CLE FOR LUNCH: MARITIME CYBERSECURITY

Transcription

1 NYCLA CLE I NSTITUTE CLE FOR LUNCH: MARITIME CYBERSECURITY Prepared in connection with a Continuing Legal Education course presented at New York County Lawyers Association, 14 Vesey Street, New York, NY scheduled for January 29, 2015 Program Co-sponsor: NYCLA s Admiralty Committee Faculty: Alan M. Weigel and Kate B. Belmont, Blank Rome LLP This course has been approved in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 2 Transitional and Non-Transitional credit hours: 2 Professional Practice/Law Practice Management. This program has been approved by the Board of Continuing Legal education of the Supreme Court of New Jersey for 2 hours of total CLE credits. Of these, 0 qualify as hours of credit for ethics/professionalism, and 0 qualify as hours of credit toward certification in civil trial law, criminal law, workers compensation law and/or matrimonial law. ACCREDITED PROVIDER STATUS: NYCLA s CLE Institute is currently certified as an Accredited Provider of continuing legal education in the States of New York and New Jersey.

2

3 Information Regarding CLE Credits and Certification CLE for Lunch: Maritime Cybersecurity January 29, 2015; 12:20 PM to 2:00 PM The New York State CLE Board Regulations require all accredited CLE providers to provide documentation that CLE course attendees are, in fact, present during the course. Please review the following NYCLA rules for MCLE credit allocation and certificate distribution. i. You must sign-in and note the time of arrival to receive your course materials and receive MCLE credit. The time will be verified by the Program Assistant. ii. iii. iv. You will receive your MCLE certificate as you exit the room at the end of the course. The certificates will bear your name and will be arranged in alphabetical order on the tables directly outside the auditorium. If you arrive after the course has begun, you must sign-in and note the time of your arrival. The time will be verified by the Program Assistant. If it has been determined that you will still receive educational value by attending a portion of the program, you will receive a pro-rated CLE certificate. Please note: We can only certify MCLE credit for the actual time you are in attendance. If you leave before the end of the course, you must sign-out and enter the time you are leaving. The time will be verified by the Program Assistant. Again, if it has been determined that you received educational value from attending a portion of the program, your CLE credits will be pro-rated and the certificate will be mailed to you within one week. v. If you leave early and do not sign out, we will assume that you left at the midpoint of the course. If it has been determined that you received educational value from the portion of the program you attended, we will pro-rate the credits accordingly, unless you can provide verification of course completion. Your certificate will be mailed to you within one week. Thank you for choosing NYCLA as your CLE provider!

4

5 New York County Lawyers Association Continuing Legal Education Institute 14 Vesey Street, New York, N.Y (212) Admiralty In Committee: Maritime Cybersecurity Thursday, January 29, :00 PM to 2:00 PM Program Co-sponsor: NYCLA's Admiralty Law Committee Faculty: Alan M. Weigel and Kate B. Belmont, Blank Rome LLP AGENDA 12:00 PM 12:20 PM Lunch 12:20 PM 1:45 PM Discussion 1:45 PM 2:00 PM Questions and Answers

6

7 Working together, Blank Rome LLP and Good Harbor Security Risk Management LLC, haved teamed to provide a comprehensive solution for protecting your company s property and reputation from the unprecedented cybersecurity challenges present in today s global digital economy. Our multidisciplinary team of leading cybersecurity and data privacy professionals advises clients on the potential consequences of cybersecurity threats and how to implement comprehensive measures for mitigating cyber risks, prepare customized strategy and action plans, and provide ongoing support and maintenance to promote cybersecurity awareness. Focused on corporate security solutions BECAUSE CYBERSECURITY RISKS ARE ENTERPRISE RISKS.

8 Blank Rome LLP, a nationally recognized Am Law 100 firm, and Good Harbor Security Risk Management LLC, a cyber risk consulting firm led by renowned cyber and national security expert Richard A. Clarke, assist our clients to combat the threat of cyber attacks. We can offer a privileged attorney-client relationship through which companies can identify and manage all of their security risks, protect their digital assets, and quickly respond to cyber threats while simultaneously protecting their efforts from discovery or inadvertent public disclosure. The only source of knowledge is experience. Albert Einstein A cyber attack can not only create devastating financial losses for your company, but also significant operational and reputational damages and costly lawsuits. Responsible cyber risk management requires a complex strategy of ongoing support to navigate any potential crises. Experience That Matters We provide the following services: Steven L. Caponi, Esq Caponi@BlankRome.com Advise the Board and senior management to identify the company s cyber risks, determine its risk appetite, and establish a culture and processes that incorporate risk into decision-making. Elizabeth A. Sloan, Esq Sloan@BlankRome.com Provide customized Threat Awareness Exercises designed to increase awareness among senior management of the cybersecurity challenges facing your company and industry segment. Conduct a crisis simulation designed to expose key decision makers to the realities of a true cyber incident and to test the strength of your cybersecurity defenses while identifying areas needing improvement. Prepare a tailored Strategic Action Plan ( SAP ) that enhances your organization s ability to mitigate cyber risk, successfully manage a cyber incident, and quickly return to maximum operational effectiveness. Conduct a NIST Cybersecurity Framework Assessment to benchmark NIST alignment, apply the five NIST Framework Core functions and develop actionable milestones to help companies achieve their NIST Target Maturity Profile. Provide ongoing cybersecurity support and maintenance through a variety of service offerings scalable to fit the needs of all companies. To learn more about how we may help you, please contact any member of our team listed on page 11. Richard A. Clarke RClarke@goodharbor.net Jacob Olcott Jacob.Olcott@goodharbor.net 11 2 CyberBro[Master] indd Emilian Papadopoulos Emilian@goodharbor.net

9 O N G O ING SUPPORT AN D M AINT ENA NC E Yesterday s solutions are just that solutions to solve yesterday s problems. But in today s world, cybersecurity risks and threats are changing every day. Malicious actors and hackers constantly alter techniques to avoid defensive measures and overcome industry best practices. Additionally, new regulations, guidelines, and litigation will continue to shape the cybersecurity landscape and the obligations required of your company. As with the evolving nature of today s growing cyber threat, your SAP, cyber defenses, and best practices must also continue to evolve. Keeping abreast of the changing cybersecurity environment and regularly updating your company s SAP or protocols are essential to mitigating any potential cyber threats. To assist with these critical tasks, we provide our clients with a continuing relationship to help facilitate their awareness of the cybersecurity landscape and to help assist them with their ongoing cybersecurity maintenance. BOA R D O F D IR E C TO R S A N D S E N IO R M A N AG E M E N T C Y BE R S E C U R ITY A S S E S S M E N T Oversight of enterprise risks can be a challenge for many boards and senior management; yet, it is one of the most important responsibilities of the Board and C-Suite. Cyber threats can quickly devastate an organization and its ability to carry out its core functions. This threat has left many corporate leaders asking how they can do a better job overseeing the management of their organization s cyber risk exposure, and how they can improve board oversight to minimize the impact of a cyber incident. Understanding that each client has different needs, we provide various levels of maintenance and support. Our basic level provides a critical foundation of ongoing maintenance and support, which includes a monthly bulletin containing articles authored by our cybersecurity professionals that examine the recent and anticipated changes in the world of cybersecurity, including the current nature of the threat. Additionally, the bulletin will summarize recent litigation trends, case law, regulations, guidelines, proposed legislation, and other developments in the cybersecurity legal environment. This option also entitles your company to 5 hours per month of cybersecurity legal assistance from Blank Rome or cyber risk management assistance from Good Harbor, in the form of phone calls, requested research, or other legal support. We help senior leaders to discharge their risk oversight role by ensuring their organization s cyber risk management policies and procedures are consistent with the company s corporate strategy and risk appetite, and that these policies and procedures foster a culture of risk-adjusted decision-making. By conducting a thorough cybersecurity review for and with the C-Suite, we fully engage the board and senior management in the cyber risk mitigation process and assist them to: Develop effective corporate governance structures, policies and procedures, including establishment of appropriate committees, for managing cybersecurity risks. Identify Building on the benefits detailed above, our next level of maintenance and support provides your company with an additional 5 hours per month (for a total of 10 hours per month) of Blank Rome legal assistance. We will also perform an annual risk assessment update and an annual ECCS to test the adequacy of your current SAP. the material cyber risks their company faces in a timely manner; Implement Management is all about managing in the short term, while developing the plans for the long term. In addition to the aforementioned levels of cybersecurity support, we also offer supplemental services and benefits that are uniquely tailored to the individual needs of our clients. These supplemental services can consist of additional hours of support per month, periodic risk reviews, Executive Cyber Crisis Simulations, and updating your SAP. appropriate cyber risk management strategies responsive to the company s risk profile, business strategies, specific material risk exposures and risk tolerance thresholds; Integrate consideration of cybersecurity risk management into business decision-making throughout the organization; and Transmit Jack Welch necessary information with respect to material cyber risks and events to senior executives and, as appropriate, to the board or relevant committees. Following our review, we will deliver a detailed report containing specific recommendations for how your organization can improve its enterprise risk management effectiveness to address current and emerging cyber threats. 10 3

10 CYBER RISK MITIGATION EXERCISE Threat Awareness Exercise Our Threat Awareness Exercise is an interactive presentation conducted by a senior member of the Good Harbor team and cybersecurity attorneys from Blank Rome to increase awareness of the cybersecurity threats your company and industry segment are facing. Through a thoughtprovoking analysis with your senior executive team, as well as other C-suite officers, we will cover the following issues in the workshop session: Know your enemy and know yourself and you can fight a hundred battles without disaster. Sun Tzu Targets: An overview of who is being targeted and why. We will discuss the need for every company to understand its own threats and risks as a key part of an effective and resourceful strategy. Industry Threats: A discussion of the unique threats and risks facing your company and specific industry sector, including who is conducting the attacks, the purpose of the attacks, the type of data being targeted, and an analysis of recent attacks in your sector. Legal Implications: A high-level overview of the laws, regulations, and best practices relevant to your industry sector. We will also cover directors and officers liability, fiduciary obligations, and governance changes to ensure successful implementation of cybersecurity policies across your organization. Command and Control: A review of why the directors and officers in your company need to understand the current cybersecurity threat landscape in order to mitigate and manage any potential risks. We will discuss the necessity of giving your technical security teams a proper level of support; test and adopt cybersecurity plans, protocols, and a post-breach response plan; and implement an internal reporting and review infrastructure to ensure compliance with the objectives articulated by management. Following the Threat Awareness Exercise, our team will deliver a white paper outlining the over-arching cyber risk exposure for your company and industry sector, core cybersecurity threats, key takeaways from the exercise, and perceptions of the current and specific cybersecurity threat environment, as well as provide a report on sector-wide trends. Executive Cyber Crisis Simulation The Executive Cyber Crisis Simulation ( ECCS ) can either be a stand-alone service or used to test the effectiveness of your cybersecurity SAP. The ECCS is a realistic simulation of a cyber breach led by Richard A. Clarke, Chairman of Good Harbor and a renowned cybersecurity expert, and Blank Rome s cybersecurity attorneys. The ECCS tests the management team s preparedness through a challenging, real-life scenario, but in a safe environment, with a focus on executives working collaboratively, uncovering capabilities and resources, and identifying areas for improvement in a constructive, low-risk environment. The ECCS is not designed to make individuals pass or fail, but rather to help the company improve its collective preparedness. To simulate a real life cyber breach, the ECCS will confront your senior executives with a barrage of rapidly changing facts coming from a multitude of sources, and force them to consider what decisions they would make. Throughout the exercise, we will explore the pros and cons of every critical decision, with the understanding that there are rarely any objectively right or wrong answers. For companies without an existing SAP, the simulation will demonstrate the need for adopting one before a real incident occurs. For companies with an existing SAP, the exercise will test the adequacy of your current SAP protocols and identify areas needing improvement. By conducting the ECCS under the supervision of legal counsel, you will have peace of mind in knowing that your self-assessment will remain privileged and confidential. Finally, our team will deliver an After Action Review memorandum with key findings, lessons learned, and recommendations from the exercise. 4

11 Before developing the simulation parameters, our team will gain an understanding of your organization, operations, and desired objectives to ensure that the exercise is realistic and aligned with your corporate priorities. Relying on this information, we will then design an interactive, engaging, multimedia ECCS that will help corporate leaders achieve the following key objectives: Evaluate assumptions, capabilities, and the effectiveness of existing response planning. Analyze cybersecurity measures to determine whether they comport with current laws, regulations, and contractual obligations. Strengthen the awareness of senior leaders and crisis management teams regarding the need for response plans and the importance of crisis preparedness. Consider whether the corporate fiduciaries have implemented the protocols, best practices, and information reporting structures necessary to minimize their personal liability. Improve the ability of multiple teams from across the organization to communicate and work together quickly and effectively in a real crisis. Following the ECCS, our team will hold a group debrief with the participants in an after action review meeting, which will extract the key lessons learned and allow our team to identify and articulate specific action items. STRATEGIC ACTION PLAN Preparation and advanced planning separate those who succeed from those who fail in the face of a significant threat. In the world of cybersecurity, there is simply not enough time to consider your options after an attack or breach is detected. Consider the following: Retail companies can expect to lose an average of $3.4 million in brand damage every hour their systems are offline. Depending on the industry and nature of the data breach, brand value can decline by as much as 17 percent to 31 percent. Success depends upon previous preparation and without such preparation there is sure to be failure. Confucius Publicly traded companies may experience a drop in their share price after announcing a breach. To the extent that third-party data is involved, costs for a breach may include liability for stolen assets, repairs to information systems, and remediation expenses to address stolen identities. A cyber thief using the average cable modem can transfer approximately 15,000 documents per second or nearly 100,000 per hour. The magnitude and emergent nature of cybersecurity risks requires the adoption of a SAP before an incident occurs. Can your company afford to wait the 5-, 10-, or 24-hours it would take to locate your senior executives, apprise them of the developing situation, and answer all of their questions before obtaining direction on how to respond to a cyber breach? Understanding that each client has a unique profile and different needs, we offer two programs to help assess your company s cyber risks and develop an effective SAP. 5

12 OPTION 1: Cyber Risk Profile and Recommendations Preparing a comprehensive SAP requires a candid assessment of your company s cybersecurity risk profile ( Cyber Profile ). Your Cyber Profile is determined by considering the likelihood your company will suffer from a cyber attack, the potential severity of a breach, the sufficiency of your existing cybersecurity policies, and your company s crisis response policies. Every company will have a unique Cyber Profile, falling within a spectrum ranging from high- to low-risk. High-risk companies will be expected to implement more comprehensive defensive measures as compared to low-risk enterprises. A company in the critical infrastructure sector, or one with particularly sensitive intellectual property, would be considered high-risk; for them, it is not a question of if they will be attacked, but rather of when and how frequently. Additionally, an attack on companies in these sectors can cripple not only their internal operations, but also have a ripple effect across the economy at large. Given the stakes, companies with a high-risk Cyber Profile will be expected to adopt rigorous policy procedures and crisis management plans to address the threats they face. Our comprehensive Cyber Profile will help senior executives in your company to understand their unique cyber risk exposure and to mitigate the impact of a significant cyber event. Working collaboratively with your executives, we will assess the essential elements of your company s cyber risk status, cyber risk management strategy, corporate governance structure, policies and procedures, existing technologies, sector-specific risks, and crisis management protocols. We will then use our findings to identify significant gaps or areas needing improvement. At the end of the assessment period, your company will receive an Executive Cyber Risk Profile Report. The report is a tailored analysis designed for C-suite executives that summarizes your company s current state of cybersecurity, outlines key findings, and includes recommendations for strengthening cyber defenses in a way that balances security considerations with operational needs. Your company can then use the report to create, enhance, or implement your own SAP on a schedule that is consistent with your operational needs. OPTION 2: Cyber Risk Profile and SAP Implementation If your company is seeking greater assistance in addressing cyber risks, this option includes the aforementioned Cyber Profile and allows our cybersecurity team to further build on the insights gleaned from the report by testing your company s cyber risk management programs against your material cyber risks. We will also perform a gap assessment and recommend specific changes in your company s policies, programs, and technologies to help mitigate those material risks and identify significant gaps or areas needing improvement. Following our review, we will deliver a report containing a detailed SAP that is unique to your company, as well as work with you to implement the SAP. Included in our final report, you will receive the following: Crown Jewels and Worst-Case Scenarios Identification Report: Identification of your company s most valuable assets and a forecast of worst-case scenarios to avoid, which are then weighted and mapped on a risktolerance scale and incorporated into the SAP. Strategy Profile: Evaluation of whether your company s strategy and governance systems adequately address not only internal considerations and direct external risks, but also third-party risks, including supply chain security and vendor risk management. Final Policies and Procedures Recommendations: Presentation detailing our execution plan to implement your company s SAP, as well as procedural recommendations to mitigate your most significant risks. Technology Roadmap: Examination of the current state of your company s technology and legal issues, and a proposal of their future state to effectively implement the new policies. 6

13 NIST CYBERSECURITY FRAMEWORK ORIENTATION AND WORKSHOPS On February 19, 2014, the National Institute of Standards and Technology ( NIST ) released the long-awaited Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework or Framework ) In part, the Cybersecurity Framework is intended to aid in the development of cybersecurity practices for managing cyber risks. Properly applied, the Cybersecurity Framework enables companies to create a blueprint for identifying potential threats, protecting themselves from cyber attacks, and quickly recovering if an attack occurs. At its core, the Cybersecurity Framework rk affirms the belief that cyber risks are enterprise risks that warrant the attention of C-suite executives. Working with our clients, we utilize proven methods to apply the Cybersecurity Framework to develop specific protocols essential to secure the processes, information, and systems directly involved in the delivery of your critical services. Our methodologies include overlaying the Cybersecurity Framework on top of current cyber security practices to determine gaps and to develop a detailed roadmap to improvement. We stand ready to provide our extensive experience to help our clients navigate the complex features of the Framework to help protect their core assets, minimize liability exposure, and reduce risks through our NIST Cybersecurity Framework services. NIST Cybersecurity Framework Briefing By failing to prepare you are preparing to fail. Benjamin Franklin Through an interactive presentation, we work with our clients to explore and analyze the practical implications of the Cybersecurity Frame work, including what it means for businesses, how it can be effectively applied, its purpose, and its objectives. Consisting of an orientation and series of workshops (typically one to three), the NIST Cybersecurity Framework Briefing is designed to help executives achieve several key objectives: Understand the Cybersecurity Framework and how it is used by leading companies to manage cyber risk; Understand how the Cybersecurity Framework can help manage and mitigate a wide range of liability, policy, and cyber threats facing companies; Facilitate the unification of company leaders (e.g., the CEO, CFO, CIO, CISO, General Counsel, and senior officers for human resources, communications, and key business lines) around cyber risk management policies in a NIST context; and Make key decisions regarding whether and how to use the Cybersecurity Framework to manage cyber risks. Following the Briefing, our team will deliver a white paper that summarizes the collaborative discussion, outlines the purpose and objectives of the NIST compliance, reviews how companies in your industry sector are implementing the Cybersecurity Framework, provides key takeaways and recommends next steps for your organization. 7

14 The NIST Cybersecurity Framework Assessment The NIST Cybersecurity Framework Assessment provides comprehensive services for companies seeking an independent assessment of their current cybersecurity practices to assess alignment with NIST, identify gaps and provide a tailored maturity rating for the company based on our unique methodology. We are also able to assist organizations who wish to conduct a self-assessment in the context of a NIST Framework risk management model. Under either assessment model, we help our clients determine their desired Target Market Profile and develop an action plan with improvement milestones and timelines to help the company achieve its Target Maturity Profile. This independent NIST Cybersecurity Framework Assessment affords a helpful tool for companies whose cybersecurity is being reviewed by customers, vendors, investors, insurance carriers, or other third parties. The Framework Core The heart of the NIST Cybersecurity Framework Assessment is the application of the Framework Core, which is intended to identify a set of cybersecurity activities, desired outcomes, and applicable references that are common across your organization and industry sector. When applied correctly, the Core provides a high-level, strategic view of the lifecycle of an organization s management of cybersecurity risks. We assist clients in achieving this objective through applying the five concurrent and continuous NIST Framework Core Functions to your organization. Working in tandem with your leadership team, we utilize the Core Functions to guide your cyber risk mitigation: Identify: Catalogue the resources necessary to support critical functions within your organization. Protect: Articulate specific protocols to ensure the delivery of critical functions. Detect: Identify methods for detecting cybersecurity threats at the early stage to minimize harm to critical functions. Respond: Adopt procedures for responding to a cybersecurity event. Recover: Develop contingencies for critical functions to ensure operational resilience. 8

15 Cybersecurity Profile Our cybersecurity team works with senior management officials in your company to develop a Current NIST Cybersecurity Profile (the Current Profile ) in light of your current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. The Current Profile reflects the business and security objectives identified through the application of the Framework Core. Following the development of a Current Profile, we identify opportunities for improving your current cybersecurity posture (the as-is state ) in order to achieve a Target Profile (the to be state). This analysis reflects your business drivers and risk tolerance to determine the cost-effectiveness of innovation. Comparing the Current Profile and Target Profile, we generate an individualized roadmap for reducing cybersecurity risk that is aligned with your organizational and sector goals. The customized roadmap or gap analysis also reflects your legal/regulatory requirements, industry best practices, and risk management priorities. Our risk-based approach is designed to assist organizations in gauging how best to deploy their resources (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective and prioritized manner. The development of a NIST Current and Target Profile is a critical step in aligning standards, guidelines, and practices across the organization to achieve the desired state of cybersecurity preparedness. NIST Alignment Report Following the NIST Cybersecurity Framework Assessment, we will deliver a comprehensive NIST Alignment Report that is unique to your organization. The report will identify and prioritize specific policies practices and procedures for the implementation of a continuous and repeatable cybersecurity management program. In this context, the report will also: (1) describe your current cybersecurity posture; (2) describe a target state for cybersecurity; (3) assess progress toward your target state; and (4) recommend procedures for effectively communicating among internal and external stakeholders regarding cybersecurity risk. The NIST Alignment Report is intended to be a living document, which can and should be updated individually or with our assistance to reflect your organization s business drivers and security considerations. While compliance with the Cybersecurity Framework is not yet mandatory, many in the business community have expressed their intent to support and adopt the Framework. Our NIST Alignment Report can be presented to business partners, government agencies, and insurance carriers as evidence of your organization s serious consideration of the Framework s recommendations and intent to reflect the Framework in an existing cybersecurity risk management process. 9

16 O N G O ING SUPPORT AN D M AINT ENA NC E Yesterday s solutions are just that solutions to solve yesterday s problems. But in today s world, cybersecurity risks and threats are changing every day. Malicious actors and hackers constantly alter techniques to avoid defensive measures and overcome industry best practices. Additionally, new regulations, guidelines, and litigation will continue to shape the cybersecurity landscape and the obligations required of your company. As with the evolving nature of today s growing cyber threat, your SAP, cyber defenses, and best practices must also continue to evolve. Keeping abreast of the changing cybersecurity environment and regularly updating your company s SAP or protocols are essential to mitigating any potential cyber threats. To assist with these critical tasks, we provide our clients with a continuing relationship to help facilitate their awareness of the cybersecurity landscape and to help assist them with their ongoing cybersecurity maintenance. BOA R D O F D IR E C TO R S A N D S E N IO R M A N AG E M E N T C Y BE R S E C U R ITY A S S E S S M E N T Oversight of enterprise risks can be a challenge for many boards and senior management; yet, it is one of the most important responsibilities of the Board and C-Suite. Cyber threats can quickly devastate an organization and its ability to carry out its core functions. This threat has left many corporate leaders asking how they can do a better job overseeing the management of their organization s cyber risk exposure, and how they can improve board oversight to minimize the impact of a cyber incident. Understanding that each client has different needs, we provide various levels of maintenance and support. Our basic level provides a critical foundation of ongoing maintenance and support, which includes a monthly bulletin containing articles authored by our cybersecurity professionals that examine the recent and anticipated changes in the world of cybersecurity, including the current nature of the threat. Additionally, the bulletin will summarize recent litigation trends, case law, regulations, guidelines, proposed legislation, and other developments in the cybersecurity legal environment. This option also entitles your company to 5 hours per month of cybersecurity legal assistance from Blank Rome or cyber risk management assistance from Good Harbor, in the form of phone calls, requested research, or other legal support. We help senior leaders to discharge their risk oversight role by ensuring their organization s cyber risk management policies and procedures are consistent with the company s corporate strategy and risk appetite, and that these policies and procedures foster a culture of risk-adjusted decision-making. By conducting a thorough cybersecurity review for and with the C-Suite, we fully engage the board and senior management in the cyber risk mitigation process and assist them to: Develop effective corporate governance structures, policies and procedures, including establishment of appropriate committees, for managing cybersecurity risks. Identify Building on the benefits detailed above, our next level of maintenance and support provides your company with an additional 5 hours per month (for a total of 10 hours per month) of Blank Rome legal assistance. We will also perform an annual risk assessment update and an annual ECCS to test the adequacy of your current SAP. the material cyber risks their company faces in a timely manner; Implement Management is all about managing in the short term, while developing the plans for the long term. In addition to the aforementioned levels of cybersecurity support, we also offer supplemental services and benefits that are uniquely tailored to the individual needs of our clients. These supplemental services can consist of additional hours of support per month, periodic risk reviews, Executive Cyber Crisis Simulations, and updating your SAP. appropriate cyber risk management strategies responsive to the company s risk profile, business strategies, specific material risk exposures and risk tolerance thresholds; Integrate consideration of cybersecurity risk management into business decision-making throughout the organization; and Transmit Jack Welch necessary information with respect to material cyber risks and events to senior executives and, as appropriate, to the board or relevant committees. Following our review, we will deliver a detailed report containing specific recommendations for how your organization can improve its enterprise risk management effectiveness to address current and emerging cyber threats. 10 3

17 Blank Rome LLP, a nationally recognized Am Law 100 firm, and Good Harbor Security Risk Management LLC, a cyber risk consulting firm led by renowned cyber and national security expert Richard A. Clarke, assist our clients to combat the threat of cyber attacks. We can offer a privileged attorney-client relationship through which companies can identify and manage all of their security risks, protect their digital assets, and quickly respond to cyber threats while simultaneously protecting their efforts from discovery or inadvertent public disclosure. The only source of knowledge is experience. Albert Einstein A cyber attack can not only create devastating financial losses for your company, but also significant operational and reputational damages and costly lawsuits. Responsible cyber risk management requires a complex strategy of ongoing support to navigate any potential crises. Experience That Matters We provide the following services: Steven L. Caponi, Esq Caponi@BlankRome.com Advise the Board and senior management to identify the company s cyber risks, determine its risk appetite, and establish a culture and processes that incorporate risk into decision-making. Elizabeth A. Sloan, Esq Sloan@BlankRome.com Provide customized Threat Awareness Exercises designed to increase awareness among senior management of the cybersecurity challenges facing your company and industry segment. Conduct a crisis simulation designed to expose key decision makers to the realities of a true cyber incident and to test the strength of your cybersecurity defenses while identifying areas needing improvement. Prepare a tailored Strategic Action Plan ( SAP ) that enhances your organization s ability to mitigate cyber risk, successfully manage a cyber incident, and quickly return to maximum operational effectiveness. Conduct a NIST Cybersecurity Framework Assessment to benchmark NIST alignment, apply the five NIST Framework Core functions and develop actionable milestones to help companies achieve their NIST Target Maturity Profile. Provide ongoing cybersecurity support and maintenance through a variety of service offerings scalable to fit the needs of all companies. To learn more about how we may help you, please contact any member of our team listed on page 11. Richard A. Clarke RClarke@goodharbor.net Jacob Olcott Jacob.Olcott@goodharbor.net 11 2 CyberBro[Master] indd Emilian Papadopoulos Emilian@goodharbor.net

18 Working together, Blank Rome LLP and Good Harbor Security Risk Management LLC, haved teamed to provide a comprehensive solution for protecting your company s property and reputation from the unprecedented cybersecurity challenges present in today s global digital economy. Our multidisciplinary team of leading cybersecurity and data privacy professionals advises clients on the potential consequences of cybersecurity threats and how to implement comprehensive measures for mitigating cyber risks, prepare customized strategy and action plans, and provide ongoing support and maintenance to promote cybersecurity awareness. Focused on corporate security solutions BECAUSE CYBERSECURITY RISKS ARE ENTERPRISE RISKS.

19 OCTOBER 2014 No. 3 MAINBRACE INSIDE THIS ISSUE 1 Maritime Cybersecurity: A Growing Threat Goes Unanswered 11 Why Arbitration? Why Not? 3 Valuation in Maritime Chapter 11 Cases: Genco and NAV 15 Maritime Legislation Left Pending as Congress Exits Stage Right 5 Is the U.S. Prepared Legally and Operationally to Protect Its Arctic Interests? 17 YoungShip International Welcomes Texas and the United States! 8 Collection of Evidence in the U.S. for Use in Foreign Legal Proceedings under Section International Politics and Maritime Law Collide in Texas 9 Blank Rome Maritime Attorneys Co-Author Voyage Charters and Time Charters

20 MAINBRACE 1 BLANK ROME LLP Maritime Cybersecurity: A Growing Threat Goes Unanswered By Steven L. Caponi and Kate B. Belmont Caponi@BlankRome.com Steven L. Caponi PARTNER KBelmont@BlankRome.com Kate B. Belmont ASSOCIATE The maritime industry may be one of the oldest in the world, but in-depth reports issued by the United States Accountability Office ( GAO ) and the European Network and Information Security Agency ( ENISA ) confirm that our industry is as susceptible to cyber security risks as the most cutting-edge technology firms in Silicon Valley. With the ability to commandeer a ship, shut down a port or terminal, disclose highly confidential pricing documents, or alter manifests or container numbers, even a minor cyber attack can result in millions of dollars of lost business and third-party liability. Unfortunately, cybersecurity on board merchant vessels and at major ports is 10 to 20 years behind the curve compared with office-based computer systems and competing industries throughout the world. Like other industries critical to the global economy, such as the financial services sector and energy, it is time for the maritime industry to adopt a proactive response to the growing cybersecurity threat. Economic and Security Perspectives Although not yet treated as a significant business risk, cybersecurity has for some time been viewed as a considerable threat by the governmental agencies responsible for both national and international maritime security. In late 2011, ENISA issued a sobering report focused on the cybersecurity risks facing the maritime industry, and provided recommendations for how the maritime industry should respond. Unfortunately, the most recent report issued by the GAO in June of this year confirms that the threat has grown more significant, but that the maritime industry has failed to make cybersecurity a priority. Copies of both the ENISA and GAO reports can be obtained by visiting Blank Rome s cybersecurity blog, Cybersecuritylawwatch.com. ENISA was prompted, in part, to issue its 2011 report because the maritime sector is universally viewed as critical to the security and prosperity of European society. ENISA noted that in 2010, 52 percent of the goods trafficked throughout Europe were carried by maritime transport, compared to only 45 percent a decade earlier. The ENISA report further noted that, throughout Europe, approximately 90% of EU external trade and more than 43% of the internal trade take place via maritime routes. The industries and services belonging to the maritime sector are responsible for approximately three to five percent of EU Gross Domestic Product. This vast amount of trade flows into and out of the numerous ports located in 22 EU member states. From both an economic and security perspective, the ability to disrupt the flow of maritime goods in Europe or the United States would have a tremendous negative impact on the respective local economies, and would also be felt worldwide. According to ENISA, The three major European seaports (i.e., Rotterdam, Hamburg, and Antwerp) accounted in 2010 for 8% of overall world traffic volume, representing over million TEUs. Additionally, these ports carried in % of the international exports and 18% of the imports. For its part, the GAO noted that, as an essential element of America s critical infrastructure, the maritime industry operates approximately 360 commercial sea ports that handle more than $1.3 trillion in cargo annually. The Long Beach port alone services 2,000 vessels per year, carrying over 6.7 million TEUs, which accounts for one in five containers moving through all U.S. ports. Long Beach ranks among the top 21 busiest ports internationally, with significant connections to Asia, Australia, and Indonesia. With the ability to commandeer a ship, shut down a port or terminal, disclose highly confidential pricing documents, or alter manifests or container numbers, even a minor cyber attack can result in millions of dollars of lost business and third-party liability. Given the interconnectivity of the maritime industry and paramount need to keep ports moving with speed and efficiency, a cyber attack on just one of the major EU or U.S. ports would send a significant negative ripple throughout the entire industry. With the ability to impact so many nations and peoples at once, the maritime industry presents a fruitful target for