John Reed Stark
The Cybersecurity Due Diligence Handbook: A Plain English Guide for Corporations Contemplating Mergers, Acquisitions, Partnerships, Vendors or Other Strategic Alliances and Relationships
BookBaby
ISBN 9781483571508
1
CHF 37.90
Other
English
78
No copy protection
PC/MAC/eReader/Tablet
ePUB
Cybersecurity due diligence has been defined as "the review of the governance, processes and controls that are used to secure information assets," which is a broad and sweeping undertaking equal to, or even more important than, financial and legal due diligence considerations. Shareholders, regulators, employees, management and everyone else involved in a transaction expect cybersecurity due diligence to be a substantial effort to understand a company's data security issues. So what does proper and appropriate cybersecurity due diligence entail? This cybersecurity due diligence primer, specially tailored to apply to all kinds of corporate transactions involving all kinds of companies, will answer that question. Within this handbook, due diligence teams will find an exhaustive catalogue of categories that provide a bedrock of inquiry to help navigate cybersecurity due diligence responsibilities. In addition, this handbook provides the requisite strategic framework to engage in an intelligent, thoughtful and appropriate approach to understanding the cybersecurity risks existing at any company. By using this handbook, teams conducting cybersecurity due diligence not only can become more preemptive in evaluating cybersecurity risk exposure, but they also can successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management issue, residing at the top of any due diligence checklist.
CHAPTER FOUR: CYBERSECURITY DUE DILIGENCE OF POLICIES, PRACTICES AND PROCEDURES
The cybersecurity policies, practices and procedures in place at any company provide a critical indicator of cybersecurity wellness and should be one of the primary focuses of any cybersecurity due diligence effort.
Threat landscapes, activists, random hackers and state-sponsored actors constantly evolve, refining their techniques, altering their motivations and shifting their resources, so the best approach for a cybersecurity due diligence team is to avoid rote checklists and conduct cybersecurity due diligence in a thoughtful and holistic manner. Effective cybersecurity due diligence carefully considers changing threat actors, advanced network telemetry and emerging attack vectors.
This chapter outlines the various policies, practices and procedures involved in any cybersecurity due diligence undertaking, organizing data points into broad categories to facilitate the most effective and efficient approach.
Incident Response Plan
Background. Having a cyber-attack incident response plan is a notion that has been preached over and over again to every company (public or private), and that is an important starting point for analysis during any cybersecurity due diligence exercise. Every company should have, available for review, a current documented incident response plan that is approved by senior management and is reviewed and re-approved at least annually.
When contemplating cybersecurity, most companies allocate significant resources to fortifying their networks and to denying access to cyber-attackers. However, it is now a cliché, well-founded in reality, that data breaches are inevitable. As cybersecurity experts have noted, "There's a saying in the cybersecurity industry that there are two types of businesses today: those that have been breached and know it and those that have been breached and just don't know it."
Along those lines, just as a company has a fire evacuation plan for a building, it should have a plan in place to manage data breaches, an art form less about security science and more akin to “incident response.” At the least, an incident response plan specifies the:
•   Members/titles/contact details of the response team responsible for each of the functions of the plan (management, IT, information security, human resources, compliance, marketing, etc.);
•   Communication lines in the event of a cyber-attack;
•   Notification protocols and priorities (including law enforcement, regulators, customers, joint venture partners, vendors and anyone else who might require, or contractually be entitled to, notice);
•   Documentation and logging plans in the event of a breach;
•   Contact list of relevant outside parties such as outside counsel (who specializes in data breach response), outside digital forensics experts, local law enforcement agents, PR firms and relevant financial firms (including the company’s bank and insurer);
•   Company employees who have authority to speak and make certain decisions about the investigation;
•   Cyber insurance information;
•   Containment, remediation, recovery, training and testing plans; and
•   Nature and location of any data that is covered by other legal obligations, like medical records under HIPAA, financial records under the Gramm-Leach-Bliley Safeguards Rule or specific, contractually created data protection/breach notification requirements.
Company executive management should understand its current incident response plans: when the plan was last updated (and how often); who prepared the plan; who approved the plan; and the plan's general approach and principles. There should also exist an accurate and current network topology diagram that is adequately documented and periodically re-assessed and revised as internal systems and external factors change.
Company executives should also avoid using templates for incident response plan