February 18, 2020

Cyber Response Plan Testing

When it comes to “cyber response plans,” the planning stage is a lot more useful if it’s actually been tested. A blog discussing the recently issued SEC OCIE Cybersecurity and Resiliency Observations says if you’re not practicing what to do when you experience a cyber attack, you’re not being realistic about your chances of effectively responding to it.

Although the SEC OCIE observations are primarily directed toward broker-dealers and investment advisors, the recommendations seem worthwhile for any company, one being testing and monitoring:

Establishing comprehensive testing and monitoring to validate the effectiveness of cybersecurity policies and procedures on a regular and frequent basis.  Testing and monitoring can be informed based on cyber threat intelligence.

It also recommends testing the incident response plan and potential recovery times, using a variety of methods including tabletop exercises.  If an incident occurs, implement the plan and assess the response after the incident to determine whether any changes are necessary.

This recent blog from McGuireWoods is helpful because it summarizes how to run an effective tabletop exercise to test your response plan. Here’s a few recommendations:

– Objectives – set ground rules for the exercise, who speaks first, is there a budget for the response, level of detail to be provided, determine the focus of the exercise – detection, containment, etc.

– Evaluation – think about how to evaluate the exercise, identify a note-taker during the exercise, detail the evaluation process

– Full participation – ensure key participants coordinated their responses, ensure contractual partners are included, determine who has authority to resolve disagreements

– An experienced facilitator – bringing in an experienced facilitator can help ensure all areas have a voice and that the exercise stays on track so the result is measurable

Tips for Improving Data Privacy Provisions

Besides testing your cyber response plan, another thing to consider is the data privacy provision in contracts.  I recently came across this memo in that provides 8 tips for improving data privacy provisions in contracts.  Most of us can think of a few service provider arrangements at our companies that we know house sensitive customer or employee data.  The last thing we want is for that service provider to experience a data breach and soon we are pulled into the crisis with them.

Improving data privacy provisions of these contracts can boost risk management efforts – here’s an excerpt from the memo with some of the tips:

– Synch the indemnification and limited liability provisions – no need to have a great indemnification provision if it’s all wiped away by a limited liability provision that says the vendor’s liability is limited to some small dollar amount

– Avoid early termination fees – especially important if you’ve already been working with the vendor in certain capacities, early termination as a result of a data breach seems reasonable and it’s hard to see what costs the vendor would have a right to recover

– Vendor should agree to comply with all applicable data privacy and security laws – with rapidly changing laws, the vendor may not want to do so but stressing that you don’t accept carve outs for this is necessary – how do you explain to the board that you have a vendor that doesn’t agree to abide by all applicable laws?

Tomorrow’s Webcast: “Audit Committees in Action – The Latest Developments”

Tune in tomorrow for the webcast – “Audit Committees in Action: The Latest Developments” – to hear Deloitte’s Consuelo Hitchcock, EY’s Josh Jones and Gibson Dunn’s Mike Scanlon discuss recent SEC, FASB & PCAOB guidance impacting audit committees, evolving practices for audit committee charters, agendas and meetings and how the audit committee should manage its relationship with the independent auditor.

Lynn Jokela