Spencer Fane LLP | spencerfane.com
Real World Cyber Risk
Understand It. Manage It.
Renaissance Executive Forums
2019 CEO Summit
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP | @spencerfane
spencerfane.com | @shawnetuma
Cybersecurity is no longer just an IT issue – it is an overall business risk issue.
“But … we are not a large company and our data is not that valuable.”
Let’s play a game …
Cyber Incident Response Checklist
1. Determine whether to escalate incident
2. Begin documenting decisions and actions
3. Begin mitigation of compromise
4. Phish all workforce (esp. leadership).
5. Engage experienced legal counsel to guide through the process, determine privilege vs. disclosure tracks, likelihood of “breach”
6. Activate Incident Response Plan and notify and convene Incident Response Team
7. Notify cyber insurance carrier
8. Notify affected business partners per contractual obligations
9. Engage forensics to mitigate continued harm, gather evidence, and investigate
10. Assess scope and nature of data compromised
11. Preliminarily determine legal obligations based on type of data and jurisdictions
12. Determine whether to notify law enforcement
13. Begin preparing public relations message
14. Engage notification / credit services vendor
15. Investigate whether data has been truly “breached”
16. Determine when notification “clock” started
17. Remediate and protect against future breaches
18. Confirm notification / remediation obligations
19. Determine proper remediation services
20. Assemble contact information for notifications
21. Prepare notification letters, frequently asked questions, and call centers
22. Plan and time notification “drop”
23. Implement public relations strategy
24. Administrative reporting (AGs, HHS, FTC, SEC)
25. Implement Cyber Risk Management Program
Is it really always the Russians?
• 63% of confirmed breaches from weak, default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily Avoidable Incidents
91% in 2015
91% in 2016
93% in 2017
Common Cybersecurity Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
– Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature-based antivirus and malware detection.
7. Encrypt your devices.
8. Internal controls / access controls.
9. No outdated or unsupported software.
10. Security patch updates management policy.
11. Backups segmented offline, cloud, redundant.
12. Incident response plan.
13. Encrypt sensitive and air-gap hypersensitive data.
14. Adequate logging and retention.
15. Third-party security risk management program.
16. Firewall, intrusion detection and prevention systems.
17. Managed services provider (MSP) or managed security services provider (MSSP).
18. Cyber risk insurance.
What is reasonable cybersecurity?
Too little – “just check the box”
Too much – “boiling the ocean”
Overview: Cyber Risk Management Program
Cyber / Privacy Risk Insurance
Key presumptions about cyber insurance:
• If you don’t know you have it, you don’t.
• If your broker doesn’t really “get” cyber, you don’t have the right coverage.
• If you don’t know you can use your lawyer, you can’t.
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com
• Board of Directors & General Counsel, Cyber Future Foundation
• Board of Advisors, SMU Cyber Program
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-18
• Best Lawyers in Dallas 2014-18, D Magazine (Cybersecurity Law)
• Council, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & InfraGard (FBI)
• International Association of Privacy Professionals (IAPP)