Six Steps To Reduce Cyber-Risk

We’re likely to see more, and more intense, cyber-attacks as the technology continues to evolve. The author provides six steps that in-house and outside counsel can take to reduce the risk, cautioning at the outset that failure to do regular risk assessments is often cited by regulators as a factor in bringing data security enforcement actions.

All companies are advised to review their data security at least annually and any time new threats are revealed or new technology or processes are implemented. Ensure the review complies with applicable law. For example, the Gramm Leach Bliley Act requires financial institutions to have external auditors certify compliance with certain standards.

Make sure the review does not stop with security policies and procedures, but includes a technical assessment of risks posed by network and system configurations, code vulnerability reviews, assessment of network intrusion detection systems and/or intrusion prevention systems.

Take steps to ensure vendors are protecting sensitive information. Review data security provisions in all vendor contracts. Do they require vendors to protect sensitive data and detail the procedure and timing for vendors to notify your company of suspected data breaches, and not unduly limit the vendor’s liability for losses?

No network is invulnerable to intrusion, and the risks only multiply as greater amounts of data are generated and collected. Data security risks cannot be eliminated, but they can be reduced by ensuring that your clients are considering and addressing security challenges.