
Panel I - Cyber Risks in the Digital Age


Summit D&O Conference
Panel I - Cyber Risks in the Digital Age Cyberliability, risk management, virus, DOS Attacks, Chaffin, Hoole, Floresca, Klausner


  1. Cyber and Social Media Risks: What Board Members Should Know
     Spence Hoole, Janice Chaffin, Tonia Klausner, Lauri Floresca
  2. Overview
     • Why Cyber Risk and not D&O Insurance?
     • Increases in Security and Data Breaches
     • Privacy Issues and Cyber Attacks
     • Why should a Director care?
     • What every Director should know and do
     • Understanding Privacy Laws in the US
     • Legal Exposures from Cyber Activity
     • Social Media Risks
     • Cyber Liability – a Board Level Issue
     • Cyber Liability Insurance
     • Goals and Takeaways
     • Role of Directors & Officers
     • Practical Implementation
     • Q&A
  3. Why Cyber Risk and Not D&O at Summit?
     ■ Evolution of changes in exposure to loss . . . brick and mortar risk shifting to network and cyber risks
     ■ A growing trend – frequency and severity of data breaches
       ■ 2010 largest collection of lost data on record
       ■ In 2009, over $220M personal records were breached (Social Security numbers, medical information, credit card databases)
       ■ Compared to only $35M personal records exposed in 2008
       Source: Ponemon Institute LLC
     ■ Boards’ responsibility in overseeing all organizational risks, including network / cyber risks
     ■ Cyber Risk insurance for “all” companies is the new, new thing
       ■ This is not your father’s Property and Liability Insurance Program
  4. Privacy Issues and Cyber Attacks
     Janice Chaffin, Group President, Consumer Business Unit, Symantec
  6. Stuxnet: Thousands of Industrial Control Centers Infiltrated
  8. Why a director should care
     Protecting: Stock Price, Customer Confidence, Intellectual Property, Brand
  10. What Every Director Should Know
      • Who is responsible for Cyber Security?
      • Has a cyber risk assessment been done?
      • Is there a breach response plan in place?
  11. Who is responsible for Cyber Security?
      • Who does he/she report to?
      • Does he/she have the authority and resources to succeed?
      • Is there an IT Security policy in place?
      • Are employees actively engaged?
      • Is there a regular cadence for updating the Board?
  12. Has a cyber risk assessment been done?
      [Figure: security maturity heat map. Control domains are arranged from “Strategic” (e.g. Security Strategy, Executive Sponsorship, Security Governance, IT Risk Management, Security Policy, Regulatory Compliance, Contingency / Disaster Planning) through “Operational” (e.g. Threat Management, Vulnerability Management, Audit Function, Business Continuity, Logging, Monitoring & Reporting, Incident Handling & Response, Information Classification, Configuration Management, Patch Management, Identity Management, Asset Management, Backup, Recovery & Archiving, Secure Development Cycle) to “Tactical” (e.g. Intrusion Detection & Prevention, Host Hardening, Secure Design & Coding, Malicious Code Protection, Encryption, Authentication & Authorisation, Mobility & Wireless Security, Remote & Extranet Connections, Perimeter Security, Secure Storage, Secure Communication). Each domain is rated on the scale: Exceeds goals / No gaps / Minor gaps / Moderate gaps / Serious gaps / Not applicable.]
  13. What is the breach response plan?
      This plan should include clear steps for:
      • Containing the breach and handling forensics
      • Contacting your security software vendor
      • Engaging with law enforcement
      • Disclosing the breach
      • Managing public relations
      • Conducting post-mortem analysis
  14. Use personal best practices online
      • Take stock of your online profile
      • Never open links from strangers
      • Use strong passwords and change them often
      • Be conservative about what you share
      • Closely monitor security settings on social networks
      • Use approved web services only for company content
  15. Summary
      • Threats are growing in number and sophistication
      • It’s only a matter of time before your company will be attacked
      • The stakes are high; be informed and act now
      • Don’t make yourself a target
  16. Additional resources
      • Estimate Your Risk Exposure: Ponemon Institute Data Breach Risk Calculator
      • Security Policy Templates and Resources: CSO Magazine
      • Real-time Reports on Data Loss by Data Breach Type: DB Data Loss
      • The FTC’s Guide to Dealing With A Data Breach
      • FBI eScams and Threat Warnings
      • Symantec State of Spam and Phishing Report
      • Symantec Stuxnet Site
  17. Privacy Law
      Tonia Klausner, Partner, Wilson Sonsini Goodrich & Rosati
  18. Privacy Law in the U.S.
      • Technology has driven the growth of privacy law
      • Legislators and regulators have had to respond to technological changes that have radically altered the way companies collect, share, use, and maintain personally identifiable information
      • Many of these laws respond to particular issues or concerns
      • Result: sectoral approach (industry silos), overlaid with cross-industry requirements
      • Contrast with omnibus approach in other regions (e.g., EU)
  19. Some U.S. Privacy Laws
      Federal (sectoral):
      • Electronic Communications Privacy Act (ECPA)
      • Fair Credit Reporting Act (FCRA) + FACTA
      • GLB
      • CPNI
      • FERPA
      • HIPAA
      • COPPA
      • SOX
      • FTC Section 5
      Federal (marketing and communications):
      • Telemarketing & Consumer Fraud & Abuse Prevention Act (Telemarketing Sales Rule)
      • Telephone Consumer Protection Act (TCPA)
      • Junk Fax Prevention Act
      • CAN-SPAM
      • US/EU Safe Harbor
      • Video Privacy Protection Act
      States:
      • Spyware
      • Social Security #s
      • Data Security
      • Breach Notification
      • Data Disposal
      • Point of Sale Data Collection
      • ID Theft Legislation
      • Security Freezes
      • Shine the Light
      • Credit Card Security
  20. U.S. Privacy Law Enforcement
  21. Data Breach
      Containment
      • Response team
      • Accurate records of all events
      • Preservation of evidence
      • Newly enacted safeguards to prevent reoccurrence
      Notifications
      • Required by statute; by contract
      • Other notifications
      Customer relations
      • Call center
      • Protection services
  22. Data Breach Consequences
      • Investigations: FTC, State AGs, HHS
      • Fines
      • Lawsuits
      • Breach of contracts; loss of rights/revenues
      • Commercial reputation
  23. Data Breach Pending Legislation
      • Comprehensive notice requirements
      • Preemption of patchwork of state statutes
      • Possible private right of action
  24. Social Media
      • Social networking – rapid growth online and on handhelds
        – MySpace, Facebook, LinkedIn, Google+, Twitter, Ning, Tagged, Orkut, hi5, Meetup, Badoo, Friendster
        – iPhone, Android, iPad, Galaxy, Xoom, Windows 7 Tablet
        – GroupMe, Disco, WeTxt
  25. Legal Risks Beyond Breach
      Many potentially applicable statutes
      • Computer Fraud and Abuse Act
      • ECPA
      • CAN-SPAM/Wireless CAN-SPAM
      • TCPA
      • COPPA
      • Video Privacy Protection Act
      Hot area for class action lawsuits
      • Social programs
      • Geolocation data collection and use
      • Texting programs
  26. Steps to Reduce Litigation Risks
      • Clear disclosure in terms of use or privacy policy
      • Conspicuous opt out or opt in at time user data is collected
      • Customer agreement to arbitrate dispute with class action waiver
  27. Online Advertising
  28. Online Advertising
      Collection of information about users’ activities online
      • Web pages visited
      • Searches conducted
      • Content viewed
      Advertisers’ goal: present users with ads targeting users’ interests
  29. Digital Advertising Flow
      [Figure; source: Gridley & Co.]
  30. A New Perspective on Online Privacy
      “Most of the online world is based on a simple, if unarticulated, agreement: consumers browse Web sites for free, and in return, they give up data – like their gender or income level – which the sites use to aim their advertisements. The head of the Bureau of Consumer Protection at the Federal Trade Commission, David C. Vladeck, says it is time for that to change.” New York Times, August 5, 2009
  31. Industry Created a Self-Regulatory Program
      • Self-Regulatory Principles for Online Behavioral Advertising released July 2009
      • Advertising Option Icon announced & registration begins October 4, 2010
      • Consumer Choice page launched November 2010
      • Coalition turns to enforcement, operational implementation, and educational planning
  32. FTC Staff Report on Privacy, December 2010
      Said progress not fast enough. Simplified Choice:
      • Consumers should have choice about both data collection and usage
      • Choice mechanism should be offered at point consumers provide data
      • “Do Not Track” proposed as simplified choice mechanism
      • Choice not required for a narrow set of practices
        – Fulfillment
        – Internal operations
        – Fraud prevention
        – Legal compliance
        – First-party marketing
        – Contextual advertising
  33. Behavioral Advertising Litigation Risks
      • Lawsuits regarding cookies, flash cookies, super-cookies
      • Unsettled law
        – ECPA
        – CFAA
      • Multi-million dollar class-action settlements
  34. Tonia 212.497.7706
  35. Cyber Liability: a Board-Level Issue
      Lauri Floresca, Partner, Woodruff-Sawyer & Co.
  36. Cyber Liability: a Board-Level Issue
      Boards increasingly focused on cyber risk exposures
      • ERM Risk Oversight Rules adopted by SEC in 2009
      • Media attention on high profile breaches grows in 2011
      • SEC issues informal guidance on cyber risk disclosure in October 2011
      In a technology driven world, most companies have some exposure to cyber liability.
      • Customer records
      • Employee records
      How to quantify? And how to remediate?
  37. Average Cost of Breach
  38. SEC Guidance: A Closer Look
      October 2011 SEC guidance suggests that listed companies should add disclosure on cyber liability to their risk factors based on:
      1. The “probability of cyber incidents occurring”
      2. The “quantitative and qualitative magnitude of those risks”
      Probability ≈ 100%; magnitude much more difficult to assess.
      SEC also suggests that companies include a description of “relevant insurance coverage”
      • Not straightforward
      • Many different types of insurance policies address cyber liability exposures, and all of them have some coverage limitations
      SEC notes that relevant costs may include:
      • Remediation costs – insurable, sublimits often apply
      • Increased cyber security protection costs – not generally insurable
      • Lost revenues resulting from a cyber attack – insurable, significant limitations/waiting periods
      • Litigation – insurable
      • Reputational damage – specialized insurance products available, limited in scope
  39. Evolution of Cyber Liability Insurance
  40. Why You Need Cyber Liability Insurance
  41. Identifying Your Cyber Liability
  42. Third-party v. First-party Coverage
  43. Contract Liability in the Cloud
      Growth in cloud computing and outsourced I/T function creates new challenges
      • I/T infrastructure may be improved by outsourcing to a reputable cloud vendor – but you lose some elements of control
      • Will the cloud vendor be a more attractive target for a serious hacker (criminal or “hacktivism”)?
      Compliance with data breach notification rests with the data owner – it does not matter if you outsource data processing or storage
      Contracts with vendors likely limit their liability – but can vary substantially
      • Often limited to 12 months of revenue paid to cloud provider
      • Large cloud providers may offer no indemnity whatsoever under a standard contract; willing to negotiate for large customers
      Make sure that your cyber liability insurance extends coverage in the event your data is breached while under the control of a third party
      Negotiate with the vendor to maximize your chance of recovery if a breach is their fault
      Ask your vendor for confirmation of their coverage – for them, it falls under the traditional technology “E&O” coverage module
  44. Q&A