 10% | 6% | 7% |
| Within three years | 0% | 2% | 0% | 1% | 0% | 2% | 3% | 0% | 0% | 1% | 2% |
| Within four years | 0% | 0% | 1% | 0% | 0% | 1% | 0% | 0% | 0% | 1% | 0% |
| Five years or more | 0% | 0% | 1% | 0% | 0% | 1% | 0% | 0% | 0% | 0% | 1% |
| Has not been resolved | 0% | 4% | 3% | 3% | 8% | 3% | 3% | 0% | 0% | 2% | 3% |
| Don’t know/Not sure | 11% | 11% | 3% | 13% | 8% | 6% | 3% | 17% | 19% | 11% | 6% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
Please describe what resource was most helpful in managing the breach response?
In-house counsel cite a variety of helpful resources when managing a data breach, including internal and external IT specialists, outside counsel and forensics experts, internal multidisciplinary teams, and internal chief security officers.
Sample resources cited by in-house counsel are listed below.
A thorough forensics investigation and identification of the appropriate steps for remediation.
Association of Corporate Counsel resources.
Beazley, our insurance carrier, had recommended counsel, credit reporting agencies, forensics, etc. — very good resources, very responsive.
Being open and timely with customer and early engagement to help mitigate.
Chief information security officer/legal.
Chief privacy officer.
Chief security officer.
Chief security officer and local law enforcement.
CISO and internal well-prepared response team, including media relations.
Collaborative effort of IT and HR.
Company’s IT security officer and cyberforensics.
Contacting the vendor who received the information, have him return all material (delete it from his computers), and his CEO signed a confirmation that no information has been retained by his company.
Cooperation of employees in relevant functions.
Cybercrime unit of the US Attorney’s office.
Encryption.
External assistance — appointment of CIO.
External IT providers.
Federal and local authorities.
Forensic consultant and outside law firm.
Forensic data analysis.
Forensic expert advice on future prevention.
Former government employee acting as internal security officer.
Good internal communications and collaboration among various departments.
Great internal systems that identified the breach and addressed the problem immediately; ongoing IT and legal coordination; experienced outside counsel.
Guidelines from the Office of Australian Information Commissioner.
Having an established incident response team.
Having an outside call center for those impacted.
Incident response readiness team that has practiced via tabletop exercises and experienced in-house privacy counsel.
In-house privacy counsel.
Insurance company.
Internal compliance team.
Internal IT security team and trusted security/forensics vendor.
Internal management team.
IT and HR teams.
IT department, outside law enforcement.
IT forensic to identify source and restore firewall with updated username/password.
IT monitoring (software and personnel) and all-hands-on-deck IT response.
Notification service.
Office of Australian Information Commissioner guidelines.
Our incident response team (internal members).
Our legal department’s knowledge and experience in dealing with such incidents.
Outside consultant.
Partnering with our head of corporate security, who himself is related to the FBI contacts.
Secret Service, outside counsel, internal resource.
Skilled forensic technician, who was aided by a special agent from the FBI.
Subject matter experts and a single center point of contact.
The company liquidators.
The information security department as well as local management and operations staff.
The legal department drafted the cybersecurity policy, so we had a good framework on how to deal with the situation.
The vendor took responsibility and ran the response.
Third-party review team to review data diverted and determine if any confidential data was involved.
Utilized experts through our cybersecurity insurance carrier.
Well-managed press release and hotline.
Well-trained privacy officer.
Describe the degree of change (if any) made to your company’s security policies or procedures following the breach?
Three of four in-house counsel who have experienced a data breach say that at least some changes were made to their company’s security policies following the breach. Lawyers in the EMEA region were most likely to make significant changes after a breach, compared with those in the Asia Pacific region, who were most likely to say no changes were made (19 percent).
DEGREE OF CHANGE MADE TO COMPANY’S SECURITY POLICIES POSTBREACH
There were no changes made: 15%
Minimal changes were made: 16%
Moderate changes were made: 41%
Significant changes were made: 17%
Don’t know/Not sure: 12%
(Cont’d) Describe the degree of change (if any) made to your company’s security policies or procedures following the breach?

Column groups: Overall (All responses); CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $).

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Canada | EMEA | Asia Pacific | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 230 | 180 | 50 | 230 | 0% | 180 | 8 | 12 | 27 | 59 | 42 | 58 | 50 |
| There were no changes made | 15% | 16% | 14% | 15% | 0% | 16% | 13% | 0% | 19% | 14% | 21% | 12% | 14% |
| Minimal changes were made | 16% | 14% | 20% | 16% | 0% | 17% | 25% | 0% | 11% | 15% | 17% | 16% | 16% |
| Moderate changes were made | 41% | 43% | 34% | 41% | 0% | 37% | 38% | 58% | 59% | 42% | 33% | 53% | 36% |
| Significant changes were made | 17% | 18% | 10% | 17% | 0% | 17% | 0% | 25% | 7% | 14% | 21% | 16% | 18% |
| Don’t know/Not sure | 12% | 9% | 22% | 12% | 0% | 12% | 25% | 17% | 4% | 15% | 7% | 3% | 16% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |

Column groups: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

| | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 19 | 47 | 81 | 79 | 23 | 119 | 29 | 25 | 34 | 133 | 93 |
| There were no changes made | 11% | 15% | 12% | 20% | 17% | 13% | 24% | 24% | 9% | 15% | 15% |
| Minimal changes were made | 16% | 19% | 17% | 13% | 9% | 19% | 17% | 8% | 12% | 10% | 25% |
| Moderate changes were made | 58% | 30% | 46% | 38% | 57% | 39% | 28% | 48% | 41% | 47% | 34% |
| Significant changes were made | 5% | 19% | 17% | 16% | 9% | 17% | 24% | 8% | 21% | 17% | 15% |
| Don’t know/Not sure | 11% | 17% | 7% | 13% | 9% | 12% | 7% | 12% | 18% | 12% | 11% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
Please provide examples of changes your company made following the data breach.
Many respondents report that technical changes were made following the data breach. The tightening of access points, encryption, and more controlled access and storage of records/email are all frequently noted. In addition, several lawyers say enhanced employee training, policy changes, more frequent training exercises, and more stringent contract management were key changes made based on experience with a data breach.
Sample changes cited by in-house counsel are listed below.
Additional security software, more emphasis on upgrading technology, more stringent user access policies, network segmentation.
Adoption of information security protocols.
All mobile devices inventoried, encryption software installed, all employers re-educated about importance of registering devices, encryption, password protection, prompt notice if device lost or stolen, can now wipe remotely because all devices registered. New policies developed.
Amended the third party system access procedures.
Auditing of obsolete databases, review of effectiveness of vulnerability scanning.
Authentication and encryption for external devices.
Banking protocols were amended.
Better monitoring of relevant external service provider (provides website service).
Changed application that had vulnerability. Took down public access points.
Changed procedures to minimize human error.
Changed security protocol internally and implemented new security procedures for all employees.
Changed vendor, went to point to point credit card system, hired IT security specialist.
Changes were made in how employees processed certain credit card transactions.
Company protocols increased; laptops are encrypted. Conducts phishing exercises.
Delegated authority process was tightened to prevent lone wolf fraud.
Deployment of two-factor authentication; hiring internal security team; addressing on ongoing basis the potential points of risk; employee training.
Developed extensive data security SOPs.
Developed Information Security System. Hired personnel for this purpose. Hired outside security assessment company to conduct audits.
Documents required to be locked up; sensitive documents not retained at all unless necessary.
Dual authentication log-in; additional IT screening and monitoring mechanisms, some employee training (though sporadic), more IT policies for employees.
Employee policies and handbook were updated to clearly state that they had no expectation of privacy in their use of our systems.
Employees were given more training on handling personally identifiable information.
Encrypting at-home devices.
Encryption mandated for all laptops.
Encryption cards and one time passwords, tighter VPN and tighter access to the supercomputer.
Enhanced employee agreements.
Exit audit of materials prior to employees leaving.
Hired new executive to lead/coordinate efforts.
Hiring IT Security expert.
Implementation of new policy on Data Security and Confidentiality. Issue of new Code of Conduct.
Improved server firewalls; implemented regular email tests to employees to reduce risks of phishing succeeding with employees; improved junk filters.
Increase firewall.
Increased education of staff regarding already existing rules; strengthened centralized IT.
Increased penetration testing; two factor authentication; business continuity planning; increased employee communication; increased resources and tools.
Issues related to the management of servers in overseas offices were tightened down, specifically including access. In my role, I am attempting to implement a more permanent and policy-based change that is followed and used on a routine basis.
Logging and monitoring.
Mandatory encryption of all devices.
More frequent password changes and more complexity required; more robust ‘whitelisting’ software implemented.
More robust individual training; rules about transporting PHI in personal vehicles; scanning and electronically transferring PHI versus moving paper in autos.
New controls, new protocols, enhanced education of employees.
New identity protection procedures for board members.
New intrusion detect software. New password protocols. Segregation of highly valuable trade secrets.
Password confirmations and secondary sign-in.
Password policies were enforced more rigorously.
Placing better controls with respect to employee access.
Plan developed to manage data breaches. Vendor access reviewed.
Proper processes for approving EFTs, checking confirmation of payments.
Regular patching regime of OS and applications.
Review of access rights globally.
Site-by-site data audits and retention policy audits, with massive destruction of hoarded but unnecessary data.
Social media policy and controls.
Started to include specific breach responsibilities in contractual negotiations (i.e., who is responsible for what cost should a breach occur).
Training, additional firewalls, tokenization.
Two-factor authentication required. Random phishing testing of employees. More stringent password rules (strength, frequency of change).
Updated contractual language with vendor related to data security and notification of breaches. Updated policies for transmission of data.
USB policy.
We hired a head of information security, started conducting audits, upgraded technology safeguards, used a third party to process credit cards so they were no longer stored.
Did your cyberinsurance policy fully cover any damages related to the breach?
Among corporate counsel who say their company was insured against a data breach, 46 percent report that their company’s policy did not fully cover the damages from the breach. Only 19 percent say they were fully covered against the damages, while 34 percent are not sure if damages were fully covered. In-house counsel in the US were the least likely to report that their cybersecurity insurance fully covered damages from a data breach (17 percent), compared with other regions on average (33 percent).
CYBERINSURANCE POLICY FULLY COVERING BREACH DAMAGES
Yes: 19%
No: 46%
Don’t know/Not sure: 34%
(Cont’d) Did your cyberinsurance policy fully cover any damages related to the breach?

Column groups: Overall (All responses); CLO/GC vs. Others; Have you ever experienced a breach?; Region - Office location; Organization's total gross revenue for the last fiscal year (US $).

| | All responses | CLO/GC | Other title | Breach: Yes | Breach: No | US | Other region | <$100 million | $100M-$499M | $500M-$2.9 billion | $3 billion or more |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 108 | 85 | 23 | 108 | 0% | 89 | 18 | 30 | 19 | 35 | 18 |
| Yes | 19% | 18% | 26% | 19% | 0% | 17% | 33% | 10% | 32% | 29% | 11% |
| No | 46% | 51% | 30% | 46% | 0% | 49% | 33% | 37% | 58% | 51% | 39% |
| Don’t know/Not sure | 34% | 32% | 43% | 34% | 0% | 34% | 33% | 53% | 11% | 20% | 50% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |

Column groups: Total number of employees in organization/company; Size of your law department (all staff in all locations); Employer a global entity?

| | Less than 100 | 100-499 | 500-4,999 | 5,000 or more | 1 employee | 2 to 9 employees | 10 to 24 employees | 25 to 49 employees | 50 or more employees | Global entity: Yes | Global entity: No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| n= | 7 | 20 | 43 | 36 | 11 | 59 | 17 | 11 | 10 | 61 | 45 |
| Yes | 29% | 5% | 26% | 14% | 36% | 17% | 18% | 9% | 30% | 25% | 13% |
| No | 14% | 55% | 44% | 53% | 27% | 47% | 53% | 64% | 30% | 41% | 56% |
| Don’t know/Not sure | 57% | 40% | 30% | 33% | 36% | 36% | 29% | 27% | 40% | 34% | 31% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
Please share your best practices or most important learnings that may help others manage cybersecurity risk and/or a breach.
Best practices cited by lawyers who have experienced a data breach cover a wide array of topics and approaches to cybersecurity.
Common themes include having a written and well-practiced incident response plan guided by accepted standards, more in-depth prevention systems and policies with regular employee training, ongoing review of risk and policies (including regular audits), closer control and review of vendor and third-party contracts, and regular review and updates to systems and approaches to cybersecurity. Employing experts such as a CIO or CISO and quick response were also mentioned often.
See below for a sample of best practices cited by in-house counsel.
(1) Always monitor who has access to sensitive data, and educate and train the employees (on things like social engineering hacking attempts, etc.), as oftentimes humans are the least secure means of defense and the biggest vulnerability point — trust but verify — monitor users after training them. (2) Create user administration controls to limit who has access to sensitive data. (3) Track and monitor the systems with automated tools that log and report activity; automated tools can help find issues and close security holes. (4) Keep antimalware software updated by main-taining security patches. (5) Have clear policies and procedures in place for employees, consultants, and outside vendors, and strictly enforce those policies. (6) Have a data breach response plan in place so you are prepared if a breach occurs.
Review all supplier contracts, and verify we have appropriate reps and warranties, coupled with carve-out of breach remediation costs from LOL. For critical items, we also ask the vendor for an indemnity. 2) As a software company, we develop code and use third-party code in our products. We implement robust in-bound licensing controls to ensure that we do not use code that contains legal risks (e.g., ‘copy left’ restrictions under the GNU GPL) or operational risks (e.g., code known to have vulnerabilities, such as the OpenSSL/Heartbleed virus). 3) We hired a CISO to perform companywide assessments of our risk profile, to assist us in implementing best practices (including penetration testing of our systems and employee training), and to raise awareness at the board level of the risks (and prophylactic best practices) to minimize any impact.
A good broker working with you to obtain cyberliability coverage is essential. The broker can identify the best carriers from which to obtain coverage. Coverage for an incident is more than just reimbursement of monetary spend; it must include a crisis management team to help the company put into place a plan to deal with the fallout. Also, having someone from the in-house legal department dedicated as the go-to person for the IT team is essential to help with the management of any breaches.
Act as if you’ve already been breached.
As a financial services trade association, our members have formed peer groups that meet with and collaborate with FSISAC, etc. The industry’s federal regulators are collaborating with industry trades on educational events.
As this survey has already hinted, a multidisciplinary approach both for preventing breaches (training, audits, contractual language, etc.) and for responding to breaches.
Awareness of third-party security (or lack thereof).
Back up to a cloud system that is geographically remote from your office. Maintain current contact information for all staff.
Be prepared; have a data breach response plan and do a tabletop exercise; have some internal security expertise and a trusted security/forensics vendor in advance; have detection systems to alert of an issue; consider segmentation of systems and data; have knowledgeable outside counsel in advance.
Bringing back the war stories of others from attending live/interactive events focused on security/data breach issues.
Cannot invest too much in training everybody in workforce about their duties to safeguard nonpublic info regardless of role or function.
Choose the right information security standard and framework for your business; understand your risk profile and discuss with all parts of the business. Establish a risk tolerance level and make risk assessment an integral part of your operating culture. Be prepared for and plan for the worst.
Clear guidance to employees on personal devices.
Close management of data to (i) minimize the amount/type of sensitive data on-boarded, (ii) ensure data is stored and transmitted in an encrypted format, and (iii) ensure data is securely deleted/destroyed once no longer needed.
Communication to employees about where to report a breach, potential breach, and what is a breach.
Companies experiencing a breach should: (1) already have an ongoing relationship with cyber risk management company like ours so ‘Red Team’ can immediately go into action. If no agreement already in place, then immediately retain one to conduct breach analysis and forensics.
Complete readiness: (1) response vendors with SLAs, (2) written procedures on what to do vis-a-vis the 47 states — this would include templates for responses; (3) designated response teams with a templated project plan; (4) tabletop exercises with changing fact patterns.
Conduct a deep-dive analysis into your information governance (what you have, do we need it, where it is, who has access, why do they have access, how is it stored, how is it accessed).
Conduct a tabletop exercise at least twice a year.
Continuous review and improvement of security processes. Never stop evaluating them and improving them.
Cooperation with law enforcement.
Cyber/privacy insurance; focus on educational opportunities for board, management, and employees to raise awareness; developing and testing a response plan.
Cybersecurity insurance is not always useful (expensive and with deductibles that do not cover most common damages for IT frauds). If a serious breach happens, the internal security measures are the most important thing for the organization, including a business continuity plan. To have clear guidelines for the internal users of our systems and make sure those rules are followed. To have CSO and people dedicated to DP and PCI compliance. Risk management department and DPO to follow up on risks identified until those are closed.
Data logs are your friend, but the information collected and stored varies, as do log retention policies. Most companies (or external IT resources) collect basic information (IP address and date/time) and retain logs for some period of time, but they may be overwritten almost instantly or retained for months or years. Additional information can also be helpful: geographic location of the server, equipment and OS, and user name. This could be the difference between quickly identifying the source of a breach and hiring an outside forensics firm.
Don’t sign form business associate agreements without carefully considering whether any modifications are necessary for your business (e.g., is time to report breaches reasonable in view of the statutory requirements?).
Easier to manage in the USA than abroad. Even getting an in-country audit report is not comforting. When there is shared data internationally, this is a problem. Our solution was to move everything to the cloud. Our CIO is satisfied that this is the best current security solution for shared data.
Employ individuals who are knowledgeable and experienced. Chief information security officer should report to legal, not IT.
Employ outside counsel immediately. Issue a companywide hold notice. Inform insurance immediately. Inform CEO and board immediately.
Employee training and vigilance are the best defense.
Encouragement/requirement that any potential breaches reported immediately.
Ensure all business units handling data understand the types of consumer data that trigger breach notification requirements, as those categories are broadening beyond the types of sensitive financial and health data previously understood to be the only triggers under state law. Emphasize the importance of encrypting all databases containing personal data.
Ensure that the board is appropriately briefed, and anticipate questions and place cybersecurity in the right place in the risk hierarchy — i.e., one of many significant risks that can arise in a large and complex business operation.
Ensure you have a dedicated team that can put aside their daily work to focus on the current breach.
Exceed industry standards in all respects.
External audit every 6-12 months.
For a small company, we have taken pains to make sure that our IT group is extremely well trained. We send them to training constantly in order to stay up on the latest. We do not allow thumb drives by employees or any visitors. We conduct training annually, and this is important enough that it’s done as a group at a hotel. We don’t rely on computer training for this. It’s done in person by a trainer, and our corporate officers/principals stand up and speak and/or attend to emphasize the importance of cybersecurity.
Have a crisis management team in place. Ensure effective communications among all crisis team members. Manage the risks and the message well.
Have a forensics firm and outside counsel lined up in advance. Talk to everyone you know with any influence to try to get Congress to address the morass this industry has become.
Have a shared responsibility between IT and legal. Get the board and CEO to acknowledge that preparedness does not mean “breach roof.”
Have cybersecurity insurance. Going through that application process will often highlight many shortcomings within an organization. Additionally, it will force conversations within departments and offices relating to how cybersecurity risks are being handled and addressed.
Having a well-documented plan in place, with outside vendors identified and tabletop exercises conducted in the last few months, has raised our confidence level that we are prepared should an event occur.
Hire an external auditor to audit the current state of your IT systems so that you can properly assess your risk. Do not rely upon your internal IT staff to provide accurate risk assessment.
Hire an outside law firm to manage outside PEN testing to enable you to assert attorney-client privilege.
Hiring a chief information officer.
I feel very strongly about the benefits of working with the federal government if you are a critical infrastructure company.
Immediate notification once breach was discovered and prompt internal escalation. Quick assessment of nature and scope of breach. Regular communication and collaboration of breach response team.
Important to map existing insurance coverage for gaps.
In the midstream energy industry, biggest threat is through control room, so that is where we focus our efforts on security.
Increase management awareness.
Invest in a cybersecurity/compliance manager.
ISO27001 certification has provided a good yardstick to assess level of cybersecurity protection.
It is critical for the in-house legal team to have a good understanding of the material cybersecurity risks to the business, not simply rely on the IT department to take care of the risks.
It is vitally important to have a cybersecurity response plan in place and to practice in the event of an actual breach. Having the key employees and departments engaged may provide a company better response time to minimize damage and work through any communication plans effectively.
IT staff continually monitors our systems and traffic for unusual events or PSAs.
Key is for company to have a cross-functional oversight committee in place to address cybersecurity and privacy risks. Representatives on committee should include CIO, chief privacy officer, legal representative (if CPO not part of legal), compliance, and key business areas (e.g., finance, HR).
Learned most from a near miss; network monitoring system operated by a contracted provider was disabled. Resulted in a malware hack; no data loss or breach. However, it highlighted the vulnerability of relying on systems put in place without regular audit and training of personnel monitoring those systems.
Legal counsel should endeavor to become familiar with common threats and investigate its IT people on their cybersecurity and how they address such threats. Both IT and legal should attend seminars and learn from the experts the various cyberthreats, what can be done to reduce them, and develop a plan to address the issues if the threats prove real. Get a team in place proactively, especially an outside cybersecurity IT expert to help identify and quickly plug the breach, and possibly conduct a mock breach.
Maintain a list of customers who have a contractual right to know in the event of breach.
Make sure that people know what their jobs are and with whom they are supposed to communicate.
Multiple-factor authentication, close vendor oversight, constant monitoring, practice, and testing.
My best practical suggestion is to have the legal department review and enhance the company’s cybersecurity policy and to have a clear line of communication on who should be notified and who has authority to make high-level decision in the case of a breach.
Need to be aware of what is actually happening on the ground in remote offices.
Need to have a plan and test it (tabletop and other simulations). Need to designate who owns what relationships and nurture relationships with outside providers so as to be ready in the event of a breach. Need to have the right terms in vendor agreements (including standards, cooperation, indemnification, shutdown triggers, etc.). Need to be able to defend the reasonableness of what amounts are and are not spent on data security and privacy. Need to pay attention to data in all forms — hard copies too.
Negotiate reasonable terms with e-commerce and merchant banking providers to ensure reasonable transparency/auditability/control of security aspects of the relationship, proper notice, reasonable sharing of obligations in the event of a breach, reasonable allocation of risk and responsibility relative to the circumstances/causes of any breach are unauthorized disclosure. Steer clear of flat refusals to address confidentiality, privacy, and data breach liability matters in indemnification and/or limitation of liability situations. Establish clear SLAs and KPIs with agreed response times and penalties.
Never undervalue any data breach. It can lead to serious penalties and to major reputational damage, no matter the (even little) importance or sensitivity of the information leaked. It simply shows the weakness of security, and that is serious business.
Our best practice is PAYMENT CARD INDUSTRY COMPLIANCE and using outside vendor to host data.
Our company culture from top down is concerned about cybersecurity. It’s a prime concern from the board and a top concern.
Our security department sits and presents at every quarterly board meeting. They are integrated into our day-to-day, and the CEO and president have a strong relationship with the section.
Pay attention to customers’ needs in terms of what they expect in terms of cybersecurity.
Prepare your board for increased costs anticipated.
Preparedness is key — if we had not been proactive, could have been much worse.
Quarterly audits and staff retraining.
Read and edit each subcontractor and vendor agreement carefully to determine how much protection each one will offer with regard to your company’s data.
Regular meetings (monthly) with IT for sensitivity training on security requirements required by HIPAA and other state laws.
Regularly perform external penetration testing. Prohibit employees from downloading software without security risk review. Annual employee and new hire training.
Review cyberinsurance policy to know what it covers. Have a team and vendors ready to go with a plan.
Routine internal and external audits are critical to manage cybersecurity risk and/or a breach.
Sensitive data is not accessible from offsite or via any Internet connection. Access is limited to onsite only network by a limited number of people with passwords that must be changed every ninety (90) days.
(Cont’d) Please share your best practices or most important learnings that may help others manage cybersecurity risk and/or a breach.
ACC Foundation: The State of Cybersecurity Report, underwritten by Ballard Spahr LLP 143www.acc-foundation.com
OVERALL SURVEY RESULTS
Smaller organizations like ours (28 employees, $5 million annual revenue, but with law dept. of three attorneys due to nature of business) typically run into management resistance regarding expenditures for more formal and robust cybersecurity programs. Instead, our organization, and I believe others similarly situated, rely almost exclusively on local outside vendors that are themselves less sophisticated than they should be. As general counsel, this has been an ongoing source of tension with the CEO for the past 10 years.
Start with insider risk; easier to control than external risk, and it’s possible to make significant improvements.
Stay on top of new information regarding cybersecurity risk and/or breach daily using the Internet.
Surfacing a breach is often the most difficult task. Therefore, developing a culture of compliance with staff is critical so they can identify issues quickly and notify the appropriate parties in a timely manner.
Take the risk seriously and communicate risks and provide education to employees.
Take the time to build and test your company’s cyber crisis plan. Have a strong PR team on retainer that is familiar with your industry, and have holding statements ready to go. Have a credit monitoring and ID theft prevention vendor on retainer, such as AllClearID, so you can move fast. Have clear decision lines so it’s not a cluster of voices and opinions when you need to move swiftly. Identify who your company’s spokesperson will be ahead of time and who will appear before Congress or some other public forum, if needed. Be brutally honest in picking someone who will do well with this — don’t just focus on the executive’s role. Practice and get that person some media training so they are prepared. Document your information security and privacy programs so you can readily produce evidence of training, audits, investigations, notifications, etc. A good eGRC tool like Archer can be invaluable in keeping things organized.
Test vendors rigorously and regularly. Hire the best consultants and counsel. Prepare for breach, and educate the board.
The ability to track what was potentially disclosed and whether it was actually accessed are the two most critical and difficult things to assess.
The fact that companies have not standardized vendor requirements for cybersecurity is a major issue. Our customers have varying standards, questionnaires, and audit requirements, and it can be very burdensome to comply or respond to so many different requirements. Any standardization in this area would be welcome and could have significant economic benefits for both buyers and sellers.
The importance of maintaining litigation privilege is paramount.
The need to have experts who know your company and its systems ready before the breach occurs.
The scope of the breach tends to broaden rather than lessen over time.
The simplest things often cause the breach. Focus on those first. Passwords, cutting off access to terminated employees, monitoring systems to make sure large amounts of data are not downloaded by employees (rogue employee issue), do not have a failure point of one.
Tokenization. Communication between legal and IT regarding vendors.
Top on the response plan list should be making contact with your cyberinsurance carrier. Often, they must manage the process and vendors (through their counsel).
Training, training, training — and not a mandatory 20-minute video. Something real that people can touch, feel, and relate to.
Understand the key contact points for vendors who may be involved in a data breach, and you can quickly address the issue with the right stakeholders.
Understand what your cyberinsurance policy covers and doesn’t cover.
Understand your particular risks. Require two-factor authentica-tion. Conduct regular audits and penetration testing. Make sure the CEO and board are engaged.
Use experts.
Use incident response platforms. Get away from spreadsheets and email.
Utilizing outside vendor to stage a mock exercise to test security measures.
We do periodic tests — hacking attempts of our firewall and other security measures to see whether they are truly secure. We also require vendors who will handle proprietary/confidential data or PII to have similar measures and do SSAE-compliant audits annually.
Work with regulators; keep them apprised of suspicious phishing attempts. Work with IT to get ahead of the cyber requirements for government contracting.
Work with your local FBI.
You are best served by a product-enabled managed service to protect your environment.
DEMOGRAPHIC PROFILE
What was your organization’s total gross revenue for the last fiscal year, including affiliates and subsidiaries in US dollars? (Convert to US dollars using the currency conversion tool below.)
                        Overall          Region (office location)
                        All responses    US      Canada    EMEA    Asia Pacific
n=                      853              602     30        46      74
<$100 million           34%              36%     27%       24%     34%
$100M-$499M             22%              24%     20%       15%     14%
$500M-$2.9 billion      25%              24%     37%       22%     34%
$3 billion or more      19%              16%     17%       39%     19%
Total                   100%             100%    100%      100%    100%
Is your employer a global entity with employees or business operations outside of the country in which your company is headquartered?
                        Overall          Region (office location)
                        All responses    US      Canada    EMEA    Asia Pacific
n=                      965              659     34        49      92
Yes                     58%              55%     65%       86%     57%
No                      42%              45%     35%       14%     43%
Total                   100%             100%    100%      100%    100%
What is the total number of employees in your organization/company, including all departments and locations?
                        Overall          Region (office location)
                        All responses    US      Canada    EMEA    Asia Pacific
n=                      964              662     35        49      89
Less than 100           16%              16%     9%        10%     16%
100-499                 25%              26%     29%       16%     21%
500-999                 10%              10%     11%       10%     11%
1,000-4,999             22%              24%     23%       18%     21%
5,000-9,999             7%               7%      9%        6%      9%
10,000-49,999           12%              10%     14%       24%     12%
50,000-99,999           4%               3%      6%        10%     6%
100,000 or more         3%               3%      0%        4%      3%
Total                   100%             100%    100%      100%    100%
What best describes the size of your law department (including all lawyers, paralegals, specialists, and support staff in all locations)?
                        Overall          Region (office location)
                        All responses    US      Canada    EMEA    Asia Pacific
n=                      975              669     34        50      92
1 employee              19%              20%     18%       12%     11%
2 to 9 employees        52%              53%     53%       44%     58%
10 to 24 employees      13%              12%     18%       14%     12%
25 to 49 employees      7%               6%      3%        10%     9%
50 or more employees    10%              8%      9%        20%     11%
Total                   100%             100%    100%      100%    100%
Headquarters Region
                                      Overall          Region (office location)
                                      All responses    US      Canada    EMEA    Asia Pacific
n=                                    867              671     35        50      92
US                                    76%              94%     6%        16%     11%
Canada                                4%               <1%     86%       0%      1%
Europe                                8%               4%      6%        58%     10%
Former Soviet republic                0%               0%      0%        0%      0%
Middle East/North Africa              1%               0%      0%        20%     0%
Sub-Saharan Africa                    <1%              <1%     0%        2%      0%
South/Latin America                   1%               0%      0%        0%      0%
Asia Pacific — excluding Aus/NZ       2%               1%      0%        2%      7%
Australia/New Zealand                 8%               1%      3%        0%      70%
Other country/not provided            <1%              <1%     0%        0%      0%
Prefer not to answer                  1%               <1%     0%        2%      2%
Total                                 100%             100%    100%      100%    100%
Office Region
                                      Overall          Region (office location)
                                      All responses    US      Canada    EMEA    Asia Pacific
n=                                    862              672     35        50      92
US                                    78%              100%    0%        0%      0%
Canada                                4%               0%      100%      0%      0%
Europe                                4%               0%      0%        74%     0%
Former Soviet republic                0%               0%      0%        0%      0%
Middle East/North Africa              1%               0%      0%        24%     0%
Sub-Saharan Africa                    <1%              0%      0%        2%      0%
South/Latin America                   1%               0%      0%        0%      0%
Asia Pacific — excluding Aus/NZ       1%               0%      0%        0%      8%
Australia/New Zealand                 10%              0%      0%        0%      92%
Other country/not provided            <1%              0%      0%        0%      0%
Prefer not to answer                  <1%              0%      0%        0%      0%
Total                                 100%             100%    100%      100%    100%
GLOSSARY OF INFORMATION SECURITY TERMS
Access control: A combination of policies, models, and mechanisms that regulate access to system resources and protect system resources against unauthorized user access. Mechanisms include software, biometrics devices, and physical security measures.
Active attack: An intentional attempt to alter, disable, or destroy a system, its operations, resources, or data.
Advanced persistent threats: A covert network attack, usually through multiple attack vectors (e.g., cyber, physical, and deception) and often occurring over an extended period of time.
Administrator account: A user account with credentials that confer full privileges on a computer and/or throughout a network.
Antispyware: A type of program designed to prevent and detect unwanted spyware program installations and to remove those programs if installed.
Antivirus: Software used to prevent, detect, and remove malicious applications such as computer worms, viruses, and Trojan horses from systems, servers, and endpoints. Once an infected file has been detected, it can be either repaired or quarantined so that the viral code does not execute. When a new virus is discovered, a unique string of code is extracted and added to a database with other information about the virus.
Attack attribution: Determining the identity or location of an attacker or the attacker’s intermediary.
Attack signature: Rules or patterns in the heading of a packet or in the pattern of a group of packets that distinguish legitimate traffic from attacks or classes of attacks on a Web application and its components.
Authentication: Verifying the identity or other attribute of a user logging onto a computer system or the integrity of a transmitted message.
Authorization: The granting or denying of access rights to a user, program, or process.
Back door: Typically unauthorized hidden software or hardware mechanism used to circumvent security controls to gain access to a computer system.
Biometrics: The science and technology of measuring and analyzing biological data. The term usually refers to automated technologies for authenticating users through characteristics such as fingerprints, eye retinas or irises, voice patterns, facial patterns, and hand measurements.
Blacklist: A list of people or programs that are blocked or denied privileges within or access to a system or service.
Botnet: A network of hundreds or thousands of computers infected with malicious code that work together to perform tasks assigned by the network controller. These tasks are either automated or assigned through a control channel such as Internet relay chat.
Brute force attack: A method of accessing a computer or network by attempting multiple combinations of numeric and/or alphanumeric passwords.
Buffer overflow attack: A method of accessing a computer or network by sending more input than can be placed into a buffer or data holding area to crash a system or to insert specially crafted code that allows the attacker to gain control of the system.
Business continuity plan: A plan to help ensure that business processes can continue during an emergency or disaster. In the context of information security, the plan will detail the restoration of critical IT processes and operations as well as designing an architecture that prevents, detects, and isolates security breaches and reroutes network traffic in the event of a circuit failure.
Category: A restrictive label that can be applied to classified or unclassified information to limit access or to trigger heightened security measures.
Certificate: A set of data that uniquely identifies an entity, contains the entity’s public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity.
Clear text: Information that is not encrypted.
Cloud computing: Technology that uses the Internet and shared central remote servers, rather than local servers or personal devices, to store data and applications. Centralizing data storage, processing, and bandwidth improves efficiency.
Compartmentalization: Organizing resources into groups that are isolated from each other and controlling the means of exchanging information between groups. When networks are compartmentalized, filtering devices such as firewalls are used to partition a network into zones.
Computer security incident: Any unlawful, unauthorized, or unacceptable action that involves a computer system or computer network. This can include theft of trade secrets, email spam, unauthorized intrusions into computing systems, or denial-of-service attacks.
Containers: Isolated user-space instances that share an operating system kernel and may share files as well.
Credentials: A data object that supports a claim of identity or authorization that is generally intended to be used more than once.
Cross-Site Scripting (XSS): A prevalent security vulnerability in websites and Web applications where data that is inputted by a user is sent to the browser without proper validation or sanitation. In an XSS attack, an attacker exploits this vulnerability by inputting malicious code, which is injected on the website. Users become victims by visiting or clicking on a link to the compromised website. Injected code may cause the compromised website to display inappropriate images, redirect users to a malicious website or cause malicious files to be automatically downloaded onto a user’s computer.
Data breach: This term is defined differently under various laws and regulations, but generally it is the unauthorized disclosure of sensitive or privileged information to a party that is not authorized to access the information.
Data integrity: The process of preventing accidental deletion or corruption of data in a database.
Data loss prevention (DLP): A strategy for preventing data loss due to insider threats by ensuring end users cannot send or otherwise share confidential information outside of the corporate network.
Data mining: The process of analyzing large amounts of data, usually through an automated process, to uncover facts, patterns, relationships, trends, and anomalies with the goal of using the information to predict data subjects’ behavior.
Defense-in-depth: A comprehensive security strategy involving the coordinated use of multiple security countermeasures to protect the integrity of an organization’s information assets.
Digital forensics: The specialized techniques used to collect, retain, and analyze potential evidence in digital form for investigative purposes in such a way that chain of custody is preserved and can be proven.
Digital rights management: Any access control technology used to protect, license, and otherwise restrict the use of proprietary software, hardware, or content.
Digital signature: A data string that is added to a digital message to guarantee its integrity. The string is created by hashing the original message into a short fixed-length value, known as a message digest, and then encrypting it with the signatory’s private key. Message recipients can determine whether a message has been modified by hashing it into a message digest, decrypting the signature with the sender’s public key, and comparing the two message digests.
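The two-step process the Digital signature entry describes (hash the message into a digest, then apply the signer's private key; the recipient re-hashes and checks with the public key) can be seen end to end in the following example. It is added here for illustration and is not part of the report; it uses Go's standard library with RSA PKCS#1 v1.5 over SHA-256 as the concrete scheme, and the wire-transfer message is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign follows the glossary's two steps: hash the message into a
// fixed-length digest, then apply the signer's private key to that digest.
// RSA PKCS#1 v1.5 with SHA-256 is the concrete scheme chosen for this example.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the recipient's side: recompute the digest of the message as
// received and check it against the signature with the sender's public key.
// Any change to the message, the signature, or the key makes this fail.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Demo runs the exchange on a constructed message and reports whether the
// signature verifies for (a) the original message, (b) a tampered copy, and
// (c) the original message checked against a different party's public key.
func Demo() (bool, bool, bool, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample message, not taken from the report.
	message := []byte("Approve wire of $10,000 to vendor account 0001")
	signature, err := Sign(signer, message)
	if err != nil {
		return false, false, false, err
	}

	okOriginal := Verify(&signer.PublicKey, message, signature)

	// One changed digit in transit: the digest no longer matches.
	tampered := []byte("Approve wire of $90,000 to vendor account 0001")
	okTampered := Verify(&signer.PublicKey, tampered, signature)

	// The signature binds the message to the signer's key, so another
	// party's public key cannot validate it.
	okWrongKey := Verify(&someoneElse.PublicKey, message, signature)
	return okOriginal, okTampered, okWrongKey, nil
}

func main() {
	okOriginal, okTampered, okWrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v\ntampered verifies: %v\nwrong key verifies: %v\n",
		okOriginal, okTampered, okWrongKey)
}
```

The point for a reviewer of an incident record or a signed notice is the third check: a valid signature proves both that the content is unchanged and that it was produced by the holder of a specific private key, which is why the Certificate entry above matters, since the certificate is what ties that public key to a named party.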
Disruption: An event that causes an unscheduled interruption in processes or operations for an unusual or unacceptable length of time.
Distributed denial of service attack: The introduction of code into a trusted component or software that will be distributed to other companies. The infected computers can then be instructed remotely to send a flood of network traffic to a target. Overwhelming the target system causes delays and outages, thus making its resources — websites, applications, email, voicemail, etc. — unavailable to legitimate users.
Encryption: Encoding information and messages so they are unusable, unreadable, or indecipherable without a key or password.
End-to-end security: Safeguarding information in an information system from point of origin to point of destination.
Enterprise: An organization such as a business or company.
Enterprise risk management: The process of planning, organizing, leading, and controlling the activities of an organization to minimize the risk to its assets.
Exploit: A method or a program that automates a method that targets a software vulnerability to compromise the integrity, availability, or confidentiality of information or services.
Firewall: Software applications on a network gateway server that are used to keep a network secure. A firewall can be used to separate internal network segments and public Web servers to prevent unauthorized access to private network resources from outside the network. A firewall can also be used to protect internal network segments from unauthorized use by someone within the network.
Forensics: A structured investigation of computer systems, networks, wireless communications, and storage devices to identify, collect, preserve, and analyze data that can be presented as evidence in court.
Honeypot: A system or system resource created to attract potential intruders. The goal is to distract intruders from the real target and to gain information about the intruder and the attack.
Identity and access management (IAM): A system of managing access to information and applications in internal and external applications systems. IAM generally has four components: authentication, authorization, user management, and a central user repository that stores and delivers identity information to services and verifies credentials submitted by users.
Incident response: A process or set of activities including impact and scope measurement and remediation that addresses the immediate and direct effects of a cyberincident and provides short-term recovery.
Insider threat: A threat that originates within an organization.
Intrusion prevention systems (IPS): A device or software used to prevent intruders from accessing systems and halt malicious or suspicious activity. An IPS will identify malicious activity, log information about it, attempt to stop it, and report it. This is in contrast to an Intrusion Detection System, which merely detects and notifies but takes no further action.
Investigation: A systematic inquiry into a threat or incident using digital forensics and other examination techniques to collect evidence and determine specifically what has transpired.
Internet protocol (IP) address: A unique number that devices use to identify and communicate with one another on a computer network using the IP standard. All devices on a network, including routers, computers, printers, and Internet fax machines, must have their own IP addresses.
Intrusion: A security event or events where an unauthorized entity gains or attempts to gain access to a system or system resource by circumventing the system’s security protections.
Key: A string of bits used by an algorithm to produce encrypted text from a string of unencrypted text or to produce decrypted text from a string of encrypted text.
Local Area Network (“LAN”): A group of computers and associated devices that are connected to the same server by hardware and software communications facilities to share resources, such as information, and peripheral devices, such as printers and modems. Typically the devices and server are all in a small geographic area.
Malware: Malicious software intended to do harm, such as disrupting computer operations, stealing confidential information, or gaining access to computer systems. Malware includes viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, spyware, and browser helper objects.
Multifactor authentication: A type of authentication based on more than one component. For example, something a user knows, such as a password, would serve as one component and would be combined with something the user has, such as a fingerprint or debit card, which is another component. To access a network, the user must have all the required components.
Network: A group of computers and associated devices that are connected by hardware and software communications facilities in order to share resources, such as information, and peripheral devices, such as printers and modems.
Network-based incident response: A set of disciplines, technologies, and processes for responding to incidents that focuses on attempts to block breaches at the network perimeter or firewall.
Passive attack: Unauthorized monitoring of system activities without altering the system or its resources, data, or operations. Examples include traffic analysis, monitoring unencrypted communications, decrypting weakly encrypted traffic, and capturing passwords or other authentication information.
Password: A data value, usually a string of characters, that a user presents to a system to authenticate the user’s identity or verify access authorization. A password is generally kept secret and paired with a user identifier, such as a user name. Authentication or verification occurs when the inputted password is matched with the password held by the access control system for the relevant user identifier.
Packet capture (“pcap”): Using an application programming interface to capture “packets” of information crossing a network in order to diagnose a network problem or to spot-check for malicious activity.
Patch: A software modification or the act of modifying software. A patch generally fixes a vulnerability or bug but may also enhance the software or introduce a new feature.
Patch management: The application of patches to installed software systems on an organization’s computers.
Penetration testing: The practice of testing a system for vulnerabilities. Tests are either automated with software applications or performed manually.
Permission: An authorization to perform some action on the system.
Persistent data: Data stored on a local hard drive or other device that remains in storage when the device is turned off.
Phishing: An attempt to illegally gather personal and/or financial information from targets by sending them a message that appears to be from a trusted source. A phishing message typically includes at least one link to a fake website, designed to mimic the site of a legitimate business and trick the target into providing information that can be used for identity theft or online financial theft.
Plaintext: Unencrypted and otherwise readable text or messages. Plaintext is the input in the encryption process and output of the decryption process.
Port: Packets of information transmitted on the Internet are separated into separate streams, or virtual ports, based on type. Each packet is assigned a number based on the port, which allows the receiving system to recognize what it is receiving. For example, secure online data is generally assigned to Port 443. A physical port is a connection point between a computer and an external or internal device.
Privilege: Authorization to perform a security-related function to a computer’s operating system.
Protocol: A set of rules for communications that computers use when sending signals among themselves.
Proxy server: An intermediary server between an Internet user and the Internet.
Radio frequency identification: A system that wirelessly transmits identity or other information stored in a tag using radio waves. The system consists of a transponder (the tag), an antenna, and transceiver. The antenna and transceiver are often combined into one reader. The antenna transmits a signal using radio waves that activates the transponder, which then transmits data back to the antenna.
Ransomware: A type of malware designed to lock or encrypt files on the infected computer system and display messages demanding a fee to unlock the system.
Red Team: A group of white-hat hackers authorized to attack an entity’s computer systems using the same tactics that malicious hackers would use. Instead of damaging systems or stealing information, the Red Team reports its findings to the entity to help it understand threats to its security.
Redundancy: A system design in which a component is duplicated so that if it fails, there will be a backup.
Remote access: The ability of a user to control a computer or device on an organization’s network or the Internet regardless of where the user is.
Risk assessment: The process of systematically identifying an organization’s valuable resources and threats to those resources, quantifying loss exposure based on frequency of loss and cost of occurrence, and making recommendations on how to allocate available resources to defend against or mitigate loss exposure.
Rootkit: An intruder uses this tool to gain administrator-level access to a computer. These tools are generally difficult to detect and are installed by cracking a password or through a known vulnerability to access a remote computer.
Router: A computer-networking device that forwards data packets across a network via routing. The device acts as a junction between two or more networks transferring data packets.
Safeguards: Physical, administrative, or technical countermeasures to avoid, detect, counteract, or mitigate security risks to a computer system or network.
Scanning: Inspection of a computer or network for vulnerabilities or security holes.
Security analytics: The study of trends, patterns, and associations in large sets of disparate data to measure its importance in managing risk and making sound decisions.
Security information and event management: Tools designed to detect, consolidate, analyze, and deliver information about data breaches from network monitoring and threat-detection devices.
Situational awareness: The capability to perceive different security threats and events, comprehend the meaning of an organization’s cybersecurity status, and project its future status to better position security mechanisms.
Sniffing: The use of software to intercept and read all the packets of data traveling on a network. This can be done to monitor network traffic. Communications appear in clear text unless they are encrypted.
Spam filtering: A software process that deletes or diverts suspected spam or junk mail based on criteria defined in spam filters.
Spoofing: Either receiving a communication by masquerading as the legitimate recipient or sending a communication by masquerading as the legitimate sender. “IP spoofing” refers to sending a network packet that appears to come from a source other than the actual source.
Spyware: A broad category of malicious software designed to intercept or take partial control of a computer’s operation without the consent of its owner or user. Spyware is typically bundled as a hidden component of other programs that users download from the Internet. Its purpose is generally to collect information about a user, such as Internet browsing habits, login information, and payment information and transmit it to third parties.
System integrity: The condition of a system where it is performing its intended functions without degradation or being impaired by changes or disruptions to its environments.
Tabletop exercise: An activity where personnel responsible for emergency management are gathered to discuss various simulated emergency situations.
Threat intelligence: A collection of focused information on potential threats and gaps in security based on artifacts related to threats such as associated files and communication protocols.
Token: A device that generates a random number that changes at regular intervals. This number is used, generally with a user name and password, to authenticate an individual.
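The Token entry above, together with the Multifactor authentication entry, describes the "something the user has" factor as a number that changes at regular intervals. The following added example (not part of the report) shows how such a number is produced in the most common scheme, time-based one-time passwords (TOTP, RFC 6238, built on the HOTP construction of RFC 4226): the code is not random but derived from a secret shared at enrollment and the current 30-second time step, which is exactly what lets the authentication server recompute and check it. The secret used in the test is the RFC's published test key; the 6-digit, 30-second parameters are the common defaults, and the drift tolerance of one step on either side is an assumption of this example, not a value from the report.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTP computes the code a time-based token displays (RFC 6238, built on
// the HOTP construction of RFC 4226): HMAC-SHA1 over the current time step,
// dynamic truncation to 31 bits, then reduction to the requested digits.
func TOTP(secret []byte, unixTime int64, stepSeconds int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/stepSeconds))

	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)

	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	modulus := uint32(1)
	for i := 0; i < digits; i++ {
		modulus *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%modulus)
}

// VerifyCode is the server side of the "something the user has" factor:
// recompute the expected 6-digit code for the current 30-second step and
// its immediate neighbours (tolerating small clock drift; the one-step
// window is this example's assumption) and compare in constant time.
func VerifyCode(secret []byte, submitted string, now int64) bool {
	for _, skew := range []int64{-1, 0, 1} {
		expected := TOTP(secret, now+skew*30, 30, 6)
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	// Demo secret (the RFC 6238 test key). A real secret is generated at
	// enrollment and stored only in the token and the server's credential store.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	fmt.Println("current code:", code, "accepted:", VerifyCode(secret, code, now))
}
```

Two properties follow directly from the construction and are worth knowing when a token program is being evaluated: the server must hold the same secret as the token (so the credential store is as sensitive as a password database), and a code is only ever valid for a short window, which is why a stale code is rejected even though it was once correct.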
Traffic: Packets of information being transmitted over a network.
Trojan horse: A malicious computer program or application that has a seemingly legitimate function but also contains an un-expected and usually destructive function that circumvents secu-rity mechanisms. They are distinguishable from viruses because they do not replicate themselves. For a Trojan horse to spread, us-ers must invite the program onto their computers, for example by opening an infected email attachment.
Verification: The process of checking the truth of an assertion by examining evidence or testing. For example, during authenti-cation, a user’s identity is verified by examining the identification information that the user presents.
Validation: To officially approve data structures, relationships, or systems that depend on verified items. For example, a public-key certificate is validated to confirm the relationship between an iden-tity and a key by verifying the digital signature on the certificate.
Virus: A self-replicating computer program that executes itself and inserts copies of itself into other computer programs, data files, or the boot sector of the hard drive, thereby altering the way a computer operates. Viruses often have a harmful purpose, such as corrupting or deleting data, using the user’s email program to spread itself to other computers, or taking up available hard-drive space.
Virtual Private Network (VPN): A means of securely ac-cessing a private network remotely while connected to a public network. To connect to a VPN, a user first connects to the public network through an Internet service provider and then uses client software on the user’s device to initiate a secure connection with client software on the private network’s server. Once the connec-tion is established, the device has the same functionality, access, and security as it would if it were on the private network.
Volatile data: Data that is stored in registries, cache, and ran-dom access memory or exists in transit but is lost when a computer is no longer on.
Vulnerability: A security flaw, glitch, or weakness in software or an operating system that can lead to security concerns. Vulnerabilities can be caused by, among other things, weak passwords, bugs in software, software misconfigurations, a computer virus or other malware, a script code injection, or an SQL injection. They exist in all software and operating systems and can be exploited by malicious parties.
Vulnerability assessment: The process of identifying, measuring, and prioritizing security vulnerabilities in an organization or system. Generally the assessment involves cataloging assets and resources in a system, assigning a value to those resources, identifying potential threats to each resource, and eliminating or mitigating the most serious threats to the most valuable resources.
White hat hacker: A person who attempts to compromise the security of a computer system to ultimately improve its security.
Whitelist: An application whitelist is a set of administrator-approved programs that are allowed to run on a system. All other programs are blocked from running by default.
Worm: A standalone malware program that self-replicates and self-propagates, spreading from system to system. Unlike a virus, a worm does not require a host file to spread. A typical result is that the worm consumes too much system memory or network bandwidth, which overwhelms servers, network servers, or individual computers.
Zero-day attack: An attack that exploits a previously unknown vulnerability in software or hardware (a “zero-day vulnerability”). “Zero day” refers to the time that elapses between when the vulnerability is made public and the first attack.
The ACC Foundation – a 501(c)(3) nonprofit organization – supports the efforts of the Association of Corporate Counsel, serving the needs of the in-house bar through the dissemination of research and surveys, leadership and professional development opportunities, and support of diversity and pro-bono initiatives. The ACC Foundation partners with corporations, law firms, legal service providers, and bar associations to assist in the furtherance of these goals.
1025 CONNECTICUT AVENUE, NW SUITE 200, WASHINGTON, DC 20036 USA TEL +1 202.293.4103
WWW.ACC-FOUNDATION.COM
