CYBER AND THE BOARD - Privacy+Security Academy

TRANSCRIPT

CYBER AND THE BOARD

April 2019

Dan Caprio, Kim Griffin, Andrew Serwin

Agenda

• How concerned are Boards?
• Communicating with the Board about cyber
• What are the relevant legal obligations for the Board?
• How should the Board think about cyber?
• Where should cyber be addressed at the Board?
• What are the threats and challenges?
• What should the Board do about cyber?
• What should Management do about cyber?
• Lessons learned and takeaways

Morrison & Foerster LLP

How Concerned Are Boards About Cyber?

• According to a 2018 NACD survey, 47% of Boards were concerned about cyber, making it the third-highest-ranked concern of Boards for 2018.

Communicating With the Board About Cyber

Understanding types of risk: 3 Categories

First Category: Preventable Risks
Risk that is well known and best addressed by rules-based compliance.

Second Category: Strategy Risks
Business decisions designed to benefit the organization by assuming risk; here the task shifts from avoiding risk to actively managing the risks that have been assumed.
• Not all risks will be obvious at first, and the risk-management program will need to carefully monitor risks and adjust quickly as new or unforeseen risks become apparent.

Third Category: External Risks
Outside and beyond the control of the organization.
• Indeed, an external risk may not be preventable, so the focus of risk management must then turn to early risk identification and impact mitigation.

Risk framing is a process of understanding and conceptualizing an organization’s risk in order for business leaders to make risk-informed decisions.

https://iapp.org/news/a/how-to-avoid-privacy-black-swans/

Communicating With the Board About Cyber

Organizations must contend with the complexity and uncertainty of a future that is characterized by dynamic threats and shifting expectations.

It is not enough to just have a plan for when a cyber event happens. Organizations need to be confident that their plans will actually work as expected.

Problem-solving approaches must overcome the numerous biases that affect thinking about risk and uncover opportunities to solve tough problems.

Communicating With the Board About Cyber

Too often cybersecurity and privacy communications for boards and senior executives are ineffective because they are disconnected from business priorities, do not provide meaningful risk context, and rely on technical and legal language that is often confusing and distracting.

Organizations must tailor their board and executive communications based on corporate culture, alignment with business strategy, and risk tolerance.

Communicating With the Board About Cyber

Stakeholder cybersecurity and privacy communications are vital across all dimensions of an organization, yet are rarely viewed as a holistic business imperative.

The three biggest impediments to effective stakeholder engagement are: an incomplete understanding of who the stakeholders are, siloed and uncoordinated messaging, and a lack of appreciation of the varied expectations of different audiences.

Communicating With the Board About Cyber

Getting Senior Management and Boards to think strategically

Think of cybersecurity in terms of risk. Cybersecurity is a risk management problem, not a technology problem.

There is no silver bullet or compliance checklist.

Educate the Board on the nature of the specific threat to the organization, and on the ways in which the organization is attempting to prevent, detect, and respond to attacks.

Communicating With the Board About Cyber

Use the NIST CSF to help boards and senior management think strategically. https://www.nist.gov/cyberframework/framework

The Framework helps organizations to better understand, manage, and reduce their cybersecurity risks. Its five core functions (Identify, Protect, Detect, Respond, Recover) give the Board a vocabulary for asking where the program stands without descending into control-level detail.

By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization.

Communicating With the Board About Cyber

Framing cybersecurity in terms of risk management makes the threat, and the company’s ability to deal with it, much less daunting to boards, which typically include few if any members with an operational background in, and understanding of, technology risk.

Boards should apply the same lens to cybersecurity as they do to strategic, operational, and financial risk, issues that boards are generally more comfortable overseeing.

Communicating With the Board About Cyber

Scenario Development

Boards need to be creative when imagining attack scenarios.

Think proactively and creatively about potential attackers.

Ask: “What would you do if your infrastructure got taken down?”

Communicating With the Board About Cyber

Cybersecurity and privacy risk can be managed effectively with foresight and imagination.

Conducting cyber and privacy war games and table-top simulations gives organizations the ability to test response plans, exercise executive decision making under uncertainty, and ensure effective internal and external communications.

Creating risk management solutions to an organization’s unique cybersecurity and privacy challenges requires more than just applying “best practices”; it requires “out-of-the-box” thinking.

Communicating With the Board About Cyber

Prepare for multiple attack scenarios.

It is not enough to have a plan to prevent, detect, and respond to cyber-attack: that is merely table stakes.

Companies must have detailed and highly coordinated plans for multiple attack scenarios with the goal of shutting down the attack and communicating a strong message to customers, regulators, and investors.

You need a technical response, a legal response, a press response and a public relations response. And you have to plan for various scenarios: a modest breach, a large breach, and a catastrophic breach. And you have to respond within a day.

Legal Obligations: Fiduciary Duties - Generally

• Fiduciary duties are state law specific
• Generally, directors have:
  • Duty of Care
  • Duty of Loyalty
  • Duty of Oversight
• The most relevant duties are the Duty of Care and the Duty of Oversight.

Duty of Care

• The Board must act on an informed basis after due consideration of relevant materials and proper deliberation.
• Adequate procedure drives the court’s inquiry. Did the Board:
  • have access to relevant information?
  • receive input from management and advisors?
  • consider alternatives?
  • follow a reasonable process?
  • adequately deliberate?
• Directors may rely on the reports and advice of appropriate advisors, including officers and employees of the Company, counsel and other professionals.

Business Judgment Rule

• Ordinarily, a decision to take action, or a conscious decision not to act, is entitled to the protection of the business judgment rule, and a court will not substitute its judgment for that of the Board.
• To be eligible for this protection, the Board’s actions must be:
  • Based on material information available with reasonable diligence and inquiry
  • Made in good faith
  • Made in the honest belief that the action taken or not taken is in the best interest of the Company and its stockholders
  • Made without a conflict of interest
• A person challenging the Board’s decision has the burden to show the Board failed to satisfy its fiduciary duties.

Duty of Oversight

In re Caremark (Del. Ch. 1996)

• Duty of oversight: “A director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by noncompliance with applicable legal standards.”

Stone v. Ritter (Del. 2006)

• To establish a breach of oversight, it must be pleaded and proven that: “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”

Understanding Cyber

• Cyber is an asymmetric threat.
• This means that the attackers may know more about your vulnerabilities than management does.
• The Board will inherently know less about the vulnerabilities than management.
• Ultimately, managing cyber risk is a governance issue, and to appropriately manage this risk the Board must understand the potential risks to the business. They can include:
  • Financial;
  • Legal/compliance;
  • Reputational; and
  • Operational risks.
• Information Risk. Information is an asset of the company, and the Board should ensure that it is appropriately protected, valued, and utilized for the benefit of the company.

What is Your Cyber Risk Tolerance?

• After examining the potential impact of a cyber event, management, with appropriate input from the Board, should determine what the company’s risk tolerance is regarding cyber.
• Ultimately the Board needs to understand the earnings impact of the risk tolerance of the Company and ensure that it and management are aligned, and it must ensure, via its oversight responsibility, that Company management appropriately addresses cyber.

Where Should Cyber “Sit”?

• Dodd-Frank requires certain financial institutions to have a Risk Committee at the Board.
• While it is not required for other companies, some Boards have created Risk Committees.
• The Board should determine where cyber fits in any relevant committees of the Board, whether that is through Audit, Risk, or other committees.
• While it is not a requirement, Boards should consider whether cyber should factor into other committees, including compensation, nominating and governance, as well as how it should fit into the Board Agenda.

What are Examples of Cyber Threats?

• Theft of “Personally Identifiable Information”;
• Theft of business data:
  • Intellectual property (IP)
  • Material nonpublic information
  • Trade secrets;
• Business disruption

Types of Threats

Breaches involve:
• Information regarding individuals
• Other forms of sensitive information unrelated to individuals, such as:
  • Intellectual property (IP)
  • Material nonpublic information
  • Trade secrets
• Business interruption and other forms of attacks

Types of threats:
• Cyberterrorism
• Organized crime
• Hacktivists
• Industrial espionage
• Insiders

Challenges

• Bad guys have more time and more resources
• Threats constantly changing
• Inadequate information sharing
• Chief Information Security Officers cite gaps in skill sets on their teams, lack of bandwidth, and inadequate budgets as some of the biggest issues

Ramifications

• Cyber can impact the Company in a number of ways:
  • Loss of trust/reputational harm;
  • Bad PR;
  • Impact on earnings due to:
    • Loss of customers (including for “B-to-B” Companies);
    • Increased costs that result from fines, response costs, investigative costs, litigation costs and settlements, remediation costs, as well as many others; and
  • Significant distraction for employees, management, and the Board.

What Should the Board Do?

• Understand the cyber risk profile of the Company by discussing this with management, and any appropriate third parties;
• As appropriate, engage with management to help set the risk tolerance for the company;
• Make sure that management has appropriate processes and programs to engage in appropriate risk assessment, which include identifying, assessing, and mitigating risk;
• Make sure that management appropriately communicates the risk; and
• Engage in appropriate oversight by:
  • making sure that cyber is appropriately addressed by the Board, including through relevant committees;
  • ensuring that risks are appropriately remediated; and
  • ensuring that the cyber risk program is otherwise functioning appropriately.

SEC Issues

• Risk Factors need to be reviewed
• When to Disclose a Breach
• Enforcement (Coordination with DOJ)
• Pre-Breach Questions
• Post-Breach Questions

What Should Management Do?

• Conduct an appropriate enterprise cyber risk assessment;
• Assist the Board with determining the Company’s risk tolerance;
• Keep the Board appropriately informed of the Company’s cyber risks;
• Align incentives for employees with the risk tolerance of the Company; and
• Appropriately manage the company’s cyber risks, via an appropriate cyber risk mitigation program.

Management: Know Your Insurance

Cyber Policy: What does it cover?

• What other policies may come into play?
  • Crime
  • Business Interruption
  • D&O
  • E&O
  • General Liability
  • Property
• Third-party vendors: you may require vendors to carry certain dollar-level coverage, but a vendor’s policy limits are shared with its other customers/clients
• Breach response consultants: engage them before any breach occurs

Lessons Learned from Breaches

• Too many cooks
• Unclear decision-making paths
• Lack of practice on the incident response plan
• Lack of resiliency planning (i.e. no backup for communication failure)

What Steps Can Be Taken?

• Understand what information you have and how you protect it
• Create a governance structure that includes senior stakeholders who are relevant to governing information, such as:
  • IT, HR, Audit, Legal, Loss Prevention, Security, Marketing, and others
• Create a framework that protects your highly valuable information
• Use industry-standard technical controls (encryption, network segmentation, strong password management, remote access)
• Make systematic behavioral changes to how information is collected and protected (embed privacy and data security into the culture)
• Be evaluated by a third-party assessor (under privilege)
• Prepare to respond to a security incident (prepare a cross-functional plan, train on it, and practice)

What Should the Board Be Asking?

• Has management reviewed and de-conflicted these cyber organizational structures with the organizational structures for other risks? That is, is your cyber risk management consistent in approach with the management of other risks?
• Have the company's security processes and systems been reviewed by a third-party assessor?
  • Third-party review of cybersecurity readiness can be a crucial factor in defending the company after a security incident, as well as helping a company to take reasonable steps to prepare for and defend against a cyberattack.
• Has internal audit been appropriately engaged?
• Does the company have an incident response plan, and are the appropriate business leaders identified in it?
  • Is it cross-functional?
  • Have you tested it through a tabletop?

What Should the Board Be Asking?

• Is our actual cyber risk consistent with our intended cyber risk?
• Have we considered appropriate risk-shifting devices, such as insurance?
• Is the Board appropriately engaged regarding cyber, and does it have the appropriate organizational structures, including committees, to meet its oversight obligations?
  • This includes assessing how often, and where, cyber is reported on to the Board.
• What organizational structures at the management level exist to measure, govern, and assess data and information risk, and how are threat assessments managed and reported?
• Does management appropriately report on cyber risk to the Board?
• Does management consider cyber risk, as appropriate, when it makes decisions regarding new products or services?

What Should the Board Be Asking?

• Has the level of penetration testing (internal and external), software patching, and other similar activities been reviewed by a third party to ensure it is adequate for your company?
• Has the company benchmarked its cybersecurity risk posture against those of other similar businesses?
• Has management determined what the company’s information sharing strategy is?
• Has management allocated responsibility for protecting the Company’s information assets appropriately?
• Has management completed a high-level data inventory of the company's information assets so that it has an understanding of what information the Company has and generally where it is located?
• Has management done a thorough review of policies and procedures to ensure that they comply with the relevant data security laws, and are consistent with industry best practice?
• Has management done appropriate resiliency planning for a destructive cyber attack?

What Should the Board Be Asking?

• Has management tested and trained on “phishing” attacks and other types of social engineering?

Take Aways for Board and Management

• Identify risks and respond prospectively
• Identify solutions that increase information sharing
• Create processes and resources to respond when an incident occurs