Hot Topics in the Financial Industry: Cybersecurity


Hot Topics in the Financial Industry: Cybersecurity
PANELISTS:
- Douglas W. Henkin, Partner, BakerBotts L.L.P.
- Maneesha Mithal, Associate Director, U.S. Federal Trade Commission, Division of Privacy and Identity Protection
- David M. Ross, Assistant General Counsel, MetLife

Cybersecurity Background
Cybersecurity is the ability to maintain controls over information technology systems so that there is (i) no unintended access to or interference with those systems and (ii) no unintended exfiltration of data from those systems.

Significance and Types of Cybersecurity Issues
Hacking and data breaches are increasing, as are the methods hackers use — always assume someone smarter than you is attacking or trying to attack your systems.
- Intentional malfeasance
- Cyberwarfare (i.e., kinetic attacks)
- Criminal activity (theft of data or IP, ransomware)
- Fun (joyriding kids who learn hacking from the Internet)
- Accidents
- Rogue employees/ex-employees

What Data Is at Risk?
- Customer information (i.e., account-related information)
- Employee information
- Vendor information
- Intellectual property
- Other confidential information

What Systems Are at Risk?
- Customer-facing systems
- HR systems
- Third-party provided systems
- Finance systems
- Large-scale process control/industrial systems

State of the Law: US Federal Law
- Existing statutes (HIPAA, G-L-B, FTC Act)
- Executive Order (February 9, 2016) establishing the Commission on Enhancing National Cybersecurity within the Department of Commerce to “make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices …”

State of the Law: US State Law (mostly focuses on PII and breach notification)
- State privacy laws and insurance laws
- Contract law
- Case law
- Self-regulatory approaches (e.g., Payment Card Industry)

State of the Law: Rest of the World
- EU model — focuses on data transfer restrictions
- Changing EU model: Privacy Shield; new Data Protection Regulation (GDPR); new cyber statute
- Other rest-of-world concerns (e.g., how to integrate systems that need to communicate across jurisdictions)

MINIMIZING RISK — BEST PRACTICES: Corporate Governance
- Have regular discussions of data privacy, integrity, and security at board meetings, led by the GC, CIO, CTO, or other responsible party.
- If you don’t already, consider having a Chief Information Security Officer, whose only job is to address these sorts of issues and make sure the company is doing as much as it possibly can to avoid breaches.
- Consider delegating responsibility for these issues to a board committee as well.
- Periodically test the company’s systems and standards, pay attention to what the tests reveal, and document what’s done to fix any identified issues (or why they don’t need to be fixed). At least some of the testing should be done by outside entities that specialize in penetration testing.
- Establish a team, with counsel involved, to function as a response team to investigate and respond to any incursion or breach.

IT Security Policies and Procedures
- Frameworks (NIST, COBIT, etc.)
- Training and evaluation policies (including, when necessary, restricting access for employees who don’t complete training or learn what’s taught)
- Travel policies (e.g., restrictions on what devices can be taken to certain countries and how devices can be used when the traveler returns)
- Risk-based and technology-based approaches compared

Information Sharing
Government/Private Sector:
- February 2016 Executive Order establishing the cybersecurity commission
- InfraGard (www.infragard.org)
- DHS
Private Sector/Private Sector:
- Industry-specific information sharing and analysis groups (e.g., FS-ISAC — www.fsisac.com)

Playbook
Create the Program:
- Create governance structure
- Identify assets to be protected
- Conduct risk assessment
- Identify and select controls
- Test and implement controls
- Use technology to enhance controls, where appropriate
- Implement incident response program
- Build Business Continuity/Disaster Recovery (BC/DR) program
- Integrate physical security
- Create metrics to measure program effectiveness
Train and Test:
- Training and awareness
- Require contractors and vendors to implement adequate security
- Periodically test incident response and BC/DR
- Periodically test controls
- Periodically review the ESP and make necessary adjustments
- Use metrics to measure effectiveness
Actively Monitor:
- Actively monitor and adapt security controls and practices
- Use metrics to measure effectiveness

Exercises
Testing your systems and training must be consistent and documented.
- Tabletop exercises
- System and employee testing
- Reporting and follow-up to address issues

Contracts
Scrub your most important contracts:
- Do your agreements with your customers have strong and enforceable venue, choice of law, and limitation of liability provisions?
- Do your agreements with your business counterparties contain the best indemnification and allocation of risks and responsibilities?
- Do they establish best practices as between you and your counterparties?
- Do you audit your vendors’ and counterparties’ compliance with your contracts and best practices, and document those audits?
For example, a breach at one of your vendors could enable a hacker to get information needed to attack your systems, or even to attack your systems through that vendor’s systems.

Insurance
- Consider discussing with your company’s insurance broker and counsel whether your existing insurance (including commercial crime policies) covers cyber risks — don’t assume a CGL policy covers cyber risks.
- Cyber-specific coverage is available — more than 50 underwriters in the US and London insure risks like these, and it’s important to have a broker who understands the markets and what is available.
- This type of insurance can be written to cover not only third-party liability claims, but also first-party losses (such as business interruption and extortion threats) as well as the often large (and unanticipated) crisis management fees and expenses.
- All else being equal, the more you follow best practices, the less cyber-specific insurance will cost.

Questions?