Panel I - Cyber Risks in the Digital Age
Summit D&O Conference
Panel I - Cyber Risks in the Digital Age Cyberliability, risk management, virus, DOS Attacks, Chaffin, Hoole, Floresca, Klausner
Presentation Transcript

  • Cyber and Social Media Risks: What Board Members Should Know
    Spence Hoole, Janice Chaffin, Tonia Klausner, Lauri Floresca
  • Overview
    ■ Why Cyber Risk and not D&O Insurance?
    ■ Increases in Security and Data Breaches
    ■ Privacy Issues and Cyber Attacks
    ■ Why should a Director care?
    ■ Role of Directors & Officers
    ■ What every Director should know and do
    ■ Understanding Privacy Laws in the US
    ■ Legal Exposures from Cyber Activity
    ■ Social Media Risks
    ■ Cyber Liability – a Board Level Issue
    ■ Cyber Liability Insurance
    ■ Goals and Takeaways
    ■ Practical Implementation
    ■ Q&A
  • Why Cyber Risk and Not D&O at Summit?
    ■ Evolution of changes in exposure to loss . . . brick and mortar risk shifting to network and cyber risks
    ■ A growing trend – frequency and severity of data breaches
       2010: largest collection of lost data on record
       In 2009, over $220M personal records were breached (Social Security numbers, medical information, credit card databases)
       Compared to only $35M personal records exposed in 2008
      Source: Databreaches.net / Source: Ponemon Institute LLC
    ■ Boards' responsibility in overseeing all organizational risks, including network / cyber risks
    ■ Cyber Risk insurance for “all” companies is the new, new thing
       This is not your father’s Property and Liability Insurance Program
  • Privacy Issues and Cyber Attacks
    Janice Chaffin, Group President, Consumer Business Unit, Symantec
  • » BUSINESSES
    » GOVERNMENTS
    » INDIVIDUALS
  • Stuxnet: Thousands Of Industrial Control Centers Infiltrated
  • “SPEAR PHISHING” FOR COMPANY DATA
  • Why a director should care: Protecting
    ■ Stock Price
    ■ Customer Confidence
    ■ Intellectual Property
    ■ Brand
  • THE QUESTION IS NOT: WILL YOU BE ATTACKED?
    THE QUESTION IS: WHEN?
  • WHAT EVERY DIRECTOR SHOULD KNOW
    ■ Who is responsible for Cyber Security?
    ■ Has a cyber risk assessment been done?
    ■ Is there a breach response plan in place?
  • Who is responsible for Cyber Security?
    ■ Who does he/she report to?
    ■ Does he/she have the authority and resources to succeed?
    ■ Is there an IT Security policy in place?
    ■ Are employees actively engaged?
    ■ Is there a regular cadence for updating the Board?
  • Has a cyber risk assessment been done?
    [Slide: security program assessment heat map. Rows span the “Strategic”, “Operational” and “Tactical” layers; columns span People, Process and Technology. Domains shown include Security Strategy, Executive Sponsorship, Security Governance, IT Risk Management, Security Awareness, Security Policy and Procedures, Regulatory Compliance, Contingency / Disaster Planning, Security Architecture, Threat & Vulnerability Management, Audit Function, Business Continuity, Logging, Monitoring & Reporting, Incident Handling & Response, Provisioning & Configuration Management, Information Classification, Backup, Recovery & Archiving, Identity Management, Patch Management, Asset Management, Secure Development Cycle, Secure Builds & Host Hardening, Secure Design & Coding, Intrusion Detection & Prevention, Malicious Code Protection, Application Security, Encryption, Authentication & Authorisation, Data & Systems Segmentation, Perimeter Security, Secure Storage and Secure Communication. Rating legend: Exceeds goals / No gaps / Minor gaps / Moderate gaps / Serious gaps / Not applicable.]
  • What is the breach response plan?
    This plan should include clear steps for:
    ■ Containing the breach and handling forensics
    ■ Contacting your security software vendor
    ■ Engaging with law enforcement
    ■ Disclosing the breach
    ■ Managing public relations
    ■ Conducting post-mortem analysis
  • Use personal best practices online
    ■ Take stock of your online profile
    ■ Never open links from strangers
    ■ Use strong passwords and change them often
    ■ Be conservative about what you share
    ■ Closely monitor security settings on social networks
    ■ Use approved web services only for company content
  • Summary Threats are growing in number and sophistication It’s only a matter of time before your company will be attacked The stakes are high, be informed and act now Don’t make yourself a target
  • Additional resources• Estimate Your Risk Exposure: Poneman Institute Data Breach Risk Calculator http://databreachcalculator.com• Security Policy Templates and Resources: CSO Magazine http://www.csoonline.com/article/486324/security-tools-templates-policies• Real-time Reports on Data Loss by Data Breach Type: DB Data Loss http://datalossdb.org• The FTC’s Guide to Dealing With A Data Breach: http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html• FBI eScams and Threat Warnings: http://www.fbi.gov/scams-safety/e-scams• Symantec State of Spam and Phishing Report: http://www.symantec.com/business/theme.jsp?themeid=state_of_spam• Symantec Stuxnet Site: http://www.symantec.com/stuxnet Janice_Chaffin@Symantec.com
  • Privacy LawTonia KlausnerPartnerWilson Sonsini Goodrich & Rosati
  • Privacy Law in the U.S.Technology has driven the growth of privacy lawLegislators and regulators have had to respond to technological changes that have radically altered the way companies collect, share, use, and maintain personally identifiable informationMany of these laws respond to particular issues or concernsResult: sectoral approach (industry silos), overlaid with cross- industry requirementsContrast with omnibus approach in other regions (e.g., EU)
  • Some U.S. Privacy Laws Electronic  Telemarketing & States: Communications Consumer Fraud &  Spyware Privacy Act (ECPA) Abuse Prevention Act  Social Security #s Fair Credit (Telemarketing Sales Rule)  Data Security Reporting Act (FCRA) + FACTA  Telephone Consumer  Breach Notification GLB Protection Act (TCPA)  Data Disposal CPNI  Junk Fax Prevention  Point of Sale Data Act Collection FERPA  CAN-SPAM  ID Theft Legislation HIPAA  US/EU Safe Harbor  Security Freezes COPPA  Video Privacy  Shine the Light SOX Protection Act  Credit Card Security FTC Section 5
  • U.S. Privacy Law Enforcement
  • Data Breach Containment  Response team  Accurate records of all events  Preservation of evidence  Newly enacted safeguards to prevent reoccurrence Notifications  Required-by statute; by contract  Other notifications Customer relations  Call center  Protection services
  • Data Breach Consequences Investigations  FTC  State AGs  HHS Fines Lawsuits Breach Of Contracts; Loss of Rights/Revenues Commercial Reputation
  • Data Breach Pending Legislation Comprehensive notice requirements Preemption of patchwork of state statutes Possible private right of action
  • Social Media• Social Networking-rapid growth online and on handhelds  MySpace, Facebook, LinkedIn, Google+, Twitter, Ning, Tagged, Orkut, hi5, Meetup, Badoo, Friendster  iPhone, Android, iPad, Galaxy, Xoom, Windows 7 Tablet  GroupMe, Disco, WeTxt
  • Legal Risks Beyond Breach Many Potentially Applicable Statutes  Computer Fraud and Abuse Act  ECPA  CAN-SPAM/Wireless CAN-SPAM  TCPA  COPPA  Video Privacy Protection Act Hot area for class action lawsuits  Social programs  Geolocation data collection and use  Texting programs
  • Steps to Reduce Litigation Risks Clear disclosure in terms of use or privacy policy Conspicuous opt out or opt in at time user data is collected Customer agreement to arbitrate dispute with class action waiver
  • Online Advertising
  • Online Advertising
    ■ Collection of information about users’ activities online
       Web pages visited
       Searches conducted
       Content viewed
    ■ Advertisers’ Goal: present users with ads targeting users’ interests
  • Digital Advertising Flow (source: Gridley & Co. and gregstuart.com)
  • A New Perspective on Online Privacy “Most of the online world is based on a simple, if unarticulated, agreement: consumers browse Web sites for free, and in return, they give up data – like their gender or income level – which the sites use to aim their advertisements. The head of the Bureau of Consumer Protection at the Federal Trade Commission, David C. Vladeck, says it is time for that to change.” New York Times, August 5, 2009
  • Industry Created A Self-Regulatory Program
    ■ Self-Regulatory Principles for Online Behavioral Advertising released July 2009
    ■ Advertising Option Icon announced & registration begins October 4, 2010
    ■ Consumer Choice page launched November 2010
    ■ Coalition turns to enforcement, operational implementation, and educational planning
  • FTC Staff Report on Privacy (December 2010) Said Progress Not Fast Enough
    Simplified Choice
    ■ Consumers should have choice about both data collection and usage
    ■ Choice mechanism should be offered at point consumers provide data
    ■ “Do Not Track” proposed as simplified choice mechanism
    ■ Choice not required for a narrow set of practices
       Fulfillment
       Internal operations
       Fraud prevention
       Legal compliance
       First-party marketing
       Contextual advertising
  • Behavioral Advertising Litigation Risks
    ■ Lawsuits regarding cookies, flash cookies, super-cookies
    ■ Unsettled law
       ECPA
       CFAA
    ■ Multi-million dollar Class-action Settlements
  • Tonia Klausner
    tklausner@wsgr.com
    +1.212.497.7706
  • Cyber Liability: a Board-Level Issue
    Lauri Floresca, Partner, Woodruff-Sawyer & Co.
  • Cyber Liability: a Board-Level Issue
    ■ Boards increasingly focused on cyber risk exposures
       ERM Risk Oversight Rules adopted by SEC in 2009
       Media attention on high profile breaches grows in 2011
       SEC issues informal guidance on cyber risk disclosure in October 2011
    ■ In a technology driven world, most companies have some exposure to cyber liability.
       Customer Records
       Employee Records
    ■ How to quantify? And how to remediate?
  • Average Cost of Breach
  • SEC Guidance: A Closer Look
    ■ October 2011 SEC guidance suggests that listed companies should add disclosure on cyber liability to their risk factors based on:
      1. The “probability of cyber incidents occurring”
      2. The “quantitative and qualitative magnitude of those risks”
    ■ Probability ≈ 100%
    ■ Magnitude much more difficult to assess
    ■ SEC also suggests that companies include a description of “relevant insurance coverage”
       Not straight-forward
       Many different types of insurance policies address cyber liability exposures, and all of them have some coverage limitations
    ■ SEC notes that relevant costs may include:
       Remediation costs – insurable, sublimits often apply
       Increased cyber security protection costs – not generally insurable
       Lost revenues resulting from a cyber attack – insurable, significant limitations/waiting periods
       Litigation – insurable
       Reputational damage – specialized insurance products available, limited in scope
  • Evolution of Cyber Liability Insurance
  • Why you need Cyber Liability Insurance
  • Identifying Your Cyber Liability
  • Third-party v. First-party Coverage
  • Contract Liability in the Cloud
    ■ Growth in cloud computing and outsourced I/T function creates new challenges
       I/T infrastructure may be improved by outsourcing to a reputable cloud vendor – but lose some elements of control
       Will cloud vendor be a more attractive target for a serious hacker (criminal or “hacktivism”)?
    ■ Compliance with data breach notification rests with the data owner – does not matter if you outsource data processing or storage
    ■ Contracts with vendors likely limit their liability – but can vary substantially
       Often limited to 12 months of revenue paid to cloud provider
       Large cloud providers may offer no indemnity whatsoever under a standard contract, willing to negotiate for large customers
    ■ Make sure that your cyber liability insurance extends coverage in the event your data is breached while under control of a third party
    ■ Negotiate with vendor to maximize your chance of recovery if a breach is their fault
    ■ Ask your vendor for confirmation of their coverage – for them, falls under traditional technology “E&O” coverage module
  • Q&A