Cybersecurity y Managing g the Risks

Transcription

1 Cybersecurity y Managing g the Risks Presented by: Steven L. Caponi Jennifer Daniels Gregory F. Linsin 99 Cybersecurity The Risks Are Real Perpetrators are as varied as their goals Organized Crime: seeking money, credit card #s, personal info. Governments: infrastructure, banks, rail, energy transmission, etc. Espionage (govt./competitors): corporate plans and intellectual property Truly international Everyone is at Risk 1.11 billion records over last 9 years 200 substantial attacks per day 30% on companies with employees 25% attacks directed at senior management or board level 100 1

2 Cybersecurity The Risks Are Real Impact of Cybercrime Global Cybercrime costs to companies may reach $1T in 2013 U.S. businesses spending averages $8.9M annually Hard Cost of a Cyberattack Average loss was $5.5M Defending an attack averages $500,000 / TJX $12M Q Litigation A single case resulted in settlements exceeding $100M Substantial government fines Soft Costs of a Cyberattack 5% drop in stock price for publicly traded companies 17% - 31% drop in brand value 101 Corporate Fiduciary Duties Officers, Directors & Senior Management An affirmative obligation to manage and mitigate risk Response must be commensurate with the level of risk A breach will be noticed Litigation shareholders & customers The government, both state and federal You will be judged in hindsight The risk will be deemed significant Part of our popular culture - news, movies, TV. The repercussions will be known 102 2

3 Corporate Fiduciary Duties Oversight Liability Caremark Claim Duty to actively monitor corporate performance and risks Cannot abdicate this responsibility It's complicated so we left it to the IT department Unconsidered Failure of the Board to Act Breach of the duty of loyalty Not exculpated by a 102(b)(7) Equals personal liability No decision is worse than a bad decision 103 Corporate Fiduciary Duties Exercising Reasonable Oversight Step 1: Understand your company s risk profile How likely are you to be attacked vs. repercussions Step 2: Speak to your peers and experts How are they addressing the risk Reasonable person standard - safety in numbers Step 3: Adopt and Monitor Best Practices IT talent on the Board / Risk Committee Regular updates from management Comprehensive Incident Response Plan 104 3

4 Advanced Planning For An Attack Do you have the right response team? Combination of legal, IT / risk management, privacy, business, and PR Regular meetings before the incident occurs Speak a common language and know their respective roles Implement a firm chain of command Filtering concise information up to decision makers Clearly disseminating decisions down the chain of command Established Outside Relationships Outside counsel Technical advisors Government: SEC, Homeland Security, FBI, etc. 105 Advanced Planning For An Attack Vendor audits / Vendor Contracts Importance of security at all links in the chain Not just a check the box activity Consider vendor subcontractors Training Build a culture of awareness Review insurance coverage Participate in standard setting process Pay attention to government communications / notices 106 4

5 Do You Have Adequate Insurance? Coverage under commercial general liability policies Exclusions and limitations have been added Specialty cyber products vary significantly First party and third party risks Consider information in the care of third parties White House encouragement of formation of insurance market 107 Will you know a breach occurred? Internal scans or signs indicate breach Notification by ISP Employee report Government inquiry or notice Vendor notice Customer notice 108 5

6 Look to your incident response plan / activate response team Stop additional data loss Contain attack Take affected machines offline Determine what happened What data were compromised? Should forensic experts be engaged? How did it happen? Allow the attack to continue? Need to observe the flow of data 109 Preserve evidence do not power down Self-Help? Can you retrieve data? Hack back legal? Don t go from victim to perpetrator Decide whether to contact law enforcement Decide whether to engage outside counsel to run internal investigation 110 6

7 Framework of Internal Investigation What is the purpose of the investigation? Identify what happened? Determine whether notification or disclosure is required Respond to government? Should independent outside counsel be engaged? Develop facts under protection of privilege Independence confidence in results Is there a reasonable anticipation of litigation? Should counsel engage forensic experts? 111 Planning the Investigation: Determine corporate decision-maker for investigation Define scope and goals of investigation Establish procedures for internal coordination OGC, IT, HR Determine procedures for submitting interim findings and the final report Should report be written or oral? Evaluate need to interview vendor employees Upjohn warnings Securing information and data Preserve privilege and maintain confidentiality Common interest privilege 112 7

8 Manage media relations in conjunction with counsel Cooperation with government agencies and law enforcement State laws require notice to regulators of incidents, in some cases even if company determines no breach occurs. Whose side are regulators on? Federal government encourages sharing of information Responding to state AG inquiries Steps to avoid waiving privilege 113 Determine legal obligations Individual notice? Regulator notice? Media notice? Pay attention to timelines Identify contractual obligations Consider mitigation of harm Should individuals be notified in absence of legal obligation? Offer identity theft protection service? Warn your competitors? 114 8

9 Contact insurer Establish call center / public relations SEC disclosures Document everything Lessons learned

10 117 10