How Legal Departments Can Conduct Effective Cyber Vulnerability Testing
By Beth Burgin Waller and Patrick J. Austin
April 3, 2024
Beth Burgin Waller is a principal and chair of the Cybersecurity & Data Privacy practice at Woods Rogers Vandeventer Black in Virginia, and Patrick J. Austin is of counsel. They advise clients in a variety of industries on cybersecurity planning and in the days and weeks following incidents. They may be reached at beth.waller@wrvblaw.com and patrick.austin@wrvblaw.com.
Published in Today’s General Counsel, April/May 2024
In recent months, the Federal Communications Commission expanded its data breach notification rules while the U.S. Securities and Exchange Commission’s “incident disclosure” rule went into effect, requiring public companies to disclose “material” cybersecurity incidents within four business days.
These actions reflect a heightened interest by regulatory authorities in how organizations address cyber vulnerabilities and what procedures are in place to respond to a cyber incident. In-house legal departments play an integral role in cybercrime prevention, and testing is a prime place for them to take the lead.
Here are seven steps to conduct effective testing at your company:
- Identify, Classify, and Categorize Your Data: One of the best ways to get a proverbial grip on your organization’s data is to develop a data map. For context, data mapping is the creation of an inventory of an organization’s data that describes (i) the type of data that exists in the organization; (ii) where that data is stored; (iii) who the responsible party is for that data; and (iv) when the data is eligible to be archived or deleted. When your organization’s data is properly identified, classified, and categorized, it will go a long way in developing and strengthening your organization’s overall cybersecurity strategy, enhancing your ability to respond to a cyber incident.
- Review Third-Party Service Contracts: A notable risk to cybersecurity is not within the organization itself but with third-party service providers. This is why legal departments should review all contracts with third-party vendors to ensure sufficient cybersecurity measures are in place. All contracts should include provisions addressing data protection, confidentiality, data ownership, security incident reporting, and liability (in case of a data breach). In addition, vendors’ cybersecurity measures must be actively monitored to ensure they meet applicable rules and regulations and adhere to your department’s policies.
- Regularly Update Network Security: The security of your organization’s network – including firewalls, encryption, secure Virtual Private Networks (VPN), and intrusion detection systems – should be tested and regularly updated to ensure they are working harmoniously and are the most up-to-date versions.
- Establish Stringent Password Policies: It is critically important to enforce a strong password policy. This means employees must set up a complex password that must be changed regularly. In addition, multi-factor authentication (MFA) should be implemented. MFA will help strengthen your security posture by requiring users to identify themselves by more than just a username and self-generated password.
- Team Training: Human error is one of the leading causes of data breaches. A joint study by Stanford University and security firm Tessian discovered that employee mistakes cause a staggering 88% of data breach incidents. Similar research by IBM Security puts that number even higher: 95%. Excellent training demonstrates to team members that they have cybersecurity and legal obligations. It helps them understand data protection, how to safely and effectively use technology, and sound cybersecurity practices overall.
- Identify Gaps Through Testing: A key component to effective cyber vulnerability testing is actually testing the plans and procedures in place. In effect, organizations should stress test their cybersecurity and incident response plans. Examples of effective testing strategies include penetration testing and tabletop exercises. Regular testing will identify vulnerabilities and weak spots, enabling the legal department to institute mitigation and remediation measures to address these issues.
- Prioritize Actions: An effective cyber vulnerability test will likely identify issues and security vulnerabilities that must be addressed. Once identified, your action plan must prioritize the steps that will be taken. Remember, not all problems are equally critical. An assessment of each risk’s potential impact on your organization must be conducted. For example, addressing a vulnerability in protecting sensitive client data will likely take precedence over updating employee training materials.
When legal departments proactively conduct cyber vulnerability testing, it strengthens their ability to identify and assess potential cybersecurity risks effectively. Once identified, the legal department can outline strategies to mitigate risks and implement compensating controls, providing strategic counsel and a critical contribution to the organization.
Must read intelligence for general counsel
Subscribe to the Daily Updates newsletter to be at the forefront of best practices and the latest legal news.
Daily Updates
Sign up for our free daily newsletter for the latest news and business legal developments.