BECAUSE CYBERSECURITY RISKS ARE ENTERPRISE RISKS. www.blankrome.com/cybersecurity



Similar documents
Managing cyber risks with insurance

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

The NIST Cybersecurity Framework

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

Cybersecurity Awareness for Executives

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

FINRA Publishes its 2015 Report on Cybersecurity Practices

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

PROTIVITI FLASH REPORT

Managing Risk at Bank of America Corporation. Overview

Cybersecurity The role of Internal Audit

Why you should adopt the NIST Cybersecurity Framework

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Cybersecurity and internal audit. August 15, 2014

October 24, Mitigating Legal and Business Risks of Cyber Breaches

Cyber security Building confidence in your digital future

Cybersecurity y Managing g the Risks

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

Integrated Risk Management. Balancing Risk and Budget

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

Defending Against Data Beaches: Internal Controls for Cybersecurity

eet Business continuity and disaster recovery Enhancing enterprise resiliency for the power and utilities industry Power and Utilities Fact Sheet

The Legal Pitfalls of Failing to Develop Secure Cloud Services

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

Surviving Contact with Reality Crisis exercises as a key element of cyber incident and crisis management response.

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

The NIST Cybersecurity Framework Encouraging NIST Adoption Via Cost/Benefit Analysis

FFIEC Cybersecurity Assessment Tool

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED

istockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.

Business Continuity for Cyber Threat

All Eyes: A Security Breach Exercise. Disaster Recovery/Security and Business Continuity Readiness

Third Annual Study: Is Your Company Ready for a Big Data Breach?

Cybersecurity. Considerations for the audit committee

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS

Cyber Security From The Front Lines

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Navigating Cyber Risk Exposure and Insurance. Stephen Wares EMEA Cyber Risk Practice Leader Marsh

NIST Cybersecurity Framework & A Tale of Two Criticalities

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

CIP Supply Chain Risk Management (RM ) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016

Cyber security: everybody s imperative. A guide for the C-suite and boards on guarding against cyber risks

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions

How To Assess A Critical Service Provider

International Diploma in Risk Management Syllabus

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

POLICY. Number: Title: Enterprise Risk Management. Authorization

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

White Paper on Financial Institution Vendor Management

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Why you should adopt the NIST Cybersecurity Framework

PRIORITIZING CYBERSECURITY

Defining the Gap: The Cybersecurity Governance Study

Applying IBM Security solutions to the NIST Cybersecurity Framework

Cyber Security and the Board of Directors

Framework for Improving Critical Infrastructure Cybersecurity

MISSION VALUES. The guide has been printed by:

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cyber Security Evolved

Click to edit Master title style

CONSULTING IMAGE PLACEHOLDER

How To Write A Cybersecurity Framework

Where insights lead Cybersecurity and the role of internal audit: An urgent call to action

VENDOR MANAGEMENT. General Overview

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

NIST Cybersecurity Framework. ARC World Industry Forum 2014

Testimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

Mitigating and managing cyber risk: ten issues to consider

IT Insights. Managing Third Party Technology Risk

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Cybersecurity Framework: Current Status and Next Steps

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

SECURITY RISK MANAGEMENT

Transcription:

Working together, Blank Rome LLP and Good Harbor Security Risk Management LLC, haved teamed to provide a comprehensive solution for protecting your company s property and reputation from the unprecedented cybersecurity challenges present in today s global digital economy. Our multidisciplinary team of leading cybersecurity and data privacy professionals advises clients on the potential consequences of cybersecurity threats and how to implement comprehensive measures for mitigating cyber risks, prepare customized strategy and action plans, and provide ongoing support and maintenance to promote cybersecurity awareness. Focused on corporate security solutions BECAUSE CYBERSECURITY RISKS ARE ENTERPRISE RISKS. www.blankrome.com/cybersecurity

Blank Rome LLP, a nationally recognized Am Law 100 firm, and Good Harbor Security Risk Management LLC, a cyber risk consulting firm led by renowned cyber and national security expert Richard A. Clarke, assist our clients to combat the threat of cyber attacks. We can offer a privileged attorney-client relationship through which companies can identify and manage all of their security risks, protect their digital assets, and quickly respond to cyber threats while simultaneously protecting their efforts from discovery or inadvertent public disclosure. The only source of knowledge is experience. Albert Einstein A cyber attack can not only create devastating financial losses for your company, but also significant operational and reputational damages and costly lawsuits. Responsible cyber risk management requires a complex strategy of ongoing support to navigate any potential crises. Experience That Matters We provide the following services: Steven L. Caponi, Esq. 302.425.6408 Caponi@BlankRome.com Advise the Board and senior management to identify the company s cyber risks, determine its risk appetite, and establish a culture and processes that incorporate risk into decision-making. Elizabeth A. Sloan, Esq. 302.425.6472 Sloan@BlankRome.com Provide customized Threat Awareness Exercises designed to increase awareness among senior management of the cybersecurity challenges facing your company and industry segment. Conduct a crisis simulation designed to expose key decision makers to the realities of a true cyber incident and to test the strength of your cybersecurity defenses while identifying areas needing improvement. Prepare a tailored Strategic Action Plan ( SAP ) that enhances your organization s ability to mitigate cyber risk, successfully manage a cyber incident, and quickly return to maximum operational effectiveness. Conduct a NIST Cybersecurity Framework Assessment to benchmark NIST alignment, apply the five NIST Framework Core functions and develop actionable milestones to help companies achieve their NIST Target Maturity Profile. Provide ongoing cybersecurity support and maintenance through a variety of service offerings scalable to fit the needs of all companies. To learn more about how we may help you, please contact any member of our team listed on page 11. Richard A. Clarke 703.812.9199 RClarke@goodharbor.net Jacob Olcott 703.812.9199 Jacob.Olcott@goodharbor.net 11 2 CyberBro[Master]8.8.14.indd Emilian Papadopoulos 703.812.9199 Emilian@goodharbor.net

O N G O ING SUPPORT AN D M AINT ENA NC E Yesterday s solutions are just that solutions to solve yesterday s problems. But in today s world, cybersecurity risks and threats are changing every day. Malicious actors and hackers constantly alter techniques to avoid defensive measures and overcome industry best practices. Additionally, new regulations, guidelines, and litigation will continue to shape the cybersecurity landscape and the obligations required of your company. As with the evolving nature of today s growing cyber threat, your SAP, cyber defenses, and best practices must also continue to evolve. Keeping abreast of the changing cybersecurity environment and regularly updating your company s SAP or protocols are essential to mitigating any potential cyber threats. To assist with these critical tasks, we provide our clients with a continuing relationship to help facilitate their awareness of the cybersecurity landscape and to help assist them with their ongoing cybersecurity maintenance. BOA R D O F D IR E C TO R S A N D S E N IO R M A N AG E M E N T C Y BE R S E C U R ITY A S S E S S M E N T Oversight of enterprise risks can be a challenge for many boards and senior management; yet, it is one of the most important responsibilities of the Board and C-Suite. Cyber threats can quickly devastate an organization and its ability to carry out its core functions. This threat has left many corporate leaders asking how they can do a better job overseeing the management of their organization s cyber risk exposure, and how they can improve board oversight to minimize the impact of a cyber incident. Understanding that each client has different needs, we provide various levels of maintenance and support. Our basic level provides a critical foundation of ongoing maintenance and support, which includes a monthly bulletin containing articles authored by our cybersecurity professionals that examine the recent and anticipated changes in the world of cybersecurity, including the current nature of the threat. Additionally, the bulletin will summarize recent litigation trends, case law, regulations, guidelines, proposed legislation, and other developments in the cybersecurity legal environment. This option also entitles your company to 5 hours per month of cybersecurity legal assistance from Blank Rome or cyber risk management assistance from Good Harbor, in the form of phone calls, requested research, or other legal support. We help senior leaders to discharge their risk oversight role by ensuring their organization s cyber risk management policies and procedures are consistent with the company s corporate strategy and risk appetite, and that these policies and procedures foster a culture of risk-adjusted decision-making. By conducting a thorough cybersecurity review for and with the C-Suite, we fully engage the board and senior management in the cyber risk mitigation process and assist them to: Develop effective corporate governance structures, policies and procedures, including establishment of appropriate committees, for managing cybersecurity risks. Identify Building on the benefits detailed above, our next level of maintenance and support provides your company with an additional 5 hours per month (for a total of 10 hours per month) of Blank Rome legal assistance. We will also perform an annual risk assessment update and an annual ECCS to test the adequacy of your current SAP. the material cyber risks their company faces in a timely manner; Implement Management is all about managing in the short term, while developing the plans for the long term. In addition to the aforementioned levels of cybersecurity support, we also offer supplemental services and benefits that are uniquely tailored to the individual needs of our clients. These supplemental services can consist of additional hours of support per month, periodic risk reviews, Executive Cyber Crisis Simulations, and updating your SAP. appropriate cyber risk management strategies responsive to the company s risk profile, business strategies, specific material risk exposures and risk tolerance thresholds; Integrate consideration of cybersecurity risk management into business decision-making throughout the organization; and Transmit Jack Welch necessary information with respect to material cyber risks and events to senior executives and, as appropriate, to the board or relevant committees. Following our review, we will deliver a detailed report containing specific recommendations for how your organization can improve its enterprise risk management effectiveness to address current and emerging cyber threats. 10 3

CYBER RISK MITIGATION EXERCISE Threat Awareness Exercise Our Threat Awareness Exercise is an interactive presentation conducted by a senior member of the Good Harbor team and cybersecurity attorneys from Blank Rome to increase awareness of the cybersecurity threats your company and industry segment are facing. Through a thoughtprovoking analysis with your senior executive team, as well as other C-suite officers, we will cover the following issues in the workshop session: Know your enemy and know yourself and you can fight a hundred battles without disaster. Sun Tzu Targets: An overview of who is being targeted and why. We will discuss the need for every company to understand its own threats and risks as a key part of an effective and resourceful strategy. Industry Threats: A discussion of the unique threats and risks facing your company and specific industry sector, including who is conducting the attacks, the purpose of the attacks, the type of data being targeted, and an analysis of recent attacks in your sector. Legal Implications: A high-level overview of the laws, regulations, and best practices relevant to your industry sector. We will also cover directors and officers liability, fiduciary obligations, and governance changes to ensure successful implementation of cybersecurity policies across your organization. Command and Control: A review of why the directors and officers in your company need to understand the current cybersecurity threat landscape in order to mitigate and manage any potential risks. We will discuss the necessity of giving your technical security teams a proper level of support; test and adopt cybersecurity plans, protocols, and a post-breach response plan; and implement an internal reporting and review infrastructure to ensure compliance with the objectives articulated by management. Following the Threat Awareness Exercise, our team will deliver a white paper outlining the over-arching cyber risk exposure for your company and industry sector, core cybersecurity threats, key takeaways from the exercise, and perceptions of the current and specific cybersecurity threat environment, as well as provide a report on sector-wide trends. Executive Cyber Crisis Simulation The Executive Cyber Crisis Simulation ( ECCS ) can either be a stand-alone service or used to test the effectiveness of your cybersecurity SAP. The ECCS is a realistic simulation of a cyber breach led by Richard A. Clarke, Chairman of Good Harbor and a renowned cybersecurity expert, and Blank Rome s cybersecurity attorneys. The ECCS tests the management team s preparedness through a challenging, real-life scenario, but in a safe environment, with a focus on executives working collaboratively, uncovering capabilities and resources, and identifying areas for improvement in a constructive, low-risk environment. The ECCS is not designed to make individuals pass or fail, but rather to help the company improve its collective preparedness. To simulate a real life cyber breach, the ECCS will confront your senior executives with a barrage of rapidly changing facts coming from a multitude of sources, and force them to consider what decisions they would make. Throughout the exercise, we will explore the pros and cons of every critical decision, with the understanding that there are rarely any objectively right or wrong answers. For companies without an existing SAP, the simulation will demonstrate the need for adopting one before a real incident occurs. For companies with an existing SAP, the exercise will test the adequacy of your current SAP protocols and identify areas needing improvement. By conducting the ECCS under the supervision of legal counsel, you will have peace of mind in knowing that your self-assessment will remain privileged and confidential. Finally, our team will deliver an After Action Review memorandum with key findings, lessons learned, and recommendations from the exercise. 4

Before developing the simulation parameters, our team will gain an understanding of your organization, operations, and desired objectives to ensure that the exercise is realistic and aligned with your corporate priorities. Relying on this information, we will then design an interactive, engaging, multimedia ECCS that will help corporate leaders achieve the following key objectives: Evaluate assumptions, capabilities, and the effectiveness of existing response planning. Analyze cybersecurity measures to determine whether they comport with current laws, regulations, and contractual obligations. Strengthen the awareness of senior leaders and crisis management teams regarding the need for response plans and the importance of crisis preparedness. Consider whether the corporate fiduciaries have implemented the protocols, best practices, and information reporting structures necessary to minimize their personal liability. Improve the ability of multiple teams from across the organization to communicate and work together quickly and effectively in a real crisis. Following the ECCS, our team will hold a group debrief with the participants in an after action review meeting, which will extract the key lessons learned and allow our team to identify and articulate specific action items. STRATEGIC ACTION PLAN Preparation and advanced planning separate those who succeed from those who fail in the face of a significant threat. In the world of cybersecurity, there is simply not enough time to consider your options after an attack or breach is detected. Consider the following: Retail companies can expect to lose an average of $3.4 million in brand damage every hour their systems are offline. Depending on the industry and nature of the data breach, brand value can decline by as much as 17 percent to 31 percent. Success depends upon previous preparation and without such preparation there is sure to be failure. Confucius Publicly traded companies may experience a drop in their share price after announcing a breach. To the extent that third-party data is involved, costs for a breach may include liability for stolen assets, repairs to information systems, and remediation expenses to address stolen identities. A cyber thief using the average cable modem can transfer approximately 15,000 documents per second or nearly 100,000 per hour. The magnitude and emergent nature of cybersecurity risks requires the adoption of a SAP before an incident occurs. Can your company afford to wait the 5-, 10-, or 24-hours it would take to locate your senior executives, apprise them of the developing situation, and answer all of their questions before obtaining direction on how to respond to a cyber breach? Understanding that each client has a unique profile and different needs, we offer two programs to help assess your company s cyber risks and develop an effective SAP. 5

OPTION 1: Cyber Risk Profile and Recommendations Preparing a comprehensive SAP requires a candid assessment of your company s cybersecurity risk profile ( Cyber Profile ). Your Cyber Profile is determined by considering the likelihood your company will suffer from a cyber attack, the potential severity of a breach, the sufficiency of your existing cybersecurity policies, and your company s crisis response policies. Every company will have a unique Cyber Profile, falling within a spectrum ranging from high- to low-risk. High-risk companies will be expected to implement more comprehensive defensive measures as compared to low-risk enterprises. A company in the critical infrastructure sector, or one with particularly sensitive intellectual property, would be considered high-risk; for them, it is not a question of if they will be attacked, but rather of when and how frequently. Additionally, an attack on companies in these sectors can cripple not only their internal operations, but also have a ripple effect across the economy at large. Given the stakes, companies with a high-risk Cyber Profile will be expected to adopt rigorous policy procedures and crisis management plans to address the threats they face. Our comprehensive Cyber Profile will help senior executives in your company to understand their unique cyber risk exposure and to mitigate the impact of a significant cyber event. Working collaboratively with your executives, we will assess the essential elements of your company s cyber risk status, cyber risk management strategy, corporate governance structure, policies and procedures, existing technologies, sector-specific risks, and crisis management protocols. We will then use our findings to identify significant gaps or areas needing improvement. At the end of the assessment period, your company will receive an Executive Cyber Risk Profile Report. The report is a tailored analysis designed for C-suite executives that summarizes your company s current state of cybersecurity, outlines key findings, and includes recommendations for strengthening cyber defenses in a way that balances security considerations with operational needs. Your company can then use the report to create, enhance, or implement your own SAP on a schedule that is consistent with your operational needs. OPTION 2: Cyber Risk Profile and SAP Implementation If your company is seeking greater assistance in addressing cyber risks, this option includes the aforementioned Cyber Profile and allows our cybersecurity team to further build on the insights gleaned from the report by testing your company s cyber risk management programs against your material cyber risks. We will also perform a gap assessment and recommend specific changes in your company s policies, programs, and technologies to help mitigate those material risks and identify significant gaps or areas needing improvement. Following our review, we will deliver a report containing a detailed SAP that is unique to your company, as well as work with you to implement the SAP. Included in our final report, you will receive the following: Crown Jewels and Worst-Case Scenarios Identification Report: Identification of your company s most valuable assets and a forecast of worst-case scenarios to avoid, which are then weighted and mapped on a risktolerance scale and incorporated into the SAP. Strategy Profile: Evaluation of whether your company s strategy and governance systems adequately address not only internal considerations and direct external risks, but also third-party risks, including supply chain security and vendor risk management. Final Policies and Procedures Recommendations: Presentation detailing our execution plan to implement your company s SAP, as well as procedural recommendations to mitigate your most significant risks. Technology Roadmap: Examination of the current state of your company s technology and legal issues, and a proposal of their future state to effectively implement the new policies. 6

NIST CYBERSECURITY FRAMEWORK ORIENTATION AND WORKSHOPS On February 19, 2014, the National Institute of Standards and Technology ( NIST ) released the long-awaited Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework or Framework ) In part, the Cybersecurity Framework is intended to aid in the development of cybersecurity practices for managing cyber risks. Properly applied, the Cybersecurity Framework enables companies to create a blueprint for identifying potential threats, protecting themselves from cyber attacks, and quickly recovering if an attack occurs. At its core, the Cybersecurity Framework rk affirms the belief that cyber risks are enterprise risks that warrant the attention of C-suite executives. Working with our clients, we utilize proven methods to apply the Cybersecurity Framework to develop specific protocols essential to secure the processes, information, and systems directly involved in the delivery of your critical services. Our methodologies include overlaying the Cybersecurity Framework on top of current cyber security practices to determine gaps and to develop a detailed roadmap to improvement. We stand ready to provide our extensive experience to help our clients navigate the complex features of the Framework to help protect their core assets, minimize liability exposure, and reduce risks through our NIST Cybersecurity Framework services. NIST Cybersecurity Framework Briefing By failing to prepare you are preparing to fail. Benjamin Franklin Through an interactive presentation, we work with our clients to explore and analyze the practical implications of the Cybersecurity Frame work, including what it means for businesses, how it can be effectively applied, its purpose, and its objectives. Consisting of an orientation and series of workshops (typically one to three), the NIST Cybersecurity Framework Briefing is designed to help executives achieve several key objectives: Understand the Cybersecurity Framework and how it is used by leading companies to manage cyber risk; Understand how the Cybersecurity Framework can help manage and mitigate a wide range of liability, policy, and cyber threats facing companies; Facilitate the unification of company leaders (e.g., the CEO, CFO, CIO, CISO, General Counsel, and senior officers for human resources, communications, and key business lines) around cyber risk management policies in a NIST context; and Make key decisions regarding whether and how to use the Cybersecurity Framework to manage cyber risks. Following the Briefing, our team will deliver a white paper that summarizes the collaborative discussion, outlines the purpose and objectives of the NIST compliance, reviews how companies in your industry sector are implementing the Cybersecurity Framework, provides key takeaways and recommends next steps for your organization. 7

The NIST Cybersecurity Framework Assessment The NIST Cybersecurity Framework Assessment provides comprehensive services for companies seeking an independent assessment of their current cybersecurity practices to assess alignment with NIST, identify gaps and provide a tailored maturity rating for the company based on our unique methodology. We are also able to assist organizations who wish to conduct a self-assessment in the context of a NIST Framework risk management model. Under either assessment model, we help our clients determine their desired Target Market Profile and develop an action plan with improvement milestones and timelines to help the company achieve its Target Maturity Profile. This independent NIST Cybersecurity Framework Assessment affords a helpful tool for companies whose cybersecurity is being reviewed by customers, vendors, investors, insurance carriers, or other third parties. The Framework Core The heart of the NIST Cybersecurity Framework Assessment is the application of the Framework Core, which is intended to identify a set of cybersecurity activities, desired outcomes, and applicable references that are common across your organization and industry sector. When applied correctly, the Core provides a high-level, strategic view of the lifecycle of an organization s management of cybersecurity risks. We assist clients in achieving this objective through applying the five concurrent and continuous NIST Framework Core Functions to your organization. Working in tandem with your leadership team, we utilize the Core Functions to guide your cyber risk mitigation: Identify: Catalogue the resources necessary to support critical functions within your organization. Protect: Articulate specific protocols to ensure the delivery of critical functions. Detect: Identify methods for detecting cybersecurity threats at the early stage to minimize harm to critical functions. Respond: Adopt procedures for responding to a cybersecurity event. Recover: Develop contingencies for critical functions to ensure operational resilience. 8

Cybersecurity Profile Our cybersecurity team works with senior management officials in your company to develop a Current NIST Cybersecurity Profile (the Current Profile ) in light of your current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. The Current Profile reflects the business and security objectives identified through the application of the Framework Core. Following the development of a Current Profile, we identify opportunities for improving your current cybersecurity posture (the as-is state ) in order to achieve a Target Profile (the to be state). This analysis reflects your business drivers and risk tolerance to determine the cost-effectiveness of innovation. Comparing the Current Profile and Target Profile, we generate an individualized roadmap for reducing cybersecurity risk that is aligned with your organizational and sector goals. The customized roadmap or gap analysis also reflects your legal/regulatory requirements, industry best practices, and risk management priorities. Our risk-based approach is designed to assist organizations in gauging how best to deploy their resources (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective and prioritized manner. The development of a NIST Current and Target Profile is a critical step in aligning standards, guidelines, and practices across the organization to achieve the desired state of cybersecurity preparedness. NIST Alignment Report Following the NIST Cybersecurity Framework Assessment, we will deliver a comprehensive NIST Alignment Report that is unique to your organization. The report will identify and prioritize specific policies practices and procedures for the implementation of a continuous and repeatable cybersecurity management program. In this context, the report will also: (1) describe your current cybersecurity posture; (2) describe a target state for cybersecurity; (3) assess progress toward your target state; and (4) recommend procedures for effectively communicating among internal and external stakeholders regarding cybersecurity risk. The NIST Alignment Report is intended to be a living document, which can and should be updated individually or with our assistance to reflect your organization s business drivers and security considerations. While compliance with the Cybersecurity Framework is not yet mandatory, many in the business community have expressed their intent to support and adopt the Framework. Our NIST Alignment Report can be presented to business partners, government agencies, and insurance carriers as evidence of your organization s serious consideration of the Framework s recommendations and intent to reflect the Framework in an existing cybersecurity risk management process. 9

O N G O ING SUPPORT AN D M AINT ENA NC E Yesterday s solutions are just that solutions to solve yesterday s problems. But in today s world, cybersecurity risks and threats are changing every day. Malicious actors and hackers constantly alter techniques to avoid defensive measures and overcome industry best practices. Additionally, new regulations, guidelines, and litigation will continue to shape the cybersecurity landscape and the obligations required of your company. As with the evolving nature of today s growing cyber threat, your SAP, cyber defenses, and best practices must also continue to evolve. Keeping abreast of the changing cybersecurity environment and regularly updating your company s SAP or protocols are essential to mitigating any potential cyber threats. To assist with these critical tasks, we provide our clients with a continuing relationship to help facilitate their awareness of the cybersecurity landscape and to help assist them with their ongoing cybersecurity maintenance. BOA R D O F D IR E C TO R S A N D S E N IO R M A N AG E M E N T C Y BE R S E C U R ITY A S S E S S M E N T Oversight of enterprise risks can be a challenge for many boards and senior management; yet, it is one of the most important responsibilities of the Board and C-Suite. Cyber threats can quickly devastate an organization and its ability to carry out its core functions. This threat has left many corporate leaders asking how they can do a better job overseeing the management of their organization s cyber risk exposure, and how they can improve board oversight to minimize the impact of a cyber incident. Understanding that each client has different needs, we provide various levels of maintenance and support. Our basic level provides a critical foundation of ongoing maintenance and support, which includes a monthly bulletin containing articles authored by our cybersecurity professionals that examine the recent and anticipated changes in the world of cybersecurity, including the current nature of the threat. Additionally, the bulletin will summarize recent litigation trends, case law, regulations, guidelines, proposed legislation, and other developments in the cybersecurity legal environment. This option also entitles your company to 5 hours per month of cybersecurity legal assistance from Blank Rome or cyber risk management assistance from Good Harbor, in the form of phone calls, requested research, or other legal support. We help senior leaders to discharge their risk oversight role by ensuring their organization s cyber risk management policies and procedures are consistent with the company s corporate strategy and risk appetite, and that these policies and procedures foster a culture of risk-adjusted decision-making. By conducting a thorough cybersecurity review for and with the C-Suite, we fully engage the board and senior management in the cyber risk mitigation process and assist them to: Develop effective corporate governance structures, policies and procedures, including establishment of appropriate committees, for managing cybersecurity risks. Identify Building on the benefits detailed above, our next level of maintenance and support provides your company with an additional 5 hours per month (for a total of 10 hours per month) of Blank Rome legal assistance. We will also perform an annual risk assessment update and an annual ECCS to test the adequacy of your current SAP. the material cyber risks their company faces in a timely manner; Implement Management is all about managing in the short term, while developing the plans for the long term. In addition to the aforementioned levels of cybersecurity support, we also offer supplemental services and benefits that are uniquely tailored to the individual needs of our clients. These supplemental services can consist of additional hours of support per month, periodic risk reviews, Executive Cyber Crisis Simulations, and updating your SAP. appropriate cyber risk management strategies responsive to the company s risk profile, business strategies, specific material risk exposures and risk tolerance thresholds; Integrate consideration of cybersecurity risk management into business decision-making throughout the organization; and Transmit Jack Welch necessary information with respect to material cyber risks and events to senior executives and, as appropriate, to the board or relevant committees. Following our review, we will deliver a detailed report containing specific recommendations for how your organization can improve its enterprise risk management effectiveness to address current and emerging cyber threats. 10 3

Blank Rome LLP, a nationally recognized Am Law 100 firm, and Good Harbor Security Risk Management LLC, a cyber risk consulting firm led by renowned cyber and national security expert Richard A. Clarke, assist our clients to combat the threat of cyber attacks. We can offer a privileged attorney-client relationship through which companies can identify and manage all of their security risks, protect their digital assets, and quickly respond to cyber threats while simultaneously protecting their efforts from discovery or inadvertent public disclosure. The only source of knowledge is experience. Albert Einstein A cyber attack can not only create devastating financial losses for your company, but also significant operational and reputational damages and costly lawsuits. Responsible cyber risk management requires a complex strategy of ongoing support to navigate any potential crises. Experience That Matters We provide the following services: Steven L. Caponi, Esq. 302.425.6408 Caponi@BlankRome.com Advise the Board and senior management to identify the company s cyber risks, determine its risk appetite, and establish a culture and processes that incorporate risk into decision-making. Elizabeth A. Sloan, Esq. 302.425.6472 Sloan@BlankRome.com Provide customized Threat Awareness Exercises designed to increase awareness among senior management of the cybersecurity challenges facing your company and industry segment. Conduct a crisis simulation designed to expose key decision makers to the realities of a true cyber incident and to test the strength of your cybersecurity defenses while identifying areas needing improvement. Prepare a tailored Strategic Action Plan ( SAP ) that enhances your organization s ability to mitigate cyber risk, successfully manage a cyber incident, and quickly return to maximum operational effectiveness. Conduct a NIST Cybersecurity Framework Assessment to benchmark NIST alignment, apply the five NIST Framework Core functions and develop actionable milestones to help companies achieve their NIST Target Maturity Profile. Provide ongoing cybersecurity support and maintenance through a variety of service offerings scalable to fit the needs of all companies. To learn more about how we may help you, please contact any member of our team listed on page 11. Richard A. Clarke 703.812.9199 RClarke@goodharbor.net Jacob Olcott 703.812.9199 Jacob.Olcott@goodharbor.net 11 2 CyberBro[Master]8.8.14.indd Emilian Papadopoulos 703.812.9199 Emilian@goodharbor.net

Working together, Blank Rome LLP and Good Harbor Security Risk Management LLC, haved teamed to provide a comprehensive solution for protecting your company s property and reputation from the unprecedented cybersecurity challenges present in today s global digital economy. Our multidisciplinary team of leading cybersecurity and data privacy professionals advises clients on the potential consequences of cybersecurity threats and how to implement comprehensive measures for mitigating cyber risks, prepare customized strategy and action plans, and provide ongoing support and maintenance to promote cybersecurity awareness. Focused on corporate security solutions BECAUSE CYBERSECURITY RISKS ARE ENTERPRISE RISKS. www.blankrome.com/cybersecurity

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information