Board Governance & Cyber Risk Management

Cyber risks are now enterprise risks, which means they must be understood and managed in the context of your entire company. With extensive global experience in board governance, cyber risk management, and data security program development, our flexible and knowledgeable team offers you practical solutions that will help you build robust, risk-responsive frameworks and governance strategies that can adapt as threats evolve. Our rigorous and holistic approach to cyber risk management is grounded in implementation-level advice that is informed by a clear and comprehensive appreciation of your engineering capabilities, your technology environment, and your corporate culture—regardless of your company’s cyber maturity level.

Given the growing importance of board and C-suite oversight in cyber risk matters, we provide consultation services that highlight the cyber risks faced by both the company and its directors. This includes training directors and senior management about their pre-breach and post-incident responsibilities and about emerging trends in cyber risk corporate governance and strategies to reduce exposure. We routinely calibrate these services across the spectrum of publicly held companies, from relatively small and recently listed enterprises to some of the largest and most established companies in the world.

Understanding that cyber risk management does not exist in a vacuum, we combine our knowledge of cyber issues with strong business acumen to balance security with usability and enterprise architecture needs, always keeping in mind the need to stretch cyber investments responsibly.

Toward that end, we apply our extensive technical knowledge of security engineering, evolving cyber threats, and international legal standards as we leverage our global relationships to craft effective, forward-looking cyber risk management strategies that support your business objectives. This includes not only structuring, implementing, and enhancing enterprise-wide privacy and cyber risk policies and strategies but also conducting targeted, risk-based assessments of your current data security and risk management programs, often with the assistance of third-party security consultants.

As the emergence of new products, services, and devices introduce new security vulnerabilities, we are prepared to help you perform risk reviews of these new technologies early in the development process. This ensures that your security practices remain consistent with both regulator expectations and industry standards and allows you to build security into your business for the long term.

Our cyber risk management, data security counseling, and program development experience includes structuring, implementing, and enhancing enterprise-wide privacy and cybersecurity policies and strategies as well as targeted, technical risk-based reviews of core areas of a company’s data security and risk management programs. We are prepared to help clients boost compliance with relevant legal, industry, and technical standards across the globe.

We assist some of the largest global brands with implementing global data protection compliance programs and analyzing data privacy laws and regulations around the world. Alston & Bird’s Global Privacy and Security Network formalizes our relationships with leading privacy counsel in jurisdictions around the world, providing clients with access to true specialists in each country.

Cyber Risk Management

• Cyber Risk Assessment. To effectively manage cybersecurity risk, organizations need to know both where their cybersecurity program currently stands and where they think it needs to be. To understand what controls and safeguards are necessary to mitigate cybersecurity threats, and implement effective detection methods for those areas, the starting place is often a cybersecurity risk assessment. Our team performs privileged cybersecurity risk and legal assessments of a company’s cybersecurity program, often working with third-party security consultants that specialize in this area to take advantage of their technical expertise and sophisticated tools. These assessments typically consist of two phases: (1) onsite interviews with subject-matter experts to understand how they view the organization’s practices and to identify relevant documentation for our review; and (2) presentation of our findings in a written report.
• Internet of Things and Technology Cybersecurity Risk Review. With the increasing attention to security vulnerabilities in products and services, and connected devices in particular, companies are increasingly expected to be actively, and even proactively, engaged with vulnerability management and incorporating sound security practices into the design of new products and services. We assist clients in cybersecurity risk reviews of new products and technologies early in the development process to help ensure the security practices are consistent with regulator expectations and industry standards. We also conduct reviews of security-related technologies to identify whether specific uses may raise any federal or state statutory or constitutional concerns, such as implicating the federal Computer Fraud and Abuse Act or state and federal Wiretap Acts.
• Advice to Public Company Boards and the C-Suite. We provide cyber-risk consultation services to senior management and directors to highlight the cyber-related risks faced by the company as well as the directors individually. Our services assist in providing board-level and senior management information security and cyber-risk presentations and training regarding their pre-breach and post-incident responsibilities, emerging trends in cybersecurity corporate governance, and strategies to minimize cyber risk exposure. We educate boards on the importance of the information life cycle and help companies achieve a clear understanding of the data they create, where it is located, how it is used, and how it is retained. We also provide advice to senior officers on day-to-day management of cybersecurity risks and preparation of board and officer materials so that the board and its advisors properly address cybersecurity risks with sound and balanced documentation. We routinely calibrate these services across the spectrum of publicly held companies, from relatively small and recently listed companies to some of the largest financial institutions and industrial concerns in the world.
• SEC Disclosures Review. Many public companies are well aware of the SEC’s guidance on cyber-risk disclosures and the SEC’s continued interest in reviewing such disclosures in the wake of a significant cyber event. Our team has assisted many public company clients in reviewing their cyber-related public filings to ensure that they are appropriate and sufficient, including by comparison to the disclosures of industry peers based on their industry presence and market capitalization.
• Cyber Insurance Review. As a key part of their incident response plans and procedures, companies should carefully consider whether they have adequate insurance coverage for cybersecurity risks, including coverage for forensic investigation, consumer notification, credit monitoring, call center operation, public relations, cyber extortion, regulatory investigations, payment card brand assessments, and other third-party claims. Our team has assisted many clients in assessing their current level of cyber insurance coverage, as well as identifying exclusions, conditions, and limitations that they should avoid.