Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice...

Legal Jeopardy: Whose Risk Is It?




SPEAKERS

Jason Straight, Chief Privacy Officer and Senior Vice President, Cyber Risk Solutions at UnitedLex

Patrick Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer at Monster Worldwide

Michael C. Miller, Executive Vice President, General Counsel and Secretary at Monster Worldwide


If You Think Cybersecurity Risk Is Not a Significant Issue for Your Company…

THINK AGAIN.


What industries had the most confirmed, publicly disclosed breaches in 2014?

– Public agencies (303)

– Financial services (277)

– Manufacturing (235)

– Accommodation (223)

– Retail (164)

– Professional Organization (146)

– Healthcare (141)


What are the security improvement priorities of companies that have experienced a breach?

1. Endpoint Security

2. Employee training

3. Expanded use of encryption

4. Adding manual procedures and security controls

5. Implementing a Data Loss Prevention solution


OGC Must Play a Key Role in Managing Cyber Risk, from Risk Assessment through Incident Response


Name the top reasons that the general counsel's office must be involved in managing cyber risk.

– To identify key business risks relating to specific types of sensitive data: PII, PHI, IP (including trade secrets)

– To determine what constitutes a "defensible" security control

– OGC has a deep understanding of how risk might be affected by an evolving business strategy

– OGC has knowledge of third-party relationships and insider risks

– To protect the ability to assert attorney-client privilege and work product protection over cyber risk management activities

– To serve as the primary conduit between the incident response team and the executives/board


Name the top challenges with establishing OGC’s role in managing cyber risk.

– Cyber security still largely viewed as “an IT problem” that should be managed by CIO/CISO

– Legal slows down decision-making in an area that requires agility and rapid response

– Lawyers lack the technical background to understand risk and mitigation options

– Lawyers consulted only on compliance and regulatory issues rather than as advisor on business risk


What are the top factors that will reduce the cost of a breach?

– Strong security posture

– Incident Response Plan in place

– Business Continuity Management involvement

– Have a CISO


OGC’s Role in Educating the Executive Team and Board of Directors


What are the key questions counsel should seek to answer through a risk assessment?

– What are the critical assets that are most important to protect?

– What are the biggest threats to those assets?

– What would the legal and business impact be if those assets were compromised?

– What are the most effective ways to improve our risk posture?


What are the primary ways counsel can contribute to the risk assessment process?

– Identifying critical data assets

– Anticipating and defining regulatory and compliance obligations

– Determining what constitutes a "defensible" security control

– Understanding the broader threat environment

– Deep understanding of how risk might be affected by an evolving business strategy


Name the best arguments for DEFEATING the assertion of privilege protection over a risk assessment.

– Assessment not conducted "in anticipation of litigation"

– Recommendations in risk assessment report are business advisory not legal advice

– Legal may be involved but is not truly directing RA efforts


What are the biggest problems with having the CISO report to the CIO?

– Conflict of interest between primary role of CIO (availability and integrity) and CISO (security)

– Lack of focus on security in favor of responsibilities viewed as more "important" to the business

– Lack of segregated and protected security budget may lead to shift of resources over course of year


What should be the board’s role in overseeing cyber risk management?

– Must have an accurate and up-to-date view of the company’s cyber risk profile

– Should understand how cybersecurity budget is allocated

– Should understand the company’s incident response protocol and determine the point at which the board should be informed of an incident

– Board should regularly assess the effectiveness of the company’s cyber risk governance structure


What are the top reasons that the GC should direct the IR process?

– To help anticipate and manage potential legal/regulatory issues arising from an incident

– To protect the ability to assert attorney-client privilege and work product protection over IR activities

– To control internal and external communications in a risk-averse manner

– To serve as the primary conduit between the IR team and the execs/board


What are the top reasons that the GC should NOT direct the IR process?

– Too slow to make decisions

– Don't understand the technical aspects of an incident

– Not comfortable with the uncertainty and evolving understanding of the facts

– Too quick to jump to conclusions


What do you fear most in the event of a breach?

– Federal agencies (FTC, SEC, DOJ)

– State AGs

– PCI Council

– Civil lawsuits

– Reputation damage/customer churn


What should you do when you go back to your offices this week?


Conclusion

• Take your CIO/CISO to lunch and talk about the “defensibility” of your company’s cyber risk posture.

• Review your company’s incident response plan and make sure you are comfortable with counsel’s formal role in the process.

• Make sure you have ready access to outside counsel and/or other experts who can help in the event of a cyber incident.

• Check your insurance coverage.

• Ask your executives and board if they are comfortable with the degree of visibility they have into cyber risk issues.