A cyber breach can have serious legal, financial, and reputational consequences for a company, as described in our previous post. As such, cybersecurity threats must be treated as business risks, not just a potential IT problem. Senior management at a company should take the lead to ensure that the company is taking appropriate actions to protect itself against cyber risks. There are several steps that senior management can guide the company to take to prevent breaches from occurring and to mitigate the impact when they do occur.
Careful planning and preparation, including appropriate policies and procedures, is critical for the creation of an effective cybersecurity program. The program should include a Cyber Risk Assessment and a Cyber Incident Response Plan.
Perform a Cyber Risk Assessment
- Information: Identify the information and data that is most sensitive and important to the company. Commentators often refer to this as the “crown jewels.” This will often include information about finances or personally identifying information (“PII”). PII can include individuals’ names, addresses, social security numbers, and other sensitive information about a person.
- Resources: Devote appropriate staff for the supervision and oversight of cybersecurity measures on an ongoing basis, including having personnel responsible for staying up-to-date on evolving threats, and maintaining all cybersecurity related reports and information.
- Compliance: Ensure compliance policies satisfy the company’s agreements, such as customer agreements.
- Ensure vendor compliance: Review the cyber risk protocols of any vendors who may have access to company data. In particular, the SEC has been especially focused on third party service providers that may have custody of, or access to, PII.
- Test: Stress test the relevant computer networks in order to identify and assess vulnerabilities.
- Implement prophylactic measures: Regularly backup important data to guard against ransomware attacks. If the victim has backup copies, the hacker no longer holds the upper hand.
- Audit: Institute recurrent security audits to identify potential risks.
- Insurance: Consider whether to purchase cybersecurity insurance.
Cyber risk assessment is an ongoing process that should be continually revisited and revised to account for the changing regulatory landscape and technological advances.
Adopt a Cyber Incident Response Plan
- Assign a “quarterback” to lead response efforts, including coordinating mitigation efforts, remediation actions, and possible law enforcement referral.
- Coordinate with outside counsel who can act quickly if a breach does occur, and who can coordinate other professionals, such as forensic and IT professionals, while working to protect information through the assertion of privilege.
- Outline a plan for coordinating with regulators and law enforcement agents.
- Evaluate the potential need to communicate with investors or customers in the event of a breach.
- Retain a public relations consultant to monitor social media and news reports regarding the company after a breach for the purpose of brand protection.
Counsel should assist with these tasks to ensure that the company is prepared and protected.
Follow the Plan
An effective Cyber Incident Response Plan should provide a roadmap for the company in the event of a breach. Speed is crucial when responding to a breach, particularly in the first twenty-four hours, to try to minimize the impact.
- Contact counsel identified in the Cyber Incident Response Plan, to engage relevant professionals including, among others, an IT provider and/or a forensic investigator.
- Define the scope of the breach and assess what systems and data have been compromised. Determine if a backup of any lost data is available.
- Consider whether notice to law enforcement and/or regulators is necessary or appropriate.
- Assess with counsel whether the breach has triggered notification requirements to customers or others under any applicable laws or contracts.
- Evaluate with counsel potential insurance coverage, along with regulatory and/or civil litigation risks.
If questions arise concerning the risk-reduction measures outlined above, we are available to consult as needed.