Understanding Cybersecurity Risks: Issues & Trends
Association of Corporate Counsel © 2015

Our questions…
• "What should my company do to prepare for a data-related incident?"
• "What can I do to help manage risks while supporting innovation?"
Sources:
– "Why Most Cybersecurity Happens Outside the CISO's Office," Wall Street Journal Blog (June 23, 2015)
– ACC Docket, "Cybersecurity: Emerging Trends and Regulatory Guidance" (May 2015)

Understanding Cyber Risk
• Goal of cybersecurity = protect the assets that allow the business to perform
• Cyber risk = probability of a threat exploiting a weak point in those assets
• Attackers, motives, and attacks = varied and constantly evolving
• Status update:
– Cyber threats increasing in frequency, scale, sophistication, and severity
– Unpreparedness remains high
– Prediction: "ongoing series of low-to-moderate level cyber attacks * * * that impose cumulative costs on US economic competitiveness and national security." (Worldwide Threat Assessment of the U.S. Intelligence Community)
• Potential impact: stakes include reputational harm, shareholder stock price, continuity of operations, overall confidence, and liability

Where Threats May Exist
• Enterprise level
• "Internet of Things"
• Point-of-sale registers
• Vendors
• Employee Wi-Fi printers
• Hackers
• Personal email accounts
• Social media
• Employee smartphones

Managing Risk Collaboratively
Cyber risk sits at the center; the functions around it share responsibility:
• Human Resources
• Accounting
• Information Technology
• Payroll
• Sales/Customer Service
• Legal
• Cyber-risk committees
• Board
• Company culture
• Public Relations

Key Cybersecurity Milestones
• February 12, 2013:
– Executive Order 13636 calling for voluntary consensus standards and industry best practices
– Presidential Policy Directive 21 calling for greater research and development work, including a focus on better protections and partnerships
• February 12, 2014:
– National Institute of Standards and Technology (NIST) Cybersecurity Framework is released
• Throughout 2013 and 2014:
– Target, Home Depot, Community Health Systems, JPMorgan and Sony Pictures all publicly disclose massive cybersecurity attacks.
– Federal Financial Institutions Examination Council (FFIEC) recommends the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Key Cybersecurity Milestones (cont'd)
• Thus far in 2015:
– More breaches: Anthem (records of 80 million exposed); OPM (records of millions exposed – number disputed)
– White House continues activity:
• Proposes Personal Data Notification & Protection Act (January 2015)
• Proposes Student Digital Privacy Act (January 2015)
• Reintroduces draft of Consumer Privacy Bill of Rights (February 2015)
• Issues EO 13691 (February 2015) – calling for development of information sharing organizations, voluntary standards for information organizations, and liability protections for companies that share
– House approves Cybersecurity Bill (April 2015) – allows for information sharing with the federal government and includes liability protections
– DOJ issues guidance: "Best Practices for Victim Response and Reporting of Cyber Incidents"

Sector-by-sector Regulation in the US
Key Agencies
• Federal Trade Commission
• Department of Health and Human Services
• Office of the Comptroller of the Currency
• Securities and Exchange Commission
• Department of Justice
• Federal Deposit Insurance Corporation
• State AG offices and insurance regulators
Key Laws (and Agency Guidance)
• Gramm-Leach-Bliley Act
• HIPAA
• SOX
• Fair Credit Reporting Act
• Children's Online Privacy Protection Act
• Privacy Act
• Electronic Signatures in Global and National Commerce Act
• Federal Information Security Management Act
• Homeland Security Act of 2002
• SEC and DOJ Guidelines
• FTC Act?

Highlight: Federal Trade Commission (FTC) Role in Cybersecurity
• 50+ enforcement actions in the past 15 years relating to data security
– Mostly administrative actions
– Mostly resolved through consent orders and long-term supervision
– Other cases filed in federal court pursuant to injunctive authority
• FTC enforcement authority comes primarily from Section 5 of the FTC Act
– Also from the Children's Online Privacy Protection Act (COPPA), Gramm-Leach-Bliley (GLB) and the Fair Credit Reporting Act (FCRA)
• Section 5: "unfair" and "deceptive" trade practices
– Deceptive (historical and most common): challenge allegedly false data security representations (e.g., Fandango, Credit Karma)
– Unfair (most recent): the FTC's minimum cybersecurity standards for companies collecting personal information

Highlight: Federal Trade Commission (FTC) Role in Cybersecurity
• What's "unfair":
– Failure to encrypt, establish log-in protocols, protect against commonly known attacks, and provide cybersecurity training…
• Remedying violations through consent orders:
– Comprehensive information security program
– Independent risk assessments
– Periodic reporting back to the FTC
• Watch: whether the Third Circuit will curtail FTC authority
– FTC v. Wyndham Worldwide Corporation, et al., 2014 WL 2812049 (D.N.J.)
– Interlocutory appeal before the Third Circuit

Highlight: Federal Trade Commission (FTC) Role in Cybersecurity (cont'd)
• FTC Recommendations – 2012 Privacy Report
– Privacy by design
– Simplified choice: offer choices at a time and in the context in which the consumer is making the decision
– Transparency: shorter, clearer privacy notices
• Other recommendations
– Use commonly used and readily available data security measures
– Have a privacy policy in place
– Review consumer assurances for alignment with actual security
– Scrutinize data management often
– Follow FTC complaints and consent decrees

NIST Cybersecurity Framework
• What it is: a set of voluntary standards and best practices to help organizations with critical infrastructure manage cyber risk
• Key attributes: any sector; any industry; common vocabulary; common concepts; envisioned for international compatibility
• Three parts:
– Core: common activities and desired outcomes
– Tiers: context for understanding the organization's view of cyber risk and its processes to manage risk
– Profile: actual outcomes against business needs
• Basis of future regulation? Still a concern…

NIST Cybersecurity Framework (cont'd)
• How in-house counsel can use it
– Understand the company's alignment with best practices
– Raise awareness and communicate with stakeholders
– Understand and share information across functions and BUs
– Use as a basis for due diligence or evaluation criteria with service providers
– Provide high-level education to senior execs and board members
– Foresee how the "standard of care" may evolve
– And many other ways…

Briefly on Breach Notification
• Patchwork everywhere:
– United States:
• States and territories have laws, except AL, SD, and NM
• Federal: depends on industry and regulatory guidance
– International:
• Some nation-states take a comprehensive approach
• Other nation-states have a sectoral approach for specific industries
• Data protection authority guidance
• Implied by notice/consent requirements of privacy laws
• Still awaiting: harmonized data privacy regulations from the EU Commission
• Timing is everything:
– Timely internal notice to the incident response team and external response team; retaining a third-party forensic firm; and managing notice components

Hypothetical Scenario
• The FBI discovers personally identifiable information (PII) of your company's employees (including those in the UK) as well as 300,000 customers posted on Pastebin
• The FBI formally notifies your company and requests an onsite visit to further discuss the apparent breach
• On the same day, the corporate anonymous hotline receives allegations of an insider possibly facilitating a data breach that may be linked to the FBI notification
What should your company have done prior to this incident?

Practical Considerations: Pre-incident
Establish a working group; use guidelines (e.g., NIST Framework). The Framework's functions map onto the incident timeline:
• Pre-incident: Identify, Protect, Detect
• Incident: Respond
• Post-incident: Recover

Practical Considerations: Pre-incident
Identify:
• Assets:
- Data, devices, systems and facilities
• Governance
- Risk manager: CISO/CIO
- Planning team: Legal, data privacy and security experts, HR, IT, CFO, Marketing and Product Development
- Plan, train and conduct table-top exercises
- Decision-making structure
- Information security policies
- Data breach regulations and notification obligations
- Establish ongoing relationships with relevant entities (regulators, industry peers, FBI, Department of Homeland Security)

Practical Considerations: Pre-incident
Identify (cont'd):
• Perform a risk assessment?
- Threats and vulnerabilities
- Potential business impacts
- Determine risk based on threats, vulnerabilities, likelihoods, and impacts
• Establish a risk management strategy
- Determine priorities
- Determine risk tolerance
• Establish a response plan

Practical Considerations: Pre-incident
Key "Protect" considerations:
• Who has access? Employees and vendors
• Access controls?
• Training program/exercise group
• Insurance
• Measures to protect data-at-rest and data-in-transit?
• Vendor security policy? Due diligence, contractual obligations, supply chain
• Key policies? Internal investigation, computer use, computer monitoring, bring your own device (BYOD), cloud computing, other emerging technologies

Practical Considerations: Pre-incident
Key "Detect" considerations:
• Is anomalous activity being detected? How?
• How are the network and physical environment being monitored?
• "Privacy by design"
• Detection team?
- Clear roles and back-ups
- Clear criteria on reporting detections

Practical Considerations: Incident
Key "Respond" considerations:
• Incident response team
- Clear roles, back-ups and order of operations
- E.g., IT, Legal, customer service dept., Corporate Relations and Government Relations
• External providers – IT forensics, mailing houses and call center providers, external counsel, credit monitoring service providers
• Forensics report and assessment
• Contain the breach

Practical Considerations: Incident (cont'd)
Key "Respond" considerations (cont'd):
• Notification
- To whom: consider law enforcement/Department of Homeland Security; C-suite; customers/employees; regulators (e.g., insurance departments, attorneys general, etc.); media
- When
• Cooperation with regulators

Practical Considerations: Post-incident
• Prepare for claims against the company
- FTC, state insurance departments, attorneys general and class actions
• Consider bringing civil claims against attackers or cooperating with criminal prosecution
• Consider pursuing insurance coverage
• Document lessons learned and review security-related policies and processes
• Document diligence

"What should my company do to prepare for a data breach and how can I help?"
– Understand the company's exposure to cyber threats
– Understand where the company's vulnerabilities may exist
– Ensure Legal is represented on the Security Policy Planning Committee
– Prepare and coordinate with stakeholders
• Lead by identifying legal requirements and proposing ways to limit risk
• Consider insurance options
• Consider data sharing proposals
– Develop a strong plan
• Include a focus on preserving evidence
• Include possibilities for media response

Contact Information/Follow-Up
[Speaker's name]
[Title]
Association of Corporate Counsel
1025 Connecticut Ave NW, Suite 200
Washington, DC 20036
202-293-4103

THANK YOU!
Association of Corporate Counsel