Advising the C-Suite and Boards of Directors on Cybersecurity. February 11, 2015

Similar documents
Incident Response and Cybersecurity: A View from the Boardroom

The Evolving Threat to Corporate Cyber & Data Security

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Data Breach Preparation and Response. April 21, 2017

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

Financial Regulations, Enforcement & Cybersecurity

Bored with Your Board s Involvement with Privacy/Security Program?

SEC Issues Updated Guidance on Cybersecurity Disclosure

Cybersecurity and the Board of Directors

How will cyber risk management affect tomorrow's business?

CYBER RISK MANAGEMENT SERVICES Is Your Company Prepared for a Cyber Attack?

Upcoming PIPEDA Changes What is changing and what to do about it

Cyber Risks in the Boardroom Conference

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Managing Cybersecurity Risk

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

Security and Privacy Governance Program Guidelines

SEC Issues Interpretive Guidance on Public Company Cybersecurity Disclosures

Rethinking Information Security Risk Management CRM002

DATA BREACH NUTS AND BOLTS

Incident Response Services

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

CYBER ALERT. Cyber Investigations, Part 4: Hallmarks of Enterprise Impact Investigations. Key Components of an Enterprise Impact Investigation

AUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

The Impact of Cybersecurity, Data Privacy and Social Media

Cybersecurity Auditing in an Unsecure World

Hacking and Cyber Espionage

Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties

NYDFS Cybersecurity Regulations

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Jeff Wilbur VP Marketing Iconix

External Supplier Control Obligations. Cyber Security

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

CYBER INSURANCE: MANAGING THE RISK

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.ca

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

SOLUTIONS BRIEFS. ADMINISTRATION (Solutions Brief) KEY SERVICES:

Are we breached? Deloitte's Cyber Threat Hunting

Sage Data Security Services Directory

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Cybersecurity Landscape and Risk Considerations

CYBER RISK MANAGEMENT

Cyber Risk A Corporate Directors' Briefing Webcast Q&A Summary

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

Vice President and Chief Information Security Officer FINRA Technology, Cyber & Information Security

BHConsulting. Your trusted cybersecurity partner

Oracle Data Cloud ( ODC ) Inbound Security Policies

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

How to Prepare a Response to Cyber Attack for a Multinational Company.

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Bradford J. Willke. 19 September 2007

Steps to Take Now to be Ready if Your Organization is Breached Thursday, February 22 2:30 p.m. 3:30 p.m.

Cybersecurity Risk Oversight: the NIST Framework and EU approaches

Anatomy of a Data Breach: A Practical Guide for Small Law Departments

Investigating Insider Threats

THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

European Union Agency for Network and Information Security

Bringing Cybersecurity to the Boardroom Bret Arsenault

Cybersecurity in Higher Ed

SOC for cybersecurity

DeMystifying Data Breaches and Information Security Compliance

The University of British Columbia Board of Governors

Key Takeaways. 4. Stay calm and do no harm in an incident Overreacting can be as damaging as underreacting

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

TECHNICALLY CHALLENGED BY CYBERSECURITY RISK MANAGEMENT?

MITIGATE CYBER ATTACK RISK

Putting It All Together:

Information for entity management. April 2018

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

M&A Cyber Security Due Diligence

Why you should adopt the NIST Cybersecurity Framework

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Legal Considerations and Case Studies

Privacy, Cyber Threats and Risk Mitigation Mitigating Liability Through the SAFETY Act

Leveraging ediscovery Technology for Internal Audit 2016 Houston IIA 7th Annual Conference

SOARING THROUGH THE CLOUDS IT S A BREEZE

Compliance Program Assessment Overview of Findings. Report to the Audit and Risk Committee of the Teachers Retirement Board June 8, 2016

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

A View from Inside: Perspectives of In-House Counsel Responsible for Addressing Cyber and Data Privacy Issues

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

The Role of the Data Protection Officer

Data Privacy & Protection

How to Establish Security & Privacy Due Diligence in the Cloud

GRC SURVEY RESULT Please indicate your profession

TECHLAW AUSTRALIA. Update on cyber security and data protection. Thursday, 22 June Thursday, 22 June

Agenda. Security essentials. Year in review. College/university challenges. Recommendations. Agenda RSM US LLP. All Rights Reserved.

The Data Breach: How to Stay Defensible Before, During & After the Incident

SECURITY INCIDENT MANAGEMENT. Solution Primer. Jenn Black. Senior Research AnalystSolutions Research and Development Office of the CISO, Optiv

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Protecting your next investment: The importance of cybersecurity due diligence

Transcription:

Advising the C-Suite and Boards of Directors on Cybersecurity February 11, 2015

Agenda Introductions / Administrative Cybersecurity risk legal landscape Cyber threats Legal risks in the aftermath of a breach The role of the board in cybersecurity Board duties Shareholder demands and derivative actions Cyber risk oversight best practice guidance and regulator s view Cyber breach response 2

Presenters Jessica Corley Partner Securities Litigation Scott Ortwein Partner Corporate Transactions Kim Peretti Partner Privacy & Data Security Jim Harvey Partner Privacy & Data Security Moderator 3

The Cyber Threat Landscape From Exploitation to Disruption to Destruction 4

Fluid Dynamics of Cyber Risk Increasingly hard to keep breaches private irrespective of legal obligations (or control the disclosure). Shift from smash-and-grab to deep and prolonged access. Investigations produce uncertain results, increasing risk exposure. Detection can occur months or years after initial compromise. Evidence often not available, leaving victims unable to prove the negative. Risks: Reputational Regulatory Litigation Payment Cards 5

Board Duties Regarding Cybersecurity Cybersecurity is becoming a priority issue for boards due to large number of breaches and extensive press activity. State law governs the board s duties. Assume Delaware law for purposes of this presentation. Directors: Do not have to become experts on cybersecurity, and Are permitted (and expected) to rely on information and reports from management and others regarding cybersecurity and cyber risk. The Board should: Inform itself regarding cybersecurity risk, Be comfortable that the company has appropriate controls in place to manage that risk, and Monitor controls periodically to ensure that they are functioning as intended and that issues are being identified and addressed. 6

Practical Metrics for Board Reporting and Cyber Issues How frequently does the Board receive reports on cybersecurity and cyber risk? What reporting on cyber issues has occurred in the last twelve months? Do the reports go to: The full Board? The Audit Committee? The Risk Committee? Who reports? How? In what form? Incident Readiness and Planning Threat Intelligence Cyber Security Governance Internal and External Controls Minutes of the Board or Committee Meetings? Appropriate detail 7

The SEC is Focused on Boards and Cybersecurity 8

Third Party Guidance on Boards and Cyber Risk 9

Beware Section 220 Demands 10

Section 220 Demands (cont.) It is common to receive demands for investigation and books and records by shareholders in the post breach context. Investigation Shareholder will demand that the board investigate the breach and take action against any wrongdoers. Board hires counsel to conduct investigation. Books and Records Entitled to receive board materials related to cybersecurity and independence of the members of the board. Will negotiate a non-disclosure agreement before producing documents. Shareholder will either (1) go away, (2) file a lawsuit demanding additional materials, or (3) file a derivative lawsuit. 11

Shareholder Derivative Suits 12

Recent Shareholder Derivative Litigation Typical allegations against officers and directors in derivative litigation: Breach of the duty of loyalty and care, Wasted corporate assets, and Were unjustly enriched by the compensation they received while breaching their fiduciary duties. Cannot prevent these lawsuits, but best defense is: Regular reporting and review of controls, Appropriate governance, and Confirmation by the Board that the organization is staying abreast of evolving threats and adjusting its security posture accordingly. Very early in the life cycle of these cases final resolution is difficult to predict today. 13

Wyndham Litigation / Conflicts of Interest 14

Preventive Maintenance Disclosure? 15

D&O Insurance? 16

Cybersecurity Insurance? 17

Advising the Board During a Breach Board must gain understanding of the scope of the breach and the business and legal implications of the breach. Board involvement: Board members must become informed. Consider using a committee for daily or more regular communication (refer to incident response plan). Consider having third-party engaged in the investigation or remediation speak directly to the board or Risk Committee. Oversee management s decisions and responses. May include receiving reports on the action plan such as response times, appointment of breach czar, and action plan testing, as well as reports on containment and remediation plans. 18

Questions? 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback