The role of legal teams as key players in managing organisational cyber risk is clear, with 76% of respondents reporting that legal functions are central to incident response.
Notably, there are two key areas where the importance of the legal-cyber nexus is best highlighted: the increase in legal-focussed cyber incident response plans (CIRP) and in simulation participation. These figures clearly illustrate that legal expertise is valued and, in many organisations, viewed as critical to cyber security risk management, incident response, regulatory compliance and reputation management.
Jones reflected that one of the key strengths of a general counsel during a cyber crisis is the ability to manage tension and stressful situations analytically and objectively, enhancing clarity and assurance for boards. "They are good at taking the heat out of situations and focussing on the matter at hand," he said.
"I also think the ability many lawyers have to manage multiple streams of work is also something that is typically very important, and critical when an incident has occurred. They can balance the need to move quickly with best protecting an organisation."
Organisational structure can create siloes
The HSF Kramer team has observed that some general counsel still report a disconnect between cyber, digital teams and broader business operations. A key reason for this disconnect was identified as the existence of multiple overlapping teams across cyber and digital, compliance, legal and IT, which can result in coordination difficulties, opposing priorities and duplication. In addition, third-party involvement adds complexity.
However, despite their growing importance, in-house legal teams are also stretched. Heather Kelly observed a pervasive climate of economic and geopolitical uncertainty was impacting the role of legal teams, expanding their remit and forcing them to become more reactive to risks, including cyber. "The evolving role of the general counsel – from ring-fenced lawyer to risk advisor – means that legal teams are stretched very thin. They don't have the capacity to invest in the myriad of risk management activities they would like to. So, it is very heartening to see that there has been an uptick in their preparedness in relation to cyber. Their budget and bandwidth are precious resources," Kelly said.
"Today I think the aperture is much broader for a lawyer... If you think about the way the regulatory landscape is changing – the fact you've got multinational companies, where is your data stored, how things are evolving and the toolset and business tools like AI – you really need somebody who understands the regulatory, compliance and privacy aspects, in conjunction with cybersecurity experts."
Karen Kukoda, Mandiant
from Cross Examining Cyber: Conversations on Cyber Law, Episode 17
Christine Wong said that she had noticed general counsels and in-house legal leaders were increasingly focussed on getting a handle on data, which represents a significant challenge for organisations, especially those with legacy systems and large data stores. "Organisations are grappling with the Hydra-like nature of their data – so much data across so many systems has given rise to significant complexity in understanding what is there and whether the control and security settings are adequate. Given recent law reforms and the prevalence of data extortion attacks, I think data risk management will continue to be a real driver of concern for in-house teams," Wong said.
Kelly noted the rise of AI had also made many organisations focus on data in a way the risk of a potential future cyber attack had not, with "legal teams harnessing the newfound momentum to spearhead projects aimed at cleaning up aged and inaccurate data".
"The evolving role of the general counsel – from ring-fenced lawyer to risk advisor – means that legal teams are stretched very thin."
Heather Kelly
Senior Associate
Cyber insurance
Anne Hoffmann, Partner in HSF Kramer's Disputes and insurance practice, shared the following insights regarding the cyber market:
- The market continues to grow. One insurer projects that the global cyber insurance market will reach USD 16.3 billion in 2025, driven by increasing digitisation and the growing frequency and severity of cyber incidents.
- Underwriters continue to expect that organisations commit significant investment to cyber security as a prerequisite for coverage.
- As the threat landscape evolves, policy wordings should be reviewed and amended to ensure adequate coverage.
- Legal risks from class actions and regulatory scrutiny are becoming more prominent. We have now seen a number of cyber-related class actions emerge, though the loss is difficult to quantify.
- The market is seeing new entrants, increasing capacity and competition. We have generally observed a soft market which should be in policyholders' favour, decreasing premiums and increasing limits.
"We are sadly seeing time and time again that our clients' expectations of what is covered by their cyber policy do not keep up with the pace at which threat actors change their tactics," Hoffmann said.
"Even if business continuity isn't impacted by a cyber event, the issues are still occurring in the context of an IT security environment having been impacted. Following a significant event, many corporates understandably want to review position, to ensure that settings are appropriate and consider whether some defences need to be strengthened,"
Christine Wong
Partner
Is legal professional privilege under threat?
On 4 April 2025, the Federal Court published its judgment on the application of a consumer class action to access a suite of technical reports from Deloitte, who provided expert cyber and IT support to Medibank after it suffered a significant cyber attack in October 2022. Medibank asserted these materials were privileged and therefore did not need to be discovered. However, the Court found that privilege did not apply over three reports prepared by Deloitte: a root cause analysis, a post incident review and a report on compliance with APRA's CPS234. Medibank is currently appealing the decision, which has set an important precedent for privilege and how it applies in the context of cyber incidents. According to Wong, privilege is often more complex in cyber contexts due to the overlay of the issues being operational in nature, blurring the lines between communications that are privileged and not privileged. "Even if business continuity isn't impacted by a cyber event, the issues are still occurring in the context of an IT security environment having been impacted. Following a significant event, many corporates understandably want to review position, to ensure that settings are appropriate and consider whether some defences need to be strengthened," Wong said. "As soon as you're thinking about things against that background, there are likely to be multiple purposes. For privilege to apply, legal purpose must be king."
Jones highlighted "legal professional privilege is not a service we can sell as lawyers". "We can't just emblazon 'Legally Privileged' on documents – that's not how it works. Organisations need to be aware of the limits of privilege and that is certainly something lawyers should be communicating," he said.
"Legal professional privilege is not a service we can sell as lawyers."
Peter Jones, Partner