senior executive officer, such as chief information officer, chief information security officer or chief security officer.
Question 2: Has the company evaluated and approved a cyber-security strategy addressing company-specific risks?
Ms. Barychev: The company should have a clear strategy of handling cyber-security risks that will take into consideration the specifics of the company’s business and the level of potential exposure to cyber-attacks. In developing such a strategy, the company should consider a wide range of issues, from the evaluation of protection costs that the company should incur (for example, the cost of hiring additional personnel, buying new software, training employees to follow prescribed IT procedures and engaging consultants and experts) to the evaluation of the coverage provided by, and the cost of, cyber insurance policies.

Cyber-security strategy should reflect the company’s assessment of potential consequences of cyber-attacks, including remediation costs in the aftermath of the cyber-attack; lost revenue; legal expenses related to customer, regulatory and shareholder actions launched against the company in connection with the cyber-attack; and reputational damage for the company and its executives.
Question 3: Has the company allocated sufficient resources to cyber-security risk management?
Ms. Barychev: It is important to review annual budgets for IT security programs and provide adequate funding for technologies that can detect and prevent certain cyber-attacks and other protection costs discussed in this column, as well as for adequate insurance coverage. The company should also invest time and resources in reviewing its contracts with vendors that have access to the company’s data to address vendors’ cyber-security policies and responsibility for cyber-attacks.
Question 4: Has the company adopted and tested an incident
Ms. Barychev: The company should have an incident response plan that can be implemented in case of a cyber-attack. The plan should be aligned with the company’s cyber-security strategy discussed in this column and address, among other matters, the necessary communications with customers, vendors and regulators, as well as protocols for handling the consequences of the
Question 5: If the company is planning to grow through acquisitions, does the due diligence checklist include cyber-
Ms. Barychev: Given significant adverse consequences of cyber-attacks, it is important to uncover potential cyber-security issues at the target company through the due diligence process. Due diligence questions may focus on whether the target company experienced cyber-attacks in the past, any consequences of such attacks and how it addressed those
Due diligence questions may also cover protective measures that the target company has put into place and whether the target company has adequate cyber insurance coverage. If cyber-security breaches present a significant risk for the target company’s business, then the acquiring company should back up its due diligence process with cyber-security representations and warranties in the acquisition agreement. Such representations and warranties may focus on the absence of any known security breaches and address the policies and procedures put in place and followed by the target company to minimize the risk of cyber-attacks.
Data breaches and other cyber-security threats are on the rise and can cause significant harm including customer data loss, interrupted business, regulatory penalties, class-action lawsuits and intellectual property theft. Although cyber-security planning may seem confusing or even overwhelming, it can be managed with a focused step-by-step approach most often supported by expert consultants.