Cybersecurity Risk: It's Not Just for IT Anymore
or, What You Don't Know Could Hurt You
Cynthia J. Larose, Esq., CIPP
May 14, 2013
Corporate Data at Risk
Analyzing the Threat Landscape
Threat actors: nation states, criminals, insiders, hacktivists, terrorists
Threat vectors: cyber/technical, insiders, physical
The target: your company
– R&D and IP
– Business data
– Personally Identifiable Information
– Sabotage
What's at Stake?
– Valuable IP assets, proprietary information, business, transaction and negotiating records, financial data, electronic funds, business functionality and continuity
– Account information, personal information, access to accounts
– Disruption of business; denial of service; business extortion; debilitating impact on essential services
– Supply chain management
– SCADA (supervisory control and data acquisition): systems that monitor and control industrial, infrastructure or facility-based processes
Data Security: On the Corporate Radar?
2013 FTI Consulting/Corporate Board Member Survey:
– Data security and IT risk is one of the most significant legal issues in 2013 for the over 550 Directors and General Counsel surveyed
  – The percentage of Directors and GCs concerned about data security has doubled since 2008
– Trend continued from 2012 Survey
– The median annualized cost of a cyber-crime per company averaged $8.9 million
  – Denial of service, malicious insider and external attacks all up
– The survey noted participants' opinion that cyber risks are invisible, ever-changing, pervasive and costly
FTI Consulting Survey By the Numbers
– Directors and GCs both identify data security as the number 2 issue that keeps them up at night – close on the heels of succession/leadership transitions, but of much greater concern than operational effectiveness or M&A transactions
– Cyber risk cited by both directors and GCs as an issue on which the board will be spending considerable time this year
– Only a third of GCs felt "very confident" in their company's ability to respond to a breach
– Less than a quarter of directors agreed…
Corporate Practices on Cybersecurity: Report Suggests Lack of Board Involvement (Governance of Enterprise Security: CyLab 2012 Report)
Boards of Energy/Utility Companies
– 71% rarely or never review privacy and security budgets
– 79% rarely or never review roles and responsibilities
– 64% rarely or never review top-level policies
– 57% rarely or never review security program assessments
Boards of Financial Sector Companies
– 42% rarely or never review annual privacy/security budgets
– 39% rarely or never review roles and responsibilities
– 56% do not actively address computer/information security
– 52% do not review cyber insurance
2012 Data Breaches by Business Category
AIG Survey – February 2013
Major finding: the majority of corporate executives surveyed (258) were more concerned about cyber threats than about other major business risks
– 85% very or somewhat concerned about cyber risk to their organization
– Other responses:
  – Loss of income – 82%
  – Property damage – 80%
  – Securities and investment risk – 76%
AIG Survey – February 2013 (cont'd)
– More than 2 out of 3 (69%) executives and brokers believe that the reputational risk from a cyber attack is far greater to a company than the financial risk.
– More than 7 in 10 (75%) executives and brokers say legal compliance issues are making companies think more about cyber risks.
– The vast majority of brokers and executives (82%) believe hackers are the primary source of cyber threats, though a significant portion of those surveyed (71%) also perceive human error as a significant component of cyber risk.
Litigation Exposure
Customer whose bank funds were stolen by hackers alleged that the bank did not do enough to prevent the hack
– Patco Construction Co. v. People's Ocean Bank
Bank sued to avoid refunding customers' funds taken from their account by Romanian hackers with valid credentials
– PlainsCapital Bank v. Hillary Machinery, Inc.
Data breach litigation following cyber attacks
– Class action lawsuits arise after nearly every major breach
Litigation Exposure (cont'd)
Failure to safeguard could expose boards to shareholder suits alleging negligence or breach of fiduciary duty
– Delaware Caremark decision: duty of care to safeguard digital assets
Shareholder actions resulting from failure of adequate disclosure
– SEC Cybersecurity Guidance
SEC Cybersecurity Guidance
Corporation Finance guidance issued October 13, 2011
Cyber attacks:
– Target theft of financial assets, intellectual property, other sensitive information
– Customer or business partner data could be implicated
– Objectives could include disrupting business obligations
Disclosure if cyber-risks "are among the most significant factors that make an investment in the company speculative or risky"
– Consider frequency of prior incidents and probability and potential harm of future incidents
– "Specify how each risk affects the registrant"
SEC Guidance on Cybersecurity Disclosures
At least 21 Dow 30 companies discussed cybersecurity or data breaches in their 2011 Form 10-K risk factor disclosures.
Many were also drawing comments from the SEC and were required to add information or otherwise revise disclosures.
SEC Cyber-Comment Letters
In 2012, following the hack of Amazon's Zappos servers, the SEC asked Amazon to "expand [cybersecurity] risk factor to disclose that you have experienced cyber-attacks and breaches" and "to describe [risks of] third-party technology and systems."
– The SEC had disagreed with Amazon's view that the hack was not significant enough to be covered by the SEC Cybersecurity Guidance
Google, AIG, Hartford Financial Services Group, Eastman Chemical and Quest Diagnostics were also asked by the SEC in 2012 to expand cybersecurity disclosures.
What if your company did no risk assessment, made no disclosure and then experienced a material breach?
Problem – it's no longer "if", but "when"
US Government Perspective on Cybersecurity
– The "cyber threat is one of the most serious economic and national security challenges we face as a nation… America's economic prosperity in the 21st century will depend on cybersecurity." (President Obama)
– Cyber-attacks against Google (attributed to China) a "wake-up call" about the vulnerabilities that could cripple the U.S. economy. (Dennis Blair, former Director of National Intelligence)
– "[The] Government Accountability Office has reported that over the last five years, cyber-attacks against the United States are up 650 percent. The threat is real." (Sen. John McCain, Feb. 16, 2012)
Congress on Cybersecurity
Numerous bills proposed in last Congress; none passed
Minimal consensus that critical infrastructure must be protected
– Utilities, electrical grid, telecommunications, financial services, defense contractors
– Facilitate information sharing
Sen. Rockefeller issued "cybersecurity" letter to CEOs of Fortune 500 (Sept. 2012)
House passed the controversial Cyber Intelligence Sharing and Protection Act (CISPA) in April – unlikely to get to a vote in the Senate
Executive Order on Cybersecurity
Legislative efforts have failed – White House drafted Executive Order in late September 2012
Improving Critical Infrastructure Cybersecurity – signed by President Obama on February 12, 2013
Purpose stated in Section 12: "Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."
Executive Order – What is Critical Infrastructure?
Defined broadly and generally
Secretary of Homeland Security will identify key threats
– Communications, Manufacturing, Energy, Food and Agriculture, Financial, Healthcare, Transportation, Shipping
– Critical Infrastructure Partnership Advisory Council
– National Institute of Standards and Technology (NIST) directed to create a Cybersecurity Framework
High Profile Data Breaches

Date           Company                                   Details of Breach
May 2013       LivingSocial                              No details of breach, but company reset passwords of 50 million users
March 2013     South Korean banks and media companies    Cyber attack causes computers to crash at South Korean banks and media companies, paralyzing bank machines across the country
July 2012      LinkedIn                                  Reportedly targeted in hacker attack and 6.5 million passwords posted to Internet
March 2012     Global Payments                           Credit card processor confirms hacker attack compromised approx. 1.5 million credit cards
January 2012   Zappos                                    Shoe retailer announced that names, addresses and passwords of 24 million customers illegally accessed
January 2012   NY State Electric + Gas                   Security breach allowed unauthorized access to customer data, including SSN and bank account numbers, exposing 1.8 million records
Enhance Board/CEO Attention
Review and refine information governance structure
– Assign distinct board committee responsibility for cybersecurity, data protection and information privacy; establish expectations for management; require ongoing reporting regarding information risks and controls; review top-level policies
– Assign C-level management responsibility, accountability and reporting obligations; provide adequate budget and operational resources; authorize involvement in industry/government information sharing
– Consider appointing CISO (chief information security officer) and CPO (chief privacy officer)
– Develop and approve appropriate cybersecurity protocols and safeguards; increase internal awareness
Enhance Board/CEO Attention (cont'd)
Develop cybersecurity and data protection risk assessment
– Understand system and network vulnerabilities; plan for possible "persistent" threats
– Understand exposure of essential or valuable information and communication assets
– Understand exposure to third parties and service providers
Evaluate cyber insurance coverage
Monitor legislative, policy, industry, contractual, etc. developments and expectations
– Address legal compliance and reporting responsibilities
– Consider SEC issues
Engage IT and audit experts; report on testing of systems
Cybersecurity and Insurance
Limited coverage under traditional policies may be available
Specialized cyber coverage available as a stand-alone policy
– First and third party coverage available
Types of coverage include:
– Loss/corruption of data
– Business interruption
– Cyber extortion
– Crisis management
Cybersecurity and Insurance (cont'd)
Types of coverage include:
– Identity theft
– Social media/networking
– Liability
  – Breach of privacy due to theft of data
  – Transmission of computer virus or other liability resulting from a computer attack which causes financial loss to third parties
  – Failure of security which causes network systems to be unavailable to third parties
  – Allegations of copyright infringement or trademark or other "media" activities online
Data Breach Insurance
Can I buy insurance for that? YES!
Coverage varies, but the typical available coverages are:
– Third Party Computer Forensics Services to determine the scope of a failure of Network Security
– Complying with Privacy Regulations
– Notifying individuals whose Personal Information has been disclosed
– Retaining a public relations firm, crisis management firm or law firm for advertising or related communications
– Retaining a law firm to determine any indemnification rights with an independent contractor
– Credit monitoring services
D&O Insurance and Privacy
Almost all D&O insurance policies have a "privacy" exclusion
– Buried in the Bodily Injury/Property Damage exclusion
Most D&O insurance policies also have a Professional Services Exclusion
– Large gap in coverage
Coverage can possibly be modified – but not easily
– Takes more than just a simple endorsement
D&O Insurance and D&O Cyber Insurance
There are separate D&O cyber insurance policies that companies can purchase to protect the Board
– A number of carriers offer a broad range of different products
These policies are new and untested
– Buyer beware!
Many of the terms and conditions can be less favorable than the existing D&O policy
– In order to fill gaps, must be done carefully
10 Steps Toward More Effective Cyber Threat Risk Governance
1. Stay informed about cyber threats and their potential impact on your organization.
2. Recognize that intelligence about cyber threats is as valuable as traditional business intelligence.
3. Hold a C-level executive accountable for cyber threat risk management.
4. Provide sufficient resources for the organization's cyber threat risk management efforts.
5. Require management to make regular (e.g. quarterly) substantive reports on the organization's top cyber threat risk management priorities.
6. Expect executives to establish continuous monitoring methods that can help the organization predict and prevent cyber threat related issues.
7. Require internal audit to evaluate cyber threat risk management effectiveness as part of its quarterly reviews.
8. Expect executives to track and report metrics that quantify the business impact of cyber threat risk management efforts.
9. Monitor current and potential future cybersecurity-related legislation and regulation.
10. Recognize that effective cyber threat risk management can give your company more confidence to take certain "rewarded" risks (e.g. adopting cloud computing) to pursue new value.
About Mintz Levin
Full-service, multi-disciplinary law firm
450 attorneys and senior professionals
Offices across the country, and in the UK:
– Boston
– New York
– Washington, DC
– Stamford
– Los Angeles
– San Diego
– San Francisco
– London
Liaison office in Israel
International network of contacts
Government relations, public policy and real estate project development consulting affiliate – ML Strategies
Cynthia J. Larose
Member, Boston
JD, Boston University; MS, Boston University; BA, University of Massachusetts
– Chair of the firm's Privacy & Security Practice and a Certified Information Privacy Professional (CIPP)
– Represents companies in information, communications, and technology, including e-commerce and other electronic transactions
– Extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions
– Conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy "best practices" across all levels of the enterprise
– Frequent speaker on privacy issues at conferences and media appearances; presents privacy awareness and compliance training seminars to client companies
Questions?
All information contained herein is proprietary to Mintz Levin and considered confidential. This document presents general information about Mintz Levin and is not intended as legal advice, and it should not be considered or relied upon as such.