8. Legal, compliance, and corporate control


The Shock happened thirty-six hours ago. The infrastructure team has stabilized the core systems. A few services are responding again. Leadership exhales. Then the CFO calls.

Payroll is due in two days. The finance team has moved to a backup system and can technically process payments. But the bank is refusing to cooperate: it is in the middle of its own storm, trying to cope with an ongoing bank run. So it has become overzealous and now asks for dual authorization from two named signatories. Unfortunately, the board resolution that designates those signatories is stored in the company’s contract management platform. That platform runs on the same cloud infrastructure that went down. Without the resolution, the bank treats the request as unverified.

Meanwhile, the legal team is triaging inbound requests. A key enterprise customer’s procurement department has sent a formal letter: they characterize the past 36 hours as an SLA breach and are suspending payment. Unfortunately, nobody knows whether this claim is legitimate, because the signed contracts live in DocuSign, which is unreachable.

The systems are recovering. The company is not.

Banks, regulators, partners, insurers, and customers do not interact with infrastructure. They interact with a company that must prove who it is, who represents it, and what obligations it is meeting. When access to legal and compliance artifacts fails, operations can stall even if technology is recoverable.

Failure modes

Companies rarely lose legal control because documents disappear. They lose it because access disappears.

Common failure scenarios include:

  • Corporate documentation (incorporation, by-laws, shareholder agreement) is stored exclusively in cloud-based legal or document management platforms, preventing the company from proving its legal existence or taking decisions lawfully.
  • The cap table or share ledger disappears because it lives only in a SaaS tool, making it impossible to verify ownership or authorize equity transactions.
  • Customer contracts, amendments, and SLAs are locked in e-signature or contract management platforms, causing customers to suspend payments for lack of an authoritative copy.
  • The bank refuses to release funds because the company cannot produce the board resolution that designates authorized signatories.
  • Regulatory filings (tax returns, VAT declarations, financial reports) cannot be completed because the underlying data lives in cloud-based accounting or ERP systems that are unreachable.
  • Powers of attorney and delegation documents are inaccessible, leaving no one able to act on behalf of the company with banks, notaries, or public authorities.
  • The company cannot respond to legal requests, regulatory inquiries, or data subject access requests because the relevant data or correspondence is locked in unavailable SaaS tools.
  • Insurance claims cannot be filed within the contractual notification window because the policy terms and insurer contact details are stored only in cloud-based systems.

In these situations, the company may still function technically but be unable to transact, comply, or defend itself legally. Legal paralysis does not require data loss. It only requires loss of access at the wrong moment.

Objectives

The company must be able to:

  • prove its legal existence and ownership structure,
  • demonstrate authority to act and sign on behalf of the company,
  • meet minimum regulatory, tax and disclosure obligations under applicable deadlines,
  • produce authoritative copies of key commercial contracts,
  • and notify insurers and comply with policy conditions within required timeframes.

These capabilities must survive loss of cloud access, SaaS tooling, and normal communication channels.

Solutions

Proving company ownership

Prepared companies treat corporate records as operational assets, not archival files. If your cap table resides only in Carta, or if your corporate documentation lives only in a cloud-based legal platform, you are at risk.

You need to maintain offline or independently hosted copies of certificates of incorporation, bylaws and articles of association, shareholder and cap table records, board resolutions and signatory authorizations.

These records must be current, verifiable, and accessible without relying on SaaS legal tools or identity providers.

Deliverables:
- Current documentation of legal and signatory authority, including board resolutions designating authorized signatories with scope and limits clearly defined
- Offline-accessible incorporation and shareholder records (PDF copies stored locally or on independent infrastructure, updated after every corporate event)

Proving authority to third parties

In crisis scenarios, banks often become conservative to the point of paralysis. Even when funds are technically available, financial institutions may refuse to execute transfers, release cash, or honor instructions if they cannot clearly verify who has authority to act on behalf of the company. From the bank’s perspective, delaying action is safer than risking fraud or regulatory exposure. From the company’s perspective, this hesitation can be existential. Payroll, vendor payments, and emergency expenses may be blocked not because funds are missing, but because the company cannot prove conclusively who is authorized to give instructions.

The same dynamic applies to notaries, registrars, and public authorities. Any third party that requires proof of authority before acting on the company’s behalf will default to caution during a crisis. Prepared companies eliminate this friction in advance by ensuring that proof of authority exists independently of the platforms that normally store it.

Deliverables:
- Keep up-to-date lists of authorized signatories, with scope and limits clearly defined
- Pre-register secondary contact channels with your bank (e.g. a phone number or email address from a separate domain) so that emergency instructions can be verified through an independent path
- Maintain a physical or locally stored “authority pack”: a single folder containing the current incorporation certificate, signatory list, board resolution, and a specimen signature page, ready to be presented to a bank or notary at short notice

Commercial survivability

During a crisis, contractual uncertainty quickly translates into revenue loss. Customers who cannot access their contracts, service terms, or negotiated agreements may suspend payments, dispute invoices, or initiate churn, not necessarily out of bad faith, but because their own legal and finance teams lack the documentation to justify continued payments.

When contract management systems are unavailable, the company may be unable to produce authoritative copies of signed agreements, amendments, or SLAs. In this vacuum, customers default to risk avoidance: withholding payment, freezing renewals, or invoking termination clauses. Revenue disruption in these scenarios is not caused by service failure, but by the inability to prove contractual obligations at the moment they are questioned.

If you cannot produce the contract, the customer’s obligation becomes optional. Commercial survivability requires treating contracts as critical operational artifacts.

Deliverables:
- For your largest or most critical customer relationships, maintain a summary sheet listing: contract start date, renewal date, key SLA commitments, termination clauses, and the contact details for the customer’s legal and procurement team. This should be accessible offline.
- Maintain offline-accessible copies of key customer contracts, amendments, and SLAs. Ensure documents include signatures, dates, and version history, and are in formats that are readable without proprietary platforms.

Regulatory and compliance obligations during disruption

Regulators do not pause their calendars because your infrastructure is down. Tax filings, financial reporting deadlines, data protection obligations, and sector-specific compliance requirements continue to apply regardless of the company’s operational state. A disruption that prevents compliance does not excuse non-compliance; it merely changes the conversation from routine to adversarial.

Several categories of obligation are particularly vulnerable:

  • Tax and financial reporting. VAT filings, corporate tax returns, payroll declarations, and statutory financial reports are governed by strict deadlines. The data required to complete them typically lives in cloud-based accounting, ERP, or payroll systems. If these systems are unreachable, the company may be unable to calculate, let alone submit, the required figures. Late filing penalties and interest accrue automatically in most jurisdictions, and in some cases, repeated delays can trigger audits or administrative sanctions.
  • Data protection (GDPR and equivalents). Under GDPR, companies must respond to data subject access requests (DSARs) within one month. They must notify the relevant supervisory authority of a personal data breach within 72 hours and, in some cases, notify affected individuals without undue delay. If the systems containing personal data, breach logs, or correspondence with data subjects are inaccessible, the company may be unable to meet any of these obligations. Crucially, the 72-hour breach notification clock starts when the company becomes “aware” of the breach, and a widespread disruption may itself constitute or mask a breach.
  • Sector-specific obligations. Companies operating in regulated sectors (financial services, healthcare, critical infrastructure) face additional reporting and continuity requirements. These may include mandatory incident notifications to sectoral regulators, continuity-of-service obligations, or requirements to maintain minimum operational capability. Failure to comply can result in fines, license revocation, or loss of regulatory approval.
  • Contractual compliance and SLA obligations. Many enterprise contracts include specific SLA commitments, breach notification requirements, and audit cooperation clauses. During a disruption, the company may simultaneously be in breach of SLA commitments and unable to prove otherwise. Prepared companies know which contractual obligations are time-sensitive and have pre-drafted communications to manage these situations proactively.

The key insight is that regulatory exposure does not require negligence. It only requires inability to act within a deadline.

Deliverables:
- GDPR breach response kit: an offline-accessible package containing the contact details of your Data Protection Officer and lead supervisory authority, a breach notification template, a DSAR response template, and the company’s data processing records.
- Pre-drafted regulatory communications: template letters for tax authorities, data protection supervisory authorities, and sector regulators explaining the disruption, requesting deadline extensions where possible, and demonstrating good faith. These should be ready before a crisis, not composed during one.
- Offline compliance data: for the most time-critical obligations, maintain periodic offline snapshots of the data needed to complete filings (e.g. VAT-relevant transaction summaries, payroll records, breach notification logs).
- Compliance calendar: a list of recurring regulatory deadlines (tax filings, financial reports, GDPR obligations, sector-specific notifications) with the data sources and systems required to meet each one. Identify which deadlines would be at risk if cloud access were lost for 7, 14, or 30 days.

Insurance: access, notification, and documentation

Insurance is one of the most overlooked dependencies in a crisis. Companies purchase cyber insurance, business interruption coverage, or professional liability policies precisely for scenarios like a major disruption, and then discover that the policies themselves are inaccessible when they are needed most.

Most insurance policies impose strict notification requirements. Cyber insurance policies typically require the insured to notify the insurer within 24 to 72 hours of discovering an incident. Business interruption policies may require immediate notification and ongoing documentation of losses. Late or incomplete notification is one of the most common grounds for claim denial. During a widespread disruption, the company may be unable to locate its policy documents, identify the correct notification contacts, or produce the documentation required to substantiate a claim.

Policies also frequently contain cooperation clauses that require the insured to take reasonable steps to mitigate loss, preserve evidence, and avoid actions that could prejudice the insurer’s position. If the company has no record of what steps it took during the crisis (because logging, ticketing, and communication systems were down) it may struggle to demonstrate compliance with these conditions.

An insurance policy you cannot find, notify, or document against is an insurance policy that does not exist.

Deliverables:
- A designated insurance liaison: a named individual (and a backup) who knows where the policies are, understands the notification requirements, and is responsible for contacting insurers within the required timeframe during a crisis.
- Pre-drafted incident notification letters for each relevant insurer, including the minimum information typically required: policy number, date and nature of the incident, initial assessment of impact, and steps being taken to mitigate loss.
- Offline-accessible copies of all active insurance policies, including cyber, business interruption, professional liability, and directors & officers coverage. Store the policy number, coverage summary, notification deadlines, and claims contact details separately from the full policy document for quick reference.

Conclusion

Digital preparedness means ensuring that the company can still prove who it is, act lawfully, and meet its obligations when systems, tools, and communication channels fail. Infrastructure enables operations. Legal authority enables existence. A company that recovers its servers but cannot pay its employees, produce its contracts, file its taxes, or notify its insurers has not recovered. It has merely restored the appearance of function while remaining paralyzed in every dimension that matters to the outside world.

The deliverables in this chapter are not complex. They do not require new technology or large budgets. They require discipline: the willingness to treat legal and compliance artifacts with the same seriousness as production databases and encryption keys. A printed board resolution, an offline contract archive, a compliance calendar, and a pre-drafted notification letter are unglamorous. They are also the difference between a company that weathers a crisis and one that discovers, too late, that survival requires more than uptime.
