What governance mechanisms should General Counsel look to establish between the board and C-level executives in order to best manage officer reporting and liability – particularly in areas such as risk management, cybersecurity, and technology?

Lorenzo Bacciardi, Partner, Bacciardi and Partners

General Counsels frequently report that they are consulted by executives and/or the top management of the company only when a problem actually arises following a previous decision.

We strongly believe that a good governance system requires that General Counsels always be involved early on in the decision-making process, particularly when the decision is strategic in nature. We believe that the sooner the General Counsel is involved in the decision-making process, the lower the risk of future claims or litigation.

The timely referral by C-level executives to General Counsel is also necessary to allow them to source legal assistance from private practices when the decisions to be taken need to be supported by specialised legal advice.

In light of the above, we strongly advocate for the implementation of a governance system placing General Counsels at the very top level of the management of the company and allowing them to be engaged by executives and top management early on in the process.

Involving General Counsel early may also help to prevent additional liability deriving from cyber-attacks and/or intrusion, in the event that the intruding party succeeds in getting access to confidential data.

In this regard, the governance mechanism to be established between the board and C-level executives should identify the cyber risks, protect and safeguard the IT system from intrusions and detect any intrusion into the IT system.

It should also implement plans and procedures aimed at containing damages resulting from cyber-attacks and/or intrusion, helping to resume normal operations and implement recurrent reports to the Board of Directors, in order to assess the vulnerability of the IT system of the company.

To achieve the above, a company should implement a best-in-class cyber security governance model involving the main governance functions of the company including, but not limited to, the IT security, the HR and compliance, as well as the legal, regulatory and privacy department offices.

The implementation of the best-in-class cyber security governance model implies the delegation of powers and responsibilities to those holding the aforesaid offices, so that all of them are intimately involved in the cyber security management. To achieve this aim, the involved functions within the company must also be held accountable, based on the powers received and obligations assumed.

In light of the above, it is imperative that General Counsels commit time and resources to educate themselves, the board members and the C-level executives on the ongoing and dynamic cybersecurity and technological threats posed by the present digital age.

“Minimising Corporate Liability: Advice from Outside Counsel” is an IR Global report including contributions from 23 outside counsel across multiple jurisdictions. It touches on the key areas of director liability and governance mechanisms between board and c-suite executives; as well as current trends within regulatory agencies and courts of which in-house counsel should be aware.