With his techie background, Unisys GC for Emea Pavel Klimov is well placed to understand how lawyers can help combat the cyber threat
Mention cyber security to many in-house general counsel and the result will be a soft cough, an averted gaze and the sound of shuffling feet. For most, the world of cyber attacks and hacking is a mysterious land populated by goblins and ghouls so ghastly that the best response is to dive under the duvet and hope they pass without noticing the business’s vulnerabilities.
That’s not Pavel Klimov. He is a general counsel who eschews the comfort of the duvet in favour of wrestling with cyber security issues daily – and he likes to think he comes out on top.
As he should. Klimov is general counsel (Emea) for Pennsylvania-based technology giant Unisys. Any company that turns over more than $3.7bn (£2.3bn) annually in providing technology services and software to major businesses around the world will expect its top lawyers to have a handle on cyber security.
That is why London-based Klimov doesn’t fall into paroxysms of babbling confusion at the mention of the EU’s draft Network and Information Security Directive – or, for that matter, its US counterpart, the Presidential Executive Order on Network and Information Security.
“The Cyber Directive is not going to awaken us to the risk of cyber security,” says Klimov. “We are well aware of the issues, and in some respects we’re lucky because security solutions are part of the Unisys offering. It’s something we are alive to both internally and in terms of what we offer our customers.”
But awareness does not translate into smugness. Klimov empathises with general counsel in non-technology businesses as they struggle to grapple with the issues.
“It’s one of the risks that permeates all industries and companies. And it’s likely to continue to dominate the headlines – the risk will only get higher.”
How law firms can help
Klimov is concerned that private practice law firms are arguably not providing the most comprehensive service in helping floundering in-housers navigate the cyber swamp.
“Big firms have good expertise as far as data protection and communication regulation laws are concerned,” he says. “But cyber security can’t be put into those pigeonholes – doing that will not answer the questions a business needs answering.”
Law firms, he maintains, must build expertise that combines legal knowledge with an awareness of technology issues. That does not mean partners and senior associates should enrol in evening classes in programming techniques for the creation of impermeable firewalls, but they should at least know what a firewall is, where the vulnerability points are and how they can be addressed.
“Law firms need to be able to give a holistic view, and potential solutions to clients,” advises Klimov, “as opposed to only telling them what will happen on a legal front if something goes wrong. For example, instead of just advising what level of fine they might incur, a firm should be able to advise on practical ways of avoiding that fine. It isn’t just about how you write a perfect policy or propose relevant provisions in a cloud computing provider contract, but how things are done from a practical point of view.”
Klimov also warns that firms need to ensure they are not the soft underbelly of their clients’ security.
“They might be the entry point for hackers,” he warns. “For firms to be on top of the game they need to have not only the expertise in advising clients, but also have their systems set in such a way that their client data can’t be compromised.
“It’s something I am interested in understanding in relation to the firms we instruct. We’d expect the same level of cyber security at our law firms as we have ourselves. There’s no point in investing in all those internal measures if you then create a weakness through your law firm.”
Part of Klimov’s confidence in this area is rooted in his path to the Unisys general counsel slot. He joined the company in an IT role nearly 20 years ago. After gaining a law degree in his native Russia in 1994 he moved over to the legal department in the Moscow office. Two years later he transferred to London, requalifying as an English solicitor.
He now oversees an 11-strong team of lawyers and has slashed legal spend on external counsel by more than 30 per cent in the past six years. And he is adding value by bringing technological expertise to the cyber security issue.
“Any legal function in any organisation will have, as one of its key responsibilities, ensuring it is protected and that the business operates in a compliant manner,” he says. “The issue of cyber security involves not only protecting your business – and, to the extent that you handle client data, protecting your clients – but it’s also an issue of compliance, because there are more and more regulators on a sector and national basis.”
Klimov explains how the approach of in-house counsel to cyber security has had to evolve quickly.
“Before, it was thought that as long as you took some reasonable peripheral protective measure to avoid your network or database being penetrated it would be okay. But now the view is that peripheral protection isn’t going to work all the time, and it will often be vulnerable.
“Now the issue is not only thinking about how to protect your entry points, but also that the critical business data for your business or your client’s business is treated in such a way that even if your perimeter fails or is breached, the hackers won’t be able to cause damage. It’s all about layers.”
The Unisys lawyer points to a geekworld truism – you can only hack things you can see. In other words, even if hackers crack into a network the risk to the victim’s business is considerably reduced if the intruders can’t see any useful information once inside.
“The analogy,” explains Klimov, “is that while a burglar may be able to get through the front door of a house, it doesn’t necessarily mean he will be able to find and break into the safe and steal the family jewels. That’s the philosophy we have at Unisys, both internally and in advising our customers. You’ve got to think about how you protect the crown jewels of your business.”
Klimov emphasises that not all cyber risks emanate from external hackers: occasionally they come from within the company, or from a mixture of both.
“You have to ensure the system you deploy against the cyber security risk – the way the information is transmitted, shared and stored – is such that if an unlawful user gains access to the system he won’t be able to see everything, or his ability to piece together the information will be limited.”
What are his tips for the role in-house legal departments can play in the cyber security battle?
“Legal is one of the key departments for a business in setting up a risk and compliance strategy,” Klimov maintains. “That involves looking at vulnerabilities and how they can be addressed, and reactive measures in the event of a breach.”
Training is crucial, he adds, and not just of frontline staff, but of senior executives as well.
Klimov’s department has the added responsibility of assisting the commercial side of the business in its offering to clients.
“That doesn’t mean providing legal advice direct to clients but helping the business formulate advice and solutions for them.”