Cybersecurity: What In-House Counsel Needs to Know


Cybersecurity: What In-House Counsel Needs to Know
November 19, 2013
Vivian A. Maese, vivian.maese@dechert.com
2013 Dechert LLP

So what does all of the legal activity in cybersecurity mean to you? The top four things you have to worry about:

1. You have a new regulator if you are in one of the critical infrastructure businesses.
2. If you are a public company, you have to worry about disclosures.
3. Part of your role is to help your company identify and manage cyber risk.
4. You need to understand the implications of new technologies, which create new risks.

1. NIST. The National Institute of Standards and Technology is about to make rules. Take a look at the rules and make your Company's voice heard, or live with a rule set that will be costly to implement.

2. SEC Disclosures. In its disclosure guidance, the SEC includes the following as Risk Factors (SEC Guidance 2011):
- Discussion of aspects of the registrant's business or operations that give rise to material cyber-security risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cyber-security risks, description of those functions and how the registrant addresses those risks;
- Description of cyber-incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber-incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.

2. SEC Disclosures (Continued). Questions for in-house counsel to ask:
- What is the organization doing to protect itself from unwanted intrusion?
- Is access to information carefully controlled, well documented and permitted on a need-to-know basis?
- Is there an inventory of the software applications and the data used by those systems?
- Does the company classify its data by category (e.g., personally identifiable information ("PII"), proprietary, trade secret, confidential, public, internal use only, restricted)?
- Does the company have an approach to the protection of information by data classification?

2. SEC Disclosures (Continued). The role of outsourcing providers: Third parties (i.e., outsourcing providers) who perform services for the company are a potential break in the organization's chain of control, and the SEC requires that the company consider these outsourcing arrangements as a Risk Factor. In the outsourcing context, the company should maintain a dynamic inventory of its third-party service providers: what they do, what data is in their custody, and where in the world that data is located. The company should conduct diligence on the providers of outsourced services before signing the contract.

2. SEC Disclosures (Continued). Dynamic Vendor Risk Management: The outsourcing contract should be carefully crafted and clear about risks, rights and remedies. It used to be that once the contract was signed, it could be filed away and never reviewed again. Not anymore. In order to disclose risks appropriately and adequately, third-party diligence should continue after the agreement has been signed. Audits, reviews, monitoring, testing and escalation procedures are important elements of good governance. New technologies are making the monitoring job easier than it was in recent years: more process automation and scenario simulation is available, and less manual and physical checking is required. If the company is contemplating an outsourced relationship with a virtual data center (a.k.a. "the cloud"), there is an enhanced risk profile to consider.

3. Counsel's Role in Managing Risk. Counsel needs to know and understand:
- What kind of data is kept by the Company
- The character of the data: Is it confidential customer information or trade secrets? Is it personal?
- How the data flows: in country, cross-border
- How the data is stored when it is at rest
- Where in the world it is kept: by the Company, by an outsourced provider

3. Risk (Continued). Data is an asset that should be protected. There are multiple ways to safeguard information:
- Due diligence and background checks when you have employees or consultants (the insider threat)
- Contracts should balance and apportion risks, and give the Company a foundation for a claim
- Training, processes, procedures, and escalation; outsourcing contracts should include escalation procedures
- Computer architecture: non-obvious pathways into company systems
- Audit trails for access
- Intrusion detection capability

3. Risk (Continued). Cyber thieves and other bad actors today are persistent: if they fail, they don't go away; they learn and try again. It is important to have a response team that is cohesive and tested in advance of the event (much like business continuity readiness).

3. Risk (Continued). You need a multidisciplinary response team that can:
1. Assess the threat
2. Have help identified
3. Have defined roles for team members
4. Have go-to vendors identified and under contract in advance of a cyber incident

4. New Technologies Create New Cyber-risk:
- Cloud Computing
- Mobility
- Bring Your Own Device
- Social Networks

Dechert LLP Definitive advice Practical guidance Powerful advocacy dechert.com Almaty Austin Beijing Boston Brussels Charlotte Chicago Dubai Dublin Frankfurt Hartford Hong Kong London Los Angeles Luxembourg Moscow Munich New York Orange County Paris Philadelphia Princeton San Francisco Silicon Valley Tbilisi Washington, D.C. Dechert practices as a limited liability partnership or limited liability company other than in Almaty, Dublin, Hong Kong, Luxembourg and Tbilisi.