We’re all reading about the increasingly common risk of cybersecurity exposure, the bad actors launching attacks from all over the world, and the embarrassing press announcements by companies that have been victims of these attacks. What doesn’t make the news is what company management teams should know to protect themselves from such attacks, or to recover from them if the protection wasn’t adequate (and when DoD gets hit with an attack, you know your defense will NEVER be adequate if you get in the crosshairs of a really skilled bad guy).

So what constitutes “protection”? There are a growing number of laws, state, federal and international, that dictate actions we must take to protect our data and the data of the people we do business with. They’re all different – not surprising since there’s no foolproof set of rules to follow – and it’s not possible, even if it were financially affordable, to comply with them all. Now what?

Since your protection can’t be perfect, you can be sued by regulators or those whose data you compromised. Dollar cost and a huge hit to your reputation. The makings of a perfect storm if you’re the target. A panel held earlier today by SecureTheVillage.org, a nonprofit dedicated to educating us about this challenge, raised some challenging questions and offered some potentially helpful answers. For example:

• What makes a lot of sense as a starting point is to get a thorough cybersecurity risk assessment by someone other than your IT department or your contract provider. Try to understand why you might be a target, because that will tell you something about where to start to develop a defensible policy. Given your business, what laws are you subject to? What might “defensible” mean if you are challenged under those laws?
• If you’re hauled into court, your defense could be that your protective policies were in compliance or were reasonable in the circumstances. Short of compliance with all the disparate rules that exist, saying your control practices were reasonable can be pretty hard to define and perhaps even harder to defend. A more effective approach might be to develop controls that are defensible in the circumstances, meaning they would hold up in a courtroom. Again, what that means in practice is not a slam dunk, but it’s a strategy to guide your processes that could help you avoid a successful attack in court on top of the attack on your data.
• Insurance is nearly impossible to get today, or to keep, for cyber risks unless you know exactly what your insurer requires you to have in place, and then you implement and maintain exactly that. Do they require compliance? And what does that term mean to their claim adjusters? If you have insurance today, checking this out could avoid a nasty surprise: a non-renewal decision or a claim made but denied by your insurer, again trying to avoid the double hit to your bank account and reputation.
• Given all that information, how much risk are you willing to accept? Can you put an estimated dollar amount on that, and can you accept that as a cost of doing business?

No one knows the perfect answers to those questions. But you have to ask. Or be prepared for whatever comes down the road. Do you feel lucky?

We are Your CFO for Rent.