You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

November 20, 2015

Cyber Security Preparedness: It’s a Dangerous World Out There

Subscribe to Updates
Informed Counsel

Virtually all of us are dependent on the use of the Internet and Internet-connected devices. People are plugged in, online, and in constant communication through wired and wireless telecommunication networks coupled to the Internet.

By virtue of this dependency, we entrust Internet-enabled applications, programs, and connected devices with our most private communications and personal and financial details. Yet we read, almost on a daily basis, of hacks and compromises on a gargantuan scale, of the very systems we entrust with our private business and personal data.

The disclosures of Edward Snowden and others have increased public awareness about the need to be mindful of cyber security and cyber threats in our IT-centric world of smartphones, Internet, and Cloud-based services.

Businesses are faced with many of the same cyber security risks as individuals, but businesses are made to bear greater legal and financial responsibility in the event of a compromise.

Today, cyber security, including data protection, is a board-level critical business risk area. A major compromise of a corporate IT system may raise significant business continuity and business reputation risks, in addition to possible lawsuits by customers and actions by the government/regulators, such as investigations, penalties, and fines. Companies now find their risk management committees devoting more and more time to cyber security issues.

The cyber risk landscape is highly dynamic, making ongoing proactive prevention necessary but difficult. Moreover, it is very difficult for a business to keep a breach of its IT system private, irrespective of legal obligations or attempts to control public disclosure that a system has been hacked.

Worse still, the detection of a compromise or hack often happens many months or even years after the initial compromise. Clearly, dealing with cyber risks requires diligent attention. But given the dynamic nature of cyber risks, what areas should a business focus on when establishing a program of cyber security preparedness?

Cyber security preparedness necessarily involves much more than board supervision and risk management committee oversight. It also requires a review of what cyber security processes, structures, and mitigation measures government regulators expect in each of the jurisdictions where a company does business and/or where the relevant data resides. Going beyond legal issues, the review must also take account of practicalities, including costs, perceived risk, and objective reasonableness.

One key component of such a review is an assessment of vendor risk management, which has become even more important given the broad adoption of Cloud services. The review should include consideration of vendor policies, procedures, and contracts to ensure the sufficiency of security obligations and legal remedies to protect the company against a compromise by, or through, any of its vendors.

Cyber security risk assessment has also become a core component of due diligence, particularly in mergers and acquisitions. In addition to considering whether there are any ongoing regulatory investigations or enforcement actions relating to breaches or other compromises, a due diligence review should address whether the target company has critical data assets (e.g., personally identifying information of customers and/or credit card data) and whether the target has experienced data breaches, and if so, provide an explanation of the damage and how it was mitigated. It should also take account of the risk of future breaches, and more generally, whether the target’s cyber security program is adequate using both industry benchmark standards as well as legal requirements.

For example, a cyber security program should include an incident response plan that is tested through tabletop exercises with senior management, technology representatives, and legal counsel, and it should be kept up to date, taking account of new threats that are identified. The incident response plan should be developed using multiple scenarios to realistically simulate potential incidents including Advanced Persistent Threat (APT) intrusions, data theft, insider attacks, and denial of service attacks. The plan must also take account of the type of business.  For example, retailers should consider point-of-sale attack scenarios.

While important, detection is merely the first step. Businesses should also have in place policies and procedures for a proper response, providing for appropriate escalation within the organization’s management structure, mitigation of risk, and preservation of forensic evidence once a compromise is discovered. It should also protect attorney-client privilege materials and the company’s legal rights, in case lawsuits or government or regulatory investigations subsequently arise.

In today’s world, companies need to take a proactive stance in dealing with cyber security.  Companies’ dependence on IT systems and Cloud-based services will only increase, and cyber security will continue to become ever more important. Companies must prepare for attacks from the inside as well as from outside third parties (including both criminally-motivated individuals as well as state-sponsored attacks).

Company executives, hand in hand with legal counsel and the technology team, must work together to continually evaluate a company’s preparedness and develop and implement defense and mitigation strategies to prevent and limit damage due to cyber attacks.

Download Full Article
Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

April 4, 2024
On March 18, 2024, the president of the Supreme Court of Thailand announced the establishment of a specialized Technology Crime Division within the Criminal Court of Thailand. This represents a significant commitment to cybercrime within the Thai judiciary and a step forward in Thailand’s ability to investigate cybercrime. The rise in cybercrime investigations in recent years has made it increasingly difficult for Thailand’s traditional criminal courts to consider and issue enforcement orders in support of ongoing investigations in a timely manner. The new Technology Crime Division addresses this challenge. This new division has jurisdiction over cybercrime and technology-related crime, fraud or extortion using computers, and criminal offenses relating to personal data protection laws. In addition, this new division has jurisdiction over all requests from competent law enforcement officers seeking court orders under the Computer Crimes Act B.E. 2550, the Personal Data Protection Act B.E. 2562, and the Cybersecurity Act B.E. 2562. The Technology Crime Division will have trainees and judges with expertise in technology and cybercrime—not only to facilitate expert prosecution of cybercrime but also to offer critical and time-sensitive support to law enforcement investigations of alleged cybercrime. The Technology Crime Division is not yet operational. The president of the Supreme Court is expected to announce the division’s opening date in the coming months. For more details on Thailand’s measures for dealing with cybercrime, please contact Michael Ramirez at [email protected] or Piyawat Vitooraporn at [email protected].
Read More
March 29, 2024
Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024. CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status. The key obligations of CII organizations are laid out below. Reporting to the National Cyber Security Agency (NCSA) CII organizations must provide the following to the NCSA: A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes. A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason). Policies, Guidelines, and Procedures As specified in the National Cyber Security Committee (NCSC) guidelines, CII organizations must prepare the following internal documents by June 20, 2025: Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan. Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery. CII organizations must also prepare the following: Mechanisms, procedures, and steps for monitoring and detecting
Read More
March 29, 2024
Vietnam’s Ministry of Public Security (MPS) is drafting two reports to present to the government in May 2024 to advocate for the development and adoption of a Law on Personal Data Protection. These reports include an assessment of the policy impact of the proposal to develop a personal data protection law, and an assessment of the current state of social relations related to personal data protection. Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD), adopted in April 2023, became the first comprehensive legal instrument on data protection in Vietnam. When the National Assembly was debating its text and adoption in 2022 and 2023, questions were raised as to the status of this new regulation and the legality to adopt a decree before a law. In accordance with the public announcements made throughout the development of the PDPD assuring that a law would be developed at a later stage, the MPS is now advocating for the development of a Personal Data Protection Law and has drafted the two reports pursuant to the Law on the Promulgation of Legal Documents. The main arguments advanced by the MPS in the two reports are as follows: As the right to privacy is enshrined in the Constitution, any restrictions thereof must be made through a law and not a decree. The MPS is notably referring to the lawful basis for processing and limited exceptions to consent under the PDPD. This may be a sign that the MPS intends to widen the exceptions to consent under the new law. The definitions of “personal data” and “personal data protection” need to be harmonized to consolidate the regulatory framework. The MPS indicates that there are 69 legal documents directly related to “personal data protection” in Vietnam with more than 10 different definitions, while “personal information” appears in
Read More
March 28, 2024
Recently, Vietnam has witnessed a dramatic increase in cyber fraud, causing significant financial losses and posing a grave threat to both Vietnamese and foreign entities. With the increasing reliance on digital technology and the widespread adoption of online platforms, the country has become fertile ground for cybercriminals to exploit vulnerabilities and conduct various fraudulent activities. This article aims to present an overview of addressing cyber fraud in Vietnam and offers practical advice for businesses to safeguard themselves from becoming victims of such illicit activities.
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice