The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Training

  • From Vol. 2 No.7 (Mar. 30, 2016)

    Twenty Ways a Company Can Use Behavioral Psychology to Improve Compliance

    Limited compliance resources can be a challenge, but there are ways to get the compliance message across without breaking the bank. Whether it is a cybersecurity or an anti-corruption compliance message, behavioral psychology can be used to encourage people to do the right thing in their jobs, Virginia MacSuibhne, vice president and general counsel of Ventana Medical Systems, explained during a recent Clear Law Institute program. MacSuibhne presented 20 inexpensive but effective communication tools that can be used to ensure that a compliance message hits home. See “Defining, Documenting and Measuring Compliance Program Effectiveness” (Jan. 20, 2016).
  • From Vol. 2 No.6 (Mar. 16, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Three of Three)

    An effective employee cybersecurity program does not start or end with a single training session. To combat evolving threats, companies need to establish ongoing communications with employees and continuously evaluate their training program. In this final article in our three-part series on the topic, outside counsel, consultants, and in-house experts provide actionable insight and recommendations on how companies should follow up after the initial training. They also address the challenges of establishing an employee cybersecurity training program and how to handle training when dealing with third-party vendors. Part one of the series discussed tailoring policies and training to the type of company and universe of employees, and part two highlighted ten important topics to cover during training, as well as strategies for engaging employees and getting the message across. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 2 No.5 (Mar. 2, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Two of Three)

    Cyber threats, commonly attributed to outside malfeasance, often originate from within – employees’ negligence or lack of awareness can open the door for cyber criminals. Establishing an effective employee cybersecurity training program can go a long way in combating that threat. The process can be distilled into three phases: (1) designing the relevant policies and planning the best training approach, considering the type of company and universe of employees; (2) ensuring the necessary topics are covered effectively during the actual training sessions; and (3) following up after the training, including certification and evaluating the efficacy of the training. This three-part series will cover each of those phases, respectively. In this second part, outside counsel, consultants, and in-house experts provide insight on ten important topics to cover during training, as well as strategies for engaging employees and getting the message across. Part one provided advice for developing the proper program based on the company’s industry and types of employees. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 2 No.4 (Feb. 17, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part One of Three)

    While cyber threats are frequently attributed to outsiders, many breaches are caused, often inadvertently, by company employees. The effective training of employees to keep data secure and respond properly to breaches is a hallmark of any cybersecurity program. The development and implementation of a good training program can be broken down into three phases: (1) designing the training policies and planning the best training approach, considering the type of company and types of employees; (2) conducting the actual training sessions and ensuring the necessary topics are covered effectively; and (3) following up after the training, including certification and evaluating the efficacy of the training. This three-part series will cover each of those phases, respectively, with insight from outside counsel, consultants, and in-house experts. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    Minimizing Breach Damage When the Rubber Hits the Road

    When a cybersecurity incident is discovered, a company’s first steps are crucial to minimize the damage. Kirk Nahra, a partner at Wiley Rein, gave candid, practical advice for breach response at the recent IAPP conference. He discussed, among other things, the importance of training employees about breach reporting; how the terms a company uses for a breach may come back to haunt them; when privilege should not be preserved; and how getting all of the healthcare providers and vendors in the country into the Dallas Cowboys’ stadium to streamline their contracts could save billions of dollars. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

  • From Vol. 1 No.14 (Oct. 14, 2015)

    How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies (Part One of Two)

    Many companies now allow employees to use their own devices for work email and other work-related functions.  Allowing employees to “bring your own device,” or BYOD, provides companies with cost savings and employees with flexibility, but also presents serious cybersecurity challenges.  This first article in our two-part series on designing cybersecure BYOD policies discusses BYOD risks and recommends strategies to reduce these risks, including employee training.  Part two will discuss mobile device management tools and software as well as handling lost devices, outgoing employees and discovery.  See “Strategies for Preventing and Handling Cybersecurity Threats from Employees,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.14 (Oct. 14, 2015)

    Eight Ways Compliance Officers Can Build Relationships with the “Middle”

    Whether it is cybersecurity, privacy or any other type of regulatory compliance, the much-talked-about “tone at the top” is often cited as crucial for an effective compliance program.  See “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015); Part Two, Vol. 1, No. 4 (May 20, 2015).  Ensuring that tone is conveyed throughout the organization, however, is equally important.  Getting the compliance message across typically falls on an organization’s middle managers.  A recent Society of Corporate Compliance & Ethics program featuring Charlotte Nafziger, director of compliance of T-System, Inc., explored the importance of middle management in developing an effective ethics and compliance program and the ways compliance officers can engage middle management in doing so.

  • From Vol. 1 No.9 (Jul. 29, 2015)

    How to Prevent and Manage Ransomware Attacks (Part Two of Two)

    Even when companies take each recommended step to prevent a ransomware attack (such as properly training employees, backing up files, segregating data and limiting network access), a ransomware attack can still sneak through and, without a rapid and proper response, cause widespread damage.  This article, the second of a two-part series, addresses how to handle a ransomware attack, when and how to report the incident, and strategies for working with law enforcement.  The first article in the series explained the threat and provided steps that companies can take to prevent ransomware attacks and mitigate the impact if one does occur.  See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    How to Prevent and Manage Ransomware Attacks (Part One of Two)

    Ransomware attacks can cause substantial disruption and damage by tempting a single employee to click on a link or visit a malicious site.  “The threats are getting more and more sophisticated every day in terms of the malware itself and the delivery,” Judy Selby, a partner at BakerHostetler, said.  This article, the first part of a two-part series, explains the threat and suggests steps that companies can take to prevent ransomware attacks and mitigate the impact if one does occur.  The second article will address how to handle a ransomware attack and when and how to report and work with law enforcement.  See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part Two of Two)

    Cybersecurity is one important element of an investment manager’s overall regulatory compliance responsibilities.  Although not explicitly required by SEC regulations, it is clear that the SEC and other regulators expect fund managers to test for cybersecurity vulnerabilities and preparedness.  A recent program sponsored by K&L Gates and the Investment Adviser Association, featuring experts from those entities as well as BNY Mellon and Nth Generation, explored the most effective and efficient testing methods.  This article, the second in a two-part series, discusses testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters.  The first article summarized the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing.  See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.6 (Jun. 17, 2015)

    Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part One of Two)

    Cybersecurity is one important element of a fund manager’s overall regulatory compliance responsibilities.  Although not explicitly required by SEC regulations, it is clear that managers are expected to test for cybersecurity vulnerabilities and preparedness.  Such testing was recently considered in depth at a program sponsored by K&L Gates and the Investment Adviser Association (IAA).  The program was moderated by Mark C. Amorosi, a partner at K&L Gates.  The other speakers were Laura L. Grossman, assistant general counsel at IAA; Jason Harrell, corporate senior information risk officer at BNY Mellon; Jeromie Jackson, director of security & analytics at Nth Generation; and K&L Gates partners Jeffrey B. Maletta and Andras P. Teleki.  This article, the first in a two-part series, details the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing.  The second article will discuss testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters.  See “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.1 (Apr. 8, 2015)

    Strategies for Preventing and Handling Cybersecurity Threats from Employees

    Not all data breaches stem from trained cybercriminals – in fact, many cybersecurity incidents come from the inside.  They are initiated by an employee’s inadvertent mistake or intentional act.  In this interview with The Cybersecurity Law Report, Holly Weiss, a partner in the Employment & Employee Benefits Group, and Robert Kiesel, a partner and chair of the Intellectual Property, Sourcing & Technology Group, at Schulte Roth & Zabel, discuss: the two categories of internal cybersecurity threats (inadvertent and intentional); specific ways to protect against those threats, including effective training methods and “bring your own device” policies; and the effect of relevant regulations.
