ESG Risk Research Survey Report: 2021

Foreword

Even before the Covid-19 pandemic altered businesses and society, the environmental, social and governance (ESG) movement was gaining steam within corporate circles. Issues of climate change, consumer pressure, regulatory reform and social movements, were top of mind for investors and executives.

The global pandemic only further heightened the awareness around ESG, and the social impact of severe lockdowns and business instability forced companies to rethink their priorities. As a result, ESG issues such as environmental sustainability, social justice, and emerging reporting disclosure protocols have dominated corporate news headlines around the world.

ESG reporting has been voluntary in many countries, but in the last 12 months the EU – along with many other national governments and regulatory bodies – have issued ESG reporting guidelines. As the move towards establishing a common reporting standard around ESG continues, corporate counsel have been tasked with implementing effective protocols and oversight.

GC partnered with Irwin Mitchell to gauge the ESG outlook of leading corporate counsel across Europe and the United States. With the 26th UN Climate Change Conference (COP26) taking place in the United Kingdom from 31st October to 12th November 2021, the ESG agenda has been cemented as a business imperative for general counsel. This research documents the thoughts and opinions of more than 190 in-house lawyers on ESG, their risk outlook, and how a shift in business focus has shaped their legal agenda.

In-House Legal Research Team
GC magazine

Irwin Mitchell Comment

Irwin Mitchell is determined to become a leading responsible business. We’re already on a journey to ensure that our environmental, social and governance values are embedded into our business and influence our relationships, strategies and aspirations. But to be truly successful, we need to proactively engage in conversation and collaboration; with our colleagues, with our clients, within our business and geographic communities, and, setting commercial competition aside, with our peers across the legal sector. In doing that, we believe our aspirations will be realised and we will lead as a responsible business. We’re delighted that so many in-house counsel contributed to this research, and I’d like to thank them for their time and for sharing their insights into the role of in-house in setting and supporting the ESG agenda within their businesses. We hope that you’ll find this research useful in plotting where you, your team and your business are on your own ESG journey, and where it will take you next.’

Vicky Brackett, Group Chief Commercial Officer

Download and read the report offline

Are you prepared?

As pressure for sustainable and ethical corporate practices from regulators, investors and consumers mounts, ESG has become the most pressing topic in the boardroom.

From our research, a staggering 96% of corporate counsel reported that their companies have either implemented a formal ESG plan or are in the process of developing one. While this focus is not new, treating ESG as a crucial component of the business and governance framework has increased in recent years.

GCs are placed in a unique position to take the lead, and influence company policy. Increased focus from regulators has been one key driver, explains a survey respondent: ‘ESG has become the main focus of regulators and certain key players in the financial sector. The fact that these players promote ESG best practices means that other market participants should make ESG a priority to keep up with the best practices and improve the chances of better financial return in the longer run.’

Before the pandemic, ESG reporting was a nice-to-have niche. But 2020 saw several major regulatory developments from the European Union:

  • The Sustainability-Related Disclosure Regulation (SFDR) lays down the ground rules for financial markets on transparency
  • The Corporate Sustainability Reporting Directive sets out legislative goals
  • The Taxonomy Regulation (TR) defines what is regarded as sustainable.

Meanwhile, in the United States, although there are no mandatory ESG disclosure requirements, the Biden administration has declared its intentions to make sustainability a priority. In 2021, the House of Representatives passed the ESG Disclosure Simplification Act, requiring public companies to make ESG disclosures in their Securities and Exchange Commission (SEC) filings.

Does your company have an ESG plan?

Echoing this sentiment, the UK government has also indicated its intentions to introduce its own mandatory ESG reporting requirements. Currently, there is no single over-arching ESG regulation, but rather a disparate array of regulations that touch on ESG concerns. The Corporate Governance Code 2018, Companies Act 2006 and the Disclosure Guidance Transparency Rules all set out the current ESG disclosure regulations.

The fragmented legal policies around ESG, and the regulatory notices governments have put forward, signal to lawyers and businesses that a unified ESG framework is in development.

One respondent from the financial sector explained: ‘There is a much greater focus in the regulatory sphere when it comes to ESG. Covid-19 has accelerated this interest and legal teams will play a key role in managing these changes.’

Irwin Mitchell Comment

‘Although there is currently no global standard for ESG reporting, there is a huge range of legal reporting requirements for businesses. In the UK alone there is a wide variety of existing and incoming legislation that involves important elements of ESG reporting such as gender pay gap reporting and modern slavery statements. In addition, we believe that some of the confusion around current ESG reporting obligations has arisen from the fragmented reporting framework that places obligations on companies depending on their size (rules for large undertakings under section 172 and 414 Companies Act), whether they are listed (arising from the Disclosure Transparency Rules and UK Governance Code) and whether they are in the regulated financial services sector (Prospectus regulations, Disclosure Guidance and Transparency Rules and Market Abuse Regulations).

The current reporting requirements are disparate and can be difficult to navigate. It’s clear that in-house counsel will play a crucial role in guiding businesses through their approach to ESG and how ESG performance is measured and reported both now and as harmonised ESG reporting obligations are introduced. As standardised reporting is introduced, we are likely to see the introduction of financial penalties for non-reporting or false reporting and in-house counsel will become even more important in bringing key ESG stakeholders together to make reasoned and justified decisions to allow effective reporting and compliance’.

Jason Newall, Senior Associate Solicitor, Regulatory and Crime

Ignore at your own peril

Whilst regulators work towards legislating ESG obligations, our survey results highlighted that companies have already started prioritising key areas.

Unsurprisingly, it was reported that 42% of ESG plans contained a governance framework. This was closely followed by plans containing published policies and guidelines, identification of ESG related risks, a named senior management sponsor, and KPI monitoring and reporting. Lower on the agenda was identification of ES-related opportunities and setting SMART objectives. In fact, it was alarming to note that almost 90% of respondents failed to take into account all of the above when considering their own ESG framework.

Given the increasing importance of ESG initiatives, responsibility still lies with a relatively small group of people. In 57% of the cases, ESG strategy was led by one or no people, with the majority (83%) of those individuals reporting to either their CEO or CLO. A GC from the transport industry commented: ‘Depending on ESG strategies and targets, the responsibility should lie either with the Chief Executive Officer’s or the Chief Legal Officer’s department.’

When survey respondents were asked what areas they believed needed more investment to improve ESG oversight, 31% indicated the need to invest in a dedicated ESG team. This is reflective of the upward trend of companies creating new ESG-specific roles.

While 26% of respondents pointed to the ability of their organisations to continue operating in increasingly difficult conditions as a significant environmental concern, a larger number of GCs said that issues not directly tied to their organisations’ market performance were top priorities. This included, 31% or respondents saying they wanted to see greater investment in efforts to improve biodiversity or tackle pollution, and 38% saying resource use and the so-called circular economy was their biggest concern.

It is also clear that social issues are now deemed to be risk items relevant to the legal team. While issues such as working conditions or health and safety have long been a potential matter for the legal team, respondents were just as likely to see diversity and inclusion as an area needing their oversight.

What does your company’s ESG plan include?

The growing importance of new types of risk is even shaping GCs’ views on corporate governance. While the staples of fraud, bribery and corruption emerged as pressing concerns, just as many respondents said they wanted to see greater attention to corporate transparency.

Even five years ago, few general counsel would have felt that their role called for ensuring fair operating practices or scrutinising executive pay and boardroom diversity. Now they are seen as key areas of risk.

Nevertheless, legal departments are still expected to play a crucial part in setting the ESG agenda — although other business functions may share responsibility. As one respondent explained: ‘I think it should be sponsored at the highest level but that responsibility should sit across all staff and not just a specific team.’

Another survey participant said that spreading ESG accountability across numerous company functions would lead to better outcomes: ‘Different elements of ESG should have different owners,’ explained an in-house lawyer from the tech industry.

‘ESG should address all stakeholders and touch on all areas of a company’s business. Shared responsibility is especially important given the breadth of topics (operational/facilities, HR and Legal).’

ESG in more detail: where do GCs think investment is needed to improve oversight?

Environmental

Social

Governance

Avoiding pitfalls

General counsel play a unique role as the gatekeepers of good corporate practices and ethical considerations.

As guardians for disclosure controls, company litigation strategy and company compliance practices, ESG certainly falls within the corporate counsel remit. Our data reflected this with 63% of respondents reporting that they believe in-house legal teams play a ‘very significant’ or ‘significant’ role in ESG activities.

When asked in what way in-house legal teams are involved in ESG initiatives, 59% of respondents agreed that they contributed to the development and/or evolution of the ESG plan. Whilst 18% said they were involved in the creation and implementation of policies and their adoptions. Those who selected ‘other’ mainly focused on specific parts of the ESG agenda.

As the sustainability movement grows within the corporate community, GCs are not only important legal advisors to the companies they serve, they are crucial strategic partners. So as the trend towards ESG accelerates, having a broad grasp of the wide extent of its impact has never been more important.
Legal teams have become fully involved in ESG-related matters: analysing risks, developing ESG strategy and working on governance-related issues,’ shares a respondent.

In what way are you or your team involved in ESG activities?

Irwin Mitchell Comment

‘The in-house legal team’s role is to ‘help their business do “it” right’ – the “it” being sustainable, successful and compliant business.

ESG is now all pervasive – in the supply to the business, in the supply from the business, in the stakeholder and regulator expectations of the business and, increasingly, in colleague expectations of their employer. So getting ESG right is now at the heart of helping the business to get “it” right overall.

And the key to ESG is the G – the Governance. Contractual, regulatory, processes and policies allow you to document and deliver all the ES things your suppliers and customers want you to commit to.

In-house counsel owns G. Getting G right helps the business get its ESG right. That’s now a core part of in-house helping their employer get “it” right overall.’

Bruce McMillan, General Counsel

The need to focus

Although governance oversight is essential for corporate counsel, it is interesting to note that GCs are placed in a unique position to take the lead, and influence company policy. As a result of the regulatory push towards sustainably conscious guidelines, ESG has become an essential part of influencing investment decisions.

According to the data collected, a total of 92% of survey participants shared that they had either completely, or to some extent integrated ESG into their companies’ investment decision making process.

For this reason, it was no surprise to see this shift in investment sentiment influence GCs to realign their legal objectives. When in-house counsel were asked what their company’s top motivation was for investing in ESG, just under half of respondents (47%) said improving long-term returns. The second highest motivation was ‘doing the right thing’ (12%) followed by ‘environmental sustainability and resilience’ (11%).

Explaining the motivation behind focusing on ESG initiatives, one survey respondent explained: ‘an increased interest from the public about ESG will drive many more companies towards the adoption of ESG practices.’

Does your business integrate ESG criteria into investment decision-making?

Irwin Mitchell Comment

‘The G in ESG is becoming increasingly more important for businesses in the funds and investments space; aligning how you operate your own business with your external ESG messaging is crucial. The impetus for businesses to build ESG into their investment decision making is driven partly by the introduction of new regulation and partly by the growing appetite and demand from stakeholders, whether they be shareholders, investors or customers. Post Brexit the UK has not ‘onshored’ the EU Sustainable Finance Disclosure Regulation (SFDR) into UK domestic law, opting instead to make disclosures that are aligned with the Task Force on Climate related Financial Disclosures (TCFD) fully mandatory by 2025 but there is a general view that it still has a number of indirect/practical implications for funds and investment related businesses in the UK given the UK’s Green Finance Strategy and the fact that ESG considerations will become integral to future EU trade deals and the ability to attract international capital.’

Sean Scott, Partner, Banking and Finance

Risk appetite

Since the pandemic, ESG concerns have propelled to the top of the business risk agenda, and corporate counsel have taken notice.

When GCs were asked if they had incorporated ESG issues into their own risk and resilience plans, 85% reported that they had. This shows that corporate counsel understand that failure to address ESG matters have both reputational and financial risks.

‘ESG is transforming from being a reputational risk to becoming a legal risk. This is particularly obvious when we consider the close adoption of EU legislation in the field,’ explains a survey participant.

When it comes to determining ESG risk, GCs were asked what they believed fell wholly within the remit of their legal team. The threat of regulatory sanctions ranked at the top at 47%, with a further 16% of respondents selecting that this risk fell within the remit of their legal team. Other risk areas that ranked highly included the threat of litigation and corporate reputation.

With new legislative reform around ESG on the horizon, the risk for regulatory liability is an anticipated threat. However, the ESG outlook — if appropriately adopted — does present opportunity.

Which of the following risks fall within the remit of your legal team?

Generating goodwill from showcasing sustainable practices will go a long way with stakeholders. On the other hand, doing the opposite may lead to embarrassing disclosures triggering fallout with investors, employees and consumers.

The data collected is undeniably indicative of the pressures felt by in-house counsel to incorporate ESG into their risk and resilience plans. The pace at which regulatory changes are occurring are making some in-house counsel nervous. A GC from the finance sector explained: ‘From month to month, I can see that environmental issues and regulations are becoming more serious, visible and severe. Results, revenues, incomes and dividends are going to be pivotal when light is directed to them.’

So when it comes to risk, should companies be investing more? The majority of corporate counsel believe businesses should be investing more (68%). The question which then arises is, should this investment be directed at systems, people or knowledge and training? As the risk appetite shifts towards ESG, knowledge and training was considered the area in which investment was most required.

As business priorities shift, training teams to understand new legislative protocols is an important company investment. ‘The way of doing business in the future is transitioning and
the regulations are moving in a particular direction. Understanding this will be necessary to avoid legal risks,’ says
a survey respondent.

GCs are often the torch bearers of responsible conduct. When it comes to manging risk, in-house counsel are well placed to ensure adequate protocols and policies are developed and managed. As ESG becomes the new industry focus, our data highlights that in-house leaders are at the forefront of managing the risks and opportunities a new framework may provide.

Irwin Mitchell Comment

‘ESG is not just about risk management. It is about everything an organisation does and how it goes about doing it. Effective risk management is an essential mechanism for identifying and managing the risks across an organisation, so as to best avoid unnecessary problems and potential reputational damage.

‘In this context, identifying and defining the most relevant ESG risk factors for your organisation and incorporating them into your existing risk frameworks should be a priority.’

Georgie Collins, Partner, Intellectual Property and Media

Irwin Mitchell Comment

‘For two weeks in autumn 2021, the eyes of the world will be on Glasgow as it plays host to the UN Climate Change Conference (COP26). These talks will bring together heads of state, climate experts, leading businesses and campaigners to discuss a coordinated action plan to tackle climate change. Top of the agenda will be the urgency around net-zero commitments and the need for business transparency and accountability.

For the UK, we hope that these discussions will be the catalyst needed to bring the long awaited Environment Bill to fruition. This Bill introduces a green watchdog in the form of the Office of Environmental Protection, which is already taking cases in its interim function. We’re also waiting to hear more about the ‘strong and meaningful’ targets relating to the four priority areas: biodiversity, air quality, water and resource management. Although the target deadlines won’t kick in until sometime in the mid to late 2030s, in-house counsel will need to be alert to the interim targets which will be set to make sure progress is made sooner, rather than later. We can expect to hear more about this in the coming months and years.’

Claire Petricca-Riding, Partner and National Head of Planning and Environmental Law

Greener pastures

As the social and economic impacts of Covid-19 continue to play out on the global stage, 85% of corporate counsel believe ESG will remain a top priority for GCs in the future.

In recent months, the ESG movement has shifted from a non-essential requirement to a vital reporting standard for investors and other stakeholders. Nevertheless, ESG is still in its infancy, with forthcoming legislation on the horizon expected to unify reporting standards.

But for many GCs, there is an even more pressing reason to take these issues seriously: ‘The planet continues to face an existential threat, so ESG must remain a top priority. This will likely be driven by both regulatory (SEC) disclosure obligations and investor interest in sustainable businesses.’

Another survey respondent supported this sentiment by saying: ‘I anticipate we, as general counsel, will become more involved in unpacking the requirements of the various ESG initiatives and support reporting. I also anticipate that there will be an update to legal agreements as ESG becomes more legally binding over time.’

Although ESG reporting isn’t a legal requirement yet, most ESG plans currently enacted are based on feedback from employees (45%). Other important stakeholders include investors and customers who play a crucial role in shaping the current ESG outlook. Going forward, this will likely change as ESG reporting legislation is enacted.

‘In future, ESG issues will likely become more programmatic as consistent standards are developed to allow broader and quicker adoption,’ predicted one survey respondent.

The survey data also indicated that GCs expect their ESG outlook to increase with importance within the next five years, as reported by 88% of respondents. Although 12% believed ESG would retain the current level of importance, it’s vital to note not one respondent thought it would become less important.

The unanimous consensus regarding the future of ESG highlights that the way of doing business is evolving. Although responsibilities around ESG obligations may vary between sectors and jurisdictions, the pressure in-house counsel are feeling from regulators, consumers and employees is universal.

Pre-emptive reporting requirements are reshaping the corporate agenda, with general counsel set to oversee the application of non-financial reporting rules and governance. As policy momentum accelerates, ESG trends are set to raise the corporate profile of general counsel among organisations. With more companies feeling the need to launch more holistic programs, policies and reporting frameworks, one thing is clear, general counsel are pivotal in managing this new focus.

Irwin Mitchell Comment

‘Diversity and inclusion, as part of a wider ESG agenda, provides clear opportunities for those businesses ready to truly embrace it. D&I cannot be seen as a job for HR; as something that should be monitored and reported on but then forgotten. A strategic approach that is embraced by all leaders including GCs must be taken to embracing D&I on a day-to-day organisational basis. We have seen huge leaps forward by businesses who are paving the way including for example the creation of shadow boards or “reverse” mentoring programmes. These businesses are already reaping the rewards of these programmes and those businesses who have not started to properly engage with D&I as an agenda item risk falling behind.’

Elaine Huttley, Partner, Employment

Foreword: Ramon Ignacio Moyano

From all of us here at World Services Group, it is my pleasure to welcome you to the fourth edition in our series of GC Special Reports, examining the impact and influence that technology continues to have on legal practice.

The past two years have seen the legal profession impacted by technology more than any other period in history, a fact of course driven not by a single seismic innovation, but rather by necessity. And by all accounts – as the pages that follow in this report detail – both in-house and private practice teams alike have thrived, as our collective work environments, habits and processes have shifted, in almost every case, literally overnight.

But amongst the litany of success stories that have emerged, so too did several material challenges faced by businesses as a direct result of these shifts in our professional lives – challenges that are sure to shape the face of the profession for years to come. Data privacy, protection and integrity, cybersecurity, as well as of course, specialist legal technology, are near-universal issues faced by enterprises – and more specifically – their legal departments.

As corporate leaders, general counsel and their teams will be on the front lines during this transition, charged with both setting the rules of engagement for their business and guiding the wider organisation throughout a period that is likely to be characterised as much for its upheaval as it is for the evolution it represents.

At World Services Group, our membership have made it clear that they not only want to be a part of this change – they want to be in a position to lead it. Collectively, we strive to be part of the solution to the issues facing our industry and profession at large and together, we have an opportunity to affect positive change for the profession as a whole.

With an international mandate and broad sectoral representation at World Services Group – in addition to a forward-looking digital prospectus – our network is in an ideal position to capitalise on the bold digital transformation set to define what it means to be a successful legal department in this new digital age.

I would like to extend my sincere thanks to all of those in the legal community who continue to contribute to the ongoing success of this series. By sharing the benefit of your own experiences and actively engaging in discourse around these pertinent issues for the wider profession, collectively, we can chart a brighter future for the lawyers of today and tomorrow.

Ramon Ignacio Moyano
Chairman
World Services Group

Partner
Beccar Varela

Running to stay still: How North American legal teams are using technology

Apple, Amazon, Facebook, Google, Microsoft, Netflix – the last year and a half has been hard, but without these familiar names it would have been unthinkable.

Ever since Bill Hewlett and David Packard founded HP in a Palo Alto garage in 1937, the young and tech-smart have been engines of economic growth across the US. Pandemic aside, the S&P 500 is surging at an all-time high, with companies in the tech sector proving to be the safest bet.
Five of the above listed companies alone – Apple, Amazon, Facebook, Microsoft and Google-parent Alphabet – already represent over 20% of the S&P 500’s total market cap. With the pandemic-induced shift to e-commerce and remote working, it is a trend that is unlikely to end any time soon.

Surely in the US, with an economy skewed heavily toward innovation and a premium placed on doing things better, faster and smarter, the lawyers must be doing things differently? Well, not quite. For all the talk of a quiet revolution taking place in the corporate legal teams of US and Canadian blue chips, the reality is much more complicated.

To make sense of it all, GC magazine teamed up with World Services Group to get the inside story on legal tech in North America. Drawing on a detailed survey of over 200 general and senior counsel working at a variety of companies across both the US and Canada – including many of the global leaders in their sectors – our findings show that tech has not been quite the disrupter many predicted. Yet…

Stacking it up

In spite of the advantages legal teams in the US and Canada have when it comes to the availability of legal tech, many feel they are no further ahead in their adoption of new ways of working.

Fewer than half of respondents to our survey (46%) felt that their teams were in a good place to capitalise on technology compared to their peers. Even more surprisingly, legal teams in the tech sector were just as likely to struggle as those in other industries. Just under two thirds (60%) of respondents working for technology businesses felt confident that they benchmarked favourably in their use of legal tech. In fact, across all the sectors surveyed, those employed in the tech industry (broadly defined) were among the least likely to feel that their use of technology was adequate.

Of course, they were also the most likely to be aware of the technological shortcomings of the legal team. As Liz Benegas, GC of enterprise management software provider Totango, comments:

‘When you’re in an environment that really pushes technology as a solution to business problems, you can find yourself asking a lot more questions about how you approach your own work. That can lead to a lot of new ideas, but it also puts you under pressure to bring your “A” game to everything you do.’
Another respondent, senior counsel at a global technology business, gave an even simpler answer: change is hard, particularly when it comes to tech.
‘[Our company] is generally seen to be at the forefront when it comes to bringing tech to market, and I would say we are way ahead of the curve in terms of our own use [within the legal team].

But still, large parts of what we do are built onto a tech stack that has been around for years. When we look to introduce a new contracting system or cloud-based technology we can’t just assume it will work well with what we have in place. I would imagine these problems only increase when you’ve got an older or more complicated stack to deal with.’

Plus ça change

For many general counsel the first year of working in-house comes as an epiphany. The experience of working at a law firm had shown them a world where partners and associates – often some of the most capable, knowledgeable and dedicated people they had ever known – were forced to work in an environment that either did not seem to support them or that actively worked against them by making highly-qualified people undertake work in an absurdly inefficient fashion. After making the move in-house, the realisation comes: “It’s not the law firms, it’s the lawyers”.

The average GC continues to have the same worries that their team is behaving in an inefficient or technologically unsophisticated way. The central problem, as one senior counsel at a global entertainment and media company observed, is how to continue to deliver value while eliminating bottlenecks. ‘Lawyers will not be replaced by technology, just as doctors will not be replaced by technology. The problem we must solve is how we get rid of bad habits while retaining the good ones. That is something we are only just starting to find answers to.’

The problem with technology, respondents to our survey agreed, is not having too little of it. It is having too many resources that are not used properly. Legal teams in North America are, for the most part, able to access the tools and systems they want. In fact, nearly all of those we surveyed (97%) reported that their legal functions were using more technology now compared to five years ago, with well over half (58%) saying they were using significantly more tech.

But having access to technology is only ever a partial solution to the problem of efficiency. Knowing what to do with it is just as important, and it is often not within the skillset of GCs to make sure a department is joined up when it comes to its use of technology.

Our survey shows North America’s in-house lawyers are less worried about technology than they are about their profession’s ability to use it effectively. Fewer than half (48%) of those polled said they were confident in their team’s ability to harness tech effectively.

Positive externalities

If anything is likely to push legal teams to adopt technology, it will be a global pandemic that has forced large numbers of businesses to shift to remote work. The first challenge for many legal teams when the call to work from home was issued was the realisation that existing ways of tracking and managing work were no longer going to cut it. Knowing what the team is doing can be relatively simple when most of its members are sitting in the same office. Asking, “What are you busy with right now?” over Zoom is not entirely practical.

While it is no surprise to see that 67% of those surveyed said their businesses had ramped up investments in tech as a result of the pandemic, the direct – and, many suspect, lasting – change this has had on the way legal teams handle work is something that caught a number of respondents off guard.

Nearly four fifths (78%) of respondents reported making greater use of technologies such as Zoom and Teams to keep their departments functioning during lockdown, while nearly half (48%) had moved their work onto platforms shared with the rest of the business to make handling matters more effective.

‘What Covid really did’, comments one general counsel for a medium-sized US software company, ‘was shine a light on how poorly aligned a lot of departments were across the business. It forced us to move from a situation where everyone had developed their own practices and habits – either as a team or as an individual – to a situation where we all had to move in lockstep to keep the planes from falling out the sky.’

But finding new ways to manage workflows is only the start of it. When nobody can leave their house, getting documents signed is a problem. Except it is not. As many legal teams have come to realise, the problem was relying on ways of thinking and acting that had already outlived their utility.

By forcing teams to rethink the ways in which legal work is completed, Covid has given impetus to a far more radical transformation in the in-house legal function. Nearly a quarter (24%) of the teams surveyed said that they had already redesigned their processes to cope with lockdown, and the results have been positive. As one respondent, director and assistant general counsel for a US-headquartered multinational consumer goods corporation, put it: ‘Having to serve business remotely was probably the best thing that ever happened to us.’

‘With the call to “work from home where possible” we had to take a step back and think about what it actually means to support the various divisions of our business. That was a moment of crisis, but it was also a period of productive reflection.

Instead of automatically following the same steps each time without ever thinking about outcomes, we had to think about what the intended outcomes were and plot the best path to them. Sure, we still have to process sales requests, but do we need people to do it, or is there some better way of getting to the same point?’

Now, as many lawyers return to the office, there is a feeling that legal work will never be quite the same as before. As Michael Shour, GC and secretary for Banyan Software, comments, ‘Especially with the Covid pandemic, it just makes so much sense for a lot of this stuff to move online. Whether it’s sharing information with colleagues or signing documents, we have seen how easy it is to digitise this type of thing and it will be very difficult to unlearn those lessons and go back to the old ways of working.’

Tech Tactics: The case for rethinking the legal function

This time, finally, it might be happening.

For at least a decade now lawyers have talked up the impending transformation of their industry, with technology set to play the lead role in a new and better way of doing things. Why would anyone think otherwise? The legal profession, as every GC will point out, is riddled with inefficiency. Clients are being asked to pay for things they do not need, and very expensive labour is routinely assigned to basic tasks.

But recognising the problem and identifying the solution are two very different things. While almost all GCs can give a long list of reasons why the profession should change and what it should look like, far fewer had a roadmap for how to get there. Until now.

‘There’s a movement afloat’, says Chris Young, general counsel of Ironclad. ‘For the first time ever in the history of the legal profession there is cutting-edge technology that allows us to do our jobs more effectively as lawyers. The whole profession is now waking up to what it can do differently, and it is in-house legal teams driving this change.’

But technology is only part of the picture. When it comes to understanding the changes taking place across corporate legal teams, the rise of legal operations (legal ops) is just as important. ‘For years every department at a major company has had its own ops function’, notes Young. ‘Marketing, engineering, sales – all of these departments have relied on operations professionals to keep them moving. Now we are seeing that in legal teams, and it is having a transformational impact on the way systems, processes, people and tech work together.’

Ashley Herring, global legal programme manager at BCG, is among the new breed of ops professionals working to improve legal teams. Identifying the purpose of the legal function, she says, is key to unlocking its potential.

‘The temptation for a lot of in-house teams is to set things up in a very transactional way that looks to a large extent like the model of an internal law firm. That is not really the best structure, and it doesn’t give the best results. Legal should not let itself become a dumping ground – it overburdens the lawyers and takes away from what the function can deliver to the business.

Setting up things in a way that lets you extract data and make data-driven decisions is essential to this. Technology can play a big part here but technology itself should not be the goal. The goal is being able to structure decisions and processes in a way that is based on data and numbers.’

In other words, technology is a tactic, not a strategy. While it can be a useful way of improving the legal function, it will only work if the function knows what it wants to accomplish. This, for many GCs, can be a difficult question to answer. But, for those that have given it thought, the possibilities are endless.

‘I want to be a data-driven lawyer and not just a lawyer who talks about data’, concludes Young. ‘With the tech that now exists I can look at our sales contracts historically and generate data that is of real predictive value. Finally, legal is beginning to function like any other department and use its data to accurately forecast what the quarter is going to look like.’

Identifying the ‘why’

To judge from the results of our survey, legal teams in North America are enthusiastic supporters of technology. Over half (51%) of those surveyed felt new technology would significantly enhance outcomes within the legal team, while 84% felt it would enhance outcomes to at least some extent.

The appetite for technology was just as apparent, with 58% of respondents saying they wanted to increase the use of technology within their legal team.

As ever, finding the budget for new tech was the biggest obstacle they faced, with 62% of teams citing this as a barrier to change. Over a quarter of legal teams (26%) said they wanted to introduce new technology but lacked the time to research available tools, while just 11% said they were unable to find a solution that met their needs.

However, a sizable number of corporate counsel (14%) felt they already used too much technology. As one respondent, general counsel at a Canadian energy company, noted, ‘Finding technology is not a problem. Making sure that technology is being used properly by everyone in the team is the issue. You can’t execute a tech transformation in a large team without having some form of discipline and training. You either all do it together or it doesn’t work. I am quite willing to admit I do not have the time or expertise to effectively oversee that sort of project.’

Even the most popular and successful forms of legal technology, such as contract management systems, found their critics. ‘Lawyers love contract management systems, but do they really test how they’re being used?’, asked one respondent. ‘Of course, if you’re a lawyer then you intuitively understand why a contract platform would be useful. Go speak to the sales team that has to use it and you will hear a different story. I have found that these things are not actually all that intuitive when they’re out in the wild.’

Still, when it comes to a show of hands the consensus is that corporate legal functions will change for good: 91% of those surveyed said they expected AI to be a disruptor in the legal industry, with nearly half (47%) saying they expect this disruption to be significant.

Inevitably, there will be push back. Any legal team over a certain size recognises that it needs a contract management system, but a solution that can flag risks or identify and extract terms is a different matter. For some, the unspoken message when advanced technology is introduced is ‘a machine can do your job, and it will be more reliable’. But, says Michael Shour of Banyan Software, the results lawyers can achieve with advanced tools mean widespread adoption is all but inevitable.

‘Recently, I trained an AI solution to help review a certain type of regularly occurring contract that was key to our business. It improved our response times and, I think, ultimately helped us win deals. It didn’t get rid of the lawyers; it gave us better and more accurate information and allowed us to handle the matter more effectively.

The use of this technology will continue to evolve and become more pervasive. Already, service-level agreements and the general sophistication of providers have improved considerably. It is incumbent on GCs and legal tech providers to at least try to keep up with these developments, even if doing so is not always easy.’

As ever, there will also be strong resistance from State Bars when it comes to innovative ways of delivering legal services. But as the legal profession reaches critical mass in its use of technology, regulation will have to follow suit. 

The State of Privacy: Does the US need a federal privacy law?

Reforming data privacy laws may not sound like a move destined to leave an enduring political legacy, but in policy-making circles the tropic casts a surprisingly long shadow.

‘One of the major hang ups of US leadership role has been the absence of a federal commercial privacy law in the country’, says Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP).

For many, the most puzzling question of all is why there is still a debate about the issue. In a world where data, and the power to regulate its use, is becoming a central part of statecraft, the United States is conspicuous in lacking a national data privacy law.

A decade ago, when the Obama administration started discussions on strengthening privacy regulations in the US, the business community considered the initiative as an unwanted and unneeded interference. Since then, it has become clear that the alternative may be far less palatable.

‘We are pretty quickly going down the path toward fifty plus privacy laws, which is the same place we have found ourselves with data breach notification law’ says Liz Benegas, general counsel of enterprise management software provider Totango.

Bob Jett, head of global privacy and risk at Crawford & Company, says the case for a federal law has never been stronger. ‘As citizens and consumers, we are only going to increase the number of things we do online. We can also see that some of the largest tech companies are stepping up and saying they want to be accountable for what they are doing in terms of privacy. They have realised that if they don’t self-regulate, the government might come up with stricter regulations than anticipated.’

Privacy, protection and pragmatism

New ways of working and the technology that enable them are creating all-new challenges for businesses – both legal and otherwise – with data privacy a headline concern for corporates of all shapes and sizes. GC speaks to leading professionals from across the WSG network to find out how they are advising clients navigating an increasingly complex corporate environment.

‘Technology has reshaped every aspect of legal life from the way research is completed, to how documents are filed, and, with the pandemic, how we appear in court via remote video platform,’ says Robert McFarlane, a partner at Hanson Bridgett and leader of the firm’s technology and intellectual property practices.

‘With remote applications come increased risks. All businesses, including law firms, must employ electronic and cloud security measures that minimise the chances of data leakage and the compromise of confidential client materials. We invest heavily in security measures and training and advise our clients to do the same.’

Critical to effectively evaluating current measures and implementing training – particularly from the perspective of corporate counsel – is a thorough understanding of the contemporary rules and regulations applicable across all relevant jurisdictions.

‘The keys to mitigating privacy incidents are actions taken prior to the incident itself,’ explains John Babione, a partner at Dinsmore & Shohl LLP. ‘For organisations operating across state lines in the US or internationally, the work done before an incident to know and understand what laws apply to the data flowing through the organisation will reap tremendous benefits for mitigating the harm.’

But in an area that is evolving as quickly as data privacy and protection, staying abreast of the rules of engagement – particularly when extraterritorial considerations are now also frequently at play – and managing the varying expectations and requirements represents an ongoing challenge for general counsel.

To manage this, Batya Forsyth, a partner at Hanson Bridgett and co-leader of the firm’s privacy, cybersecurity and information governance practice, advocates for maintaining the highest possible standards across the organisation.

‘We typically recommend clients comply with the strictest state privacy laws that could apply to their businesses,’ she says.

‘In recent times, this would be California state law—namely, the CCPA and upcoming CPRA, which goes into effect in 2023 and is very often compared to the GDPR, the EU’s well-known, highly-restrictive privacy scheme.’

Managing the challenges of data in the modern corporate environment can’t be limited to just in-house considerations though, with Forsyth advising that external suppliers and contractors be held to the same high standard as internal stakeholders.

‘GCs must have confidence that the vendors critical to the functioning of their business are committed to and are, in fact, protecting themselves as well,’ she says.

‘A comprehensive vendor management programme should provide a clearinghouse of relevant contracts, a thorough understanding of each vendor’s contractual security promises and insurance commitments, as well as a current audit of select vendors where appropriate. If contract provisions are missing or too lax, GCs should consider negotiating amendments or revisions at renewal.’

Public demand for new privacy laws has tended to be weaker in the US than other developed countries, though the disruptions of the last year and a half – pandemic-related issues like vaccine certificates, digital contact tracing and mobile health apps – have helped put privacy and data security at the forefront of public debate.

A recent poll by data intelligence organisation Morning Consult shows that 83% of voters wanted Congress to prioritise privacy legislation. Surprisingly, those who identified as Republicans were just as likely to hold this view as those who identified as Democrats.

For Cameron Kerry, a visiting fellow at the Center for Technology Innovation at the Brookings Institution, visiting scholar at the MIT Media Lab, and former general counsel of the US Department of Commerce, the significance of strong data privacy laws goes beyond the short-term benefits it would bring to consumers and businesses.   

‘In terms of the international picture, 2021 is a very important year for determining whether people can truly put their trust in American companies and technologies. Businesses want to see a consistent national standard rather than a variety of state standards that mean they have to re-engineer their systems each time they move to a new state.

‘American business has already had to adapt to GDPR, and many companies have internalised a lot of these practices and have acknowledged their advantages for themselves and their clients. There could not be much more fertile grounds for a federal law than we find today.’

Whether or not the US moves to pass a federal data privacy law, the number of states passing their own legislation has ramped up to the point that keeping track of developments can sometimes be a challenge even for the professionals. It also means that, whatever the next four years hold, the state of data privacy in the US is a question every GC will be following closely.

We spoke to those working at the sharp end of data privacy to find out what developments corporate counsel should be paying attention to.

A hill worth fighting for?

The drive to protect private citizens’ data in the US is arguably older than the country itself. Long before he worked to draft the Declaration of Independence and the US Constitution, Benjamin Franklin used his position as Postmaster General to ensure the privacy of communications sent by mail (to this day, the Fourth Amendment protects letters from search and seizure).

Subsequent lawmakers followed in this tradition, and in the last 50 years alone the US has introduced several notable pieces of privacy legislation, from the US Privacy Act 1974, which contained important rights and restrictions on data held by US government agencies, to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which laid down data privacy, security and confidentiality rules for health insurers.

In short, the US has never been inattentive to the importance of privacy. But for GCs struggling to navigate the patchwork of laws across governing data privacy across the country, the big hope is that the Biden administration will finally push for a comprehensive nationwide legislation.

In the run up to the presidential elections in November 2020, privacy specialists were convinced that, whatever the outcome at the ballot, federal legislation would soon follow. Draft bills from both sides of the aisle were circulating in Congress, and when Senators Roger Wicker (a Republican) and Maria Cantwell (a Democrat) introduced the Consumer Online Privacy Rights Act (COPRA) and the United States Consumer Data Privacy Act (USCDPA) in November 2019, it seemed like an often-polarised political system had at last found common ground. That the election ultimately swung in Biden’s favour only served to reinforce this confidence.

‘Parts of the Trump administration had an interest in weighing in on privacy legislation and trying to help move that forward, but there wasn’t any high-level interest in this issue’, says Cameron Kerry. ‘However, Biden, and certainly some of the people around him, have said explicitly that the US should adopt privacy legislation.’

Since then, there have been further signs that data privacy may come into sharper focus. On 12 May 2021, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity. While cybersecurity and data protection are not the same thing, there is a close relationship between the two on a legislative level.

As Liz Benegas, general counsel of enterprise management software provider Totango comments, ‘you can have security without privacy, but you cannot have privacy without security. We all know the emphasis the US put on national security recently. Developing comprehensive framework for each is difficult and takes time, but now that our systems have been hardened, privacy should be added to the legislation list as well.’

On that list there is already the Information Transparency and Personal Data Control Act, introduced in March 2021 by Representative Suzan DelBene. While the proposed Act is not as wide-ranging as the European Union’s General Data Protection Act (GDPR) or existing Acts applying in certain US states such as the California Privacy Rights Act (CPRA) and Virginia Consumer Data Privacy Act (VCDPA) in particular – it does not contain the right to access personal information or the right to collect or delete information held by a controller – it does include a pre-emption provision, meaning that, if adopted, it would supersede state laws relating to data privacy.

This, believes Cameron Kerry, points toward a credible impetus for legislative change. ‘There is still the opportunity, interest and conditions to get it done [in the US]. A lot of good work has been done by Capitol Hill in both Houses to understand the issues. Key Republican and Democratic bills in the Senate are pretty close on these issues. A few points still need to be resolved, particularly pre-emption and private right of action, but there are some potential paths ahead.’

Speaker of the House of Representatives Nancy Pelosi has already stated that the House would oppose any federal law that does not include the same level of protection as COPRA, and it is likely that the question of the pre-emption is going to be a huge stumbling block.

However, comments Julia Reinhardt, Mozilla fellow in residence, privacy consultant, and a former German diplomat specialising in EU privacy policy, ‘the Biden administration realises how important this is for industry, for people, for consumers and for international data transfers, so I really hope that it will find ways push this project ahead.’

‘Privacy is a big horizontal topic that regulators have been working on for decades. GDPR may have a few gaps, but it was a big step ahead to have one regulation for a large, contiguous market. The EU member states each had their own privacy laws before GDPR harmonised a general law for the 27 countries.’

Hurry up and wait

While there are of course certain differences of context between the US and EU, the European experience shows that none of the problems facing federal data privacy legislation are insurmountable. Except perhaps one.

Bob Jett, head of global privacy and risk at Crawford & Company, the world’s largest independent provider of claims management to the risk management and insurance industry, believes North America is sufficiently culturally distinct to make any parallels problematic.

‘The unique difference between data privacy in North America and in Europe is that Americans and Canadians, for the most part, do not consider their personal information to be a fundamental right. Most of us are willing to give up our rights to privacy for convenience or speed.’

‘In the US, we are much more worried about cybersecurity, because of the potential impact that has on our infrastructure, our ability to use our credit cards, or to get gasoline and to travel.’

A difference in European and American cultures of litigation could also become an issue. While Europe has yet to witness a wave of GDPR-specific class actions, the long-tail of these types of cases makes its difficult to know whether that is because they do not exist or because they are currently working their way through the system. If it turns out to be the latter, it could be a big warning sign for US businesses.

‘Regulations can become litigation tools’, adds Jett. ‘This is one of the things I have been tracking, because in the US, there is a fear for class action lawsuits around this. And such lawsuits have actually started to be filed in California.’

Even supporters of a federal data privacy law concede there is more groundwork to be completed, particularly around the issue of private rights. ‘The question around the rights for individuals to bring lawsuits for privacy violations coming from companies is crucial’, notes Reinhardt.

‘The volume of cases and magnitude of fines tend to be significantly higher in the US compared to Europe, so it may be necessary to include some provision that only allows attorneys general at the state level to sue.’

While these debates play out among lawmakers, GCs will have to go about complying with an increasingly complex patchwork of laws on a state-by-state level. But deliberation among lawmakers does not mean that legal teams can or should take a patient approach to managing privacy.

‘Data protection – both the privacy and security aspects of it – is quickly becoming a risk management function rather than a technological challenge’, says Benegas. ‘Gone are the days when only the chief technology officer needed to know or care about the issues. Nowadays, all levels and functions within a company need to know and be prepared.’

‘GCs and corporate counsel will play a pivotal role in helping shape the response to this challenge, not only because risk management is part of the job description but because of the broad view legal teams have into company operations, from human resources to vendor management to customer contracts.’

Ann Cavoukian, former Information and Privacy Commissioner for the Canadian province of Ontario and originator of the concept of privacy by design, which was subsequently incorporated in GDPR, also advocates a proactive stance when it comes to data privacy in the c-suite.

‘In these times of legal limbo, I always encourage companies to get a certification. First, it builds trust and business relationships, which has been lacking for a long time. Second, it increases the quality of the information they collect.’

‘There is no inherent tension between granting privacy and exploiting economic value when it comes to data. You can capitalise on data but strip it of all personal identifiers. One of the seven foundational principles I established with my privacy by design approach is to abandon the zero-sum models, where it is either-or or win-lose. There should not be a conflict between business interest and privacy. We should be aiming to satisfy both.’

The tip of the iceberg: Data protection and cyber risk

Bob Jett, chief privacy officer at Crawford & Company notes ‘People used to joke that when a GC hears of a cyber attack or data breach they breathe a sigh of relief and say, “Thank God, that one falls to the IT team”. Today that joke wouldn’t make sense. No serious corporate legal professional thinks cyber and data risks are off their radar.’

Britton Guerrina, deputy global general counsel for technology and shared services with Deloitte Touche Tohmatsu Limited, echoes this view. ‘Cyber and data protection are increasingly important and should be top of mind for any legal team. The legal and regulatory risks in these areas have increased and continue to do so, with countries introducing increasing regulatory requirements, many of which are contradictory.’

Corporate counsel may be increasingly aware of the dangers posed to their organisations from cyber attacks, but the results to our survey of over 200 senior counsel across the US and Canada suggest their organisations take a very different view.

While 91% of legal teams were aware of their organisations’ cybersecurity efforts, only 18% said they were heavily involved in these efforts. In fact, an alarmingly high number of teams (39%) were not involved at all, while nearly two thirds (63%) were either not involved or only involved to a small extent.

Even legal teams that are involved in their organisations’ cybersecurity strategy are typically confined to a fairly narrow role. By far the most likely task falling to legal teams is ensuring the security of their own communications, data and files (84%) or providing strictly legal opinions on regulatory compliance (47%). Just under a fifth of teams (19%) reported being involved in their organisation’s wider cyber response planning, while only 7% were monitoring cyber threats across the organisation as a whole.

Businesses not involving legal teams in their cybersecurity efforts should take note: over half (53%) of the senior counsel surveyed rated their organisations’ cybersecurity defences as either poor or average. Just 13% said their organisations had excellent protection against cyber threats.

The limited involvement of legal teams when it comes to cyber security efforts is particularly puzzling given the obvious advantages lawyers would bring to the process. As Britton Guerrina notes:

‘Legal involvement is critical for various reasons, and lawyers are able to guide efforts in a wide range of areas, from helping to design the security programme to comply with privacy, employment and other local laws to advising the cybersecurity team on cyber regulatory requirements.

Legal teams can also assist with the roll out of security tools while addressing any legal impediments. They can advise which legal and regulatory requirements apply to a breach based on the facts and circumstances presented, determine whether breach notification requirements (regulatory or contractual) have been triggered, and craft notifications, interact with regulators, law enforcement, and so on. In my view, legal and cyber need to partner together, along with risk, in order to protect the organisation effectively.’

However, as Michael Shour, general counsel and secretary for Banyan Software, observes, this is likely to change as the regulatory and reputational stakes increase.

‘Legal is actually very well positioned to spearhead this area, but it is often not an area where management wants legal to focus, due to the limited resources. As class actions and cyber-related litigation increase over time, I suspect that this will continue to require an increasing amount of legal involvement.’

Plugging the leaks

Monitoring cyber risks may still be deemed a low priority for legal counsel, but the related issue of data privacy is fast becoming a key part of the legal team’s role. As one respondent, senior counsel for data and privacy at a global media and telecoms business, puts it:

‘Data protection is a growing issue, and not just because of the rise of serious and very damaging incidents which we all read about in the news. From a compliance perspective, it is the increase in country-wide and global regulations. Business has to operate as smoothly as possible, and it is our job as legal to help it do so within these regulatory boundaries.’

When asked to identify the most pressing cyber threats their organisations faced, nearly half (49%) of corporate counsel pointed to the risk of customer data being compromised. Theft of confidential business information was seen as the next most pressing risk, reported by 28% of those surveyed. As Naseem Bawa, general counsel for InteraXon, a leading maker of brainwave-controlled computing technology and applications, points out, in the digital economy data is a chief driver of value. ‘Data is part of a company’s IP and without stringent safeguards to protect and enhance its value you are leaving your doors unlocked.’

For comparison, just 2% said that direct monetary loss through theft was their organisation’s most pressing concern. While theft can be costly, it is often nowhere near as expensive as dealing with the regulators. For businesses that have yet to experience a significant data breach, comments one senior legal and compliance counsel at a large retailer, the uncertainty over consequences can be troubling.

‘The big unknown here is the way a regulators will respond. The marquee cases have been in the financial services industry, and there is some evidence that regulators will look at what a retailer is doing around data and compare it with the systems and controls that have been put in place by financial institutions. Obviously, these financial institutions have far more robust data-security arrangements in place, which is potentially something that could damage our position in any litigation.’

These risks are especially pressing, continues the respondent, in a world where customer interaction is increasingly digital.

‘Mobile payment apps and e-commerce are becoming the principal vector through which fraudsters are able to infiltrate business systems. It’s a data security issue but it’s also a cybersecurity issue that goes right to the heart of our business. That means the legal team needs to know how our IT systems work, with at least some degree of accuracy, and how those systems can sink us.’

For those unfortunate enough to suffer a breach affecting customer data, knowing how to respond is key. The advice from one general counsel at a large US medical insurer is to bare all. ‘If customer data has been compromised then you need to tell them, and you need to help them take whatever steps are needed to mitigate the risk they now face. In the first day or so after an incident everyone is scrambling around to collect as much information as possible before the company needs to report the incident, but often it will be too late for the customer if you wait a day. Bite the bullet and tell them what has taken place. And, of course, have a plan ready so you aren’t worrying about drafting the message during a firestorm. If you are facing a situation where you need to email potentially millions of customers, you will really be thankful that you planned ahead of time.’

This planning, many agreed, is among the most important steps that GCs can take. As Richard Brzakala, director of external legal services at Bank of Canada, comments, ‘The old maxim “Trust but verify” applies here. You may have best-in-class cybersecurity in place, but it needs to be tested continuously. It’s not a question of if things go wrong. They will go wrong. You will experience a cybersecurity incident or data breach eventually, so be prepared.’

Held to Ransom

On 7 May 2021, Colonial Pipeline, the largest petroleum pipeline in the US, was shut down following a cyber attack. It remained closed for five days, causing panic buying, fuel shortages and national security soul-searching. For cybersecurity experts, the most surprising element of this episode was that a key part of US infrastructure was not brought down by the actions of a hostile state (at least directly), but by a small group of cyber-criminals deploying a devastating form of online extortion software: ransomware.

After gaining access to a company or individual’s system, the attacker will make files inaccessible in some way. At the lower end of the scale, the malicious programme may simply lock the computer, an easily fixable situation for an IT professional and no great problem for a large company. But when deployed by more sophisticated attackers, the software will encrypt the victim’s files so effectively that recovering them without the decryption key is virtually impossible.

The Colonial Pipeline ransomware attack was just one of several high-profile events that have struck ostensibly secure organisations over recent months. May 2021 also saw a ransomware attack on meat processor JBS Foods, a $53bn company that is deemed vital to US food security. The attack, which led to closure of some of the company’s facilities, was reportedly ended after an $11m ransom was paid.

While the scale and severity of recent attacks has surprised many, the growing popularity of ransomware comes as no surprise to specialists in the field.

‘My first response to the upsurge in ransomware attacks lately was that we analysts have been warning about this for over a decade, and we all predicted this was going to happen’, says David Fidler, senior fellow for cybersecurity and global health at the Council on Foreign Relations.

‘Now it’s here we have another round of gnashing of teeth, but opportunities to mitigate the danger have been missed time and time again over the intervening years.’

Fortunately, even for those who may have missed the early warning signs, hope is not lost. GC speaks to some of the leading counsel and cyber experts to find out what the rise of ransomware means for business, and what lawyers can do to help prepare their defences.

The unlocked door

The rise in attacks affecting everything from water and energy utilities to fuel distribution systems is a sign of things to come. From a cybersecurity perspective, the truly frightening aspect of these attacks is that, once systems have been compromised, there is little IT professionals can do to regain control. Bhavani Thuraisingham, Founders Chair Professor of Computer Science and the Executive Director of the Cyber Security Institute at The University of Texas at Dallas, comments:

‘When the malware enters the system, it has access to almost everything, and in a ransomware attack [hackers] will encrypt everything and demand a payment in exchange for the key to unlock the files. As of today, AES 256 encryption cannot realistically be broken with modern computing methods. Unfortunately, this means that if the attack progresses to this stage, you have really no access to anything in the system unless you get the key to decrypt the data’.

Richard Forno, senior lecturer in the University of Maryland, Baltimore County Department of Computer Science and Electrical Engineering, puts it even more succinctly: ‘If you haven’t been conducting cybersecurity best practices and a sophisticated attack takes hold of your systems, you’re screwed’.

As a result, victims of high-profile ransomware attacks have been left with little option but to pay up. In the case of Colonial Pipeline, hackers demanded a ransom payment of $4.4m in the form of bitcoin, which they promptly received in exchange for codes to unlock the company’s systems.

More troublingly, the lines of attack hackers are exploiting are not easy to defend against. For example, phishing attacks in which members of staff are fooled into downloading malicious software by seemingly genuine emails are becoming increasingly effective. This, says Forno, is increasingly dangerous given the rise of social media as a means of validating an unknown person’s identity.

‘Using artificial intelligence and machine learning, you can identify, develop and even create fake personas that are very detailed. This can allow you to make a phishing email that is much more convincing to the target, particularly if
you’re targeting a particular individual, such as the CEO of a company.

What’s more, even those who follow every reasonable security protocol and measure can, unwittingly, become a victim of the more sophisticated hacks. Increasingly, [malicious] software is being downloaded through perfectly legitimate websites via ad networks. [If a hacker] is able to compromise a content or software distribution network, malware could be injected into this such that users of a legitimate website would then be downloading malware through the network.’

React and respond – preparing for times of crisis

As the realities of new digital attack vectors and how to respond to them become increasingly evident for major corporates and their counsel, leading private practice practitioners from the WSG network share their insights and advice to help businesses prepare for the worst.

‘Ransom attacks, including larger supply chain-type attacks, continue to lead the headlines and pose a sophisticated threat to a business’s ability to operate or recover, now more than ever,’ says Batya Forsyth, partner at Hanson Bridgett and co-leader of the firm’s privacy, cybersecurity and information governance practice.

With cyberattacks increasing in frequency, severity and variety, the need for general counsel and their teams to be prepared to react and respond accordingly has fast become a business imperative, irrespective of company size or sector.

‘A response plan should set the expectations high for the organisation,’ says John Babione, a partner at Dinsmore & Shohl LLP.
‘Responding effectively to security incidents and potential data breaches should be emphasised as critical to the success, and in some cases survival, of the organisation.’

Exactly what a response plan looks like will be different for every organisation, with individual risk factors and tolerances both likely to heavily influence the final plan and procedures. However, the experts we spoke to agree on several common elements that featured in successful response plans.

‘A good security response plan sets forth a process that is easy to understand at all team levels – from general staff to general counsel – and functions well across a variety of attack scenarios,’ says Forsyth.

‘Most importantly, the plan must explain how the plan gets triggered, who makes that decision, who needs to know about that decision and the first next step for the team.’

Getting buy-in from the wider organisation and ensuring that everyone understands their individual roles in times of crisis were also seen as essential parts of successfully managing a response, with time often a critical but limited commodity in any attack scenario.
‘The plan should enlist all affected personnel as partners in a team effort in which everyone knows their daily efforts and diligence on the front line are valuable and needed,’ says Babione.

This engagement though, shouldn’t be limited to times of crisis says Babione, who instead advocates for an always-on approach to monitoring for threats and being prepared to respond – an approach that emphasises mitigation as much as it does preparedness.

‘To do this, the day-to-day IT environment, applications and tools must support and encourage employees to be watchdogs, looking for trouble and reporting it up the chain of command,’ he explains.

‘This engagement of the workforce and management as the hands and feet of the response plan turn the plan from a piece of paper into what it needs to be – the means by which the organisation can respond quickly to incidents to prevent them from turning into a data breach or other harmful cyberattack.’

This type of attack, say the cybersecurity experts interviewed for this report, has already been detected on some of the world’s largest website, often with little or no awareness among their users.

Adds Thuraisingham: ‘Ransomware spares no one. It could attack an 80-year-old great grandmother, a major financial company or even critical infrastructure. With that said, the more pain the attacker causes, the more publicity they get and the more money they can extort; sectors that allow them to cause maximum damage may therefore be more vulnerable. These will include major hospitals, government organisations and, especially, financial companies.’

Of course, cyber experts are aware that ransomware attacks are now big news, and that reporting biases undoubtedly skew toward them. Even so, says David Fidler, senior fellow for cybersecurity and global health at the Council on Foreign Relations, the underlying reality is that such incidents are on the rise. In fact, says Fidler, the true extent of the problem has probably been under-reported.

‘There has been an increase in ransomware attacks, and that increase has been felt across the entire corporate sector in North America and beyond. Beyond this, there is a large number of institutions – typically hospitals or
other bodies that hold large volumes of data – that have been victims of ransomware attacks without the public or media ever becoming aware of it. So the problem is growing and the scale of the problem is perhaps larger than one would imagine.’

The GCs who came in from the cold

From the perspective of the US government, ransomware is a clear and present danger. The increase in the size, sophistication and public awareness of these attacks, as well as their ability to damage critical infrastructure, puts general counsel on the fault line of what, for some organisations, will be the most important challenge of the coming months.

‘The connection between criminal ransomware attacks and how the United States government perceives our adversaries as providing havens for cyber criminals is key’, says Fiddler.

The government has already accused Russia and China of tacitly allowing cyber criminals targeting US companies to operate free of constraints. We’re seeing movement toward more offensive actions on the part of the US government aimed at cyber-criminal organisations based in potentially hostile territories because, clearly, our defences are not effective in preventing these attacks.

If the government does move in that direction, that is a much more dangerous context for businesses to be in, because we do not know cyber-criminal groups are going to respond. They could become even more sophisticated and try to test how much further we’re willing to escalate’.

The thought that corporations might unwittingly get caught in this cat-and-mouse game of testing and defending critical infrastructure is no longer an abstract item on the risk agenda. Even smaller companies that are not deemed essential parts of the US economy now face the prospect of becoming collateral damage in the tit-for-tat exchanges brought on by the escalation of opportunities for cyber attacks and the escalation of deterrence by punishment.

‘For GCs, understanding the potential threat is key’, adds Fidler. ‘Understanding what the threats are from this potential escalation on the part of the government may help persuade the C-suite of the need to make more investments in their own cyber defence.’

Of course, only a minority of companies will fall victim to the most serious of incidents, but indirectly almost every single organisation will end up paying the price, whether through increased demands on security and compliance or changes to their relationships with customers and commercial partners.

Insurance has long been one of the major tools used by corporates to mitigate their exposure to cyber risk, but as the number of cyber-related insurance pay-outs topping seven figures grows, policies are being hastily rewritten.

‘[Last year] was an unprecedented year for ransomware attacks and the payment of related insurance claims’, notes Lavonne Hopkins, senior managing legal director for security, resilience and digital at Dell. ‘As a result, the cybersecurity insurance market is hardening as insurers revaluate how to keep their cyber insurance offers profitable.

I have observed that insurers are focusing more on evaluating organisational cybersecurity maturity and preparedness when making coverage decisions and determining premiums and deductibles. We can only expect this trend to increase. Organisations should start to prepare for a future that potentially excludes ransomware coverage from cyber liability policies and requires self-insurance models.’

A worrying thought. And even those who can find suitable policies should not be complacent against the threat, says Thuraisingham.

‘Certain insurers are now offering specific products that cover the threat of ransomware attacks but relying on this can be extremely risky. To activate the coverage a company must first lose its data in a ransomware attack; only then will the insurer release funds to pay the ransom.

This is obviously not ideal, as the protection offered does not typically compensate for the reputational damage or staff costs associated with the incident. I would advise taking all the preventive measures you can before relying on insurance.’

The price of this sort of ‘kidnap insurance’ coverage is also likely to increase markedly as insurers keep a watchful eye on cybersecurity developments. A report issued recently by Hiscox, an Anglo-Bermudan insurance provider that specialises in niche categories of risk, noted insurers faced a 50% year-on-year increase in pay-outs for cyber-related policies, with ransomware attacks accounting for the biggest contributor to this growth.

Outsmarting the hackers

Even the most generous insurance policy can only be triggered once a cyber attack has taken place, by which time financial compensation alone may not be enough to repair the damage. For general counsel, the only real way to defend against risk is to go on the attack.

David Mace Roberts, general counsel of transport information systems provider Electronic Transaction Consultants (ETC), has been working to keep one step ahead of cyber attackers for many years. For Roberts, the most notable feature of a good cyber risk plan is that it looks unlike anything else on the market.

‘A lot of companies will pull up a one-size-fits-all cyber response plan, but that’s really not good enough. A bespoke cyber response plan needs to be custom crafted for both you and your industry.

Thuraisingham echoes Roberts’ comments. ‘Just as with health concerns, the best method is prevention. Protect all your systems, data and processes so that the attackers cannot gain access in the first place. Perhaps most important, companies that do not mandate backups and do not have extremely stringent security policies are most in danger. Do continuous backups of data and processes. I cannot emphasise proper backup procedures enough’.

Indeed, as Richard Forno notes, none of these measures are difficult to implement, but business has tended to ignore expert advice for too long.

‘The problem I see is that a lot of companies and governments of all sizes fail to do basic cybersecurity best practices, things that we in the industry and academia have been urging people to do for 20, 30, 40 years. This can be things as simple as having a really strong password or using multiple forms of authentication for critical or sensitive systems’.

The most important aspect of effective defence against a ransomware attack, however, comes with employee training. Human error is overwhelmingly likely to be the biggest weakness in a cybersecurity defence package, as well as the first thing a criminal group will look to exploit. To guard against this, says Roberts, the only option is to train relentlessly, ‘If you only train once a year then training loses its impact and offers minimal protection.’

Lavonne Hopkins of Dell agrees. ‘Unfortunately, ransomware most frequently originates from human error, and over half of ransomware victims suffer repeat attacks. Training and education are critical to ensure a comprehensive cyber preparedness strategy and prevent these ransomware attacks. Organisations should mandate cybersecurity training, including phishing training, for all employees and contractor. Employees are the first line of defence and need to be equipped with the knowledge to help prevent an attack’.

Before any of the above can take place, senior management needs to take the risk to business from cyber attack seriously. As Thuraisingham notes, it is all too common to encounter business leaders who consider cyber strategy as a matter for IT professionals.

‘When you’ve hired the best risk analysts and cyber teams money can buy it is very easy to conclude that you’ve done everything you can. This is fundamentally wrong. Businesses will always be vulnerable to these attacks, so there needs to be a constant awareness of just how serious the consequences can be.’

Unfortunately, awareness of cyber risk as among the c-suite seems to remain limited. Our survey of over 200 general and corporate counsel in North America revealed that while legal teams felt there was a very high risk of cybersecurity breaches to their organisations, fewer than half were actively involved in shaping cybersecurity risk planning.

For many organisations, it may come back to haunt them. As Roberts concludes, ‘If you are a senior member of a public company, you’d do well to look at the SEC, the NYSE and NASDAQ who are all really pushing cybersecurity. Do you want this on the front page of the Wall Street Journal or the Washington Post? Do you want to have to answer to the boards, or to the securities regulators? If not, then taking the risk seriously now is the best defence.’

The red pill: How legal teams are embracing the freedom to be replaced

In 1954, The Westinghouse Electric Corporation unveiled the world’s first colour TV. With a price-tag of $1,295 – or nearly $20,000 in today’s money – the H840CK15 was the type of luxury purchase that stood as a solid signifier of economic success.

‘I grew up in a world where lawyers were among the few middle-class professionals who could afford the latest technology’, comments one senior lawyer at a large multinational bank.

‘Now, we are among the few middle-class professionals that ignore technology. It’s a strange thing that so many lawyers have chosen to overlook the transformative power tech has had on the world of work, and I am part of a growing number of in-house professionals that seeks to address the oversight.’

To rephrase the problem – well-known in economics – why does the cost of technology consistently fall relative to the rate of inflation while the cost of services, encompassing everything from healthcare to education continues to rise?

The answer, in short, is that machines cannot (yet) do what humans do. What machines can do, however, are the things humans do not want to do. From this perspective, technology is not a threat but an opportunity. It allows lawyers to move higher up the value chain. And, let’s be honest, no one wants to be stuck doing low-level work.

‘Lawyers are afraid of technology taking their jobs’, comments Lisa Marcuzzi, general counsel and country counsel for ArcelorMittal Dofasco in Canada. ‘But I don’t know of a single lawyer that feels unhappy that they will have to give up reviewing NDAs or sales agreements. As far as I can see, technology will free lawyers to do the jobs they trained for.’

The wider in-house legal community in the US and Canada clearly agrees. While 90% of respondents felt that technology had disrupted the legal profession over the last five years, and nearly all (97%) felt it would do so over the next five years, over three quarters (76%) said this disruption was a positive outcome for the legal profession.

Far from fearing tech, in-house lawyers are waking up to the freedom it can grant them – 87% of those we surveyed said their wider teams were receptive to the use of technology, while 78% said their businesses were supportive of finding new ways to work.

This widespread optimism, many respondents pointed out, was based on direct experience of available technologies. ‘I spent many years reviewing and negotiating documents that were up to 100 pages long’, commented one general counsel in the finance sector. ‘Typically, 90% of that document would either be boilerplate or unnecessary. If I add up the time I have spent reviewing superfluous material and account for cost then it comes to a shocking level of waste.’

In short, corporate counsel are looking forward to the freedom tech will grant them, and few fear their jobs are at risk. As one respondent commented, ‘The idea that lawyers will be replaced is just not realistic. Imagine a Fortune 500 company dismissing its legal team and saying, “we’ll just rely on technology to do all this stuff.” It won’t happen – it would be insane.’

What will happen is a continuation of the trends that have been in play for several years. The in-house legal team will move closer to the time-critical or economically important aspects of the business, law firms will be brought in to help with the types of matters where it just doesn’t make economic sense to employ a team of internal specialists, and technology will be used to remove a lot of the work that was never strictly legal work in the first place.

Eleanor Lacey, head of legal and general counsel for work management platform Asana, comments: ‘In the knowledge sector, tech never works by replacing people. It works by augmenting people and freeing them up to work on higher-value matters.’

‘There is a great sense of freedom now that we as corporate legal teams can really solve a lot of the problems we have seen time and again by introducing often inexpensive tech fixes. It’s a great time to be working in the legal industry. Anyone who says otherwise is just not seeing the big picture.’

Moving up the value curve

What are the grounds for this optimism?

Let’s take the single most important item an in-house lawyer deals with – the contract. Lawyers deal with contracts. Lots of contracts. So too do their employers. As Chris Young, general counsel for digital contracting platform Ironclad, puts it, ‘At a basic level, all lawyers are contracts lawyers and all the businesses they serve are contracts businesses. It’s the most fundamental unit that commerce is based on.’

In this contract-driven world, the central hub for contract review runs through the legal department. When a business grows, how does its legal department choose to scale? Does it add bodies, or does it use technology to scale up and meet demand?

For the last several decades, the answer to that question would have been the former. General counsel had one demand above all else: more staff. As our survey of legal teams in the US and Canada shows, attitudes are changing, and the answer is increasingly likely to be “new ways of working”.

Central to the evolving skillset of the in-house counsel is getting comfortable with communication. Those we surveyed were clear: documentation can be automated, and any lawyer who is essentially reading a document aloud can be replaced at will. But that, many feel, is a good thing. The rise of legal tech means the in-house team can finally sound like the rest of the company.

‘We don’t need to tell business, “The documents say this”’, comments one respondent, senior counsel at a large US medical services provider. ‘Any literate person can see what the documents say. We’re guardians of nothing but the obvious if we tell them what they can read for themselves.

‘That’s great – being freed from routine tasks is not a case of lawyers being replaced. It’s a case of lawyers being able to use their skills for the benefit of business. We should embrace it. Lawyers have been trained to do some very sophisticated work, but large parts of the contracting process are not that work. If we can relegate that to a system or use technology to complete it then we are going to have a lot more time to do the work that is expected of business leaders. The days of pushing paper around may finally be over.’

Schrödinger’s Tech: Opening the box on law firms’ use of technology

Chris Young, general counsel for digital contracting platform Ironclad notes that ‘In-house teams used to ask their law firms about technology. Now it’s the reverse. GCs are encouraging their firms to adopt technology, and firms are hearing about the most useful software and tools from their customers.’

For many firms, this will come as unpleasant news. But there is an upside. As Young points out, ‘In-house lawyers will always need law firms, and the industry won’t be transformed by one side alone. The more forward-thinking law firms should see this moment of change as an opportunity to gain a competitive advantage and become a true strategic partner to their clients.’

Judging by the results of our survey, it is an opportunity many have failed to grasp. Under half (45%) of the more than 200 senior counsel we polled for this report said their firms were using technology to deliver legal services and solutions, while a similar number (41%) were unsure how their external firms were resourcing matters.

As one respondent noted, ‘Knowing what goes on at a lot of firms is a game of Schrödinger’s Cat. They may be using some pretty sophisticated software to bulk process our matters, but they are unlikely to tell us about it unless we push them.’

This lack of transparency was widely cited as a source of frustration. Indeed, nearly three quarters (74%) of those we spoke to said they were not satisfied with their firms when it came to technology.

Law firms should take note: 88% of legal teams said it was important that their law firms kept up with developments in technology, with 32% saying it was crucial for them to do so.

We should not place the blame entirely on law firms here. In-house lawyers may complain that their firms behind the curve, but fewer than half (44%) are asking about their external advisers’ use of technology when undertaking
panel reviews.

With so many GCs either unsure of or dissatisfied with their firms’ use of technology, it is no surprise to see that few are looking to them as a source of inspiration. Just over a third of respondents (38%) said they now looked to their firms for guidance when it came to finding or implementing legal technologies, while under a quarter (23%) reported having been advised by their firms on the use of specialist legal technology. Only 21% of respondents said their firms had offered to share technology with them.

This, for some GCs, has been a dealbreaker. ‘One of the factors that motivated me to change firms was the lack of use of technology by my old external firm’, comments the general counsel of a large commodities business.

Of course, the technology used by law firms is often very different to the technology needed by corporate legal teams. Firms tend to operate in scales and volumes that are far beyond the requirements of their clients, making tech transfer a far from simple matter.

Even so, it may trouble those in private practice to know that legal teams are beginning to look for solutions elsewhere. Almost half (47%) of those surveyed said use of technology within the legal team had already impacted their relationships with external firms.

The good news? Law firms that take a proactive approach are winning clients. As Michael Shour, general counsel and secretary of Banyan Software, concludes:

‘If a firm is wise to the implementation of appropriate technology solutions, it can allow them to complete tasks more efficiently and cost-effectively. When I see a firm doing things like this, I can’t help but appreciate that they are driving efficiently for their clients and am impressed that they are on top of things – and that can only be a good thing for business.’

Risk, Litigation and GC Evolution Report 2021

Following on from our highly informative Risk and Litigation Report 2019, GC has partnered with Freeths once more to gather the opinions of over 100 general and senior counsel across the UK and Europe, to see how their approach to risk and litigation management has changed over a period that has tested even the most accomplished legal leaders. While undoubtedly a challenge, the Covid-19 pandemic also gave in-house counsel the chance to show their businesses just how useful they can be in a crisis; we also took the opportunity to examine how true this was, and how far the general counsel role has grown over recent months in response. Finally, our survey asked how legal teams felt they dealt with the lockdowns and subsequent shift to remote working.

Download and read the report offline.

James Hartley

This partnership project with GC magazine is a valuable opportunity for Freeths to engage with senior in-house legal colleagues and to pool the latest thinking on how best to create value, in the face of ever increasing litigation and regulatory risks.

We’re fascinated to see this survey data, which aligns with what we’re seeing through our risk advisory work. We see more businesses focusing on preparing for unforeseen, high impact, strategic risks, which have the potential to materially disrupt the business. On the positive side, this data also highlights an increasing awareness that the more sophisticated approaches to legal risk management are starting to emerge as factors which have the potential to enhance business value and give a competitive edge. Undoubtedly, the pandemic and Brexit have played their part in this heightened risk awareness.

There are plenty of theories on how GCs can convert risk into opportunity and create value for the business – but how are GCs actually achieving these things in the real, commercial world?

This survey data, webinar, and the roundtable discussions that will follow, should give us all a fascinating insight into how successful GCs are in achieving results, despite the risks and pressures.

Working with GCs to convert that insight into proactive risk management strategies is something we excel at here at Freeths.

James Hartley, Partner and National Head of Dispute Resolution

(Hartley is recognised as a leading individual by The Legal 500 in the fields of commercial litigation and dispute resolution. He uses his litigation experience to help clients undertake and implement complex risk management strategies, most notably in the recent successful claim against the Post Office.)

Download the report

Risk & Litigation Management

Risk and litigation management has become an essential skill for GCs. Boards are increasingly focused on preempting and minimising disputes and, as one respondent put it, ‘the responsible management of regulatory and compliance risks is a genuine competitive advantage that our management is acutely aware of’. Given the fact that the business landscape has changed so radically since the previous report, and that management varies across firms in different jurisdictions, GC took a fresh look at how general counsel now tend to deal with risk and litigation.

Our survey demonstrates just how important risk and litigation management strategies have become to corporate legal teams; all respondents said litigation risks and transactional risks, including contracts and projects, were part of their overall responsibilities. But the legal support they provide does not extend into other business areas, and GCs are not always aligned with their boards when it comes to the definition of risk. While only a third of respondents said that environment, social and governance (ESG) and corporate social responsibility (CSR) were part of their main responsibilities, all agreed that these areas are increasingly important business value metrics with an associated risk profile that in-house counsel are well-placed to manage.

Have the remarkable circumstances of the past 18 months given the impetus needed for a radical shake-up of how GCs are approaching their risk and litigation management, or is it business as usual? Based on the results of our survey, the latter is a more accurate statement; 60% of respondents stated that the events of the pandemic have not changed the order in which they prioritise the risks to the business. Of the remaining 40%, quite a number said their risk and litigation management has led to rigorous cost/benefit analysis in order to keep costs low; for example, one GC stated that the ‘challenging economic period requires us to now analyse, in detail, every single opportunity to save money’. Others pointed to changes such as placing greater emphasis on risks related to the pandemic, for instance prioritising the well-being of customers and colleagues.

While in-house legal departments are happy to manage risk internally, and in the main feel competent to do so, almost half of the respondents said they would benefit from external law firms providing more sophisticated and bespoke litigation risk advisory services as well as, if it was offered, dedicated financial cost/benefit analysis. For legal services providers who take pride in their risk advisory services, this may indicate an opportunity.

It also suggests that respondents are aware that improvements can be made in their corporate risk management, and the survey offers some insight into where these improvements can be made. 28% of respondents stated that they are reactive rather than proactive in terms of their risk management, while others were concerned that the many moving parts of their organisations are not working as one; 16% reported their risk management response to be wholly un-holistic in its approach.

Freeths Comment

‘We’re certainly seeing within our Dispute Advisory practice a growing awareness among corporates that decisions around litigation and regulatory situations need to be viewed as investment decisions – requiring cost/benefit analysis, and outcome scenario planning, that can be presented clearly and decisively to boards’. – James Hartley, Head of Dispute Resolution, Freeths

Creating Value

General counsel are now more likely than ever before to view their risk and litigation work in business terms and are expert at explaining this to other stakeholders within the business. As one GC eloquently put it, ‘Taking a sensible approach to risk, and having a mitigation strategy, enables the business to also take on appropriate risk, which can generate returns. All businesses take on a degree of risk and the key is finding the right balance to optimise these opportunities in order to not lose out to competitors’.

Other GCs agreed, with many focusing on how the ability to assess the merits and demerits of a case in its early stages allows for a cheaper resolution. As another GC stated, ‘from a cost perspective, gaining an early view of potential risks allows commercial decisions to be made well before expenses are incurred’. Others mentioned that being able to predict – somewhat – the cost that a case might incur as being a major boon to business-legal team relations, as the corporate side often appreciate being given a ball-park figure to be able to base their strategy around. Others still mentioned the importance of being able to avoid adverse consequences like claims and fines, and how effective mitigation efforts can also improve their company’s knowledge of the legal landscape and contribute to the good reputation of the company.

We asked respondents to score four metrics out of ten for how far they allowed them to demonstrate positive contribution to the growth and value of their business: enhancing the legal and regulatory risk profile of the business; horizon-scanning to predict and neutralise legal and regulatory risks to growth and profitability; quantifiable financial savings achieved through proactive, decisive and strategic resolution of issues and obstacles; and generating cash through the monetisation of meritorious claims or litigation by deploying external litigation funding solutions. This, also, demonstrates that general counsel still see their main contribution to the business’ bottom line to be as cost-avoiders rather than revenue-makers themselves. ‘Generating cash through the monetisation of meritorious claims or litigation by deploying external litigation funding solutions’ achieved far and away the lowest average score out of ten: 3.3. The other options, ‘legal and regulatory risk profile enhancement’, ‘horizon-scanning’ and ‘proactive, decisive and strategic resolution of issues’ received generally high average scores; 7.9, 7.3 and 7.1 respectively.

So much for the theoretical side, but how have in-house counsel actually been performing when it comes to avoiding risks before they develop? On the evidence of GC’s survey, one positive conclusion that can be made is that the in-house teams that have managed risk in a conscientious and responsible way over the last 18 months have been noticed and supported by their companies; more than half of respondents said that the pandemic has not impacted how adequately resourced their teams are. In a similar vein, 62% of respondents have not considered financing options to improve their litigation and regulatory risk management.

From Risk to Opportunity

Sixteen months after the order to work from home where possible, many of us have forgotten just how profound a shift in working practices it has been. But it is worth considering whether the changing approach to risk management within legal teams is part of a broader ‘post-pandemic’ shift in the way businesses are looking to safeguard long term stability. Intuitively, it seems that general counsel, given their risk management expertise and the analytical skills given to them by their legal training, could have been seen as ideal personnel to lean on for companies under the circumstances. The data appears to bear this out; almost half of respondents stated their greatest challenge of the past 12 months was increased responsibility, while only 15% answered that their role has not appreciably changed. This trend remained approximately the same across legal teams of vastly different sizes, indicating that general counsel at companies of all sizes have been relied on to fight fires for their companies in their hours of need. That they have been fighting fires is evidenced in the report as well; roughly four fifths of respondents reported they have been involved in litigation or regulatory activity over the past year.

But how exactly have in-house counsel seen their risk management and prevention responsibilities grow over the past year? A shade under half of those surveyed noted the greatest change in their responsibilities as an increased emphasis on unforeseeable or unpredictable risks; undoubtedly the Covid pandemic has shaken the business world into taking such threats more seriously. Interestingly ‘increased time with the board or taking on a board position’ was the second most popular way in which respondents have seen their responsibilities increase. Clearly, a significant minority of in-house counsel have raised their profile within their companies who have trusted them to safeguard them in a difficult business environment.

Those that weren’t afforded this increased level of face-to-face time with the board probably feel as though they should have been. An overwhelming majority of respondents, 93%, believe they work best as a combination businessperson and lawyer rather than as a lawyer first and foremost. With that said, most benefit from something of a separation of power with the board; 57% believe they work better as an independent advisor at arms-length rather than a fully-fledged member of the board.

Freeths Comment

‘In my experience, lawyers who are seen by boards as those who “grasp the nettle” in difficult litigation and regulatory situations, and who shape a strategy so as to gain some control, are the ones who are seen as highly valuable in the business – this applies to both internal and external legal teams’. – James Hartley, Head of Dispute Resolution, Freeths

Lessons Learned

The Covid-19 pandemic was an unprecedented business challenge that came at a time when uncertainty already gripped a UK business scene which was trying to get its head around the ramifications of leaving the European Union. That these should have changed the way in-house counsel operate seems elementary, but what have they meant in terms of how much legal work is outsourced vs kept in-house? Legal providers can take heart from the fact that results were even; half of respondents to GC said they would send a greater proportion of their legal work externally while the remainder said they would grow their in-house team in response. There is an interesting caveat to this, though; larger companies are far more likely to be relying on their in-house teams going forward. Of respondents with the largest in-house legal teams comprising over 25 members, two thirds reported they will be growing their in-house legal team as opposed to sending more work to firms. The thinking behind this tends to be based on cost. As one respondent put it, ‘While decisions will always be taken depending on work type, carrying out more work in-house generally tends to be more cost effective’.

Away from the nuts and bolts of specifically legal concerns, the day-to-day life of the average general counsel has changed markedly over the course of the pandemic and subsequent lockdowns. For most, the greatest change of all has been the need to work remotely for long periods. While there are perks to working from home, for example a decrease in commuting, greater flexibility and a better work and life balance, it does come with issues. The lack of face-to-face conversations and the drop in productivity some feel comes with not being supervised are perhaps chief among these. How do in-house lawyers feel the move to remote working has been, then? As it turns out, only roughly one in ten respondents reported a decrease in productivity when working away from the office. While this tenth of respondents may be facing obstacles in home working, such as an increase in distractions or lacking a good working environment, this does seem to be a resounding endorsement for remote working. Working from home does not appear to be hindering productivity noticeably, which more than explains why some employers are looking at making this a permanent change in the future.

The Covid pandemic and subsequent lockdowns were – hopefully – a once-in-a-lifetime business challenge that caught the vast majority of general counsel off-guard. How does the average general counsel feel they met the challenge? To find out, GC’s survey also asked the million-dollar question: would they have done anything differently about their strategy during the lockdown period if they were able to have the time over? Several responses focused on measures such as moving earlier, acting more proactively and being more conscious of how the pandemic would impact the demands of work. For example, as one GC put it, ‘[we would have] sped up getting the technology in place to permit home working at the beginning of the crisis’. Likewise, another stated ‘Planning for negotiating agreements with landlords on rent levels and review of office use’. In the main, though, respondents were pleased with how they handled the situation, and proud of how their teams rose to the challenge. ‘We identified the seriousness of the problem early’, recalls one GC, ‘and sent our employees into home working before companies were asked to do so by government. We even saw a boost in productivity soon after home working, and, now, we’re ready for the return to the office’.

Freeths Comment

‘Recalibrating resilience plans in light of the events over the last two years is now high on the corporate agenda, with more focus now on identifying and evaluating major shocks – including litigation and regulation – which might disrupt strategic objectives.’ – James Hartley, Head of Dispute Resolution, Freeths