A company’s board of directors is given the responsibility to oversee all aspects of the company’s efforts regarding risk management, which includes minimizing the company’s exposure to cyber attacks. In today’s increasingly digital age, cyber attacks are inevitable and involve increasingly sophisticated methods. Breaches not only put valuable information at risk, but also negatively affect a company’s finances, reputation and shareholder value. Given the role that legal departments play in advising and directing a company’s efforts, they are also in a good position to help facilitate the board’s response to a data breach.
Don’t assume your company is immune.
The reality is that even small and medium-sized organizations are susceptible to a cyber attack. It’s not necessarily a company’s size or reputation, but the information it has, that makes it an attractive target for cyber criminals. In fact, midmarket companies are often the targets of cyber attacks because they don’t have the same resources as larger companies.
Educate the board about the company’s vulnerabilities.
A key step in putting together your plan is understanding what is at risk. A key role for the in-house counsel can be to educate the board on the company’s most vulnerable cyber security points. What data does the company have that others may want? Where is it? Who can access it? Regardless of what protections a company has implemented, they are only as good as the vendor’s policies. The in-house counsel should evaluate and conduct due diligence on the vendor’s policies and practices.
Create a response plan.
The board should have a strong understanding of and involvement with the company’s written plan for how its information will be protected and how the company will respond in the event of a breach. Cyber attacks happen fast, leaving the organization with only a matter of hours to respond, if it is fortunate. The board should ensure, well in advance, that the plan is sufficient to execute the necessary actions.
Document your efforts.
The board’s ability to have a comprehensive overview of cyber security issues is dependent on having sufficient information. Legisway has developed a new Compliance module for data privacy to register and control all your organization’s activities related to data privacy. The module provides a data breach function that includes the registration of when and where a data breach has occurred, which can be provided to authorities upon request.
Because the methods of cyber attacks are constantly changing, defense mechanisms should change as well. General counsel should keep the board informed of recent developments and trends and remind the board that cyber security response plans should be continually updated. Boards are very good at recognizing patterns. Therefore, it makes sense to conduct assessments and provide updates on a regular basis.