What governance mechanisms should General Counsel look to establish between the board and C-level executives in order to best manage officer reporting and liability – particularly in areas such as risk management, cybersecurity, and technology?
Rowin Corporation BV always respects the role of the General Counsel in relation to its company. Our approach is therefore always that of a trusted advisor rather than an imposer. Together with the General Counsel, we look into the most suitable options for every situation in an open and constructive manner.
We could, for example, investigate the possibility of a specific internal, corporate-related mechanism, if one is not yet (fully) in place. In doing so, we will consider whether the General Counsel may be the best candidate for such a monitoring role from a cost-efficiency perspective. However, it always remains up to the General Counsel and the company to make the final decision and allocate the exact responsibilities.
In addition, we notice that General Counsels are often interested in ensuring an ongoing flow of reports from the C-level executives, together with follow-ups on these reports. If the General Counsel needs specific legal expertise, we support them. This could be, for example, a regime in which C-level executives are periodically required to report on the state of matters concerning risk evaluation and cyber security. One possible way to implement the latter is to require the C-level executives to regularly make a risk assessment and test the systems that shield against cyber threats.
Lastly, when dealing with data technology, risk management and cyber threats in general, there are certain interfaces with the upcoming European General Data Protection Regulation. Failing to meet this regulation can lead to liability; we are therefore never surprised when General Counsels approach us for . In response, we always say that, in specific circumstances, the abovementioned regulation can oblige an organisation to designate a so-called Data Protection Officer. It is this individual's responsibility to ensure that all internal data-processing regulations are drafted and respected, that the relevant cyber hazards have been inventoried, and that protective precautions have been put in place. Not all enterprises are obligated to appoint such an officer, but we emphasise that creating such a position can be beneficial with regard to data protection.