Chief legal officers are increasingly stepping into leadership roles in cybersecurity governance as organisations face a complex and evolving threat landscape, according to a new report.
The 2025 State of Cybersecurity Report, published by the Washington, DC-based Association of Corporate Counsel (ACC) Foundation, showed a significant shift towards greater integration of legal expertise in cybersecurity risk management across 278 organisations in 16 countries, including Australia.
The percentage of chief legal officers (CLOs) with leadership roles in cybersecurity has more than doubled since 2020, rising from 15 per cent to 38 per cent.
Half of CLOs now participate in cybersecurity teams, while only nine per cent report having no cybersecurity responsibilities.
The report emphasises that cybersecurity is no longer solely a technical issue relegated to IT departments.
Instead, cybersecurity now presents complex legal, reputational, and operational challenges that demand strategic attention from the highest levels of leadership.
The survey found that one-third of legal departments now have a dedicated in-house cybersecurity lawyer, up from 22 per cent in 2022.
A further 18 per cent are planning or considering adding such expertise.
These specialist roles are increasingly senior, with 68 per cent of dedicated cybersecurity counsel holding executive-level positions, compared to 56 per cent three years ago.
While reputational damage remains the top concern following a breach (70 per cent), organisations are increasingly focused on liability to data subjects (61 per cent) and threats to business continuity (60 per cent).
The findings highlight a growing recognition that cybersecurity breaches are not just IT issues but are legal and governance crises waiting to happen.
Nearly all organisations (95 per cent) now mandate cybersecurity training for employees, compared to just 62 per cent in 2018.
Quarterly training has increased from five per cent to 13 per cent over the same period.
Document retention (81 per cent), acceptable use (78 per cent), and password security (73 per cent) remain the most prevalent company policies.
Notably, 62 per cent of organisations now have artificial intelligence policies in place.
Legal departments are also becoming more involved in vendor risk management.
The percentage of organisations actively evaluating vendors for cybersecurity risks has increased from 74 per cent to 83 per cent, with more than half requesting questionnaires and proof of certification.
The proportion of legal departments "often involved" in third-party risk management has grown from 31 per cent to 38 per cent, with a corresponding decrease in those never involved.
ACC said the report serves as a call to action for in-house lawyers to embrace their expanding role, develop their cybersecurity expertise, and proactively address the legal and regulatory challenges presented by an ever-evolving threat landscape.
"By taking a leadership role in cybersecurity, in-house counsel can protect their organisations from significant financial, reputational, and legal harm, ensuring business continuity and building a more resilient future," the ACC Foundation's report said.
The report was authored by ACC president and chief executive Veta T Richardson, and its executive director, Jennifer Chen.