Checklists

Guidelines for Securing Effective Cyber Insurance Policy Terms

With no end in sight to high-profile cyber attacks, more companies are taking out insurance against an incident. While insurance does not mitigate all of an organization’s cyber risk, it is one way to manage it. This guide outlines steps and considerations for securing the right policy terms and amount of coverage, and receiving the optimal payment and services from the insurance company after an incident. See our three-part series on using cyber insurance to mitigate risk: “From Assessing the Need to Managing Existing Policies” (Oct. 3, 2018); “Getting Savvy About Cost and Policy Terms” (Oct. 10, 2018); and “Policy Management and Breach Response” (Oct. 17, 2018).

A Quick-Start Guide to Creating a Compliance Champion Program

Many companies do not have the budget to station a dedicated compliance professional at every company outpost around the globe, but having no compliance presence at all can make it more difficult to engage local employees and spread the company’s compliance message. Selecting well-respected local employees to serve as part-time compliance liaisons – often called “compliance champions” – in addition to their regular jobs is one creative way to address this common resource issue. To help companies that are considering this approach, we have put together a quick-start guide to selecting, training and utilizing local employees as champions of the compliance program. See also “How to Make the Most of Limited Compliance Resources” (Jan. 31, 2018).

Essential M&A Cybersecurity Due Diligence Questions

Pre-acquisition cybersecurity due diligence is critical to determine whether the deal is worthwhile, what price or term adjustments may be needed and also what future remediation or fixes should be anticipated. The Cybersecurity Law Report distills expert advice into this list of must-ask due diligence questions. See “The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End” (Jun. 28, 2017); and “Cybersecurity Due Diligence in M&A Is No Longer Optional” (Aug. 24, 2016).

Ten Steps for Effective Crisis Communications

Following a cyber incident, companies face substantial reputational and financial harm, and poorly handled communication can magnify the problem. Controlling the message is essential not just for preserving the brand’s reputation, but also for properly handling the investigation, meeting regulatory obligations and responding to the breach as effectively as possible. The Cybersecurity Law Report has distilled valuable advice into ten specific actions to ensure effective communication. See also “Cyber Crisis Communication Plans: What Works and What to Avoid (Part One of Two)” (Jun. 14, 2017); Part Two (Jun. 28, 2017).

A Roadmap to Preparing for and Managing a Cyber Investigation

A successful cyber investigation starts before an incident: creating an effective incident response plan and fostering strong relationships between legal and information security teams sets the foundation for tackling the challenges that arise once an investigation has begun. In this guide, we provide a roadmap to help companies ensure they take a successful approach to preparing for and managing a cyber investigation. See “Managing Cyber Investigations: A CISO and In-House Counsel Discuss Best Practices for Real-Life Scenarios” (Jun. 20, 2018) and “Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)” (May 3, 2017); Part Two (May 17, 2017).

Fifteen Tips for an Effective Cybersecurity Board Presentation

Boards are becoming more engaged with cybersecurity issues as the risks have become more visible and the potential for director liability has risen. Directors want to be informed and are asking more detailed questions. For those providing the answers, an effective presentation is critical to obtain buy-in and budget in line with the company’s risk profile and tolerance. In addition, board presentations can be an opportunity to present cybersecurity efforts not as simply costing money, but also as creating business advantages. The Cybersecurity Law Report has compiled the following list to help with this task. See also “A CSO/GC Advises on How and When to Present Cybersecurity to the Board” (Feb. 22, 2017); and “How to Handle Rising Expectations for Board Cyber Education and Involvement” (Mar. 14, 2018).

Twenty Steps Toward Achieving an Effective Social Media Policy

Social media use is pervasive throughout the workplace for marketing and communication purposes, and given the complex security and privacy concerns it presents, crafting, enforcing and maintaining an effective policy is both challenging and important. The Cybersecurity Law Report has compiled a list of 20 considerations for an effective and up-to-date social media policy, whether a company is starting from scratch or looking to enhance its extant policy. See also “Crafting a Multinational Employer Social Media Policy After Cambridge Analytica” (May 16, 2018); “What It Takes to Establish Compliant Social Media Policies for the Workplace” (Mar. 22, 2017); and “Best Practices for Mitigating Compliance Risks When Investment Advisers Use Social Media” (Apr. 5, 2017).

Checklist Approach to Effective Third-Party Vendor Oversight

Firms rely heavily on third-party vendors in their day-to-day operations, but these vendors can introduce great risks. To mitigate risk, companies should systematically and thoroughly oversee each relationship. Once a third-party contract is established, companies should assess the vendor relationship for ongoing risk and develop procedures to address issues and risks as they are identified. This guide details risk-assessment considerations and steps to address and mitigate ongoing risk and compliance issues. See also “How to Maintain Effective and Secure Long-Term Vendor Relationships: Understanding the Risks (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).