There is a notion that once there is a regulatory requirement—like cyber incident disclosure requirements under SEC rules[1]—organisations tend to push accountability to the legal team. Why does this happen?
The moment something is framed as a compliance issue or a regulatory requirement, there is a feeling that it is “legal,” so it lands on Legal’s desk.
People assume that because it is part of a compliance or disclosure regime, Legal must be in charge.
However, cybersecurity involves highly technical matters relating to application technologies, processes and controls to protect systems, networks, and data that lawyers typically are not equipped to handle in detail. We can interpret regulations and advise on risks, but we are not the ones building or securing the systems.
Do you see this as a resource problem, or is it primarily about not wanting to hold the “hot potato” of accountability internally?
Ultimately, it is about accountability, not resources. Certainly, if a department is designated as “in charge” of cybersecurity, it can request budget for tools and training. But the more significant issue is: Who wants to be the person whose job is on the line if something goes wrong?
You have worked with large, globally distributed IT teams. What do you see missing on the IT side that keeps them from confidently taking full accountability?
Many IT teams are brilliant at coding, engineering or developing, operating, and maintaining an organisation’s IT system and managing third-party services. They may be experts in Java or infrastructure design, but they may not fully grasp the regulatory implications of failing to secure data. IT departments often do not have the formal governance or compliance training needed to interpret legal rules and then align these with technical controls. As a result, tasks like vendor due diligence, information security questionnaires, meeting security standards and data protection governance end up falling into a gap.
Legal professionals typically know the regulatory requirements very well. We can draft policies and operating procedures, as well as prepare guidelines. But we do not necessarily know which specific encryption standard an IT system should have—or whether a particular vendor’s patching process is secure.
Legal relies on IT to provide the factual underpinning. If the IT team does not fully document or communicate what is being done in practice, Legal cannot confidently sign off on statements in annual reports, disclosures, or vendor assessments.
Example: The CFO asks a senior IT manager to write the cybersecurity section for the annual report. That manager drafts something and then sends it to Legal, uncertain about the regulatory language. Legal revises it to align with legal obligations and returns it, but then we face the question: “Who’s actually taking responsibility for the final statement?” The IT manager might say, “Legal checked it,” and I might say, “IT provided the data.” Neither side fully “owns” it.
Virtually everything has a “legal shadow.” If Legal is seen as the sign-off for every organisational risk, accountability becomes meaningless. Have you seen solutions to this?
I have not seen the perfect solution yet. One idea is a robust maturity assessment for each critical system—sending targeted questions across the organisation and having the people doing the actual work respond with what is in place and what is missing. Then you could centralise that data in a risk/incident map, and both Legal and IT confirm it. This at least creates a joint work product; if regulators or auditors ask, you have evidence that both teams contributed and signed off.
However, even then, someone has to own the process, gather information, and validate that it is correct. We are still back to: “Who manages it, and does that person want to hold the ultimate accountability?”
How does the accountability gap play out when choosing or on-boarding vendors, particularly under time pressure?
This is a big problem. You may have urgent needs—say you need a security patch or an advanced AI tool like “DeepSeek” emerges that your competitors already use. You might not have the luxury of undertaking full due diligence for the business in the time available. Legal can say, “we must verify compliance and that information security standards are met” but if the IT team is rushing to deploy, they may bypass certain checks. Later, if something goes wrong, the finger-pointing starts again: “We told you to do due diligence,” vs. “We didn’t have time; we needed that tool immediately.”
If you were to offer a roadmap for bridging this gap, what would your key recommendations be?
I can offer a few suggestions:
- Define roles and responsibilities clearly: Make it explicit that IT owns the technical execution and factual accuracy, while Legal owns the interpretation of regulatory obligations.
- Joint governance mechanisms: Establish a cross-functional committee or working group that regularly reviews cybersecurity posture, ensuring both legal and IT insights are represented.
- Shared tools and assessments: Use a centralised maturity assessment or compliance tool that both teams contribute to and sign off on.
- Training and awareness: Invest in upskilling IT on basic regulatory concepts and Legal on core technical principles, so that these teams understand each other better.
- Board-level ownership: The board or a board committee should enforce who is accountable, ensuring it doesn’t default to one department.
Any final thoughts?
I think as regulatory frameworks become more stringent, the pressure on Legal to “rubber-stamp” cybersecurity processes will only increase—unless organisations implement structures and cultures that foster true shared responsibility. The time to address this is now, rather than after a costly incident or enforcement action.
Spencer Davis is the Chief Legal Officer of Lifezone Metals (LZM:NYQ).
Sources
[1] The U.S. Securities and Exchange Commission (SEC) adopted the "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure" rules on July 26, 2023. These rules mandate that public companies promptly disclose material cybersecurity incidents and provide detailed annual reports on their cybersecurity risk management strategies and governance practices.