Cybersecurity has shifted from a purely technical concern to a major legal and business risk.
Statistics show a sharp rise in cyber incidents globally. According to AON’s 2024 cyber report, frequency increased 29% year over year across APAC, and incidents are up 134% from 2020. These trends expose businesses to increased legal, regulatory, reputational and business challenges.
In HSF Kramer’s 2025 cyber risk survey it was found that:
This gap highlights the growing responsibility of General Counsel (GCs) not only to advise but to actively lead in managing cyber crises.
Effective cybersecurity begins well before an incident occurs. GCs must work closely with CISOs and risk officers to map the organisation's data landscape, identifying high-value assets such as trade secrets, regulated personal data, and contractually protected information. Building a data-centric cybersecurity strategy ensures legal and technical teams are aligned. Tabletop exercises simulating breach scenarios are invaluable for stress-testing response protocols and clarifying roles across departments.
Critical to success is engaging the board and senior leadership - and the GC plays an important role in translating cyber risk into business language to secure buy-in and resources. At the board level, it was identified in HSF Kramer's report that while more than 50% of boards are being educated on cyber risk, there is a perceived lack of cyber skills and expertise on these boards.
Building robust cyber hygiene and defence now means more than just firewalls and antivirus software. Businesses should aim to adopt practices such as:
Effective cybersecurity requires a collective commitment: a shared responsibility in which leadership, management, legal teams, and every employee understand and actively fulfil their roles. A culture of vigilance and compliance through training and clear policy empowers response and resilience.
Third-party vendors, such as cloud providers and supply chain partners, represent one of the most significant cyber risks, with PerisAi reporting that weak entry points in third-party services account for 45% of initial breaches.
These vulnerabilities are heightened by the diverse regulatory environment, meaning that companies operating across multiple regions face a minefield of overlapping rules that complicate risk management.
GCs can stay on top of third-party risk by proactively negotiating robust contractual protections in cloud and Software-as-a-Service (SaaS) agreements. A few clauses which are essential in managing risk include:
The Coca-Cola ransomware attack in May 2024 serves as a cautionary tale of the consequences of insufficient vendor vetting. Attackers exploited decentralised regional IT operations that had inconsistent controls and lacked strong authentication on remote access platforms, causing substantial leaks of employees' personal data. Following the breach, the Singapore Personal Data Protection Commission (PDPC) imposed an undertaking requiring Coca-Cola to take measures to improve its compliance with Singapore’s PDPA.
This case underscores the necessity for GCs to integrate contractual rigor and cross-jurisdictional regulatory awareness into third-party risk management frameworks.
In the event of a cyber incident, the GC becomes the legal linchpin of the response team. Here are a few steps to consider in response to a cyber incident:
Beyond damage control, exemplary cyber crisis management can become a differentiator. Research by Integris in 2025 found that 37% of clients are willing to pay a premium for businesses demonstrating robust cybersecurity measures and transparent breach response.
As cyber threats grow in scale and sophistication, the GC’s role is no longer reactive - it’s strategic. By preparing thoroughly, responding with precision, and fostering a proactive legal and compliance culture, GCs can turn cybersecurity from a liability into a leadership opportunity.