bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London
Cybersecurity
Shamoil T. Shipchandler
Partner, Bracewell & Giuliani LLP
214.758.1048
• Are you susceptible to a data breach?
Setting expectations
October 7, 2014
Victim Perpetrator
Setting expectations
It’s only a matter of time
October 28, 2014
It’s only a matter of time
CyberEspionage
CyberActivism
Cyber Crime
Breach trends
[Timeline graphic, 2005 to Today, labeled with the following sectors]
Retail (B&M and ecommerce)
Financial Institutions
Healthcare
Higher Education
Governmental Entities
Defense and Aerospace
Technology
All employers
Energy/Utilities
Emerging risks
June 27, 2012
October 16, 2014
It’s only a matter of time
Breach Types – 2007 through 2013 (4215 breaches)
[Pie chart. Categories: Insider theft; Hacking; Accidental exposure or negligence; Subcontractor. Percentages shown: 17%, 27%, 42%, 14%.]
Re-setting expectations
Target Corp.’s cost so far: $236 million and more than 100 lawsuits
Average cost to respond to a data breach? $5.4 million ($201 per record)
Analyst: Cost will exceed $1 billion
October 15, 2014
Part I: Cybersecurity and data breach law*
*The least entertaining part of the presentation.
Cybersecurity and data breach law
• The FTC, SEC, FCC, and NY
• Other federal statutes
• States
The FTC
• “The FTC conducts its data security investigations to determine whether a company’s data security measures are reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities. The Commission’s 50 settlements with businesses that it charged with failing to provide reasonable protections for consumers’ personal information have halted harmful data security practices; required companies to accord strong protections for consumer data; and raised awareness about the risks to data, the need for reasonable and appropriate security, and the types of security failures that raise concerns.”
— Edith Ramirez, FTC Chairwoman, Congressional testimony (April 2, 2014)
The FTC
• Example: What did TJX do wrong?
• Failed to implement measures to limit wireless access to its stores, allowing a hacker to connect wirelessly to its networks without authorization
• Did not require administrators to use strong passwords
• Failed to use a firewall or otherwise limit access to the internet on networks processing cardholder data
• Lacked procedures to detect and prevent unauthorized access, such as by updating antivirus software and responding to security warnings and intrusion alerts
The SEC
• “Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities. In addition to the threat of significant business disruptions, substantial response costs, negative publicity, and lasting reputational harm, there is also the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats. Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
— Luis Aguilar, SEC Commissioner, speech given at NYSE on June 10, 2014
The SEC
An SEC comment:
“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the ‘certain other coverage’ that may reduce your exposure to Data Breach losses.” (Target Form 10-K, March 2014)
The SEC
Another SEC comment:
“Please expand your risk factor disclosure to describe the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary. If you have experienced any cyber attacks in the past, please state that fact in any additional risk factor disclosure in order to provide the proper context. Please refer to the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm for additional information.” (Hilton Worldwide Holdings, Inc. S-1, October 2013)
The SEC
One more SEC comment:
“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.” (Alion Science and Technology Corp. S-1 filing, March 2014)
The FCC
• After levying a $10 million fine against two telecom companies for storing personally identifiable customer data online without firewalls, encryption, or password protection: “This is unacceptable.… This is the first data security enforcement action [by the FCC], but it will not be the last.”
— Travis LeBlanc, FCC’s top enforcement official (October 28, 2014)
Other federal statutes
• HITECH (medical information)
• HIPAA (medical information)
• GLBA (financial institutions)
• FTCA (Federal Trade Commission Act)
• FERPA (educational records)
• FCRA (consumer reporting agencies)
• COPPA (children’s information)
States
• There are 47 different state laws with different requirements, different definitions of whether notifications need to occur, and different timings for notifications.
• Some require harm to occur to trigger notification
• Some require notice to their attorneys general or agencies (some are before notice is sent to consumers, some are after)
• Some have a specific time frame
• Some permit a private right of action
• Some have different provisions for third parties that hold data.
How much of what you do crosses state lines?
FUN FACT!
Washington state (HB 1078 – effective July 24, 2015)
• Among other provisions:
• Expands coverage to hard copy data.
• Requires notification to the Washington Attorney General if more than 500 Washington residents must be notified.
• Imposes a 45-day deadline for notification of affected consumers and/or the Washington Attorney General.
• Empowers the Washington Attorney General to enforce the statute by bringing actions under the state’s consumer protection act.
• Mandates certain content in the consumer notification.
Part II: What you should do right now*
*Well, not right now. But right after this presentation!
Get the Boards on … err … board.
• Ensure the company’s focus on cybersecurity
• Provide oversight of the risk management process
• Identify and empower their experts
• Include cybersecurity as a regular Board agenda item
Create an information security plan
• Why?
• Minimize employee-related breaches
• Reduce overall exposure
• Reductions for CISO, information security program, strong security
• Legally important
• Increase customer trust and company reputation
• Don’t be a or a
Create an information security plan
“In November 2005, Jason Spaltro, executive director of information at Sony Pictures Entertainment [said], ‘There are decisions that have to be made. We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions…. Legislative requirements are mandatory, but going the extra step is a business decision.’”
Your Guide to Good-Enough Compliance
CIO Magazine
April 6, 2007
Create an information security plan
• Designate a lead
• Conduct a systems assessment
• Implement a security program – include “visual hacking” measures
• Policies and training
• Thanks, Sony!
• Consider cyber insurance
• Review third party contracts
• Create and implement a crisis response plan and team
• Whistleblowers
Insurance
October 12, 2014
Create a crisis response team
• Identify the key constituents
• Recognize their motivations
• Identify and empower the decision-maker
Part III: I’ve been breached (and I can’t get up)
Crisis response
Feel free to take all the time you need!
. . . yeah. Just kidding.
Clock starts ticking from DOB (discovery of breach**)
**Nobody else knows what this means, either.
Crisis response
• What did Part II give you?
• Faster reaction time
• More thorough reaction
• Ability to minimize risk and damage
• Without Part II . . .
Crisis response
• Coordinate first-response team (IT, HR, legal, PR, and business)
• Investigate, isolate, contain, and secure
• Notify (federal, state, int’l, individual, media, and other)
• Consider referral to law enforcement and/or civil remedy
• Re-evaluate
Crisis response
• Coordinate first-response team (IT, HR, legal, PR, and business)
• Investigate, isolate, contain, and secure
• Retain forensic investigator
• Interview witnesses
• Preserve documents and systems
• Identify what was compromised
• Document everything
• Notify (federal, state, int’l, individual, media, and other)
• Consider referral to law enforcement and/or civil remedy
• Re-evaluate
Crisis response
• Coordinate first-response team (IT, HR, legal, PR, and business)
• Investigate, isolate, contain, and secure
• Notify (federal, state, int’l, individual, media, and other)
• Federal, state, international
• Individuals
• Insurers and credit card companies (PFI!)
• Media
• Employees
• Consider referral to law enforcement and/or civil remedy
• Re-evaluate
Crisis response
• Coordinate first-response team (IT, HR, legal, PR, and business)
• Investigate, isolate, contain, and secure
• Notify (federal, state, int’l, individual, media, and other)
• Consider referral to law enforcement and/or civil remedy
• E.g., 18 U.S.C. § 1030
• Re-evaluate
The end.
Contact Information
Shamoil T. Shipchandler
Partner, Bracewell & Giuliani LLP
214.758.1048