What in-house counsel need to know about “reasonable” data security measures

This Reuters article attempts to put some of the responsibility for cyber risk management on the in-house legal team. I wonder if most in-house lawyers see their remit stretching beyond compliance to whatever legal frameworks apply to their business (GDPR, HIPAA…):

[…] In-house counsel can help their businesses routinely manage cyber risks and avoid attacks, or at least minimize their impact, by developing and maintaining reasonable risk-based information security programs.

[…]

Original article