5 Preliminary Elements of Cyber Security Risk Assessment

Apr 07, 2016

Between 2012 and 2014, the number of companies in the US hit by cyber security breaches doubled. There is now a common expression in the information security industry: “There are only two types of companies: those that know they’ve been compromised, and those that don’t know.” What is interesting about malware cyber attacks is that few attacks are targeted at a specific company. Rather, 90% of malware is hovering around the internet, programmed to attach to unprotected persons and businesses. More than 317 million new pieces of malware -- computer viruses or other malicious software -- were created last year. That means nearly one million new threats were released each day (CNN Money, April 14, 2015). From a practical standpoint, this means that small and large businesses are equally likely to suffer an attack.

Companies can, and should, take steps to assess, monitor, and protect themselves from cyber security breaches. Failure to do so can result in devastating financial damages to the company and its clients. The board of directors and officers of a company have a duty to the company and the shareholders they serve. With the significant uptick in high profile cyber security breaches, officers and directors can no longer play naïve to the risks of data breaches. A lack of oversight and management of cyber security risks can result in members of the company’s board of directors and officers being found personally liable for damages.

The following is a general overview of 5 main areas that a company should assess related to its cyber security protocols and procedures.

1. Data Management Risk

An effective due diligence process should analyze what data the company holds on its networks and workstations and where it gets that data from. Does the company retain PCI (personal credit card information) or HIPAA materials for its clients? It is important to quantify how valuable and confidential the retained data is to the business (and customers) and then focus on how the company protects and exploits it. Track the flow of data. Where is data stored? How is data received? How is data transmitted? How is data destroyed? Who has access to company data?

2. Technical Risk

If valuable data is used in an internet environment, a forensic IT security consultant should be retained to assess how the data is encrypted and what firewalls and other systems are in place to keep it safe. A business is only as secure as its third-party suppliers, so those suppliers’ systems should also be analyzed.

3. Contractual Risk

A company’s contracts with its third-party suppliers, vendors, customers, and insurance carriers should be evaluated and reviewed by legal counsel. What contractual obligations has the company assumed? What risk-shifting mechanisms are in place? What indemnification provisions are required? What are the jurisdictional and venue requirements for lawsuits/arbitrations? Are there any express limitations of liability? What insurance policies are in effect, and what do those policies cover and exclude?

4. Employee Risk

Effective cyber security is about more than just expensive and complex technical systems and contractual safeguards. Human behavior is a bigger risk to data security than even the most sophisticated hacker. It is vital to assess what processes a business has in place to protect its data and how these are reflected in its employee and subcontractor relations, contracts, and operations. Are there confidentiality/trade secret/NDA contracts in place with employees? An IT security firm should be retained to analyze and evaluate all employee workstations, emails, networks, tablets, laptops, passwords, and phones to determine potential weak links in cyber security. Protocols should be established, monitored, and reviewed on an ongoing basis.

5. Track Record / Past Risks

If a business has already suffered a known data breach in the past, that risk needs to be reviewed and evaluated on an ongoing basis to prevent future similar attacks. An assessment should then be made of how the company dealt with the breach and what procedures were put in place to guard against a repeat attack.

As the number and frequency of cyber attacks continue to rise, companies must remain diligent and continually monitor and improve their cyber security protections. Officers and directors who underestimate or overlook cyber security threats face the potential of personal liability for company damages. In future blog posts we will continue to explore this ever-increasing business and legal risk.

The attorneys at MLMW are experienced in working with clients on cyber security related issues, including litigation, employment contracts, transactions, and mergers and acquisitions. We also work regularly with specialized IT cyber security firms. Please contact us if you would like to speak more about your company’s cyber security issues.


(Mallon Lonnquist Morris & Watrous, PLLC, is a business, employment, real estate, and litigation law firm. Craig T. Watrous is a Colorado business attorney with MLMW, based in Denver, Colorado. Craig regularly represents clients on cyber security matters. Craig can be reached at and (303) 722-2165)
