Cybersecurity: What In-House Counsel Needs to Know
November 19, 2013
Vivian A. Maese, vivian.maese@dechert.com
2013 Dechert LLP
So what does all of the legal activity in cybersecurity mean to you? The top 4 things that you have to worry about:
- You have a new regulator if you are in one of the critical infrastructure businesses.
- If you are a public company, then you have to worry about disclosures.
- Part of your role is to help your company identify and manage cyber risk.
- You need to understand the implications of new technologies, which create new risks.
1. NIST
The National Institute for Science and Technology is about to make rules. Take a look at the rules and make your Company's voice heard, or live with a rule set that will be costly to implement.
2. SEC Disclosures
In the disclosure guidance, the SEC includes the following as Risk Factors (SEC Guidance 2011):
- Discussion of aspects of the registrant's business or operations that give rise to material cyber-security risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cyber-security risks, description of those functions and how the registrant addresses those risks;
- Description of cyber-incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber-incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
2. SEC Disclosures (Continued)
Questions for in-house counsel to ask:
- What is the organization doing to protect itself from unwanted intrusion?
- Is access to information carefully controlled, well documented and permitted on a need-to-know basis?
- Is there an inventory of the software applications and the data used by those systems?
- Does the company classify its data by category (e.g., personally identifiable information ("PII"), proprietary, trade secret, confidential, public, internal use only, restricted)?
- Does the company have an approach to the protection of information by data classification?
2. SEC Disclosures (Continued)
The role of outsourcing providers: Third parties (i.e., outsourcing providers) who perform services for the company are a potential break in the chain of control in an organization, and the SEC requires that the company consider these outsourcing arrangements as a Risk Factor. In the outsourcing context, the company should have a dynamic inventory of its third-party service providers, what they do, what data is in their custody and where in the world the data is located. The company should conduct diligence regarding the providers of outsourced services prior to contract.
2. SEC Disclosures (Continued)
Dynamic Vendor Risk Management: The outsourcing contract should be carefully crafted and clear about risks, rights and remedies. It used to be that once the contract was signed, it could be filed away and not reviewed again. Not anymore. In order to appropriately and adequately disclose risks, third-party diligence should continue after the agreement has been signed. Audits, reviews, monitoring, testing and escalation procedures are important elements of good governance. New technologies are making the monitoring job easier than it has been in recent years, meaning more process automation and scenario simulation is available and less manual and physical checking is required. If the company is contemplating an outsourced relationship to a virtual data center (aka "the cloud"), there is an enhanced risk profile to consider.
3. Counsel's Role in Managing Risk
Counsel needs to know and understand:
- What kind of data is kept by the Company
- The character of the data: Is it confidential customer information or trade secrets? Is it personal?
- How the data flows: in country, cross-border
- How the data is stored when it is at rest
- Where in the world it is kept: by the Company, by an outsourced provider
3. Risk (Continued)
Data is an asset that should be protected. There are multiple ways to safeguard information:
- Due diligence and background checks when you have employees or consultants (the insider threat)
- Contracts should balance and apportion risks, and give the Company a foundation for a claim
- Training, processes, procedures, and escalation; outsourcing contracts should include escalation procedures
- Computer architecture (non-obvious pathways into company systems)
- Audit trails for access
- Intrusion detection capability
3. Risk (Continued)
Cyber thieves or bad actors today are persistent: if they fail, they don't go away; they learn and try again. It is important to have a response team that is cohesive and tested in advance of the event (it is like continuity-of-business readiness).
3. Risk (Continued)
You need a multidisciplinary team to respond that can:
1. Assess the threat
2. Have help identified
3. Have defined roles for team members
4. Have go-to vendors identified and under contract in advance of a cyber incident
4. New Technologies Create New Cyber-risk
- Cloud Computing
- Mobility
- Bring Your Own Device
- Social Networks