Blank Rome LLP and Good Harbor Security Risk Management LLC have teamed up to provide a comprehensive solution for protecting your company’s property and reputation from the unprecedented cybersecurity challenges of today’s global digital economy. Our multidisciplinary team of leading cybersecurity and data privacy professionals advises clients on the potential consequences of cybersecurity threats and on how to implement comprehensive measures for mitigating cyber risk, prepares customized strategy and action plans, and provides ongoing support and maintenance to promote cybersecurity awareness.
Focused on corporate security solutions
BECAUSE CYBERSECURITY RISKS ARE ENTERPRISE RISKS.
Blank Rome LLP, a nationally recognized Am Law 100 firm, and Good Harbor Security Risk Management LLC, a cyber risk consulting firm led by renowned cyber and national security expert Richard A. Clarke, assist clients in combating the threat of cyber attacks. We offer a privileged attorney-client relationship through which companies can identify and manage their security risks, protect their digital assets, and respond quickly to cyber threats, while protecting those efforts from discovery or inadvertent public disclosure.
A cyber attack can create not only devastating financial losses for your company but also significant operational and reputational damage and costly lawsuits. Responsible cyber risk management requires a comprehensive strategy, backed by ongoing support, to navigate any potential crisis.
Experience That Matters
We provide the following services:
Advise the Board and senior management to identify the company’s cyber risks, determine its risk appetite, and establish a culture and processes that incorporate risk into decision-making.
Provide customized Threat Awareness Exercises designed to increase awareness among senior management of the cybersecurity challenges facing your company and industry segment.
Conduct a crisis simulation designed to expose key decision makers to the realities of a true cyber incident and to test the strength of your cybersecurity defenses while identifying areas needing improvement.
Prepare a tailored Strategic Action Plan (“SAP”) that enhances your organization’s ability to mitigate cyber risk, successfully manage a cyber incident, and quickly return to maximum operational effectiveness.
Conduct a NIST Cybersecurity Framework Assessment to benchmark NIST alignment, apply the five NIST Framework Core functions and develop actionable milestones to help companies achieve their NIST Target Maturity Profile.
Provide ongoing cybersecurity support and maintenance through a variety of service offerings scalable to fit the needs of all companies.
To learn more about how we may help you, please contact any member of our team listed on page 11.
The only source of knowledge is experience. —Albert Einstein
Elizabeth A. Sloan, Esq.  302.425.6472  [email protected]
Steven L. Caponi, Esq.  302.425.6408  [email protected]
Jacob Olcott  703.812.9199  [email protected]
Richard A. Clarke  703.812.9199  [email protected]
Emilian Papadopoulos  703.812.9199  [email protected]
BOARD OF DIRECTORS AND SENIOR MANAGEMENT CYBERSECURITY ASSESSMENT
Oversight of enterprise risks can be a challenge for many boards and senior management; yet it is one of the most important responsibilities of the Board and C-Suite. Cyber threats can quickly devastate an organization and its ability to carry out its core functions. This threat has left many corporate leaders asking how they can do a better job overseeing the management of their organization’s cyber risk exposure, and how they can improve board oversight to minimize the impact of a cyber incident.
We help senior leaders discharge their risk oversight role by ensuring that their organization’s cyber risk management policies and procedures are consistent with the company’s corporate strategy and risk appetite, and that these policies and procedures foster a culture of risk-adjusted decision-making. By conducting a thorough cybersecurity review for and with the C-Suite, we fully engage the board and senior management in the cyber risk mitigation process and assist them to:
Develop effective corporate governance structures, policies, and procedures, including the establishment of appropriate committees, for managing cybersecurity risks;
Identify the material cyber risks their company faces in a timely manner;
Implement appropriate cyber risk management strategies responsive to the company’s risk profile, business strategies, specific material risk exposures and risk tolerance thresholds;
Integrate consideration of cybersecurity risk management into business decision-making throughout the organization; and
Transmit necessary information with respect to material cyber risks and events to senior executives and, as appropriate, to the board or relevant committees.
Following our review, we will deliver a detailed report containing specific recommendations for how your organization can improve its enterprise risk management effectiveness to address current and emerging cyber threats.
Management is all about managing in the short term, while developing the plans for the long term. —Jack Welch
ONGOING SUPPORT AND MAINTENANCE
Yesterday’s solutions are just that—solutions to solve yesterday’s problems. But in today’s world, cybersecurity risks and threats are changing every day. Malicious actors and hackers constantly alter techniques to avoid defensive measures and overcome industry best practices. Additionally, new regulations, guidelines, and litigation will continue to shape the cybersecurity landscape and the obligations required of your company.
As today’s cyber threats evolve, your SAP, cyber defenses, and best practices must evolve with them. Keeping abreast of the changing cybersecurity environment and regularly updating your company’s SAP and protocols are essential to mitigating potential cyber threats. To assist with these critical tasks, we offer our clients a continuing relationship that keeps them informed of the cybersecurity landscape and supports their ongoing cybersecurity maintenance.
Understanding that each client has different needs, we provide various levels of maintenance and support.
Our basic level provides a critical foundation of ongoing maintenance and support, which includes a monthly bulletin containing articles authored by our cybersecurity professionals that examine recent and anticipated changes in the world of cybersecurity, including the current nature of the threat. The bulletin also summarizes recent litigation trends, case law, regulations, guidelines, proposed legislation, and other developments in the cybersecurity legal environment. This option also entitles your company to 5 hours per month of cybersecurity legal assistance from Blank Rome or cyber risk management assistance from Good Harbor, in the form of phone calls, requested research, or other support.
Building on the benefits detailed above, our next level of maintenance and support provides your company with an additional 5 hours per month (for a total of 10 hours per month) of Blank Rome legal assistance. We will also perform an annual risk assessment update and an annual Executive Cyber Crisis Simulation (ECCS) to test the adequacy of your current SAP.
In addition to the levels of cybersecurity support described above, we also offer supplemental services and benefits tailored to the individual needs of our clients. These supplemental services can include additional hours of support per month, periodic risk reviews, Executive Cyber Crisis Simulations, and updates to your SAP.
CYBER RISK MITIGATION EXERCISE
Threat Awareness Exercise
Our Threat Awareness Exercise is an interactive presentation conducted by a senior member of the Good Harbor team and cybersecurity attorneys from Blank Rome to increase awareness of the cybersecurity threats your company and industry segment are facing. Through a thought-provoking analysis with your senior executive team and other C-suite officers, we cover the following issues in the workshop session:
Targets: An overview of who is being targeted and why. We will discuss the need for every company to understand its own threats and risks as a key part of an effective and resourceful strategy.
Industry Threats: A discussion of the unique threats and risks facing your company and specific industry sector, including who is conducting the attacks, the purpose of the attacks, the type of data being targeted, and an analysis of recent attacks in your sector.
Legal Implications: A high-level overview of the laws, regulations, and best practices relevant to your industry sector. We will also cover directors’ and officers’ liability, fiduciary obligations, and governance changes to ensure successful implementation of cybersecurity policies across your organization.
Command and Control: A review of why the directors and officers in your company need to understand the current cybersecurity threat landscape in order to mitigate and manage potential risks. We will discuss the necessity of giving your technical security teams a proper level of support; of testing and adopting cybersecurity plans, protocols, and a post-breach response plan; and of implementing an internal reporting and review infrastructure to ensure compliance with the objectives articulated by management.
Following the Threat Awareness Exercise, our team will deliver a white paper outlining the overarching cyber risk exposure for your company and industry sector, core cybersecurity threats, key takeaways from the exercise, and perceptions of the current and specific cybersecurity threat environment, together with a report on sector-wide trends.
Executive Cyber Crisis Simulation
The Executive Cyber Crisis Simulation (“ECCS”) can either be a stand-alone service or used to test the effectiveness of your cybersecurity SAP. The ECCS is a realistic simulation of a cyber breach led by Richard A. Clarke, Chairman of Good Harbor and a renowned cybersecurity expert, and Blank Rome’s cybersecurity attorneys.
The ECCS tests the management team’s preparedness through a challenging, real-life scenario in a safe environment, with a focus on executives working collaboratively, uncovering capabilities and resources, and identifying areas for improvement in a constructive, low-risk setting. The ECCS is not designed to make individuals “pass or fail,” but rather to help the company improve its collective preparedness. To simulate a real-life cyber breach, the ECCS confronts your senior executives with a barrage of rapidly changing facts from a multitude of sources and forces them to consider what decisions they would make. Throughout the exercise, we explore the pros and cons of every critical decision, with the understanding that there are rarely any objectively “right or wrong” answers. For companies without an existing SAP, the simulation will demonstrate the need to adopt one before a real incident occurs. For companies with an existing SAP, the exercise will test the adequacy of your current SAP protocols and identify areas needing improvement. By conducting the ECCS under the supervision of legal counsel, you will have peace of mind in knowing that your self-assessment will remain privileged and confidential. Finally, our team will deliver an After Action Review memorandum with key findings, lessons learned, and recommendations from the exercise.
Before developing the simulation parameters, our team will gain an understanding of your organization, operations, and desired objectives to ensure that the exercise is realistic and aligned with your corporate priorities. Relying on this information, we will then design an interactive, engaging, multimedia ECCS that will help corporate leaders achieve the following key objectives:
Evaluate assumptions, capabilities, and the effectiveness of existing response planning.
Analyze cybersecurity measures to determine whether they comport with current laws, regulations, and contractual obligations.
Strengthen the awareness of senior leaders and crisis management teams regarding the need for response plans and the importance of crisis preparedness.
Consider whether the corporate fiduciaries have implemented the protocols, best practices, and information reporting structures necessary to minimize their personal liability.
Improve the ability of multiple teams from across the organization to communicate and work together quickly and effectively in a real crisis.
Following the ECCS, our team will hold a group debrief with the participants in an after-action review meeting, which will extract the key lessons learned and allow our team to identify and articulate specific action items.
Know your enemy and know yourself and you can fight a hundred battles without disaster.
The NIST Cybersecurity Framework Assessment
The NIST Cybersecurity Framework Assessment provides comprehensive services for companies seeking an independent assessment of their current cybersecurity practices, to assess alignment with the NIST Framework, identify gaps, and provide a tailored maturity rating for the company based on our unique methodology. We are also able to assist organizations that wish to conduct a self-assessment in the context of a NIST Framework risk management model. Under either assessment model, we help our clients determine their desired Target Maturity Profile and develop an action plan with improvement milestones and timelines to help the company achieve it. This independent NIST Cybersecurity Framework Assessment is a helpful tool for companies whose cybersecurity is being reviewed by customers, vendors, investors, insurance carriers, or other third parties.
The Framework Core
The heart of the NIST Cybersecurity Framework Assessment is the application of the Framework Core, which identifies a set of cybersecurity activities, desired outcomes, and applicable references that are common across your organization and industry sector. When applied correctly, the Core provides a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risks. We assist clients in achieving this objective by applying the five concurrent and continuous NIST Framework Core Functions to your organization. Working in tandem with your leadership team, we use the Core Functions to guide your cyber risk mitigation:
Identify: Catalogue the resources necessary to support critical functions within your organization.
Protect: Articulate specific protocols to ensure the delivery of critical functions.
Detect: Identify methods for detecting cybersecurity threats at an early stage to minimize harm to critical functions.
Respond: Adopt procedures for responding to a cybersecurity event.
Recover: Develop contingencies for critical functions to ensure operational resilience.
Cybersecurity Profile
Our cybersecurity team works with senior management in your company to develop a Current NIST Cybersecurity Profile (the “Current Profile”) in light of your current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. The Current Profile reflects the business and security objectives identified through application of the Framework Core. Following development of the Current Profile, we identify opportunities for improving your current cybersecurity posture (the “as-is” state) in order to achieve a Target Profile (the “to-be” state). This analysis reflects your business drivers and risk tolerance to determine the cost-effectiveness of the proposed improvements.
Comparing the Current Profile and Target Profile, we generate an individualized roadmap for reducing cybersecurity risk that is aligned with your organizational and sector goals. The customized roadmap, or “gap” analysis, also reflects your legal/regulatory requirements, industry best practices, and risk management priorities. Our risk-based approach is designed to assist organizations in gauging how best to deploy their resources (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective and prioritized manner.
The development of a NIST Current and Target Profile is a critical step in aligning standards, guidelines, and practices across the organization to achieve the desired state of cybersecurity preparedness.
NIST Alignment Report
Following the NIST Cybersecurity Framework Assessment, we will deliver a comprehensive NIST Alignment Report that is unique to your organization. The report will identify and prioritize specific policies, practices, and procedures for the implementation of a continuous and repeatable cybersecurity management program. In this context, the report will also: (1) describe your current cybersecurity posture; (2) describe a target state for cybersecurity; (3) assess progress toward your target state; and (4) recommend procedures for effectively communicating among internal and external stakeholders regarding cybersecurity risk. The NIST Alignment Report is intended to be a “living document,” which can and should be updated, individually or with our assistance, to reflect your organization’s business drivers and security considerations. While compliance with the Cybersecurity Framework is not yet mandatory, many in the business community have expressed their intent to support and adopt the Framework. Our NIST Alignment Report can be presented to business partners, government agencies, and insurance carriers as evidence of your organization’s serious consideration of the Framework’s recommendations and of its intent to reflect the Framework in an existing cybersecurity risk management process.
STRATEGIC ACTION PLAN
Preparation and advance planning separate those who succeed from those who fail in the face of a significant threat. In the world of cybersecurity, there is simply not enough time to consider your options after an attack or breach is detected. Consider the following:
Retail companies can expect to lose an average of $3.4 million in brand damage every hour their systems are offline. Depending on the industry and nature of the data breach, brand value can decline by as much as 17 percent to 31 percent.
Publicly traded companies may experience a drop in their share price after announcing a breach.
To the extent that third-party data is involved, costs for a breach may include liability for stolen assets, repairs to information systems, and remediation expenses to address stolen identities.
A cyber thief using an average cable modem can transfer nearly 100,000 documents per hour.
The magnitude and emergent nature of cybersecurity risks require the adoption of a SAP before an incident occurs. Can your company afford to wait the 5, 10, or 24 hours it would take to locate your senior executives, apprise them of the developing situation, and answer all of their questions before obtaining direction on how to respond to a cyber breach?
Understanding that each client has a unique profile and different needs, we offer two programs to help assess your company’s cyber risks and develop an effective SAP.
Success depends upon previous preparation and without such preparation there is sure to be failure.
OPTION 1: Cyber Risk Profile and Recommendations
Preparing a comprehensive SAP requires a candid assessment of your company’s cybersecurity risk profile (“Cyber Profile”). Your Cyber Profile is determined by considering the likelihood your company will suffer from a cyber attack, the potential severity of a breach, the sufficiency of your existing cybersecurity policies, and your company’s crisis response policies.
Every company will have a unique Cyber Profile, falling within a spectrum ranging from high- to low-risk. High-risk companies will be expected to implement more comprehensive defensive measures as compared to low-risk enterprises. A company in the critical infrastructure sector, or one with particularly sensitive intellectual property, would be considered high-risk; for them, it is not a question of if they will be attacked, but rather of when and how frequently. Additionally, an attack on companies in these sectors can cripple not only their internal operations, but also have a ripple effect across the economy at large. Given the stakes, companies with a high-risk Cyber Profile will be expected to adopt rigorous policy procedures and crisis management plans to address the threats they face.
Our comprehensive Cyber Profile will help senior executives in your company to understand their unique cyber risk exposure and to mitigate the impact of a significant cyber event. Working collaboratively with your executives, we will assess the essential elements of your company’s cyber risk status, cyber risk management strategy, corporate governance structure, policies and procedures, existing technologies, sector-specific risks, and crisis management protocols. We will then use our findings to identify significant gaps or areas needing improvement.
At the end of the assessment period, your company will receive an Executive Cyber Risk Profile Report. The report is a tailored analysis designed for C-suite executives that summarizes your company’s current state of cybersecurity, outlines key findings, and includes recommendations for strengthening cyber defenses in a way that balances security considerations with operational needs. Your company can then use the report to create, enhance, or implement your own SAP on a schedule that is consistent with your operational needs.
OPTION 2: Cyber Risk Profile and SAP Implementation
If your company is seeking greater assistance in addressing cyber risks, this option includes the aforementioned Cyber Profile and allows our cybersecurity team to build further on the insights gleaned from the report by testing your company’s cyber risk management programs against your material cyber risks. We will also perform a gap assessment and recommend specific changes in your company’s policies, programs, and technologies to help mitigate those material risks and identify significant gaps or areas needing improvement.
Following our review, we will deliver a report containing a detailed SAP that is unique to your company, as well as work with you to implement the SAP. Included in our final report, you will receive the following:
Crown Jewels and Worst-Case Scenarios Identification Report: Identification of your company’s most valuable assets and a forecast of worst-case scenarios to avoid, which are then weighted and mapped on a risk-tolerance scale and incorporated into the SAP.
Strategy Profile: Evaluation of whether your company’s strategy and governance systems adequately address not only internal considerations and direct external risks, but also third-party risks, including supply chain security and vendor risk management.
Final Policies and Procedures Recommendations: Presentation detailing our execution plan to implement your company’s SAP, as well as procedural recommendations to mitigate your most significant risks.
Technology Roadmap: Examination of the current state of your company’s technology and legal issues, and a proposal of their “future state” to effectively implement the new policies.
NIST CYBERSECURITY FRAMEWORK ORIENTATION AND WORKSHOPS
On February 19, 2014, the National Institute of Standards and Technology (“NIST”) released the long-awaited “Framework for Improving Critical Infrastructure Cybersecurity” (the “Cybersecurity Framework” or “Framework”). In part, the Cybersecurity Framework is intended to aid in the development of cybersecurity practices for managing cyber risks. Properly applied, the Cybersecurity Framework enables companies to create a blueprint for identifying potential threats, protecting themselves from cyber attacks, and quickly recovering if an attack occurs. At its core, the Cybersecurity Framework affirms the belief that cyber risks are enterprise risks that warrant the attention of C-suite executives.
Working with our clients, we use proven methods to apply the Cybersecurity Framework to develop the specific protocols essential to securing the processes, information, and systems directly involved in the delivery of your critical services. Our methodology includes overlaying the Cybersecurity Framework on top of current cybersecurity practices to determine gaps and to develop a detailed roadmap to improvement. We stand ready to draw on our extensive experience to help our clients navigate the complex features of the Framework, protect their core assets, minimize liability exposure, and reduce risk through our NIST Cybersecurity Framework services.
NIST Cybersecurity Framework Briefing
Through an interactive presentation, we work with our clients to explore and analyze the practical implications of the Cybersecurity Framework, including what it means for businesses, how it can be effectively applied, its purpose, and its objectives. Consisting of an orientation and a series of workshops (typically one to three), the NIST Cybersecurity Framework Briefing is designed to help executives achieve several key objectives:
Understand the Cybersecurity Framework and how it is used by leading companies to manage cyber risk;
Understand how the Cybersecurity Framework can help manage and mitigate a wide range of liability, policy, and cyber threats facing companies;
Facilitate the unification of company leaders (e.g., the CEO, CFO, CIO, CISO, General Counsel, and senior officers for human resources, communications, and key business lines) around cyber risk management policies in a NIST context; and
Make key decisions regarding whether and how to use the Cybersecurity Framework to manage cyber risks.
Following the Briefing, our team will deliver a white paper that summarizes the collaborative discussion, outlines the purpose and objectives of NIST Framework compliance, reviews how companies in your industry sector are implementing the Cybersecurity Framework, provides key “takeaways,” and recommends next steps for your organization.
By failing to prepare you are preparing to fail.
OPTION
1
: Cyber Risk Profile and Recommendations
Preparing a comprehensive SAP requires a candid assessment of your company’s cybersecurity risk profile (“Cyber Profile”). Your Cyber Profile is determined by considering the likelihood your company will suffer from a cyber attack, the potential severity of a breach, the sufficiency of your existing cybersecurity policies, and your company’s crisis response policies.
Every company will have a unique Cyber Profile, falling within a spectrum ranging from high- to low-risk. High-risk companies will be expected to implement more comprehensive defensive measures as compared to low-risk enterprises. A company in the critical infrastructure sector, or one with particularly sensitive intellectual property, would be considered high-risk; for them, it is not a question of if they will be attacked, but rather of when and how frequently. Additionally, an attack on companies in these sectors can cripple not only their internal operations, but also have a ripple effect across the economy at large. Given the stakes, companies with a high-risk Cyber Profile will be expected to adopt rigorous policy procedures and crisis management plans to address the threats they face.
Our comprehensive Cyber Profile will help senior executives in your company to understand their unique cyber risk exposure and to mitigate the impact of a significant cyber event. Working collaboratively with your executives, we will assess the essential elements of your company’s cyber risk status, cyber risk management strategy, corporate governance structure, policies and procedures, existing technologies, sector-specific risks, and crisis management protocols. We will then use our findings to identify significant gaps or areas needing improvement.
At the end of the assessment period, your company will receive an Executive Cyber Risk Profile Report. The report is a tailored analysis designed for C-suite executives that summarizes your company’s current state of cybersecurity, outlines key findings, and includes recommendations for strengthening cyber defenses in a way that balances security consider-ations with operational needs. Your company can then use the report to create, enhance, or implement your own SAP on a schedule that is consistent with your operational needs.
OPTION
2
: Cyber Risk Profile and SAP Implementation
If your company is seeking greater assistance in addressing cyber risks, this option includes the aforementioned Cyber Profile and allows our cybersecurity team to further build on the insights gleaned from the report by testing your com-pany’s cyber risk management programs against your material cyber risks. We will also perform a gap assessment and recommend specific changes in your company’s policies, programs, and technologies to help mitigate those material risks and identify significant gaps or areas needing improvement.
Following our review, we will deliver a report containing a detailed SAP that is unique to your company, as well as work with you to implement the SAP. Included in our final report, you will receive the following:
Crown Jewels and Worst-Case Scenarios Identification Report: Identification of your company’s most valuable assets and a forecast of worst-case scenarios to avoid, which are then weighted and mapped on a risk-tolerance scale and incorporated into the SAP.
Strategy Profile: Evaluation of whether your company’s strategy and governance systems adequately address not only internal considerations and direct external risks, but also third-party risks, including supply chain security and vendor risk management.
Final Policies and Procedures Recommendations: Presentation detailing our execution plan to implement your company’s SAP, as well as procedural recommendations to mitigate your most significant risks.
Technology Roadmap: Examination of the current state of your company’s technology and legal issues, and a proposal of their “future state” to effectively implement the new policies.
NIST CYBERSECURITY FRAMEWORK ORIENTATION AND WORKSHOPS
On February 19, 2014, the National Institute of Standards and Technology (“NIST”) released the long-awaited “Framework for Improving Critical Infrastructure Cybersecurity” (the “Cybersecurity Framework” or “Framework”) In part, the Cybersecurity Framework is intended to aid in the development of cybersecurity practices for managing cyber risks. Properly applied, the Cybersecurity Framework enables companies to create a blueprint for identifying potential threats, protecting themselves from cyber attacks, and quickly recovering if an attack occurs. At its core, the Cybersecurity Framework
affirms the belief that cyber risks are enterprise risks that warrant the attention of C-suite executives.
Working with our clients, we utilize proven methods to apply the Cybersecurity Framework to develop specific protocols essential to secure the processes, information, and systems directly involved in the delivery of your critical services. Our methodologies include overlaying the Cybersecurity Framework on top of current cyber security practices to determine gaps and to develop a detailed roadmap to improvement. We stand ready to provide our extensive experience to help our clients navigate the complex features of the Framework to help protect their core assets, minimize liability exposure, and reduce risks through our NIST Cybersecurity Framework services.
NIST Cybersecurity Framework Briefing
Through an interactive presentation, we work with our clients to explore and analyze the practical implications of the Cybersecurity Frame work, including what it means for businesses, how it can be effectively applied, its purpose, and its objectives. Consisting of an orientation and series of workshops (typically one to three), the NIST Cybersecurity Framework Briefing is designed to help executives achieve several key objectives:
Understand the Cybersecurity Framework and how it is used by leading companies to manage cyber risk;
Understand how the Cybersecurity Framework can help manage and mitigate a wide range of liability, policy, and cyber threats facing companies;
Facilitate the unification of company leaders (e.g., the CEO, CFO, CIO, CISO, General Counsel, and senior officers for human resources, communications, and key business lines) around cyber risk management policies in a NIST context; and
Make key decisions regarding whether and how to use the Cybersecurity Framework to manage cyber risks.
Following the Briefing, our team will deliver a white paper that summarizes the collaborative discussion, outlines the purpose and objectives of NIST compliance, reviews how companies in your industry sector are implementing the Cybersecurity Framework, provides key “takeaways,” and recommends next steps for your organization.
By failing to prepare you are preparing to fail.
Before developing the simulation parameters, our team will gain an understanding of your organization, operations, and desired objectives to ensure that the exercise is realistic and aligned with your corporate priorities. Relying on this information, we will then design an interactive, engaging, multimedia ECCS that will help corporate leaders achieve the following key objectives:
Evaluate assumptions, capabilities, and the effectiveness of existing response planning.
Analyze cybersecurity measures to determine whether they comport with current laws, regulations, and contractual obligations.
Strengthen the awareness of senior leaders and crisis management teams regarding the need for response plans and the importance of crisis preparedness.
Consider whether the corporate fiduciaries have implemented the protocols, best practices, and information reporting structures necessary to minimize their personal liability.
Improve the ability of multiple teams from across the organization to communicate and work together quickly and effectively in a real crisis.
Following the ECCS, our team will hold a group debrief with the participants in an after action review meeting, which will extract the key lessons learned and allow our team to identify and articulate specific action items.
STRATEGIC ACTION PLAN
Preparation and advanced planning separate those who succeed from those who fail in the face of a significant threat. In the world of cybersecurity, there is simply not enough time to consider your options after an attack or breach is detected. Consider the following:
Retail companies can expect to lose an average of $3.4 million in brand damage every hour their systems are offline. Depending on the industry and nature of the data breach, brand value can decline by as much as 17 percent to 31 percent.
Publicly traded companies may experience a drop in their share price after announcing a breach.
To the extent that third-party data is involved, costs for a breach may include liability for stolen assets, repairs to information systems, and remediation expenses to address stolen identities.
A cyber thief using the average cable modem can transfer approximately 15,000 documents per second or nearly 100,000 per hour.
The magnitude and emergent nature of cybersecurity risks require the adoption of a SAP before an incident occurs. Can your company afford to wait the 5, 10, or 24 hours it would take to locate your senior executives, apprise them of the developing situation, and answer all of their questions before obtaining direction on how to respond to a cyber breach?
Understanding that each client has a unique profile and different needs, we offer two programs to help assess your company’s cyber risks and develop an effective SAP.
The NIST Cybersecurity Framework Assessment
The NIST Cybersecurity Framework Assessment provides comprehensive services for companies seeking an independent assessment of their current cybersecurity practices to assess alignment with NIST, identify gaps, and provide a tailored maturity rating for the company based on our unique methodology. We are also able to assist organizations that wish to conduct a self-assessment in the context of a NIST Framework risk management model. Under either assessment model, we help our clients determine their desired Target Market Profile and develop an action plan with improvement milestones and timelines to help the company achieve its Target Maturity Profile. This independent NIST Cybersecurity Framework Assessment affords a helpful tool for companies whose cybersecurity is being reviewed by customers, vendors, investors, insurance carriers, or other third parties.
The Framework Core
The heart of the NIST Cybersecurity Framework Assessment is the application of the Framework Core, which is intended to identify a set of cybersecurity activities, desired outcomes, and applicable references that are common across your organization and industry sector. When applied correctly, the Core provides a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risks. We assist clients in achieving this objective through applying the five concurrent and continuous NIST Framework Core Functions to your organization. Working in tandem with your leadership team, we utilize the Core Functions to guide your cyber risk mitigation:
Identify: Catalogue the resources necessary to support critical functions within your organization.
Protect: Articulate specific protocols to ensure the delivery of critical functions.
Detect: Identify methods for detecting cybersecurity threats at the early stage to minimize harm to critical functions.
Respond: Adopt procedures for responding to a cybersecurity event.
Recover: Develop contingencies for critical functions to ensure operational resilience.
Success depends upon previous preparation, and without such preparation there is sure to be failure.
CYBER RISK MITIGATION EXERCISE
Threat Awareness Exercise
Our Threat Awareness Exercise is an interactive presentation conducted by a senior member of the Good Harbor team and cybersecurity attorneys from Blank Rome to increase awareness of the cybersecurity threats your company and industry segment are facing. Through a thought-provoking analysis with your senior executive team, as well as other C-suite officers, we will cover the following issues in the workshop session:
Targets: An overview of who is being targeted and why. We will discuss the need for every company to understand its own threats and risks as a key part of an effective and resourceful strategy.
Industry Threats: A discussion of the unique threats and risks facing your company and specific industry sector, including who is conducting the attacks, the purpose of the attacks, the type of data being targeted, and an analysis of recent attacks in your sector.
Legal Implications: A high-level overview of the laws, regulations, and best practices relevant to your industry sector. We will also cover directors’ and officers’ liability, fiduciary obligations, and governance changes to ensure successful implementation of cybersecurity policies across your organization.
Command and Control: A review of why the directors and officers in your company need to understand the current cybersecurity threat landscape in order to mitigate and manage any potential risks. We will discuss the necessity of giving your technical security teams a proper level of support; testing and adopting cybersecurity plans, protocols, and a post-breach response plan; and implementing an internal reporting and review infrastructure to ensure compliance with the objectives articulated by management.
Following the Threat Awareness Exercise, our team will deliver a white paper outlining the overarching cyber risk exposure for your company and industry sector, core cybersecurity threats, key takeaways from the exercise, and perceptions of the current and specific cybersecurity threat environment, as well as provide a report on sector-wide trends.
Executive Cyber Crisis Simulation
The Executive Cyber Crisis Simulation (“ECCS”) can either be a stand-alone service or used to test the effectiveness of your cybersecurity SAP. The ECCS is a realistic simulation of a cyber breach led by Richard A. Clarke, Chairman of Good Harbor and a renowned cybersecurity expert, and Blank Rome’s cybersecurity attorneys.
The ECCS tests the management team’s preparedness through a challenging, real-life scenario, but in a safe environment, with a focus on executives working collaboratively, uncovering capabilities and resources, and identifying areas for improvement in a constructive, low-risk environment. The ECCS is not designed to make individuals “pass or fail,” but rather to help the company improve its collective preparedness. To simulate a real-life cyber breach, the ECCS will confront your senior executives with a barrage of rapidly changing facts coming from a multitude of sources, and force them to consider what decisions they would make. Throughout the exercise, we will explore the pros and cons of every critical decision, with the understanding that there are rarely any objectively “right or wrong” answers. For companies without an existing SAP, the simulation will demonstrate the need for adopting one before a real incident occurs. For companies with an existing SAP, the exercise will test the adequacy of your current SAP protocols and identify areas needing improvement. By conducting the ECCS under the supervision of legal counsel, you will have peace of mind in knowing that your self-assessment will remain privileged and confidential. Finally, our team will deliver an After Action Review memorandum with key findings, lessons learned, and recommendations from the exercise.
Cybersecurity Profile
Our cybersecurity team works with senior management officials in your company to develop a Current NIST Cybersecurity Profile (the “Current Profile”) in light of your current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. The Current Profile reflects the business and security objectives identified through the application of the Framework Core. Following the development of a Current Profile, we identify opportunities for improving your current cybersecurity posture (the “as-is” state) in order to achieve a Target Profile (the “to-be” state). This analysis reflects your business drivers and risk tolerance to determine the cost-effectiveness of innovation.
Comparing the Current Profile and Target Profile, we generate an individualized roadmap for reducing cybersecurity risk that is aligned with your organizational and sector goals. The customized roadmap or “gap” analysis also reflects your legal/regulatory requirements, industry best practices, and risk management priorities. Our risk-based approach is designed to assist organizations in gauging how best to deploy their resources (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective and prioritized manner.
The development of a NIST Current and Target Profile is a critical step in aligning standards, guidelines, and practices across the organization to achieve the desired state of cybersecurity preparedness.
NIST Alignment Report
Following the NIST Cybersecurity Framework Assessment, we will deliver a comprehensive NIST Alignment Report that is unique to your organization. The report will identify and prioritize specific policies, practices, and procedures for the implementation of a continuous and repeatable cybersecurity management program. In this context, the report will also: (1) describe your current cybersecurity posture; (2) describe a target state for cybersecurity; (3) assess progress toward your target state; and (4) recommend procedures for effectively communicating among internal and external stakeholders regarding cybersecurity risk. The NIST Alignment Report is intended to be a “living document,” which can and should be updated—individually or with our assistance—to reflect your organization’s business drivers and security considerations. While compliance with the Cybersecurity Framework is not yet mandatory, many in the business community have expressed their intent to support and adopt the Framework. Our NIST Alignment Report can be presented to business partners, government agencies, and insurance carriers as evidence of your organization’s serious consideration of the Framework’s recommendations and intent to reflect the Framework in an existing cybersecurity risk management process.
Know your enemy and know yourself and you can fight a hundred battles without disaster.
BOARD OF DIRECTORS AND SENIOR MANAGEMENT CYBERSECURITY ASSESSMENT
Oversight of enterprise risks can be a challenge for many boards and senior management; yet, it is one of the most important responsibilities of the Board and C-Suite. Cyber threats can quickly devastate an organization and its ability to carry out its core functions. This threat has left many corporate leaders asking how they can do a better job overseeing the management of their organization’s cyber risk exposure, and how they can improve board oversight to minimize the impact of a cyber incident.
We help senior leaders to discharge their risk oversight role by ensuring their organization’s cyber risk management policies and procedures are consistent with the company’s corporate strategy and risk appetite, and that these policies and procedures foster a culture of risk-adjusted decision-making. By conducting a thorough cybersecurity review for and with the C-Suite, we fully engage the board and senior management in the cyber risk mitigation process and assist them to:
Develop effective corporate governance structures, policies, and procedures, including establishment of appropriate committees, for managing cybersecurity risks;
Identify the material cyber risks their company faces in a timely manner;
Implement appropriate cyber risk management strategies responsive to the company’s risk profile, business strategies, specific material risk exposures and risk tolerance thresholds;
Integrate consideration of cybersecurity risk management into business decision-making throughout the organization; and
Transmit necessary information with respect to material cyber risks and events to senior executives and, as appropriate, to the board or relevant committees.
Following our review, we will deliver a detailed report containing specific recommendations for how your organization can improve its enterprise risk management effectiveness to address current and emerging cyber threats.
Management is all about managing in the short term, while developing the plans for the long term.
—Jack Welch
ONGOING SUPPORT AND MAINTENANCE
Yesterday’s solutions are just that—solutions to solve yesterday’s problems. But in today’s world, cybersecurity risks and threats are changing every day. Malicious actors and hackers constantly alter techniques to avoid defensive measures and overcome industry best practices. Additionally, new regulations, guidelines, and litigation will continue to shape the cybersecurity landscape and the obligations required of your company.
As with the evolving nature of today’s growing cyber threat, your SAP, cyber defenses, and best practices must also continue to evolve. Keeping abreast of the changing cybersecurity environment and regularly updating your company’s SAP or protocols are essential to mitigating any potential cyber threats. To assist with these critical tasks, we provide our clients with a continuing relationship to help facilitate their awareness of the cybersecurity landscape and to help assist them with their ongoing cybersecurity maintenance.
Understanding that each client has different needs, we provide various levels of maintenance and support.
Our basic level provides a critical foundation of ongoing maintenance and support, which includes a monthly bulletin containing articles authored by our cybersecurity professionals that examine the recent and anticipated changes in the world of cybersecurity, including the current nature of the threat. Additionally, the bulletin will summarize recent litigation trends, case law, regulations, guidelines, proposed legislation, and other developments in the cybersecurity legal environment. This option also entitles your company to 5 hours per month of cybersecurity legal assistance from Blank Rome or cyber risk management assistance from Good Harbor, in the form of phone calls, requested research, or other legal support.
Building on the benefits detailed above, our next level of maintenance and support provides your company with an additional 5 hours per month (for a total of 10 hours per month) of Blank Rome legal assistance. We will also perform an annual risk assessment update and an annual ECCS to test the adequacy of your current SAP.
In addition to the aforementioned levels of cybersecurity support, we also offer supplemental services and benefits that are uniquely tailored to the individual needs of our clients. These supplemental services can consist of additional hours of support per month, periodic risk reviews, Executive Cyber Crisis Simulations, and updating your SAP.
Experience That Matters
We provide the following services:
Advise the Board and senior management to identify the company’s cyber risks, determine its risk appetite, and establish a culture and processes that incorporate risk into decision-making.
Provide customized Threat Awareness Exercises designed to increase awareness among senior management of the cybersecurity challenges facing your company and industry segment.
Conduct a crisis simulation designed to expose key decision makers to the realities of a true cyber incident and to test the strength of your cybersecurity defenses while identifying areas needing improvement.
Prepare a tailored Strategic Action Plan (“SAP”) that enhances your organization’s ability to mitigate cyber risk, successfully manage a cyber incident, and quickly return to maximum operational effectiveness.
Conduct a NIST Cybersecurity Framework Assessment to benchmark NIST alignment, apply the five NIST Framework Core functions and develop actionable milestones to help companies achieve their NIST Target Maturity Profile.
Provide ongoing cybersecurity support and maintenance through a variety of service offerings scalable to fit the needs of all companies.
To learn more about how we may help you, please contact any member of our team listed on page 11.
The only source of knowledge is experience.
—Albert Einstein
Elizabeth A. Sloan, Esq. 302.425.6472 [email protected]
Steven L. Caponi, Esq. 302.425.6408 [email protected]
Jacob Olcott 703.812.9199 [email protected]
Richard A. Clarke 703.812.9199 [email protected]
Emilian Papadopoulos 703.812.9199 [email protected]