Rapid Reads News


Why General Counsels are Now Playing a Leading Role in Cybersecurity and Data Protection


Business cybersecurity and global data protection were once largely led by IT and risk management teams, but today, legal teams are taking on more responsibility to tackle evolving regulations and internal governance. In this article, we explore how general counsels can manage this enhanced role in cyber and data security.

Enterprise cybersecurity and data protection were once seen as technological issues best managed by the chief information officer (CIO) or chief information security officer (CISO). However, as cyber threats evolve, general counsels (GCs) are increasingly expected to not just understand the material risks created by cyber incidents, but to collaborate with colleagues across their organization to mitigate such risks.

One of the key drivers behind this shift in responsibility is the rising tide of digital regulations, and the significant penalties businesses face if they don't comply. GCs are acutely attuned to such risks. Research for CSC's recent "General Counsel Barometer 2025" report found that the changing regulatory landscape was ranked number one in terms of risks to legal operations, followed by artificial intelligence (AI), then the General Data Protection Regulation (GDPR), data privacy, and cyber risks.

Indeed, Europe's GDPR, which became applicable in 2018, brought new requirements for businesses handling personal data and stricter rules on data processing, as well as large penalties for noncompliance. The most severe infringements can incur fines of up to €20 million or 4% of global annual turnover, whichever is higher.

This, along with other regulations, has been a wake-up call for businesses. The size of the potential penalties, and the publicity that follows them, led to GCs becoming more involved in data protection and in mitigating cyber attacks that could harm a company's data and reputation.

From legal advisor to risk strategist -- how is the GC's role evolving?

In many organizations, GCs are now a central stakeholder in crisis planning, breach response, and board-level governance, co-owning enterprise cybersecurity policy with CIOs and CISOs, which has increased in importance as businesses, and their digital infrastructure, continue to grow. If left unprotected, a company's digital domains are targets for attacks such as domain name system (DNS) hijacking and cybersquatting. These attacks rarely occur in isolation. CSC is seeing steady growth in the number of hybrid cyber incidents that begin with a domain-led attack then develop into a full-blown ransomware or malware incursion. Even worse, technologies such as AI are now helping cyber criminals launch such attacks at an alarming scale by streamlining their search capabilities and creating more convincing phishing scams as well as other threat vectors.

Mitigating these risks, and the penalties they might incur, certainly requires strong technical security measures, but it also requires robust internal governance and education across the business. This is why GCs and their IT security counterparts must be fully aligned to ensure internal policies keep up with the evolving threat landscape.

Key regulations GCs face in a fast-moving cyber landscape

In addition to GDPR, which affects every business that processes the personal data of individuals in the E.U. or the U.K., GCs face potential challenges from new and established regulations designed to protect corporate data and digital assets.

Notably, these include the Network and Information Security Directive 2 (NIS2), the E.U.'s updated cybersecurity framework, which entered into force in 2023 and had to be transposed by member states by October 2024. It introduces fines of up to €10 million or 2% of global annual turnover for essential entities that fail to comply. Alongside it sits the Digital Operational Resilience Act (DORA), an E.U. regulation requiring financial entities to strengthen their digital operational resilience, which has applied since January 2025. Rather than fixing a single E.U.-wide fine, DORA leaves the administrative penalties for noncompliant financial entities to national competent authorities, so the exposure varies by member state.

Meanwhile in the U.S., the Corporate Transparency Act (CTA), which still applies to foreign reporting companies, may have significant implications when the entity information it requires is compromised, with criminal fines of up to $10,000 per violation.

Keeping track of these regulations is further complicated for businesses operating across different jurisdictions. Cross-border data transfer rules, especially in the E.U. and Asia, are heavily nuanced and must be fully understood and adhered to. Indeed, respondents to our "General Counsel Barometer 2025" cited understanding local legal systems and compliance as a key challenge.

The GC's cybersecurity toolkit -- strategy, partners, and governance

To stay on top of changing regulation and ever more potent cyber threats, GCs must feed into a cohesive, systemic, and proactive cybersecurity policy implemented companywide. Close collaboration with IT, security, and privacy teams may involve:

An often overlooked, or at least untested, element of the policy is a well-documented business continuity and disaster recovery plan, together with a crisis communication strategy. The latter element should include messages for regulators, clients, and suppliers in the event of a breach.

Corporate service providers can also play a crucial role in helping GCs stay compliant with regulations across multiple jurisdictions. Dedicated compliance platforms, designed to manage regulatory updates and incident workflows, offer each stakeholder group the same window on data governance across their organization. This real-time visibility across all entities and jurisdictions globally is invaluable to GCs tasked with a greater responsibility for cyber risk management.

Building a cyber-secure legal function in three steps

One critical task for GCs is to create an internal legal risk matrix, which identifies the potential known risks created by factors such as forthcoming regulation, the use of AI, and inconsistent data sets.

It's also important to appoint a compliance point person for data governance at every regional entity. This is particularly pertinent now because NIS2 requires in-scope entities to submit an early warning of a significant incident to their national computer security incident response team (CSIRT) or competent authority within 24 hours of becoming aware of it, followed by a fuller notification within 72 hours and a final report within a month. Meeting those deadlines is only realistic if someone local already knows they own the task.

Finally, it can be highly beneficial to bring in a global partner like CSC to help maintain consistent global compliance. CSC operates in 140 jurisdictions and can provide comprehensive support with entity management, as well as digital asset protection and domain monitoring services.

CSC also operates as an effective bridge between all stakeholders, including GCs, IT, and risk management to make sure everyone is aligned with the same cyber strategy. At a time when GCs are stepping up to help businesses deliver on cybersecurity and global data protection, having access to this extra expertise can deliver real value.
