3 Keys to Managing the Legal Fallout From Cyberattacks

Marketing Program Specialist

January 31, 2024

23 min. read

Andrew Brandt, ESPN business and legal analyst. Image from Sports Agent Blog.

ESPN’s resident legal expert, Andrew Brandt, is synonymous with one simple phrase: There will be lawyers. He’ll tweet it in response to any developing story in the sports world that catches his eye, like Carolina Panthers owner David Tepper throwing a drink at fans from his owner’s box.

It’s this phrase that inspired Illumio’s latest webinar, a collaboration with legal firm Fenwick and West speaking on the legal consequences of cyber breaches. Michael Sussmann, a cybersecurity and privacy lawyer at the firm, joined John Kindervag, godfather of Zero Trust and Chief Evangelist at Illumio, and Aaron Margolis, Head of Legal at Illumio to share insights on the rarely covered topic of cyberattack legal fallout.

Just as in the world of sports, there will be lawyers.

Here are three key takeaways from their discussion to help you stay prepared for the legal fallout of breach response. You can also watch the full recording here, and get a preview of their discussion below:

1. There’s ROI in proactive security investment

Many organizations are still lagging when it comes to building breach containment strategies that reduce risk and bolster cyber resilience. According to Kindervag’s research, the majority of cybersecurity incidents could’ve been mitigated for far less than the cost of the legal fees associated with the incident.

“It feels to me like we're penny wise and pound foolish,” Kindervag said, “and we're not thinking about all the costs that could be associated with an attack.”

But investing in proactive security strategies that prepare for the next inevitable breach will deliver ROI next time a breach happens. Sussman and Margolis recommended implementing basic cyber hygiene best practices in addition to security tools that limit network access, contain breaches, and stop lateral movement.

While these strategies may not prevent a breach, they can certainly ensure a breach is less destructive than it otherwise could be — and less costly to remediate legally.

“Being proactive can make the difference between a low-level security vulnerability versus a high-profile breach that becomes mission-critical to the whole company,” Margolis said.

2. Prioritize communication

Breaches can no longer be prevented or detected quickly enough to stop them from becoming catastrophic incidents. Organizations can't expect perfection from their security teams — and CISOs can’t expect that the rest of the organization will understand what their teams needs to build cyber resilience.

“Speak up when you need resources,” Sussman recommended. “Everyone's out there doing their best in difficult circumstances.”

When a breach does occur, Kindervag noted that bringing in outside counsel can be helpful. Sussman agreed, encouraging organizations to “always” speak with lawyers when a breach occurs. This can help security teams better communicate the breach’s impact to internal and external stakeholders while mitigating any unexpected legal issues that may arise.

3. Investment starts at the top

Kindervag addressed the long-time issue in the cybersecurity industry of procrastination: “Why do companies avoid or delay investing in projects that could help them, like segmentation? Why do we see so many folks saying ‘it costs too much’ when there's so many downsides to not doing the right thing?”

Margolis agreed that many organizations are still focused on outmoded security models that prioritize prevention and detection instead of breach containment. These lead to costly breaches and legal fallout.

“I think the reason that it can be deprioritized is that when we're running the business, there's an incentive structure there that puts a big premium on growth. So a lot of the investment and focus gets put on that,” explained Margolis

However, he does see change happening. In today’s threat landscape, boards are starting to take notice of cybersecurity issues. Security risk is becoming a top business risk to mitigate, and legal teams are increasingly involved in security planning.

“It’s becoming less true over time as cyber becomes more of a strategic imperative,” he said.

“There's less of the procrastination mindset and more of becoming more proactive, and there's a need for cyber expertise within the boardroom.”

Contact us today to learn about how Illumio Zero Trust Segmentation can help your organization build cyber resilience and reduce the risk of catastrophic cyberattacks.