The data economy will further amplify the vulnerabilities of data, and expose businesses, governments and individual consumers to cyber threats.
By Shrikant Shitole
The last decade has spurred dramatic shifts in technology that have made the world a more connected and efficient digital realm. Businesses can now engage digitally with their stakeholders from across the world, at any time, across a bevy of screens. Remote workers and their personal devices in the modern enterprise, expose critical data to threat actors. The data economy will further amplify the vulnerabilities of data, and expose businesses, governments and individual consumers to cyber threats.
In most large enterprises, especially publicly listed ones, the general counsel (GC) plays a key role in management and is also the vital link between the company and the executive board. While the GC addresses myriad legal and business challenges, none of them will be as harrowing as dealing with a cyber attack.
The following are some key steps a GC can take to ensure their organisation is prepared for a cyber incident.
Connect: A strong partnership between the CISO and the GC is essential given today’s cyber landscape. It is important to know about the company’s data: how it is protected, where it is located, how it can be accessed, and what level of visibility the security team has into its IT assets.
Plan: Develop an incident response (IR) plan and identify the team needed to execute that plan. The response team may include the CEO, CISO, CMO, internal/external legal counsel, communications professionals and external incident responders/forensic specialists. It is necessary to examine the company’s contractual relationships with vendors that have access to sensitive information or data, to understand what cyber security measures and breach procedures are in place. It would be better to create a standard data security addendum that can be attached to vendor contracts and includes risk allocation provisions that apply should the vendor be subject to a leak or breach.
Practice: Test the IR plan. Conduct tabletop crisis exercises and ensure that internal response team members and external experts are pre-identified and “on call.” In today’s mobile and social world, managing crisis response in a timely manner is critical. Note that there should always be takeaways from practice sessions—ways to refine and improve the overall process.
Protect: Establish and protect attorney-client privilege before (if possible) and at a minimum immediately after a breach by coordinating communications and incident response through the GC’s office.
Involve: Provide the Board with regular updates from the CISO. Fiduciary duties related to cyber security require Boards to meet a “reasonableness” standard akin to the business judgement rule.
Consider: Knowing the costs of a breach and evaluating the risk of a loss to the company may warrant the use of cyber insurance. A Cyber Insurance Risk Assessment provides a quick, high-level analysis of an organisation’s risk level. Cyber security is a team sport. Developing and executing a strong IR plan requires cooperation between the GC and the CISO, as well as coordination across various internal groups such as finance and marketing, the C-Suite, senior executives, and outside specialists.
The writer is senior director & country head for India, FireEye