Cyber Risks in the Boardroom

Transcription

1 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing Threat Environment June 12, 2015

2 Table of Contents 2 Overview 3 Governance 4 Assessing Your Company s Vulnerabilities and Risks 8 Mitigating Cybersecurity Risk 11 Response to Breach 1

3 Overview A recent survey of more than 9,700 executives found that: 42.8 million cybersecurity incidents were detected by the respondents during 2014, an increase of more than 48% over 2013 Globally, the average financial loss attributed to cybersecurity incidents during 2014 was $2.7 million, a 34% increase over 2013 The incurrence of financial losses of $20 million or more attributed to a single cybersecurity incident increased by 92% over 2013 Employees, through negligence, inadvertence and maliciousness, are the top cause of data breaches in the U.S. The most costly breaches, however, are malicious in nature Being prepared to handle a data breach properly may reduce the costs related to an incident significantly Expectations of shareholders, customers, regulators and law enforcement are evolving. Data breaches are becoming less surprising but companies will be held to a higher standard of preparedness and responsiveness Source: PricewaterhouseCoopers LLP: Managing cyber risks in an interconnected world. Key findings from The Global State of Information Security Survey

4 Governance Cybersecurity is not solely the responsibility of the technologists; preparation and response require coordination across an organization Senior management and the board should understand the risks and be briefed regularly on cybersecurity measures Specific members of senior management should be assigned primary responsibility for monitoring cybersecurity risks and working with other company stakeholders to manage the interaction of cybersecurity controls and operational needs Depending on your company s internal capabilities, your company should consider retaining external advisers, including technical and legal advisers, to assist with its security assessment and preparedness and/or test the company s security preparations The board should exercise oversight of cybersecurity preparedness, including through appropriate committee review The board may consider it appropriate to meet with external advisors in the course of its oversight 3

5 Assessing Your Company s Vulnerabilities and Risks ASSESSMENT FRAMEWORK How should your company assess risk? Periodic self-assessment by an identified group of employees, overseen by an identified supervisor or committee of supervisors Client reviews and audits Governmental or regulatory reviews and audits Join a relevant information sharing and analysis center (ISAC) to share threat intelligence with other companies in your industry Use of external advisers Penetration/vulnerability testing continued on next page 4

6 Assessing Your Company s Vulnerabilities and Risks continued INFORMATION TO PROTECT Identify the kinds of sensitive information that your company holds Personal data of clients and employees (such as credit card data or financial or health-related information) Trade secrets Other commercially valuable or proprietary information Market-sensitive information, such as information on company results and/or potential transactions Other client information continued on next page 5

7 Assessing Your Company s Vulnerabilities and Risks continued SYSTEMS Assess the risks posed by your company s IT profile Cloud storage Mobile devices Distributed systems Third-party interconnection Physical security Consider the nature of the threats to which your company is exposed Theft of your company s information Theft of others information Malicious behavior and interference with business (e.g., ransomeware, denial of service attacks) Harassment, hactivism and public exposure continued on next page 6

8 Assessing Your Company s Vulnerabilities and Risks continued THREAT ENVIRONMENT Employees, whether through malice, negligence or inadvertence Vendors and others with system access Hackers and other cyber-intruders Lone wolves Ideological groups Organized Crime networks State-supported groups Physical intruders PROTECTION OBLIGATIONS Identify the obligations to which your company is subject regarding how information is to be protected Legal and regulatory (federal, state, international) Contractual Professional (e.g., lawyers ethical duties) 7

9 Mitigating Cybersecurity Risk SECURITY POLICY Your company should have a comprehensive security policy intended to address the threats it faces The policy must comply with all applicable legal, contractual and professional requirements The policy should be designed to meet one or more applicable standards; these may include the NIST Cybersecurity Framework, ISO, PCI, COBIT, and Sans Institute controls The policy should have both proactive and reactive components: Reducing the likelihood of breach, pre-breach measures to mitigate effects of a breach, breach response plan EMPLOYEES Your company should establish measures to manage and mitigate the risks employees create Screening and background checks at hiring Continued monitoring during employment Requirements that employees review and confirm that they understand and will comply with the company s security policy Ongoing training in security awareness and risk mitigation continued on next page 8

10 Mitigating Cybersecurity Risk continued TECHNICAL CONTROLS Your company should implement up-to-date technical controls to address cybersecurity risks Consistent with industry best practices and otherwise appropriate to address the specific threats the company faces Identify attempts to hack into the company s systems and attempts to access information that users are not authorized to see Identify unauthorized communications into and out of the company s network SECURITY CONSIDERATIONS Evaluation of security considerations relating to employees Passwords Use of personal devices and other non-firm devices Use of public networks Ability to write on transportable media Ability to download external programs onto the company s network or onto company devices Physical security of IT systems continued on next page 9

11 Mitigating Cybersecurity Risk continued CONTRACTORS AND VENDORS Address threats posed by contractors and vendors They must understand your company s security requirements and agree to comply with them Your company should review their cybersecurity vulnerabilities and their potential impact on your company Your company s contractual arrangements with contractors and vendors should provide for appropriate risk allocation/insurance, audit/review rights, and compliance with requirements to which the company is subject INSURANCE Assess your company s position regarding cybersecurity insurance Confirm that your policies cover losses from data breaches, as many general liability policies may not Consider specific cybersecurity coverage in addition to your general liability coverage Secure the correct amount of coverage 10

12 Response to Breach RESPONSE TEAM There should be a plan in place and known to all relevant personnel as to how to respond to a breach. This should be prepared in advance of a breach The plan should be reviewed and updated regularly to keep it current and ensure that relevant personnel are familiar with it Identify the company personnel who will be on the team to handle the incident response Should include representatives from Tech, Legal, HR, Communications, Compliance, Customer Relations, Senior Management Specific responsibilities and leadership should be assigned in advance Understand which communications may be privileged and therefore not subject to subsequent disclosure, and which will not be privileged Consider regularly holding breach-response exercises to test the plan and familiarize participants with its procedures, preferably both with and without prior notice COMMUNICATIONS STRATEGY Your company s goal should be to control external messaging, not react to it It may be preferable to volunteer disclosure before it is legally required Monitor media, including blogs and social media, for what others may be saying Have a strategy for dealing with leaks if news of the breach becomes public before your company is planning to make a statement continued on next page 11

13 Response to Breach continued NOTICE OBLIGATIONS Identify in advance all applicable notification requirements State notification laws for personal data Specific federal notification requirements (HIPAA, GLB) SEC and stock exchange requirements for public companies Legal obligations from jurisdictions outside the U.S. Contractual requirements Professional requirements, if applicable NOTICE RECIPIENTS Determine in advance who must be notified in the event of particular types of breach and who will be responsible for notifying them Law enforcement and DHS Regulators Customers and clients Contractual counterparties, vendors, contractors and other partners Public filings continued on next page 12

14 Response to Breach continued OUTSIDE SUPPORT Identify in advance outside advisers to assist with breach response and integrate them into response planning Technical advisers, including forensic consultants Legal advisers Public relations Government relations Credit monitoring services, if applicable Identify in advance any limits on your ability to provide information to authorities (e.g., privacy laws, contractual restrictions) and consider methods for addressing those limitations 13

15 new york. washington, d.c.. los angeles. palo alto london. paris. frankfurt tokyo. hong kong. beijing. melbourne. sydney Copyright 2015 Sullivan & Cromwell LLP LG5614 Attorney Advertising. Prior results do not guarantee a similar outcome.