Presented By:
Successful Ways to Evaluate Your Organization’s Legal and Business Cybersecurity Risk Profile
October 30, 2015

Presenters:
• Pamela Passman, President & CEO, Center for Responsible Enterprise and Trade (CREATe.org)
• Mary Jane Wilson‐Bilik, Partner, Sutherland Asbill & Brennan LLP
• Leslie T. Thornton, Senior Vice President, General Counsel & Secretary, WGL Holdings, Inc. & Washington Gas
• Heather Shea, Assistant General Counsel, AIG
• Anjli Garg, SVP, Assistant General Counsel, Citibank
Agenda
• Evolving cyber landscape
• What regulators are saying
• The Board’s role
• Best practices in risk assessment
• Vendor management
Cyber Threats and Business Critical Information: Steps to Reduce Risks and Protect Assets
Pamela Passman, President & CEO, Center for Responsible Enterprise and Trade (CREATe.org)
A Growing Challenge
PwC 2015 State of Compliance Survey
What are the top 3 areas in terms of future perceived level of compliance‐related risk to your business over the next 5 years?
1 – Data security
2 – Privacy and confidentiality
3 – Industry‐specific regulations
4 – Bribery/corruption
5 – Supplier/vendor/third‐party compliance
‘Corporate Digital Assets’
As much as 75 percent of most organizations’ value and sources of revenue creation are in intangible assets, intellectual property, and proprietary competitive advantages.
Example: Sony
Employee & Company Information
• Email
• Employee PII (banking, medical, passport, SSN, performance reviews)
• Financial data
• Customer, vendor and third‐party proprietary and confidential information
IP, Products & Competitive Information
• Products and services (films, scripts)
• Business plans
• Intellectual property and trade secrets
• Other confidential and private information
Why the Rise of Corporate Digital Asset Breaches?
Four drivers converge on corporate digital assets:
• Globalized marketplace
• Information digitalization
• Mobile workforce
• Fragmented value chains
Supply Chain/Vendor Vulnerabilities
“Financial criminals will typically look for the weakest link – the most efficient, easiest way into a system. And, the majority of the time, suppliers are the easiest way in.”
What Regulators Are Saying
Mary Jane Wilson‐Bilik, Partner, Sutherland Asbill & Brennan LLP
Evolving Legal Framework
• Obligation to protect systems & information
– Not just customers’ privacy – also critical infrastructure safeguards
– Not just company data – also vendors’/servicers’ data, source code
• Mosaic of regulations
– Federal
• Gramm‐Leach‐Bliley (GLB) (privacy and safeguards rules)
• HIPAA
• FTC Act (unfair and deceptive trade practices)
• Commerce (NIST Framework)
• SEC requirements (Reg. S‐P, disclosure)
• FERC (NERC Critical Infrastructure Protection (CIP) standards)
– State and international
Gramm‐Leach‐Bliley
• GLB’s two rules (1999), applicable to financial institutions:
– Privacy Rule: must notify customers when their information is shared with others; opt‐out rights; annual notice (Reg. S‐P is the SEC’s implementation for the firms it regulates)
– Safeguards Rule: must develop a written information security plan describing how the company will protect the security, confidentiality and integrity of customer information
• Tailored to the company’s size, risks and complexity
• Nature and scope of the company’s activities
Targeted Focus
• The 2013 Executive Order
– Feb. 12, 2013: President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”
• Called for development of a voluntary cybersecurity framework
– Feb. 12, 2014: National Institute of Standards and Technology (NIST) released the Cybersecurity Framework (version 1.0)
• Year‐long initiative of NIST, with Homeland Security, in response to the Executive Order
• Guidance to companies on how to assess readiness and manage the growing cybersecurity threat
SEC: Strong Focus on Cybersecurity
• SEC Guidance for Public Companies (CF Disclosure Guidance: Topic No. 2, October 2011):
– Identified cybersecurity risks and incidents as potentially material information to be disclosed to investors
– Encourages companies to assess their risks of cyber incidents and review the impact on the company’s operations, liquidity and financial condition
– A blueprint for assessing cyber risk exposures and determining what must be disclosed
SEC Exam Focus
• 2014‐15: SEC (OCIE) Cybersecurity Benchmarks
– Published a seminal list of 26 questions on:
• Cybersecurity governance and risk assessments
• Measures to protect networks and information
• Detecting unauthorized activity and loss of data
• Vendor management and use of the cloud
• Employee training
• Information sharing
• Cyberinsurance and business continuity planning
– Other regulators have a similar focus
FTC Wyndham Case
Fed. Trade Comm’n v. Wyndham Worldwide Corp., 799 F.3d 236, 2015 WL 4998121 (3d Cir. Aug. 24, 2015)
• Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce.”
• Holding: the FTC Act gives the FTC the authority to regulate cybersecurity as an “unfair” business practice
– No actual‐injury requirement
– The statute provides sufficient (fair) notice
– See FTC, Start with Security: A Guide for Business
State Developments: encryption requirements, breach notice to state AGs, expanding definitions of PII, state Unfair Trade Practices Acts
The Role of the Board
Leslie T. Thornton, Senior Vice President, General Counsel & Corporate Secretary, WGL Holdings Inc. & Washington Gas Light Company; Director, Career Education Corporation
The Board’s Role
• What is the board’s role in ensuring a company is proactive in preventing a breach?
– While the Board’s role is largely an oversight function, scrutiny by the SEC and other regulators of the manner in which Boards exercise their oversight responsibility means Boards must take this responsibility seriously (e.g., the Wyndham case).
– Basic tenets, as adeptly outlined by the 2012 NACD Handbook on Cybersecurity for Directors, are:
• Directors must approach cybersecurity as an enterprise‐wide risk management issue, not just an IT issue
• Directors should understand the legal implications of cyber risks as they relate to their company’s specific issues/circumstances
• Boards should have adequate access to cybersecurity expertise, and they must devote sufficient time to cyber‐risk management on board meeting agendas
• Directors should hold management’s feet to the fire on establishing an enterprise‐wide cyber risk management framework with adequate staffing and budget (e.g., the NIST Framework)
• Board‐management discussion of cyber risk should include identification of which risks must be avoided and which can be accepted, mitigated, or transferred through insurance, as well as specific “plans” for each approach
Cybersecurity Integrated into Business
Board Oversight
Executive Level Decision‐Making
Cross‐Functional Team:
• Legal
• Risk
• Chief Information Officer (CIO)
• Chief Information Security Officer (CISO)
• Chief Compliance Officer (CCO)
• Finance
• Communications/PR
• Physical Security
• Supply Chain
• Customer Support
• Human Resources
Stakeholders:
• Employees
• Regulatory agencies
• Customers
• Law enforcement
• Vendors/Suppliers
• Lenders
• Shareholders
• Media (formal and informal)
• Partners
Training the Board
• What is your advice to directors who do not have a technical background?
– Boards should have access to cybersecurity expertise, whether through an actual director or outside expertise.
– Boards of critical infrastructure companies might do well to consider seating a cyber‐savvy director.
Information Sharing
• What are the pros and cons of information sharing, and the risks of working with the government?
– “It’s only a matter of time before someone uses cyber as a tool to do damage to critical infrastructure…” ‐‐ Adm. Michael S. Rogers, NSA, Global Tech Conference, October 2015
– “Under the FBI’s strategic vision, our threat‐focus approach means we not only focus on arresting nefarious actors but we also seek to ultimately neutralize the threat. Key to this is incorporating the FBI into a company’s response plan: Get to know the local FBI cyber‐trained Special Agent; learn how the FBI investigates cyber crime; learn what to collect and how to preserve evidence needed to conduct an investigation; know who to contact in the event of an emergency; include the FBI in training and exercises; and prepare in advance how you will respond to an intrusion.” ‐‐ Christopher K. Stangl, Unit Chief, Cyber Division, Federal Bureau of Investigation, December 2014
Information Sharing (continued)
• “It certainly is the case that to the extent that we try to take information from specific incidents and extract generally useful information, anonymize it, and get it out as broadly as we can, if we don’t have it because companies won’t share it, we’re not able to help others ‐‐ they are participating in raising all boats.” ‐‐ Suzanne Spaulding, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, December 2014
Cybersecurity Risk Assessments
Heather Shea, Senior Compliance Officer & Assistant General Counsel, AIG
The views expressed in this presentation are my own and do not necessarily represent the views or positions of American International Group, Inc.
Cybersecurity Risk Assessments: Legal/Regulatory Landscape
• US legal requirements
– Gramm‐Leach‐Bliley Act Safeguards Rule
– HIPAA Security Rule
– State requirements (e.g., Massachusetts, 201 CMR 17.00)
• Industry/regulatory standards
– NIST Cybersecurity Framework
– FFIEC Cybersecurity Assessment Tool
Cybersecurity Risk Assessments: Risk Assessment Framework
• Identify inherent risks
– Assess the threat landscape and the likelihood of being a target
– Consider the applicable legal/regulatory environment
– Evaluate potential operational, financial and reputational harm
• Prioritize ‘high’ risks
• Evaluate controls
– Assess the effectiveness of existing controls
– Identify control gaps
• Assess residual risk
• Develop action plans
– Remediate any partially effective or ineffective controls
– Develop and implement controls where gaps are identified
– Aim to achieve the target state of cybersecurity maturity
Cybersecurity Risk Assessments: Cybersecurity Program Recommendations
• Identify key stakeholders responsible for cybersecurity
• Identify, classify and protect sensitive data
– Consider encryption and secure disposal
• Develop and implement written information security policies and procedures
• Train employees and others with access to data
• Identify a core Incident Response Team and develop an Incident Response Plan
– The plan should address: identification, mitigation, investigation, escalation, notification (internal and external), and remediation (including short‐term and long‐term lessons learned)
– Conduct tabletop exercises
• Manage third‐party risk
• Monitor and test the effectiveness of the information security program regularly
• Perform risk assessments to discern the likelihood of an event and its impact
Vendors and Cybersecurity
Anjli Garg, SVP, Assistant General Counsel, Citibank
The views expressed in this presentation are not necessarily those of Citibank.
Vendors and Cybersecurity: Vendor Management – Accountability and Vendors
• Identify disclosed data (IP, CI, PD, SPD, PHI)
• Identify your obligations (e.g., GLBA, PCI‐DSS, HIPAA, HITECH, FFIEC Guidelines, state laws)
– Flow the same requirements down to your vendors
Toolkit:
• Template Q&A for the business
• Standard process for vendor classification/risk assessment
• Template vendor contracts (fallbacks/risk‐driven provisions)
Vendors and Cybersecurity: Vendor Management – Due Diligence/Risk Assessment
Security is only as good as your weakest link.
• Template Q&A
• Vendor risk classification
• Risk mitigation:
– Is the data necessary for the service?
– Scope of data processing – storage/location/cross‐border transfer
– Data encryption
Vendors and Cybersecurity: Vendor Management – Audit
• Ongoing due diligence
• Frequency
• Type of audit
– Security certifications
– Onsite
Vendors and Cybersecurity: Vendor Management – Contract
• Breach notification & costs
• Subcontracting (vendors of vendors)
• Reps & warranties – compliance with law, industry standards, other requirements
• Indemnities and limitation of liability (LOL)
– Liability caps
• Other requirements
– Data storage and transfer (Model Contract clauses)
– Business Associate Agreement (BAA) for PHI