Alex Keeley

Cyber Risk Part II: Assessing Your Level Of Cyber Risk?

Updated: Dec 21, 2021

Knowledge is Power/The More You Know: Being aware of cyber risk is only the tip of the iceberg; you must also understand what information needs protecting and how to mitigate your risks. The first step in assessing an organization’s cyber risk is to understand what information and company assets need to be protected and why. For your organization:

  1. What are your most critical cyber assets? What are your “crown jewels?”

  2. What information do you handle that you have a legal obligation to protect?

Every company has “crown jewels,” which Investopedia defines as “the most valuable unit(s) of a corporation, as defined by characteristics such as profitability, asset value and future prospects”. [1] Examples of information that must be protected by law and/or contractual obligation, and that would be at risk in a cyber attack, include Personally Identifiable Information (“PII”), Protected Health Information (“PHI”), and confidential information of your customers, suppliers, etc. PII includes information such as one’s name, social security number, address, and date of birth, among other personal information.[2] PHI includes people’s medical history and insurance information, among other sensitive data.[3] All of this data can potentially be compromised in a cyber attack.

Assessing Your Cyber Situation: After identifying what information needs to be protected, the next steps are to recognize the threats to that information and to make a plan to minimize the potential damage. Ask yourself, with regard to the safety of your data:

  1. How do you store the information?

  2. Who has access to the information?

  3. How do you protect your data?

  4. What steps are you taking to secure your computers, network, email and other tools?

If you do not immediately know the answer to any of those questions, now is the time to resolve them, before it is too late. To answer these pressing questions, each company should have its own internal risk assessment strategy.

Worst Case Scenario: As said in Part I of this blog, “…The question is not ‘if’ your company will have a data security breach, it’s ‘when’ will that breach occur, and ‘how’ bad will it be.” Another way to ask that question is to forecast the “Doomsday Scenario” cyber attack, and to examine what the result of a fully successful cyber attack against your company would look like. While it is certainly not pleasant to plan for a potentially catastrophic attack on your company, if you are prepared for the worst you are better able to mitigate the damage caused by a cyber attack or breach.

Consult With Experts: Proper preparation allows you to forecast the consequences of a successful attack, but in order to do so, you need experts. First, always engage immediately with your attorney, whether in-house or outside. In doing so, you can ensure that all of your preparations are kept under attorney-client privilege. This means that all communications regarding your cyber risk assessments and preparations would be confidential and not discoverable if legal action arose out of a cyber breach.

Next, utilize your in-house specialists, such as information technology staff or a chief information security officer, if your organization has filled those positions. If you have yet to fill such positions, start by doing exactly that. These specialists can better enable you to quantify the financial risk, so you won’t be blindsided by the monetary repercussions of such an attack.

Next Steps: In Part III, we will address how to handle your Cyber Risk responsibly, to mitigate the damage it can cause, and to limit your exposure to breaches.

This Blog, and the information contained herein, are intended for informational use only. Nothing in this Blog should be construed as legal advice.
