Chief legal officers at smaller companies are less confident about their organizations’ ability to deal with emerging legal, regulatory and cybersecurity risks than their peers at larger companies, according to a recent survey by the Association of Corporate Counsel.
Organizations with less than $2 billion in revenue were 3.5 times more likely than larger organizations to say they were “only slightly confident” or “not confident at all” about mitigating these risks, according to the 2021 Chief Legal Officers Survey. The survey results are based on responses from nearly 950 general counsel and chief legal officers across 21 industries.
CLOs from smaller organizations reported they are less prepared to handle cybersecurity and data security risks than those at companies with more than $2 billion in revenue. Among big companies, 67% said they have a comprehensive data management strategy in place to ensure compliance and security, while just under 59% of smaller companies reported having such a strategy.
While around half of CLOs at smaller companies said they are “very” or “moderately” confident about their organizations’ ability to respond to cybersecurity incidents and breaches, about 16% reported they were “not at all confident” or “only slightly confident.”
Businesses also face new obligations when it comes to cybersecurity, data privacy and protection. Earlier this month, Colorado became the third state to adopt a comprehensive data privacy law, which takes effect in July 2023. Virginia also enacted a data privacy law this year, which will go into effect in January 2023.
In November, California voters passed the California Privacy Rights Act, also effective in 2023, which builds on the state’s first-in-the-nation data privacy law and imposes even stricter requirements for companies doing business there. The California Consumer Privacy Act — the CPRA’s predecessor — took effect last year.
More than 15% of CLOs at companies of all sizes said they had done nothing in the past 12 months to prepare their organizations to comply with data privacy regulations, according to the ACC survey. About 34% of CLOs at large businesses reported they started employing dedicated legal operations professionals to help with data privacy compliance, while small companies were more likely to outsource the task, with 27% reporting they had increased their use of non-law firm vendors in the past year.
The survey also provides insight into the priorities and structure of corporate legal departments. Almost 38% of CLOs from companies of all sizes said their department’s most important strategic initiative is related to “legal operations,” while nearly 15% answered “insourcing of legal resources” and 8.4% said their most important initiative involves data security.
About two-thirds of all respondents said they expect the volume of regulations affecting their business to increase in the next year, and 40% expect enforcement to increase. To defend against litigation and compliance threats, about 38% of CLOs said they plan to adopt new processes. About 26% of CLOs at small companies and just over 30% of those at big companies said they plan to invest in new technology.
The survey found that a majority of CLOs report directly to the organization’s CEO. Of those who don’t, CLOs in small organizations were most likely to report to the chief financial officer (48.2%), the chief operating officer (17.5%) or “other” (19.3%). Meanwhile, CLOs in large companies who report to someone other than the CEO are most likely to report to the chief administrative officer (29.5%) followed by the chief financial officer (23.4%).