Take note GCs: The question is not if you will have to respond to a cybersecurity incident—the question is when. That was the message from speakers and panelists at the Association of Corporate Counsel’s annual meeting this year.
Indeed, the majority of all U.S. businesses have experienced at least one cybersecurity incident in the last year, with some estimates as high as 80%. And a data breach involving so-called knowledge assets (confidential business information) costs an average of $5.4 million to resolve, up to a maximum of $270 million for the largest breaches.
The good news for GCs is that having a well-designed response plan in place can lower the risk of a breach and greatly minimize the damage if a breach occurs. Some best practices discussed at the ACC meeting, and elsewhere, are worth considering:
- Cultivate close relationships with IT directors to make it more likely that GCs are contacted in the event of a breach or crisis.
- Extend the relationships to as many IT employees as possible to overcome the personal responsibility that some employees feel when a breach occurs.
- Evaluate and routinely measure employee security training levels.
- Meet with as many relevant departments as possible to assess the specific risks and issues that could arise if/when a breach occurs.
- Conduct a thorough survey of the data collected by the organization, focusing on employee, consumer, medical, and financial data, and determine if any data does not need to be stored.
- Critically examine contracts and breach procedures of existing vendors that are privy to sensitive data or have access to internal systems.
- Perform vendor due diligence before committing to any new contractual relationships and consider requiring vendors to fill out a questionnaire indicating their experience and policies with data breaches, training level of their employees, and general control procedures for sensitive data.
- For vendors that have access to critical information, consider requiring the vendors to provide independent third-party security assessments or audits.
- Create a standard data privacy and security addendum that can be attached to vendor contracts (which are usually drafted by vendors) to ensure that the organization’s data is being protected and include risk allocation provisions that apply should the vendor be subject to or lead to a breach.
- Monitor relationships with vendors to ensure continued compliance with contract provisions, applicable laws, regulations, and industry standards. Further, ensure that once the relationship ends, the vendor destroys or returns company data as appropriate.
- Document the plan. Create a list of policies and procedures to be followed if there is an incident, and include clearly defined roles and individuals who need to be contacted.
- Make sure to focus on the immediate aftermath of a breach — the first 48 hours being most critical — and ensure that internal and external communications keep stakeholders apprised as the situation develops.
- Consider working with a public relations firm to develop consistent messaging that can be efficiently communicated in a crisis.
- Create an internal response team, including members of management, IT, legal, and public relations that can quickly decide remedial steps and appropriate communication.
- Consider the company’s overall insurance program and whether cyber risks are covered.