I was delighted to hear that our feature article in this month’s PLC Magazine has already attracted a lot of attention. Cyber security issues need to be placed on the board agenda sooner rather than later, and before a cyber breach occurs, not as a result of one. For further information, see our practice page.
One important point we raise in the article is that businesses must first acknowledge that cyber security is not just an IT issue. It is also a people and processes issue, requiring organisations to embrace education and awareness of cyber security issues across their workforce and supply chains.
So what questions should in-house counsel ask the board to ensure that their organisations are addressing the specific risks to, and effects on, the business of a cyber attack? We set out several questions to pose to different teams in the organisation to assess a business’s cyber-readiness. Here is a selection of questions we suggest asking the board and senior executives:
- What are the key systems and information assets, including intellectual property, and who is responsible for protecting them?
- What are the reputational and financial effects of a cyber security attack?
- Are any individuals personally at risk?
- Can solutions be found that marry a desire for security with competitiveness?
- How does the organisation’s crisis response plan take information assets into account?
- How can the organisation move from reacting to anticipating the threat?
- Is the organisation considering cyber security when making investment decisions during mergers and acquisitions?
- Is the organisation exposed further up or down the supply chain?
- How regularly does the organisation review the cyber threat and update its response plans?
- Is there a culture where employees can raise issues before it is too late, and where those issues will be escalated appropriately within the business?
For those in the mood for soul-searching, here are some more suggested questions for in-house counsel and legal teams.