The cybersecurity capabilities of a company may be reviewed using cyber risk assessments. The overarching goal of a cyber risk assessment is to identify any deficiencies in cybersecurity that could pose material risks to the business. A cyber risk assessment begins with a commitment of resources to review the risks, threats, and vulnerabilities a company faces. The results of an assessment can include recommendations to change the governance structure and the information security management systems the company currently employs.
Some companies wonder what a cyber risk assessment looks like. Here are 10 things to bear in mind when performing a cyber risk assessment.
- An effective assessment merits an oral presentation to company leadership and proper documentation, including a written report. The report is rooted in an internal audit conducted by the cybersecurity team, which includes the company’s chief information security officer, its IT team and its attorneys.
- The strategic objective of a cyber risk assessment is to define what the company is doing correctly and identify the gaps in cybersecurity that need to be remedied. It provides a roadmap to security through a series of milestones and checklists that management and counsel can use to identify the risks, threats, and vulnerabilities that confront a company.
- The assessment should lay out short, medium and long-term objectives for company officers and the board of directors or the cybersecurity committee of the board. Every medium or large company would be well advised to form a cybersecurity committee that is charged with responsibility to review and protect against cyber breaches or incidents.
- Reports need to be carefully written. They may be discoverable in litigation. A written report needs to identify what must be done in language that does not provide ammunition for a hostile party to use against the company. Some elements of a report might be reserved for an oral presentation. Other elements may be reserved for counsel to present to management or the board in order to preserve confidentiality under the attorney-client privilege. There is no set formula. Companies and counsel need to exercise good judgment in what is reported and in how findings and recommendations are presented.
- It is better to prepare one substantive final report rather than a preliminary report followed by a more thorough one. A preliminary report can be too general or, because it lacks detail and depth, lead to injudicious conclusions. For example, hostile parties in litigation may compare a preliminary report with a final report to identify apparent inconsistencies and discredit a company.
- Written reports can be critically helpful in dealing with regulators. They show that a company is exercising due diligence to identify weaknesses and to correct them. Regulators such as the U.S. Federal Trade Commission and the Office for Civil Rights in the U.S. Department of Health & Human Services may give a pass to a company whose judgment they disagree with, provided that the company has taken reasonable and adequate steps to assure cybersecurity and has documented its rationale.
- Cyber risk assessment reports require recommendations for action in implementing or strengthening controls. Controls include how a company manages key components of cybersecurity, including access and privileges to sensitive, confidential or proprietary data; authentication procedures; encryption; physical security; and other controls that can prevent data breach or other losses. The recommendations need to be tailored to the individual requirements of each company.
- Recommendations in a cyber risk assessment should address the company workforce. This embraces the wide range of employee education, training, monitoring and supervision.
- A cyber risk assessment should include budgeting and spending recommendations. Many companies resist hiring cybersecurity attorneys or conducting cyber risk assessments to save money. They may skimp on implementing current technology that detects and prevents intrusions into their systems and networks. Unfortunately, waiting until a breach or loss occurs to address cybersecurity can produce expensive results, including direct and indirect losses, lawsuits and regulatory issues.
- Finally, cyber risk assessments lay a foundation for future planning. Hackers are growing more sophisticated every year. Over half of companies in the U.S. can expect to experience a data breach or loss. It is important to be forward thinking. Companies are well advised to look over the horizon and understand the benefits that come from knowing how to strengthen their cybersecurity. One of the first things that hostile parties seek to identify in litigation is what actions a company could have taken to prevent a data breach or other loss. Having a cybersecurity strategy in place, informed by a cyber risk assessment, guards not only against hackers but also against litigious parties.
No one can eliminate the threat of cybersecurity losses, but the threats and the legal exposure can be managed. Conducting a thorough cyber risk assessment with actionable recommendations is key to preventing such losses.
James Farwell and Geoff Elkins are attorneys with Elkins PLC of New Orleans and have expertise in cybersecurity law. They have co-authored a new book with Virginia Roddy and Yvonne Chalker, “The Architecture of Cybersecurity.” Michael Bagneris, former chief judge for the Orleans Civil District Court, is Of Counsel to Elkins PLC for cybersecurity.