Cybersecurity: Managing the Risks




Cybersecurity: Managing the Risks
Presented by: Steven L. Caponi, Jennifer Daniels, Gregory F. Linsin

Cybersecurity: The Risks Are Real
- Perpetrators are as varied as their goals
  - Organized crime: seeking money, credit card numbers, personal information
  - Governments: infrastructure, banks, rail, energy transmission, etc.
  - Espionage (governments/competitors): corporate plans and intellectual property
- Truly international
- Everyone is at risk
  - 1.11 billion records over the last 9 years
  - 200 substantial attacks per day
  - 30% on companies with 1-250 employees
  - 25% of attacks directed at senior management or board level

Cybersecurity: The Risks Are Real
- Impact of cybercrime
  - Global cybercrime costs to companies may reach $1T in 2013
  - U.S. business spending averages $8.9M annually
- Hard costs of a cyberattack
  - Average loss was $5.5M
  - Defending an attack averages $500,000 / TJX $12M Q
  - Litigation: a single case resulted in settlements exceeding $100M
  - Substantial government fines
- Soft costs of a cyberattack
  - 5% drop in stock price for publicly traded companies
  - 17% - 31% drop in brand value

Corporate Fiduciary Duties: Officers, Directors & Senior Management
- An affirmative obligation to manage and mitigate risk
- Response must be commensurate with the level of risk
- A breach will be noticed
  - Litigation: shareholders & customers
  - The government, both state and federal
- You will be judged in hindsight
  - The risk will be deemed significant
  - Part of our popular culture: news, movies, TV
  - The repercussions will be known

Corporate Fiduciary Duties: Oversight Liability
- Caremark claim
  - Duty to actively monitor corporate performance and risks
  - Cannot abdicate this responsibility: "It's complicated, so we left it to the IT department"
- Unconsidered failure of the Board to act
  - Breach of the duty of loyalty
  - Not exculpated by a 102(b)(7) provision
  - Equals personal liability
- No decision is worse than a bad decision

Corporate Fiduciary Duties: Exercising Reasonable Oversight
- Step 1: Understand your company's risk profile
  - How likely are you to be attacked vs. the repercussions
- Step 2: Speak to your peers and experts
  - How are they addressing the risk?
  - Reasonable person standard: safety in numbers
- Step 3: Adopt and monitor best practices
  - IT talent on the Board / Risk Committee
  - Regular updates from management
  - Comprehensive incident response plan

Advanced Planning For An Attack
- Do you have the right response team?
  - Combination of legal, IT / risk management, privacy, business, and PR
  - Regular meetings before the incident occurs
  - Speak a common language and know their respective roles
- Implement a firm chain of command
  - Filtering concise information up to decision makers
  - Clearly disseminating decisions down the chain of command
- Established outside relationships
  - Outside counsel
  - Technical advisors
  - Government: SEC, Homeland Security, FBI, etc.

Advanced Planning For An Attack (continued)
- Vendor audits / vendor contracts
  - Importance of security at all links in the chain
  - Not just a "check the box" activity
  - Consider vendor subcontractors
- Training: build a culture of awareness
- Review insurance coverage
- Participate in the standard-setting process
- Pay attention to government communications / notices

Do You Have Adequate Insurance?
- Coverage under commercial general liability policies
  - Exclusions and limitations have been added
- Specialty cyber products vary significantly
  - First party and third party risks
  - Consider information in the care of third parties
- White House encouragement of the formation of an insurance market

Will You Know a Breach Occurred?
- Internal scans or signs indicate a breach
- Notification by ISP
- Employee report
- Government inquiry or notice
- Vendor notice
- Customer notice

Look to Your Incident Response Plan / Activate the Response Team
- Stop additional data loss
  - Contain the attack
  - Take affected machines offline
- Determine what happened
  - What data were compromised?
  - Should forensic experts be engaged?
  - How did it happen?
- Allow the attack to continue?
  - Need to observe the flow of data
- Preserve evidence: do not power down
- Self-help?
  - Can you retrieve data?
  - Is hacking back legal? Don't go from victim to perpetrator
- Decide whether to contact law enforcement
- Decide whether to engage outside counsel to run an internal investigation

Framework of Internal Investigation
- What is the purpose of the investigation?
  - Identify what happened?
  - Determine whether notification or disclosure is required
  - Respond to government?
- Should independent outside counsel be engaged?
  - Develop facts under protection of privilege
  - Independence: confidence in results
  - Is there a reasonable anticipation of litigation?
  - Should counsel engage forensic experts?

Planning the Investigation
- Determine the corporate decision-maker for the investigation
- Define scope and goals of the investigation
- Establish procedures for internal coordination: OGC, IT, HR
- Determine procedures for submitting interim findings and the final report
  - Should the report be written or oral?
- Evaluate the need to interview vendor employees
  - Upjohn warnings
- Securing information and data
  - Preserve privilege and maintain confidentiality
  - Common interest privilege

Media Relations and Government Cooperation
- Manage media relations in conjunction with counsel
- Cooperation with government agencies and law enforcement
  - State laws require notice to regulators of incidents, in some cases even if the company determines no breach occurred
  - Whose side are regulators on?
  - Federal government encourages sharing of information
  - Responding to state AG inquiries
  - Steps to avoid waiving privilege

Determine Legal Obligations
- Individual notice? Regulator notice? Media notice?
- Pay attention to timelines
- Identify contractual obligations
- Consider mitigation of harm
  - Should individuals be notified in the absence of a legal obligation?
  - Offer an identity theft protection service?
  - Warn your competitors?

Other Response Steps
- Contact insurer
- Establish call center / public relations
- SEC disclosures
- Document everything
- Lessons learned