Cybersecurity has shifted from a purely technical concern to major legal and business risk.
Statistics show a sharp rise in cyber incidents globally. According to AON’s 2024 cyber report, incident frequency increased 29% year over year across APAC, and incidents are up 134% from 2020. These trends expose businesses to increased legal, regulatory, reputational and business challenges.
HSF Kramer’s 2025 cyber risk survey found that:
- 58% of boards do not have a specific legal cyber incident response plan,
- 69% of organisations noted that it would take an actual breach to prompt cybersecurity improvements, and
- less than half of organisations actively involved their legal teams during an incident response.
This gap highlights the growing responsibility of General Counsel (GCs) not only to advise but to actively lead in managing cyber crises.
Preparation is the best defence
Effective cybersecurity begins well before an incident occurs. GCs must work closely with CISOs and risk officers to map the organisation’s data landscape, identifying high-value assets such as trade secrets, regulated personal data, and contractually protected information. Building a data-centric cybersecurity strategy ensures legal and technical teams are aligned. Tabletop exercises simulating breach scenarios are invaluable for stress-testing response protocols and clarifying roles across departments.
Critical to success is engaging the board and senior leadership – and the GC plays an important role in translating cyber risk into business language to secure buy-in and resources. At the board level, HSF Kramer’s report identified that while more than 50% of boards are being educated on cyber risk, there is a perceived lack of cyber skills and expertise on these boards.
Cyber hygiene and defence
Building robust cyber hygiene and defence now means more than just firewalls and antivirus software. Businesses should aim to adopt practices such as:
- Incident response training:
Drills such as red team exercises that simulate real attacks, together with continuous vulnerability assessments, ensure technical readiness. They also give GCs a platform to bring their critical perspective to preparation, bridging IT and the boardroom by reframing technical detail in terms of legal, business and reputational risk so that real-world challenges are anticipated.
- Cyber insurance:
Robust insurance policies cushion financial shocks from incidents, covering breach investigations, regulatory fines, and business interruption. GCs play a crucial advisory role in aligning incident response plans with insurer expectations, as well as ensuring the business understands its coverage terms.
- Company and employee cybersecurity policies:
Clear company policies set expectations for technology use, password hygiene, multi-factor authentication, and breach reporting. GCs should collaborate with IT and HR to ensure that policies are practical, communicated effectively, and compliant with APAC’s diverse regulatory landscape.
Effective cybersecurity requires a collective commitment: a shared responsibility in which leadership, management, legal teams and every employee understand and actively fulfil their roles. A culture of vigilance and compliance, built through training and clear policy, strengthens both response and resilience.
Third-Party Risks amid a fragmented regulatory landscape
Third-party vendors, such as cloud providers and supply chain partners, represent one of the most significant cyber risks, with PerisAi reporting that weak entry points in third-party services account for 45% of initial breaches.
These vulnerabilities are heightened by the diverse regulatory environment, meaning that companies operating across multiple regions face a minefield of overlapping rules that complicate risk management.
GCs can stay on top of third-party risk by proactively negotiating robust contractual protections in cloud and Software-as-a-Service (SaaS) agreements. A few clauses which are essential in managing risk include:
- Time-bound breach notification service level agreements (SLAs), to ensure prompt reporting of incidents.
- Audit rights and penalty provisions, to verify and enforce supplier compliance.
- Data localisation warranties, that align with jurisdiction-specific laws.
The Coca-Cola ransomware attack in May 2024 serves as a cautionary tale of the consequences of insufficient vendor vetting. Attackers exploited decentralised regional IT operations with inconsistent controls and no strong authentication on remote access platforms, leading to substantial leaks of employees’ personal data. Following the breach, the Singapore Personal Data Protection Commission (PDPC) imposed an undertaking requiring Coca-Cola to take measures to improve its compliance with Singapore’s PDPA.
This case underscores the necessity for GCs to integrate contractual rigor and cross-jurisdictional regulatory awareness into third-party risk management frameworks.
Incident Response and Crisis Management
In the event of a cyber incident, the GC becomes the legal linchpin of the response team. Here are a few steps to consider in response to a cyber incident:
- The first step is activating a cross-functional incident response team, including IT, communications, compliance, and external counsel.
- Legal privilege should be established early to protect sensitive communications.
- GCs must also manage expectations – investigations often unfold over weeks, and rushing can compromise accuracy.
- Co-ordinating internal and external communications is critical: regulators, customers, and employees all require timely, consistent messaging. A misstep here can potentially compound reputational damage.
From Crisis to Competitive Advantage
Beyond damage control, exemplary cyber crisis management can become a differentiator. Research by Integris in 2025 found that 37% of clients are willing to pay a premium for businesses demonstrating robust cybersecurity measures and transparent breach response.
As cyber threats grow in scale and sophistication, the GC’s role is no longer reactive – it’s strategic. By preparing thoroughly, responding with precision, and fostering a proactive legal and compliance culture, GCs can turn cybersecurity from a liability into a leadership opportunity.
For further information, please contact:
Titus Rahiri, KorumLegal
titus.rahiri@korumlegal.com