Checklist Covering CSRB Recommendations on Five Areas for Strengthening Cyber Defenses

A report released by the Cyber Safety Review Board (CSRB) in 2023 (Report) framed five critical spheres for cybersecurity improvement based on weaknesses leveraged by Lapsus$ during attacks carried out in 2021 and 2022. Organizations can use this checklist derived from the Report, and incorporating related commentary from Manatt partner Paul H. Luehr, to strengthen measures in areas the Report highlighted, including identity and access management, building resilience, mitigating third-party risk, mitigating telecommunications vulnerabilities and addressing law enforcement challenges. For in-depth coverage on the Report, see our two-part series “CSRB Report on Lapsus$ Attacks”: “Key Takeaways and Law Enforcement Cooperation” (Sep. 20, 2023), and “Moving Beyond MFA, Building Resilience and Mitigating Third-Party Threats” (Sep. 27, 2023).

Checklist for Selecting Privacy Tech Solutions

Companies are eager for software tools to encode privacy compliance into their data operations. Yet selecting one remains difficult, particularly with the mix of incumbent and start-up vendors touting their privacy technologies’ distinctive features. While data discovery and privacy automation vendors offer improvements in an array of features, their products may rely on methods that do not work well with some companies’ data compliance approaches and constraints. This checklist, derived from our in-depth coverage on the topic, offers practical steps for selecting privacy technologies. See our two-part series on selecting the latest technology solutions for managing privacy: “Four Preparatory Steps” (Aug. 2, 2023), and “How to Kick the Tires and Decide” (Aug. 9, 2023).

Checklist for Framing and Assessing Third-Party Risk

Effective risk management involves four basic measures: (1) framing the risk; (2) assessing the risk; (3) responding to the risk; and (4) monitoring the risk. Building or enhancing a third-party risk management (TPRM) program to address third parties’ compliance with data protection and privacy regulations should include each of these steps. This checklist, derived from our previous in-depth coverage on managing third-party vendor privacy and data security risks, is intended to serve as a guide for the first two measures of a successful TPRM program – framing and assessing the risk. See “The Increasing Threat of Supply Chain Cyberattacks: How to Avoid Being a Statistic” (Sep. 28, 2022).

Checklist for Addressing Employee Data Rights Requests

The ramp‑up period for honoring employees’ rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is over. On July 14, 2023, the California AG announced an investigative sweep focused on employee data, with letters sent to unnamed large employers in the state “requesting information on the companies’ compliance with the CCPA with respect to the personal information of employees and job applicants.” The sweep puts California companies on notice that the AG's office is not waiting to enforce the CCPA/CPRA's requirements around PI collected in the recruitment and employment context. This targeted checklist, based on our previous articles and input from a Littler Mendelson expert, can help companies subject to the CCPA as they respond to employee rights requests. See “In‑House Insight on Handling Data Subject Access Requests Under Multiple Privacy Regimes” (Nov. 3, 2021).

Ransomware Incident Response Checklist

Ransomware is a multi-billion-dollar global criminal industry. Although no two incidents are the same, this checklist, derived from our in-depth content and takeaways from a recent Incident Response Forum panel, offers some streamlined best response practices in the moments, hours and days that follow a ransomware attack. See also our two-part series on lessons from the multinational takedown of Hive ransomware: “A Broad Impact” (Feb. 15, 2023), and “Coordination and Defensive Priorities” (Feb. 22, 2023).

Checklist for Preserving Privilege of Forensic Analyses Post Breach

Questions of privilege and work-product protection routinely arise in post-breach litigation, especially concerning forensic consultants’ analyses. Plaintiffs target these materials in discovery because they often provide a roadmap to the attack and include details regarding the victim business’ defenses and internal steps taken in response to a breach. Courts have grappled with these issues and reached varying holdings. This checklist, derived from our in-depth content, offers practical direction for companies seeking to preserve privilege amidst the realities of tightening judicial scrutiny. See “Looking Back on the Breach: Fundamentals of Preserving Privilege of Forensic Analyses in the Wake of a Data Breach” (Jul. 20, 2022); “Steps to Protect Privilege for Data Breach Forensic Reports” (Jan. 27, 2021); and “After Capital One Ruling, How Will Companies Protect Forensic Reports?” (Jun. 10, 2020).

Compliance Checklist for Consumer and Employee DSARs

Companies will have an expanded set of obligations to data subjects in 2023. New laws in Colorado, Connecticut and Virginia, along with new rights for employees in California, have broadened data subject access requests (DSARs). This checklist distills the steps for handling DSARs in the new year and how to adjust for the new requirements, including considerations for employee requests. See “In-House Insight on Handling Data Subject Access Requests Under Multiple Privacy Regimes” (Nov. 10, 2021).

A Checklist to Help Fund Managers Assess Their Cybersecurity Programs

Demonstrating its keen focus on cybersecurity, FINRA recently released a tool to help small firms identify key cybersecurity risks and enhance their customer information protection, cybersecurity written supervisory programs and related controls. The tool, entitled “Core Cybersecurity Threats and Effective Controls for Small Firms” (Tool), highlights the most common and recent categories of cybersecurity threats facing small firms, includes questions to assist firms with addressing those threats, provides a summary of core controls small firms should consider and contains relevant questions for firms to answer when evaluating their current cybersecurity programs. We digest these Tool components and provide a checklist created from the questions in the Tool that firms can use to assess the sufficiency of their cybersecurity programs. See “FINRA Report Addresses Common Cybersecurity Risks and Recommends Mitigation Measures” (Feb. 13, 2019).

Checklist Guide to Six Phases of Privacy and Cybersecurity Due Diligence in M&As

The primary objectives of privacy and cyber due diligence in an M&A transaction are to identify and understand risk factors, decide whether they should be mitigated before or after the deal closes, and determine how to factor the cost of post-deal remediation into the financial analysis. This checklist, derived from our in-depth content on due diligence, goes beyond the questionnaire to break down the steps within six phases of the process: target risk evaluation; deal and response diligence; pre-closing network diligence; the due diligence memorandum; contract terms; and post-closing implementation. See “Privacy and Security Due Diligence in M&A Transactions: Going Beyond the Questionnaire” (Jan. 19, 2021); “How to Conduct Effective Privacy and Data Security Diligence to Assure Value Realization in Mergers, Acquisitions and Divestitures” (Oct. 27, 2021); and “Privacy and Cyber Due Diligence in M&A Transactions” (Mar. 11, 2020).

Compliance Checklist for AI and Machine Learning

AI is no longer “some science-fiction side of technology – it is normal computer programming now,” Eduardo Ustaran of Hogan Lovells told the Cybersecurity Law Report, and efforts to regulate AI and machine learning are proliferating. This checklist is a convenient guide that companies can use to shape a compliance program for AI/ML innovation. It adapts the Three Lines of Defense risk management framework that financial companies have used for decades to ensure that earlier generations of automated decision making adhered to equal-opportunity laws, adjusting it for the latest generation of powerful algorithms to help companies gain public and regulator trust in their sensitive AI projects. See our AI Compliance Playbook series: “Traditional Risk Controls for Cutting-Edge Algorithms” (Apr. 14, 2021); “Seven Questions to Ask Before Regulators or Reporters Do” (Apr. 21, 2021); “Understanding Algorithm Audits” (Apr. 28, 2021); and “Adapting the Three Lines Framework for AI Innovations” (Jun. 2, 2021).

Checklist for Building an Identity-Centric Cybersecurity Framework

Robust digital identity management is a key part of an effective cybersecurity program. An identity-centric approach to cybersecurity can help protect against authentication threats as attackers’ techniques catch up with authentication technology, and it can also address convenience issues and mitigate insider risks. In this checklist, derived from our in-depth article series on digital identity management in a post-pandemic world, we provide a framework to assist with building an identity-centric cybersecurity program. See our two-part series on digital identity management in a post-pandemic world: “SolarWinds, Zero Trust and the Challenges Ahead” (Mar. 17, 2021); “A Framework for Identity-Centric Cybersecurity” (Mar. 24, 2021).

Essential Technology Contract Elements

Managing a company’s technology contracts is more difficult than ever, with agreements now governing thousands of corporate tasks completed using hundreds of device types. Complicating the picture, provisions from traditional IT product licenses cannot be shoehorned into the service contracts needed for cloud computing. This checklist, derived from our in-depth articles on the subject, offers a convenient summary of some of the latest tech contract terms. It is intended to help companies navigate negotiations and contract renewals as they scramble to access the latest tech products and services. See “Negotiating Reps, Warranties and Remedies in Technology Contracts” (May 19, 2021).

Post-Pandemic Workplace Vaccines and Testing Policy Checklist

As companies plan to welcome employees back to the physical workplace, uncertainty surrounds what employers can ask employees, how the information should be handled internally, how to manage access to information and whether the information can be disclosed externally. This checklist, derived from our in-depth article series, is designed to help employers take an approach that balances equal employment, safety and privacy concerns. See also our three-part series on how to facilitate a safe and privacy compliant return to work: “Laws and Guidance” (May 13, 2020); “Policies and Protocols” (May 20, 2020); “Contact Tracing” (May 27, 2020).

Checklist for IoT Security Audits

Though still in their infancy, IoT security audits can be a useful tool in managing the security challenges that may arise from the use of unmanaged connected devices such as printers, security cameras, conference room tablets and remote property sensors. These devices, rife with risk, now comprise 30 percent of businesses’ network endpoints. This checklist, which stems from our in-depth article on how to address enterprise IoT risks, can serve as a guide when conducting an IoT audit. See “How to Address Intensifying Enterprise IoT Security Risks” (Oct. 14, 2020).

Action Steps to Respond to Ransomware Attacks

Businesses are facing a surge of ransomware attacks during the COVID-19 pandemic as cybercriminals exploit employee distraction and the increased attack surface created by widespread remote working. Even before the pandemic, ransomware was transforming into a double-damage attack, as several criminal groups began adding theft of sensitive data to the crippling of computer systems. Maze-style attacks, named after the pioneering Maze Group gang, also often include threats to publish the stolen data. This checklist offers direction for companies to prepare for and respond to these complicated cyberattacks and includes considerations for developing a ransomware plan and a corporate ransomware payment policy, as well as ten immediate communication steps to take after an attack. See also “Managing Ransomware’s Mutation Into a Public Data Breach” (May 6, 2020).

Privacy Compliant Return-to-Work Checklist

Our return-to-work checklist is designed to help balance health and safety concerns with privacy and other legal considerations, which can be overwhelming when implementing plans to get employees back into a physical workplace. See our three-part series on how to facilitate a safe and privacy compliant return to work: “Laws and Guidance” (May 13, 2020); “Policies and Protocols” (May 20, 2020); “Contact Tracing” (May 27, 2020).

Eleven Key Components of an Effective Privacy Program

This article lists 11 essential elements companies should include in their privacy programs – and tailor to their risks and needs – and provides references to Cybersecurity Law Report content that contains more in-depth tips and operational advice on how to develop and implement these components. See also “How GoDaddy Built an Effective Privacy Program” (Nov. 7, 2018).

30 Creative Ideas for Compliance Messaging

Communicating compliance messages to the right people in the right format outside of formal training sessions is a perennial challenge. Using concepts from behavioral science, along with creativity and a sense of fun, the compliance professionals we have spoken with have come up with some surprising ways of getting their compliance messages across. Here we have compiled 30 real-life examples from over a dozen multinational companies to use as a jumping off point for companies looking to take a fresh approach to their compliance messaging. See “How the World’s Most Ethical Companies Are Aligning Corporate Culture and Strategy” (May 15, 2019).

Dos and Don’ts of Choosing a Cyber Insurance Broker and Navigating the Application Process

Cyber liability insurance should be part of a company’s plan to combat the inevitable damage and business loss caused by a cyber attack. Complex insurance decisions require expertise and know-how, and to make it through the maze of cyber liability insurance options, many companies opt to work with qualified cyber liability insurance brokers. This guide outlines some dos and don’ts when selecting a broker and navigating the application process. See our three-part series on using cyber insurance to mitigate risk: “From Assessing the Need to Managing Existing Policies” (Oct. 3, 2018); “Getting Savvy About Cost and Policy Terms” (Oct. 10, 2018); and “Policy Management and Breach Response” (Oct. 17, 2018). See also “Guidelines for Securing Effective Cyber Insurance Policy Terms” (Apr. 17, 2019).

Guidelines for Securing Effective Cyber Insurance Policy Terms

With no end in sight to high-profile cyber attacks, more companies are taking out insurance against an incident. While insurance does not mitigate all of an organization’s cyber risk, it is one way to manage it. This guide outlines steps and considerations for securing the right policy terms and amount of coverage, and receiving the optimal payment and services from the insurance company after an incident. See our three-part series on using cyber insurance to mitigate risk: “From Assessing the Need to Managing Existing Policies” (Oct. 3, 2018); “Getting Savvy About Cost and Policy Terms” (Oct. 10, 2018); and “Policy Management and Breach Response” (Oct. 17, 2018).

A Quick-Start Guide to Creating a Compliance Champion Program

Many companies do not have the budget to station a dedicated compliance professional at every company outpost around the globe, but having no compliance presence at all can make it more difficult to engage local employees and spread the company’s compliance message. Selecting well-respected local employees to serve as part-time compliance liaisons – often called “compliance champions” – in addition to their regular jobs is one creative way to address this common resource issue. To help companies that are considering this approach, we have put together a quick-start guide to selecting, training and utilizing local employees as champions of the compliance program. See also “How to Make the Most of Limited Compliance Resources” (Jan. 31, 2018).

Essential M&A Cybersecurity Due Diligence Questions

Pre-acquisition cybersecurity due diligence is critical to determine whether the deal is worthwhile, what price or term adjustments may be needed and also what future remediation or fixes should be anticipated. The Cybersecurity Law Report distills expert advice into this list of must-ask due diligence questions. See “The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End” (Jun. 28, 2017); and “Cybersecurity Due Diligence in M&A Is No Longer Optional” (Aug. 24, 2016).

Ten Steps for Effective Crisis Communications

Following a cyber incident, companies face substantial reputational and financial harm, and poorly handled communication can magnify the problem. Controlling the message is essential not just for preserving the brand’s reputation, but also for properly handling the investigation, meeting regulatory obligations and responding to the breach as effectively as possible. The Cybersecurity Law Report has distilled valuable advice into ten specific actions to ensure effective communication. See also “Cyber Crisis Communication Plans: What Works and What to Avoid (Part One of Two)” (Jun. 14, 2017); Part Two (Jun. 28, 2017).

A Roadmap to Preparing for and Managing a Cyber Investigation

A successful cyber investigation starts before an incident with creating an effective incident response plan and fostering strong relationships between legal and information security teams to set the foundation for tackling the challenges that arise once an investigation has begun. In this guide, we provide a roadmap to help companies ensure they take a successful approach to preparing for and managing a cyber investigation. See “Managing Cyber Investigations: A CISO and In-House Counsel Discuss Best Practices for Real-Life Scenarios” (Jun. 20, 2018) and “Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)” (May 3, 2017); Part Two (May 17, 2017).

Fifteen Tips for an Effective Cybersecurity Board Presentation

Boards are becoming more engaged with cybersecurity issues as the risks have become more visible and the potential for director liability has risen. Directors want to be informed and are asking more detailed questions. For those providing the answers, an effective presentation is critical to obtain buy-in and budget in line with the company’s risk profile and tolerance. In addition, board presentations can be an opportunity to present cybersecurity efforts not as simply costing money, but also as creating business advantages. The Cybersecurity Law Report has compiled the following list to help with this task. See also “A CSO/GC Advises on How and When to Present Cybersecurity to the Board” (Feb. 22, 2017); and “How to Handle Rising Expectations for Board Cyber Education and Involvement” (Mar. 14, 2018).

Twenty Steps Toward Achieving an Effective Social Media Policy

Social media use is pervasive throughout the workplace for marketing and communication purposes, and given the complex security and privacy concerns it presents, crafting, enforcing and maintaining an effective policy is both challenging and important. The Cybersecurity Law Report has compiled a list of 20 considerations for an effective and up-to-date social media policy, whether a company is starting from scratch or looking to enhance its extant policy. See also “Crafting a Multinational Employer Social Media Policy After Cambridge Analytica” (May 16, 2018); “What It Takes to Establish Compliant Social Media Policies for the Workplace” (Mar. 22, 2017); and “Best Practices for Mitigating Compliance Risks When Investment Advisers Use Social Media” (Apr. 5, 2017).

Checklist Approach to Effective Third-Party Vendor Oversight

Firms rely heavily on third-party vendors in their day-to-day operations, but these vendors can introduce great risks. To mitigate risk, companies should systematically and thoroughly oversee each relationship. Once a third-party contract is established, companies should assess the vendor relationship for ongoing risk and develop procedures to address issues and risks as they are identified. This guide details risk-assessment considerations and steps to address and mitigate ongoing risk and compliance issues. See also “How to Maintain Effective and Secure Long-Term Vendor Relationships: Understanding the Risks (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).