“This threat to our country’s economic and national security, and to companies’ bottom line, is real and it is growing.”
Jay Rockefeller, Senator & Commerce Committee Chairman, in a letter to the Chairman of the SEC, April 9, 2013
Sources:
http://thehill.com/blogs/hillicon-valley/technology/292919-rockefeller-asks-sec-to-step-up-cybersecurity-disclosures
http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-us-corporations.html?pagewanted=all&_r=0
http://www.bloomberg.com/news/2013-05-14/iran-based-hackers-traced-to-cyber-attack-on-u-s-company.html
techland.time.com/2013/09/26/major-u-s-data-providers-hit-by-cyber-attacks/
http://www.npr.org/blogs/alltechconsidered/2013/08/30/217296301/firms-brace-for-possible-retaliatory-cyberattacks-from-syria
• Cybercrimes are widespread, systemic and insidious
• Annual cost is approximately $100 billion per year
• Double-digit year-over-year growth in incidents
• 90% of U.S. companies surveyed had detected computer security breaches *
• 74% acknowledged financial losses as a result
*Source: 2011 Computer Security Institute survey
(April 23, 2014)
• Nearly 200 breaches of payment systems used by retailers, hotels and restaurants
• Cyber education and “hygiene” critical in protecting payment systems
• Harm to business, “franchise” risk, company valuation, stock price, etc.
• Long-term financial and business damage
• Theft of valuable intellectual property and business plans
• Theft of customer data and funds
• Disruption of critical operations and corporate web sites
• Headline and reputational harm
Financial losses for company
• Average cost of $500,000 and 24 days to identify and resolve an attack [1]
• Cyber crime cost companies $300bn - $1 trillion total in 2013 [1]
Financial losses for shareholders
• ~5% drop in share price for public companies [2]
Brand reputation
• Value of brand can decline 17-31%, depending on nature and industry [3]
Your reputation
Sources:
2: “Anatomy of data breaches and their impact on market value,” Electronic International Interdisciplinary Conference 2012 http://www.eiic.cz/archive/?vid=1&aid=2&kid=20101-131
3: Ponemon Institute, Reputation Impact of Data Breach, October 2011 http://www.scmagazine.com/breaches-lead-to-major-reputation-brand-damage/article/215595/
• Governmental investigations and sanctions (SEC, DOJ, State Attorneys General, FTC, etc.)
• Consumer litigation
• Class action lawsuits
• Shareholder derivative demands
• Special Board/Litigation Committees and potential claims against the corporation
Cyber Intelligence Sharing & Protection Act
To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.
Passed House of Representatives in April; Senate will not vote but is drafting competing legislation
White House Executive Order – Improving Critical Infrastructure Cybersecurity (February 12, 2013)
Establishes a top-to-bottom review of the federal government’s efforts to defend our nation’s information and infrastructure
In conjunction, SEC Division of Corporation Finance issued guidance instructing companies to disclose cyber attacks or risks associated with breaches if such attacks or breaches are likely to be material to investors
• Detailed, step-by-step Incident Response Plan
• Analysis of insurance policies to determine coverage
• Legal counsel and key service providers “on speed dial”
• Crisis communication strategy and trained spokespeople
• Government affairs/communications with regulators
• Readiness exercises that simulate an actual attack
• Business continuity planning
• Security audits of key vendors
• Litigation and regulatory preparedness
Detailed, step-by-step Incident Response Plan
Adequate insurance coverage (consider Cyber policy)
Legal counsel and other service providers “on speed dial”
Crisis communication and Litigation strategies
Government affairs/communications with regulators
Readiness exercises that simulate an actual attack
Business continuity planning
Security audits of key vendors
Establish ‘tone from the top’ through top-level policies
Review roles and responsibilities; ensure risk/accountability shared throughout organization
Ensure regular information flows to executives and board, including cyber incidents and breaches
Review annual IT budgets for privacy and security, separate from CIO’s budget
Conduct annual reviews of enterprise security program, review findings, ensure gaps and deficiencies are addressed
Evaluate adequacy of security around board materials and communication
Source: Governance of Enterprise Security: How Boards & Senior Executives are Managing Cyber Risks, CyLab 2012 Report
Board material delivery options compared:
• In-person at time of meeting
• Courier delivery
• Unsecure cloud file sharing services
• Mobile app / PDF reader
• Secure email
• Internal portal
• PDF-based portal
• Secure board portal
Key concerns
• Privacy
• Limited administrator control
• Hacking and other security vulnerabilities
• Purchase of additional secure container technology
• Control access to data
• Data encrypted in transit and on all devices
• Does not track Director’s electronic footprint
• Regular, repeated third-party audits and penetration testing
• Local redundancy, data back-up and recovery
Ensure that privacy and security requirements for vendors are based upon key aspects of your organization's security program
Carefully review internal and vendor notification procedures in the event of breach or security incident