Broadly stated, risk management is the process of identifying, prioritizing, and mitigating business risks. Identification and prioritization of risk happen in every business at some level. To be effective, the process requires an open mind capable of considering and evaluating realistic “what if” scenarios. Mitigation of risk includes pre-loss avoidance or minimization measures, for example by implementing “best practices,” and risk transfer, whether through the contracting process with vendors and customers or through data breach insurance. Once a risk has materialized, post-loss review can identify weaknesses and the need for revisions to existing risk management strategies. Managing cyber risk involves all of these elements, and because of the potentially devastating impact of a data breach on your enterprise’s reputation, the priority of managing cyber risk is, or should be, very high for every enterprise that maintains personal and/or financial data (which is to say “all businesses”).
In the increasingly digital world we live in, most experts would agree that it is not a question of whether a particular business will suffer a data breach or other cyber risk event, but a question of when. The inevitability of a data incident counsels strongly for the development, dissemination, and regular updating of a number of important privacy and cyber security-related documents, which are either recommended or required by applicable law. We will be profiling the most common of these in the months ahead this year. All of these privacy and cyber security documents are important, but one of the most important, given that a data breach is truly only a question of when, is a Data Incident Response Plan specially tailored to your business and ready to be followed in the event of such an incident.
While such plans can and should be developed by those with deep institutional knowledge of your business, confirmation bias (the tendency to interpret new evidence as confirmation of one’s existing beliefs) may blind business leaders to operational risks and/or to effective mitigation strategies. Thus, objective, qualified third-party review of your business’s proposed Data Incident Response Plan is strongly recommended.
In high-level outline format, such a plan should:
If you need help in developing your business’s Data Incident Response Plan or in otherwise managing your cyber risk, including the use of data breach insurance as a risk management tool, please contact the author of this alert, Joe Sano, firstname.lastname@example.org, (617) 456-8145, or Bill Rogers, Data Privacy and Security Practice Group Chair, email@example.com, (617) 456-8112.