Advising Florida’s Students Florida’s Official Student Advising Web site!
Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising...
Transcript of Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising...
![Page 1: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/1.jpg)
Advising the C-Suite andBoards of Directors on Cybersecurity
February 11, 2015
![Page 2: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/2.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Agenda
Introductions / Administrative
Cybersecurity risk legal landscape
Cyber threats
Legal risks in the aftermath of a breach
The role of the board in cybersecurity
Board duties
Shareholder demands and derivative actions
Cyber risk oversight – best practice guidance and regulator’sview
Cyber breach response
2
![Page 3: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/3.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Presenters
Jessica CorleyPartner
Securities Litigation
Scott OrtweinPartner
Corporate Transactions
Kim PerettiPartner
Privacy & Data Security
Jim HarveyPartner
Privacy & Data Security
Moderator
3
![Page 4: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/4.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
The Cyber Threat Landscape
From Exploitation to Disruption to Destruction
4
![Page 5: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/5.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Fluid Dynamics of Cyber Risk
Increasingly hard to keep breaches private irrespective of legal obligations(or control the disclosure).
Shift from smash-and-grab to deep and prolonged access.
Investigations produce uncertain results, increasing risk exposure.
Detection can occur months or years after initial compromise.
Evidence often not available, leaving victims unable to “prove thenegative.”
Risks:
Reputational
Regulatory
Litigation
Payment Cards
5
![Page 6: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/6.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Board Duties RegardingCybersecurity
Cybersecurity is becoming a priority issue for boards due to large number ofbreaches and extensive press activity.
State law governs the board’s duties.
Assume Delaware law for purposes of this presentation.
Directors:
Do not have to become experts on cybersecurity, and
Are permitted (and expected) to rely on information and reports frommanagement and others regarding cybersecurity and cyber risk.
The Board should:
Inform itself regarding cybersecurity risk,
Be comfortable that the company has appropriate controls in place tomanage that risk, and
Monitor controls periodically to ensure that they are functioning asintended and that issues are being identified and addressed.
6
![Page 7: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/7.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Practical Metrics for BoardReporting and Cyber Issues
How frequently does the Board receive reports on cybersecurity and cyberrisk? What reporting on cyber issues has occurred in the last twelve months?
Do the reports go to: The full Board? The Audit Committee? The Risk Committee?
Who reports? How? In what form? Incident Readiness and Planning Threat Intelligence Cyber Security Governance Internal and External Controls
Minutes of the Board or Committee Meetings? Appropriate detail
7
![Page 8: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/8.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
The SEC is Focused onBoards and Cybersecurity
8
![Page 9: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/9.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Third Party Guidance onBoards and Cyber Risk
9
![Page 10: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/10.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Beware – Section 220 Demands
10
![Page 11: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/11.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Section 220 Demands (cont.)
It is common to receive demands for investigation and books and recordsby shareholders in the post breach context.
Investigation
Shareholder will demand that the board investigate the breach and takeaction against any wrongdoers.
Board hires counsel to conduct investigation.
Books and Records
Entitled to receive board materials related to cybersecurity andindependence of the members of the board.
Will negotiate a non-disclosure agreement before producing documents.
Shareholder will either (1) go away, (2) file a lawsuit demanding additionalmaterials, or (3) file a derivative lawsuit.
11
![Page 12: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/12.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Shareholder Derivative Suits
12
![Page 13: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/13.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Recent ShareholderDerivative Litigation
Typical allegations against officers and directors in derivative litigation:
Breach of the duty of loyalty and care,
Wasted corporate assets, and
Were unjustly enriched by the compensation they received whilebreaching their fiduciary duties.
Cannot prevent these lawsuits, but best defense is:
Regular reporting and review of controls,
Appropriate governance, and
Confirmation by the Board that the organization is staying abreast ofevolving threats and adjusting its security posture accordingly.
Very early in the life cycle of these cases – final resolution is difficult topredict today.
13
![Page 14: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/14.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Wyndham Litigation / Conflicts ofInterest
14
![Page 15: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/15.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Preventive Maintenance –Disclosure?
15
![Page 16: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/16.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
D&O Insurance?
16
![Page 17: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/17.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Cybersecurity Insurance?
17
![Page 18: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/18.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Advising the Board During aBreach
Board must gain understanding of the scope of the breach and thebusiness and legal implications of the breach.
Board involvement:
Board members must become informed.
Consider using a committee for daily or more regular communication(refer to incident response plan).
Consider having third-party engaged in the investigation orremediation speak directly to the board or Risk Committee.
Oversee management’s decisions and responses.
May include receiving reports on the action plan such as responsetimes, appointment of “breach czar,” and action plan testing, aswell as reports on containment and remediation plans.
18
![Page 19: Advising C-Suite and Boards on Cybersecurity 1 (2)€¦ · Title: Microsoft PowerPoint - Advising C-Suite and Boards on Cybersecurity_1 (2).pptx Author: smiab Created Date: 2/12/2015](https://reader033.fdocuments.us/reader033/viewer/2022052012/602958b917f093385d3d51c6/html5/thumbnails/19.jpg)
Follow us: @AlstonPrivacywww.AlstonPrivacy.com
Follow us: @AlstonPrivacy
www.AlstonPrivacy.com
Questions?
19