
Skadden, Arps, Slate, Meagher & Flom LLP

Beijing · Boston · Brussels · Chicago · Frankfurt · Hong Kong · Houston · London · Los Angeles · Moscow · Munich · New York · Palo Alto · Paris · São Paulo · Seoul · Shanghai · Singapore · Sydney · Tokyo · Toronto · Washington, D.C. · Wilmington

Cybersecurity and Privacy 2015: Presentation to Institute of International Bankers

October 2015


THE REGULATORY ENVIRONMENT

FINRA GUIDANCE

• Published Report on Cybersecurity Practices and an Investor Alert (Feb 2015)

− Goal: help broker-dealers better prepare for and respond to threats posed by cyberattacks.

• Identifies principles and effective practices, grounded in risk management

− Recognizes that no single approach will work for all firms

• Although technology controls are discussed, the focus is on management and governance

FINRA GUIDANCE – KEY ACTION ITEMS

• Conducting a risk assessment to understand the cybersecurity risks a company faces across all activities and assets;

• Instituting a strong governance framework with strong leadership at the board and senior management levels;

• Implementing technical controls, including a "defense-in-depth" approach;

• Developing, implementing and testing incident response plans (which should include steps toward containment, mitigation, eradication, recovery, investigation, notification and making customers whole);

• Undertaking strong diligence and management of vendor relationships;

• Conducting effective training for certain staff about cybersecurity risks;

• Participating in intelligence-sharing opportunities; and

• Obtaining cyber insurance.


THE LITIGATION ENVIRONMENT


KEY LITIGATION ISSUES

• Every cyberattack results in multiple class action lawsuits – with no end in sight

− Consumers and shareholders

• Courts are split on the type of harm that is sufficient to defeat a motion to dismiss based on “standing”

− But a recent case finding standing may have shifted the landscape: Remijas v. Neiman Marcus (7th Cir. 2015)

• Potentially low bar on proving consumer exposure to cybersecurity claims (based on the tobacco litigation)

− Opperman v. Path, Inc., N.D. Cal. 2015

• Settlements have been modest so far, but this has not deterred the class action bar


THE TARGET LITIGATION

• “Around September 2013, numerous members of Target’s security staff raised concerns about what they believed to be vulnerabilities in Target’s payment card system. The vulnerabilities were due to updates being made to Target’s cash registers, presumably in conjunction with the rolling out of the FireEye security software. The warnings went unheeded and Target officials ordered no further investigation.”

• “Target could have required vendors to more closely monitor the integrity of their critical system files.”

• “Target failed to disclose to Consumer Plaintiffs and members of the Class that its computer systems and security practices were inadequate to reasonably safeguard customers’ personal and financial information and failed to immediately and accurately notify its customers of the data breach.”


THE HOME DEPOT LITIGATION

• “Despite alarms as far back as 2008, Home Depot was slow to raise its defenses ... ”

• “Home Depot failed to discover the attack and notify consumers in a timely manner”

• “Home Depot had a duty to put in place policies and procedures designed to protect and prevent the theft or dissemination of PII.”


CRITICAL STEPS TO TAKE TODAY


THE RESPONSE CLOCK HAS ACCELERATED

HISTORICAL PRACTICE

• In the past, companies often delayed notice to consumers and regulators until full forensic analysis was done

» Provided time to formulate a response and manage PR, communications and legal

» Companies often hopeful that forensics analysis would reveal notice was not required

» Sometimes delay was required by law enforcement, but this was the exception


THE RESPONSE CLOCK HAS ACCELERATED

• Today, companies face a new and pressing reality:

− Privacy advocates/activists

» Learning of breaches and threatening to go public if the company does not disclose

» Generally unsympathetic to pleas that the company needs more time to formulate its response

− Insurance plans may require prompt notice

− Regulators may demand prompt action

− Every hour of delay potentially increases liability


THE RESPONSE CLOCK HAS ACCELERATED

• When a cyberattack hits, companies cannot waste time figuring out:

− What to do

− Who should be involved

− Who should make decisions

− Which external parties (regulators, customers, etc.) should be contacted

− What is the state of the law

• Scrambling to figure out the team and an action plan once an incident occurs is inefficient and dramatically increases the risk of a misstep


THE RESPONSE CLOCK HAS ACCELERATED

• “As soon as a cyberattack hits, everyone’s IQ drops 50 points”

– A CISO of a major financial institution

• Responses to cyberattacks need to be part of the “muscle memory” of the company


WHAT SHOULD COMPANIES DO?

• The two factors with the greatest impact on reducing data breach costs

− Having an incident response plan

− Having a strong security posture

– Ponemon Institute 2014 Study


ESTABLISHING A RAPID RESPONSE TEAM

• Critical in a world where you may lose control of the response timing

• Identify team members and “project lead”

− IT, legal, compliance, security, PR/communications, HR, risk management, corporate management, government relations

− Outside counsel

• Create a playbook of how various incidents will be handled

− Determine how “incidents” will be identified

− Prioritize and classify the incident

− Establish protocols to determine who should be notified

− Establish protocols to mitigate and remediate

− Establish protocols for how incidents will be documented

− Include logistical information


ESTABLISHING A RAPID RESPONSE TEAM

• Understand state (and federal) data breach notification requirements

• Consider any international implications

• Understand regulatory disclosure obligations

• Document preservation

• Use of attorney client privilege

• Relationship with external forensic expert

• Relationship with law enforcement

• Train and update team and general population


MINIMIZING YOUR LEGAL EXPOSURE

• Class action plaintiffs and regulators cannot bring an action simply because a company was attacked

• They need a “hook” to show a company’s negligence, etc.

− The company failed to install or implement adequate security protections

− Internal or consultant recommendations were ignored

− The company “misled” customers about the level of its security

− The company did not have, or did not follow, policies and procedures (cybersecurity policies, vendor management, etc.)

− C-suite and/or board was not adequately kept apprised of security procedures

− The company took too long to provide notice of a data breach or to respond to an attack


GOVERNANCE AND CULTURE

• Strong governance over the cybersecurity and privacy function is critical

− Highlighted by every regulator and the National Institute of Standards and Technology (NIST) Framework

− Possible legal obligation to do so

− Best business practice

• Governance needs to be based on how the company normally operates

• Develop a dashboard of key facts and metrics

• A culture of security needs to start at the top


PRIVACY/CYBERSECURITY AUDITS

• Typically performed by a law firm and/or external consultant

− External advisers see issues that companies might overlook

» View each issue from a “what if” lawsuit perspective

− “Good fact” in the event of a litigation

− External advisers have the benefit of seeing best practices at other companies

− Provides regulators with comfort

PRIVACY/CYBERSECURITY AUDITS

• Key Steps:

− Where is data coming into the company?

− How is data used and what controls are in place?

− How are security decisions made and implemented?

− Do internal and external privacy policies align with actual practice?

» Very often they do not

− What is the company saying about its security practices?

− What is the company disclosing in its public filings?

− How are company executives and board members kept informed?

− How mature is the privacy and cybersecurity program?

− What sort of training/retraining is provided?

• Critical Step: Need to act on audit recommendations


CORPORATE GOVERNANCE

THE ROLE OF THE BOARD AND DISCLOSURES

CYBER RISKS AND THE BOARDROOM

“[B]oards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk – and there can be little doubt that cyber-risk also must be considered as part of [a] board’s overall risk oversight.”

– SEC Commissioner Luis A. Aguilar, “Cyber Risks and the Boardroom,” NYSE Conference, June 10, 2014

CYBER RISKS AND THE BOARDROOM

• National Association of Corporate Directors (NACD), together with AIG and the Internet Security Alliance, has identified five steps all corporate boards should consider to enhance their oversight of cyber risks:

− Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue

− Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances

− Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda

− Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget

− Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach