Tackling the ever-changing cyber security threat in an agile and proactive way requires influential members from the whole business to work together. Here is a selection of key questions by which you can assess your business's cyber-readiness.
Board and C-suite
- What are our key information assets including IP and who is responsible to protect them?
- Do we know the reputational and financial impacts of a cyber security attack?
- Am I personally at risk?
- Can solutions be found that marry a desire for security with competiveness?
- How does our crisis response plan take information assets into account?
- How can we move from reacting to anticipating the threat?
- Are we considering cyber security when making investment decisions during mergers and acquisitions?
- Are we exposed further up or down the supply chain?
- How regularly do we review the cyber threat and update response plans?
- Have we created a culture where employees can raise issues before it is too late, and that those issues will be escalated appropriately within the business?
CIO and IT professionals
- What systems do we need to operate?
- Which of those systems have the most business critical or sensitive information?
- What would motivate a cyber-attacker specifically to attack our business? Do we know who and why?
- How regularly do we review and test processes in line with the ever-changing technology and security climate?
- What is cyber security best practice for my industry and are we keeping pace of changing regulation?
- Are there any trends that make our information vulnerable at certain times?
- What cyber attacks has our business suffered so far?
- How affective has our response been to date?
- Are training programmes in place to address data protection and cyber risks faced by our employees?
- Who is represented in our incident response team? (Legal, HR, PR, IT, Risk, etc)
- Who is empowered to act and make the decisions needed in the event of a crisis; what's the chain of command?
- Do we have a review mechanism in place to determine the cause of the incident and learn from the experience?
General counsel and legal professionals
- Do we know our regulatory and compliance obligations as they pertain to cyber security?
- Have these been adequately communicated to the other relevant stakeholders in the business?
- Do we have reporting processes in place to make appropriate regulatory notifications and reports in the event of a cyber security incident?
- Who regularly tests our incident response plans and should a representative from legal be involved?
- How do we keep up to date and implement cyber security policies across multiple jurisdictions?
- Do we have appropriate policies and procedures in place for our employees describing acceptable and secure use of the organisation’s information assets and systems?
- Are our policies and procedures formally acknowledged in employment terms and conditions?
- Are our stakeholders clear on how to interact with the media in the event of a crisis?
- What should happen if we suffer a breach through our supply chain?
- Have we adequately reviewed our inbound and outbound contracts in the context of cyber security risk?
- Are we adequately involved in assessing cyber security risk associated with any mergers, acquisitions or outsourcing arrangements?
- Do we have appropriate insurance in place to cover loss as a result of a cyber incident?
- How do we feedback the conclusions from an investigation into our policies and procedures and ensure that employees are given appropriate notice and training on them?
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2021