Dallas Bar Association Securities Section Meeting Are You Prepared for Anonymous? Securities Lawyers Need to Address Cybersecurity Risk Byron Egan, Steve Jacobs and Stephanie Chandler Jackson Walker L.L.P. March 26, 2012

Speakers
Byron Egan, Partner – Chair Elect of the Texas Business Law Foundation; former Chair of the Business Law Section of the State Bar of Texas
Steve Jacobs, Partner – Head of Corporate & Securities Section, San Antonio Office; Co-Chair of Cybersecurity Practice
Stephanie Chandler, Partner – Corporate & Securities Section; Chair of Technology Practice Group; Co-Chair of Cybersecurity Practice

"Securing cyberspace is one of the most important and urgent challenges of our time." ~Senator Jay Rockefeller, Chairman of the Senate Commerce, Science and Transportation Committee

The Problem
Attacks are now systemic
Directors and Officers have a fiduciary duty to protect assets

Carnegie Mellon – CyLab 2012 Report
Surveyed the Forbes Global 2000
Boards and senior management are still not exercising proper governance

Carnegie Mellon – CyLab 2012 Report
Boards & management pay attention to enterprise risk management (92%)
Disconnect: Boards & management still do not make privacy, security and IT part of risk management

How Does It Happen?
Targeted Attack – Anonymous gets angry; competitor hack
Intentional Employee Theft – i.e. data sent offsite
Equipment Theft – i.e. laptops or mobile devices stolen from a vehicle
Employee Error – i.e. e-mails oops

What is the Nature of Risk?
Class Actions/Consumer Litigation
State Law
Breach of Contract Claims Resulting from Privacy Policy
Bank/Credit Card Company Breach of Contract (i.e. requirements to maintain PCI DSS compliance)
Governmental Authorities (AGs & FTC)
Chargebacks (Credit Card Data)
Public Relations Harm
State/Federal/International Law Notice Requirements

What Do The State Laws Require?
Notification Obligations
  – Notification to Customer
  – Notification to Consumer Reporting Agencies
  – Notification to Applicable Local or Statewide Media
  – Potential Exception: Adopt Company Notification Policy
Penalties/Fines
Duty to Properly Destroy
Optional: Provide Credit Monitoring Services to Breach Victims
Note: Potential Waiver by Contract

The SEC
Letter to Chairman Schapiro
Responded in June ’11
Guidance issued in October ’11

SEC Guidance
Risk factors (see Appendix)
  – Description of outsourced functions that have material cybersecurity risks;
  – Description of cyber incidents experienced by the registrant that are material, including a description of the costs and consequences; and
  – Description of relevant insurance coverage for cyber incidents.
MD&A – Cost
Business – If there has been an incident
Legal Proceedings
Financial Statements

What Should Corporate Boards Do?
CTO/Chief Security Officer – Direct Report (or report to Audit or Risk Committees)
Disclosure Committees
Risk Oversight – "disclosure about the board's involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company."

What Should Corporate Boards Do?
Insurance Policies
  – Prior to the Breach – Hack Insurance/Cybersecurity Insurance
  – After the Breach – CSIdentity, Debix, Experian Credit Bureau
Financial Reports (SSAE 16)
Non-Financial Reporting (AT 101)
Security Audits
  – Document Retention Policies
  – SAS 70, now SOC
    SOC 1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
    SOC 2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
    SOC 3 – Trust Services Report

FIDUCIARY DUTIES

Questions
Contact: Byron Egan, Steve Jacobs, Stephanie Chandler

Appendix
Sample Risk Factor
Security breaches and other disruptions could compromise our information and expose us to liability, which would cause our business and reputation to suffer. [In the ordinary course of our business, we/We] [collect and] store sensitive data, including intellectual property, our proprietary business information and that of our customers, [suppliers and business partners,] and personally identifiable information of our [customers and] employees, in our data centers and on our networks. The secure [processing,] maintenance [and transmission] of this information is critical to our operations [and business strategy]. Despite our security measures, our information technology and infrastructure may be vulnerable to attacks by hackers or breached due to employee error, malfeasance or other disruptions. Any such breach could compromise our networks and the information stored there could be accessed, publicly disclosed, lost or stolen. Any such access, disclosure or other loss of information could result in legal claims or proceedings, [liability under laws that protect the privacy of personal information,] [and regulatory penalties,] [disrupt our operations [and the services we provide to customers],] [and] damage our reputation, [and cause a loss of confidence in our products and services], which could adversely affect our [business/operating margins, revenues and competitive position].
Source: PLC Securities

Examples of Risk Factors
Google Inc. Annual Report on Form 10-K for the fiscal year ended December 31, 2011
Citigroup Inc. Annual Report on Form 10-K for the fiscal year ended December 31, 2011
Lockheed Martin Corporation Annual Report on Form 10-K for the fiscal year ended December 31, 2011
EMC Corporation Annual Report on Form 10-K for the fiscal year ended December 31, 2011
The Coca-Cola Company Annual Report on Form 10-K for the fiscal year ended December 31, 2011
Electronic Arts Inc. Quarterly Report on Form 10-Q for the period ended December 31, 2011
ATA Inc. Annual Report on Form 20-F for the fiscal year ended March 31, 2011
CoreLogic, Inc. Annual Report on Form 10-K for the fiscal year ended December 31, 2011
Alliance Data Systems Corporation Annual Report on Form 10-K for the fiscal year ended December 31, 2011

Sample Risk Factor
[ADDITIONAL RISK FACTOR DISCLOSURE FOR COMPANIES THAT HAVE EXPERIENCED A SECURITY BREACH]
[In [DATE] [[our computer network/our website] suffered [cyber attacks/unauthorized intrusions] in which [customer data/proprietary business information] was accessed [and stolen]/[DESCRIBE SPECIFICS OF CYBER ATTACK OR OTHER BREACH]]. Following the[se] attack[s], we have taken [additional] steps designed to improve the security of our networks and computer systems. Despite these defensive measures, there can be no assurance that we have adequately protected our information or that we will not experience future violations.]
Source: PLC Securities

Examples of Risk Factors
Examples of descriptions of previous attacks or breaches:
  – Sony Corporation Annual Report on Form 20-F for the fiscal year ended March 30, 2011
  – The TJX Companies, Inc. Annual Report on Form 10-K for the fiscal year ended January 29, 2011
  – The NASDAQ OMX Group, Inc. Annual Report on Form 10-K for the fiscal year ended December 31, 2011

Examples of Risk Factors
Consider describing your preventative actions. Examples:
  – Microsoft Corporation's Quarterly Report on Form 10-Q for the period ended December 31, 2011
  – Adobe Systems Incorporated Annual Report on Form 10-K for the fiscal year ended December 2, 2011