ABSTRACT

Recent studies show that data security has become the number one concern of directors and general counsel at public companies.[1] Cybersecurity is the responsibility of every employee and consultant in an organization, not just those in security, IT, or executive management. Employees and contractors must be educated about the importance of cybersecurity and their role in it.

Cybersecurity policies are important because they put mechanisms in place to help prevent cyber events, such as business interruptions and data breaches, which are very costly. Employees are widely recognized as the weakest link in a firm's cybersecurity. Poor cyber hygiene, such as sharing passwords, clicking on malicious links and attachments, using unapproved software applications, and neglecting to encrypt sensitive files, is just one of the employee-related issues of concern. According to the 2020 Verizon Data Breach Investigations Report,[2] "it is a bit disturbing when you realize that your employees' mistakes account for roughly the same number of breaches as external parties who are actively attacking you." Cybersecurity policies set the standards that employees and consultants must understand and follow to maintain the security of data and systems.

Every organization, from the small or medium-sized enterprise to the multinational colossus, is expected to meet minimum standards of IT security and could be fined and, in some cases, criminally prosecuted for a cyberattack that results in the loss of sensitive data when the organization is deemed to have been willfully negligent. As of this writing, many states, including California, Colorado, New York, and Virginia, have instituted cybersecurity or privacy regulations for organizations conducting business in their states and with their residents.

Reputational damage can drive away customers and cause stock prices to dive. Cybersecurity policies are a mechanism to help ensure that the public image of and trust in an organization remain unblemished. Regulators require evidence that the organization has an effective cybersecurity program, and cybersecurity policies are the starting point for providing this evidence.

Cybersecurity policies are essential in public companies and in regulated organizations. They are required in the federal, healthcare, finance, and insurance sectors. These organizations run the risk of large fines if their cybersecurity programs are not fit for purpose, and it all starts with cybersecurity policies.