Your Pre-Breach Checklist
A significant breach can happen to any company.
Being prepared is the key to being resilient.
01
Make Friends with your IT/IS Department
Become familiar with your company's risk tolerance and approach to information security to develop an understanding of your company's security posture. The time to ask the important questions isn't after a breach has happened.
02
Have a Plan.
Many companies have an incident response plan. If your company does, dust it off to determine whether it needs to be updated based on the current breach environment. If you don’t have a plan, draft one, and follow it!
03
Practice.
Don’t test your plan for the first time in the middle of an actual high-stress incident.
04
Decisions, Decisions, Decisions.
Determine who within your organization will be responsible for making the tough calls (e.g., when will you go public, how will you respond to the media) and for making sure the key decision-makers understand the broader issues that have to be considered.
05
Know the Law.
Notice is driven by federal and state law and often non-U.S. laws. The number of jurisdictions with breach notification obligations is growing and in many instances includes the unauthorized disclosure of any type of personal information. Make an effort to stay abreast of the current landscape of breach-related requirements.
06
Go Outside.
Outside counsel who have a deep practice in this area will have worked on countless incidents, both large and small, and can advise on how other companies respond to similar incidents and how regulators have reacted. This is invaluable insight when the tough calls have to be made.
07
Engage Vendors.
In a significant breach incident, a company’s resources can be stretched thin. There are a wide variety of vendors that can help companies respond to a breach incident. Consider your capabilities and engage vendors before an incident occurs.
08
In Case of Emergency, Call.
The list of individuals and entities that you may need to contact in the event of a significant breach is probably longer than you think. While it seems simple, it can reduce stress in the heat of the moment if you have a comprehensive contact list.
09
Consider Coverage.
Cyber insurance is one of the fastest-growing areas of the insurance market today. It’s quite possible that your company already has a policy that would provide at least some coverage in the event of a security breach. If so, review the policy to get a sense of the breadth of the coverage, and consider whether that coverage is appropriate for your company’s needs. If your company does not have a policy, consider the costs and benefits of obtaining coverage.
10
Don’t Delay.
Although you can’t control whether a breach occurs, you can control how your company responds. Most companies with whom we work find that there is more that they can do to prepare for a potential breach event. In light of the public, regulatory, and internal scrutiny that a high-profile breach brings, don’t delay in considering your preparedness to respond to such an event.
For more information, visit our Cybersecurity Resource Center.