Draft of June 9, 2015
Cyber Risks in the Boardroom: Managing Business, Legal and Reputational Risks
Perspectives for Directors and Executive Officers
Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing Threat Environment
Working Document from “Cyber Risks in the Boardroom Conference”
June 12, 2015
Copyright ©2015 Sullivan & Cromwell LLP
Table of Contents
Overview 3
Governance 6
Assessing Your Company’s Vulnerabilities and Risks 9
Mitigating Cybersecurity Risk 16
Response to Breach 23
Overview
A recent survey of more than 9,700 executives found that:
42.8 million cybersecurity incidents were detected by the respondents during 2014, an increase of more than 48% over 2013
Globally, the average financial loss attributed to cybersecurity incidents during 2014 was $2.7 million, a 34% increase over 2013
The incurrence of financial losses of $20 million or more attributed to a single cybersecurity incident increased by 92% over 2013
Source: PricewaterhouseCoopers LLP: Managing cyber risks in an interconnected world. Key findings from The Global State of Information Security Survey 2015
Employees, through negligence, inadvertence and maliciousness, are the top cause of data breaches in the U.S.
The most costly breaches, however, are malicious in nature
Being prepared to handle a data breach properly may reduce the costs related to an incident significantly
Expectations of shareholders, customers, regulators and law enforcement are evolving. Data breaches are becoming less surprising but companies will be held to a higher standard of preparedness and responsiveness
Source: PricewaterhouseCoopers LLP: Managing cyber risks in an interconnected world. Key findings from The Global State of Information Security Survey 2015
Governance
Cybersecurity is not solely the responsibility of the technologists; preparation and response require coordination across an organization
Senior management and the board should understand the risks and be briefed regularly on cybersecurity measures
Specific members of senior management should be assigned primary responsibility for monitoring cybersecurity risks and working with other company stakeholders to manage the interaction of cybersecurity controls and operational needs
Depending on your company’s internal capabilities, your company should consider retaining external advisers, including technical and legal advisers, to assist with its security assessment and preparedness and/or test the company’s security preparations
The board should exercise oversight of cybersecurity preparedness, including through appropriate committee review
The board may consider it appropriate to meet with external advisers in the course of its oversight
Assessing Your Company’s Vulnerabilities and Risks
Assessing Your Company’s Vulnerabilities and Risks: Assessment Framework
How should your company assess risk?
Periodic self-assessment by an identified group of employees, overseen by an identified supervisor or committee of supervisors
Client reviews and audits
Governmental or regulatory reviews and audits
Join a relevant information sharing and analysis center (ISAC) to share threat intelligence with other companies in your industry
Use of external advisers
Penetration/vulnerability testing
Assessing Your Company’s Vulnerabilities and Risks: Information to Protect
Identify the kinds of sensitive information that your company holds
Personal data of clients and employees (such as credit card data or financial or health-related information)
Trade secrets
Other commercially valuable or proprietary information
Market-sensitive information, such as information on company results and/or potential transactions
Other client information
Assessing Your Company’s Vulnerabilities and Risks: Systems
Assess the risks posed by your company’s IT profile
Cloud storage
Mobile devices
Distributed systems
Third-party interconnection
Physical security
Assessing Your Company’s Vulnerabilities and Risks: Systems
Consider the nature of the threats to which your company is exposed
Theft of your company’s information
Theft of others’ information
Malicious behavior and interference with business (e.g., ransomware, denial of service attacks)
Harassment, hacktivism and public exposure
Assessing Your Company’s Vulnerabilities and Risks: Threat Environment
Employees, whether through malice, negligence or inadvertence
Vendors and others with system access
Hackers and other cyber-intruders
Lone wolves
Ideological groups
Organized crime networks
State-supported groups
Physical intruders
Assessing Your Company’s Vulnerabilities and Risks: Protection Obligations
Identify the obligations to which your company is subject regarding how information is to be protected
Legal and regulatory (federal, state, international)
Contractual
Professional (e.g., lawyers’ ethical duties)
Mitigating Cybersecurity Risk
Mitigating Cybersecurity Risk: Security Policy
Your company should have a comprehensive security policy intended to address the threats it faces
The policy must comply with all applicable legal, contractual and professional requirements
The policy should be designed to meet one or more applicable standards; these may include the NIST Cybersecurity Framework, ISO, PCI, COBIT, and SANS Institute controls
The policy should have both proactive and reactive components: reducing the likelihood of a breach, pre-breach measures to mitigate the effects of a breach, and a breach response plan
Mitigating Cybersecurity Risk: Employees
Your company should establish measures to manage and mitigate the risks employees create
Screening and background checks at hiring
Continued monitoring during employment
Requirements that employees review and confirm that they understand and will comply with the company’s security policy
Ongoing training in security awareness and risk mitigation
Mitigating Cybersecurity Risk: Technical Controls
Your company should implement up-to-date technical controls to address cybersecurity risks
Consistent with industry best practices and otherwise appropriate to address the specific threats the company faces
Identify attempts to hack into the company’s systems and attempts to access information that users are not authorized to see
Identify unauthorized communications into and out of the company’s network
Mitigating Cybersecurity Risk: Security Considerations
Evaluation of security considerations relating to employees
Passwords
Use of personal devices and other non-firm devices
Use of public networks
Ability to write on transportable media
Ability to download external programs onto the company’s network or onto company devices
Physical security of IT systems
Mitigating Cybersecurity Risk: Contractors and Vendors
Address threats posed by contractors and vendors
They must understand your company’s security requirements and agree to comply with them
Your company should review their cybersecurity vulnerabilities and their potential impact on your company
Your company’s contractual arrangements with contractors and vendors should provide for appropriate risk allocation/insurance, audit/review rights, and compliance with requirements to which the company is subject
Mitigating Cybersecurity Risk: Insurance
Assess your company’s position regarding cybersecurity insurance
Confirm that your policies cover losses from data breaches, as many general liability policies may not
Consider specific cybersecurity coverage in addition to your general liability coverage
Secure the correct amount of coverage
Response to Breach
Response to Breach: Response Team
There should be a plan in place and known to all relevant personnel as to how to respond to a breach. This should be prepared in advance of a breach
The plan should be reviewed and updated regularly to keep it current and ensure that relevant personnel are familiar with it
Identify the company personnel who will be on the team to handle the incident response
Should include representatives from Tech, Legal, HR, Communications, Compliance, Customer Relations, Senior Management
Specific responsibilities and leadership should be assigned in advance
Understand which communications may be privileged and therefore not subject to subsequent disclosure, and which will not be privileged
Consider regularly holding breach-response exercises to test the plan and familiarize participants with its procedures, preferably both with and without prior notice
Response to Breach: Communications Strategy
Your company’s goal should be to control external messaging, not react to it
It may be preferable to volunteer disclosure before it is legally required
Monitor media, including blogs and social media, for what others may be saying
Have a strategy for dealing with leaks if news of the breach becomes public before your company is planning to make a statement
Response to Breach: Notice Obligations
Identify in advance all applicable notification requirements
State notification laws for personal data
Specific federal notification requirements (HIPAA, GLB)
SEC and stock exchange requirements for public companies
Legal obligations from jurisdictions outside the U.S.
Contractual requirements
Professional requirements, if applicable
Response to Breach: Notice Recipients
Determine in advance who must be notified in the event of particular types of breach and who will be responsible for notifying them
Law enforcement and DHS
Regulators
Customers and clients
Contractual counterparties, vendors, contractors and other partners
Public filings
Response to Breach: Outside Support
Identify in advance outside advisers to assist with breach response and integrate them into response planning
Technical advisers, including forensic consultants
Legal advisers
Public relations
Government relations
Credit monitoring services, if applicable
Identify in advance any limits on your ability to provide information to authorities (e.g., privacy laws, contractual restrictions) and consider methods for addressing those limitations