Q: Does my business need cybersecurity insurance?
Due to the high level of cyber risk in today’s business environment and exclusions for cyber events in other types of insurance policies, most businesses need cyber liability insurance coverage. However, the terms and exclusions contained within cyber insurance policies vary widely, so businesses should select and review cyber policies carefully. Obtaining legal assistance in assessing policy terms is recommended to ensure the policy adequately addresses risks unique to the business. Furthermore, startups and emerging businesses should pay attention to exclusions, such as coverage exclusions for failure to obtain minimum security standards, to ensure that they do not fail to adopt necessary cybersecurity measures and thereby undermine the coverage they have purchased.
Q: How do I put a cybersecurity policy in place?
A cybersecurity policy should be specific to your business and may vary depending on your industry and the information your business collects. It is important to first assess your overall compliance and conduct a security audit of your IT assets and practices, as well as develop a thorough understanding of the data your business collects and stores. A cybersecurity policy should inform company employees and contractors of their requirements in protecting the IT assets of the company and identifying the primary threats to those assets. A policy will outline acceptable use of the company’s IT assets, including protocols related to password management, secure file transfers, software updates, malware scans, use of social media and privacy settings, and other security guidelines designed to protect your business from cyberattacks.
Q: What are the best methods for protecting my business against ransomware attacks?
Ransomware attacks are often delivered through phishing emails that appear as if they were sent from legitimate sources. Such phishing schemes are growing more sophisticated, and it is more important than ever to routinely train your employees and independent contractors on how to spot these and other cybersecurity threats. Businesses should implement mandatory trainings throughout the year (or on an annual basis at minimum) and follow such trainings with phishing simulations to test real-world response. Businesses can protect against the impact of interruption from a ransomware attack by regularly performing backups of their systems and important files. Backups should be stored separately so they cannot be accessed on the main system network.
Q: What are some best practices to share with our team?
There are several best practices that can be used as preventative measures when it comes to cybersecurity and attacks. The tactics below could make a huge difference.
- Install internal and external firewalls to protect your network systems, invest in antivirus and malware software, and regularly backup all data.
- Educate your employees on security protocols and how to recognize phishing emails and suspicious or unknown links.
- Require strong passwords for network access and mandate that employees change their passwords on a regular basis.
- Use multi-factor authentication for accessing sensitive networks or systems.
Q: What is an incident response plan and tabletop exercise?
An incident response plan is a game plan created to guide your organization in detecting, responding to, and recovering from cyber incidents. An incident response plan is necessary to help businesses quickly identify the individuals who need to be involved in incident evaluation and response, the issues they need to consider, and the steps that they need to take. The goal, of course, is to avoid lost time and critical missteps while making an organization’s recovery as smooth as possible.
A tabletop exercise is an attempt to test the incident response plan and readiness by walking through a cyber event hypothetical. An organization’s team will consider the hypothetical and discuss the parties it needs to involve, the issues is needs to consider, and the steps it needs to take. If possible, organizations should have a cybersecurity expert present to help facilitate the conversation, grade the management of the incident, and make suggestions for improvement.
Q: Why should we spend money on legal services related to data privacy?
According to the old saying “an ounce of prevention is worth a pound of cure,” the dollars you spend now on cyber preparedness and prevention could save your business many more dollars in the future. For example, if your organization has privacy or security-related regulatory obligations and fails to satisfy those obligations by putting required measures in place, it could incur significant regulatory fines and other liabilities in the event of a cyberattack. Legal counsel can help your business identify and implement measures necessary to meet specific legal requirements and those implied by applicable standards of care. As another example, it is not uncommon for an organization to incur significant costs due to cyber events caused by the actions of a vendor and then subsequently find that large portions of the costs are not covered by their cyber insurance policy and that their ability to recover from the vendor is impeded by contractual limitation of liability provisions. Legal counsel can help you protect your organization’s ability to recover in the event of a cyberattack and avoid surprises.
Q: My company doesn’t have a whole lot of personal data. Do we even need to worry about an attack?
Not having much personal data may not necessarily mean that your business will not become a target. If your business holds any valuable proprietary business information, it could become a target for cybercriminals, whether that information includes personal data or not. You never know what assumptions cybercriminals will make about your business. On the other hand, cybercriminals often cast a wide net, and you could be targeted randomly. Regardless of the data that your business does or does not possess, it is not safe to assume that cyberattacks on your organization are not likely to occur.
If you have any further questions about cybersecurity and prevention, please reach out to one of our experienced startup attorneys who will be happy to assist you.
*This blog post is brought to you by Willa Kalaidjian and Cal Marshall.