Security and cybercrime
Preventive actions and client support
- Assessment of the security level of companies;
- Audit, mapping and inventory with regard to security and cyber-risk prevention;
- Governance of security and cyber-risk prevention: risk anticipation and implementation of protective measures upstream, both technical security measures and human management (awareness, information and training);
- Cyber-risk management through contracts (security, commitments and liability) / contract management;
- Assistance in establishing crisis management plans and procedures (identification and mapping of necessary internal resources and relevant external resources; establishment of cyber crisis management directories; implementation of alert and escalation chains; organization of internal communication with respect to employees, shareholders, social partners and external communication with respect to customers, service providers, supervisory authorities, journalists, social networks, etc.; organization of emergency communication resources);
- Documentation framework: information security policy, information systems security policy, IT charters (internal and for third parties) and management of their enforceability (in particular by annexing them to the internal rules), crisis management plan, business continuity plan and disaster recovery plan, physical security procedure, etc.;
- Security adviser/point of contact: outsourcing, legal assistance, coordination of stakeholders;
- Service providers: assisting our service provider clients in completing and negotiating security questionnaires (SIG questionnaire), demonstrating their compliance, formalising existing procedures, etc.
Actions during the crisis (cyber attack) and post-crisis
- Coordination of the intervention of third parties in the management of the crisis ("cybersecurity firemen", logistics providers, etc.);
- Direct intervention on the legal aspects of crisis management and on internal communication towards employees, shareholders and social partners, and external communication towards clients, service providers and supervisory authorities in particular;
- Implementation of all actions, in particular judicial and urgent actions, that need to be carried out (request for identification, request in futurum, request for the appointment of an expert, bailiff coordination, complaint, direct summons, civil claim for indemnification, prosecution of a faulty service provider, negotiations, etc.);
- Management of data breaches with respect to the French data protection authority (CNIL notification) and other authorities, where applicable (ARS, ANSSI, Banque de France, ACPR, AMF, etc.), as well as with respect to individuals whose personal data has been compromised (notification to the individuals concerned);
- Post-crisis: feedback analysis, identification and implementation of actions and processes to avoid or limit the impact of a cyber-attack or cyber offense.
Training and publications
- Training for Dalloz Formation – Cybercrime: anticipating and reacting effectively.
- Publication: Cybercrime in 11 sheets and action plans (la cybercriminalité en 11 fiches et plans d’actions), Collection l’Expert, Editions LGDJ Lextenso