Cybersecurity – Managing the Risks
Presented by: Steven L. Caponi, Jennifer Daniels, Gregory F. Linsin
@BlankRomeLLP #EmergingIssues8

Cybersecurity – The Risks Are Real
• Perpetrators are as varied as their goals
– Organized Crime: seeking money, credit card #s, personal info.
– Governments: infrastructure, banks, rail, energy transmission, etc.
– Espionage (govt./competitors): corporate plans and intellectual property
– Truly international
• Everyone is at Risk
– 1.1 billion records over last 9 years
– 200 substantial attacks per day
– 30% on companies with 1-250 employees
Cybersecurity – The Risks Are Real
• Impact of Cybercrime
– Global Cybercrime costs to companies may reach $1T in 2013
– U.S. businesses spending averages $8.9M annually
• Hard Cost of a Cyberattack
– Average loss was $5.5M
– Defending an attack averages $500,000 / TJX $12M
– Litigation – A single case resulted in settlements exceeding $100M
– Substantial government fines
• Soft Costs of a Cyberattack
– 5% drop in stock price for publicly traded companies
– 17% - 31% drop in brand value
Corporate Fiduciary Duties
Officers, Directors & Senior Management
• An affirmative obligation to manage and mitigate risk
• Response must be commensurate with the level of risk
• A breach will be noticed
– Litigation – shareholders & customers
– The government, both state and federal
• You will be judged in hindsight
– The risk will be deemed significant
  • Part of our popular culture - news, movies, TV.
Corporate Fiduciary Duties
Oversight Liability – Caremark Claim
• Duty to actively monitor corporate performance and risks
• Cannot abdicate this responsibility
– “It's complicated so we left it to the IT department”
• “Unconsidered Failure of the Board to Act”
– Breach of the duty of loyalty
– Not exculpated by a 102(b)(7)
– Equals personal liability
• No decision is worse than a bad decision
Corporate Fiduciary Duties
Exercising Reasonable Oversight
• Step 1: Understand your company’s risk profile
– How likely are you to be attacked vs. repercussions
• Step 2: Speak to your peers and experts
– How are they addressing the risk
– Reasonable person standard - safety in numbers
• Step 3: Adopt and Monitor Best Practices
– IT talent on the Board / Risk Committee
– Regular updates from management
Advanced Planning For An Attack
• Do you have the right response team?
– Combination of legal, IT / risk management, privacy, business, and PR
– Regular meetings before the incident occurs
– Speak a common language and know their respective roles
• Implement a firm chain of command
– Filtering concise information up to decision makers
– Clearly disseminating decisions down the chain of command
• Established Outside Relationships
– Outside counsel
– Technical advisors
– Government: SEC, Homeland Security, FBI, etc.
Advanced Planning For An Attack
• Vendor audits / Vendor Contracts
– Importance of security at all links in the chain
– Not just a “check the box” activity
– Consider vendor subcontractors
• Training
– Build a culture of awareness
• Review insurance coverage
• Participate in standard setting process
Do You Have Adequate Insurance?
• Coverage under commercial general liability policies
• Exclusions and limitations have been added
• Specialty cyber products vary significantly
• First party and third party risks
• Consider information in the care of third parties
• White House encouragement of formation of insurance market
Responding to an Incident
• Will you know a breach occurred?
– Internal scans or signs indicate breach
– Notification by ISP
– Employee report
– Government inquiry or notice
– Vendor notice
Responding to an Incident
• Look to your incident response plan / activate response team
• Stop additional data loss
– Contain attack
– Take affected machines offline
• Determine what happened
– What data were compromised?
– Should forensic experts be engaged?
– How did it happen?
• Allow the attack to continue?
– Need to observe the flow of data
Responding to an Incident
• Preserve evidence – do not power down
• Self-Help?
– Can you retrieve data?
– Hack back – legal?
– Don’t go from victim to perpetrator
• Decide whether to contact law enforcement
• Decide whether to engage outside counsel to run internal
Responding to an Incident
• Framework of Internal Investigation
– What is the purpose of the investigation?
  • Identify what happened?
  • Determine whether notification or disclosure is required
  • Respond to government?
– Should independent outside counsel be engaged?
  • Develop facts under protection of privilege
  • Independence – confidence in results
  • Is there a reasonable anticipation of litigation?
– Should counsel engage forensic experts?
Responding to an Incident
• Planning the Investigation:
– Determine corporate decision-maker for investigation
– Define scope and goals of investigation
  • Establish procedures for internal coordination – OGC, IT, HR
– Determine procedures for submitting interim findings and the final report
  • Should report be written or oral?
– Evaluate need to interview vendor employees
– Upjohn warnings
– Securing information and data
– Preserve privilege and maintain confidentiality
Responding to an Incident
• Manage media relations in conjunction with counsel
• Cooperation with government agencies and law enforcement
– State laws require notice to regulators of incidents, in some cases even if company determines no breach occurs.
– Whose side are regulators on?
– Federal government encourages sharing of information
– Responding to state AG inquiries
– Steps to avoid waiving privilege
Responding to an Incident
• Determine legal obligations
– Individual notice?
– Regulator notice?
– Media notice?
– Pay attention to timelines
• Identify contractual obligations
• Consider mitigation of harm
– Should individuals be notified in absence of legal obligation?
– Offer identity theft protection service?
Responding to an Incident
• Contact insurer
• Establish call center / public relations
• SEC disclosures
• Document everything
• Lessons learned