Five Cyber Hygiene Action Areas To Improve Business Resilience

Maintaining a robust cybersecurity framework is an enterprise-wide responsibility that requires everyone's attention. This checklist addresses five critical areas in which businesses are vulnerable to emerging cybersecurity risks and offers practical steps you can take to strengthen your organization's cyber hygiene.

1. Maintain Robust Incident Response Policies and Processes

Incident response policies and practices require consistent maintenance and must adapt to evolving technologies. Whenever possible, companies should prioritize real-world testing to validate existing protocols and identify areas for improvement.

Action Steps

• Establish relationships: Identify and engage external counsel and key vendors in advance. Define responsibilities and complete engagement paperwork.
• Review your Incident Response Plan: Ensure your plan serves as a real-time action guide for addressing cyber incidents. Tailor it to your organization's specific needs, include key steps and stakeholder responsibilities, and develop separate playbooks for common risk scenarios.
• Conduct tabletop exercises: Run mock cybersecurity incidents that allow stakeholders to practice their roles, test your teams' decision-making processes, and identify gaps in your company's response capabilities before a real incident occurs.
• Provide regular employee training: Ensure all employees can recognize and report suspicious activity. Educate key personnel, including executives, finance, and IT administrators, about the advanced sophistication of social engineering attacks. Train incident response team members on their specific responsibilities, expected actions, and escalation procedures.

2. Educate the Board

Boards are responsible for cybersecurity risk oversight, and regulators such as the Securities and Exchange Commission (SEC) expect appropriate governance. This responsibility requires ongoing education so board members can effectively question and guide management.

Action Steps

• Implement regular cyber briefings: Provide the board with regular updates on emerging threats, incident metrics, and the company's security posture. Engage experts to share insights on new developments.
• Expand cyber expertise at the board level: Consider recruiting board members with cybersecurity backgrounds or providing existing members with specialized training.
• Establish clear reporting protocols: Define what types of incidents require immediate board notification versus routine reporting in scheduled meetings.

3. Assess the Cyber Regulatory Landscape

Cybersecurity regulations and enforcement priorities continue to evolve across multiple jurisdictions and agencies, including the offices of state attorneys general, Federal Trade Commission, and SEC, and financial regulators, such as the New York Department of Financial Services.

Action Steps

• Monitor regulatory developments: Assign responsibility for tracking new and proposed regulations relevant to your industry and business model.
• Conduct compliance gap assessments: Systematically evaluate your current cybersecurity practices against new requirements, such as the SEC's updated Regulation S-P for registered investment advisers.
• Build compliance into your timeline: Create implementation plans well ahead of time to avoid last-minute scrambling and ensure thorough integration.

4. Manage AI Security Risks

Artificial intelligence (AI) systems introduce new risks to security and expand opportunities for traditional cyberattacks. As generative AI capabilities continue to evolve, your organization must adopt AI-specific security measures to address both external threats and internal vulnerabilities.

Action Steps

• Stay informed on AI security guidance: Increase your awareness of risks and controls by consulting knowledge bases, including the OWASP GenAI Security Project and MITRE ATLAS. Goodwin's Global Investigations Review primer on AI cyber risks can get you started.
• Conduct comprehensive vendor due diligence: Before adopting third-party AI tools, verify the vendor's security certifications, data handling practices, audit procedures, and incident response capabilities.

5. Ensure Your Cyber Insurance Policy Fits Your Organization's Needs

Cybersecurity insurance is an industry standard, but many companies still face claim disputes, coverage gaps, or unexpected out-of-pocket costs during incidents.

Action Steps

• Retain preferred counsel and vendors: Work with your insurance broker to negotiate favorable terms with your cyber insurer regarding the use of preferred vendors and forensic and legal experts, including agreed-upon reimbursement rates when possible.
• Evaluate policy limits and address any coverage gaps: Regularly review your coverage limits and deductibles and assess whether your policy adequately covers appropriate losses and risk scenarios for your business operations.
• Know When to Involve Your Cyber Insurance Coverage: Prompt notice to your cyber insurer of security incidents is critical to preserve coverage. Also make sure that the insurer has agreed, in advance, to all professionals you have engaged to respond to any incident.

Getting Started

These five action areas form a foundation for improved cyber resilience. Begin by assessing your current state in each area, prioritizing those that pose the greatest risk to your organization, and creating a realistic implementation timeline. Remember that cybersecurity is not a one-time project but an ongoing commitment that requires regular attention and adaptation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.