Cybersecurity & Risk Management

Cybersecurity risks are now enterprise risks, which must be understood and managed in the context of your enterprise as a whole and with your resources in mind. We offer practical solutions to build robust, risk-responsive frameworks to assist your organization in developing agile cyber risk management strategies that can adapt to keep pace with evolving threats. We provide a rigorous and holistic approach to cybersecurity risk assessment, grounded in practical, implementation-level advice to address sophisticated domestic and international data protection issues that require knowledge of your engineering capabilities, technology environments, and corporate culture. 

Clients come to us for our global experience in cybersecurity risk management and data security program development and compliance, our flexible and knowledgeable team members, and our long-standing strong relationships with numerous leading global cybersecurity consultants. With all of these skills under the same practice umbrella, we are uniquely equipped to assist you—regardless of your company’s cyber maturity level—to build effective cyber legal infrastructure. We have seen it all, from startups breaking into highly regulated security environments to Fortune 100 companies seeking to advance their existing cyber programs to the next level. 

Our clients stay with us and develop trusted relationships with our team because we focus on listening intently to their business needs and help them develop practical, risk-based solutions, all while understanding that cybersecurity does not exist in a vacuum. We combine our knowledge of cyber with strong business acumen to balance security with usability and enterprise architecture needs, always keeping in mind the need to responsibly stretch cyber spend. With this holistic approach, we help legal and security teams continue to strengthen internal relationships and build security as part of the business for the long term. 

We apply our extensive technical knowledge of security engineering, evolving cybersecurity threats, and international legal standards and leverage our global relationships to craft effective, forward-looking cyber risk management strategies to support our clients’ business objectives. Let us help you further develop, implement, maintain, or enhance your cybersecurity risk management strategies.

Our cyber risk management, data security counseling, and program development experience includes structuring, implementing, and enhancing enterprise-wide privacy and cybersecurity policies and strategies as well as targeted, technical risk-based reviews of core areas of a company’s data security and risk management programs. We are prepared to help clients boost compliance with relevant legal, industry, and technical standards across the globe.

We assist some of the largest global brands with implementing global data protection compliance programs and analyzing data privacy laws and regulations around the world. Alston & Bird’s Global Privacy and Security Network formalizes our relationships with leading privacy counsel in jurisdictions around the world, providing clients with access to true specialists in each country.

Cyber Risk Management

• Cyber Risk Assessment. To effectively manage cybersecurity risk, organizations need to know both where their cybersecurity program currently stands and where they think it needs to be. To understand what controls and safeguards are necessary to mitigate cybersecurity threats, and implement effective detection methods for those areas, the starting place is often a cybersecurity risk assessment. Our team performs privileged cybersecurity risk and legal assessments of a company’s cybersecurity program, often working with third-party security consultants that specialize in this area to take advantage of their technical expertise and sophisticated tools. These assessments typically consist of two phases: (1) onsite interviews with subject-matter experts to understand how they view the organization’s practices and to identify relevant documentation for our review; and (2) presentation of our findings in a written report.
• Internet of Things and Technology Cybersecurity Risk Review. With the increasing attention to security vulnerabilities in products and services, and connected devices in particular, companies are increasingly expected to be actively, and even proactively, engaged with vulnerability management and incorporating sound security practices into the design of new products and services. We assist clients in cybersecurity risk reviews of new products and technologies early in the development process to help ensure the security practices are consistent with regulator expectations and industry standards. We also conduct reviews of security-related technologies to identify whether specific uses may raise any federal or state statutory or constitutional concerns, such as implicating the federal Computer Fraud and Abuse Act or state and federal Wiretap Acts.
• Advice to Public Company Boards and the C-Suite. We provide cyber-risk consultation services to senior management and directors to highlight the cyber-related risks faced by the company as well as the directors individually. Our services assist in providing board-level and senior management information security and cyber-risk presentations and training regarding their pre-breach and post-incident responsibilities, emerging trends in cybersecurity corporate governance, and strategies to minimize cyber risk exposure. We educate boards on the importance of the information life cycle and help companies achieve a clear understanding of the data they create, where it is located, how it is used, and how it is retained. We also provide advice to senior officers on day-to-day management of cybersecurity risks and preparation of board and officer materials so that the board and its advisors properly address cybersecurity risks with sound and balanced documentation. We routinely calibrate these services across the spectrum of publicly held companies, from relatively small and recently listed companies to some of the largest financial institutions and industrial concerns in the world.
• SEC Disclosures Review. Many public companies are well aware of the SEC’s guidance on cyber-risk disclosures and the SEC’s continued interest in reviewing such disclosures in the wake of a significant cyber event. Our team has assisted many public company clients in reviewing their cyber-related public filings to ensure that they are appropriate and sufficient, including by comparison to the disclosures of industry peers based on their industry presence and market capitalization.
• Cyber Insurance Review. As a key part of their incident response plans and procedures, companies should carefully consider whether they have adequate insurance coverage for cybersecurity risks, including coverage for forensic investigation, consumer notification, credit monitoring, call center operation, public relations, cyber extortion, regulatory investigations, payment card brand assessments, and other third-party claims. Our team has assisted many clients in assessing their current level of cyber insurance coverage, as well as identifying exclusions, conditions, and limitations that they should avoid.