Asking the right questions within your organization is key to effectively managing cyber risk. Here are 10 questions that you should ask your team:
1. What information and systems do we care about and why?
- What information do we have that we care about? (personal information of employees or customers; proprietary information (trade secrets); third-party confidential information)
- What systems are critical for our continued operation?
2. What are the risk scenarios that create exposure for us based on answers to #1?
- Internal risk (e.g., a malicious insider or an employee's error)
- External attack (e.g., phishing; brute-force password guessing)
- Supplier/third-party issue (e.g., the supplier itself is the victim of an attack or makes an error that affects our information)
3. What measures do we have in place to manage third party risk?
- Contractual provisions? For example:
  - restrictions on use/retention of information;
  - obligation to safeguard and implement specific security measures on issues such as backup storage;
  - notification in the event of a suspected/confirmed incident;
  - obligations in the event of an incident (investigate/share information);
  - right to audit;
  - optional provisions: third-party security certification; obligation to have insurance.
4. What regulatory obligations do we have in relation to cyber?
- Do we have defensible documentation to establish compliance with our obligations?
5. What is the estimated financial exposure from the risk scenarios materializing?
- Do we have exposure from: unauthorized access to, loss of integrity of, or inability to access our information and systems?
- What is the dollar value for every day of business interruption, loss of goodwill?
- What are the potential claims by data subjects (how many data subjects; categories of information/sensitivity; should we even have this information)?
- What are the breach of contract consequences?
6. What technical tools do we have in place and how do they protect against risk scenarios?
- What are we using as our benchmark, and why is that the relevant baseline?
- Are we up to date with the newest threat actor tactics?
- How will we know if there is unauthorized access to our network? Does someone get an alert if there is unusual activity?
- How do we define scope of what is ‘unusual’? (e.g., connection from unusual location; connection from two different locations)
- If an intruder gains access, how easily can they move around without being detected? How have we protected our most sensitive information?
- Have we configured all tools to maximize security, creating exceptions only where necessary for business objectives (e.g., the firewall only permits certain inbound/outbound connections)?
- Can we impose restrictions to limit risk (e.g., multi-factor authentication always required; password restrictions; restricting users' ability to install software; encryption; limiting the ability to download)?
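The "how will we know" and "what is unusual" questions above become concrete once someone writes down the rules. The following Python script is an added illustration for this page (not code from Bennett Jones or from any product): it reads constructed authentication log lines and flags three of the situations named above, a successful login from a country outside a user's assumed baseline, two successful logins from different countries within an assumed 60-minute window, and repeated failed logins suggestive of brute force. The log format, the per-user baseline and the thresholds are all assumptions for illustration.

```python
"""Flag 'unusual' logins in constructed authentication log lines.

Added example, not from the original post. The log line format, the
per-user baseline of expected countries, the 60-minute window and the
failure threshold are assumptions; adapt them to the real export format
of your identity provider or VPN.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <source-ip> <country> <result>"
SAMPLE_LOG = """\
2024-03-04T08:02:11Z alice 203.0.113.10 CA success
2024-03-04T08:15:42Z bob 198.51.100.7 CA success
2024-03-04T08:40:05Z alice 192.0.2.55 BR success
2024-03-04T09:05:30Z carol 203.0.113.22 CA failure
2024-03-04T09:06:01Z carol 203.0.113.22 CA failure
2024-03-04T09:06:30Z carol 203.0.113.22 CA failure
2024-03-04T11:30:00Z bob 198.51.100.7 US success
"""

# Assumed baseline: the countries each user normally works from.
USER_BASELINE = {"alice": {"CA"}, "bob": {"CA", "US"}, "carol": {"CA"}}

WINDOW = timedelta(minutes=60)   # assumed window for "two locations" and failures
FAILURE_THRESHOLD = 3            # assumed number of failures that triggers an alert


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src_ip: str
    country: str
    result: str


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed format into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 user, ip, country, result))
    return sorted(events, key=lambda e: e.ts)


def find_unusual_logins(events: list[LoginEvent],
                        baseline: dict[str, set[str]] = USER_BASELINE,
                        window: timedelta = WINDOW,
                        failure_threshold: int = FAILURE_THRESHOLD):
    """Return (rule, user, detail, timestamp) tuples for each alert raised."""
    alerts = []
    last_success: dict[str, LoginEvent] = {}   # user -> most recent successful login
    failures: dict[str, list[datetime]] = {}   # user -> recent failure timestamps

    for ev in events:
        if ev.result != "success":
            # Rule 3: repeated failures for one user inside the window.
            recent = [t for t in failures.get(ev.user, []) if ev.ts - t <= window]
            recent.append(ev.ts)
            if len(recent) >= failure_threshold:
                alerts.append(("repeated_failures", ev.user,
                               f"{len(recent)} failures from {ev.src_ip}", ev.ts))
                recent = []            # reset so one burst yields one alert
            failures[ev.user] = recent
            continue

        # Rule 1: successful login from a country outside the user's baseline.
        if ev.country not in baseline.get(ev.user, set()):
            alerts.append(("unusual_location", ev.user, ev.country, ev.ts))

        # Rule 2: two successful logins from different countries within the window.
        prev = last_success.get(ev.user)
        if prev is not None and prev.country != ev.country and ev.ts - prev.ts <= window:
            alerts.append(("two_locations", ev.user,
                           f"{prev.country}->{ev.country}", ev.ts))
        last_success[ev.user] = ev

    return alerts


if __name__ == "__main__":
    for rule, user, detail, ts in find_unusual_logins(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {rule:18} user={user} {detail}")
```

On the sample, alice's login from BR raises both the location and the two-locations rules, carol's third failure raises the brute-force rule, and bob's US login raises nothing because US is in his baseline and his previous login was more than an hour earlier. The point for question 6 is that each alert corresponds to a written rule with a named owner; "does someone get an alert" can only be answered yes once those rules exist and are reviewed against the newest tactics.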
7. How could a risk scenario materialize notwithstanding all technical tools in place?
- Have we considered the role of the following in giving rise to risk scenarios: human error; a third-party/supplier issue?
8. What policies and protocols do we need in place to manage risk scenarios?
- Do we have appropriate governance in place to manage these risks (e.g., applicant vetting; employee training; outsourcing; rules around use of personal devices; patching; data retention; review and updating of the security strategy; escalation of security observations/concerns)?
9. In what ways are we prepared for an attack?
- Do we have reliable and tested backups? How current?
- Are we collecting and preserving logs?
- Is our defensible documentation in place?
- Have we tested our preparedness through tabletop exercises and incorporated the lessons learned into our strategy?
- Do we have the right experts on speed dial?
10. Are we accessing all available external resources?
- Have we looked at available resources such as the Canadian Centre for Cyber Security or industry groups for information sharing and coordination?
- Have we consulted experts about our preparedness strategy?
If you have questions about cybersecurity risk management, reach out to Bennett Jones' Data Governance Protection and Cybersecurity team.
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.