The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Articles By Topic

By Topic: Risk Assessment

  • From Vol. 3 No.8 (Apr. 19, 2017)

    How to Ensure Cyber Risks Do Not Derail an IPO

    In preparation for a public offering, companies should expect scrutiny of their cybersecurity risks and the measures they take to address them, just as they do with other aspects of their business. Cyber risks and incidents can derail an IPO if they are not handled correctly. Gibson Dunn partners Andrew L. Fabens, Stewart L. McDowell and Peter W. Wardle spoke with The Cybersecurity Law Report about steps companies should take in preparing for an IPO, as well as the potential impact cybersecurity can have on the IPO process and stock price. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.24 (Nov. 30, 2016)

    Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part Two of Two)

    The core value of a risk assessment as a critical component of a robust cybersecurity program is in its findings and recommendations. With perspectives and advice from various experts, including the CISO of a large global cloud services provider, attorneys and technical consultants, this second part in our two-part series on risk assessments details what the written report should include, with whom it should be shared and how companies can use it to strengthen their cybersecurity program. It also provides recommended actions for assessment follow-up, explores common challenges to the process and offers tips and solutions to overcome them. Part one covered the scope and purpose of the assessment, the roles of internal stakeholders and third parties, and examined what the risk assessment evaluation process entails. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 2 No.24 (Nov. 30, 2016)

    Attorney-Consultant Privilege? Structuring and Implementing the Kovel Arrangement (Part Two of Two)

    So-called “Kovel arrangements” provide unique opportunities for companies and their legal counsel to extend the attorney-client privilege to consultants. After deciding to use the arrangement, the next (and most important) step is ensuring that the entire Kovel engagement is performed correctly so that the privilege will be recognized by regulators and courts, and documents detailing the company’s operational deficiencies are not unnecessarily made available. This article, the second in a two-part series, provides practical guidance regarding the provisions that need to be included in an engagement letter with a consultant, details daily steps a company must take to ensure it remains Kovel-compliant, and examines circumstances under which it is and is not appropriate for companies to employ Kovel arrangements. The first article in this series detailed the legal requirements of the Kovel doctrine, as well as considerations for companies when deciding whether to invoke or waive the privilege. See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two)” (Jun. 17, 2015); Part Two (Jul. 1, 2015). 

    Read Full Article …
  • From Vol. 2 No.23 (Nov. 16, 2016)

    Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part One of Two)

    By identifying an organization’s risk areas, gaps in how it is addressing those risks and, ultimately, by providing recommended actions for closing those gaps, cybersecurity risk assessments have become a critical part of a robust cybersecurity program. With input from attorneys and technical consultants with experience conducting these audits, our two-part series takes a deep dive into the topic. Part one covers the scope and purpose of the assessment, the roles of internal stakeholders and third parties, and also examines what the risk assessment entails, including initial steps and the evaluation of technical, administrative and physical safeguards. Part two will offer details on what the written report looks like and how it is used, recommend actions for follow-up, and provide a discussion of common roadblocks and solutions. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 2 No.23 (Nov. 16, 2016)

    Attorney-Consultant Privilege? Key Considerations for Invoking the Kovel Doctrine (Part One of Two)

    As organizations increasingly engage consultants to conduct cyber risk assessments and to assist in the event of a breach, a logical concern is whether the attorney-client privilege is available to protect those efforts. The Kovel decision in the Second Circuit extended the attorney-client privilege to third parties assisting attorneys in representing clients under certain circumstances. This two-part series describes the use of so-called “Kovel arrangements” by companies to extend the attorney-client privilege to interactions with consultants. This first article describes the requirements of the Kovel privilege as established by case law, as well as critical considerations for deciding whether to invoke or waive the privilege when interacting with regulators or litigants. The second article will detail the requisite features of a fully compliant Kovel arrangement and will examine circumstances under which it is and is not appropriate for companies to employ Kovel arrangements. See also “Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations” (Nov. 11, 2015).

    Read Full Article …
  • From Vol. 2 No.4 (Feb. 17, 2016)

    Cybersecurity Preparedness Is Now a Business Requirement

    How can companies make cybersecurity preparedness an integral part of their business practices? During a recent panel at ALM’s cyberSecure event, JoAnn Carlton, general counsel and corporate secretary at Bank of America Merchant Services, Edward J. McAndrew, Assistant U.S. Attorney and Cybercrime Coordinator at the U.S. Attorney’s Office, and Mercedes Tunstall, a partner at Pillsbury, gave their perspectives on steps companies can take to enhance cybersecurity. They discussed how the evolving nature of cyber attacks requires evolving business models. Simply establishing an incident response plan is not enough: companies must build privacy preparedness across the organization and engage in a continuous cycle of planning and response to stay ahead of cyber threats. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); “The Challenge of Coordinating the Legal and Security Teams in the Current Cyber Landscape (Part Two)” (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 2 No.2 (Jan. 20, 2016)

    Defining, Documenting and Measuring Compliance Program Effectiveness

    The risks of having a cybersecurity compliance program that exists only on paper are well-known, but measuring whether the program is actually working, how it is working and documenting those findings for internal and external stakeholders present challenges. A recent program at the SCCE Annual Compliance & Ethics Institute considered how compliance professionals can measure and document steps taken to demonstrate the effectiveness of their compliance programs for cybersecurity and other areas of law. The program featured Scott Hilsen, a managing director at KPMG’s forensic unit and Jean-Paul Durand, a vice president and chief ethics and compliance officer at Tech Data Corporation. See also “Eight Ways Compliance Officers Can Build Relationships With the ‘Middle’” (Oct. 14, 2015).

    Read Full Article …
  • From Vol. 2 No.1 (Jan. 6, 2016)

    How the Financial Services Sector Can Meet the Cybersecurity Challenge: A Plan for Building a Cyber-Compliance Program (Part Two of Two)

    Despite the abundance of principles-based cybersecurity guidance provided by regulators, interpreting those principles and turning them into actionable items remains a formidable task.  Nevertheless, financial services professionals have a fiduciary duty to devote best efforts to mitigating cyber risk by building an appropriate risk management solution.  In a guest article, the second in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, provides a practical blueprint to build a cyber-compliance program.  Many aspects of the blueprint are not only applicable to those in the financial industry but to other sectors as well.  The first article explored current regulatory expectations applicable to the financial services sector.  See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)” (May 6, 2015) and Part Two (May 20, 2015).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part Two of Two)

    The enormous liability and costs that cyber incidents generate make cyber insurance a new reality in corporate risk management plans across industries.  This article, the second article in the series, explores policy exclusions and pitfalls to watch out for, including lessons from recent cyber insurance coverage litigation and steps companies can take to increase the likelihood of insurance coverage under their cyber policy.  Part one in the series covered navigating the placement proces –  having the proper individuals involved, finding the right insurer and securing the best policy for your company.  See also “Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part One of Two)

    With cyber attacks continuing to strike companies of all sizes, cyber insurance has become an important component of corporate risk management strategies.  While cyber risk insurance can provide coverage for the litany of potential damages that a company may suffer in the wake of a data breach, it is wildly different from the usual insurance marketplace – it is nascent, changing and varied.  This, the first article in our two-part series on getting the right cyber coverage in place, provides guidance on navigating the insurance placement process, selecting the individuals who should be involved, finding the right insurer and securing the best policy for your company.  Part two will explore lessons from recent cyber insurance coverage litigation, including steps companies can take to increase the likelihood of insurance coverage under their cyber policy and what policy exclusions and pitfalls to watch out for.  See also “Transferring Risk Through the Right Cyber Insurance Policy,” The Cybersecurity Law Report, Vol. 1, No. 15 (Oct. 28, 2015).

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    How to Protect Intellectual Property and Confidential Information in the Supply Chain

    Sharing information, including intellectual property, with third parties such as suppliers, distributors and consultants is essential for the operations of many companies but exposes them to various points of cyber risk.  Pamela Passman, President and CEO at the Center for Responsible Enterprise and Trade (CREATe.org), spoke with The Cybersecurity Law Report about how to assess and mitigate third-party and supply chain risk.  CREATe.org, a global NGO, works with companies and third parties with whom they do business to help put processes in place to prevent corruption and protect intellectual property, trade secrets and other confidential information.  See also “Protecting and Enforcing Trade Secrets in a Digital World,” The Cybersecurity Law Report, Vol. 1, No. 13 (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 1 No.15 (Oct. 28, 2015)

    Transferring Risk Through the Right Cyber Insurance Coverage

    As companies recognize that they cannot ignore the risk of a significant cyber breach, they are looking to insurance policies to bear at least some of that risk.  Selecting the right cyber insurance, however, presents challenges in an ever-changing cyber insurance market.  In a guest article, BakerHostetler partner Judy Selby explains the cyber insurance options available, how to select the best insurance for your company and what to expect from the often-intrusive application process.  See also “Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.14 (Oct. 14, 2015)

    MasterCard and U.S. Bancorp Execs Share Tips for Awareness and Prevention of Mushrooming Cyber Risk (Part One of Two)

    Two senior-level executives in the financial industry, leading cybersecurity experts, recently offered their views on how they are balancing the lure of new technology with the associated risks.  In this article, the first in a two-part series covering the PLI program “Cybersecurity 2015: Managing the Risk,” Jenny Menna, the cybersecurity partnership executive at U.S. Bancorp and Greg Temm, vice president for information security at MasterCard, and responsible for MasterCard’s cyber intelligence program, address: the current cyber landscape; the most pressing threats across industries; and how the government, regulators and private companies are responding to those threats.  In the second article, they tackle mitigating cybersecurity risk, including industry projects geared toward improving the overall cybersecurity ecosystem; and tips for avoiding cyber threats at work and home.  See “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).

    Read Full Article …
  • From Vol. 1 No.3 (May 6, 2015)

    The SEC’s Updated Cybersecurity Guidance Urges Program Assessments 

    With its new Investment Management Guidance Update on cybersecurity, the SEC is “now looking at more comprehensive assessment of controls and threats, not just from external sources but also internal sources,” Marc Lotti, a partner at ACA Aponix, told The Cybersecurity Law Report.  “Right now, investors and SEC don’t see [disregarding technology risk] as ignorant, they see it as negligent.”  The Guidance discusses actions that investment advisers and companies should consider to mitigate those risks and enhance their cybersecurity programs.

    Read Full Article …
  • From Vol. 1 No.1 (Apr. 8, 2015)

    Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

    Vendors and other third parties are vital to most businesses, but can leave a company dangerously vulnerable to a breach of its data or network.  As the Target breach demonstrated, even a non-IT vendor can cause widespread damage.  Properly vetting third parties remains one of the most challenging aspects of cybersecurity programs.  In order to appropriately allocate due diligence resources, companies must first assess potential third parties to determine which of them present low, medium or high levels of cybersecurity risk and subsequently conduct the corresponding levels of diligence.  This article, the first in our series, provides a framework for companies to (1) categorize potential vendors based on risk, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium and high level of risk.  Part Two will address the third step of deeper due diligence for high-risk vendors.

    Read Full Article …