Cybersecurity Planning Basics

by Jed Weiner

Cyber attacks on businesses are becoming increasingly common and can cause substantial harm to business assets and reputation. In addition, a company may face legal liability for data breaches. With limited resources and competing priorities, emerging companies need to strike the right balance on cybersecurity compliance spend.

Below we identify key components of cybersecurity compliance.

Audit. Management should take an inventory of the company’s information assets. This includes:

  • establishing data mapping catalogs of the organization’s confidential information;

  • listing and tracking IT assets, including computers, networking elements, storage devices, and other resources; and

  • conducting an audit of personal information collected and stored.

Management should affirm that it has cybersecurity software and other tools customary for its type of business activities.

Company Obligations. Management should determine the company’s cybersecurity obligations under its contracts and under applicable laws and regulations. These obligations usually apply a “reasonability” standard, and legal counsel or compliance specialists can advise on what this means in practice.

Risk Assessment. Management should perform a cybersecurity risk assessment by considering threats to information assets, vulnerabilities in information security, the likelihood of a breach, and the potential damage caused by a breach.

Written Information Security Program. Management should develop a written information security program (WISP). A WISP often includes a risk assessment analysis; information security policies, procedures and safeguards; and an incident response protocol with oversight. The WISP should include an employee training program. Management should develop and test a cyber incident response plan that identifies the incident response team and assigns set roles. The plan should also set out the protocols for an incident investigation, which should usually involve an attorney so that attorney-client privilege attaches to the investigation.

Vendor Risk. Management should conduct diligence on the adequacy of vendor information security assets and procedures. Vendor contracts should include clauses requiring vendors to meet customary information security standards.

Insurance. Many companies purchase cyber insurance coverage to mitigate data breach damages. Companies often purchase standalone cyber policies as cyber breaches are generally excluded from commercial general liability policies.

If you would like further information on cybersecurity or data privacy compliance, please contact Jed Weiner, Head of Corporate at Mei & Mark LLP and Founder of grIP Venture Studio at: jweiner@meimark.com.
