Advisory Article

Manage the business risks behind cybersecurity

You didn’t go into business to manage cybersecurity. Still, your business needs to manage cybersecurity if it manages data — and almost every business manages data.

For instance, professional services firms often receive, transmit and hold client data that are far more sensitive than some or all of their own records. These client data might be subject to various privacy regimes and regulatory obligations, depending on the clients the firm serves — and these obligations extend to the professional services firm, either through contractual obligation or good business practice. Yet, the firm’s technology providers, such as cloud-hosting platforms, usually have agreements that explicitly state that the use of their solutions does not indemnify against compromises of the data hosted there.

This combination of factors means that professional services firms must ultimately manage their own cybersecurity, even if their IT infrastructure is outsourced to third parties. This risk-inheritance dynamic can be significant.

The risks behind cybersecurity

If a business chooses to co-source or outsource its cybersecurity to a third party, that business must ensure that the third party addresses unique risks in a meaningful way.

Your cybersecurity provider must be a true partner, where the relationship is grounded in both cost considerations and risk management — especially data privacy and security risk management. If your provider does not understand your obligations and the risks you inherit from your clients, it cannot help you manage those obligations and risks. With cybersecurity in particular, it’s imperative to think both proactively and reactively. Your provider should articulate how it employs best practices for information security proactively and how it handles reactive incident response. Depending on the data you store, you might also need a provider with demonstrable capabilities in regulatory compliance, fiduciary obligations, industry trends and other areas.

Collaborative cybersecurity

Most cybersecurity providers focus either on proactive best-practice advisory work or on reactive forensic work.

Businesses need to be ready to respond to cybersecurity incidents, and they need to proactively secure, monitor and periodically revisit the controls environment with an independent assessor. They need to ensure that the way they defend the environment is appropriate for the ever-changing landscape within the environment and outside of it.

The key to cybersecurity resilience

Cybersecurity has always been a risk management domain.

To achieve resilience, businesses must identify cybersecurity risk for what it is: a threat to the enterprise. Like any enterprise threat, the proper response involves the engagement of a multidisciplinary team.

Grant Thornton library articles:

Manage the business risks behind cybersecurity

We are committed to keep you updated of all developments that may affect the way you do business in Puerto Rico. Please contact us for assistance in relation to this or any other matter, we will be glad to assist you.