Legal Jeopardy: Whose Risk Is It?
SPEAKERS
Jason Straight, Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex
Patrick Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer at Monster Worldwide
Michael C. Miller, Executive Vice President, General Counsel and Secretary at Monster Worldwide
If You Think Cybersecurity Risk Is Not a Significant Issue for Your Company…
THINK AGAIN.
What industries had the most confirmed, publicly disclosed breaches in 2014?
– Public agencies (303)
– Financial services (277)
– Manufacturing (235)
– Accommodation (223)
– Retail (164)
– Professional Organization (146)
– Healthcare (141)
What are the security improvement priorities of companies that have experienced a breach?
1. Endpoint Security
2. Employee training
3. Expanded use of encryption
4. Adding manual procedures and security controls
5. Implementing Data Loss Prevention solution
OGC Must Play a Key Role in Managing Cyber Risk, from Risk Assessment through Incident Response
Name the top reasons that the general counsel's office must be involved in managing cyber risk?
– To identify key business risks relating to specific types of sensitive data: PII, PHI, IP (including trade secrets)
– To determine what constitutes a "defensible" security control
– OGC has a deep understanding of how risk might be affected by an evolving business strategy
– OGC has knowledge of third-party relationships and insider risks
– To protect the ability to assert a/c privilege and work product protection over cyber risk management activities
– To serve as the primary conduit between the incident response team and the executives/board
Name the top challenges with establishing OGC’s role in managing cyber risk?
– Cyber security still largely viewed as “an IT problem” that should be managed by CIO/CISO
– Legal slows down decision-making in an area that requires agility and rapid response
– Lawyers lack the technical background to understand risk and mitigation options
– Lawyers consulted only on compliance and regulatory issues rather than as advisor on business risk
What are the top factors that will reduce the cost of a breach?
– Strong security posture
– Incident Response Plan in place
– Business Continuity Management involvement
– Have a CISO
OGC’s Role in Educating the Executive Team and Board of Directors
What are the key questions counsel should seek to answer through a risk assessment?
– What are the critical assets that are most important to protect?
– What are the biggest threats to those assets?
– What would the legal and business impact be if those assets were compromised?
– What are the most effective ways to improve our risk posture?
What are the primary ways counsel can contribute to the risk assessment process?
– Identifying critical data assets
– Anticipating and defining regulatory and compliance obligations
– Determining what constitutes a "defensible" security control
– Understanding the broader threat environment
– Deep understanding of how risk might be affected by an evolving business strategy
Name the best arguments for DEFEATING the assertion of privilege protection over a risk assessment.
– Assessment not conducted "in anticipation of litigation"
– Recommendations in risk assessment report are business advisory not legal advice
– Legal may be involved but is not truly directing RA efforts
What are the biggest problems with having CISO report to CIO?
– Conflict of interest between primary role of CIO (availability and integrity) and CISO (security)
– Lack of focus on security in favor of responsibilities viewed as more "important" to the business
– Lack of segregated and protected security budget may lead to shift of resources over course of year
What should be the board’s role in overseeing cyber risk management?
– Must have an accurate and up to date view on the company’s cyber risk profile
– Should understand how cybersecurity budget is allocated
– Should understand the company’s incident response protocol and determine the point at which the board should be informed of an incident
– Board should regularly assess the effectiveness of the company’s cyber risk governance structure
What are the top reasons that the GC should direct the IR process?
– To help anticipate and manage potential legal/regulatory issues arising from an incident
– To protect the ability to assert a/c privilege and work product protection over IR activities
– To control internal and external communications in a risk-averse manner
– To serve as the primary conduit between the IR team and the execs/board
What are the top reasons that the GC should NOT direct the IR process?
– Too slow to make decisions
– Don't understand the technical aspects of an incident
– Not comfortable with the uncertainty and evolving understanding of the facts
– Too quick to jump to conclusions
What do you fear most in the event of a breach?
– Federal agencies (FTC, SEC, DOJ)
– State AGs
– PCI Council
– Civil lawsuits
– Reputation damage/customer churn
What should you do when you go back to your offices this week?
Conclusion
• Take your CIO/CISO to lunch and talk about the “defensibility” of your company’s cyber risk posture.
• Review your company’s incident response plan and make sure you are comfortable with counsel’s formal role in the process.
• Make sure you have ready-access to outside counsel and/or other experts who can help in the event of a cyber incident
• Check your insurance coverage
• Ask your executives and board if they are comfortable with the degree of visibility they have into cyber risk issues