Cybersecurity for In-House Counsel: Achieving Compliance (and Beyond) in a Breach-A-Day World
David G. Ries
John L. Hines, Jr.
Linda M. Watson
October 19, 2016
Clarkhill.com
800-949-3120 | clarkhill.com
David G. Ries, Pittsburgh, PA, 412-394.7787
John L. Hines, Jr., Chicago, IL
Linda M. Watson, Birmingham, MI, 248.988.5881
www.clarkhill.com/contents/cybersecurity-data-protection-privacy
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
FBI Director Robert Mueller, RSA Cybersecurity Conference, March 2012
THREAT ACTORS
• Cybercriminals
• Hackers
• Hacktivists
• Government surveillance
• State sponsored / condoned espionage
• Insiders (disgruntled / dishonest / bored / untrained)
ATTACK VECTORS
• Direct attack
• Watering hole attack
• DNS compromise
• Phishing / social engineering
• Malware / crimeware / ransomware
• Misuse of admin tools
• Infected devices
• Denial of service
• Supply chain attack
• Physical theft / loss
WHAT THEY’RE AFTER
• Money
• Personally identifiable information
• Intellectual property
• Trade secrets
• Information on litigation & transactions
• Computing power
• National security data
• Deny / disrupt service +
“… because that’s where the money is.”
MARCH 2016 - FBI WARNINGS
Criminal seeks hacker to break into international law firms
APRIL 2016 - CEO E-MAIL SCHEMES
• Oct 2013 through Feb 2016 - 17,642 victims
• More than $2.3 billion in losses
MARCH 2016 - W-2 PHISHING SCHEMES
Proskauer Rose + Snapchat + Seagate +++
TODAY’S GREATEST THREATS
• Lost & Stolen Laptops & Mobile Devices
• Spearphishing
SECURITY STARTS AT THE TOP
• Board
• CEO / GC / C-level executives
• Establish & maintain cybersecurity program
• Provide budget & authority
• Assign responsibility
• Set the tone
INFORMATION SECURITY
Secure:
• Process
• People
• Policies & Procedures
• Technology
INFORMATION SECURITY
Secure / Protect:
• Confidentiality
• Integrity
• Availability
INFORMATION SECURITY
Comprehensive Information Security Program
• Risk-based
• Policies
• Training
• Review and update
Constant security awareness
NIST CYBERSECURITY FRAMEWORK
STANDARDS / FRAMEWORKS / CONTROLS
• NIST Framework
• NIST Special Publication 800-53, Rev 4
+ numerous additional standards
• ISO/IEC 27000 series standards:
Information Security Management Systems
• ISACA - COBIT
• Center for Internet Security
• CIS Controls for Effective Cyber Defense Version 6.1
STANDARDS AND FRAMEWORKS
Small Businesses:
• NIST’s Small Business Information Security: The Fundamentals, Draft NISTIR 7621, Rev. 1 (30 pages)
• U.S.-CERT: resources for SMBs
RISK ASSESSMENT
1. Identify Information Assets (data, software, hardware, appliances and infrastructure)
2. Classify Information Assets
3. Identify Security Requirements (statutes and regulations, contracts, common law, “reasonable security,” business needs)
4. Identify Risks
MANAGING RISK
1. Apply security policies and controls to manage the risk
2. Transfer the risk (insurance / contracts)
3. Eliminate the risk
4. Accept the risk
SECURITY REQUIREMENTS
Risk Assessment drives requirements in these areas:
• Technical
• Administrative
• Physical
• Training
• Third Parties
Controls include:
• Encryption
• Passwords
• Patching
• Assign Responsibility
• Firewalls
• Comprehensive Plan
• Background Checks
• Need to Know
• Monitor + Update
• Limit Access
INCIDENT RESPONSE PLANS
Preparing for when a business will be breached, not if it may be breached
The new mantra in security:
Identify & Protect + Detect, Respond & Recover
SECURITY IN TECH CONTRACTS
1. What kind of contracts?
2. What does security in K mean?
3. Absence in K may be violation of law
4. Negotiating security terms
Common contract security terms:
• Reasonable Security
• Have and Maintain
• ISO Certification
SECURITY IN M&A
Is your organization positioned for M&A due diligence?
QUESTIONS?
THANK YOU
Legal Disclaimer: This document is not intended to give legal advice. It is comprised of general information. Companies facing specific issues should seek the assistance of an attorney.