Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing Threat Environment Working Document from “Cyber Risks in the Boardroom Conference” June 12, 2015




Copyright ©2015 Sullivan & Cromwell LLP

Table of Contents

Overview 3

Governance 6

Assessing Your Company’s Vulnerabilities and Risks 9

Mitigating Cybersecurity Risk 16

Response to Breach 23


Overview


Overview

A recent survey of more than 9,700 executives found that:

42.8 million cybersecurity incidents were detected by the respondents during 2014, an increase of more than 48% over 2013

Globally, the average financial loss attributed to cybersecurity incidents during 2014 was $2.7 million, a 34% increase over 2013

The incurrence of financial losses of $20 million or more attributed to a single cybersecurity incident increased by 92% over 2013

Source: PricewaterhouseCoopers LLP: Managing cyber risks in an interconnected world. Key findings from The Global State of Information Security Survey 2015


Overview

Employees, through negligence, inadvertence and maliciousness, are the top cause of data breaches in the U.S.

The most costly breaches, however, are malicious in nature

Being prepared to handle a data breach properly may reduce the costs related to an incident significantly

Expectations of shareholders, customers, regulators and law enforcement are evolving. Data breaches are becoming less surprising but companies will be held to a higher standard of preparedness and responsiveness

Source: PricewaterhouseCoopers LLP: Managing cyber risks in an interconnected world. Key findings from The Global State of Information Security Survey 2015


Governance


Governance

Cybersecurity is not solely the responsibility of the technologists; preparation and response require coordination across an organization

Senior management and the board should understand the risks and be briefed regularly on cybersecurity measures

Specific members of senior management should be assigned primary responsibility for monitoring cybersecurity risks and working with other company stakeholders to manage the interaction of cybersecurity controls and operational needs


Governance

Depending on your company’s internal capabilities, your company should consider retaining external advisers, including technical and legal advisers, to assist with its security assessment and preparedness and/or test the company’s security preparations

The board should exercise oversight of cybersecurity preparedness, including through appropriate committee review

The board may consider it appropriate to meet with external advisers in the course of its oversight


Assessing Your Company’s Vulnerabilities and Risks


Assessing Your Company’s Vulnerabilities and Risks: Assessment Framework

How should your company assess risk?

Periodic self-assessment by an identified group of employees, overseen by an identified supervisor or committee of supervisors

Client reviews and audits

Governmental or regulatory reviews and audits

Join a relevant information sharing and analysis center (ISAC) to share threat intelligence with other companies in your industry

Use of external advisers

Penetration/vulnerability testing


Assessing Your Company’s Vulnerabilities and Risks: Information to Protect

Identify the kinds of sensitive information that your company holds

Personal data of clients and employees (such as credit card data or financial or health-related information)

Trade secrets

Other commercially valuable or proprietary information

Market-sensitive information, such as information on company results and/or potential transactions

Other client information


Assessing Your Company’s Vulnerabilities and Risks: Systems

Assess the risks posed by your company’s IT profile

Cloud storage

Mobile devices

Distributed systems

Third-party interconnection

Physical security


Assessing Your Company’s Vulnerabilities and Risks: Systems

Consider the nature of the threats to which your company is exposed

Theft of your company’s information

Theft of others’ information

Malicious behavior and interference with business (e.g., ransomware, denial of service attacks)

Harassment, hacktivism and public exposure


Assessing Your Company’s Vulnerabilities and Risks: Threat Environment

Employees, whether through malice, negligence or inadvertence

Vendors and others with system access

Hackers and other cyber-intruders:

Lone wolves

Ideological groups

Organized crime networks

State-supported groups

Physical intruders


Assessing Your Company’s Vulnerabilities and Risks: Protection Obligations

Identify the obligations to which your company is subject regarding how information is to be protected

Legal and regulatory (federal, state, international)

Contractual

Professional (e.g., lawyers’ ethical duties)


Mitigating Cybersecurity Risk


Mitigating Cybersecurity Risk: Security Policy

Your company should have a comprehensive security policy intended to address the threats it faces

The policy must comply with all applicable legal, contractual and professional requirements

The policy should be designed to meet one or more applicable standards; these may include the NIST Cybersecurity Framework, ISO, PCI, COBIT, and SANS Institute controls

The policy should have both proactive and reactive components: measures that reduce the likelihood of a breach, pre-breach measures that mitigate the effects of a breach, and a breach response plan


Mitigating Cybersecurity Risk: Employees

Your company should establish measures to manage and mitigate the risks employees create

Screening and background checks at hiring

Continued monitoring during employment

Requirements that employees review and confirm that they understand and will comply with the company’s security policy

Ongoing training in security awareness and risk mitigation


Mitigating Cybersecurity Risk: Technical Controls

Your company should implement up-to-date technical controls to address cybersecurity risks

Consistent with industry best practices and otherwise appropriate to address the specific threats the company faces

Identify attempts to hack into the company’s systems and attempts to access information that users are not authorized to see

Identify unauthorized communications into and out of the company’s network


Mitigating Cybersecurity Risk: Security Considerations

Evaluation of security considerations relating to employees

Passwords

Use of personal devices and other non-firm devices

Use of public networks

Ability to write on transportable media

Ability to download external programs onto the company’s network or onto company devices

Physical security of IT systems


Mitigating Cybersecurity Risk: Contractors and Vendors

Address threats posed by contractors and vendors

They must understand your company’s security requirements and agree to comply with them

Your company should review their cybersecurity vulnerabilities and their potential impact on your company

Your company’s contractual arrangements with contractors and vendors should provide for appropriate risk allocation/insurance, audit/review rights, and compliance with requirements to which the company is subject


Mitigating Cybersecurity Risk: Insurance

Assess your company’s position regarding cybersecurity insurance

Confirm that your policies cover losses from data breaches, as many general liability policies may not

Consider specific cybersecurity coverage in addition to your general liability coverage

Secure the correct amount of coverage


Response to Breach


Response to Breach: Response Team

There should be a plan in place and known to all relevant personnel as to how to respond to a breach. This should be prepared in advance of a breach

The plan should be reviewed and updated regularly to keep it current and ensure that relevant personnel are familiar with it

Identify the company personnel who will be on the team to handle the incident response

Should include representatives from Tech, Legal, HR, Communications, Compliance, Customer Relations, Senior Management

Specific responsibilities and leadership should be assigned in advance


Response to Breach: Response Team

Understand which communications may be privileged and therefore not subject to subsequent disclosure, and which will not be privileged

Consider regularly holding breach-response exercises to test the plan and familiarize participants with its procedures, preferably both with and without prior notice


Response to Breach: Communications Strategy

Your company’s goal should be to control external messaging, not react to it

It may be preferable to volunteer disclosure before it is legally required

Monitor media, including blogs and social media, for what others may be saying

Have a strategy for dealing with leaks if news of the breach becomes public before your company is planning to make a statement


Response to Breach: Notice Obligations

Identify in advance all applicable notification requirements

State notification laws for personal data

Specific federal notification requirements (HIPAA, GLB)

SEC and stock exchange requirements for public companies

Legal obligations from jurisdictions outside the U.S.

Contractual requirements

Professional requirements, if applicable


Response to Breach: Notice Recipients

Determine in advance who must be notified in the event of particular types of breach and who will be responsible for notifying them

Law enforcement and DHS

Regulators

Customers and clients

Contractual counterparties, vendors, contractors and other partners

Public filings


Response to Breach: Outside Support

Identify in advance outside advisers to assist with breach response and integrate them into response planning

Technical advisers, including forensic consultants

Legal advisers

Public relations

Government relations

Credit monitoring services, if applicable

Identify in advance any limits on your ability to provide information to authorities (e.g., privacy laws, contractual restrictions) and consider methods for addressing those limitations
