Cybersecurity Questions for Nutraceutical Company Executives
January 4, 2017
Cyber threats may seem overwhelming, but they can be managed with a focused approach.
While data breaches are in the news almost every day, only about 15% of companies reported a significant cyber-security incident or data compromise over the past 18 months, according to a survey from ALM Marketing Services (September 2015). Based on their experience, many companies perceive that the odds of an incident occurring are low, and therefore have not aggressively prepared.
However, the current cyber threat landscape and the increasing frequency of cyber-attacks make cyber-security risk management one of the top issues for executives across all industries. In this column, I have asked Yelena Barychev, a partner at Blank Rome LLP law firm, some of the questions nutraceutical companies should be considering with respect to their cyber-security planning.
To facilitate effective cyber-security risk management, company executives should be able to answer a few questions outlined in this column and evaluate whether the company has established necessary planning and preparedness mechanisms.
Question 1: Does the company have management personnel with the skill sets necessary for assessing cyber-security risks and handling cyber-security incident responses?
Ms. Barychev: As with any task, it is critical to have experienced people in place. Depending on the company's size and structure, the role of cyber-security risk management may be outsourced or considered the responsibility of a designated senior executive officer, such as the chief information officer, chief information security officer or chief security officer.
Question 2: Has the company evaluated and approved a cyber-security strategy addressing company-specific risks?
Ms. Barychev: The company should have a clear strategy of handling cyber-security risks that will take into consideration the specifics of the company’s business and the level of potential exposure to cyber-attacks. In developing such a strategy, the company should consider a wide range of issues, from the evaluation of protection costs that the company should incur (for example, the cost of hiring additional personnel, buying new software, training employees to follow prescribed IT procedures and engaging consultants and experts) to the evaluation of the coverage provided by, and the cost of, cyber insurance policies.
Cyber-security strategy should reflect the company’s assessment of potential consequences of cyber-attacks, including remediation costs in the aftermath of the cyber-attack; lost revenue; legal expenses related to customer, regulatory and shareholder actions launched against the company in connection with the cyber-attack; and reputational damage for the company and its executives.
Question 3: Has the company allocated sufficient resources to cyber-security risk management?
Ms. Barychev: It is important to review annual budgets for IT security programs and provide adequate funding for technologies that can detect and prevent certain cyber-attacks and other protection costs discussed in this column, as well as for adequate insurance coverage. The company should also invest time and resources in reviewing its contracts with vendors that have access to the company’s data to address vendors’ cyber-security policies and responsibility for cyber-attacks.
Question 4: Has the company adopted and tested an incident response plan?
Ms. Barychev: The company should have an incident response plan that can be implemented in case of a cyber-attack. The plan should be aligned with the company’s cyber-security strategy discussed in this column and address, among other matters, the necessary communications with customers, vendors and regulators, as well as protocols for handling the consequences of the cyber-attack.
Question 5: If the company is planning to grow through acquisitions, does the due diligence checklist include cyber-security matters?
Ms. Barychev: Given the significant adverse consequences of cyber-attacks, it is important to uncover potential cyber-security issues at the target company through the due diligence process. Due diligence questions may focus on whether the target company experienced cyber-attacks in the past, any consequences of such attacks and how it addressed those consequences.
Due diligence questions may also cover protective measures that the target company has put into place and whether the target company has adequate cyber insurance coverage. If cyber-security breaches present a significant risk for the target company’s business, then the acquiring company should back up its due diligence process with cyber-security representations and warranties in the acquisition agreement. Such representations and warranties may focus on the absence of any known security breaches and address the policies and procedures put in place and followed by the target company to minimize the risk of cyber-attacks.
Data breaches and other cyber-security threats are on the rise and can cause significant harm including customer data loss, interrupted business, regulatory penalties, class-action lawsuits and intellectual property theft. Although cyber-security planning may seem confusing or even overwhelming, it can be managed with a focused step-by-step approach most often supported by expert consultants.
“Cybersecurity Questions for Nutraceutical Company Executives,” by Yelena Barychev and Gregory Stephens was originally published in Nutraceuticals World on January 4, 2017.