MANAGING CYBERSECURITY RISK AND DISCLOSURE OBLIGATIONS

RR Donnelley SEC Hot Topics Institute, May 21, 2014

Presenters:
- Patrick J. Schultheis, Partner, Wilson Sonsini Goodrich & Rosati (Seattle)
- James D. Evans, Partner, Fenwick & West (Seattle / Mountain View)
- Lauren Neiswinder, General Counsel, Blue Nile (Seattle)
- Jeff Christianson, Executive VP and General Counsel (2006-2013), F5 Networks (Seattle)

Introduction
- Cybersecurity: a perfect storm
- Disclosure obligations related to cybersecurity risks and incidents
- Corporate governance and enterprise risk management considerations
- The role of legal counsel in cybersecurity risk management

Cybersecurity and Cyber Attacks
Cybersecurity is the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.
Most common cyber attacks:
- Installation of viruses or malware on computer systems
- Theft of private or confidential information
- Disruption or denial-of-service attacks
- Unauthorized access to computer systems
- Inappropriate use of computer systems by employees
Why focus on cybersecurity: the financial, operational and reputational risks for the enterprise are potentially huge.

Cybersecurity: A Perfect Storm?
- Growth of internet access and speeds
- Explosion of digital data, stored on multiple devices and in multiple locations
- Cloud computing / outsourcing
- Mobility / BYOD
- Social media
- Sophistication of bad actors
  - Rise of entrepreneurial bad actors
  - Geopolitical motivations: DOJ indictment of Chinese hackers
- Stricter data security and privacy laws
- Recent cyber incidents: the Target breach, the Heartbleed bug in OpenSSL
- Evolving best practices for cybersecurity: see the NIST Framework for Improving Critical Infrastructure Cybersecurity, published in February 2014
- Board-level attention and scrutiny

Symantec 2014 Internet Security Threat Report
- 91% increase in targeted attack campaigns in 2013
- 62% increase in the number of breaches in 2013
- Over 552 million identities exposed via breaches in 2013, an increase of 493% over 2012
- 23 zero-day vulnerabilities discovered, an increase of 64%
- 38% of mobile users experienced mobile cybercrime in the past 12 months
- Spam volume dropped to 66% of all email traffic
- 1 in 392 emails contained a phishing attack
- 1 in 196 emails contained malware
- Web-based attacks up 23%
- 1 in 8 legitimate websites had a critical vulnerability
- Small businesses: 1 in 5.2 chance of being attacked; large companies: 1 in 2.3 chance of being attacked

Cyber Risk and Cyber Incident Disclosures: SEC Guidance
CF Disclosure Guidance: Topic No. 2, Cybersecurity (SEC Division of Corporation Finance, October 2011)
- Provides guidance on potential current and periodic reporting obligations related to cybersecurity risks and cyber incidents
- Does not require disclosure that itself could compromise a company's cybersecurity
- Material information regarding cybersecurity risks and cyber incidents must be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading
From the Guidance: "While registrants should provide disclosure tailored to their particular circumstances and avoid generic boilerplate disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant's cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence."

SEC Guidance: Specific Disclosure Obligations
Disclosure items that may require a discussion of cybersecurity risks and cyber incidents:
- Risk Factors
- Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A)
- Description of Business
- Legal Proceedings
- Financial statement disclosures
- Disclosure Controls and Procedures
- Effective shelf registrations
Materiality considerations: see the discussion at the SEC's Cybersecurity Roundtable (March 26, 2014), www.sec.gov/spotlight/cybersecurity-roundtable.shtml

Additional Disclosure After a Cyber Incident
Sample SEC staff comment: "It appears that you may have experienced one or more security breaches or cyber attacks that did not result in a material adverse effect on your operations. If true, beginning with your next periodic filing, please simply state this fact so investors are aware that you are currently experiencing these cyber risks."
Accounting and financial statement considerations:
- Proper accounting for any customer retention incentives
- Potential loss contingency disclosure
- Potential diminished future cash flows and potential asset impairment
- Impact of the cyber incident on estimates of warranty liability, product returns, software costs, inventory, litigation and deferred revenue
- Timing of the event may require disclosure of a subsequent event

Other Disclosure Considerations
- A patchwork of state and federal laws and regulatory obligations
- Potential breach notice requirements under state law: 46 states (plus D.C. and Puerto Rico) have breach notice laws
- Sample of existing supervisory bodies:
  - Federal Bureau of Investigation
  - Department of Defense
  - Department of Homeland Security
  - Department of the Treasury and the Federal Financial Institutions Examination Council
  - Federal Energy Regulatory Commission
  - Federal Communications Commission
- External and internal corporate communications

Corporate Governance and Enterprise Risk Management Considerations
- Risk oversight by the board of directors
- Important to right-size cybersecurity risk for the Board
- The Board is still protected by the business judgment rule
- The Board should have a high-level understanding of the company's cyber risks, the management of those risks, and the company's cyber incident response plan
- Delegate responsibility for cybersecurity to the appropriate Board committee

Corporate Governance and Enterprise Risk Management Considerations (continued)
- Incorporate cybersecurity into the company's enterprise risk management program
- Give the Board reasonable access to the IT security team and any outside network security consultants
- Report to the Board on other risk mitigation programs:
  - Cyber-risk insurance
  - Network security infrastructure
  - Internal IT security training programs
  - Results of threat assessments
- Report to the Board on the crisis management plan

Role of Legal Counsel in Cybersecurity Risk Management
- Cybersecurity is a natural extension of the General Counsel's responsibilities to protect and secure the company's intellectual property and other technology, and to adequately assess, minimize and mitigate risk
- Promote universal awareness of cybersecurity risks throughout the company
- Consult with the IT department on the need for a vulnerability or threat assessment
- Contribute to the development of an effective incident response plan

Role of Legal Counsel in Cybersecurity Risk Management (continued)
- Manage the response to a cyber attack
- Manage internal and external cybersecurity-related communications
- Manage cybersecurity-related third-party and transactional risk
- Monitor cybersecurity-related regulatory, compliance and public policy issues, including security breach notification requirements
- Consult on the potential need for cyber-risk insurance

Operational Considerations
- Determine the need for network vulnerability or threat assessments
- Comply with any state information security regulations
- Review network security policies
- Implement best practices for risk management: NIST has issued the Framework for Improving Critical Infrastructure Cybersecurity (http://www.nist.gov/cyberframework/upload/cybersecurityframework-021214.pdf), which may become the de facto best practice standard for enterprise cybersecurity

Develop a Crisis Management Plan
- Identify, classify and quantify cyber risk
- Identify outside forensic IT consultants
- Review internal/external communications policies
- Establish a cross-functional incident response team (IT, legal, corporate communications, compliance, finance, HR)
- Company-wide training on network security policies and procedures
- Anticipate common cyber attack scenarios and develop appropriate preventive and response plans
- Consider running a mock incident scenario

Issues During Cyber Incident Response
- Engage counsel and third-party IT forensic and PR experts
- Maintain and monitor privilege
- Coordinate with other affected or necessary internal resources
- Educate the board of directors and senior management
- Document and data retention
- Determine disclosure needs and monitor media plans
- Coordinate with law enforcement and other regulators

Appendices

"If more than 75 percent of the value of a company is in information assets, why do firms focus on ancient risks, like product defects?"
Kevin Kalinich, Global Practice Leader, Cyber Insurance, Aon Risk Solutions

Is Cyber Insurance Right for Your Company?
Why cyber insurance, as opposed to relying on standard property and general liability (GL) policies?
- Covers third-party liability for breaches of third parties' data or networks
- Property insurance would cover the physical computers but not (or only in a very limited fashion) the data they contain
- Can cover the cost of recreating corrupted or lost data from scratch, and of restoring networks to pre-outage condition
- Covers liability for information security failures (PHI, PII, corporate secrets, etc.)
- Can cover employee acts of theft or corruption of data
- Can cover media perils generally excluded from GL or property policies, such as slander, libel, and infringement of copyright, trademark, slogan or trade dress
- Covers the costs of notifying consumers and offering credit monitoring and ID theft monitoring
- Covers costs associated with regulatory investigations, and fines and penalties assessed in them
- Can cover fines assessed for PCI non-compliance

Is Cyber Insurance Right for Your Company? (continued)
- Willis FINEX estimates that 40-50% of publicly traded companies with a significant privacy risk have purchased cyber insurance
- Ponemon Institute study on cyber insurance (www.ponemon.org, www.experian.com):
  - Average financial impact of a cyber breach incident: $9.4 million
  - Average cost of a data breach: $188 per lost or stolen record
- Costs generally $5,000 - $35,000 per $1 million of coverage
  - Small companies: deductibles of $100,000-$250,000, premiums of $5,000 to $15,000 per $1 million of coverage, limits up to $10 million
  - Larger companies: deductibles and retentions of $1 million to $5 million, premiums of $20,000 to $50,000 per $1 million of coverage, limits of $200 million to $300 million
- Policies are customizable

Is Cyber Insurance Right for Your Company? Be Prepared for the Underwriting Process
- Harden your network
- Update IT security and data-breach prevention policies and procedures
- Update the incident response plan
- Understand your unique cyber risks, if any
- Understand and audit your third-party exposures (vendors, suppliers, cloud providers, off-site hosting services, etc.)
- Know the gaps in your current property and GL policies
- Review third-party and customer contracts for the allocation of cybersecurity risk
- Review the insurer's pre-approved defense counsel and authorized vendor lists
- Retain experienced advisors

Cyber Insurance Coverage Issues
- Make sure the policy covers both third-party claims and first-party losses
- Understand your existing coverages (e.g. business interruption) and buy what you need
- Watch for sublimits on crisis management expenses, notification costs and regulatory investigation costs
- Get retroactive coverage, so that an intrusion that began before the policy's inception date but is discovered during the policy period is still covered
- Beware of broad exclusions (e.g. an exclusion for losses involving unencrypted devices)
- Do you need coverage for acts and omissions by third parties (e.g. outsourced data processing, or cloud storage and application vendors)?

Cyber Insurance Coverage Issues (continued)
- Reconcile cyber insurance with contractual indemnity rights
- Coverage for data restoration costs
- Allocation of defense costs
- Request a partial subrogation waiver
- Does the insurer offer risk management services?
- Are there pre-approved defense counsel, etc.?
- Does the policy require the insurer's prior consent to incur claims-related expenses?