Cybersecurity Guidance for Small and Medium Size Enterprises

Small and medium size enterprises are increasingly being targeted by cyber criminals. In November 2016, the U.S. National Institute of Standards and Technology (“NIST”) issued an interagency report titled Small Business Information Security: The Fundamentals to provide cyber risk management guidance for small businesses. The Report summarizes a four-step process for creating a basic, risk-based information security program: (1) identify and prioritize information types; (2) create an inventory of technologies that access, process and store information; (3) identify threats, vulnerabilities and incident likelihood for each kind of information and technology; and (4) prioritize, implement and monitor information security efforts. The Report uses the NIST Framework for Improving Critical Infrastructure Cybersecurity to organize some basic risk mitigation practices, procedures and activities into five categories – identify, protect, detect, respond and recover.

The Report and other government guidance, including the Government of Canada’s Get Cyber Safe Guide for Small and Medium Businesses, provide helpful advice regarding basic cybersecurity practices that are useful for all organizations.
