Key Takeaways: Cybersecurity Interdisciplinary Tips on the New Regulatory Landscape for In-House Counsel
The Association of Corporate Counsel (ACC) Chicago recently hosted a dynamic panel discussion, “Cybersecurity: Interdisciplinary Tips on the New Regulatory Landscape for In-House Counsel,” in partnership with Benesch Law.
The panel, which included ArmorText CEO Navroop Mitter, offered invaluable insights into the evolving cybersecurity regulatory landscape and how in-house counsel can better prepare for potential breaches. Here are the key takeaways from the discussion:
1. Tabletop Exercises: A Strategic Approach to Preparedness
One of the central points made during the panel was the importance of conducting tabletop exercises–simulated cybersecurity incident drills. However, these exercises should not be reactive to headlines but instead focus on actual risks to the organization.
To maximize effectiveness, tabletop exercises must:
- Involve cross-functional participants, including leaders from cybersecurity, legal, HR, finance, communications, and crisis response.
- Go beyond the “tech teams in the basement” and include key executives like the General Counsel (GC), Chief Financial Officer (CFO), Chief Information Officer (CIO), and Chief Executive Officer (CEO).
- Be conducted at least once a year, with some organizations benefiting from multiple exercises per year, targeting both technical and executive teams to test different aspects of the incident response.
These tabletop exercises are critical for building organizational readiness and testing the communication strategies that are often the first to falter during real incidents.
2. Post-Exercise Debrief and Ownership
Following each tabletop exercise, a debrief is essential to capture key takeaways and ensure accountability for subsequent improvements. The panel suggested creating a “cheat sheet” that outlines notification requirements and incident response protocols, giving teams a quick reference for real-world incidents.
The importance of leadership setting the tone was stressed throughout the panel. Involvement from top executives not only enhances the exercise but ensures that cybersecurity becomes a priority at every level of the organization.
3. Industry-Specific Challenges: Communication Breakdown in Crisis
For industries like engineering, manufacturing, and energy, the panel noted that communication failures are a recurring challenge. More than 70% of companies in these sectors struggle to maintain communication when primary systems (e.g., email, chat, and video conferencing) are compromised.
Mitter discussed how companies with out-of-band communication systems—systems that allow secure, alternative communication outside of compromised networks—perform significantly better during crisis response. Without such systems, companies risk communicating in the presence of their attackers, potentially giving away vital information about remediation efforts or negotiation strategies
4. Regulatory Compliance and Legal Considerations
The panel also touched on the complex and evolving regulatory requirements facing in-house counsel. Legal obligations are no longer limited to incident disclosure; they now encompass record retention, board oversight, and increasingly stringent cybersecurity standards across various sectors.
The panelists also highlighted the importance of cross-departmental alignment between legal, C-suite executives, and security teams during and after a breach. This collaboration is essential to meet regulatory demands such as SEC disclosure requirements via Form 8-K and to manage ongoing risk in annual reports.
5. Out-of-Band Communications: A Critical Component of Incident Response
One of the key themes was the critical need for out-of-band communication solutions. In the event of a breach, organizations must be able to communicate securely and effectively, outside the compromised environment. The use of consumer apps like Signal and WhatsApp, while convenient, can lead to gaps in compliance and security.
Mitter advised that leveraging enterprise-grade tools like ArmorText—which offer end-to-end encryption, centralized user management, and audit trails—can help organizations avoid the pitfalls of using insecure or non-compliant, consumer-grade platforms. In fact, organizations without robust out-of-band communication risk exacerbating the damage of a breach by leaking sensitive information to adversaries.
6. Incident Response Best Practices: Real-World Examples
The discussion was further enriched by real-world examples, including the MGM breach orchestrated by the “Scattered Spider” group, which underscored the need for immediate forensic reviews and rapid legal assessments of obligations.
Panelists recommended maintaining a comprehensive checklist of applicable laws and regulatory obligations. This checklist should be regularly updated and readily accessible to the GC and other key stakeholders to ensure compliance in a crisis.
Mitter emphasized the critical role of out-of-band communications in incident response. If your organization cannot leverage a solution like ArmorText—which provides secure, compliant out-of-band communication capabilities— and must rely on consumer apps like Signal or WhatsApp, it’s crucial to be prepared to address the key control gaps in ephemeral messaging. These gaps are detailed in Benesch’s client bulletin: “Staying Ahead of the Curve: Adapting to Evolving Cyber Regulatory Enforcement.” Without filling these gaps, organizations risk further exposure during an incident, as these apps lack centralized user management, audit trails, and policy enforcement.
7. Preparing for the Inevitable by Adopting a “Post-breach Mindset”
The panel concluded with a consensus that breaches are not a matter of if, but when. Building resilience into your organization’s cybersecurity strategy—through tabletop exercises, regulatory compliance, and out-of-band communication tools—is essential for surviving and thriving in the face of a cyber incident.
ArmorText, as highlighted by Mitter, offers a secure out-of-band communication solution that checks all the boxes when it comes to compliance and security. It has been recognized as a Leader in The Forrester Wave™: Secure Communications Solutions, Q3 2024 report, which cites how “ArmorText outclasses for SecOps, incident response, and threat-intel-sharing use cases.”
PHOTOS
