What are your top 10 vuln?

Of course, there is nothing new per se below, but it is a good refresher from the National Law Review website.  I find #6 and #9 really interesting.

  1. No, or inadequate, security program in place.
  2. No recently conducted vulnerability and risk assessments.
  3. No evaluation of weaknesses or gaps in your controls in light of statutory requirements and potential common law claims.
  4. No formalized patching process or inadequate enforcement of the current process to ensure its systematic implementation.
  5. No insider threat program.
  6. Lack of connection to the cybersecurity community.
  7. Lack of stringent configuration management.
  8. Lack of stringent remote access management.
  9. Failing to consider available cybersecurity data.
  10. No incident response plan in place.


The Takeaways

  1. Compare the plans in your security program against the ten items above at a high level.
  2. If a security program (item #1 above) does not exist, fight for and win the budget to have an IT Security Function Maturity assessment completed by Deloitte, PwC, E&Y or KPMG.
