Chief information officers still bear the brunt of cybersecurity worries at many companies. But a study by the Association of Corporate Counsel Foundation finds that chief legal officers are increasingly taking a leadership role in cybersecurity strategy.
The trend follows numerous corporate data breaches in recent years and prominent federal prosecutions of chief information security officers. The latter includes the conviction of former Uber security chief Joseph Sullivan in 2022 for concealing a data breach at the company.
Also likely driving greater participation by CLOs are Securities and Exchange Commission rules that took effect in late 2023 giving public companies just four business days to report a cyber incident once they’ve determined it was material. The rules also require companies to “describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats.”
The ACC Foundation survey of 278 in-house lawyers in 16 countries found that 38% of CLOs now have a leadership role regarding cybersecurity responsibilities — more than double the 15% in its 2020 survey.
Fully half of CLOs surveyed said they are part of a cybersecurity team, even if they don’t hold a formal leadership position on that team.
Of organizations with incident response teams, 93% had a member from the legal department on board, with the CLO a member 73% of the time.
That’s important because CLOs often report cybersecurity concerns and strategies to their company’s board of directors.
The study also showed an encouraging rise in awareness of cyber risks posed by vendors: 83% of organizations “actively” evaluate vendors for cyber risks compared with 74% in 2020.
“This heightened scrutiny reflects the understanding that a breach at a vendor can have just as devastating consequences as a direct attack,” stated the 57-page “2025 State of Cybersecurity Report: An In-House Perspective.”
ACC President Veta Richardson said in a statement that the study “clearly shows the rapid expansion of (CLOs) and their teams being involved to lead and help navigate the complex terrain of cyber-related preparation, deterrence and response.”
Companies have become all too aware of the consequences of data breaches. In 2023, for example, hackers scooped up sensitive personal data of nearly 7 million customers of genetic testing service 23andMe over a five-month period.
Last year, the company, which filed for Chapter 11 bankruptcy in March 2025, agreed to a $30 million settlement. While the settlement itself likely did not lead to bankruptcy — the company says it has $100 million to $500 million in liabilities — the breach undercut confidence in the genetic testing service.
In 2023, the SEC sued the IT software company SolarWinds, calling its cyber risk disclosures overly general and its characterization of a massive 2020 breach misleading. A judge last year gutted most of the case, however, deeming it overreach.
*****
Chris O’Malley writes for Corporate Counsel, an ALM sibling of Cybersecurity Law & Strategy.