CYBER THREATS, ACTIVE DEFENSE, AND THE BUSINESS AND LEGAL IMPACTS. October 20, Robert Silvers

Transcription

1 CYBER THREATS, ACTIVE DEFENSE, AND THE BUSINESS AND LEGAL IMPACTS October 20, 2017 Robert Silvers Haiyan Tang

2 CYBERSECURITY THREAT LANDSCAPE

3 CYBERSECURITY THREAT LANDSCAPE 3 Variety of Players: Criminal Actors, Nation-States, and Insiders Criminal Actors. More of the same, but intensified Hacks of payment data Hacks of personal information Hacks of IP and trade secrets Business compromise Ransomware Content extortion Nation-States. A range of motivations Espionage Political aims: Sony Pictures Profit motive: WannaCry? Bank of Bangladesh? Critical infrastructure Hacktivists and Others Don t Forget the Insider Threat. Employees can cause grave harm, inadvertently or with intent.

4 SPRAWLING CONSEQUENCES

5 SPRAWLING CONSEQUENCES 5 Disruption of Operations Sony Pictures, Ransomware, etc. Disruption of Deal Flow Due diligence; Entanglement in regulatory processes (e.g. CFIUS in the U.S.) Painful financial consequences Theft of valuable data, or money; cost of recalls, forensic costs, and remediation Painful reputational consequences Litigation and Regulatory Enforcement

6 NEW RULES OF THE ROAD

7 NEW RULES OF THE ROAD 7 China s New Cybersecurity Law and Related Regulations Two Categories of Regulated Entities: General Network Operators and Critical Information Infrastructure Operators. Mandated Corporate Governance and Controls. General Network Operators must formulate internal security protocols and operating procedures, and adopt other technical measures. Critical Information Infrastructure Operators are additionally required to establish security management departments with lead personnel. Cybersecurity Review of Network Products and Services. Critical Information Infrastructure companies must undergo national security review in the purchase of certain network products and services under CAC guidelines. Pre-approved catalog for certain critical network equipment and cybersecurity products used in critical infrastructure.

8 NEW RULES OF THE ROAD 8 China s New Cybersecurity Law and Related Regulations (Cont.) Personal Information Protection. Requirements for the collection, use and protection of personal information. Data localization. Personal information and other important data collected and produced by Critical Information Infrastructure Operators during their operations in China must be stored in China. Cross-border data transfer restrictions. Applies to personal information and important data Security assessments requirement: self-assessment before transfer or regular assessment by government or industry authorities. Sector-specific regulations. Financial Services, Aviation, more to come. Cybersecurity standards development under TC260. Covering big data, encryption, etc.

9 NEW RULES OF THE ROAD 9 China s New Cybersecurity Law and Related Regulations (Cont.) Companies across the board need to: Understand data footprint and flows in China, and adapt accordingly. Map cyber and privacy controls against the law s requirements. Concerns around security reviews: Awaiting guidance and enforcement. Considerations around source code. How companies are responding: Impact on Joint Venture agreements. Aligning investment to new requirements. Particular impact on technology companies. Watching and waiting.

10 NEW RULES OF THE ROAD 10 U.S. Regulation Across Sectors Public Company Reporting Requirements Banks and Insurance Companies Private Equity and Investment Advisers Energy Sector Consumer-facing Products, Websites and Technologies The European Union General Data Protection Regulation (GDPR) Reach Applies to all personal data stored in the EU or controlled or processed anywhere by an entity in the EU (or any of their contractors and subcontractors anywhere in the world). Mandatory Breach Notifications Impacting Consumers, Critical Infrastructure and IT Infrastructure Extensive Privacy Protections Enforcement Risk Fines of up to 4% of global revenue.

11 NEW RULES OF THE ROAD 11 The European Union General Data Protection Regulation (GDPR) Effective Date May 2018 Reach Extended jurisdiction of the GDPR applies to all personal data stored/resident in the EU or controlled or processed anywhere by an entity in the EU (or any of their contractors and subcontractors anywhere in the world). Mandatory Breach Notifications Impacting Consumers. Mandatory Breach Notifications for Critical Infrastructure and IT Infrastructure Extensive Privacy Protections Enforcement Risk Fines of up to 4% of global revenue.

12 HOW TO TAKE ON THE CHALLENGE

13 HOW TO TAKE ON THE CHALLENGE 13 Be Active on Both Sides of the Breach Before the Breach Technical/Implementation Multi-factor Authentication Encryption Employee & Administrative Access Controls Layered Defense Strategies Governance Comprehensive Cybersecurity & Risk Assessments Corporate Policies & Procedures Third-Party Risk Management Regular Board Reporting Incident Response Planning & Exercises

14 HOW TO TAKE ON THE CHALLENGE 14 After the Breach Be Active on Both Sides of the Breach Practiced, Well-Oiled Incident Response IT Security, Legal/Compliance, Risk, PR, Customer Relations, HR Forensic Investigation Under Privilege Where Applicable Prompt Consideration of Required Notifications Regulatory & Contractual Consideration of Whether to Notify Law Enforcement Coordinated External Messaging All in the Fog of War Litigation Defense Regulatory Defense

15 RANSOMWARE

16 RANSOMWARE Key Response Efforts Assemble the Incident Response Team Include outside cybersecurity provider and law firm IT Security Effort Isolate impacted systems; assess scope; prepare to move to backup Determine Regulatory and Contractual Notice Obligations Assess Insurance Coverage and Notify Insurers External Messaging Considerations around Ransom Payments Understand the Risks & Weigh the Alternatives Legality of Paying Ransom Due Diligence around Perpetrator Consideration of Compliance Issues (e.g., Sanctions Compliance) Potential Notifications to Law Enforcement Preparedness Makes All of this Easier 16

17 INTERNET OF THINGS SECURITY

18 INTERNET OF THINGS SECURITY 18 Emerging Phenomenon and Landscape Convergence of Threats Massive Privacy and Security Risk Full Spectrum Risk: from Consumer Devices to Critical Infrastructure and Industrial Equipment October 2016 attack The Next Ransomware Wave? Expanding Set of Regulatory Expectations

19 INTERNET OF THINGS SECURITY 19 Emerging Best Practices Security by Design Security Updates and Vulnerability Management Prioritize Around Risk and Potential Impact Know Your Supply Chain What to Do? Operational and legal risk assessments around IoT Conduct IoT risk assessment Map product development guidelines and policies to best practices and regulatory expectations

20 THE AMERICAS ASIA EUROPE 20 Atlanta Chicago Houston Los Angeles New York Orange County Palo Alto San Diego San Francisco São Paulo Washington, D.C. Beijing Hong Kong Seoul Shanghai Tokyo Brussels Frankfurt London Milan Paris 21 Offices ACROSS THE AMERICAS, ASIA AND EUROPE 1 Legal Team TO INTEGRATE WITH THE STRATEGIC GOALS OF YOUR BUSINESS

21 OUR OFFICES 21 THE AMERICAS ASIA EUROPE Atlanta 1170 Peachtree Street, N.E. Suite 100 Atlanta, GA t: f: Chicago 71 S. Wacker Drive Forty-fifth Floor Chicago, IL t: f: Houston 600 Travis Street Fifty-Eighth Floor Houston, TX t: f: Los Angeles 515 South Flower Street Twenty-Fifth Floor Los Angeles, CA t: f: New York 200 Park Avenue New York, NY t: f: Orange County 695 Town Center Drive Seventeenth Floor Costa Mesa, CA t: f: Palo Alto 1117 S. California Avenue Palo Alto, CA t: f: San Diego 4747 Executive Drive Twelfth Floor San Diego, CA t: f: San Francisco 55 Second Street Twenty-Fourth Floor San Francisco, CA t: f: São Paulo Rua Funchal, 418 Conj 3401 C Vila Olímpia São Paulo - SP Brazil Washington, D.C th Street, N.W. Washington, D.C t: f: Beijing 19/F Yintai Center Office Tower 2 Jianguomenwai Avenue Chaoyang District Beijing , PRC t: f: Hong Kong 21-22/F Bank of China Tower 1 Garden Road Central Hong Kong t: f: Seoul 33/F West Tower Mirae Asset Center1 26, Eulji-ro 5-gil, Jung-gu, Seoul, 04539, Korea t: f: Shanghai 43/F Jing An Kerry Center Tower II 1539 Nanjing West Road Shanghai , PRC t: f: Tokyo Ark Hills Sengokuyama Mori Tower 40th Floor, Roppongi Minato-ku, Tokyo Japan t: f: Brussels Avenue Louise 480-5B 1050 Brussels Belgium t: f: Frankfurt Siesmayerstrasse 21 D Frankfurt am Main Germany t: f: London Ten Bishops Square Eighth Floor London E1 6EG United Kingdom t: f: Milan Via Rovello, Milano Italy t: f: Paris 96, boulevard Haussmann Paris France t: f: For further information, you may visit our home page at or us at info@paulhastings.com Paul Hastings LLP