What is the difference between privacy and cybersecurity? Privacy generally applies to an individual’s right to not have his or her personal information shared. Cybersecurity generally applies to the processes and technology in place to protect information that an organization maintains. You could say an organization’s cybersecurity processes help to meet its privacy obligations.
WealthForge is at the forefront of applying financial technology to provide greater efficiency for private capital markets. As with any financial institution, we process a lot of important, private information that needs to be protected. Therefore, we consider it an inherent responsibility to also be a leader in cybersecurity and privacy processes and technology. We recently attended Practicing Law Institute’s 18th Annual Institute on Privacy and Data Security Law in Chicago, and want to share some of what we learned along with our own experience.
Rather than cybersecurity specifically, I prefer to think of it as “information security,” because even the most high-tech organizations have information physically stored and have manual information processes in place. As we’ll discuss later, a good cyber/information security framework will consider privacy implications involved in the type of information it receives, uses, and stores.
We’ve previously reviewed some cybersecurity basics when it comes to spear phishing attacks and vulnerabilities related to employees, but today we are taking a higher-level look. Here are 4 ways to establish and maintain a successful cybersecurity program.
1. Take Inventory
Some organizations implement risk management meetings across all business units. However, from a cybersecurity and privacy standpoint, you will uncover key risk points by “data mapping.” This is an exercise to identify the types of data your organization keeps and where.
A comprehensive data mapping exercise will not only show where information is stored, but how it is transferred into, within, and out of the organization. The more sensitive the information (as dictated by whether privacy implications are involved and the information’s value to the company and its stakeholders), the more focus it should receive in an organization’s ongoing risk assessment process. In this way, your organization can objectively prioritize where it plans to take action.
Two important considerations for a data exercise:
- Where are your people involved? Invest in training and invest in your employees. Part of your ongoing efforts should involve developing a culture attuned to privacy and security issues. Your employees can be your biggest vulnerability—make them your biggest asset.
- Where are other people involved? Increasingly, companies are dependent upon outside providers and relationships for day-to-day operations. Do not gloss over how third-parties use and store your information (or information that may not be “yours” but that others are entrusting you to keep safe). Vendors are increasingly willing to discuss or give you documentation on their security practices. And you should address these issues with your own clients or even potential investors or purchasers of your company. Negotiating the terms of information flow, ownership, and protection in your agreements with all third parties upfront is well worth it to avoid the headache of an unplanned reaction down the line.
2. Start with a Framework
Once you understand what data you have and how it flows, you need a plan to protect it. A framework is the base upon which an organization builds its entire cybersecurity and privacy approach. In certain industries, the framework your organization starts with will be dictated by regulations. Other companies will have more leeway with where to begin. If you don’t have a framework at all, at best, you will have an incohesive set of policies.
Common model frameworks are NIST (the National Institute of Standards and Technology) and ISO (International Organization of Standardization). Use aspects of a model framework that apply most to your organization, with its unique size, scope, number of employees, type of information used and processes. Be honest with yourself about how mature your organization is with respect to privacy and cybersecurity issues.
3. Iterate and Get Better
The framework is not solution to all problems but rather a tool to help address what otherwise might be complex, unmanageable cyber-risk issues.
Your framework should be a living, breathing, and dynamic part of your organization and its processes. Once your framework is in place, in whatever form it starts, the point is to use it, and change it, to make your organization better. As you conduct several months or quarters of your policies within the framework, you should make adjustments to better reflect how your business operates.
You may find it helpful to conduct regular meetings to assess risks, current risk mitigation steps, and plans to execute improved mitigation steps. In proceeding through these meetings in a systematic way and executing improvements between them, your organization’s framework will get better over time.
4. Practice Incident Response
A best practice is to conduct “desktop exercises,” by bringing together key internal stakeholders to practice certain aspects of operations within a cybersecurity framework, including disaster recovery and incident response plans. And, while finding the time to bring together the relevant personnel is easier said than done, it is essential to ensuring you are ready in the event of an actual cybersecurity incident.
A desktop exercise that can illuminate several issues that an organization may want to consider in conducting an individualized exercise includes the following:
- Escalation Plan - A basic incident response plan will address broad steps if, for example, certain aspects of a system go down for a day or so. Thinking one step deeper, however, what if the event continues for multiple days? What if it gets worse? Your organization should know who it needs to report to and when, regarding certain types of cyber events. Know the relevant laws and notice periods and have a plan on who to contact and when. As an issue progresses, it may be best to include more people or take different actions than when an issue first arises.
- Establish Expert Relationships - As a related point, many companies may generally know who to call, but may not have a relationship in place to get the responsiveness they need when they need it the most. Cyber events may require outside IT vendors to help the internal team conduct forensic analysis. Do you have a vendor in mind that knows you and your business, or will you be vetting and asking for referrals when you need help immediately? Specialized outside counsel can be invaluable in helping to quarterback an organized response. Again, do you know someone who is willing to take your case if something arises, or will you be forced to cold call anyone who will answer without vetting? What enforcement officials will you call? What regulators might be calling you? This is great information to know ahead of time instead of trying to figure it out in the heat of what may be a stressful situation.
The cybersecurity and privacy space is interesting because the laws and practices are fast-evolving and the issues are not going away. For the same reasons, it is easy to get overwhelmed. Use a framework and develop a system to address risk based on the type and scope of information your company touches. This way, you can more easily conceptualize and address the issues that apply to your unique business.
Disclaimer: WealthForge provides this information to our clients and other friends for educational purposes only. It should not be construed or relied upon as legal advice.
Want more private market insights and content?
Follow WealthForge on social media