CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison


Gary Solway*
Bennett Jones LLP

The August release of the purported names and other details of over 35 million customers of Ashley Madison, an adulterous liaison website operated by a Toronto-based company, has once again brought home to Canada the risks in using computer networks to carry on business. The company's CEO has departed, and the company is reportedly involved with numerous class action lawsuits and regulatory and criminal investigations in Canada and the United States. According to purported e-mails of the company's former CEO, which were also leaked by the hackers, the hack occurred as the company was attempting to undertake an initial public offering in London, England after other financing and sales efforts failed. For the directors of the company whose tag line is "Life is short. Have an affair" the days are now (likely) very long.

The daily news reports of successful hacks of computer networks of notable organizations such as the U.S. federal government, the Canada Revenue Agency and SONY Entertainment have made it abundantly clear that no network is safe. While hacking is an important cyber security issue, recent studies have found that most cyber security incidents are not produced by hackers. Rather, they are "inside jobs" arising from deliberate attacks by disgruntled former employees, or they arise from the carelessness or inadvertence of current employees.

The main takeaway for directors is that it is just a matter of time until an enterprise faces a cyber security incident. How well the enterprise responds to that incident will be determined to a large extent by how well it prepares. This article will examine the board's role in an enterprise's preparation, monitoring and response to cyber security incidents.

* Mr. Solway is Managing Partner of the Technology, Media and Entertainment Group at Bennett Jones LLP.

Preparation

Directors have a duty of care that applies to both "for profit" and "not for profit" enterprises in Ontario. The standard that directors must meet is "the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances."[1] Directors have unlimited personal liability. Consequently, directors who breach this duty of care have unlimited exposure.

The duty of care inherently requires that directors identify and manage key risks facing the enterprise. Risks are commonly measured in terms of the potential for significant financial harm or physical damage, but the spectrum of risk also includes reputational risk, which does not have a precise financial cost. Cyber security is a major risk in terms of potential financial harm, physical damage and (especially) reputational damage. Cyber security is a business continuity issue, just like the risk of fire, and it needs to be treated in a similar fashion, with proper planning. The Ashley Madison hack is a very clear example of a business that is on fire (not in a good way).

Cyber security preparedness begins with board oversight and the "tone at the top." Directors need to be engaged in understanding the risk and how the enterprise is managing it. The board may delegate aspects of its oversight role to a board committee such as the audit or risk committee.

In its publication, Cyber-Risk Oversight,[2] the U.S.-based National Association of Corporate Directors ("NACD") identified the following five principles to define the director's role in cyber security.

Principle 1: Directors need to understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue.

The director's role is an oversight role. The board needs to make sure all facets of the enterprise are involved. Cyber security is not solely an information technology ("IT") department issue; it involves many other issues. For example, if the enterprise needs to transact business online, the IT department needs to support those needs. It cannot simply say it is too dangerous. That process requires a dialogue between various departments within the enterprise so that business objectives and security objectives can both be satisfied as much as possible, based on the board's risk tolerance.

The board needs to supervise the development of policies and procedures that will apply across the enterprise. All aspects of the enterprise need to be involved in their development. For example, the development of a proper Cyber Incident Response Plan may involve legal, financial, sales, marketing, communications, accounting and human resources aspects of the enterprise. The IT department will not be effective if it is isolated and left to its own devices. The board's role is to ensure that all relevant parts of the enterprise are involved and cooperating. All employees need to understand the importance of and embrace security, because one weak link (e.g., a weak password) makes the entire enterprise vulnerable.

Principle 2: Directors should understand the legal implication of cyber risks as they relate to their enterprises' specific circumstances.

The board should have a basic understanding of: (a) what data the business has; (b) why it has it; (c) where it is stored; (d) who has access to it; and (e) how it can be accessed.

[1] This standard is set out in the Canada Business Corporations Act, R.S.C. 1985, c. C-44 (s. 122(1)(b)), the Ontario Business Corporations Act, R.S.O. 1990, c. B.16 (s. 134(1)(b)) and the Canada Not-for-profit Corporations Act (s. 148(1)(b)). It will apply to Ontario's Not-for-profit Corporations Act (s. 43(1)(b)) when it becomes law (likely in 2016). The common law duty of care applies under current Ontario not-for-profit legislation.
[2] Director's Handbook Series 2014, National Association of Corporate Directors.

For certain types of information or certain industries (e.g., health or financial information), there may be applicable legislation that sets out special rules that govern how that information is to be handled (e.g., geographic rules, encryption rules, disclosure rules). Cyber risks can be external (e.g., hackers, malware) or internal (employees). With respect to internal risks, the board should consider what information employees are entitled to access and why they have or need that access. It may also be desirable to keep certain information (such as "crown jewels") offline altogether.

Principle 3: Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.

Boards are entitled to rely on experts to help the directors fulfill their duty of care.[3] Directors are not expected to be experts on everything, but they are expected to inform themselves sufficiently to fulfill their oversight role. Boards (or board committees) conduct their work through meetings. Therefore, to fulfill the cyber oversight role, the board (or a committee) must meet to review these issues. Also, given directors' general lack of expertise regarding cyber security and technology, it may be helpful to recruit a director who is technology literate. If the board cannot or does not want to add a member with that expertise, they can consider having a technology consultant engaged by and reporting to the board to supplement their knowledge to the extent required.

Hewlett-Packard's Cyber Risk Report[4] concludes that the threat landscape is still populated by "old problems and known issues." Most of these issues can be addressed. For example, some can be addressed simply by applying patches provided free of charge by the software developers. Consequently, it is important to involve experts who know how to identify and deal with these issues.
The board does not want to be embarrassed by a cyber breach caused by "old problems and known issues." Mobile computing and the "Internet of Things" bring new challenges for the board to address. Expert advice is critical to assist the board in assessing the risk that the enterprise faces.

Principle 4: Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

As noted, the board's role is an oversight role. Management, not the board, is responsible for developing and implementing the cyber security framework, including developing budgets, hiring and coordinating personnel (or third party service providers), and developing, implementing and monitoring policies, procedures and response plans. Management should report to the board regularly on cyber security so that the board is kept up to date at a high level.

The board may determine that the enterprise does not have the appropriate personnel and systems and cannot afford them or does not want them. In that case, the board may decide to outsource cyber security. Outsourcing is acceptable, but the board needs to ensure that diligence is done on, and sufficient contractual commitments are made by, third party providers.

Principle 5: Board and management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

The board should understand what risks the enterprise is taking on.[5] It may not be possible to address everything through security measures alone. Cyber insurance can help protect against deficiencies, although considerable expertise is required in procuring suitable cyber coverage (it is not a commodity and all programs are not created equal).

[3] Canada Business Corporations Act, s. 123(5). Business Corporations Act (Ontario), s. 135(4).
[4] HP Security Research, at
[5] The board should have its directors' and officers' insurance policy reviewed to make sure there is no cyber exclusion; even if the board has done nothing wrong, there could be defence costs if the enterprise does not have money to indemnify.

The lawsuit against the directors of Wyndham Worldwide Corp.,[6] an international hotel chain, is an example of the exposure that directors face if they are perceived not to be fulfilling their duties to the enterprise. In that U.S. case, the Wyndham directors were sued by certain shareholders for failing to take steps to prevent recurring data breaches of hotel guest information. In its October 2014 decision, the Court concluded that directors had fulfilled their duty of care.

The Wyndham board's actions are a good example of what responsible boards should do. The board discussed cyber security issues at every quarterly board meeting (14 of them), the audit committee had investigated the breaches, and the company had, under the board's direction, hired a technology firm to recommend security enhancements and begun to implement those enhancements. The Court was satisfied with the directors' efforts (although the U.S. Federal Trade Commission is continuing its own proceedings against Wyndham, initiated in 2012, challenging the adequacy of what the company has done).

The Wyndham case is a reminder that directors will want to ensure that they have appropriate indemnification agreements and directors' insurance in place so that they are protected from the defence costs and potential liability associated with any claims, whether or not the claims are meritorious. Part of that "insurance" may involve the identification of and ready access to a skilled communications expert, who may help to mitigate the reputational damage that often ensues in these cases.

Monitoring

Once the cyber security plan is completed, the board needs to ensure that it is properly implemented, functioning and updated.
The board should be receiving reports of any problems such as major cyber security incidents, elements of the plan that have not been implemented as planned, or problems in staff training. Cyber security should be a regular agenda item at board or committee meetings. Cyber security is not a one-time exercise; it is ongoing because cyber security is evolving and the threat is constantly changing.

[6] Palkan v. Holmes et al., No. 2:2014cv01234 (D.N.J. 2014).

Response

A properly prepared cyber security plan will enable the enterprise to promptly respond. The plan will identify how to escalate an incident, including when to inform the board and what role the board will have in the response. There are many issues that need to be considered in a response plan such as:

- How does the enterprise know that there has been a breach and how serious it is?
- Who is on the crisis response team (internal and external)?
- Who is in charge of what when an incident occurs?
- How does the breach get fixed, if fixable?
- Who is responsible for informing the board, regulators, police, public, employees, customers, suppliers and insurers?
- What information will be communicated to each group?
- Is there any required reporting under applicable law?
- What can be done to limit liability?
- What records need to be maintained for court/regulatory proceedings and what will be protected by legal privilege?
- How should the investigation be conducted and who should conduct it (internal versus external)?

Proper advance preparation is extremely important. There are a great number and variety of experts needed to respond to an incident, both internally and externally. They include the board, the CEO, the CFO, the CTO, the privacy officer, the risk manager, the human resources head, the internal communications team, heads of departments that use the network, third party service providers, internal and external legal advisors, external communications advisors, external cyber security consultants, external forensic investigators, insurance agents and insurers. The directors do not want the project team assembly exercise to start only after an incident has arisen. There is often no learning time available at time of breach because there is frequently a need to act immediately. The enterprise needs a team that is up to speed and ready to go, not busy chasing down contact numbers, clearing conflicts and sorting out retainer terms.
If no plan has been prepared that is suitable for the type of cyber breach that has occurred, the board will have an ad hoc role, if it is informed about the breach. If the board has not let management know that it wants to know about cyber breaches, the board may not be informed until actions have been taken that the board may not like.

A review of the numerous press releases issued by Ashley Madison in response to the hack highlights the myriad of issues and parties involved in responding to hacks of this sort. The website has attempted to fix the security lapse that allowed the hack, has hired experts to review and improve its security, and is cooperating with numerous police agencies in Canada and the U.S. in attempts to find and prosecute the hackers, including offering a $500,000 reward, while at the same time taking steps to assure its customers the site is now safe, and using the international publicity from the incident to promote its business.

The website has not disclosed whether it had a suitable cyber incident response plan in place prior to the hack. It first learned of the attack on July 12, but no announcement was made until the hackers posted their threats on a website on July 19 announcing that they were giving Ashley Madison a month to cease operations or face disclosure of customer information. It is not yet known when the directors were informed of the hack and what steps they took during the week of July 12 to avoid disclosure of the hack. Also unknown is what steps the directors took to avoid disclosure of the hacked information in the following month. Given the litigation now underway, it is likely that all those details will be revealed in the coming months and years.

Avoid Embarrassment or Worse

Cyber security is not just an IT issue to be left to the IT department. It involves the entire enterprise and can only be effectively implemented if it is handled seriously from the board level on down.
Directors do not want to be in the embarrassing position of having to reveal that they did not know enough to ask any questions or take steps to supervise the implementation of appropriate cyber security measures. Nor do they want their enterprises to suffer the harm and financial and reputational liabilities that can arise from failing to take simple steps to fix known issues or apply free security patches to safeguard the enterprise's information. Given their unlimited personal liability, and their reputational exposure, directors should do what is necessary to ensure that they have fulfilled their duty of care to the enterprise. They should also have appropriate indemnities and liability insurance to protect them from the costs associated with claims that they failed to carry out their duties properly.


More information

Session 1B DON T LET THEM EAT YOUR LUNCH The Prevention Method for Cyber Risk!

Session 1B DON T LET THEM EAT YOUR LUNCH The Prevention Method for Cyber Risk! Session 1B DON T LET THEM EAT YOUR LUNCH The Prevention Method for Cyber Risk! Patrick Bourk, Integro Insurance Brokers (Moderator) Senior Vice President Office: 416.619.8097 Mobile: 416.619.8099 patrick.bourk@integrogroup.com

More information

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations Jeffrey D. Scott Jeffrey D. Scott, Legal Professional Corporation Practice Advisors

More information

Addressing Cyber Risk Building robust cyber governance

Addressing Cyber Risk Building robust cyber governance Addressing Cyber Risk Building robust cyber governance Mike Maddison Partner Head of Cyber Risk Services The future of security The business environment is changing The IT environment is changing The cyber

More information

Audit Committee Charter

Audit Committee Charter Audit Committee Charter Role The Audit Committee of the Board of Directors assists the Board of Directors in fulfilling its responsibility for oversight of the quality and integrity of the accounting,

More information

6/8/2016 OVERVIEW. Page 1 of 9

6/8/2016 OVERVIEW. Page 1 of 9 OVERVIEW Attachment Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $50 Billion [Fotnote1 6/8/2016 Managing risks is fundamental to

More information

Cyber Security Strategy

Cyber Security Strategy NEW ZEALAND S Cyber Security Strategy 2015 A secure, resilient and prosperous online New Zealand Ministerial Foreword The internet and technology have become a fundamental element in our lives. We use

More information

CHARTER OF THE FINANCE AND RISK MANAGEMENT COMMITTEE OF THE BOARD OF DIRECTORS OF SPECTRA ENERGY CORP (April 2013)

CHARTER OF THE FINANCE AND RISK MANAGEMENT COMMITTEE OF THE BOARD OF DIRECTORS OF SPECTRA ENERGY CORP (April 2013) CHARTER OF THE FINANCE AND RISK MANAGEMENT COMMITTEE OF THE BOARD OF DIRECTORS OF SPECTRA ENERGY CORP (April 2013) I. General Focus The Finance and Risk Management Committee (the Committee ) shall: Review

More information

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF SERVICEMASTER GLOBAL HOLDINGS, INC.

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF SERVICEMASTER GLOBAL HOLDINGS, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF SERVICEMASTER GLOBAL HOLDINGS, INC. Adopted by the Board of Directors on July 24, 2007; and as amended June 13, 2014. Pursuant to duly adopted

More information

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes

More information

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and

More information

Infratil Limited - Board Charter. 1. Interpretation. 1.1 In this Charter:

Infratil Limited - Board Charter. 1. Interpretation. 1.1 In this Charter: Infratil Limited - Board Charter 1. Interpretation 1.1 In this Charter: Act means the Companies Act 1993. Board means the Board of Directors of Infratil Limited. Business means the business of Infratil

More information

What you need to know and what you can t afford to ignore!

What you need to know and what you can t afford to ignore! Cyber Risk: What you need to know and what you can t afford to ignore! James Johnston Directors' and Officers' Insurance Underwriter Daniel Fletcher Cyber Insurance Underwriter Financial & Specialty Markets

More information

AUDIT AND RISK MANAGEMENT COMMITTEE CHARTER

AUDIT AND RISK MANAGEMENT COMMITTEE CHARTER MASTERMYNE GROUP LIMITED AUDIT AND RISK MANAGEMENT COMMITTEE CHARTER Purpose of Charter 1. The Audit and Risk Management Committee Charter (Charter) governs the operations of the Audit and Risk Management

More information

Is your Organization SAFE?

Is your Organization SAFE? Is your Organization SAFE? About Enterprise Risk Management (ERM) About The Presenter Mike Sanchez, Senior Vice President at ERM Captain, USMC (Ret.) COBIT 5 Certified Possesses over 20 years of experience

More information

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

The Changing IT Risk Landscape Understanding and managing existing and emerging risks The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015

More information

Cyber security guide for boardroom members

Cyber security guide for boardroom members Cyber security guide for boardroom members 2 Cyber security guide for boardroom members Cyber security at strategic level Our society is rapidly digitising, and we are all reaping the benefits. Our country

More information

SEC update: Cybersecurity initiatives. SEC update: Cybersecurity initiatives. Intelligize // 02

SEC update: Cybersecurity initiatives. SEC update: Cybersecurity initiatives. Intelligize // 02 Intelligize // 02 As is tradition, at the beginning of the year, the U.S. Securities and Exchange Commission outlined both its current state of affairs and annual goals for maintaining proper compliance

More information

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers

More information

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom kpmg.bm Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom 1 Connecting the dots:

More information

PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES

PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES Cyber Attacks: How prepared are you? With barely a day passing without a reported breach of corporate information security, the threat to financial

More information

Reducing Cyber Risk in Your Organization

Reducing Cyber Risk in Your Organization Reducing Cyber Risk in Your Organization White Paper 2016 The First Step to Reducing Cyber Risk Understanding Your Cyber Assets With nearly 80,000 cyber security incidents worldwide in 2014 and more than

More information

Cyber Security: Are You Prepared?

Cyber Security: Are You Prepared? Cyber Security: Are You Prepared? This briefing provides a high-level overview of the cyber security issues that businesses should be aware of. You should talk to a lawyer and an IT specialist for a complete

More information

CYBERSECURITY: Is Your Business Ready?

CYBERSECURITY: Is Your Business Ready? CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring

More information

Cyber Security Risk Management

Cyber Security Risk Management Cyber Security Risk Management For November 6, 2014 Jim Halpert Co-Chair Global Privacy & Security Practice jim.halpert@dlapiper.com Trends Point of Sale Attacks Malware Skimming Industrial Control Systems

More information

HIPAA Cyber Security: Your Vendor is a Back Door to Your Server

HIPAA Cyber Security: Your Vendor is a Back Door to Your Server HIPAA Cyber Security: Your Vendor is a Back Door to Your Server Prepared for the American Health Lawyers Association s Fraud and Compliance Forum held October 6, 2014 John E. Kelly, Esq. Member Bass, Berry

More information

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015 Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key

More information

CYBERSTRAT IS PART OF GMTL LLP, 26 YORK STREET, LONDON, W1U 6PZ, UNITED KINGDOM WWW.CYBERSTRAT.CO INFO@CYBERSTRAT.CO

CYBERSTRAT IS PART OF GMTL LLP, 26 YORK STREET, LONDON, W1U 6PZ, UNITED KINGDOM WWW.CYBERSTRAT.CO INFO@CYBERSTRAT.CO CYBERSTRAT IS PART OF GMTL LLP, 26 YORK STREET, LONDON, W1U 6PZ, UNITED KINGDOM WWW.CYBERSTRAT.CO INFO@CYBERSTRAT.CO CYBER, INFORMATION SECURITY - OVERVIEW A cyber security breach is no longer just an

More information

Brevan Howard Asset Management LLP Pillar 3 Disclosures. Brevan Howard (2014). All Rights Reserved.

Brevan Howard Asset Management LLP Pillar 3 Disclosures. Brevan Howard (2014). All Rights Reserved. Brevan Howard Asset Management LLP Brevan Howard (2014). All Rights Reserved. Regulatory Context The following disclosures are provided pursuant to the Pillar 3 disclosure rules as laid out by the Financial

More information

Bridgend County Borough Council. Corporate Risk Management Policy

Bridgend County Borough Council. Corporate Risk Management Policy Bridgend County Borough Council Corporate Risk Management Policy December 2014 Index Section Page No Introduction 3 Definition of risk 3 Aims and objectives 4 Strategy 4 Accountabilities and roles 5 Risk

More information

$194 per record lost* 3/15/2013. Global Economic Crime Survey. Data Breach Costs. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP

$194 per record lost* 3/15/2013. Global Economic Crime Survey. Data Breach Costs. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Global Cyber Crime is the fastest growing economic crime Cyber Crime is more lucrative than trafficking drugs!

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

Managing Cyber Risk through Insurance

Managing Cyber Risk through Insurance Managing Cyber Risk through Insurance Eric Lowenstein Aon Risk Solutions This presentation has been prepared for the Actuaries Institute 2015 ASTIN and AFIR/ERM Colloquium. The Institute Council wishes

More information

HALOGEN SOFTWARE INC. AUDIT COMMITTEE CHARTER. oversee the qualifications and independence of the independent auditor;

HALOGEN SOFTWARE INC. AUDIT COMMITTEE CHARTER. oversee the qualifications and independence of the independent auditor; HALOGEN SOFTWARE INC. AUDIT COMMITTEE CHARTER PURPOSE The Audit Committee is a standing committee appointed by the Board of Directors of Halogen Software Inc. The Committee is established to fulfill applicable

More information

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime? Cyber Warfare David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Cyber crime is the fastest growing economic crime up more than 2300% since 2009 1 in 10 companies

More information

HEWLETT-PACKARD COMPANY BOARD OF DIRECTORS NOMINATING, GOVERNANCE AND SOCIAL RESPONSIBILITY COMMITTEE CHARTER

HEWLETT-PACKARD COMPANY BOARD OF DIRECTORS NOMINATING, GOVERNANCE AND SOCIAL RESPONSIBILITY COMMITTEE CHARTER I. Purpose HEWLETT-PACKARD COMPANY BOARD OF DIRECTORS NOMINATING, GOVERNANCE AND SOCIAL RESPONSIBILITY COMMITTEE CHARTER The purpose of the Nominating, Governance and Social Responsibility Committee (the

More information

Information Technology

Information Technology Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level

More information

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com

More information

Cyber Risks Connect With Directors and Officers

Cyber Risks Connect With Directors and Officers Cyber Risks Connect With Directors and Officers Implications of the New SEC Guidance on Cyber Security February 2012 Lockton Companies, LLC The Securities and Exchange Commission (SEC) has changed the

More information

Vendor Risk Management Financial Organizations

Vendor Risk Management Financial Organizations Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current

More information

How GCs And Boards Can Brace For The Cybersecurity Storm - Law360

How GCs And Boards Can Brace For The Cybersecurity Storm - Law360 Page 1 of 6 Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com How GCs And Boards Can Brace For The Cybersecurity

More information

INFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE

INFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE promontory.com INFOCUS JUNE 3, 2015 BY EARL CRANE Five Questions to Guide Cybersecurity Risk Management The quick transformation of cybersecurity risk management from obscure specialty to top-of-thehouse

More information

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Cyber Security: Protecting your business survey stats

Cyber Security: Protecting your business survey stats Cyber Security: Protecting your business survey stats Researched and authorised by Pitmans LLP in partnership with techuk. Report prepared in January 2014 by Philip James, Partner and Rob Jarrett, Solicitor.

More information

HEALTH, SAFETY & ENVIRONMENT AND BUSINESS RISK COMMITTEE CHARTER

HEALTH, SAFETY & ENVIRONMENT AND BUSINESS RISK COMMITTEE CHARTER HEALTH, SAFETY & ENVIRONMENT AND BUSINESS RISK COMMITTEE CHARTER DATE OF ISSUE: VERSION NO.: 1 PROCEDURES: N/A North American Energy Partners Inc. Health, Safety & Environment and Business Risk Committee

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Network Security & Privacy Landscape

Network Security & Privacy Landscape Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies

More information

The Internal Audit fraud challenge Prevention, protection, detection

The Internal Audit fraud challenge Prevention, protection, detection The Internal Audit fraud challenge Prevention, protection, detection Contents Introduction to survey 1 Key findings 2 What are the views of senior management? 3 Adequately resourced? 6 Current trends and

More information

Cyberprivacy and Cybersecurity for Health Data

Cyberprivacy and Cybersecurity for Health Data Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies

More information

I n joining a public company board of directors, you

I n joining a public company board of directors, you Corporate Law & Accountability Report Reproduced with permission from Corporate Accountability Report, 23 CARE, 2/4/16. Copyright 2016 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

More information

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Exercising Your Enterprise Cyber Response Crisis Management Capabilities Exercising Your Enterprise Cyber Response Crisis Management Capabilities Ray Abide, PricewaterhouseCoopers, LLP 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved.

More information

cyber invasions cyber risk insurance AFP Exchange

cyber invasions cyber risk insurance AFP Exchange Cyber Risk With cyber invasions now a common place occurrence, insurance coverage isn t found in your liability policy. So many different types of computer invasions exist, but there is cyber risk insurance

More information

Remarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the

Remarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the Remarks by Carolyn G. DuChene Deputy Comptroller Operational Risk at the Bank Safety and Soundness Advisor Community Bank Enterprise Risk Management Seminar Washington, D.C. October 22, 2012 Good afternoon,

More information