Cybersecurity Risk: It's Not Just for IT Anymore

or, What You Don't Know Could Hurt You

Cynthia J. Larose, Esq., CIPP

May 14, 2013

Corporate Data at Risk

Analyzing the Threat Landscape

What's at Stake?

Data Security: On the Corporate Radar?

• 2013 FTI Consulting/Corporate Board Member Survey:

–Data security and IT risk is one of the most significant legal issues in 2013 for the over 550 Directors and General Counsel surveyed

• The percentage of Directors and GCs concerned about data security has doubled since 2008

–Trend continued from the 2012 Survey

–The median annualized cost of cyber-crime per company averaged $8.9 million

• Denial of service, malicious insider and external attacks all up

–The survey noted participants' opinion that cyber risks are invisible, ever-changing, pervasive and costly

2013 FTI Consulting Survey By the Numbers

• Directors and GCs both identify data security as the number 2 issue that keeps them up at night – close on the heels of succession/leadership transitions, but of much greater concern than operational effectiveness or M&A transactions

• Cyber risk cited by both directors and GCs as an issue on which the board will be spending considerable time this year

• Only a third of GCs felt "very confident" in their company's ability to respond to a breach

• Less than a quarter of directors agreed.

Corporate Practices on Cybersecurity: Report Suggests Lack of Board Involvement (Governance of Enterprise Security: CyLab 2012 Report)

2012 Data Breaches by Business Category

AIG Survey – February 2013

• Major finding: the majority of corporate executives surveyed (258) were more concerned about cyber threats than about other major business risks

–85% very or somewhat concerned about cyber risk to their organization

–Other responses:

• Loss of income – 82%

• Property damage – 80%

• Securities and investment risk – 76%

AIG Survey – February 2013 (cont'd)

• More than 2 out of 3 (69%) executives and brokers believe that the reputational risk from a cyber attack is far greater to a company than the financial risk.

• More than 7 in 10 (75%) executives and brokers say legal compliance issues are making companies think more about cyber risks.

• The vast majority of brokers and executives (82%) believe hackers are the primary source of cyber threats, though a significant portion of those surveyed (71%) also perceive human error as a significant component of cyber risk.

Litigation Exposure

• Customer whose bank funds were stolen by hackers alleged that the bank did not do enough to prevent the hack

–Patco Construction Co. v. People's Ocean Bank

• Bank sued to avoid refunding customer's funds taken from its account by Romanian hackers using valid credentials

–PlainsCapital Bank v. Hillary Machinery, Inc.

• Data breach litigation following cyber attacks

–Class action lawsuits arise after nearly every major breach

Litigation Exposure (cont'd)

• Failure to safeguard could expose boards to shareholder suits alleging negligence or breach of fiduciary duty

• Delaware Caremark decision: duty of care to safeguard digital assets

• Shareholder actions resulting from failure of adequate disclosure

–SEC Cybersecurity Guidance

SEC Cybersecurity Guidance

• Corporation Finance guidance issued October 13, 2011

• Cyber attacks:

– Target theft of financial assets, intellectual property, other sensitive information

– Customer or business partner data could be implicated

– Objectives could include disrupting business operations

• Disclosure required if cyber-risks "are among the most significant factors that make an investment in the company speculative or risky"

– Consider frequency of prior incidents and probability and potential harm of future incidents

– "Specify how each risk affects the registrant"

SEC Guidance on Cybersecurity Disclosures

• At least 21 Dow 30 companies discussed cybersecurity or data breaches in their 2011 Form 10-K risk factor disclosures.

• Many also drew comments from the SEC and were required to add information or otherwise revise disclosures

SEC Cyber-Comment Letters

US Government Perspective on Cybersecurity

Congress on Cybersecurity

• Numerous bills proposed in the last Congress; none passed

• Minimal consensus that critical infrastructure must be protected

– Utilities, electrical grid, telecommunications, financial services, defense contractors

– Facilitate information sharing

• Sen. Rockefeller issued "cybersecurity" letter to CEOs of the Fortune 500 (Sept. 2012)

• House passed the controversial Cyber Intelligence Sharing and Protection Act (CISPA) in April – unlikely to get to a vote in the Senate

Executive Order on Cybersecurity

• Legislative efforts have failed – White House drafted an Executive Order in late September 2012

• Improving Critical Infrastructure Cybersecurity – signed by President Obama on February 12, 2013

• Purpose stated in Section 12:

"Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."

Executive Order – What is Critical Infrastructure?

• Defined broadly and generally

• Secretary of Homeland Security will identify key threats

–Communications, Manufacturing, Energy, Food and Agriculture, Financial, Healthcare, Transportation, Shipping

–Critical Infrastructure Partnership Advisory Council

–National Institute of Standards and Technology (NIST) directed to create a Cybersecurity Framework

High Profile Data Breaches 2012-2013

Date | Company | Details of Breach

May 2013 | LivingSocial | No details of breach, but company reset passwords of 50 million users

March 2013 | South Korean banks and media companies | Cyber attack causes computers to crash at South Korean banks and media companies, paralyzing bank machines across the country.

July 2012 | LinkedIn | Reportedly targeted in hacker attack; 6.5 million passwords posted to the Internet

March 2012 | Global Payments | Credit card processor confirms hacker attack compromised approx. 1.5 million credit cards

January 2012 | Zappos | Shoe retailer announced that names, addresses and passwords of 24 million customers were illegally accessed

January 2012 | NY State Electric + Gas | Security breach allowed unauthorized access to customer data, including SSNs and bank account numbers, exposing 1.8 million records

Enhance Board/CEO Attention

• Review and refine information governance structure

– Assign distinct board committee responsibility for cybersecurity, data protection and information privacy; establish expectations for management; require ongoing reporting regarding information risks and controls; review top-level policies

– Assign C-level management responsibility, accountability and reporting obligations; provide adequate budget and operational resources; authorize involvement in industry/government information sharing

– Consider appointing a CISO (chief information security officer) and a CPO (chief privacy officer)

– Develop and approve appropriate cybersecurity protocols and safeguards; increase internal awareness

Cybersecurity and Insurance

• Limited coverage under traditional policies may be available

• Specialized cyber coverage available as a stand-alone policy

–First and third party coverage available

• Types of coverage include:

–Loss/corruption of data

–Business interruption

–Cyber extortion

–Crisis management

Enhance Board/CEO Attention (cont'd)

• Develop cybersecurity and data protection risk assessment

– Understand system and network vulnerabilities; plan for possible "persistent" threats

– Understand exposure of essential or valuable information and communication assets

– Understand exposure to third parties and service providers

• Evaluate cyber insurance coverage

• Monitor legislative, policy, industry, contractual, etc. developments and expectations

– Address legal compliance and reporting responsibilities

– Consider SEC issues

• Engage IT and audit experts; report on testing of systems

Cybersecurity and Insurance (cont'd)

• Types of coverage include:

–Identity theft

–Social media/networking

–Liability

• Breach of privacy due to theft of data

• Transmission of a computer virus or other liability resulting from a computer attack which causes financial loss to third parties

• Failure of security which causes network systems to be unavailable to third parties

• Allegations of copyright infringement or trademark or other "media" activities online

Data Breach Insurance

• Can I buy insurance for that? YES!

• Coverage varies, but the typical available coverages are:

– Third party computer forensics services to determine the scope of a failure of network security

– Complying with privacy regulations

– Notifying individuals whose personal information has been disclosed

– Retaining a public relations firm, crisis management firm or law firm for advertising or related communications

– Retaining a law firm to determine any indemnification rights with an independent contractor

– Credit monitoring services

D&O Insurance and Privacy

• Almost all D&O insurance policies have a "privacy" exclusion

–Buried in the Bodily Injury/Property Damage exclusion

• Most D&O insurance policies also have a Professional Services Exclusion

–Large gap in coverage

• Coverage can possibly be modified – but not easily

–Takes more than just a simple endorsement

D&O Insurance and D&O Cyber Insurance

• There are separate D&O Cyber Insurance policies that companies can purchase to protect the Board

–A number of carriers offer a broad range of different products

• These policies are new and untested

–Buyer beware!

• Many of the terms and conditions can be less favorable than the existing D&O policy

–Filling the gaps must be done carefully

10 Steps Toward More Effective Cyber Threat Risk Governance

1. Stay informed about cyber threats and their potential impact on your organization.

2. Recognize that intelligence about cyber threats is as valuable as traditional business intelligence.

3. Hold a C-level executive accountable for cyber threat risk management.

4. Provide sufficient resources for the organization's cyber threat risk management efforts.

5. Require management to make regular (e.g. quarterly) substantive reports on the organization's top cyber threat risk management priorities.

10 Steps Toward More Effective Cyber Threat Risk Governance (cont'd)

6. Expect executives to establish continuous monitoring methods that can help the organization predict and prevent cyber threat related issues.

7. Require internal audit to evaluate cyber threat risk management effectiveness as part of its quarterly reviews.

8. Expect executives to track and report metrics that quantify the business impact of cyber threat risk management efforts.

9. Monitor current and potential future cybersecurity-related legislation and regulation.

10. Recognize that effective cyber threat risk management can give your company more confidence to take certain "rewarded" risks (e.g. adopting cloud computing) to pursue new value.

About Mintz Levin

•Full-service, multi-disciplinary law firm

•450 attorneys and senior professionals

•Offices across the country, and in the UK:

–Boston

–New York

–Washington, DC

–Stamford

–Los Angeles

–San Diego

–San Francisco

–London

•Liaison office in Israel

•International network of contacts

•Government relations, public policy and real estate project development consulting affiliate – ML Strategies

Cynthia J. Larose

Member, Boston

[email protected]

JD, Boston University; MS, Boston University; BA, University of Massachusetts

• Chair of the firm's Privacy & Security Practice and a Certified Information Privacy Professional (CIPP)

• Represents companies in information, communications, and technology, including e-commerce and other electronic transactions

• Extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions

• Conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy "best practices" across all levels of the enterprise

• Frequent speaker on privacy issues at conferences and media appearances; presents privacy awareness and compliance training seminars to client companies

All information contained herein is proprietary to Mintz Levin and considered confidential. This document presents general information about Mintz Levin and is not intended as legal advice, and it should not be considered or relied upon as such.

Questions?

[email protected]