
The Nebraska Lawyer, March/April 2016, p. 29

feature article

Proactive Strategies for Businesses to Assess and Address Cyber Risk

by Amy Roland and Amy Bagge

Amy Roland earned her law degree from The Catholic University of America in 1999 and received a B.A. degree from Marquette University in 1996. She joined McGrath North in 2014 and leads the firm’s Intellectual Property and Technology group. For over fifteen years, Amy has helped local and national companies in a broad spectrum of industries. Her practice is dedicated to information technology, licensing, outsourcing, intellectual property, social media and marketing.

Amy Bagge earned her law degree from the University of Iowa College of Law in 2011 and received a B.A. degree from the University of Northern Iowa in 2008. Amy joined McGrath North in 2014 and practices in the Intellectual Property and Technology group. Her expertise covers a wide variety of intellectual property and information technology matters, including trademark clearance and protection, technology licensing and professional services agreements, and regulatory matters, including privacy and security issues.

Cyber Risk Impacts All Businesses

The headlines over the past few years demonstrate that no company, organization or industry is immune from the risk of cyber-attacks or security breaches (“security incidents”). Hackers are no longer just interested in credit card information; they are also targeting medical information, insurance information, voter and political interest data, employment history, children’s information, and businesses’ proprietary data.[1]

Based on the increasing sophistication of hackers and the proliferation of data stored on mobile devices, it is likely that the number and severity of security incidents will continue to grow. Every company and every organization needs plans, procedures and processes in place to detect, mitigate, respond to and remediate the impact of such security incidents. This article outlines proactive strategies to assess and address the cyber risk for any company that collects, stores and maintains confidential information or employee, customer or client data.

Holistic Company Approach, Starting from the Top

In an effort to combat the increasing likelihood of a security incident, companies must review, and be willing to change, their overall approaches and attitudes toward cyber risks. No longer is the security and privacy of sensitive data just an IT issue. As noted by former U.S. Securities and Exchange Commissioner Luis Aguilar, cyber risk is a board-level issue.[2] As such, starting at the top, companies need to take a holistic approach to protecting data. Going forward, leadership on cyber risk management needs to come from executives of the company and should include, at the very least, direction, support, and approval for adequate budgets for privacy and IT security programs. Further, in addition to increasing executive focus on cyber risks, companies need to realize that adherence to protections put in place against a security incident, as well as

the effective handling of a security incident, are shared responsibilities of every functional group of the organization. Cyber risk management cannot just be an attitude of compliance, but needs to be the responsibility of every employee. Cyber risk management requires the cooperation and teamwork of every employee company-wide, including legal, IT, human resources, accounting, payroll, sales, customer service and audit. The culture of the company must emphasize that every employee plays an important part in maintaining the security of the company’s sensitive data.

Including a company’s legal department in the company’s cyber risk management approach is especially important because of the patchwork of legal and regulatory requirements. Depending on where a company is located and where the customers whose data it collects and stores are located, a company can be responsible for complying with varying local, state, and federal laws and regulations. Also, depending on the company’s industry, the company may be subject to different federal regulations, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, Sarbanes-Oxley, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, the Privacy Act, the Electronic Signatures in Global and National Commerce Act, the Federal Information Security Management Act or the Homeland Security Act of 2002. Additionally, various federal agencies may also have oversight over how a company handles data, such as the Federal Trade Commission, the Department of Health and Human Services and the Office of the Comptroller of the Currency. Furthermore, in addition to complying with applicable local, state and federal laws and regulations, a company may also need to comply with various international laws.

The impact of a security incident can be staggering. The legal and regulatory costs alone can have a major impact on the financial viability of a company, not to mention the reputational damage caused by a security incident. Customers may abandon their relationship with the company or the company may lose out on future sales. A security incident could also affect current negotiations with new business or bring negotiations related to a merger to a halt.

Overview of Cyber Protection Program

So now that it is clear that the potential of a security incident happening is not “if,” but “when,” where does a company start?

The following is an overview of steps a company could follow to develop a cyber risk management plan. This is not legal advice and should in no way be considered an exhaustive list of all steps needed to prevent or deal with security incidents.

• Assess current security, risks and gaps;

• Develop an implementation plan;

• Implement solutions;

• Analyze documents, decisions and rationale for decisions; and

• Reassess continuously.

Assessment of Current Security, Risks and Gaps

Companies should start by conducting a self-assessment by assessing their cyber risk management policies and programs against conceptual frameworks, industry standards and best practices. There are several resources available for such an assessment, including “2016 Data Protection and Breach Readiness Guide,” released by the Online Trust Alliance on January 26, 2016;[3] “Start with Security, A Guide for Business, Lessons Learned from FTC Cases,” published by the Federal Trade Commission in June 2015;[4] and the U.S. Cybersecurity Framework, developed by the National Institute of Standards and Technology (NIST) in February 2014,[5] amongst others.

Regardless of the framework used, a company needs to identify its potential security risks and determine the magnitude and the probability of the occurrence of such risks. A company should also analyze and identify how data flows through the organization. What data is created, received, maintained or transmitted by the company? What are some of the less obvious sources of sensitive data, such as portable devices? What are external sources of sensitive data? Do vendors or consultants create, receive, maintain or transmit sensitive data on the company’s behalf? What are the human, natural, and environmental threats to the company’s information systems that contain sensitive data? What security measures are already in place to protect sensitive data? Is executive leadership and/or management involved in the risk management and mitigation decisions? Are security processes being communicated throughout the organization? Does the company need to engage other resources to assist in risk management?

Once a company has identified its current security risks, it should ascertain where it needs or wants to be in terms of such identified risks. The company should then assess where the gaps are between where the organization is and where it needs to be.

Once the company has identified potential security risks and assessed the gaps between where it is and where it needs to be, the company can use such information to inform budget planning, communicate risks to senior leadership, and work to effectively and continually manage its cyber risk. This assessment step is not a one-time event. Companies need to continuously assess and manage risk, especially as technology changes, personnel and leadership change, and the legal landscape continues to evolve.

Develop an Implementation Plan

After completing a self-assessment and identifying the gaps in its cyber risk management plan, a company should develop a plan to address those gaps.

Keep in mind that there is no one-size-fits-all security plan or program. Every company needs to consider its size, complexity and capability, as well as its technology infrastructure, hardware, and software security capabilities. Every company also needs to consider the costs of various security measures, together with the probability and criticality of potential risks to sensitive data.

A comprehensive cyber risk management plan should include a combination of administrative, physical and technical safeguards to protect sensitive data. The plan may also include training, vendor management, response plans and cyber insurance requirements.

Administrative Safeguards

Administrative safeguards are intended to address risks that arise as a result of administrative functions, such as the following:

Assigned Security Responsibility. It is recommended that a company have at least one individual who is operationally responsible for the company’s cyber security program. This should be an individual with adequate authority to make decisions and delegate responsibility.

Sanctions Policies. The administrative safeguards should include a sanctions policy so employees understand the consequences of violating the company’s cyber security policies and, in effect, assist in deterring non-compliance.

Information System Activity Review. Companies should have procedures in place to review information system activity in order to determine if any sensitive data is used or disclosed in an inappropriate manner. This would include review of audit logs and activity review reports generated by the information systems. The cyber risk management plan should dictate the specifics of the reviews and how often such reviews should be conducted.

Information Access Management. A company should restrict access to sensitive data to only those persons and entities with a need for access and only provide the minimum necessary access required for a person or entity to do his, her or its job. This includes workforce security procedures dictating the grant of authorization to the sensitive data, workforce clearance procedures, and termination of any previously granted authorizations. Information access management should also include processes for granting, modifying and revoking access privileges.

Evaluation. Ongoing evaluations of the security of a company’s data and information systems should be done regularly, especially when environmental or operational changes occur that may affect the security of the system or data. A company should conduct evaluations on a scheduled basis and should review the technical and non-technical aspects of the cyber risk management plan. A company should consider whether to include penetration and vulnerability testing in its evaluations, in addition to whether or not it is necessary to hire a third party to evaluate the company’s security.

Physical Safeguards

Physical safeguards are intended to protect a company’s information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Physical safeguards may extend outside an actual office and include workforce members’ homes or other physical locations where sensitive data is accessed. Physical safeguards include door locks, electronic access control systems, security officers, identification badges, visitor badges, escorts for large offices, and/or video monitoring. Meticulous records should be kept on all maintenance repairs and changes made to any physical safeguards (such as changing locks and installing new security devices).

Physical safeguards also include protecting workstations that store or access sensitive data from public access or viewing. Safeguards related to workstations should also include policies and procedures related to workstation use and security. Such safeguards may include keeping an inventory of all current workstation locations and analyzing the appropriateness of any workstations located in public areas or laptops used as workstations. Evaluating whether workstations are in areas that are more vulnerable to unauthorized use, theft, or viewing of the data they contain and relocating any vulnerable workstations to enhance physical security may help alleviate risk.

Physical safeguards should also address the company’s policies for the disposal, re-use, accountability, backup and storage of devices and media.

Technical Safeguards

Technical safeguards are the technology used to protect sensitive data and control access to it. As stated earlier, there is no one-size-fits-all for specific technology solutions. Each company needs to determine which security measures to implement based on what is reasonable and appropriate for the organization given its own unique characteristics.

Typically, technical safeguards include access controls, specifically unique user identification, emergency access procedures, automatic logoff, encryption and decryption. Technical safeguards may also include audit controls with a reporting method. In addition, technical safeguards typically provide integrity standards that are used to confirm that sensitive data has not been altered or destroyed in an unauthorized manner, address person or entity authentication standards to verify that users are who they claim to be, and assure transmission security through the use of strong passwords and encryption.

Implement Solutions

Training

A company with the best and most robust cyber security policies in place may still be unprotected and unprepared for a security incident if its personnel are not aware of the policies or their role in adhering to and enforcing such policies. As such, all new and existing members of the workforce should be trained on the company’s cyber security policies. A significant number of security incidents each year are caused by a company’s own workforce members’ activities that are usually preventable, such as losing an unencrypted portable device containing sensitive data, forgetting to log out of a remote session accessing the company network through a public computer, or downloading a malicious virus. Training on a company’s cyber security policies can consist of security reminders (notices in printed or electronic forms, reminder posters, agenda items at monthly meetings, etc.), protection from malicious software (education related to malicious software included in email attachments or downloaded from the Internet), and password management (guidelines for creating strong passwords and changing them regularly).

Vendor Management

Another key step in implementing a cyber risk management program requires that a company manage its vendors. The company itself may have very rigorous security policies, procedures and safeguards in place, but if it allows its third party vendors access to its networks or sensitive data without applying the same rigors, all of its efforts may be for naught.

Due Diligence. Before allowing any third party vendor or partner access to the company’s data or networks, the company should conduct due diligence on the vendor. Such due diligence should include a background check, an evaluation to see if the vendor is financially viable, and a review of the vendor’s privacy and security policies. The company has gone to the trouble of putting security policies and procedures in place. Has the vendor done the same? Conducting an on-site visit to the vendor’s data center or the location where the vendor intends to perform the services should highlight the physical safeguards (or lack thereof) the vendor has in place.

Storing Data Offshore. In addition, the company should find out where its data will be accessed and stored. Will such data be accessed or stored offshore? If the vendor plans to access or store the company’s data offshore, the company must consider additional security issues, including an examination of the privacy and security laws of the host nation. The company should also complete an examination of its own customer contracts to see if there are any prohibitions or additional requirements if customers’ data is accessed or stored offshore.

Written Agreement. If the company is satisfied with the vendor’s level of security and privacy safeguards and is ready to move forward with the vendor, a written agreement should be entered into with the vendor obligating the vendor to abide by certain key provisions specific to the privacy and security of the company’s data. At the very least, such agreement should include an agreed-upon set of security policies and procedures or standards, which require the vendor to abide by, and maintain, safeguards against the unauthorized access, destruction, loss or alteration of the company’s data. The agreement should also include an incident response plan for addressing security and privacy breaches. How soon after an incident is the vendor required to notify the company and whom should they notify? For example, if the company is under regulatory requirements to notify customers of the unauthorized disclosure of their personally identifiable information within 30 days of the disclosure, the company will need to be notified sooner than the 29th day after the incident. Further, the company should consider including the following ongoing vendor obligations in the agreement:

• an ongoing and immediate right for the company to retrieve its data at any time;

• audit rights to allow the company to continually monitor the vendor’s compliance with the agreement;

• if applicable, a requirement that the vendor hire a third party to audit the vendor (e.g. SOC1/SSAE16) and provide the results of such audit to the company;

• a list of all third party certifications or attestations that the vendor is required to maintain (e.g. ISO 27001, PCI DSS, etc.); and

• as discussed in detail below, adequate insurance coverage for security and privacy breaches.

Further, if the company has the leverage and ability, the agreement with the vendor should specify the locations where the vendor will store and access the data and indemnification for breaches of confidentiality, privacy and security obligations and failures to comply with applicable law, together with unlimited liability (or at least a very large cap) on the part of the vendor for damages related to such indemnification.

A company’s agreement with a vendor is the tool to manage the relationship with the vendor. However, note that while executing an agreement with the vendor is a positive first step, the company needs to actively monitor the vendor’s performance and compliance with the agreement, enforce the terms of the agreement and use the tools included in the agreement (e.g. audit rights).

Response Plan

A cyber breach response plan is needed in order to respond to security incidents with immediacy. The cyber breach response plan should include the following:

• Procedures for reporting security incidents, including the names and contact information for individuals within the company that should be notified in the event of a security incident;

• A response team: The company’s response team needs to include an executive with decision-making authority who reports to the company’s board of directors. In addition to at least one executive, the company’s response team should be comprised of representatives from every functional organization within the company, together with “first responders” who are available to respond 24/7;

• Notification trees and communication templates;

• Procedures for documenting the incident and outcomes and the process for evaluating and mitigating the incident;

• Contact information for legal counsel responsible for assisting with a cyber attack or security breach, law enforcement personnel with whom the company has already established a relationship, public relations experts, and forensics experts;

• To the extent any of the necessary resources for responding to a security incident include third parties or outside consultants, such relationships and agreements should be established and executed well before the occurrence of a security incident. Time or leverage to negotiate a services agreement with a public relations firm or credit monitoring firm while the company is in the midst of responding to a crisis are, unfortunately, luxuries the company will not have;

• Backup and contingency plans in case; and

• A contingency plan to recover access to the company’s data in the event the security incident shuts down or impairs the information systems of the company or disrupts critical business operations. Such contingency plan may include plans for data backup, disaster recovery, emergency mode operation, and testing procedures. It is also a good idea to prioritize in advance which applications and data are most critical to help determine which applications or information systems should be restored first and/or which must be available at all times.

In addition to having a cyber breach response plan written down on paper, the company should regularly practice and test its response plan and revise the plan based on the test results.

Cyber Insurance

Another key component to minimize the risk associated with cyber-attacks is to obtain and carry cyber insurance. The increase in the number and sophistication of data breaches in

the last few years has led to an increase in demand for cyber insurance; however, there is a lack of uniformity in the policies and terms being offered in the market today. It is important to work with an insurance broker that has expertise in the field of cyber insurance. More and more insurance companies are looking at a company’s security practices, past history and business sector to determine premiums. Many times, insurance companies also require an audit and risk assessment with review of data types collected and retained, as well as whether a disaster response plan is in place to help prevent, detect and mitigate the impact of a data loss incident. Broadly-worded exclusions should be understood and negotiated and companies should be wary of warranty statements on applications.

Document Analysis, Decisions and Rationale for Decisions

Whenever a security incident occurs or a company discovers gaps in its security protections from completing a self-assessment or third-party assessment of its cyber security program, it is important to document, in writing, the analysis the company went through and the decision the company came to on how to respond, react, address or not address the security incident or gap, together with the rationale for such decision. Such analysis may help document that the company was diligent in its cyber security efforts and made rational and reasonable decisions based on the circumstances in place at the time of the occurrence.

Continuously Reassess

Minimizing cyber security risks is a constant effort. Even after the company expends the time and resources to assess itself, create policies, procedures and programs, conduct training and obtain cyber insurance, it needs to be continually evaluating and reassessing its safeguards, policies, vendor relationships and vendor compliance and insurance coverage amounts. The company should regularly conduct self-audits and review audit logs and reports produced by its information systems and provided by its third-party partners and vendors. The company should constantly be looking for new and better ways to protect itself, especially as laws and regulations change and its technology and environment evolve.

Conclusion

Companies in today’s technology-driven environment will never be able to eradicate the risk of a security incident; however, with the efforts of the whole organization, including executives, companies can help minimize such risk with a cyber risk management plan. The development of a cyber risk management plan can assist a company in assessing current and future risks, while putting in place administrative, physical and technical safeguards. Further, a cyber risk management plan requires a company to consider security risks and protections perhaps never previously considered, including security policies and procedures of vendors and the need for cyber insurance. With careful planning and continued monitoring through a cyber risk management plan, companies can manage security threats and mitigate the impact of such security threats.

Endnotes

[1] Anthem breach, http://www.computerworld.com/article/2888267/anthems-now-says-788m-were-affected-by-breach.html; Voter data, http://www.forbes.com/sites/metabrown/2015/12/28/voter-data-whats-public-whats-private/; the Office of Personnel Management breach contained over 21 million records of government employees and contractors; and the VTech breach impacted 6.3 million children, including their names, home addresses, passwords, selfies and chat logs, https://motherboard.vice.com/read/hacked-toymaker-vtech-admits-breach-actually-hit-63-million-children.

[2] On June 10, 2014, Commissioner Aguilar spoke at the New York Stock Exchange “Cyber Risks and the Boardroom Conference.” http://www.sec.gov/News/Speech/Detail/Speech/1370542057946.

[3] https://otalliance.org/resources/data-breach-protection

[4] https://www.ftc.gov/news-events/blogs/business-blog/2015/06/start-security-new-guide-offers-lessons-ftc-cases

[5] http://www.nist.gov/cyberframework/index.cfm