FEATURE
 Cybersecurity Risks
Jason Chipman
Managing
These four attributes pave the road to success in safeguarding data
When organizations think of cybersecurity, they too often frame the topic as something for the CIO or the IT department, a technical issue that requires management by technical people. That is a mistake. Cybersecurity is fundamentally a risk management exercise, and organizations that are effective at managing cybersecurity risks approach the topic as something for senior management to understand and oversee.
10 DELAWARE LAWYER SPRING 2020
There is no single solution to manag- ing cybersecurity risks, just as there is no single solution to managing risks associated with Foreign Corrupt Prac- tices Act compliance, developing sanc- tions compliance programs, or maintain- ing physical security. Cybersecurity risks present themselves in innumerable ways that change frequently. Organizations successful at navigating this environment do not rely on a single piece of technol- ogy or a smart hire, although technology and smart leaders are certainly important. Instead, they have directors, lawyers and executives who ask the critical questions and create the right environment to man- age their information security. These successful organizations typically have at least four attributes in common.
First Attribute: Evaluating Risks
Successful organizations evaluate their
risks, both from the perspective of po- tential attackers (who wants to steal our data and why?) and from a regulatory per- spective (where could we face liability for cybersecurity failures?). For some organi- zations, the risks are obvious. Businesses that collect payment card data face risks that bad actors will try to steal card in- formation, and the loss of card data may trigger notification obligations, Federal Trade Commission inquiries and simi- lar regulatory action intended to protect consumers. Organizations that do not handle sensitive personal data may still face threats to company IP, trade secrets, customer information and employee data.
In the United States, the regulatory environment for cybersecurity standards and breach response differs from sector to sector. Government contractors are gen- erally required to comply with special se-