Pub. 4 2024 Issue 3

4. Cybersecurity, and especially compliance, is a legal issue that requires a thorough understanding of the laws and regulations that are applicable to your organization. Do not forget about your contracts. Many organizations have far more “laws” governing them through their contracts than from any other source.

5. Your organizational risk assessment should include third parties you rely on for services or that have your sensitive data. As the Colonial Pipeline attack showed, a successful attack on one service provider in the energy sector shut down all organizations relying on its services. The same thing just occurred with the attack on Change Healthcare, which impacted all of the organizations relying on its services. The financial services sector is due for a similar attack. What service providers does your organization depend on, and how will you continue to operate if something were to happen to them?

6. Your organization must have a team-oriented approach to managing cyber risk, both internally and externally (with the partners you rely on or will rely on if you have an incident). Cyber risk is an overall organizational risk, not just an “IT risk,” and your team’s different perspectives are invaluable. At a minimum, your team should include members who focus on information security, information technology, legal, compliance, privacy, audit, risk, operations, human resources and communications. For smaller organizations, one person may fulfill many of those roles, and that is when having external partners with specific expertise can be very beneficial.

Shawn Tuma is an attorney widely recognized in data privacy and cybersecurity law, areas in which he has practiced for over 25 years. He is co-chair of the Data Privacy & Cybersecurity practice group at Spencer Fane LLP and works with clients across the U.S. Shawn can be reached at stuma@spencerfane.com or (972) 324-0317.