HOW CORPORATE COUNSEL CAN MITIGATE CYBERSECURITY RISKS

Transcription

1 HOW CORPORATE COUNSEL CAN MITIGATE CYBERSECURITY RISKS September 9, 2015

2 2 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks PRESENTER BIOGRAPHIES Moderator Glenn M. Pomerantz, CPA, CFE Partner, BDO Global Forensics Practice Leader Direct: Panelist Karen A. Schuler Managing Director, BDO Information Governance Practice Leader Direct: Glenn Pomerantz leads the firm s Global Forensics practice with 30 years of forensic accounting, auditing and consulting experience. Mr. Pomerantz provides litigation and dispute advisory, fraud investigation and anti-fraud and anticorruption compliance, and due diligence services to organizations and their counsel. Coordinating with BDO practice leaders around the globe representing BDO s global network of more than 1,300 offices in 152 countries, Mr. Pomerantz organizes and oversees international resources on cross-border matters to serve the needs of our multinational clients. He has significant experience in antifraud and anti-corruption compliance and investigative matters in emerging markets. He also has significant investigative and compliance experience in matters involving embezzlement, theft, Ponzi schemes, fraudulent conveyances and financial reporting fraud. His dispute resolution experience includes providing expert witness testimony and consulting services in connection with complex economic damages across a range of disputes and insurance claims. Mr. Pomerantz has served as a Court appointed Umpire and Referee and as a neutral arbitrator. He frequently publishes and presents on forensic accounting and fraud topics, including corporate governance, fraud prevention, economic damages, risk assessments and insurance claims. Mr. Pomerantz holds certifications as a Certified Public Accountant and Certified Fraud Examiner and is Certified in Financial Forensics. Karen Schuler has more than 20 years of experience in multidisciplinary investigations, technology governance risk and compliance, and disputes including matters involving corruption, intellectual property, trade secrets, contracts, and products liabilities, across multiple industries. She is a nationally known speaker and author on advanced topics in e-discovery, digital forensics, investigations, and technology implementation and systems integration. Advising clients on all aspects of the investigative and litigation spectrum of the EDRM and IGRM, Ms. Schuler helps organizations evaluate risk and compliance requirements, respond to e-discovery matters in an efficient and cost-effective manner, and respond to internal and external vulnerabilities. She is skilled in managing large multidisciplinary matters where her clients are faced with complex issues during internal investigations, cyber investigations, or litigation. Ms. Schuler has participated in Rule 26(f) meetand-confer conferences, and has provided 30(b)6 testimony and fact and opinion testimony. Author of ediscovery: Creating and Managing an Enterprise-wide Program A Technical Guide to Digital, a comprehensive book on information governance and e-discovery, she frequently publishes and presents at conferences and has been quoted in the media. Prior to BDO, she held senior positions within global e-discovery and cyber investigations companies, and was a Senior Computer Forensics Examiner for the SEC. She is a board member of an information governance company, current member of the Association of Certified Fraud Examiner s Advisory Council, and served previously on the board of the MidAtlantic Chapter of HTCIA.

3 3 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks PRESENTER BIOGRAPHIES Panelist Michael Stiglianese Senior Managing Director, Axis Technology LLC Panelist David H. Brill Chair of the Corporate and Securities Committee, The Greater New York Chapter of the Association of Corporate Counsel Direct: Michael Stiglianese is an Executive Management Consultant with extensive expertise in IT financial and risk management, compliance and controls, shared services and expense management. He has a successful track record of over 30 years of experience implementing financial and risk management solutions for global organizations. Mr. Stiglianese is a respected information security visionary with a wealth of perspective on global financial services and corporate risk. He has extensive experience dealing with regulatory agencies. Mr. Stiglianese has held senior IT risk management and CFO positions for major global businesses. He has specialized in cost control and internal corporate consolidations. His specialties include IT Financial Management (ITFM), IT Asset Management (ITAM), IT Expense Management, IT Risk Management, Information Security, Continuity of Business, Cost Control, Shared Services Implementation and Management, Chargebacks, Regulatory Reporting, and Management Reporting, Financial Management. David H. Brill is Chair of the Corporate and Securities Committee of the Greater New York Chapter of the Association of Corporate Counsel. Mr. Brill is the former EVP and General Counsel of American Stock Transfer & Trust Company. Prior to joining AST, he spent seven years with Thomson Reuters and worked in several capacities, including as a member of the Corporate Services Executive Team and as Vice President and Principal Legal Counsel. Prior to the acquisition of Reuters by the Thomson Corporation, Mr. Brill had corporate legal responsibilities at Thomson Financial, including Mergers and Acquisitions, and managing the contract negotiation process in North America. David is Past President of the Greater New York Chapter of the Association of Corporate Counsel, where as President he led the chapter to winning Chapter of the Year. Mr. Brill is a member of the New York State Advisory Board Committee on Pro Bono Service by In-House Counsel. He also served as Past President of the Young Professionals Committee, Big Brothers Big Sisters of New York City. He is a frequent writer and speaker on law department management, technology, securities, risk management and social media issues. Mr. Brill has been interviewed and quoted in the Wall Street Journal, New York Times, the New York Law Journal and The American Lawyer among others. Mr. Brill earned his B.A. in History from the University of Michigan and his J.D. from American University, Washington College of Law where he was a member of the International Law Review.

4 4 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks PRESENTER BIOGRAPHIES Panelist Antony P. Kim Partner, Orrick, Herrington & Sutcliffe LLP Direct: Antony (Tony) Kim co-chairs the firm's Cybersecurity & Data Privacy team, which is nationally ranked by The Legal 500 and recognized for an aggressive yet practical approach to solving cyber issues. Mr. Kim works with Boards of Directors, C-Suites, in-house legal departments and InfoSec/IT teams on proactive cybersecurity preparedness and risk management strategies. He has directed forensic investigations, cross-border notifications, responses to regulatory enforcement actions, and civil defense strategies in significant cyber-attacks and security breaches involving compromised information, including credit card data and trade secrets, on behalf of private and public entities. The National Law Journal named Mr. Kim to its list of D.C. Rising Stars, a 40- under-40 group of "game changing" private, government and public interest attorneys who practice in our nation's capital. The International Law Office (ILO) and Lexology awarded him a Client Choice award for the District of Columbia and United States region based on a survey of over 2,000 senior in-house counsel. He is a graduate of Yale University and Georgetown Law.

5 5 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks MEET THE HACKERS THREAT TYPE WHO AND WHAT Advanced Persistent Threat (APT) Industrial Control System Attack Organized Crime Hacktivism Insiders Organized and state-funded groups methodically infiltrating the enterprise; present for months / years Targeted attack that can disrupt activities of large-scale industrial control systems (e.g. Stuxnet) Organized crime rings targeting corporations data for financial gain (e.g. Target) Highly visible attacks to advance movements, political / policy view (e.g. Anonymous) Employee or contractor using access to release or ex-filtrate information for personal, competitive or financial gain (e.g. Wikileaks)

6 6 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks NOTABLE CYBER / HACKING EVENTS LESSONS LEARNED Stolen credentials causing network disruption They warned card-issuing banks that a third-party payments processor suffered a security breach, affecting up to 10 million credit cards A person with privileged access unleashed a computer virus that erased data on three-quarters of Aramco s corporate PCs, including documents, spreadsheets, e- mails, and other files Approximately 40 million credit and debit card accounts may have been impacted in a credit card breach. It compromised as many as 110 million Target customers. Target is expected to recover $90 million from cyber insurers partially offsetting the $248 million in expenses Data breach allegedly conducted by a group of Russian hackers Avid Life Media is facing hundreds of millions of dollars in damages from clients alleging financial, reputational, and relationship losses

7 7 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks KEY ELEMENTS OF CYBER RISK MITIGATION Determine what threats are most likely to occur? Identify which threats could have a significant impact on an organization if they do occur? Select what strategies should be used to prevent and mitigate threats? Choose which strategies offer the best combination of cost and effectiveness?

8 8 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks IMPLEMENTING A CYBER STRATEGY C-Suite commitment Comprehensive risk assessment Adequate resources Training and awareness Response plan Board oversight

9 9 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks DESIGNING A CYBER RISK ASSESSMENT PROCESS STEP 1: Make Risk Assessment a Team Effort Build a risk assessment team that includes IT, legal and compliance personnel, HR, finance, and operations. STEP 2: Identify Digital Assets Your risk assessment team s first project should be to list all your systems and data, ranking them by the importance of each one to your business. STEP 3: Identify & Prioritize Risks to Assets Your team needs to consider what would happen if any of the following events occurred: The asset fails or is lost The asset is stolen or controlled The system or data is no longer by an unauthorized entity trustworthy or accurate STEP 4: Identify Ways to Mitigate Risk Involving Assets For each potential threat, list ways to avoid the risk, or mitigate it if it happens, and the cost of each prevention and mitigation strategy. STEP 5: Implementation & Maintenance Best practices must keep evolving in order to keep pace with changing technology. Companies must review their risk management practices regularly.

10 10 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks COMPONENTS OF AN IT CYBER PROGRAM Expertise. Analytics. Network security Monitoring and human intelligence Incident management Access control Identity management Data protection Penetration testing Third party vendor management Systems configuration management Anti-malware Encryption

11 11 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks CYBER INVESTIGATIONS Identification Containment Eradication Recovery Lessons Learned Location of the incident How was it discovered? Other areas compromised? Scope of the impact Have sources been identified? Business impact Short-term containment (is problem isolated / are systems isolated?) System-backup (evidence collection, imaging) Long-term containment (system off-line) Re-image and update patches, harden system(s) Removal of malware and artifacts from system(s) When can system(s) come back online? Have systems been prepared to thwart future attacks? What testing, monitoring solutions are going to be used for future? How can we prevent this in the future? Incident Report Who? What? Why? How? Where? When? Prevention CYBER INVESTIGATION

12 12 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks IN THE U.S., THERE ARE NO COMPREHENSIVE FEDERAL CYBER / DATA-SECURITY LAWS Laws imposing civil or criminal liability for hacking Laws requiring implementation of security measures Laws requiring notification of security breaches Contractual duties re: security and/or breach notification Regulator enforcement consent decrees, and related requirements Regulator and industry standards, guidelines, and frameworks

13 13 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks PREDICTIONS FOR THE FUTURE SEVEN Megatrends in Cybersecurity* 1. Cybersecurity will become a competitive advantage and a C-level priority. 2. Insider negligence risks are decreasing. 3. Cyber crime will keep information security leaders up at night. 4. The Internet of Things is here but organizations are slow to address its security risks. 5. The cyber talent gap will persist. 6. Big shifts in new technologies towards big data analytics, forensics and intelligence-based cyber solutions. 7. Despite alarming media headlines, cybersecurity postures are expected to improve. *Source: Ponemon Institute Research Report:

14 14 BDO Presents: How Corporate Counsel Can Mitigate Cybersecurity Risks QUESTIONS?

15 THANK YOU! September 9, 2015