Cybersecurity Risk: It's Not Just for IT Anymore
or, What You Don't Know Could Hurt You

Cynthia J. Larose, Esq., CIPP
May 14, 2013

Corporate Data at Risk

Analyzing the Threat Landscape

Threat actors

• Nation states • Criminals • Insiders • Hacktivists • Terrorists

Threat vectors

• Cyber/technical • Insiders • Physical

The Target: Your Company

• R&D and IP • Business data • Personally Identifiable Information • Sabotage

What's at Stake?

• Valuable IP assets, proprietary information, business, transaction and negotiating records, financial data, electronic funds, business functionality and continuity
• SCADA (supervisory control and data acquisition): systems that monitor and control industrial, infrastructure or facility-based processes
• Account information, personal information, access to accounts
• Supply chain management
• Disruption of business; denial of service; business extortion; debilitating impact on essential services

Data Security: On the Corporate Radar?

• 2013 FTI Consulting/Corporate Board Member Survey:
  – Data security and IT risk is one of the most significant legal issues in 2013 for the over 550 Directors and General Counsel surveyed
• The percentage of Directors and GCs concerned about data security has doubled since 2008
  – Trend continued from the 2012 Survey
  – The median annualized cost of cyber-crime per company was $8.9 million
• Denial of service, malicious insider and external attacks all up
  – The survey noted participants' opinion that cyber risks are invisible, ever-changing, pervasive and costly

2013 FTI Consulting Survey By the Numbers

• Directors and GCs both identify data security as the number 2 issue that keeps them up at night
  – close on the heels of succession/leadership transitions, but of much greater concern than operational effectiveness or M&A transactions
• Cyber risk cited by both directors and GCs as an issue on which the board will be spending considerable time this year
• Only a third of GCs felt "very confident" in their company's ability to respond to a breach
• Less than a quarter of directors agreed.

Corporate Practices on Cybersecurity: Report Suggests Lack of Board Involvement (Governance of Enterprise Security: CyLab 2012 Report)

Boards of Energy/Utility Companies

• 71% rarely or never review privacy and security budgets
• 79% rarely or never review roles and responsibilities
• 64% rarely or never review top-level policies
• 57% rarely or never review security program assessments

Boards of Financial Sector Companies

• 42% rarely or never review annual privacy/security budgets
• 39% rarely or never review roles and responsibilities
• 56% do not actively address computer/information security
• 52% do not review cyber insurance

2012 Data Breaches by Business Category

AIG Survey – February 2013

• Major finding: the majority of corporate executives surveyed (258) were more concerned about cyber threats than about other major business risks
  – 85% very or somewhat concerned about cyber risk to their organization
  – Other responses:
    • Loss of income – 82%
    • Property damage – 80%
    • Securities and investment risk – 76%

AIG Survey – February 2013 (cont'd)

• More than 2 out of 3 (69%) executives and brokers believe that the reputational risk from a cyber attack is far greater to a company than the financial risk.
• More than 7 in 10 (75%) executives and brokers say legal compliance issues are making companies think more about cyber risks.
• The vast majority of brokers and executives (82%) believe hackers are the primary source of cyber threats, though a significant portion of those surveyed (71%) also perceive human error as a significant component of cyber risk.

Litigation Exposure

Patco Construction Co. v. People's United Bank (d/b/a Ocean Bank)
Customer whose bank funds were stolen by hackers alleged that the bank did not do enough to prevent the hack

PlainsCapital Bank v. Hillary Machinery, Inc.
Bank sued to avoid refunding customer funds taken from the customer's account by Romanian hackers using valid credentials

Data breach litigation following cyber attacks
Class action lawsuits arise after nearly every major breach

Litigation Exposure (cont'd)

Failure to safeguard could expose boards to shareholder suits alleging negligence or breach of fiduciary duty
• Delaware Caremark decision: duty of care to safeguard digital assets
• Shareholder actions resulting from failure of adequate disclosure
  – SEC Cybersecurity Guidance

SEC Cybersecurity Guidance

• Division of Corporation Finance guidance (CF Disclosure Guidance: Topic No. 2) issued October 13, 2011
• Cyber attacks:
  – Target theft of financial assets, intellectual property, other sensitive information
  – Customer or business partner data could be implicated
  – Objectives could include disrupting business operations
• Disclosure required if cyber-risks "are among the most significant factors that make an investment in the company speculative or risky"
  – Consider frequency of prior incidents and probability and potential harm of future incidents
  – "Specify how each risk affects the registrant"

SEC Guidance on Cybersecurity Disclosures

• At least 21 Dow 30 companies discussed cybersecurity or data breaches in their 2011 Form 10-K risk factor disclosures.

• Many were also drawing comments from the SEC and were required to add information or otherwise revise disclosures

SEC Cyber-Comment Letters

• In 2012, following the hack of Amazon's Zappos servers, the SEC asked Amazon to "expand [cybersecurity] risk factor to disclose that you have experienced cyber-attacks and breaches" and "to describe [risks of] third-party technology and systems."
  – The SEC disagreed with Amazon's view that the hack was not significant enough to be covered by the SEC Cybersecurity Guidance
• Google, AIG, Hartford Financial Services Group, Eastman Chemical and Quest Diagnostics were also asked by the SEC in 2012 to expand cybersecurity disclosures.

• What if your company did no risk assessment, made no disclosure and then experienced a material breach? Problem – it's no longer "if", but "when"

US Government Perspective on Cybersecurity

The "cyber threat is one of the most serious economic and national security challenges we face as a nation … America's economic prosperity in the 21st century will depend on cybersecurity." (President Obama)

"[The] Government Accountability Office has reported that over the last five years, cyber-attacks against the United States are up 650 percent. The threat is real." (Sen. John McCain, Feb. 16, 2012)

Cyber-attacks against Google (attributed to China) were a "wake-up call" about the vulnerabilities that could cripple the U.S. economy. (Dennis Blair, former Director of National Intelligence)

Congress on Cybersecurity

• Numerous bills proposed in the last Congress; none passed
• Minimal consensus that critical infrastructure must be protected
  – Utilities, electrical grid, telecommunications, financial services, defense contractors
  – Facilitate information sharing
• Sen. Rockefeller issued "cybersecurity" letter to CEOs of the Fortune 500 (Sept. 2012)
• House passed the controversial Cyber Intelligence Sharing and Protection Act (CISPA) in April – unlikely to get to a vote in the Senate

Executive Order on Cybersecurity

• Legislative efforts have failed
  – White House drafted Executive Order in late September 2012
• "Improving Critical Infrastructure Cybersecurity" (Executive Order 13636) – signed by President Obama on February 12, 2013
• Purpose stated in Section 1 (Policy):

"Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."

Executive Order – What is Critical Infrastructure?

• Defined broadly and generally
• Secretary of Homeland Security will identify the critical infrastructure at greatest risk
  – Communications, Manufacturing, Energy, Food and Agriculture, Financial, Healthcare, Transportation, Shipping
  – Critical Infrastructure Partnership Advisory Council
  – National Institute of Standards and Technology (NIST) directed to create a Cybersecurity Framework

High Profile Data Breaches 2012-2013

Date – Company – Details of Breach

May 2013 – LivingSocial – No details of the breach, but the company reset passwords of 50 million users
March 2013 – South Korean banks and media companies – Cyber attack causes computers to crash at South Korean banks and media companies, paralyzing bank machines across the country
June 2012 – LinkedIn – Reportedly targeted in a hacker attack; 6.5 million password hashes posted to the Internet
March 2012 – Global Payments – Credit card processor confirms hacker attack compromised approx. 1.5 million credit cards
January 2012 – Zappos – Shoe retailer announced that names, addresses and passwords of 24 million customers were illegally accessed
January 2012 – NY State Electric + Gas – Security breach allowed unauthorized access to customer data, including SSNs and bank account numbers, exposing 1.8 million records

Enhance Board/CEO Attention

• Review and refine information governance structure
  – Assign distinct board committee responsibility for cybersecurity, data protection and information privacy; establish expectations for management; require ongoing reporting regarding information risks and controls; review top-level policies
  – Assign C-level management responsibility, accountability and reporting obligations; provide adequate budget and operational resources; authorize involvement in industry/government information sharing
  – Consider appointing a CISO (chief information security officer) and a CPO (chief privacy officer)
  – Develop and approve appropriate cybersecurity protocols and safeguards; increase internal awareness

Cybersecurity and Insurance

• Limited coverage may be available under traditional policies
• Specialized cyber coverage available as a stand-alone policy
  – First and third party coverage available
• Types of coverage include:
  – Loss/corruption of data
  – Business interruption
  – Cyber extortion
  – Crisis management

Enhance Board/CEO Attention (cont'd)

• Develop cybersecurity and data protection risk assessment
  – Understand system and network vulnerabilities; plan for possible "persistent" threats
  – Understand exposure of essential or valuable information and communication assets
  – Understand exposure to third parties and service providers
• Evaluate cyber insurance coverage
• Monitor legislative, policy, industry, contractual, etc. developments and expectations
  – Address legal compliance and reporting responsibilities
  – Consider SEC issues
• Engage IT and audit experts; report on testing of systems

Cybersecurity and Insurance (cont'd)

• Types of coverage include:
  – Identity theft
  – Social media/networking
  – Liability
    • Breach of privacy due to theft of data
    • Transmission of a computer virus or other liability resulting from a computer attack which causes financial loss to third parties
    • Failure of security which causes network systems to be unavailable to third parties
    • Allegations of copyright infringement or trademark or other "media" activities online

Data Breach Insurance

• Can I buy insurance for that? YES!

• Coverage varies, but the typical available coverages are:
  – Third party computer forensics services to determine the scope of a failure of network security
  – Complying with privacy regulations
  – Notifying individuals whose personal information has been disclosed
  – Retaining a public relations firm, crisis management firm or law firm for advertising or related communications
  – Retaining a law firm to determine any indemnification rights against an independent contractor
  – Credit monitoring services

D&O Insurance and Privacy

• Almost all D&O insurance policies have a "privacy" exclusion
  – Buried in the Bodily Injury/Property Damage exclusion
• Most D&O insurance policies also have a Professional Services Exclusion
  – Large gap in coverage
• Coverage can possibly be modified – but not easily
  – Takes more than just a simple endorsement

D&O Insurance and D&O Cyber Insurance

• There are separate D&O Cyber Insurance policies that companies can purchase to protect the Board
  – A number of carriers offer a broad range of different products
• These policies are new and untested – buyer beware!
• Many of the terms and conditions can be less favorable than the existing D&O policy
  – In order to fill gaps, this must be done carefully

10 Steps Toward More Effective Cyber Threat Risk Governance

1. Stay informed about cyber threats and their potential impact on your organization.
2. Recognize that intelligence about cyber threats is as valuable as traditional business intelligence.
3. Hold a C-level executive accountable for cyber threat risk management.
4. Provide sufficient resources for the organization's cyber threat risk management efforts.
5. Require management to make regular (e.g. quarterly) substantive reports on the organization's top cyber threat risk management priorities.
6. Expect executives to establish continuous monitoring methods that can help the organization predict and prevent cyber threat related issues.
7. Require internal audit to evaluate cyber threat risk management effectiveness as part of its quarterly reviews.
8. Expect executives to track and report metrics that quantify the business impact of cyber threat risk management efforts.
9. Monitor current and potential future cybersecurity-related legislation and regulation.
10. Recognize that effective cyber threat risk management can give your company more confidence to take certain "rewarded" risks (e.g. adopting cloud computing) to pursue new value.

About Mintz Levin

• Full-service, multi-disciplinary law firm
• 450 attorneys and senior professionals
• Offices across the country, and in the UK:
  – Boston
  – New York
  – Washington, DC
  – Stamford
  – Los Angeles
  – San Diego
  – San Francisco
  – London
• Liaison office in Israel
• International network of contacts
• Government relations, public policy and real estate project development consulting affiliate – ML Strategies

Cynthia J. Larose
Member
Boston 617.348.1732
[email protected]

JD, Boston University
MS, Boston University
BA, University of Massachusetts

• Chair of the firm's Privacy & Security Practice and a Certified Information Privacy Professional (CIPP)
• Represents companies in information, communications, and technology, including e-commerce and other electronic transactions
• Extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions
• Conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy "best practices" across all levels of the enterprise
• Frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies

Questions?

[email protected]

All information contained herein is proprietary to Mintz Levin and considered confidential. This document presents general information about Mintz Levin and is not intended as legal advice, and it should not be considered or relied upon as such.