Allocating risk through innovation in a connected world
Richard Nohe, BT general counsel for the Americas, gives a call to action to his fellow GCs to embrace and proactively manage risk for their clients.
Dealing with technological risk
GENERAL COUNSEL FOR THE AMERICAS, BT
There are opportunities and threats to every business as the world becomes increasingly connected. General counsel must embrace their roles as positive agents of change and help the legal landscape keep pace with these market dynamics, particularly around risk. This is especially true in areas of the business where the pace of evolution is rapidly accelerating, as in the field of information technology. It is inevitable that as businesses across the globe evolve, the role of the GC will also continue to evolve. This is because GCs occupy a unique position within the corporate structure from which to understand risk and thereby counsel the business to better manage it. Taking informed risks will deliver better returns and mitigate the chances of adverse consequences from black swan events, which can have a long-lasting effect.
Historically, lawyers have been trained to be conservative and protective of their client’s interests. Their approach is akin to driving by looking through the rear-view mirror: they reactively apply the law to a set of facts that happened in the past and then zealously advocate on their client’s behalf. Insufficient thought is given to how things could be different in the future and how to effect change. Corporate lawyers today must look both inside and outside the company and work to take a more proactive approach to risk management.
In this regard, GCs play pivotal roles as leaders; they need to step back and consider how the law may be used proactively, outside the heat of the battle. They can navigate the evolving legal landscape with an eye to how things may progress due to specific market developments and trends. Changes are happening in virtually every market and industry. The one I know best is the field of technology, so I will focus on some examples in that area.
Every board of directors must have cybersecurity on its risk register. It is a complex area that is not centrally owned by any single function in a company. The CEO, CIO, CFO, CSO, and the GC each have a role to play. The CIO and the CSO are key and interact with peers across their professions, looking for ways to better manage systems and protect the perimeters, but they are looking primarily from a technical point of view rather than a legal or commercial one. The GC advises each of those involved, as well as the board, in managing the overall issue. GC engagement in a dialogue about cybersecurity risk from a legal and commercial contract point of view is beneficial to all.
How can GCs kick this off and what are some examples? There is no shortage of news about cyber breaches. They often come from hacktivists, organised crime, nation states, and insider threat. Regardless of the source of the attack, GCs can discuss among themselves issues such as what data protection and privacy laws are at issue given the different types of information that may be under attack. This can lead to a dialogue around whether it is reasonable to impose contractual obligations to comply with all applicable laws when laws are constantly changing and often in conflict. Is seeking to extract such mutual obligations from parties the core of the issue, or is it simply an attempt to seek insurance cover which may be better sought from a third party? In the event of an attack, does the legal community want to engage in supply-chain lawsuits, or is there a more productive way for legal talent to be used?
GCs can also engage in a dialogue around issues such as the SEC’s reporting requirements for cyber incidents. These are fraught with legal considerations that can impact the potential for litigation and regulatory action. Discussing ways in which different industry segments may approach disclosure would add value and help the people who are directly involved steer a complex and evolving area.
The marketplace is undergoing a fundamental shift from distributed computing, with applications sitting on the desktop at the edge of the network, to more centralised computing, with applications sitting in the ‘cloud’, meaning essentially that they reside off-premises and are accessed remotely via a network. This technological development is transforming the way businesses operate.
In this environment, the supply chain deserves extra scrutiny from the legal team to consider issues such as in which jurisdiction the data physically resides, and whether it will be transferred across jurisdictional boundaries thereby raising cross-border data flow concerns. In addition, there will be players with deep pockets and substantial assets, and players on the opposite end of the spectrum who might have a valuable app running on a server, but it may be the only real asset of the company – and intangible at that. The marketplace has not determined where the risk will reside, and GCs of various market participants are uniquely placed to discuss, shape the debate, and facilitate solutions.
The legal community can become more engaged in where the legal risk for cloud computing should sit within the market. Steered by their GCs, lawyers from the buy and sell sides can come together to work out standard terms similar to the way the technical community does. Not too long ago, IBM introduced a two-page cloud contract. As with any standard-form agreement, it seeks to limit the exposure through the usual mechanisms of a liability cap, exclusion of consequential damages and most third-party claims. However, there is an opportunity to take this a step further and consider the customer side in more depth. For example, there are certain industry verticals with common risks – financial, pharmaceutical, government, manufacturing, oil and gas, retail – and each has a common need for cloud computing. GCs from those industries can come together with cloud providers to have a broader risk conversation, taking into account the cloud supply chain, where the law is heading, and what their respective business clients are really trying to accomplish with a contract.
Most of the time business people are not seeking to get bogged down in liability limits and indemnities – their concerns are more operational. Are the lawyers focused on the right things? Where ‘third-rail’ or catastrophic risk should sit from a legal point of view is important in the rare case that litigation ensues. Most often though, actual in-life disputes concern areas on which lawyers tend to spend insufficient time: for example governance, change control, service level credits, definition of scope and so forth. GCs can help change this dynamic by setting forth reasonable middle-of-the-road general terms and conditions that correctly place risk between the parties or with a third party insurer, and move towards industry-standard contracts and understanding of risk.
The role of the network is changing as well. Technological advancements over the past two decades have forever changed how companies access and use information. In the past, large corporate networks were built to be physically separated and isolated with private lines connecting various offices. We then saw a transition to Virtual Private Networks (VPN) where multiple companies shared the same network infrastructure, and software in the network allowed for a logical separation rather than a physical one. Now we are seeing a further evolution where the internet will play an even larger role than it does today with the IPv6 [Internet Protocol version 6] standard allowing further secure sharing of physical infrastructure, with applications increasingly shifting to the cloud and the much-hyped Internet of Things. Those able to connect various cloud providers and integrate the network service providers will provide unique added value and be key to the security of corporate information ecosystems.
At this point, most large corporates are not willing to put all their money, literally and figuratively, on the internet. It is not yet secure enough, and VPNs will remain at the core of the enterprise. The importance of communications to companies continues to rise, and they will continue to benefit from the more-for-less phenomenon where bandwidth increases as price comes down – similar to the computing space.
This evolution is occurring against a backdrop of regulatory change. You may have seen in the press news about ‘Net Neutrality’, which is essentially how to ensure equal treatment to all with regard to speed over the internet. In the US, there have been legal battles over Net Neutrality and they are likely to continue, possibly culminating in a legislative solution at some point. Clearly, the legal profession has a lot of influence in this area and can be a positive agent of change. If that is to be the case, GCs for the parties with vested interests on all sides need to pause, step back, and consider how to best facilitate solutions.
The exponential growth in data storage will continue with the Internet of Things, but human capability to digest information is not increasing at such exponential rates. There is a factoid applicable here (I’m not sure if it’s actual fact or fiction but it makes the point either way): a child with a smartphone today has access to more information than Bill Clinton had access to when President of the US.
Increasingly, the GC community will have to grapple with issues such as data protection, profiling of individuals, intellectual property and intervention prior to a bad act based on pattern recognition. There are areas and risks approaching that we cannot conceive of at this point in time, but we can pause and consider the direction of travel and what sorts of rules should apply based on what we do know.
GCs can discuss with each other, and their stakeholders, how they see the allocation of risk unfolding within the market and the supply chain. The output of such dialogue should feed into the guidance and direction they give to their external counsel who need to consider risk in a different, less risk-averse, way. In contract negotiations lawyers need to step back from simply trying to push liability, indemnity, and other risks on to the other party. They should consider which party can most efficiently accept each risk or whether a third party (for example an insurer) can be involved, so that the risk inherent in any one deal can be shared across multiple deals and players.
Of course, insurance will not always make sense and there will be different costs to consider. However, it was not long ago that the concept of cybersecurity insurance did not exist. It does now and government bodies like the US Department of Homeland Security’s National Protection and Programs Directorate are facilitating its development. This is commendable. The point is to pause, take a step back, and avoid framing solutions on what is available today. Instead consider how the legal community can offer some thought leadership that will add value and provide the business with a better risk profile to enable growth.
This forward-thinking dialogue is best done in a proactive way, and outside the heat of a negotiation where the clients’ interests tend to force the lawyer into a reactive and protectionist mindset. This is especially true in the context of the dreaded and largely unhelpful ‘request for proposal’ process which seeks to commoditise input prices without considering the value of the solution to the problem being addressed. The GC can facilitate a change in the way companies buy and sell from each other by advocating to identify the problem, define a solution, and then address which party is best placed to carry each risk under what terms and conditions. Only then can the optimal price – for both parties – be determined.
It is beneficial to act in this way in a rapidly evolving world. For example, the legal team at BT has reached out to analysts and consultants who advise our customers, to engage in a dialogue about terms and conditions that we see over and over again. It makes sense to discuss risk profiles outside a particular bid where strict procurement and confidentiality rules apply. Of course, the consultants have similar dialogue with competitors. This allows the buy-side advisers to better understand the risk drivers and adjust the standard terms and conditions in order to avoid going through the same song and dance every time. As the market and technology evolve this is crucial because the risk profile evolves as well, and the contract terms have to be adjusted.
One final point is that the GC community is well placed to influence the way law schools teach. There will always be a role for the zealous litigators, but the profession also needs more risk-savvy creative negotiators and diplomats. Law students should be thinking about how the law will change over the course of their careers, and how they can solve problems. The legal profession should not abdicate its role as advocate, but we should shift focus to areas that have more practical benefits given the transformational changes our clients are experiencing.
We all know the joke that everyone hates a lawyer until they need one. This and other lawyer jokes stem at least partly from the profession’s self-inflicted wounds, at times suffered by the overzealous or overcautious among us. The GC community can help turn that tide by pushing the profession – from law student, to in-house counsel, to senior law firm partner – to be more constructive and find ways to facilitate change at the pace being experienced by the business and the market. It is a dialogue that we can start ourselves – let’s get on with it.
Five steps that GCs can take to better allocate risk through innovation in a connected world
- Push back against the mindset of managing simply to get things done and pause to consider what step changes are needed in the current legal framework in order to facilitate growth and innovation while allocating risk to the right parties.
- Reach out to like-minded innovative thinkers within the legal profession as well as key stakeholders from other disciplines, question the status quo, and reflect on ways to enable constructive change.
- Nourish the seeds of innovation and use your position of influence to lead by example, championing new ways of working into your own in-house teams and external law firms and other suppliers – press for change in the way law schools educate.
- Highlight the positive change to stakeholders and foster the dialogue around where risk is best-placed and in doing so show how the GC community delivers true value-added thought leadership.
- If you need to switch firm, do it fast.
If you’d like to add your thoughts to the debate, contact Richard.