Perspectives on Cybersecurity and Its Legal Implications



Similar documents
Corporate Perspectives On Cybersecurity: A Survey Of Execs

Spring 2015 reforms: the new DC flexibilities

Addressing UBTI Concerns in Capital Call Subscription Credit Facilities

New York State Department of Financial Services Proposes a BitLicense Regulatory Framework for Virtual Currency Businesses

IRS Issues Revised Guidance on Form W-2 Reporting Requirements for Costs of Employer Group Health Coverage

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

Intellectual Property & Data Protection 2015: Legal developments you need to know about

TERMINATION PAYMENTS AND INTERNATIONALLY MOBILE EMPLOYEES

Information Disclosure on the Securities Market

Major Changes Introduced by the New Companies Ordinance Private and Public Companies 1

Trends in Data Breach and CybersecurityRegulation, Legislation and Litigation. Part I

Good faith is there a new implied duty in English contract law?

China s New Trademark Law Introduces Key Changes

A Quick Start Guide to EMIR: What you need to do and when

Crossing Borders New Guidance on the Transfer of Personal Data outside Hong Kong

Vietnam s Insurance Market: An Overview January 2014

Capital Commitment Subscription Facilities and the Proposed Liquidity Coverage Ratio

Rare Bird Sightings: Recent Developments Address Distressed Obligation Issues Faced by REMICs

Financial Institutions and Cloud Computing What s on the Horizon

Beginner s Glossary to Fund Finance

Technological Evolution

Insolvency Litigation and Related

Negotiating ERP Implementation Agreements for Success

Equity Incentive Plans Extending US- and UK-based Plans Across the Pond

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Lawyers and Social Media: The Legal Ethics of Tweeting, Facebooking and Blogging

Contracting for Cloud Computing

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

US Bank Regulators Propose Net Stable Funding Ratio Rule to Enhance Financial System Resiliency

German Insolvency Law is geared towards liquidation of the debtor insolvency plan procedures are only applied in exceptional cases.

Guide on How to Invest in Real Estate in Hong Kong

FINRA Publishes its 2015 Report on Cybersecurity Practices

Guide to Discrimination Law in the PRC

Cyber Risks in the Boardroom

Mitigating and managing cyber risk: ten issues to consider

Authorisation and Restriction: Interplay and other Strategic Considerations

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

Cyber Insurance Presentation

Guide to Investing in Real Estate in the PRC

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

Bloomberg BNA Professional Learning Legal Course Catalog OnDemand Programs

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

Cloud Computing: A Primer on Legal Issues, Including Privacy and Data Security Concerns. Privacy and Information Management Practice / Washington, DC

Cyber and Data Security. Proposal form

The Legal Pitfalls of Failing to Develop Secure Cloud Services

Third Annual Study: Is Your Company Ready for a Big Data Breach?

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Restructuring, Bankruptcy & Insolvency in Asia

What are you trying to secure against Cyber Attack?

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

Competitive Intelligence Acquisition and Reverse Engineering

A Brief Legal Guide to Investing in Real Estate in the US

The German Pension System. An Overview

Leveraging Supply Chain Finance to Optimize Value

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION

The promise and pitfalls of cyber insurance January 2016

The Cloud and Cross-Border Risks - Singapore

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

Transcription:

Survey Results 2015 Perspectives on Cybersecurity and Its Legal Implications a 2015 survey of corporate executives

The National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce, released its cybersecurity framework in February 2014 to help regulators and businesses identify and mitigate cyber risks that could affect national and economic security. The need was urgent. According to the Ponemon Institute s 2014 Cost of Data Breach Study: Global Analysis, the total average cost per data breach for US businesses was in excess of $5.85 million. Unsure of Congress ability to respond quickly with effective legislation to address the myriad issues surrounding cybersecurity, companies are developing their own cyber risk management protocols. Survey Background and Participants In an effort to gauge industry concerns and measure corporate responses to these significant privacy and security threats, Mayer Brown conducted an informal survey of key executives and corporate counsel in 15 industry sectors between mid-november 2014 and mid-february 2015. The majority of the companies were from finance and financial institutions, professional services (law, medicine, accounting, architecture and design), utilities and energy (including extraction), health care and pharmaceuticals. While two-thirds (70%) of the respondents companies have a chief information officer (CIO) or both a CIO and a chief privacy officer, one-fifth (21%) of the companies had neither. Summary Analysis and Outlook Survey respondents overwhelmingly considered the disclosure of personally, identifiable information as the biggest cyberrelated threat to their companies (63%). Concern about interruption of business operations such as system sabotage ranked second (24%). Less than 10% of the respondents considered theft of trade secrets as the most serious threat. Most respondents (63%) considered cyber issues to be just one more cost of doing business or that these problems can be overcome. Well over half (57%) of the respondents estimated that litigation risk posed by cybersecurity issues has a relatively modest impact on their cybersecurity planning. For some, pessimism reigns. Around 29% of respondents have a negative outlook on cyber-related issues, believing that cybercrime will always be one step ahead of legislative protections and enforcement. The survey revealed that respondents concern about the adverse impact of regulatory enforcement appreciably affects their willingness to share incident information with the government. Liability protection is a critical component of a voluntary cyber information-sharing program. Without meaningful liability protection, companies will be hesitant to participate because any act or omission made by a participant based upon cyberthreat information received by that entity could subject it to liability. This concern may also explain why only 23% of respondents said that their company had built a close working relationship with either a government enforcement agency (FBI, US Secret Service) or a prosecutorial agency (DOJ or state attorneys general) on cyber issues. An equivalent percentage (23%) reported working closely with industry regulatory (FTC, FCC, FDIC, CFPB). Over 40% said no, they have no such relationship, while approximately 24% did not know. The survey showed that 84% of respondents expect clear national standards on data breach notification to emerge within the next five years. Smaller numbers expected national standards for securing personally identifiable information, investor disclosures and liability protection for information sharing. This may reflect a growing recognition in Congress that having 47 different reporting standards does not make sense. Given the number of breaches that have occurred in recent years, it makes sense to instead have a clear set of standards, not just for notification but for information security as well. Nearly 50% of respondents weren t sure if the NIST Cybersecurity Framework has been helpful to their company in managing cybersecurity risk. This may indicate that it is premature to judge the NIST Framework, or that companies are not sufficiently aware of how it is meant to be helpful. Mayer Brown has published an informative overview which can be found at: http://www. mayerbrown.com/the-nist-cybersecurity-framework-overview-and-potential-impacts/. mayer brown 1

Full Survey Results Question 1: Does your organization have a Chief Privacy Officer ( CPO, or equivalent) or a Chief Information Officer ( CIO, orequivalent) who is accountable for developing, implementing and maintaining an organization-wide governance and privacy/cybersecurity program? 33% 37% 21% 4% 4% Chief Privacy Officer ( CPO or equivalent) Chief Information Officer ( CIO or equivalent) Both a CPO and a CIO Neither a CPO or a CIO Don t know the answer Question 2: How would you describe your outlook on cybersecurity issues? For this survey, cybersecurity issues could include breaches, attacks, denial of service, loss of data, and/or damage to cyber infrastructure. 27% 29% 36% 9% Optimistic, we re catching Pessimistic, the Neutral, cyber-related Don t know the answer up with or getting ahead problem(s) will always be issues are a cost of doing of the problem(s) one step ahead business 2 Perspectives on Cybersecurity and Its Legal Implications

Question 3: Which do you consider the biggest threat to your company? 4% Breach of confidential personally identifiable information 24% Theft of trade secrets Loss of availability or sabotage of systems 9% Don t know the answer 63% Question 4: Has the NIST Cybersecurity Framework been helpful to your company in managing cybersecurity risk? Yes No Don t know 36% 17% 47% mayer brown 3

Question 5: Has your company built a close working relationship with a government entity on cybersecurity issues (more than one answer could have been selected)? 20% 23% 41% Yes, a law enforcement agency (e.g., FBI, US Secret Service) Yes, an industry regulator (e.g., FTC, FCC, FDIC, CFPB) No 3% 7% 24% Yes, a prosecutorial agency (e.g., State AG, DOJ) Yes, an incident response agency (e.g., US-CERT) Don t know the answer Question 6: Which of the following percentage ranges best represents the estimated amount that litigation risk associated with cybersecurity issues influences your company s cybersecurity planning? 34% 23% 10% 6% 0% 0% - 20% 20% - 40% 40% - 60% 60% - 80% 80% - 100% *Don t know the answer - 27% 4 x Survey Results

Question 7: Does concern about regulatory enforcement actions or other adverse regulatory action impact your company s willingness to share incident information with the government? 14% 11% 27% 13% 4% 1 (no impact) 2 3 4 5 (significant impact) *Don t know the answer - 30% Question 8: Do you expect clear national standards to emerge in the next five years in the following areas (more than one answer could have been selected)? Data breach notification Security of personally identifiable information Investor disclosures 84% 54% 41% Cybersecurity of third-party service providers Liability protection for information sharing 34% 30% mayer brown 5

Question 9: Has your company developed a global strategy to meet the differing cybersecurity and data privacy legal requirements of the countries in which you operate? Yes 46% No, we handle compliance on an individual country basis 27% Not applicable 17% Don t know the answer 10% Question 10: Does your company have a separate cyber insurance policy? Yes, for liability 27% Yes, for remediation costs Yes, for penalties or fines 7% 0% No, but considering in the next 12 months 14% No, but might down the road No interest 14% 4% *Don t know the answer - 33% 6 x Survey Results

Question 11: Does your organization have a written data protection plan? If so, how was the plan prepared (more than one answer could have been selected)? 30% 30% 49% We retained an outside IT expert or outside counsel to assist in preparing the plan We consulted the PCI, NIST and or ISO standards in preparing the plan Don t know the answer Question 12: If your company suspected that a cyber-related incident had occurred, which two external entities on the following list do you believe your company would contact first? IT security company Consulting firm with cybersecurity advisory Law firm Insurance company Law enforcement (any level) 19% 21% 28% 7% 13% 4%? Some other external entity not listed here *Don t know the answer 8% mayer brown 7

About Mayer Brown Mayer Brown is a global legal services provider advising clients across the Americas, Asia and Europe. Our geographic strength means we can offer local market knowledge combined with global reach. We are noted for our commitment to client service and our ability to assist clients with their most complex and demanding legal and business challenges worldwide. We serve many of the world s largest companies, including a significant proportion of the Fortune 100, FTSE 100, DAX and Hang Seng Index companies and more than half of the world s largest banks. We provide legal services in areas such as banking and finance; corporate and securities; litigation and dispute resolution; antitrust and competition; US Supreme Court and appellate matters; employment and benefits; environmental; financial services regulatory and enforcement; government and global trade; intellectual property; real estate; tax; restructuring, bankruptcy and insolvency; and wealth management. Please visit www.mayerbrown.com for comprehensive contact information for all Mayer Brown offices. Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the Mayer Brown Practices ). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated legal practices in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. Mayer Brown Consulting (Singapore) Pte. Ltd and its subsidiary, which are affiliated with Mayer Brown, provide customs and trade advisory and consultancy services, not legal services. Mayer Brown and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions. 2015 The Mayer Brown Practices. All rights reserved. Attorney advertising

Americas Asia Europe www.mayerbrown.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information