Cybersecurity for In-House Counsel: Achieving Compliance (and Beyond) in a Breach-A-Day World
David G. Ries
John L. Hines, Jr.
Linda M. Watson
October 19, 2016
Clarkhill.com
800-949-3120 | clarkhill.com
David G. Ries, Pittsburgh, PA, 412-394.7787
John L. Hines, Jr., Chicago, IL
Linda M. Watson, Birmingham, MI, 248.988.5881
www.clarkhill.com/contents/cybersecurity-data-protection-privacy
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
FBI Director Robert Mueller, RSA Cybersecurity Conference, March 2012
THREAT ACTORS
• Cybercriminals
• Hackers
• Hacktivists
• Government surveillance
• State sponsored / condoned espionage
• Insiders (disgruntled / dishonest / bored / untrained)
ATTACK VECTORS
• Direct attack
• Watering hole attack
• DNS compromise
• Phishing / social engineering
• Malware / crimeware / ransomware
• Misuse of admin tools
• Infected devices
• Denial of service
• Supply chain attack
• Physical theft / loss
WHAT THEY’RE AFTER
• Money
• Personally identifiable information
• Intellectual property
• Trade secrets
• Information on litigation & transactions
• Computing power
• National security data
• Deny / disrupt service +
“… because that’s where the money is.”
MARCH 2016 - FBI WARNINGS
Criminal seeks hacker to break into international law firms
APRIL 2016 - CEO E-MAIL SCHEMES
• Oct 2013 through Feb 2016 - 17,642 victims
• More than $2.3 billion in losses
MARCH 2016 - W-2 PHISHING SCHEMES
Proskauer Rose + Snapchat + Seagate +++
TODAY’S GREATEST THREATS
• Lost & stolen laptops & mobile devices
• Spearphishing
SECURITY STARTS AT THE TOP
• Board
• CEO / GC / C-level executives
• Establish & maintain cybersecurity program
• Provide budget & authority
• Assign responsibility
• Set the tone
INFORMATION SECURITY
Secure through:
• People
• Process
• Policies & Procedures
• Technology
INFORMATION SECURITY
Protect:
• Confidentiality
• Integrity
• Availability
INFORMATION SECURITY
Comprehensive Information Security Program
• Risk-based
• Policies
• Training
• Review and update
Constant security awareness
NIST CYBERSECURITY FRAMEWORK
STANDARDS / FRAMEWORKS / CONTROLS
• NIST Framework
• NIST Special Publication 800-53, Rev 4
+ numerous additional standards
• ISO/IEC 27000 series standards: Information Security Management Systems
• ISACA - COBIT
• Center for Internet Security
• CIS Controls for Effective Cyber Defense Version 6.1
STANDARDS AND FRAMEWORKS
Small Businesses:
• NIST’s Small Business Information Security: The Fundamentals, Draft NISTIR 7621, Rev. 1 (30 pages)
• U.S.-CERT: resources for SMBs
RISK ASSESSMENT
1. Identify Information Assets (data, software, hardware, appliances and infrastructure)
2. Classify Information Assets
3. Identify Security Requirements (statutes and regulations, contracts, common law, “reasonable security,” business needs)
4. Identify Risks
MANAGING RISK
1. Apply security policies and controls to manage the risk
2. Transfer the risk (insurance / contracts)
3. Eliminate the risk
4. Accept the risk
SECURITY REQUIREMENTS
• Risk Assessment
• Technical
• Administrative
• Physical
• Training
• Third Parties
• Encryption
• Passwords
• Patching
• Assign Responsibility
• Firewalls
• Comprehensive Plan
• Background Checks
• Need to Know
• Monitor + Update
• Limit Access
INCIDENT RESPONSE PLANS
Preparing for when a business will be breached, not if it may be breached
The new mantra in security:
Identify & Protect + Detect, Respond & Recover
SECURITY IN TECH CONTRACTS
1. What kind of contracts?
2. What does security in a contract (K) mean?
3. Absence of security terms in a contract (K) may be a violation of law
4. Negotiating security terms
Key terms: Reasonable Security; Have and Maintain; ISO Certification
SECURITY IN M&A
Is your organization positioned for M&A due diligence?
QUESTIONS?
David G. Ries, Pittsburgh, PA, 412-394.7787
John L. Hines, Jr., Chicago, IL
Linda M. Watson, Birmingham, MI, 248.988.5881
THANK YOU
Legal Disclaimer: This document is not intended to give legal advice. It is comprised of general information. Companies facing specific issues should seek the assistance of an attorney.