Doing Business in a Connected World: The Impact of Cybersecurity, Data Privacy and Social Media
Security Incident Prevention and Response: Customizing a Formula for Results
Joseph M. Asher, Chief Executive Officer, William Hill US
Marcus A. Christian, Partner, Mayer Brown LLP
Burt M. Fealing, Executive Vice President, General Counsel and Secretary, Southwire Company
Topics
- The Risk Formula
- Risk Realized
- Making the Case for Action
- Implementing a Written Information Security Program (WISP)
- Implementing an Effective Incident Response Capacity
- Proactive Engagement with Law Enforcement Organizations and ISAOs
The Risk Formula
The Risk Formula
Risk = Threat x Vulnerability x Cost
Threat is the frequency of a potentially adverse event, that is, how often the event is attempted or occurs. Vulnerability is the likelihood that a given occurrence of that threat actually impacts the organization. Cost (consequence) is the total cost of the impact when the threat lands. Because the three terms multiply, risk is driven down by shrinking any one of them, and each later section of this deck works on one: a written information security program lowers Vulnerability and Cost, an incident response capacity lowers Cost, and engagement with law enforcement and ISAOs lowers Threat.
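The formula as a small ranked risk register, added here as a worked example that is not part of the deck. The scenario names echo the deck's list of adverse events, but every number in it (event frequencies, impact probabilities, per-impact costs, and the annual cost and assumed reduction of each control) is constructed for illustration. It goes one step beyond the slide by pricing the three levers the later sections correspond to and ranking them by net benefit across the whole register, which is the arithmetic behind the "business case" slide.

```python
"""Risk = Threat x Vulnerability x Cost as a ranked register.

Added example; all figures below are constructed, not taken from the deck.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float         # expected occurrences of the adverse event per year
    vulnerability: float  # probability (0..1) that one occurrence actually impacts the organization
    cost: float           # total cost of one impact, in dollars


@dataclass(frozen=True)
class Control:
    """A risk-reduction lever. Each factor scales one term of the formula (1.0 = no effect)."""
    name: str
    annual_cost: float
    threat_factor: float = 1.0
    vulnerability_factor: float = 1.0
    cost_factor: float = 1.0


def risk(s: Scenario) -> float:
    """Annualized risk per the deck's formula. Rejects inputs the formula cannot mean."""
    if s.threat < 0 or s.cost < 0:
        raise ValueError(f"{s.name}: threat and cost must be non-negative")
    if not 0.0 <= s.vulnerability <= 1.0:
        raise ValueError(f"{s.name}: vulnerability is a probability, got {s.vulnerability}")
    return s.threat * s.vulnerability * s.cost


def rank(register: list[Scenario]) -> list[Scenario]:
    """Highest annualized risk first: the order in which to argue for resources."""
    return sorted(register, key=risk, reverse=True)


def apply_control(s: Scenario, c: Control) -> Scenario:
    """The scenario as it would look with the control in place."""
    return replace(
        s,
        threat=s.threat * c.threat_factor,
        vulnerability=s.vulnerability * c.vulnerability_factor,
        cost=s.cost * c.cost_factor,
    )


def net_benefit(register: list[Scenario], c: Control) -> float:
    """Risk removed across the whole register minus what the control costs per year.

    Because the formula is a product, a control that scales one term by f removes
    the same fraction (1 - f) of every scenario's risk, so choosing between controls
    comes down to achievable reduction versus price, not to which scenario is examined.
    """
    removed = sum(risk(s) - risk(apply_control(s, c)) for s in register)
    return removed - c.annual_cost


def best_control(register: list[Scenario], controls: list[Control]) -> Optional[Control]:
    """The control with the largest positive net benefit, or None if none pays for itself."""
    best = max(controls, key=lambda c: net_benefit(register, c), default=None)
    if best is None or net_benefit(register, best) <= 0:
        return None
    return best


# Constructed register (illustrative figures only); names follow the deck's list of adverse events.
REGISTER = [
    Scenario("ransomware", threat=4.0, vulnerability=0.25, cost=2_000_000),
    Scenario("payment card theft", threat=10.0, vulnerability=0.05, cost=1_500_000),
    Scenario("corporate account takeover", threat=20.0, vulnerability=0.02, cost=500_000),
    Scenario("denial of service", threat=12.0, vulnerability=0.5, cost=50_000),
]

# Assumed levers, one per later section of the deck; costs and factors are made up for the example.
CONTROLS = [
    Control("written information security program", annual_cost=600_000, vulnerability_factor=0.5),
    Control("incident response capacity", annual_cost=250_000, cost_factor=0.6),
    Control("law enforcement and ISAO engagement", annual_cost=50_000, threat_factor=0.9),
]

if __name__ == "__main__":
    for s in rank(REGISTER):
        print(f"{s.name:30s} ${risk(s):>12,.0f}/yr")
    for c in CONTROLS:
        print(f"{c.name:40s} net benefit ${net_benefit(REGISTER, c):>12,.0f}/yr")
    chosen = best_control(REGISTER, CONTROLS)
    print("fund first:", chosen.name if chosen else "none pays for itself")
```

With these constructed numbers the register totals $3.25M of annualized risk, ransomware first. The program that halves Vulnerability removes the most risk ($1.625M) but costs the most; the cheaper incident response capacity removes less ($1.3M) and still comes out ahead on net benefit ($1.05M against $1.025M), while the law enforcement lever pays for itself but ranks last. The point for a budget conversation is that neither the biggest reduction nor the lowest price decides; the product form of the formula makes each lever's fractional reduction uniform across scenarios, so net benefit over the whole register is the comparison to make.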
Risk Realized
Adverse Events Occur
Risk Realized
Impact Varies Among Victims
- PII or PHI theft
- Ransomware
- DoS
- Corporate account takeover
- Cyber espionage
- Corporate identity theft
- Sabotage
- Payment card theft
Risk Realized
Relative Priorities Vary
- Damage to reputation/brand
- Loss of proprietary information
- Economic damage
- Government/regulatory action
- Business continuity
- Litigation
- Board of directors concerns
- Executive liability
- Preservation of lawyer-client privilege
- Shareholder activity
- Media coverage
Making the Case
Securing the Authority, Support and Resources to Reduce Cybersecurity Risk
Making the Case
The Legal Landscape
Federal and state laws establish various frameworks that companies must comply with or may adopt as best practices:
- Federal Trade Commission Act
- Gramm-Leach-Bliley Act
- HIPAA
- State data breach notification and data security laws
- Best practices, frameworks and industry standards (e.g., PCI DSS, NIST, ISO)
Making the Case
Enforcement Actions and Lawsuits
Making the Case
The Business Case for Cybersecurity
- What is the projected impact of improving cybersecurity on profitability from research and development?
- What is the expected financial benefit of improved cybersecurity on market share over the next three years?
- How will reducing cybersecurity risk enable the company to preserve its pricing or operational advantages over competitors?
- How much will bolstering cybersecurity enhance the company's ability to track, analyze and predict customers' preferences and demands?
Implementing a Written Information Security Program
Reducing Risk by Decreasing Vulnerability and Costs
Implementing a Written Information Security Program
Legal Requirements
- Federal statutes (e.g., Gramm-Leach-Bliley Act, HIPAA)
- State statutes (e.g., Massachusetts, Oregon)
- Settlements with regulators
- Business agreements
- Other requirements (e.g., COPPA Safe Harbor)
- Judicial protective orders
- Administrative, technical and physical safeguards
Implementing a Written Information Security Program
Selected Elements*
- Regular cybersecurity audits
- Regular risk assessments
- Adoption of risk management standards
- Employee training
- Tracking of employee training
- Training effectiveness
- Disciplinary measures
- Encryption of PII and/or PHI
- Maintenance and transport of records containing PII and/or PHI
- Physical security of records containing PII and/or PHI
- Monitoring program performance
*The specific elements of a WISP will depend upon the organization, its business and its regulators, among other factors.
Implementing a Written Information Security Program
Selected Elements (cont.)
- Password security
- Third-party access to systems
- Access control
- Need-to-know access
- Document retention
- Media destruction
- Portable devices
- Internet privacy policy
- System access control
- BYOD
- Regular system mapping
- Regular data mapping
- Data classification
- Password complexity
- Regular updates
Implementing a Written Information Security Program
Potential Pitfalls
- Lack of executive support
- Failing to implement a written program
- Including elements that will not be enforced
- Inadequate updating
- Selective enforcement
- Failing to break down silos
Implementing an Effective Incident Response Capacity
Reducing Risk by Mitigating the Impact of an Incident
Implementing an Effective Incident Response Capacity
The Written Plan
A written computer security incident response plan ensures that business priorities guide the response function. This plan should:
- Clearly state goals and objectives;
- Categorize the incidents to which the plan applies;
- Establish incident severity categories and the corresponding level of deployment for each;
- Identify response team members and their respective roles; and
- Provide a structure that enables agile decision making by the response team.
The plan must be regularly assessed and revised as necessary to reflect new assets, business activities or technologies.
Implementing an Effective Incident Response Capacity
The Written Plan (cont.)
Every computer security incident response plan will be tailored to a specific company's unique needs, but generally all such plans should include certain key elements:
- Incident detection, notification, analysis and forensics;
- Response actions, including containment, remediation and recovery;
- Communications;
- Procedures to capture lessons learned; and
- Identification of necessary documents and key legal requirements.
Implementing an Effective Incident Response Capacity
The Team
Internal team:
- Information Technology & Security
- Corporate Counsel and Compliance
- Communications
- Business Management
- Other: Customer Care; HR; Physical Security; Investor Relations
External team:
- Outside Counsel
- Forensics Expertise
- Insurance Providers
- Crisis Communications Specialist
External support:
- Software and Hardware Vendors
- Industry Working Groups
- Internet Service Providers
- Law Enforcement
- Other Government Agencies
Implementing an Effective Incident Response Capacity
Resources
To facilitate your team's work, you will need to ensure that it has the logistical support to operate when your information, technological and even physical security might be compromised. Consider maintaining:
- Dedicated clean laptops: some used only to record investigation activities, and others that can be connected to a compromised network without putting further information or assets (other than the laptop itself) at risk, so that the record of the investigation never touches the compromised environment;
- Secure communications;
- A war room; and
- A call center to interface with customers and employees as the incident develops.
Implementing an Effective Incident Response Capacity
Training and Practice
Training and practice ensure that the effort and resources expended to prepare for a computer security incident are deployed efficiently and effectively when it counts. Regular tabletop exercises (e.g., twice a year) help keep the computer security incident response plan, and the team's skills and relationships, up to date. Employee training can also demonstrate institutional commitment to cybersecurity in post-incident litigation.
Implementing an Effective Incident Response Capacity
Potential Pitfalls
- Lack of leadership sponsorship
- Staleness of plan
- Incompleteness of investigation or remediation
- Inadequate training
- Unclear chain of command or authority
Proactive Engagement with Law Enforcement Organizations and ISAOs
Reducing Risk by Working Against Threat Actors and Mitigating Costs
Proactive Engagement with Law Enforcement and Information Sharing and Analysis Organizations (ISAOs)
Reducing threats from criminal organizations and nation states will require concerted effort by policy makers, companies and industry associations. Meaningful concerted action among large numbers of entities normally develops slowly and can be inefficient, but companies are already taking action against external threat actors, both individually and collectively. The passage of the Cybersecurity Information Sharing Act of 2015 should lead to increased threat information sharing.
Proactive Engagement with Law Enforcement
Selected Benefits
- Establishing contacts within law enforcement agencies
- Building rapport with law enforcement agencies before a crisis occurs
- Contributing to a necessary effort to reduce the number and impact of threat actors
- Increasing awareness of threats, trends and best practices
- Demonstrating commitment to cybersecurity in a way that regulators view favorably
Proactive Engagement with Law Enforcement
Selected Statutes Used in Cybercrime Prosecutions
- Computer Fraud and Abuse Act of 1986
- Aggravated Identity Theft
- Wire Fraud Statute
- Economic Espionage Act
- Electronic Communications Privacy Act
- Stored Communications Act
Proactive Engagement with ISAOs
Selected Benefits
- Reducing the number of threat actors by providing better intelligence to law enforcement agencies
- Enabling organizations to prevent more cyber attacks directed at them through awareness of exploits in use
- Improving entities' ability to obtain defensive measures effective against specific attacks
- Improving companies' ability to detect attacks
- Allowing businesses to respond to information security incidents earlier and more effectively
Questions
Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.