Page 14 - Delaware Lawyer - Spring 2020
• Drafting other crisis communications.
These efforts call for a cross-disciplinary approach, and that requires the right people to be part of the dialogue about how to respond to an incident. It is nearly impossible to pull together the right groups to address such complex issues from a holistic perspective if no one has thought about who should be involved, how they will communicate and who is making decisions.
It is also particularly important for organizations responding to serious cybersecurity incidents to involve their lawyers, and to do so in the right way. For most incidents, the preferred response is to make sure that attorney-client privilege is preserved at all times during any in-house investigations. But this will not be easy if response efforts are disjointed. Response efforts are more likely to enjoy privilege protections if the general counsel’s office (and preferably outside counsel) are part of the initial response. Indeed, they should ideally be helping to lead and organize the response, and should serve as a key reporting hub for information about the events in question.7
Fourth Attribute: Testing Effectiveness
Fourth, organizations that successfully manage cyber risk engage third parties to test the effectiveness of their efforts. This often involves hiring experts to perform “penetration testing” or to evaluate overall cybersecurity maturity. Such tests tell management where security efforts are successful and where they need improvement. These tests might also generate lengthy lists of recommendations and a catalog of weaknesses that need attention. In light of the potential sensitivity of such information, it is a best practice to be prepared to address recommendations and, ideally, to engage counsel to assist in pursuing such testing efforts under privilege.
Fundamentally, cybersecurity is an issue to be thoughtfully managed by company leadership. Technical knowledge about IT systems and data security is great, but it is not sufficient and it is not necessary to build an effective cybersecurity risk-mitigation program. Rather, the key to success is asking the right questions, evaluating the responses, and treating cybersecurity as a problem to be managed over time, not a problem to be fixed with clever technology or some smart IT people.
1. 23 NYCRR 500.
2. FINRA, Cybersecurity Guidance, available at key-topics/cybersecurity.
3. Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, Part III of Supplement A to Appendix, at 12 C.F.R. Part 30 (OCC), Supplement A to Appendix D-2, at 12 C.F.R. Part 208 (Federal Reserve System), 12 C.F.R. Part 364 (FDIC), and 12 C.F.R. Part 568 (Office of Thrift Supervision), 70 Fed. Reg. 15736 - 15754 (March 29, 2005).
4. Federal Bureau of Investigation, Worldwide Sweep Targets Business Email Compromises (Sept. 10, 2019), available at https://www.
f takedown-091019.
5. Framework for Improving Critical Infrastructure Cybersecurity, NIST (April 16, 2018), available at nistpubs/CSWP/NIST.CSWP.04162018.pdf.
6. U.S. Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents (September 2018), available at https://www.justice.gov/criminal-ccips/file/1096971/download.
7. See In re Experian Data Breach Litigation, 2017 U.S. Dist. LEXIS 162891 (C.D. Cal. May 18, 2017) (holding that where outside counsel engaged forensic vendor to investigate and assist counsel, report and communications were privileged).