What Is a Cybersecurity Legal Practice, 2.0?
Cyber operations in the gray zone between war and peace put infrastructure and businesses at risk. Cyber lawyers have never been more vital.
Five years ago, our former colleague Dan Sutherland wrote in Lawfare about the pressing need to develop cybersecurity law practices among corporate lawyers and in-house counsel. Then the chief counsel of the Cybersecurity and Infrastructure Security Agency (CISA), Sutherland wrote that businesses and organizations of every size, shape, and sector needed lawyers who can operate fluently at the intersection of law, technology, and security risk.
Years later, Sutherland’s thesis still holds true, but the landscape has evolved significantly. With ongoing “hot” conflicts in Europe and the Middle East, computer network operations targeting economies and infrastructure around the world, and the strategic importance of the private sector to the newly issued U.S. Cyber Strategy, we seek to update Sutherland’s guidance to the cybersecurity bar. We intend this article to provide a road map for corporate general counsels looking to deepen their cybersecurity practice groups, government agencies looking to enhance collaboration across the mission space, and university professors seeking to update their cybersecurity law and policy courses. And if companies, agencies, or universities have not yet addressed cybersecurity law, consider this our urgent plea to do so.
In the world of national security and tech, five years is a long time. In 2021, CISA, where we worked with Sutherland, was still in its infancy. Major legal and policy developments such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), CISA’s Cybersecurity Performance Goals, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and the finalization of a new UN Cybercrime Treaty had not yet come to pass. Operational threats such as ransomware had not yet materialized in full—Sutherland’s original article does not mention them at all. Even more complex risks, such as software supply chain attacks and cloud misconfiguration incidents, have highlighted the systemic nature of cyber risk in ways that would have been difficult to predict five years ago. Of course, the rise of artificial intelligence (AI) systems that increasingly underpin business processes and security tools raises pressing new questions about confidentiality, accountability, and technical competence for lawyers.
As a result of these sweeping changes, the role of the cybersecurity attorney has broadened. In many organizations, the “cyber counsel” (a quick search on LinkedIn yields more than 1,000 cybersecurity counsel jobs) may be called upon to translate between legal and technical requirements, advise on risk-management frameworks, liaise with a range of regulators and law enforcement agencies, and manage C-suite relationships in a practice area where both counselor and client alike must contend with unceasing change. The field has also deepened, with increasing numbers of jurisdictions adopting legal frameworks on data breach reporting, incident response, supply chain security, personal data protection, and foreign investment. Even private lawyers now have to contend with globalized, legalized “hybrid” conflict with cyberspace as a key theater (we have written a forthcoming paper on such issues for the 2026 Cybersecurity Law and Policy Scholars Conference).
Accordingly, this article revisits and updates Sutherland’s original sketch for a cybersecurity legal practice. We survey the current state of the field, reexamine where the cyber attorney fits inside an organization, and outline the legal topics that remain essential, along with new ones that have emerged since. Our perspective is informed by government experience and by observing private-sector legal and technical teams working through real incidents, regulatory change, and global strategic considerations. Our experience shows us that national security depends on strengthening the public-private cybersecurity partnership. But this partnership remains a work in progress, for the reasons we sketch below. We believe that lawyers have an outsized role in making this partnership work better and, therefore, that growing the field of cybersecurity law has tremendous implications for a safer, more secure digital society.
What Is the Current State of the Cybersecurity Practice?
In 2020, the Association of Corporate Counsel (ACC) surveyed corporate law departments on cybersecurity issues, finding that half of chief legal officers reported cybersecurity and data protection as among their top concerns, expecting their role in cybersecurity to expand further. The role of lawyers and the size of legal teams advising on cybersecurity issues indeed grew, with the 2025 ACC Cybersecurity Survey showing that 38 percent of organizations have the chief legal officer in a leadership role on cybersecurity, up from a mere 15 percent in 2020.
In 2021, Sutherland observed that the field of cybersecurity law was “still very much in the early stages” and that “companies are all over the map.” At that time, 75 percent of organizations that did not proactively collaborate with the government lacked “the resources or knowledge base” to engage in existing government cyber threat information sharing programs, such as those established under the Cybersecurity Information Sharing Act of 2015.
It’s gotten worse, not better, in the past five years.
Today, 77 percent of organizations lack the resources or knowledge base to collaborate proactively with law enforcement and government security agencies. But the 2025 ACC survey also reports that 59 percent of organizations have not increased legal department spending to address cybersecurity risk and that 68 percent do not plan to add legal counsel exclusively dedicated to cybersecurity legal issues.
Beyond resources, the 2025 survey indicates that in the past five years organizations have not addressed some fundamental concerns about cybersecurity legal practice. For example, only 7 percent of organizations have the chief legal officer brief the board of directors on cybersecurity at every meeting, and a plurality (37 percent) report having only ad hoc briefings, a figure that has remained mostly flat since 2015. This demonstrates that despite the worsening cyber threat environment, cyber issues are not regularly rising to the level of company leadership. Perhaps this is because corporate counsel view cyber issues as mainly a matter of litigation or reputational harm: 70 percent of respondents cited “damage to reputation/brand” as one of the three most immediate concerns about a cybersecurity breach. Further, half of all organizations were less inclined to work with nonregulatory government departments, such as the Department of Homeland Security, than with regulatory agencies. The survey data indicates possible stagnation in the public-private partnership to reduce cyber risk, even as cyber threats persist.
There is hope, though, for the continued growth of the practice area. For example, consensus-based groups such as the Sedona Conference have published detailed commentaries on incident response, data security and governance, and cross-border data transfers, while the American Bar Association’s (ABA) annual Tech Report series tracks adoption of security practices inside law firms. Cybersecurity issues now feature prominently in government security strategies in a much wider range of jurisdictions (for example, the Bahamas has developed and begun to implement its own national cyber strategy).
Where Does the Cybersecurity Attorney Fit in the Organization?
Effective public-private cybersecurity collaboration often hinges on the work of the general counsel’s office. Placing well-trained cyber counsel strengthens both national security objectives and business outcomes. As Sutherland’s article observes, cybersecurity attorneys should be integrated into the operational cadence of technology and security teams. Attorneys must keep pace with evolving technology stacks and an expanding executive landscape that includes roles such as the chief information officer (CIO), chief information security officer (CISO), and chief AI officer. Cyber counsel should also serve as a bridge between technical teams and other legal disciplines—including privacy, litigation, regulatory, legislative affairs, and trade compliance.
Organizational structures will vary: Some companies may establish a dedicated cyber and national security team within their office of general counsel, while others may embed cyber attorneys within intellectual property or privacy groups. Function should take precedence over form; wherever positioned, cyber counsel needs routine access to key decision-makers and a mandate not only to respond to incidents but also to shape strategy with cyber risk in mind. Cybersecurity and privacy law intersect but differ in important ways. A robust privacy policy does not guarantee cybersecurity compliance, nor does meeting cybersecurity standards ensure privacy compliance.
To promote consistency across cybersecurity and legal functions, organizations should clearly assign responsibility for monitoring cybersecurity-related compliance and define interaction models among the CIO, CISO, chief technology officer, and other leaders. Organizations should formalize collaboration between cyber counsel and privacy and litigation teams and determine the optimal placement of cyber counsel within the legal department. Variability in incident response leadership should be addressed by adopting standardized frameworks that specify when the chief legal officer, versus the CIO or CISO, should lead. Finally, organizations should establish internal procedures to leverage federal information-sharing statutes; notably, 75 percent of surveyed corporate legal departments currently lack such processes, according to the 2025 ACC Survey cited above.
Legal Grounding for a Cybersecurity Attorney
The core legal foundation that Sutherland identified for cyber attorneys remains relevant today. Intimate knowledge of foundational statutes, regulations, and other documents, such as the Electronic Communications Privacy Act, the Stored Communications Act, and the Computer Fraud and Abuse Act (CFAA), is nonnegotiable. This is especially true if organizations are serious about addressing insider threats, especially in the wake of the Supreme Court’s decision in Van Buren v. United States, limiting the scope of “exceeds access” violations of the CFAA. To this list of statutes, we’d recommend familiarity with both long-standing and novel regulations and policies, such as the Securities and Exchange Commission’s (SEC’s) cyber incident reporting rule, the Health Insurance Portability and Accountability Act Security Rule (its requirements are a useful guide to all organizations), Executive Order 14028 (for its continued impacts on evaluating security practices), and Presidential Policy Directive 41 (PPD-41), which is the federal government’s cyber incident response playbook.
At the federal and state levels, the proverbial “Star Wars cantina” of cyber incident and data breach reporting requirements has only become more crowded. Since 2021, the SEC’s reporting requirements for data breaches and the Department of Defense’s Cyber Maturity Model Certification have been finalized, and 17 states have enacted consumer privacy laws, according to the IAPP’s tracker. Internationally, the practical boundary between data privacy and cybersecurity legal practices has begun to blur. The European Union added rules for AI and cyber resilience on top of its General Data Protection Regulation. Large markets such as Brazil now have both cyber incident and data privacy regulations. And predictions about the increasingly tense future of cross-border trade in personal data have now come to the fore in the Department of Justice’s Data Security Program. Knowledge of all these statutes and regulations has become necessary to advise clients conducting business in multiple jurisdictions.
Beyond substantive law, the professional-responsibility rules governing competent legal practice have further increased the importance of cybersecurity legal practice. The ABA’s Model Rule 1.1, Comment 8, and related state bar opinions emphasize that attorneys must understand the “benefits and risks associated with relevant technology.” Fluency with new information technology (IT) and AI tools will only grow in relative importance (California is actively considering requiring AI courses in law school), especially as legal budgets might remain flat over time, as highlighted above.
Keeping abreast of all this change can prove challenging for lawyers whose time is in demand. We can offer a few observations on what has worked in our office at CISA, which intersects with many of these activities and handles litigation, regulatory development, transactions, and the fluid business of applying legal frameworks to how the agency carries out its mission (often known as “operational law”). We think successful cyber legal teams invest in opportunities for cross-pollination between counsel and technical clients. A guest speaker series featuring subject-matter experts has grown our team’s collective knowledge base. We also encourage lawyers to jump at the chance to shadow their clients, work shoulder to shoulder during exercises or extended operations, and take on professional development opportunities.
In the public sector, we have offered task force details to attorneys to grow their expertise or build an entirely new knowledge base, as even far-flung assignments have a way of coming back around to enhance our team’s ability to handle new challenges in our mission area. For example, a yearlong stint prosecuting narcotics and human trafficking on the southern border enabled one of us to better understand the role of criminal prosecutions in protecting critical infrastructure, helping us identify gaps and impacts on the broader risk environment. In the private sector, this could involve pro bono projects with a tech or privacy focus, giving lawyers the chance to hone skills while building a more holistic perspective.
What Subject Areas Should Be in the Attorney’s Practice Area?
Back in 2021, Sutherland summarized several subject areas that shape a good cybersecurity legal practice. His original framework remains sound, though we have updated this with the benefit of hindsight.
Government
The relationship between governments and the private sector in addressing cybersecurity risk has never been more important. Still, too much focus has been on “what can agency X do to us?” and not enough on “what can agency Y do for us?” The key government players largely remain the same, though given the continued hesitance to work with the government, an overview is still warranted.
- CISA is the lead federal agency for cybersecurity and the national coordinator for critical infrastructure security. Cyber lawyers should understand and avail themselves of CISA’s voluntary programs (such as CyberSentry, CISA’s voluntary threat monitoring and detection capabilities), and vulnerability and incident response initiatives, while remaining mindful of forthcoming responsibilities under CIRCIA for covered organizations. CISA maintains an operational presence in all states and major cities, so cyber lawyers should have the contact information for local or regional CISA representatives.
- Law enforcement agencies investigate intrusions, ransomware, and cyber-enabled fraud. Lawyers must help structure engagement so that law enforcement can act without compromising their organization’s legal posture or operational needs. Importantly, cyber lawyers should not overlook the constellation of relevant agencies. While Presidential Policy Directive 41 designates the FBI as the lead for threat response for significant cyber incidents, other federal agencies, such as the Secret Service and Homeland Security Investigations, have similar powers and capabilities, including in particular topic areas such as financial crime and child exploitation.
- Regulatory agencies, such as the SEC, the Federal Trade Commission, the Department of Health and Human Services, state public utility commissions, and state attorneys general, conduct general and sector-specific rulemaking. Cyber lawyers should track rulemakings and enforcement trends, and maintain professional relationships with staff who handle cybersecurity issues.
- Intelligence agencies, such as the Office of the Director of National Intelligence’s National Counterintelligence and Security Center, can provide threat briefings and guidance on protecting critical technologies, combating insider threats, and maintaining trade secrets. For organizations that work on controlled or emerging technology or carry out important functions in the U.S. economy, these agencies should not be overlooked by cybersecurity lawyers.
As mentioned previously, lawyers are a bridge both within and between organizations. Cybersecurity lawyers should build and maintain contacts with relevant agencies mentioned above and should understand how to engage with important government programs such as CISA’s information sharing program, which underlies most public-private cybersecurity cooperation.
Litigation
Cybersecurity-related litigation continues to expand, touching issues from negligence, consumer protection, and securities fraud to national security and criminal liability. Since 2021, the Supreme Court has issued relevant opinions on Article III standing and the scope of CFAA liability in its TransUnion v. Ramirez and Van Buren decisions, respectively. New lower court opinions, such as the decision on AI chatbots’ legal privilege, also demonstrate the acute and growing complexity in the litigation realm.
Internal practices/risk assessment: As Sutherland points out, cyber risk assessments are not solely technical exercises. Regulators and courts continue to expect structured and meaningful compliance programs. Cyber lawyers must therefore be sure to participate in designing and scoping enterprise risk assessments that align with new frameworks, such as the NIST CSF 2.0, including its expanded “Govern” function, or CISA’s Cross-Sector Cyber Performance Goals for critical infrastructure entities. To help lawyers and their clients identify issues beforehand, CISA offers dozens of cybersecurity exercises, some of which can be accessed and carried out on a “DIY” basis. The MITRE ATT&CK knowledge base of adversary techniques and procedures can inform realistic threat modeling, detection engineering, and controls testing. Aligning policies and metrics to these frameworks enables more consistent reporting to leadership and regulators and supports defensibility in audits and disputes.
Update guidance and playbooks that predate modern privacy laws (earlier analyses may predate the California Consumer Privacy Act and other privacy statutes) so that legal teams can account for data mapping, cross-border transfers, data subject rights, minimization, and vendor management under current regimes.
Communications with leadership and board: The cyber lawyer takes a leading role (whether it’s recognized or not) in building a culture of cybersecurity awareness throughout the organization, but particularly in communicating with organizational leadership. Beyond addressing compliance risks, a cyber lawyer should address specific issues with their leadership, such as “whaling” and social engineering risks aimed at senior leadership, bring-your-own-device policies (especially for those executives demanding “frictionless” tech experiences), and proper encryption, data retention, and legal hold policies that have downstream impacts on incident response and e-discovery.
Build training programs that develop technical fluency so that corporate lawyers can serve as “Rosetta Stones” between legal terminology and technological concepts. Practical modules should cover core IT architecture, identity and access management, cloud and software as a service models, vulnerability and patch management, and incident response workflows. Reinforce learning through joint tabletop exercises with security, IT, privacy, and communications teams, enabling counsel to translate technical facts into legally significant timelines, materiality assessments, and defensible documentation.
Incident response: The ACC 2025 survey shows that most organizations now have incident response plans that involve the chief legal officer. But in our view, the cyber lawyer should actually co-lead development of incident response plans and playbooks, with a particular focus on defining an incident and establishing the protocols for escalation, eventual notification and reporting, and post-incident remediation. Cyber lawyers will be called on to guide real-time decision-making during incident response, managing communications with regulators, law enforcement, and affected parties. The rise of ransomware presents tough legal and compliance challenges: Cyber lawyers should be prepared to advise on the sanctions and anti-money laundering implications of ransom payments as well as the risks of possible re-extortion or other data losses.
We mentioned Presidential Policy Directive 41 above, but it is worth revisiting in the context of incident response. PPD-41 enables the formation of cyber “unified coordination groups” (UCGs) in response to a significant cyber incident. For private-sector cyber lawyers, PPD-41 provides a helpful “roster” of federal agencies that may come in to help resolve a major cyber incident. Usually, these UCGs will consist of federal agencies for threat response, asset response, and intelligence support but will also include agencies that have particular sector-based experience (e.g., Health and Human Services for an attack on a hospital system). In addition, as required by the scope, nature, and facts of a particular significant cyber incident, a cyber UCG may include participation from other federal agencies, state and local governments, nongovernmental organizations, international counterparts, or the private sector. If cyber counsel can know the various government “players,” it can make the response and recovery proceed much more smoothly.
Evaluating contracts: Contracting for better cybersecurity has great potential to reduce client risks. Cyber lawyers whose organizations do business with the government should be cognizant of flow-down requirements from the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulations, including agency supplements, as well as program requirements such as Cyber Maturity Model Certification and the Federal Risk and Authorization Management Program, given that so much private-sector business involves public procurements. The FAR now contains very detailed provisions regarding certain restricted vendors and imposes new certification requirements on contractors regarding the use of certain vendors; cyber lawyers should remain up to date on these and other FAR developments. Beyond these government requirements, cyber lawyers should maintain a library of standard data protection and cyber contract clauses to be used in vendor and customer agreements. These clauses should be reviewed and updated continuously and not treated as mere boilerplate. After SolarWinds (a seminal example of a supply chain security compromise), programs should add deeper due diligence, contractual security baselines, and periodic audits or attestations for high-risk third parties.
Vendor risk management: In 2021, the security issues of untrusted vendors and technology had just begun to come to the foreground. Sutherland had been closely involved in the binding operational directive to remove Kaspersky software from federal networks using a novel procedure. Since then, the Federal Acquisition Security Council and related legislation have begun to address the security risks from a wider range of companies. Because of these developments, cyber lawyers must ensure that their organization’s third-party risk management programs incorporate legal review of vendor security posture, contract terms, and compliance with relevant statutes, executive orders, and regulations. Cyber lawyers must also stay current with laws and policies affecting high-risk vendors and technologies, including restrictions on certain foreign manufacturers of telecommunications and security products. Cyber lawyers should likewise build competence in advising on the legal implications of using open-source software and third-party libraries, including licensing, vulnerability management, and software bill of materials expectations. Finally, cyber lawyers should pay attention to their customers’ cybersecurity practices: While the security risks of vendors often capture most of the focus, poor cybersecurity among customers can also be a source of risk exposure for organizations.
Economic security: In 2021, Sutherland wrote about the importance of cyber lawyers in managing mergers and acquisitions. But given the growing importance of trade and economic security issues at the federal level and the increasing number of deals, cyber lawyers need knowledge of corporate national security issues and authorities, such as the Committee on Foreign Investment in the United States and Team Telecom processes. Outbound investment screening, which comes up in “reverse FDI” situations involving critical technology, shows how cybersecurity concerns have become commingled with broader trade and national security policy. Lawyers who are managing an acquisition will need to consult with their cyber lawyer counterparts to factor data security risks into due diligence and merger structuring. Similarly, cyber lawyers will need to stay abreast of contractual commitments following a merger to adequately advise on the cybersecurity risk of various corporate activities.
Insurance: Modern cyber insurance policies have greatly diversified since 2021. These enterprise-based policies can now vary widely in their coverage and exclusions, and cyber lawyers must be cognizant of those insurance products’ limitations. For example, a typical “errors and omissions” policy might cover third-party litigation costs for a data breach, but it might not cover the replacement costs of compromised hardware. In a heightened geopolitical threat environment, cyber lawyers also need to understand that certain catastrophic cyber risks might not be insurable based on how the underwriters approach these scenarios. Standard form clauses developed in the London market, including Lloyd’s Market Association’s cyber war and cyber operation exclusions, are now being incorporated into many policies. Cyber lawyers must carefully review policies to understand what is covered, and they need to convey to their clients that insurance companies will have specific expectations for their policyholders regarding security posture and compliance obligations.
Conclusion
In the field of national security and computer technology, five years can feel like an entire career. Even so, Sutherland’s original work about the role and the importance of a cybersecurity law practice remains relevant. The past few years have only shown this type of law practice is important not just to protect client interests but also to ensure safety and security around the world. The fast-paced profusion of technology in every sector of the economy has made this legal work indispensable. But this indispensability requires constant effort to remain on top of the latest trends, whether one has been practicing for 30 years or for 30 days. We hope this article proves especially useful to new lawyers at the beginning of their careers and college students looking to plan their studies, as well as to the professors shaping the pedagogy of cybersecurity.
Five years onward, the cybersecurity bar still confronts “DayZero,” whether in actual zero-day exploits, addressing novel legal requirements, or unanticipated litigation developments that can drastically alter the state of play. The cyber lawyer’s toolkit must be continually updated and pressure tested to account for these developments. But above all, this area of practice remains a “team sport.” The best cyber lawyer is the one who can maintain close working relationships with their C-suite, engineers, government counterparts, and the broader community of legal practitioners. A mature cybersecurity practice will never have all the answers to every question, but it will have the durable structures and relationships to empower organizations to translate legalese and adapt quickly and responsibly to an era of endemic cyber risk.
National security relies on strong cybersecurity in the private sector, especially among companies managing critical infrastructure. Effective cybersecurity requires a mature public-private partnership and shared risk assessment. Cyber lawyers knowledgeable in best practices can help create a safer digital environment for everyone.
