Understanding the nuances between “due care” and “due diligence” is essential for effective risk management, especially in the complex domain of cybersecurity. While both terms are pivotal in establishing a robust security posture for risk mitigation, they differ significantly in their application and focus. In everyday life, these concepts relate to the general precautions and measures we take to avoid harm. In contrast, within a regulatory or compliance context, particularly in cybersecurity, they take on more specialized meanings and play distinct roles in safeguarding an organization.

Due Care in daily life refers to the habitual actions, policies, and procedures we employ to maintain safety and avoid risks. It’s about doing the right thing consistently. In a cybersecurity context, it translates to the ongoing efforts an organization makes to keep its data and systems secure. This includes implementing and maintaining appropriate security measures, regularly updating software to patch vulnerabilities, and ensuring that all employees are trained in security best practices.

Due Diligence, in a general sense, involves taking the necessary steps to avoid harm in a specific situation. It’s about doing the necessary homework. In the realm of cybersecurity, particularly within a regulatory framework, due diligence refers to the comprehensive process an organization undertakes to understand and manage the cyber risks associated with third-party partners, vendors, and acquisitions. This means thoroughly assessing the security posture of these external entities, continuously monitoring their compliance, and ensuring they align with the organization’s cybersecurity standards.

Both concepts are not only crucial in everyday risk management but become even more critical in a regulatory and compliance environment where the stakes are higher. Due care and due diligence in cybersecurity are about proactive and reactive measures. While due care focuses on preventing security incidents through ongoing maintenance and good practices, due diligence is about the investigative actions taken to ensure external parties do not introduce new risks into the organization.

In this article, we delve deeper into “due care” versus “due diligence” within the cybersecurity landscape, especially under the lens of regulatory and compliance frameworks. We’ll explore each concept’s nuances, how they interact, and why both are indispensable in a comprehensive risk management strategy. Additionally, we’ll provide actionable insights on integrating these principles into your organization’s cybersecurity practices to enhance your defensive posture and ensure compliance in an ever-evolving threat environment.

What Is Due Care in Cybersecurity?

Definition of Due Care

Due care refers to the effort made by an individual or organization to avoid harm to other people or property. In the context of cybersecurity and business, due care is the level of judgment, attention, and prudence that a reasonable person would reasonably be expected to exercise under particular circumstances. It’s essentially about taking proactive steps and implementing necessary measures to ensure an organization’s practices are safe and adhere to a standard of care that is recognized by industry norms or legal requirements. In cybersecurity, this might include regular updates to security protocols, ongoing staff training, and prompt responses to known vulnerabilities.

Here are updated and expanded examples of due care in today’s cybersecurity landscape:

Monitor and Protect Your Network from Malicious Activity

In an era of ever-evolving cyber threats, continuous monitoring of your network is critical. You must ensure that your security team is equipped with the latest tools and information to detect and respond to new vulnerabilities and threats promptly. This includes implementing advanced threat detection systems, employing real-time security monitoring, and regularly reviewing access logs.

Train Your Employees in Cybersecurity Awareness

Human error remains one of the significant vulnerabilities in cybersecurity. Provide comprehensive training to all employees covering topics such as phishing, password management, and secure internet practices. Regularly update training materials to reflect the latest cyber threats and ensure that all staff understand the implications of non-compliance with company policies.

Apply Policies, Standards, Baselines, and Procedures

Develop and maintain a clear, comprehensive cybersecurity policy that outlines your organization’s stance and practices. This should be based on a thorough risk assessment that considers the specific threats and vulnerabilities relevant to your business. Regularly review and update your policies to adapt to new cyber risks and regulatory changes. Ensure that all employees are aware of these policies and understand their role in upholding them.

Make Backup Copies of Critical Corporate Information and Data

Regular backups are a cornerstone of due care in cybersecurity. Automate your backup processes where possible to ensure consistency and reliability. Store backups securely, both on-site and off-site, and test them regularly to ensure they can be restored effectively. Consider employing cloud services for redundancy and ensure they comply with your security requirements.

Secure Your Wi-Fi Network

Wi-Fi networks are common entry points for attackers. Ensure your network is secure by using strong encryption (like WPA3), hiding the network SSID, and regularly changing passwords. Control access to the network and monitor it for unauthorized devices or unusual activity. Employ network segmentation to protect sensitive data and systems from being accessed via the Wi-Fi network.

Stay Informed and Compliant with Regulations

Due care also means staying informed about the latest cybersecurity regulations and standards relevant to your industry. This includes regulations like GDPR, HIPAA, or industry standards like ISO 27001. Ensure your practices comply with these regulations and implement a process for staying updated as they evolve.

Incident Response Planning

Prepare an incident response plan that outlines how your organization will react to a cybersecurity incident. This plan should include steps for containment, eradication, recovery, and post-incident analysis. Regularly test and update the plan to ensure it’s effective and that all relevant personnel are familiar with their roles during an incident.

By embracing these practices, organizations demonstrate due care in cybersecurity, significantly reducing their risk profile and enhancing their resilience against cyber threats. Remember, due care is not a one-time effort but a continuous commitment to maintaining and improving your cybersecurity posture in the face of a dynamic threat landscape.

What Is Due Diligence in Cybersecurity?

Definition of Due Diligence

Due diligence, on the other hand, is the investigation or exercise of care that a reasonable business or person is expected to take before entering into an agreement or contract with another party or an act with a certain standard of care. It is a more comprehensive process that involves researching and understanding the risks associated with a business activity or decision. In cybersecurity, due diligence often refers to the steps taken to assess the security posture and practices of third-party vendors or partners to ensure they meet the organization’s security standards. This includes assessing potential cybersecurity risks, verifying the vendor’s compliance with relevant standards and laws, and continuously monitoring their performance and adherence to agreed-upon security protocols.

Here are updated practices and considerations for due diligence in today’s cybersecurity environment:

Vendor Risk Management Policy

A Vendor Risk Management (VRM) policy is crucial for outlining how your organization assesses, monitors, and mitigates risks associated with third-party vendors. This policy should:

  • Document Decision-Making Processes: Include criteria for selecting new vendors, such as verification of their cybersecurity practices, certifications (like ISO 27001 or SOC 2), and potentially even background checks for key personnel.
  • Outline Ongoing Maintenance and Monitoring: Detail procedures for continuous monitoring and periodic reassessment of vendors’ compliance with cybersecurity standards. This might include regular security audits, reviews of security updates, and incident response planning.
  • Adapt to Emerging Threats: Update the policy regularly to reflect the latest cyber threats and regulatory requirements, ensuring that your organization and its vendors remain aligned in their defense against cyber risks.

Monitor Third-Party Vendors

Effective due diligence requires a deep understanding of the potential security threats posed by third-party vendors. Key practices include:

  • Baseline Security Assessment: Conduct thorough initial security assessments of all vendors to establish a baseline for future monitoring. This should cover their security policies, incident response plans, data handling practices, and any previous security incidents.
  • Continuous Monitoring: Implement systems and procedures for continuously monitoring vendors’ security postures. This might involve regular security reports, real-time alerts, or automated scanning tools.
  • Independent Audits and Penetration Testing: Depending on the sensitivity of the data and systems involved, consider conducting independent security audits or penetration tests of vendors’ systems, or request access to their most recent security assessments.

Perform Annual Security Audits

Regular security audits are a cornerstone of due diligence in cybersecurity, helping to identify and address vulnerabilities before they can be exploited. These audits should:

  • Examine a Wide Range of Factors: Look at IT systems, configurations, technologies, infrastructure, data handling practices, and compliance with relevant regulations.
  • Result in Actionable Findings: Ensure that any vulnerabilities or areas for improvement identified during audits are promptly addressed. This might involve working with the vendor to implement necessary changes or reevaluating the vendor relationship if they cannot meet your security standards.
  • Be Conducted by Qualified Professionals: Use experienced auditors or cybersecurity firms to conduct these audits, ensuring a thorough and expert examination.

Update to Reflect Regulatory Changes

Due diligence in cybersecurity isn’t just about protecting against cyber threats; it’s also about ensuring compliance with an increasingly complex regulatory landscape. Regularly update your due diligence practices to comply with laws and regulations like GDPR, HIPAA, or CCPA, and industry-specific standards.

Incorporate Cybersecurity Frameworks

Incorporate established cybersecurity frameworks like NIST or ISO 27001 into your due diligence processes. These frameworks provide structured methodologies for assessing and improving cybersecurity practices, both within your organization and among your third-party vendors.

Due diligence in cybersecurity is a dynamic and critical process for mitigating the risks associated with third-party vendors and partners. By implementing a robust vendor risk management policy, continuously monitoring third-party security postures, performing regular security audits, and staying updated with regulatory changes, organizations can significantly enhance their cybersecurity defenses and demonstrate a commitment to protecting their data, systems, and reputation.

The Importance of Due Care and Due Diligence in Cybersecurity

In the intricate world of cybersecurity, due care and due diligence are not just buzzwords but fundamental principles that underpin a robust security posture. Their importance cannot be overstated, as they collectively contribute to a proactive and responsible approach to managing and mitigating cyber risks.

Due Care refers to the ongoing efforts an organization makes to maintain and improve its cybersecurity measures. It’s about taking reasonable steps to protect data and systems from harm, which includes regular updates to security protocols, continuous training of staff, and prompt responses to known vulnerabilities. Practicing due care means an organization is actively working to meet a standard of security that is recognized as reasonable and sufficient by industry and legal standards.

Due Diligence, on the other hand, is the investigative process an organization undertakes to understand the cybersecurity risks associated with external partners, vendors, or acquisitions. It’s about ensuring that these third parties have adequate security measures in place and that their practices align with your organization’s security requirements and standards. Due diligence is critical in the supply chain and partnership context, where the security weaknesses of one entity can lead to vulnerabilities across the board.

Why are they important?

  • Legal and Regulatory Compliance: Both principles are often required by various regulations and laws. Organizations that fail to demonstrate due care and diligence can face legal repercussions, including fines and penalties.
  • Reputation and Trust: Customers and partners trust organizations that take cybersecurity seriously. Due care and diligence are visible signs of an organization’s commitment to protecting its and its customers’ data.
  • Risk Management: Proactively managing risks through due care and diligence helps prevent security incidents and reduces the impact when they do occur. This is critical in minimizing downtime, financial loss, and damage to reputation.
  • Strategic Decision Making: Due diligence provides valuable insights that can inform strategic decisions, particularly concerning mergers, acquisitions, or entering into partnerships. Understanding the security posture of another entity helps in assessing the risks and benefits of a business relationship.

Best Practices for Ensuring Due Care and Due Diligence are Integral to Your Security Policies

Embedding due care and diligence into your organization’s cybersecurity policies isn’t just a best practice; it’s a necessity in today’s threat landscape. Here’s how you can ensure these principles are an integral part of your security strategies:

  1. Establish Clear Policies and Procedures: Develop and document clear policies that outline your organization’s commitment to due care and due diligence. These should include guidelines for regular security assessments, incident response, vendor management, and employee training.
  2. Regular Risk Assessments: Conduct regular and thorough risk assessments to identify and prioritize potential vulnerabilities. This should be a continuous process, adapting as new threats emerge and your organization’s circumstances change.
  3. Continuous Monitoring and Improvement: Implement continuous monitoring of your IT environment to detect anomalies and potential threats quickly. Regularly review and update your security measures to ensure they are effective and meet current standards.
  4. Vendor Management Program: Develop a comprehensive vendor management program that includes due diligence checks before onboarding new vendors and continuous monitoring of existing ones. Ensure that your vendors adhere to the same security standards that you do.
  5. Training and Awareness: Foster a culture of security within your organization. Provide regular training to all employees on the latest cybersecurity threats and best practices. Ensure they understand their role in maintaining the organization’s security posture.
  6. Legal and Regulatory Awareness: Stay informed about the latest cybersecurity laws and regulations that affect your industry. Ensure that your policies and practices comply with these requirements, demonstrating both due care and diligence.
  7. Incident Response Plan: Have a robust incident response plan in place. This plan should outline how to respond to a security incident effectively, minimizing damage and recovering quickly. Regularly test and update this plan to ensure it’s effective when needed.
  8. Document Everything: Keep detailed records of all your cybersecurity efforts, including risk assessments, vendor evaluations, training sessions, security updates, and incident responses. This documentation can provide evidence of due care and diligence in the event of a legal issue or security breach.

Incorporating due care and due diligence into your cybersecurity policies is not a one-time effort but a continuous commitment defined by legal terms and regulatory compliance requirements. By adhering to these best practices, organizations can not only protect themselves against a myriad of cyber threats but also build a reputation for being trustworthy and responsible in the digital age.

FAQs: Related Topics

What is Reasonable Care in Cybersecurity?

Reasonable care in cybersecurity refers to the standard of behavior expected of an organization or individual to protect information systems and sensitive data from cyber threats. It’s the level of diligence and precaution that a prudent person or entity would reasonably be expected to exercise under similar circumstances. This concept is particularly important in legal and regulatory contexts, as failing to demonstrate reasonable care can lead to liabilities and penalties.

Here are some key aspects of what reasonable care might involve in the context of cybersecurity:

  1. Regular Risk Assessments: Conducting ongoing assessments to identify and understand the potential cybersecurity risks faced by the organization.
  2. Implementing Security Measures: Adopting appropriate and industry-standard security measures such as firewalls, encryption, anti-virus software, and intrusion detection systems to safeguard against known threats.
  3. Employee Training and Awareness: Providing regular training to all employees on cybersecurity best practices, potential threats (like phishing), and the importance of following security protocols.
  4. Policy Development and Enforcement: Developing, implementing, and enforcing comprehensive cybersecurity policies and procedures that are regularly reviewed and updated.
  5. Incident Response Planning: Having a well-defined and tested incident response plan to quickly and effectively address security breaches or incidents.
  6. Data Management: Ensuring proper data management practices, including regular backups, data encryption, and secure data disposal methods.
  7. Vendor Management: Conducting due diligence on third-party vendors to ensure they also follow reasonable cybersecurity practices and standards.
  8. Compliance with Laws and Regulations: Understanding and adhering to relevant laws, regulations, and industry standards that pertain to cybersecurity and data protection.
  9. Continuous Monitoring and Improvement: Regularly monitoring the security infrastructure for breaches or weaknesses and continually seeking to improve security measures based on evolving threats and best practices.

By demonstrating reasonable care, an organization not only protects itself from the myriad of cyber threats but also establishes a foundation for legal and regulatory compliance, builds trust with customers and partners, and fosters a culture of security awareness and responsibility throughout the organization.

What is Ordinary Care in Cybersecurity?

Ordinary care” in the context of cybersecurity refers to the standard of care that a reasonable person or organization should exercise under normal circumstances to protect information and systems from cyber threats. It’s a legal concept often used to determine negligence or liability in cases of data breaches or cyber incidents. The idea is that if an individual or organization fails to take the precautions that any prudent entity would reasonably take, they may be considered negligent.

In cybersecurity, exercising ordinary care typically involves:

  1. Implementing Basic Security Measures: This includes using firewalls, antivirus software, and encryption, keeping systems patched and up-to-date, and securing physical access to critical infrastructure.
  2. Risk Assessment: Regularly assessing the cybersecurity risks faced by the organization, understanding potential vulnerabilities, and the impact of different types of cyber attacks.
  3. Employee Training: Providing basic cybersecurity awareness training to all employees, including how to recognize phishing attempts, the importance of using strong passwords, and the proper handling of sensitive data.
  4. Policy Development: Developing and enforcing policies and procedures for data security, acceptable use of IT resources, incident response, and other relevant areas.
  5. Incident Response Plan: Having a basic plan in place for how to respond to various types of cyber incidents, including who to notify and what steps to take to contain and mitigate the damage.
  6. Data Management: Ensuring that data is appropriately classified, stored securely, and disposed of when no longer needed.
  7. Regular Monitoring: Keeping an eye on system logs, access records, and other indicators of potential security incidents.
  8. Compliance: Understanding and complying with relevant laws, regulations, and industry standards that apply to the organization’s data and cybersecurity practices.

While “ordinary care” doesn’t require organizations to implement every possible security measure or to be impervious to all cyber threats, it does require a basic, reasonable level of effort to protect data and systems. What’s considered “reasonable” can vary depending on several factors, including the size and type of organization, the nature of the data it handles, and the current landscape of cyber threats. As such, ordinary care in cybersecurity is a baseline standard that will evolve over time as technology and threats change.

What is CISSP?

CISSP stands for Certified Information Systems Security Professional. It is an advanced-level certification for IT pros serious about careers in information security. Offered by ISC² (International Information System Security Certification Consortium), the CISSP certification is recognized globally for its standard of excellence in the field.

The certification is aimed at experienced security practitioners, managers, and executives interested in proving their knowledge across a wide array of security practices and principles. It’s often sought by those in positions such as Security Managers, Security Analysts, Chief Information Security Officers, or any IT professional seeking to affirm their knowledge and expertise in cybersecurity.

Key aspects of the CISSP include:

  1. Domains: The CISSP covers a range of topics across eight domains in the Common Body of Knowledge (CBK) that ISC² determines are critical to cybersecurity. These domains are Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing, Security Operations, and Software Development Security.
  2. Experience Requirement: Candidates must have a minimum of five years of cumulative, paid, full-time work experience in two or more of the eight domains of the CISSP CBK. ISC² offers a one-year experience waiver for candidates with a four-year college degree or equivalent or an approved credential from the ISC²-approved list.
  3. Examination: The CISSP exam is a rigorous test that assesses the candidate’s knowledge and ability to apply it to real-world scenarios. The exam format is a mixture of multiple-choice questions and advanced innovative questions.
  4. Endorsement: After passing the exam, candidates must be endorsed by an active (ISC)²-certified professional, who can attest to the candidate’s professional experience.
  5. Continuing Education: CISSPs must earn and post Continuing Professional Education (CPE) credits regularly and pay an annual maintenance fee to maintain their certification status.

The CISSP certification is highly respected and often considered a requisite for many senior-level cybersecurity roles. It demonstrates an individual’s commitment, depth of knowledge, and expertise in the field of information security. As cyber threats become more complex and pervasive, the demand for qualified and certified security professionals, like those holding the CISSP, continues to grow.

ZenGRC Is an Integral Part of Any Cybersecurity Strategy

ZenGRC is a comprehensive risk management software designed to navigate the complexities of the modern cyber risk environment effectively. Recognizing the dynamic nature of cybersecurity threats, ZenGRC offers a sophisticated suite of tools that streamline workflows and eliminate the need for manual task management.

Streamlined Workflow Management: ZenGRC simplifies the process of risk management by automating routine tasks and workflows. This allows your team to focus on strategic decision-making rather than getting bogged down in administrative tasks.

Dynamic Visualization Tools: With its advanced visualization capabilities, ZenGRC provides a clear, intuitive understanding of your organization’s risk landscape. This feature helps in identifying and prioritizing risks, enabling more informed and timely decision-making.

Technical Risk Assessment Tools: ZenGRC is equipped with robust technical risk assessment tools that help organizations identify potential vulnerabilities and assess their impact. By eliminating duplicate work and minimizing the time required for policy implementation and monitoring, ZenGRC ensures a more efficient and effective risk management process.

Customizable Solutions: Understanding that each organization has unique needs, ZenGRC offers customizable solutions to align perfectly with your specific IT and cyber risk strategy. Whether you’re a small business or a large enterprise, ZenGRC scales to meet your requirements.

Stay Compliant with Ease: ZenGRC helps ensure that your organization stays compliant with the latest regulations and standards in cybersecurity. With continuous updates and alerts, you’ll be always one step ahead in your compliance journey.

Incorporating ZenGRC into your cybersecurity strategy not only enhances your ability to manage risks but also significantly improves your organization’s information security, risk, and compliance practices. Contact us for a free demo and discover how ZenGRC can transform your cybersecurity approach, providing you with a more secure, compliant, and resilient operational environment. Schedule a demo today to see how ZenGRC can streamline your third-party vendor risk management program.

How to Upgrade Your Cyber Risk Management Program with NIST


The terms “due diligence” and “due care” are both important to risk management, but have different meanings depending on the context in which they are used. Most importantly, the two concepts differ depending on whether you are referring to real-life scenarios or a regulatory environment.

In day-to-day life, due care refers to our habits, policies, and procedures that we use to keep us safe and out of trouble. Due diligence means that we take necessary precautions in a given situation. For example, we perform due diligence when investigating a potential problem that has been detected.

In a regulatory or compliance environment, due care still means you have policies and procedures in place to protect your organization. Due diligence, on the other hand, focuses on third-party risk management activities.

In this article we’ll explore “due care” versus “due diligence” in cybersecurity, and particularly in a regulatory and compliance framework. We’ll also review actions you can take to integrate either one into your overall risk management strategy.

See also

5 Steps to Reduce the Web of Uncertainty in Third-Party Risk Management

What Is Due Care in Cybersecurity?

Due care refers to the continuing maintenance required to keep something in excellent operating order or to meet universally accepted standards. This is especially important if due care arises from a contract, regulation, or law. We apply due care when carrying out mitigation procedures; the lack of due care is negligence.

Here are some examples of due care in cybersecurity:

Monitor and Protect Your Network from Malicious Activity

Monitoring your cybersecurity controls is necessary to secure your firm and demonstrate that you’re doing everything you can to prevent unnecessary risk. You must assure that your security staff is alerted to new dangers or gaps as part of these procedures.

Cybersecurity is a moving target. To combat threats and act with due care, you must maintain a network monitoring routine. As new forms of cyber-attacks and threats emerge, it’s necessary to implement risk mitigation with continuous monitoring.

Train Your Employees in Cybersecurity Awareness

Implement guidelines on managing and protecting customer information and other sensitive data. Assure that access controls are in place, and train your staff on cybersecurity hygiene. Clearly define the consequences of violating company policies.

Apply Policies, Standards, Baselines, and Procedures

To protect critical company information, establish security policies. Your cybersecurity policy should be a written document that outlines your company’s best practices for cybersecurity. Before drafting your policy, your company should do a risk assessment to determine the measures that need to be employed to manage cyber risk.

Make Backup Copies of Critical Corporate Information and Data

Back up all of your company’s critical data at least once a week. Word processing documents, spreadsheets, databases, financial files, human resources files, and accounts receivable or payable files are all examples of critical data. If possible, perform automatic backups.

Secure Your Wi-Fi Network

If you have a Wi-Fi network at your workplace, make sure it is secure and hidden. To hide your Wi-Fi network, configure your wireless access point or router not to broadcast the network’s name.

What Is Due Diligence in Cybersecurity?

Due diligence means that you investigate and verify your third-party partners and supply chain to assure that they meet your cybersecurity standards. An organization should perform various activities to detect and remediate the cyber threats that third-party providers bring to your ecosystem.

Following are some examples of due diligence and how they fit into a cybersecurity strategy:

Vendor Risk Management Policy

Your vendor risk management policy details the steps you take to mitigate third-party risk. As part of this policy, document the decision-making processes for accepting new vendors. This may include verification of their information security procedures and maybe even background checks for key shareholders.

The policy will also outline ongoing maintenance activities and continuous monitoring metrics to assure third-party compliance in the future.

Monitor Third-Party Vendors

Understanding the potential security threats that a third party exposes to your business is essential for third-party risk management (TPRM) and due diligence. Documenting all concerns in your initial assessment will give you a baseline for continuous monitoring and metrics that should be reviewed periodically with each third party.

Depending on the information the vendor is collecting, storing, or processing, you may conduct an independent investigation. For example, you may want to hire a penetration tester to look for security flaws, or request the vendor’s most recent penetration test report.

Perform Annual Security Audits

Security audits are technical examinations of an IT system’s configurations, technologies, infrastructure, and other factors to reduce the risk of a data breach. By taking action on findings from security audits, you are demonstrating due diligence in your business practices and how you manage third-party relationships.

ZenGRC Is an Integral Part of Any Cybersecurity Strategy

The ZenGRC is risk management software built specifically to meet the needs of an ever-evolving cyber risk landscape. It streamlines workflows so you don’t have to manage all tasks manually.

In addition, ZenGRC contains dynamic visualization and other technical risk assessment tools to help organizations eliminate duplicate work and minimize the time required to implement and monitor policies, making it the ultimate solution to better manage your IT and cyber risk strategy.

Contact us for a free demo! Learn how we can help improve your organization’s information security and risk and compliance practices.

How to Upgrade Your Cyber Risk
Management Program with NIST