The recent Tech GC Roundtable featured an evening of insightful discussion with in-house lawyers on lessons learned from the CrowdStrike incident.
Lessons Learned:
- Third-Party Vendor Management and Exposures – Review and update your vendor contracts regularly, including clauses addressing cybersecurity responsibilities and incident reporting. Have a formal due diligence process in place that is reviewed frequently.
- Insurance Coverage – Evaluate your cyber insurance program to understand its policy terms and coverage (including errors and omissions coverage), exclusions, claims process, and other benefits, such as complimentary “tabletop” exercises for management. Review your policy carefully and assess any coverage gaps.
- Understand the Laws – Conduct a Data Inventory and Risk Assessment to identify and categorize personal and sensitive data within your organization, assess potential risks and vulnerabilities, and know where critical tech dependencies are.
- Legal Liability and Risk Management – Avoiding any potential legal exposure to a substantial cybersecurity incident is practically impossible. However, be prepared with a solid legal strategy that includes a response to possible litigation, a public communications plan, and the preservation of evidence.
- Mitigate Director and Officer Liability – Ensure directors and officers know their fiduciary duties, including the duties of care and loyalty, with particular emphasis on recognizing “red flags” and on developing and deploying processes and procedures to monitor and safeguard the business. Verify that D&O insurance policies cover cybersecurity-related claims and provide adequate protection for directors and officers, and understand the policy terms, exclusions, and coverage limits.
- Reputation Management – Create a plan and identify key messages and actions to demonstrate commitment to security, customer support, and recovery. Communicate transparently with affected customers and partners and offer support, such as credit monitoring services.
- Crisis Communications – Develop a clear internal and external communication plan that includes guidelines for employees and critical messages, updates, and corrective actions for customer, partner, and media communications. Consider engaging your outside counsel.
- Regulatory Compliance Plan – Identify which data protection regulations apply to your business and stay informed about data protection laws and regulations.
- Post-Incident Analysis – Conduct a post-incident review of what happened, form an improvement plan, and update your incident response plan. No plan is perfect. Use the opportunity to improve it.
- Create a Culture of Security and Preparedness – Create a cyber training program for employees that regularly runs drills and simulations. Encourage employees to report suspicious activities and potential threats.
*Note: The above are presented for educational purposes only and are not intended to constitute legal advice.
Our attorneys are happy to answer any questions about Cybersecurity & Privacy.
About the Tech GC Roundtable:
The Roundtable’s mission is to bring together general counsels and top legal advisors from tech companies to promote the exchange of ideas, share best practices, and learn about current issues impacting fast-growing technology companies.