Keeping IT simple: How to start an effective IT risk management program

Information technology has transformed the way companies conduct business. In most companies, key business processes are driven by IT ­–– from accounting to sales, project management, human resources, and customer relationship management.

But what happens when the IT processes your business depends on fail? System failure, downtime, or loss of key data can halt your operations, affect profitability, and stall essential business practices long term. Taken a step further, your business may encounter legal exposure as a result of damage to your customers, vendors, business partners, or shareholders.

All companies, regardless of size, should take action to manage the legal risks arising from their increasing dependence on IT. The process need not be overwhelming; in fact, you can make significant progress by starting with one simple step –– implementing an IT compliance portal.

An IT compliance portal is a centralized location for the placement of key legal and technical documents that you will use to manage your IT legal risk. An IT compliance portal should include the following basic features:

1. Key IT vendor agreements. Inventory your top-priority IT vendors, whether based on dollars spent or critical importance to your operations. Place the underlying contracts with these vendors in the portal. Review the list annually and update as appropriate with new contracts and amendments.
2. Corporate IT policies. Every company should have written policies governing employee use of corporate technology. These policies include a company information systems policy, workstation security policy, mobile device policy, electronic monitoring policy, data security policy, and document retention/destruction policy. Given the rapid changes in technology, these policies should be updated periodically.
3. Third-party IT assessment reports. Emerging laws across multiple industries (e.g., finance, banking, insurance, and health care) require that companies engage an independent third-party consultant to conduct security testing of the company’s IT environment. The requirement has become a common-sense practice for all types of businesses, regardless of industry. The consultant’s reports and follow-up remediation documents should be housed in the portal and revisited on an annual basis.
4. Data security breach protocol. Almost every company now possesses sensitive, personally identifiable information, whether of employees or customers. State and federal laws increasingly require that companies maintain data security safeguards and report any data loss or breach involving personally identifiable information. The legal and regulatory exposure from data losses has grown exponentially in recent years and affects even the smallest of companies, which may find the financial losses of a data breach to be so significant as to result in insolvency of the company. A company should prepare in advance a legal protocol to follow in responding to a data breach to best ensure compliance with applicable laws and minimize resulting damages. The protocol should be placed in the portal to ensure easy access and a uniform approach if a data breach is suspected.
5. Cyber risk/IT errors and omissions insurance. Every company should ensure that its insurance policies include coverage for cyber risk-related claims, such as loss of data or failure of IT systems. While this coverage was difficult to find five years ago, it is now readily available at a reasonable cost. Most insurers will offer this coverage through a cyber risk endorsement.
6. Critical date manager. The portal should include functionality to allow for the tracking of important IT compliance dates on an annual basis. Important dates might include expiration of key software agreements (licenses), dates by which notice to renew key agreements must be delivered to a vendor, annual reminders for a third-party IT assessment, and annual reminders to review IT policies.

(Continued)

Beyond these basic documents, a company should consider any unique qualities of the business that necessitate the inclusion of additional content in the portal. The site should be viewed as fully customizable and flexible to best meet the risk profile of the company.

If you are a chief information officer or other executive in charge of the corporate IT function, this type of portal will drive value in several significant ways. First, the portal will serve as a central repository and go-to resource for risk management information during a crisis, when you will not have time to properly identify and gather important documentation. Second, the initial process of creating the content and populating the portal will move your company along the path of implementing an effective IT risk management program. Third, the portal will serve as a visible sign to stakeholders that you have a plan in place to manage these risks.

Because the portal is meant to manage legal exposures, working with experienced IT legal counsel to establish the portal and your compliance program is encouraged. Counsel will provide insights on the materials listed above, which employees or third parties should have access to the portal, and methods for asserting attorney-client privilege over sensitive communications if an IT crisis arises.

Click here to sign up for the free IB ezine – your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.