With cyber resilience top of mind for investors, shareholders, regulators and the plaintiffs’ bar, growing organizations can no longer afford to put their cybersecurity efforts on the back burner. Building a cybersecurity program has become an essential element in the growth strategy. But where do you begin? Cooley’s cyber/data/privacy lawyers put their heads together to offer maturing companies a starting point and a path forward. Have questions? Reach out to us at cdp@cooley.com.
Public and high-growth private companies need internal cyber/data/privacy governance structures that protect the integrity and value of digital assets and customer data and mitigate related risk and liability. Increased regulatory oversight and litigation risk put the obligation on directors and officers to ensure there are appropriate governance programs in place and that companies regularly address information security issues at the board level. This checklist contains essential steps that companies should consider to address cyber risks.
Action plan
- Assign senior leadership responsibility for understanding and managing the cyber/data/privacy risks facing the company and for understanding its compliance obligations – for example, the SEC Material Risk Rule for public companies.
- Perform an early-stage audit to understand and inventory critical data and digital assets, to recognize how data flows through the supply chain, and to identify internal and external cyber risks.
- Adopt core internal policies and governance structures: information security; privacy governance; vendor management; and incident response.
- Prepare a detailed, thorough and step-by-step incident response plan for use in the event of a cyber incident.
- Identify and retain outside counsel, forensic experts, public relations specialists and other vendors to enhance the company’s readiness in the event of a cyber incident.
- Provide regular and relevant cyber risk preparedness training to key personnel, management and the board.
- Conduct periodic tabletop cyber response exercises (at least annually) to test the incident response plan; involve key internal and external stakeholders, including both technical and non-technical responders.
- Consider obtaining cyber insurance and require partners and vendors to obtain adequate cyber insurance.
- Implement, test and protect data recovery infrastructure to guard against business disruption and critical data loss.
- Review reporting obligations and prepare template notices for use with regulators, consumers and contractual partners in the event of a cyber incident.
- Conduct regular stress tests, penetration tests, audits, assessments and reviews with management and board oversight.
- Actively monitor security events, including identifying, responding to, tracking and reporting security incidents.
- Implement a robust vendor management program to ensure vendors are appropriately safeguarding data and digital assets against cyber risks.
- Mitigate risks by monitoring and implementing technical best practices and maintaining a forward-looking threat assessment program.
- Future-proof information security practices by conducting periodic risk assessments and anticipating and addressing risks in light of desired business plans and outcomes – privacy and security by design; regulatory and litigation risk tracking; partner and vendor agreements; etc.
- Periodically brief the board regarding cyber risk management (at least semi-annually).