An interesting article by Jerome Roche, Caitlin Potratz Metcalf and Elias Gurewitsch from Linklaters setting out in detail the SEC's new guidance on cybersecurity and resilience. Irrespective of whether your firm is regulated by the SEC, cybersecurity is a boardroom issue and one that must be taken seriously. The guidance set out in this article is a good starting point for anyone.

Starting with a risk assessment: above and beyond anything else, cybersecurity is a risk issue that must be understood and quantified by senior management, so that they can determine which controls are appropriate and effective in reducing the risk. It is no different from any other enterprise risk factor.

The article also touches on some familiar key controls such as:

  • Limiting access rights so only people who need to have access to data and systems have access to it, rather than everyone;
  • Ensuring that the vendors that companies use also have appropriate cybersecurity controls in place;
  • Ensuring you have a documented and tested incident response plan;
  • Education, education, education: one of the key cybersecurity controls is to ensure that employees receive regular training on cybersecurity;
  • Implementing an appropriate BYOD policy, and enforcing it;
  • Implementing procedures to prevent data loss and data breaches; and
  • Ensuring that you regularly revisit cybersecurity precautions and that they are in line with industry practice.

At the moment, with everyone working from home given the current crisis, there are additional risks that must be considered and assessed. My colleague, Lorenzo Grillo, has developed an excellent program to help companies perform a cybersecurity rapid assessment for remote working. Please let us know if you'd like to know more!