SEC Cybersecurity Disclosure Guidance: Risks and Strategies

Uploaded by: co3-systems

Posted on 22-Jan-2015

DESCRIPTION

What to say and when to say it: the stakes don't get any higher than with public filings about cyber security risk and incidents. Learn what the SEC expects in the way of periodic filing disclosures, when you do and don't have to disclose a cyber incident, and how lawyers and security professionals can get on the same page so the right thing is disclosed at the right time. Our featured speakers for this timely webinar will be:

- Rick Olin, CIPP/US; Counsel, GTC Law Group
- Gant Redmon, CIPP/US; General Counsel, Co3 Systems

Are you a CIPP holder (CIPP/US, CIPP/C, CIPP/E, CIPP/G or CIPP/IT)? Attend this webinar for CPE credit.

TRANSCRIPT

Slide 1: SEC Cybersecurity Disclosure Guidance: Risks and Strategies

Slide 2: Introductions: Today's Speakers
- Rick Olin, CIPP/US; Counsel, GTC Law Group
- Gant Redmon, CIPP/US; General Counsel, Co3 Systems

Slide 3: Agenda
- Introductions
- Basis of SEC Cybersecurity Disclosure Guidance
- Current SEC Disclosure Guidance
- What Companies Are Doing
- Potential Changes to Disclosure Guidance
- Proactive Steps to Consider
- Other Considerations
- Final Thoughts/Recommendations
- Q&A

Slide 4: Co3 Automates Incident Response
PREPARE: Improve Organizational Readiness
- Assign response team
- Describe environment
- Simulate events and incidents
- Focus on organizational gaps
ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
- Track events
- Scope regulatory requirements
- See $ exposure
- Send notice to team
- Generate impact assessments
MANAGE: Easily Generate Detailed Incident Response Plans
- Escalate to complete IR plan
- Oversee the complete plan
- Assign tasks: who/what/when
- Notify regulators and clients
- Monitor progress to completion
REPORT: Document Results and Track Performance
- Document incident results
- Track historical performance
- Demonstrate organizational preparedness
- Generate audit/compliance reports

Slide 5: About GTC
- GTC Law Group specializes in IP Strategy, Mergers & Acquisitions, and Business & Technology Transactions for IP-centric companies and institutions worldwide.
- Founded in 2002 in response to overwhelming client demand for a strategic approach to IP counseling and transactions.
- Broad range of clients, including Fortune 500 enterprises, technology start-ups, venture capital firms, entrepreneurs, and industry consortia across the spectrum of IP-intensive sectors, including software, hardware, life sciences, financial services, Internet, media & entertainment and energy.
- Strategic partners for Data Privacy and Security.

Slide 6: Basis of SEC Cybersecurity Disclosure Guidance
U.S. Securities Laws: High Value Placed on Transparency
- Goal is a level playing field: equal access to information that might affect an investment decision.
- Prohibits trading on material non-public information.
- Historically, the SEC has required disclosure of any information that would have a material effect on a company's performance.
- Materiality is determined in light of the "total mix" of information available; it is defined as any information that a reasonable investor would find important in deciding whether to purchase or sell a security.
SEC Guidance on Cybersecurity
- Released in October 2011 by the Division of Corporation Finance.
- "This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content."
- Even though it is advisory in nature, registrants/reporting companies would be prudent to consider enhanced disclosure.
- Provides clearer guidance on material risks.

Slide 7: Basis of SEC Cybersecurity Disclosure Guidance
A Cyber Incident Could Affect Company Stock Performance
- Damage to the company's brand
- Risk of class-action securities litigation
- Private causes of action
- Even if there is no harm to operations, an incident may lower confidence in the company
- Remediation costs and lost revenue
- SEC enforcement
- Bottom line: potential adverse impact on company stock price

Slide 8: Basis of SEC Cybersecurity Disclosure Guidance
Objectives and effects of cyber attacks. Cyber attacks are most commonly targeted at one of three objectives:
- Stealing Proprietary Business Information: trade secrets, data, and other business information.
- Financial Information and Identity Theft: attackers often seek to acquire credit card numbers, SSNs and bank account information.
- Harming a Competitor: some attacks are intended to disable or disrupt a competitor's operations.

Slide 9: Current SEC Disclosure Guidance: Operative Definitions
- Cybersecurity: the SEC Guidance uses this definition: "the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access"; and it notes that a cyber incident can result from deliberate attacks or unintentional events.
- Cyber incident: two major categories, (a) unauthorized access and (b) disruption of functionality:
  - Unauthorized access: an incident in which a party not authorized to access a digital system gains access to proprietary or other sensitive information; may be the result of deliberate acts or unintentional events.
  - Disruption of functionality attacks, also known as denial of service attacks: efforts to limit the functionality of data processing, storage, and transmission systems, such as web sites through which orders are processed; these generally involve programs that send high volumes of repeated queries to targeted sites.

Slide 10: Current SEC Disclosure Guidance: General Disclosure Tenets
- Fact-specific Inquiry: the disclosure requirements related to cyber incidents should reflect the reporting company's specific facts and circumstances, as well as the existing securities laws. As to the latter, as with any reporting disclosure:
  - Timeliness/Accuracy: disclosure must be timely, comprehensive, and accurate about risks and events that a reasonable investor would consider important to an investment decision.
  - Context: material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.
  - Ongoing Review: as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

Slide 11: Current SEC Disclosure Guidance: General Disclosure Tenets (continued)
Factors to consider in determining disclosure obligations:
- Relative Significance: whether a security incident may be among the most significant factors that make an investment in the company speculative or risky; factors particular to a business or the type of business, rather than risks that could apply to any business.
- Incident Impact and History: when conducting this evaluation of its cybersecurity risk profile, a reporting company must examine the risks of such an incident, prior cyber incidents, and the severity and frequency of such incidents.
- Likelihood of Future Incidents: a registrant should also analyze the likelihood of additional incidents occurring in the future, and the impact of such incidents on the company.
NOTE: A company need not disclose risks that are generic in nature or details that would likely compromise its cybersecurity efforts.

Slide 12: Current SEC Disclosure Guidance: Specific Disclosure Requirements
There are a number of specific disclosure requirements under existing regulations that may require a discussion of cybersecurity risks and cyber incidents in (i) Registration Statements, (ii) Periodic Reports and (iii) Material Event Reports:
- Risk Factors
- Management's Discussion and Analysis
- Legal Proceedings
- Description of Business
- Financial Statement Disclosures
- Other Disclosures

Slide 13: Current SEC Disclosure Guidance: Specific Disclosure Requirements (continued)
- Risk Factors: following evaluation of the company's overall cybersecurity risk profile, and consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures, the cybersecurity risk disclosure provided must generally adequately describe the nature of the material risks and specify how each risk affects the registrant. To the extent material, appropriate disclosures may include: discussion of aspects of operations that give rise to material risks; outsourced security functions; past cybersecurity incidents and the costs of remediating those incidents; risks of undetected cybersecurity incidents; and relevant insurance coverage that might cover such an incident.
- Management's Discussion and Analysis: a company should address cybersecurity risks and incidents in MD&A if the costs or other consequences associated with one or more known incidents, or the risks of potential incidents, represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the company's financial position. For example, if critical intellectual property is stolen, a company will want to evaluate the materiality of the theft and whether to disclose that the information was stolen and the potential effect on the company's financial condition.

Slide 14: Current SEC Disclosure Guidance: Specific Disclosure Requirements (continued)
- Legal Proceedings: legal proceedings involving a cyber incident may need to be disclosed, and the disclosure would include the name of the court, the date the suit was instituted, the principal parties, a description of the allegations, and the damages sought.
- Description of Business: in determining whether to include disclosure regarding cybersecurity incidents in this section of its filings, a registrant should consider the impact on each of its reportable segments. As an example, if a registrant has a new product in development and learns of a cyber incident that could materially impair its future viability, the registrant should discuss the incident and the potential impact to the extent material.
- Financial Statement Disclosures: cybersecurity risks and cyber incidents may have a broad impact on a registrant's financial statements, depending on the nature and severity of the potential or actual incident.

Slide 15: Current SEC Disclosure Guidance: Specific Disclosure Requirements (continued)
Other Disclosures: in addition to the foregoing specific areas to be considered, the SEC guidance requires consideration of:
- Prevention Costs: the substantial costs that may be incurred to prevent cyber incidents, and the accounting for the capitalization of these costs to the extent that such costs are related to internal-use software.
- ASC 605-50, Customer Payments and Incentives: to ensure appropriate recognition, measurement, and classification of any incentives provided to customers by the company in its efforts to mitigate damages from a cyber incident.
- ASC 450-20, Loss Contingencies: to determine when to recognize a liability if losses (such as losses related to claims based on breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts) are probable and estimable.
- Effectiveness Assessment: conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant's ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.

Slide 16: POLL

Slide 17: What Other Companies Are Doing: Trends and Patterns
Companies are still in the process of adjusting to this guidance, so it is still too early to assess the long-term practical effect. At this stage two trends have emerged:
- Disclosure of Risk by Financial Companies and Some Other Large Companies: many companies, particularly financial institutions, have acknowledged the risk posed by cyber security breaches in their periodic filings, and some have acknowledged that they have been the victims of cyber attacks, but these reports do not generally acknowledge those attacks having had a material effect on financial performance.
- Few Disclosures of Actual Breaches: although companies are disclosing the risk of breach, few are disclosing actual breaches in SEC filings. In cases where companies have been required by state law to disclose such breaches, the SEC has inquired why there was not also an 8-K disclosure.

Slide 18: Trends and Patterns
The Willis Fortune 500 Cyber Disclosure Report 2013 tracked responses to the SEC Guidance by Fortune 500 companies. Key findings include (as of April 2013):
- ~85% of Fortune 500 companies were following the SEC guidelines by providing some level of disclosure of cyber exposures.
- ~40% of Fortune 500 companies failed to provide details on the size of their exposure, stating only that the risk would have an impact on the company without further discussing the extent of the impact.
- The report concludes that there is "questionable disclosure compliance with SEC's mandated level, given the lack of disclosure on probability of incidents and their quantitative and qualitative magnitude."

Slide 19: What Other Companies Are Doing: Example of Annual Disclosure (Risk Factor)
Goldman Sachs's 2012 10-K acknowledges that it has been the target of cyber attacks, but does not specify whether any of those attacks were successful:
"We are regularly the target of attempted cyber attacks, including denial-of-service attacks, and must continuously monitor and develop our systems to protect our technology infrastructure and data from misappropriation or corruption. Although we take protective measures and endeavor to modify them as circumstances warrant, our computer systems, software and networks may be vulnerable to unauthorized access, misuse, computer viruses or other malicious code and other events that could have a security impact. If one or more of such events occur, this potentially could jeopardize our or our clients' or counterparties' confidential and other information processed and stored in, and transmitted through, our computer systems and networks, or otherwise cause interruptions or malfunctions in our, our clients', our counterparties' or third parties' operations, which could impact their ability to transact with us or otherwise result in significant losses or reputational damage. The increased use of mobile technologies can heighten these and other operational risks. We expect to expend significant additional resources on an ongoing basis to modify our protective measures and to investigate and remediate vulnerabilities or other exposures, and we may be subject to litigation and financial losses that are either not insured against or not fully covered through any insurance maintained by us."

Slide 20: What Other Companies Are Doing: Example of 8-K Disclosure
Selective Insurance Group's February 5, 2013 8-K filing reads more like an annual report's risk disclosure than an acknowledgement of a specific attack:
"We are subject to attempted cyber-attacks and other cybersecurity risks. The nature of our business requires that we store and exchange electronically with appropriate parties and systems significant amounts of personally identifiable information that may be targeted in an attempted cybersecurity breach. In addition, our business is heavily reliant on various information technology and application systems that may be impacted by a malicious cyber-attack. These cyber incidents may cause lost revenues or increased expenses stemming from reputational damage and fines related to the breach of personally identifiable information, inability to use certain systems for a period of time, loss of financial assets, remediation and litigation costs and increased cybersecurity protection costs. We have developed and continue to invest in a variety of controls to prevent, detect and appropriately react to such cyber-attacks including periodically testing our systems security and access controls. However, cybersecurity risks continue to become more complex and broad ranging and our internal controls provide only a reasonable, not absolute, assurance that we will be able to protect ourselves from significant cyber-attack incidents. By outsourcing certain business and administrative functions to third parties, we may be exposed to enhanced risk of data security breaches. Any breach of data security could damage our reputation and/or result in monetary damages, which, in turn, could have a material adverse effect on our results of operations, liquidity, financial condition, financial strength, and debt ratings. Although we have not experienced a material cyber-attack, we recently purchased insurance coverage to specifically address cybersecurity risks. The coverage provides protection up to $20 million above a deductible of $250,000 for various cybersecurity risks including privacy breach related incidents."

Slide 21: What Other Companies Are Doing: Examples of SEC Responses
In response to press reports that Morgan Stanley had experienced cyber attacks, the SEC sent an inquiry letter that appears to go beyond the guidance by requiring the disclosure of a cyber attack that did not result in a material operating impact. Here is an excerpt:
"We note your response to comment 1 in our letter dated June 22, 2012. Based on your response it appears that you may have experienced one or more security breaches or cyber attacks that did not result in a material adverse effect on your operations. If true, beginning with your next periodic filing, please simply state this fact so investors are aware that you are currently experiencing these cyber risks."
Similarly, the SEC requested that Freeport disclose any cyber attacks that it experienced:
"In future filings, beginning with your next Form 10-Q, please provide risk factor disclosure describing the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary. If you have experienced any cyber attacks in the past, please state that fact in any additional risk factor disclosure in order to provide the proper context."

Slide 22: POLL

Slide 23: Potential Changes to Disclosure Guidance: Prospects for Legislation
- During the last term, Congress considered a bill (S. 3414) that would have required the SEC to examine its cybersecurity regulations and to issue annual reports to Congress on cybersecurity enforcement activity for five years.
- That bill's lead sponsor, Sen. Lieberman, has since retired and no similar legislation has been filed.
- Current Senate Commerce Committee Chairman Jay Rockefeller was a co-sponsor of that legislation and has expressed a keen interest in the issue, so it is reasonable to speculate that a failure of the SEC to move forward with new regulations could lead Chairman Rockefeller to file legislation that would require such action.

Slide 24: Potential Changes to Disclosure Guidance: Possible SEC Regulations
April 9, 2013 letter from Sen. Rockefeller to SEC Chairman White:
- Given the growing significance of cyber security on investors' and stockholders' decisions, the SEC should elevate this guidance and issue it at the Commission level as well.
- "While the staff guidance has had a positive impact on the information available to investors on these matters, the disclosures are generally insufficient to discern the true costs and benefits of companies' cybersecurity practices."
Chairman White's May 1, 2013 response letter:
- A review commenced in early 2012 resulted in staff comments to ~50 public companies of varying size and in a wide variety of industries.
- She has asked the staff to provide her with a briefing on current disclosure practices and overall compliance with the guidance, as well as any recommendations for further action.
- Although there is no commitment to specific changes (or to the need for any changes), there is a widely held expectation that the SEC will issue expanded cyber security guidance.

Slide 25: Proactive Steps to Consider: Conduct a Risk Profile Analysis
- For certain businesses it is prudent to conduct a risk profile analysis to determine the potential impact of a cybersecurity incident, and to examine current filing disclosures to evaluate whether they are appropriate and sufficient under the SEC guidance.
- If your company collects, processes or stores sensitive data, such as financial or healthcare information, your disclosure should likely be enhanced to address risks related to a cyber incident.
- Such an analysis should consider two distinct types of exposure: (1) operational risk and (2) compliance risk.
- Operational Risk considers a company's use of sensitive data and asks what the effect of a successful cyber attack on the company would be. For purposes of this analysis, it is helpful to explore scenarios involving different types of cyber incidents (e.g. loss or theft of proprietary data, and disruption of functionality) in light of the specific types of sensitive information held (including customer information, credit cards, financial information, health care records, social security numbers, intellectual property, strategy documents, etc.).

Slide 26: Proactive Steps to Consider: Compliance Risk
There are two distinct types of compliance risk to evaluate: (a) pre-attack disclosures and (b) incident reporting.
- Pre-attack Disclosures: failure to report vulnerability to cyber attacks in annual filings could constitute a breach of the duty to disclose material information. Although such a failure might be harmless, it could also lead to SEC enforcement actions. These actions often begin with a comment letter, but can escalate to full-scale investigations resulting in costly litigation and potential fines and injunctions, as well as referral of violations to other agencies and departments, including FINRA, the FTC, and the DOJ. Shareholder litigation is also possible if the value of a stock declines following a subsequent cyber attack (after a failure to disclose the risk).
- Incident Reporting: the decision whether to disclose involves a delicate balancing act between providing investors with material information and not giving cyber attackers a road map to vulnerabilities. Acknowledging the attacks without going into detail on the attacks may be appropriate, depending upon the operational effect of the attack. Generally, disclosure at the state level should be evaluated in the context of SEC requirements.

Slide 27: Proactive Steps to Consider: Consider Risk Mitigation Strategies
Once cybersecurity risk has been analyzed, a number of risk mitigation strategies are available. Although disclosure may mitigate enforcement risk, there are a number of ways to mitigate operational risk. Two areas in particular should be examined:
- Operational Changes: an operational risk may often be mitigated through operational changes, such as using more advanced encryption, setting up back-up servers to assist in resisting a denial of service attack, outsourcing data services to a more secure provider, or even opting not to store certain types of highly sensitive data in digital form.
  - Contractual obligations may need to be amended to make these operational changes.
  - These operational exposures should be considered when drafting and negotiating contracts, which may also help to shift risks to partners better able to manage them.
  - Prioritization of cyber security through staffing adjustments, training, and education is also a useful tool to consider. For example, some companies have designated a person within their IT departments as having responsibility for developing and implementing a cybersecurity policy.

Slide 28: Proactive Steps to Consider: Insurance
Insurance is the most direct approach to mitigating cyber security risk. Important considerations include:
- whether current insurance would cover all forms of cyber security attack (including the terms and exclusions);
- whether further insurance would make sense, keeping in mind that other risk mitigation measures may lower the cost of such insurance.
Generally, traditional business insurance does not fully cover cyber attacks:
- It offers only limited coverage for a number of cybersecurity-related exposures, such as revenue lost during disruption of functionality/denial of service attacks, the cost to recover lost data, exposure of proprietary information, and expenses associated with recovering from cyber attacks.
- It often offers no coverage for other cyber attack exposures, including defending regulatory actions (including SEC suits), providing notification to users whose private data has been breached, and compensating data subjects who have been harmed by the security breach (e.g. through theft of their credit card numbers or private information).
Cyber insurance policies that provide robust coverage for all of these areas are available and may be a prudent investment depending upon the level of exposure and the company's risk tolerance.

Slide 29: Other Considerations: Impact on Directors and Officers
- Directors and officers should be active participants in the cybersecurity discussion, both for purposes of developing effective risk mitigation strategies and because directors who do not actively consider cybersecurity issues in planning company operations may forfeit the protection of the business judgment rule and be exposed to liability. One approach to this issue is to include cybersecurity updates in reports to the board of directors on a regular basis.
- If the Disclosure Committee does not have an IT/Security representative, consider adding that resource.

Slide 30: Other Considerations: Related State Laws
- In addition to SEC reporting requirements, most states have enacted laws requiring companies to report breaches where certain personally identifiable information is accessed.
- Although it is possible that breaches could affect a company financially without involving the breach of files containing personal information, many breaches will likely need to be reported: to state officials (AG or Secretary of State); to data subjects; to the media; or to others.
- When such a state disclosure is required, it may prompt the need for disclosure to the SEC to avoid partial dissemination (selective disclosure) of material information. This determination will turn on the materiality assessment; also consider whether the state disclosure is public.

Slide 31: Final Thoughts/Recommendations
Disclosure of Risk
- Ensure you right-size the risk disclosure to your business: balance between overkill and boilerplate.
- Although some sectors (e.g. financial) have greater potential exposure than others, virtually all large companies bear some risk.
Disclosure of Actual Breaches
- The SEC Guidance suggests that actual breaches should be disclosed when they take place via an 8-K filing.
- Reactive 8-K disclosure could compromise ongoing incident investigations.
- Differing requirements could lead to inconsistencies in notices, with associated litigation risks and Unfair/Deceptive Acts & Practices exposure.
- The guidance is advisory only; it appears few companies have followed it. The SEC is currently considering strengthening this guidance, potentially making it a binding rule.
- Contractual obligations may decrease notice threshold(s).
Consequences of Failure to Disclose
- The SEC may take enforcement action against a company that fails to disclose material information.
- A decrease in stock price may spawn class-action securities lawsuits.

Slide 32: QUESTIONS

Slide 33: Contact
Co3 Systems, One Alewife Center, Suite 450, Cambridge, MA 02140; phone 617.206.3900; www.co3sys.com
Rick Olin, CIPP/US; Counsel, GTC Law Group; [email protected]