Presentation is loading. Please wait.

Presentation is loading. Please wait.

Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo.

Published byLaurel Johnson Modified over 8 years ago

Similar presentations

Presentation on theme: "Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo."— Presentation transcript:

1 Legal Jeopardy: Whose Risk Is It?

2 SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo Executive Vice President, Global Customer Service and Chief Privacy Officer at Monster Worldwide Michael C. Miller Executive Vice President, General Counsel and Secretary at Monster Worldwide 2

3 If You Think Cybersecurity Risk Is Not a Significant Issue for Your Company… THINK AGAIN. 3

4 What industries had the most confirmed, publicly disclosed breaches in 2014? – Public agencies (303) – Financial services (277) – Manufacturing (235) – Accommodation (223) – Retail (164) – Professional Organization (146) – Healthcare (141) 4

5 What are the security improvement priorities of companies that have experienced a breach? 1.Endpoint Security 2.Employee training 3.Expanded use of encryption 4.Adding manual procedures and security controls 5.Implementing Data Loss Prevention solution 5

6 OGC Must Play a Key Role in Managing Cyber Risk, from Risk Assessment through Incident Response 6

7 Name the top reasons that the general counsel's office must be involved in managing cyber risk? – To identify key business risks relating to specific types of sensitive data – PII, PHI, IP (including trade secrets) – To determine what constitutes a "defensible” security control – OGC has a deep understanding of how risk might be affected by an evolving business strategy – OGC has knowledge of third-party relationships and insider risks – To protect the ability to assert a/c privilege and work product protection over cyber risk management activities – To serve as the primary conduit between the incident response team and the executives/board 7

8 Name the top challenges with establishing OGC’s role in managing cyber risk? – Cyber security still largely viewed as “an IT problem” that should be managed by CIO/CISO – Legal slows down decision-making in an area that requires agility and rapid response – Lawyers lack the technical background to understand risk and mitigation options – Lawyers consulted only on compliance and regulatory issues rather than as advisor on business risk 8

9 What are the top factors that will reduce the cost of a breach? – Strong security posture – Incident Response Plan in place – Business Continuity Management involvement – Have a CISO 9

10 OGC’s Role in Educating the Executive Team and Board of Directors 10

11 What are the key questions counsel should seek to answer through a risk assessment? – What are the critical assets that are most important to protect? – What are the biggest threats to those assets? – What would the legal and business impact be if those assets were compromised? – What are the most effective ways to improve our risk posture? 11

12 What are the primary ways counsel can contribute to the risk assessment process? – Identifying critical data assets – Anticipating and defining regulatory and compliance obligations – Determining what constitutes a "defensible" security control – Understanding the broader threat environment – Deep understanding of how risk might be affected by an evolving business strategy 12

13 Name the best arguments for DEFEATING the assertion of privilege protection over a risk assessment. – Assessment not conducted "in anticipation of litigation" – Recommendations in risk assessment report are business advisory not legal advice – Legal may be involved but is not truly directing RA efforts 13

14 What are the biggest problems with having CISO report to CIO? – Conflict of interest between primary role of CIO (availability and integrity) and CISO (security) – Lack of focus on security in favor of responsibilities viewed as more "important" to the business – Lack of segregated and protected security budget may lead to shift of resources over course of year 14

15 What should be the board’s role in overseeing cyber risk management? – Must have an accurate and up to date view on the company’s cyber risk profile – Should understand how cybersecurity budget is allocated – Should understand the company’s incident response protocol and determine the point at which the board should be informed of an incident – Board should regularly assess the effectiveness of the company’s cyber risk governance structure 15

16 What are the top reasons that the GC should direct the IR process? – To help anticipate and manage potential legal/regulatory issues arising from an incident – To protect the ability to assert a/c privilege and work product protection over IR activities – To control internal and external communications in a risk-averse manner – To serve as the primary conduit between the IR team and the execs/board 16

17 What are the top reasons that the GC should NOT direct the IR process? – Too slow to make decisions – Don't understand the technical aspects of an incident – Not comfortable with the uncertainty and evolving understanding of the facts – Too quick to jump to conclusions 17

18 What do you fear most in the event of a breach? – Federal agencies (FTC, SEC, DOJ) – State Ags – PCI Council – Civil lawsuits – Reputation damage/customer churn 18

19 What should you do when you go back to your offices this week? 19

20 Conclusion Take your CIO/CISO to lunch and talk about the “defensibility” of your company’s cyber risk posture. Review your company’s incident response plan and make sure you are comfortable with counsel’s formal role in the process. Make sure you have ready-access to outside counsel and/or other experts who can help in the event of a cyber incident Check your insurance coverage Ask your executives and board if they are comfortable with the degree of visibility they have into cyber risk issues 20

Download ppt "Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo."

Similar presentations

Freshfields Bruckhaus Deringer LLP Global investigations What to advise your board Marius Berenbrok Edward Braham Matthew Herman Melissa Thomas 29 February.

Freshfields Bruckhaus Deringer LLP Global investigations What to advise your board Marius Berenbrok Edward Braham Matthew Herman Melissa Thomas 29 February.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
BNSF Ethics and Compliance Program Roger Nober Executive Vice President Law and Secretary July 13, 2011.

BNSF Ethics and Compliance Program Roger Nober Executive Vice President Law and Secretary July 13, 2011.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!
Risk Assessment Frameworks

Risk Assessment Frameworks
© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.

© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.
Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.

Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.
Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.

Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.
Corporate Ethics Compliance *

Corporate Ethics Compliance *
Building a Compliance Risk Monitoring Program HCCA Compliance Institute New OrleansApril 19, 2005 Lois Dehls Cornell, Esq. Assistant Vice President, Deputy.

Building a Compliance Risk Monitoring Program HCCA Compliance Institute New OrleansApril 19, 2005 Lois Dehls Cornell, Esq. Assistant Vice President, Deputy.
Competency Models Impact on Talent Management

Competency Models Impact on Talent Management
National Association of College and University Attorneys 1 November 11, 2009 NACUA Fall 2009 Workshop November 2009.

National Association of College and University Attorneys 1 November 11, 2009 NACUA Fall 2009 Workshop November 2009.
Information Technology Audit

Information Technology Audit
INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.

INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.
 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,
Risk Management Report to Audit Committee 26 September 2006 Lee Harris Assistant Chief Executive.

Risk Management Report to Audit Committee 26 September 2006 Lee Harris Assistant Chief Executive.
0 How To Pursue and Win the Complex Claim RIMS 2012 – Philadelphia, PA Wednesday, April 18, 2012 Ty Childress, Partner, Jones Day Los Angeles, CA

0 How To Pursue and Win the Complex Claim RIMS 2012 – Philadelphia, PA Wednesday, April 18, 2012 Ty Childress, Partner, Jones Day Los Angeles, CA
Managing the Privacy Function at a Large Company Kimberly S. Gray, Esq., CIPP Chief Privacy Officer Highmark Inc.

Managing the Privacy Function at a Large Company Kimberly S. Gray, Esq., CIPP Chief Privacy Officer Highmark Inc.

Similar presentations

Ads by Google