Rise in cyber attacks at US companies

“This threat to our country’s economic and national security, and to companies’ bottom line, is real and it is growing.”
Jay Rockefeller, Senator and Commerce Committee Chairman, in a letter to the Chairman of the SEC, April 9, 2013
Sources:
http://thehill.com/blogs/hillicon-valley/technology/292919-rockefeller-asks-sec-to-step-up-cybersecurity-disclosures
http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-us-corporations.html?pagewanted=all&_r=0
http://www.bloomberg.com/news/2013-05-14/iran-based-hackers-traced-to-cyber-attack-on-u-s-company.html
http://techland.time.com/2013/09/26/major-u-s-data-providers-hit-by-cyber-attacks/
http://www.npr.org/blogs/alltechconsidered/2013/08/30/217296301/firms-brace-for-possible-retaliatory-cyberattacks-from-syria
Magnitude of the Threat
• Cybercrimes are widespread, systemic and insidious
• Annual cost is approximately $100 billion
• Double-digit year-over-year growth in incidents
• 90% of U.S. companies surveyed had detected computer security breaches*
• 74% acknowledged financial losses as a result
*Source: 2011 Computer Security Institute survey
Verizon 2014 Data Breach Investigations Report (April 23, 2014)
• Nearly 200 breaches of payment systems used by retailers, hotels and restaurants
• Cyber education and “hygiene” critical in protecting payment systems
Business Consequences
• Harm to business, “franchise” risk, company valuation, stock price, etc.
• Long-term financial and business damage
• Theft of valuable intellectual property and business plans
• Theft of customer data and funds
• Disruption of critical operations and corporate web sites
• Headline and reputational harm
Potential costs
• Financial losses for the company
  • Average cost of $500,000 and 24 days to identify and resolve an attack [1]
  • Cyber crime cost companies $300bn to $1 trillion in total in 2013 [1]
• Financial losses for shareholders
  • ~5% drop in share price for public companies [2]
• Brand reputation [3]
  • Value of brand can decline 17-31%, depending on the nature of the breach and the industry
• Your reputation
Sources:
1: 2013 Cost of Cyber Crime Study: United States, Ponemon Institute, October 2013, http://www.hpenterprisesecurity.com/ponemon-2013-cost-of-cyber-crime-study-reports
2: “Anatomy of data breaches and their impact on market value,” Electronic International Interdisciplinary Conference 2012, http://www.eiic.cz/archive/?vid=1&aid=2&kid=20101-131
3: Ponemon Institute, Reputation Impact of a Data Breach, October 2011, http://www.scmagazine.com/breaches-lead-to-major-reputation-brand-damage/article/215595/
Legal Consequences
• Governmental investigations and sanctions (SEC, DOJ, State Attorneys General, FTC, etc.)
• Consumer litigation
• Class action lawsuits
• Shareholder derivative demands
• Special Board/Litigation Committees and potential claims against the corporation
Push for government regulation
• Cyber Intelligence Sharing & Protection Act (CISPA)
  • To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes
  • Passed the House of Representatives in April 2013; the Senate will not vote on it but is drafting competing legislation
• White House Executive Order 13636, Improving Critical Infrastructure Cybersecurity (February 12, 2013)
  • Establishes a top-to-bottom review of the federal government’s efforts to defend the nation’s information and infrastructure
• Separately, the SEC Division of Corporation Finance’s disclosure guidance (CF Disclosure Guidance: Topic No. 2, October 2011) directs companies to disclose cyber attacks, or the risks associated with breaches, where they are likely to be material to investors
Proactive Response Plan
• Detailed, step-by-step Incident Response Plan
• Analysis of insurance policies to determine coverage
• Legal counsel and key service providers “on speed dial”
• Crisis communication strategy and trained spokespeople
• Government affairs/communications with regulators
• Readiness exercises that simulate an actual attack
• Business continuity planning
• Security audits of key vendors
• Litigation and regulatory preparedness
Cybersecurity Strategic Planning Checklist
• Detailed, step-by-step Incident Response Plan
• Adequate insurance coverage (consider a Cyber policy)
• Legal counsel and other service providers “on speed dial”
• Crisis communication and litigation strategies
• Government affairs/communications with regulators
• Readiness exercises that simulate an actual attack
• Business continuity planning
• Security audits of key vendors
Privacy and security guidelines for boards
• Establish ‘tone from the top’ through top-level policies
• Review roles and responsibilities; ensure risk/accountability is shared throughout the organization
• Ensure regular information flows to executives and the board, including cyber incidents and breaches
• Review annual IT budgets for privacy and security, separate from the CIO’s budget
• Conduct annual reviews of the enterprise security program, review findings, and ensure gaps and deficiencies are addressed
• Evaluate the adequacy of security around board materials and communication
Source: Governance of Enterprise Security: How Boards & Senior Executives are Managing Cyber Risks, CyLab 2012 Report, Carnegie Mellon University
Technology in the boardroom
Methods of distributing board materials shown on the slide:
• In-person at time of meeting
• Courier delivery
• Unsecure email
• Cloud file sharing services
• Mobile app / PDF reader
• Secure email
• Internal PDF-based portal
• Secure board portal

Key concerns with these methods:
• Privacy
• Limited administrator control
• Hacking and other security vulnerabilities
• Purchase of additional secure container technology

Secure board portal: board portal technology brings a new standard of cyber security
• Control access to data
• Data encrypted in transit and at rest on all devices
• Does not track a Director’s electronic footprint
• Regular, repeated third-party audits and penetration testing
• Local redundancy, data back-up and recovery

Important vendor requirements
• Ensure that privacy and security requirements for vendors are based upon key aspects of your organization's security program
• Carefully review internal and vendor notification procedures in the event of a breach or security incident