By Megan Stride
Law360, Chicago (August 15, 2012, 2:31 PM ET) -- Data security now ranks as a top concern among corporate general counsel and public company directors, according to a report released Monday, though fewer than half of directors responding to that survey said their company has a written plan for responding to a cyberattack.
For the first time in the 12 years FTI Consulting Inc. and Corporate Board Member have published their Law and the Boardroom Study, data security was the most often cited legal issue of concern for both general counsel, with 55 percent of those surveyed pointing to that topic, and directors, with 48 percent pointing to it. The groups surveyed 1,957 general counsel and 11,340 directors in early 2012.
Despite that level of concern, which the report said has nearly doubled in the past four years, just 42 percent of surveyed directors said their company has a formal, written plan for responding to a cyberattack or data breach; 27 percent said their company did not have one; and 31 percent said they weren't sure, according to the report.
"I hate to say this, but I think it is going to take several well publicized security breaches before a majority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster," Corporate Board Member President TK Kerstetter said in the report.
"While a number of companies are taking steps to become more educated on IT risks, the fact is that not enough are taking the appropriate actions to fully prepare their organization," Kerstetter added.
Fred Cate, the director of the Center for Applied Cybersecurity Research at Indiana University's Maurer School of Law, told Law360 on Wednesday that it's not surprising data security has shot up in importance in the minds of general counsel and corporate directors.
"We've had some hugely high-profile breaches over the past 18 months," Cate said, pointing to cyberattacks on EMC Corp.'s RSA security division, Yahoo Inc. and Zappos.com as noteworthy examples.
The high-profile cybersecurity bills mulled by Congress this year are also another likely reason the subject is at the front of GCs' minds, he added.
While the idea of a written plan for handling data breaches can sound more bureaucratic than practical, having some strategy in place is essential for businesses of all sizes, according to the professor.
"I think what is absolutely true is that a large majority of institutions in this country and worldwide do not have a well thought out, comprehensive security plan," Cate said.
Companies should build plans that address cyber attack prevention, resistance and recovery, drawing together their human resources, IT and physical security teams, with the company's lawyers taking part in every step of the process, according to Cate.
Regardless of their responses on security plans, 77 percent of the general counsel and directors that responded to the survey said they believe their company is prepared to detect a cyber breach if one occurs, according to Monday's report.
Beyond data security, operational risk was the survey's second most cited concern by both general counsel, with 47 percent of responses, and directors, with 40 percent flagging that issue.
"Boards increasingly are concerned about operational risk in the context of emerging markets, where rising economic prosperity offers opportunities to expand operations and grow market share yet also poses heightened governance risk," Neal Hochberg, the senior managing director and global leader of FTI's forensic and litigation consulting practice, said in the report.
Still, a 59 percent majority of general counsel said they believe their company's board is effective at managing operational risk, and 33 percent of that group gave their board a neutral rating, the report said.
Coming in third on GCs' list of concerns was the management of outside legal fees, cited by 38 percent of respondents.
Directors pointed to risks to the company's reputation as their third biggest concern, with 40 percent of respondents flagging that issue, according to Monday's report.
--Editing by Cara Salvatore.
All Content © 2003-2012, Portfolio Media, Inc.