Why In-house Counsel Need to Lead Cybersecurity — and What They Bring to the Table


Cyber risk is no longer the exclusive domain of IT. As regulatory, reputational, and business-continuity stakes escalate, legal leaders are being pulled into the driver’s seat. According to the ACC Foundation’s 2025 State of Cybersecurity Report, 38 percent of chief legal officers now hold leadership roles in cybersecurity — up from only 15 percent five years ago.

Check out the new ACC Executive Cybersecurity Risk Credential (ACC ECRC) program.

A priority focus for Legal

For general counsel, the message is clear: You can’t outsource cyber risk entirely and walk away. Your expertise as a steward of legal risk, governance, and corporate strategy positions you to own and elevate cybersecurity oversight across the enterprise.

“One of the misnomers in the marketplace is that cybersecurity is a unique concern that only applies to a specific group of people,” said Keyaan Williams, Managing Director of CLASS-LLC, which has teamed up with ACC to develop the Executive Cybersecurity Risk Credential (ACC ECRC). “In reality, cybersecurity risk is a component of enterprise risk. Given that chief legal officers are some of the best risk managers within the organization, the objective of the program is to make sure that everybody has the right vocabulary, the right perspective, the right understanding of the problem, so that competent solutions can be recommended.”

That reframing captures today’s reality perfectly: Cyber risk is enterprise risk, and in-house counsel must lead accordingly.

The new reality: Cyber risk is a core business issue, not a technical one

Gone are the days when cybersecurity was treated purely as an IT challenge. Today, cyber incidents trigger regulatory investigations, investor scrutiny, reputational fallout, and board-level concern.

When a breach hits, questions won’t just be about how the firewall failed — they’ll focus on whether governance frameworks held up, whether leadership understood the risks, and whether the organization was prepared.

That means Legal must be ready to engage upstream: calibrate risk appetite, shape oversight structures, inform board reporting, and drive enterprise resilience.

Why legal leaders are central to cyber governance

In-house counsel occupy a strategic vantage point: they sit at the intersection of regulation, enterprise risk management, contract exposure, and business operations. They are uniquely suited to translate cyber risk into the language of the board and the C-suite.

Regulators are also intensifying expectations around disclosures, third-party oversight, and breach readiness. The CLO or GC who actively engages in cybersecurity governance is already proving the value of legal beyond compliance — as a strategic business leader.

As Williams explained: “What we’ve done with the program was we thought about all of the legal and regulatory concerns, enterprise risk management and everything that in-house counsel is already equipped to lead. We just focused on a specific subset of concerns that fall under the umbrella of corporate governance, to make sure that the participants in the program are positioned well, have good information, and the information is relevant and current to make sure that they provide competent advice.”

His point underscores the ACC ECRC’s purpose: to build on counsel’s existing strengths — risk management and governance — and apply them to the emerging frontier of cybersecurity.

The competency gap: Technical fluency vs. executive risk literacy

Many legal teams feel under-prepared: More than half of CLOs report lacking confidence in their organization’s data-risk readiness, according to the 2025 ACC Chief Legal Officer Survey.

The result is a risk of disconnect between IT operations and the boardroom. In-house counsel need to increase their cybersecurity acumen to bridge that gap and speak authoritatively about risk mitigation, investment, and accountability.

Introducing the ACC ECRC: A credential for cyber-ready counsel

The ACC Executive Cybersecurity Risk Credential (ACC ECRC) is the first credential specifically designed for in-house legal professionals to build executive competency in cyber risk management — not as technicians, but as governance leaders.

Developed by ACC in collaboration with CLASS-LLC, the program covers governance fundamentals, risk culture, strategy, performance measurement, and enterprise-risk alignment. It’s designed for senior legal leaders responsible for oversight of cyber risk — with no technical prerequisites required.

Participants complete online modules and a 2.5-day in-person workshop emphasizing collaboration and applied learning. The credential demonstrates readiness to lead enterprise-level cybersecurity governance.

What credentialed counsel bring to the table

Earning the ACC ECRC isn’t just a professional milestone — it transforms how legal leaders operate within the enterprise. Graduates will emerge with the insight, language, and credibility to elevate legal’s role from advisor to leader of cyber resilience:

  • Enhanced credibility: Credentialed GCs can speak to boards and executives about cyber oversight with confidence and authority.
  • Cross-functional leadership: They align IT, risk, compliance, and operations around a unified governance framework.
  • Resilience readiness: They’re prepared to manage incidents, disclosure, and stakeholder communication in line with enterprise risk appetite.
  • Strategic differentiation: Legal evolves from advisor to enterprise leader — a visible driver of resilience and trust.

A cybersecurity program designed for in-house counsel

“We didn’t have one program that was just a random program and relabel it,” Williams noted. “We worked directly with the ACC. Members participated, provided feedback, and shaped the content. So this is for ACC members — and to an extent, it’s by ACC members — to make sure the program is as valuable as possible.”

That community-driven approach reflects what the ACC ECRC ultimately stands for: a credential built by in-house counsel, for in-house counsel, equipping today’s legal leaders to guide their organizations through one of the most complex governance challenges of our time.

By earning the ACC ECRC, you’re not just protecting the enterprise — you’re redefining what modern legal leadership means.

Visit acc.com/ecrc to learn more and secure your place in the next cohort. Your board expects it. Your business demands it. Don’t wait.

Disclaimer: The information in any resource in this website should not be construed as legal advice or as a legal opinion on specific facts, and should not be considered representing the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical guidance and references for the busy in-house practitioner and other readers.

This article was produced with the assistance of GenAI.
