CYBERSECURITY RISK MANAGEMENT

Transcription

1 CYBERSECURITY RISK MANAGEMENT

2 RETHINKING PROTECTION Cybersecurity is one of the most challenging risks confronting companies around the world. In today s interconnected world, virtually all companies and their customers are potential targets. With vast experience in cybersecurity matters and a global cybersecurity team, DLA Piper is ideally situated to guide clients in managing this increasingly important risk area. We help clients to implement a 360-degree approach to creating, managing and maintaining a secure cyber-dna in the face of escalating threats and legal requirements, and a shift in the duty of care for companies and directors. Our lawyers were instrumental in drafting the widely acclaimed National Association of Corporate Directors Cyber Risk Handbook, which is being used across corporate America to establish cyber risk governance systems. We also track cybersecurity regulatory developments in 23 major world economies for an information service. We helped to draft almost all the US state breach notice laws; are developing a video to help educate senior managers and directors about cyber risk issues; and we help clients to prepare for security incidents through a free model incident response protocol that clients adapt to their organization and regulatory requirements. RANKED IN TIER 1 IN CYBER LAW Legal 500, 2017 We offer clients practical and down-to-earth guidance across the spectrum of governance of cyber-risk, including: Global incident response and investigations Risk assessment mitigation and compliance around the world Program design and implementation Corporate governance Supply chain risk management DLA Piper has an intelligent and practical cyber team. Government affairs solutions Litigation (D&O, class action, product liability) 02 CYBERSECURITY RISK MANAGEMENT

3 PROACTIVE STRUCTURES, STEADFAST STRATEGY It is only a matter of time before a determined hacker can penetrate your organization s system. With consequences of these attacks growing ever more serious, cybersecurity risk has become a top priority for many organizations. DLA Piper has a series of offerings that are designed to prepare clients for the inevitable cyberattack, including how to respond to cyberattacks. We guide clients through the design and implementation of a governance structure that can meet organizations duties of care. We provide clients proactive corporate governance structures to protect companies and their directors; offer tools to comply with evolving regulatory requirements; develop and refine sound corporate policies; design and help to manage strategies to create and sustain a culture of security; and drive responsible supply-chain and vendor risk management techniques and contract support. In the wake of an attack, we provide a team that has helped clients through more than 450 security incidents and helped draft almost all the US state breach notice and data security laws. We offer charts and information services that capture cybersecurity and breach-related requirements across the 50 states and the world. We field a cohesive team of lawyers in 40 countries that is highly experienced in investigations and incident response, protocols, in protecting privilege throughout an investigation, and in helping clients to adjust security measures in light of the incident. Team members include former SEC lawyers with deep understanding of SEC materiality standards for notifying shareholders. Many more are litigators with strong experience in the claims typically brought in lawsuits filed in response to a cybersecurity incident. OUR CYBERSECURITY TEAM OFFERS: Proactive risk management. Because of the fast-changing nature of cyberattacks, cybersecurity defense is a complex risk management task. We were the only law firm that helped to draft the widely acclaimed NACD Cyber Risk Handbook for corporate directors. We help clients to implement a customized strategy, establish and refine their internal risk management strategy for preventing and responding to cyberattacks, and assist in the implementation of proactive policies and procedures that enable them to respond effectively, preserving attorney-client privilege and mitigating potential litigation and reputational risks associated with cybersecurity incidents. We have relationships with a wide range of cybersecurity experts to help clients to identify emerging threats, detect intrusions and conduct effective forensic investigations. We also focus on identifying and fixing breakdowns in corporate communications and planning that leave vulnerabilities unaddressed. We help clients to adopt nimble, repeatable and durable policies and procedures that fit their organization s culture and resources. Field-tested global crisis management coverage. We can be on the ground, with an integrated team of top cybersecurity technicians and lawyers, helping solve your security problem and cloaking those efforts in privilege, anywhere in the world, within 24 hours of a client request. We have established toll-free response protocols to respond and coordinate immediately. Connections to more than 40 governments around the world. We know the regulators, the advocates and many of the journalists who focus on data breaches and draw on this experience to guide our clients response to a breach incident so as to minimize potential reputational damage. Understanding of the US and international cyber-regulatory environment. We have drafted most of the breach notice laws, offer an online tool summarizing breach notice requirements in 72 countries. Our subsidiary Blue Edge Lab SM offers CyberTrak SM, an easy-to-use online information service that tracks the evolution of cybersecurity-related law in 23 major economies around the world. This work gives us an unrivaled understanding of the ever-changing US and international cyber-regulatory environment that we apply to both reactive and preventive client service. 03

4 Sector-specific focus. DLA Piper believes that our legal advice should be as pragmatic and practical as it is technically excellent. We are attuned to the unique requirements of different sectors and staff our teams with lawyers experienced in the client s sector. INCIDENT RESPONSE CAPABILITIES From the moment a company learns about a potential breach it should be armed with tools to respond quickly and effectively while ensuring that its investigation is privileged. We offer a highly experienced team that has been successful hundreds of times in protecting clients from risks following cybersecurity incidents. Our service in this area includes incident response protocols, crisis coordination and management, data breach response strategy, identifying and preparing required individual, payment card network and state notifications, communication and priority setting with regulators, inclusion of law enforcement as appropriate and responding to Congressional inquiries. We offer clients a step-by-step incident response protocol that prepares clients for breaches before they happen, preserves privilege from moment one and marshals organization, legal and forensic solutions. Among the members of our team are former computer crime prosecutors who have strong relationships with law enforcement that can be invaluable in responding to a hack. We also have a team of litigators around the world who can pursue non-state-sponsored hackers and their hosts in their home countries. We have a clear understanding of potential insurance coverage for these events and advise you of communications to ensure proper notice to carriers and third parties to limit direct and potentially consequential losses. We also work with the carriers to ensure that any improvements or modifications to the company s approach as a result of a breach can form the basis for decreased cost of coverage or enhanced coverage moving forward. RISK MITIGATION AND PROACTIVE STRATEGIES Effective cybercompliance begins with an independent and realistic assessment of the legal, compliance, governance and reputational risks that could threaten your company. DLA Piper has an integrated protocol that works hand-in-glove with cybersecurity technology providers to assess, respond to and mitigate the risks associated with cybersecurity incidents at your company. The protocol is an enterprisewide approach that analyzes these risks and is adaptable to the unique characteristics of your company, regulation of your sector and the geographical location of your data centers and of data subjects. It provides companies and directors with roadmaps to fulfill their respective fiduciary and legal obligations to their shareholders, employees and customers. Furthermore, to help clients address the proliferation of cybersecurity requirements globally, DLA Piper offers an information service that provides quick summaries of cybersecurity-related procurement and compliance requirements in 23 key markets around the world. 04 CYBERSECURITY RISK MANAGEMENT

5 We have devised easy-to-implement, repeatable and trackable methodologies that identify and address gaps, incorporate solutions into current business processes and auditing programs based on risk priorities. The methodologies incorporates rules-based applications, moving response checklists into current protocols. The resulting program addresses identified gaps in a holistic and ongoing fashion across multiple metrics. SUPPLY CHAIN RISK MANAGEMENT A key part of our proactive risk mitigation service involves providing practical, targeted and enforceable risk mitigation strategies throughout a company s supply chain. This usually begins with assessment of heightened risk of cyberincidents throughout a company s supply chain. It then moves to implementing diligence, contracting and vendor management strategies to mitigate and properly allocate cybersecurity risks so that your company is not left absorbing unmanageable liability or violating commitments to regulators, clients, suppliers or the public. These proactive solutions can make a major difference mitigating risk. GOVERNMENT AFFAIRS Our lawyers have been closely engaged in the development of the Cybersecurity Framework and federal and state government cybersecurity requirements. They include former Senate Intelligence Committee Vice-Chair Saxby Chambliss, who oversaw and worked closely with the U.S. agencies charged with cybersecurity preparedness. We are ideally positioned to help clients work with government agencies on implementation of the Administration Cybersecurity Framework and in contesting designations as critical infrastructure directly subject to the Framework. Furthermore, our team features a well-regarded former House Committee chief investigations counsel, who ran 200 hearings during his time on Capitol Hill and is adept at helping clients to manage investigations and excel at congressional hearings LITIGATION We feature some of the most highly experienced litigators in the world in data privacy, class action, insurance coverage, D&O litigation and product liability. This team is comprised of true trial lawyers and an alternative dispute resolution team that work across a global platform to represent clients in every industry that may be subject to liability for a data breach. These litigators represent clients across the spectrum of critical infrastructure and data-intensive sectors. They appreciate the vulnerability of internal and consumer data at the heart of every business sector and have developed strategies to anticipate, prepare and defend against cybersecurity-related claims. Our litigators also benefit from the incomparable experience of our lawyers who are skilled in cyber-regulations and cyber risk management, and frequently work together to assist clients in avoiding and/or mitigating litigation risks. This coordination makes us highly qualified to attack the substantive and procedural aspects of litigation arising out of data breaches and other security incidents. Class Action Litigation. DLA Piper is one of the few firms with actual experience litigating a consumer class action arising out of a data breach. Our lawyers currently represent various corporate entities in the first major multi-district litigation arising out of a data breach. That breach was, at the time, one of the largest recorded data security breaches, affecting more than 77 million consumers, and resulted in the filing of 65 class actions across the country. Our experience in the trenches gives us vast experience and insight into the defense of companies facing litigation arising out of a data breach, including issues of standing, the various theories of liability asserted by plaintiffs and class certification issues. In addition, DLA Piper has a deep bench of class action lawyers skilled in the representation of clients in nationwide and state class action lawsuits, many of which address the issues facing consumers and business in the areas of consumer fraud, the use of data and breach notification. This experience will be vital as the class of potential plaintiffs in these cases grow and the theories of liability evolve. 05

6 Our clients depend on us to anticipate emerging threats; develop streamlined, effective and innovative strategies to respond to the nuances of a particular suit; defeat class certification and the merits of the plaintiffs claims at an early stage; and strategically protect and advance our clients long-term business interests. Our experience in major data breach litigation, combined with our experience in the compliance and regulatory arena, makes us an asset for clients faced with data breach litigation. Securities Litigation. The duty of care for companies and boards now includes proper attention to cybersecurity vulnerabilities. Sophisticated hacks into a company s systems can affect stock prices and trigger derivative shareholder actions. Our securities litigators are experienced in defending companies in derivative shareholder actions and at guiding clients through the delicate process of determining whether the effects of a hack exceed the SEC s materiality threshold requiring notice to shareholders. Product Liability: Our product liability group includes some of the most highly regarded defense lawyers in the world. We advise clients on risk, compliance and business management at every stage of the product life cycle, from product design and development to distribution. Our sophisticated clients use information and technology at each of these stages to share research and testing and to efficiently manufacture and distribute products and services often considering the use of this data beyond immediate product design needs. We collaborate with clients at the front end on issues such as cybersecurity to focus on points of vulnerability raised by hacking in day-to-day use. Examples of these considerations include monitoring of personal vehicles, access to home security and controlled environment systems and access to medical devices and implants. At the back end, we handle crises that involve product recalls, governmental investigations and insurance coverage in the event these systems are breached or alleged to be defective. We collaborate with colleagues around the world to ensure that each client is receiving sound advice based on a multidisciplinary and multijurisdictional approach, and we are ever mindful of the need to protect reputations. 06 CYBERSECURITY RISK MANAGEMENT

7 DLA PIPER RELATIONSHIP*/COOPERATION FIRMS AFRICA AMERICAS ASIA PACIFIC EUROPE Addis Ababa* Accra* Bujumbura* Casablanca Dakar* Dar es Salaam* Johannesburg Gaborone* Kampala* Kigali* Lagos* Luanda* Lusaka* Maputo* Mwanza* Nairobi* Port Louis* Tunis* Windhoek* Albany Atlanta Atlantic City Austin Baltimore Bogota Boston Calgary Chicago Dallas Edmonton Houston Lima Los Angeles Mexico City Miami Minneapolis Montreal New York Northern Virginia Philadelphia Phoenix Raleigh Rio de Janeiro Sacramento San Diego San Francisco San Juan Santiago São Paulo Seattle Short Hills Silicon Valley Toronto Vancouver Washington, DC Wilmington Yellowknife Auckland Bangkok Beijing Brisbane Hong Kong Melbourne Perth Seoul Shanghai Singapore Sydney Tokyo Wellington Aarhus Amsterdam Antwerp Birmingham Bratislava Brussels Bucharest Budapest Cologne Copenhagen Edinburgh Frankfurt Hamburg Helsinki Kyiv Leeds Lisbon Liverpool London Luxembourg Madrid Manchester Milan Moscow Munich Oslo Paris Prague Rome Sheffield St. Petersburg Stockholm Vienna Warsaw Zagreb* MIDDLE EAST Abu Dhabi Al Khobar Doha Dubai Jeddah Kuwait City Manama Muscat Riyadh 07

8 ABOUT US DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa and Asia Pacific, positioning us to help clients with their legal needs around the world. FOR MORE INFORMATION To learn more about DLA Piper, visit or contact DLAPiperCybersecurity@dlapiper.com. DLA Piper is a global law firm operating through DLA Piper LLP (US) and affiliated entities. For further information please refer to Note past results are not guarantees of future results. Each matter is individual and will be decided on its own facts. Attorney Advertising. Jim Halpert, jim.halpert@dlapiper.com, 500 Eighth Street, NW, Washington, DC Copyright 2017 DLA Piper LLP (US). All rights reserved. NOV17 MRS