1. What is your risk management knowledge:
The first question to ask senior management and legal counsel is not how to mitigate litigation risk. You should first evaluate their understanding of risk management, of the critical assets to protect, of the company's risk appetite, of the differences between cyber risk management and compliance, and of how their personal liability may arise.
2. Do you know the legal rules:
Do you have a clear understanding of the laws, regulations (NIS, PCI DSS, GDPR, …), contract clauses and self-enforcing standards that apply to your industry, your geographic territory and the consumers you serve?
3. How do you assess the legal risks:
Who is currently assessing the litigation risks, and what audit standards and procedures are in place to ensure compliance? How do you measure compliance? Are you able to measure and demonstrate compliance with global data privacy regulations?
4. How do you manage EU Personal data/GDPR:
Are you processing personal data of EU consumers? If yes, do you know the GDPR compliance steps that need to be followed when collecting, processing and storing EU consumers' personal data?
5. Do you manage third-party risks:
Has management taken steps to mitigate the cybersecurity risks associated with outsourcing business functions to third parties (e.g. due diligence, periodic review of contractual agreements)? Have you included your legal and regulatory obligations in their contracts and SLAs?
6. What is your action plan:
What kind of resources (people & budget) is management willing to commit to the identified compliance efforts? Have you calculated the financial impact if high-risk data is leaked? How do you measure the potential costs of not being compliant?
7. Are you prepared for the worst:
Have you set up an appropriate incident response plan to handle a security incident? How prepared is the business to work with state and local government cyber incident responders and investigators, as well as contract responders and the vendor community? Do you have procedures in place to communicate with your customers? Is there a team (e.g. a Crisis Committee) established to address these kinds of situations? Are you aware of any notification or reporting requirements (e.g. 72 hours maximum under GDPR)?
8. How do you stay up-to-date:
Does management have an effective system in place for staying abreast of, and complying with, evolving state and international data security laws and regulations that apply to its operations?
9. Do you have Cyber Insurance:
Did management assess its risk exposure and take out adequate cyber insurance as part of the firm's overall cybersecurity risk mitigation strategy? Does the cyber liability coverage cover the costs related to a data breach, including privacy breach, notification expenses, litigation, loss of income, regulatory fines and penalties, and other expenses?
10. How do you make cyber risk management part of everybody's job:
Has management instituted an effective training program that instructs employees on the appropriate handling and protection of sensitive data and helps avoid litigation? Do you document the company's efforts to train employees on information security, phishing, password creation/protection and network/access controls? Do you maintain appropriate data privacy and cybersecurity policies and agreements, and communicate them to the workforce?
If you need help to answer these questions, contact us today!
firstname.lastname@example.org or +32 2 318.12.71