Panel I - Cyber Risks in the Digital Age
Posted on 18-Oct-2014
Summit D&O Conference, Panel I - Cyber Risks in the Digital Age
Topics: cyber liability, risk management, viruses, DoS attacks. Panelists: Chaffin, Hoole, Floresca, Klausner
Cyber and Social Media Risks
What Board Members Should Know
Spence Hoole
Janice Chaffin
Tonia Klausner
Lauri Floresca
Why Cyber Risk and not D&O Insurance?
Increases In Security and Data Breaches
Privacy Issues and Cyber Attacks
Why should a Director care?
What every Director should know and do
Understanding Privacy Laws in the US
Legal Exposures from Cyber Activity
Social Media Risks
Cyber Liability – a Board Level Issue
Cyber Liability Insurance
Goals and Takeaways
Role of Directors & Officers: Practical Implementation
Q&A
Overview
■ Evolution of changes in exposure to loss . . . brick and mortar risk shifting to network and cyber risks
■ A growing trend – frequency and severity of data breaches
  ■ 2010: largest collection of lost data on record
  ■ In 2009, over $220M personal records were breached (Social Security numbers, medical information, credit card databases)
  ■ Compared to only $35M personal records exposed in 2008
  Source: Databreaches.net / Source: Ponemon Institute LLC
■ Board’s responsibility in overseeing all organizational risks, including network / cyber risks
■ Cyber Risk insurance for “all” companies is the new, new thing
  ■ This is not your father’s Property and Liability Insurance Program
Why Cyber Risk and Not D&O at Summit?
Privacy Issues and Cyber Attacks
Janice Chaffin
Group President
Consumer Business Unit
Symantec
» BUSINESSES
» GOVERNMENTS
» INDIVIDUALS
Stuxnet: Thousands Of Industrial Control Centers Infiltrated
“SPEAR PHISHING” FOR COMPANY DATA
Why a director should care
Protecting:
Intellectual Property
Brand
Stock Price
Customer Confidence
THE QUESTION IS NOT WILL YOU BE ATTACKED? THE QUESTION IS WHEN?
WHAT EVERY DIRECTOR SHOULD KNOW
Who is responsible for Cyber Security? Has a cyber risk assessment been done? Is there a breach response plan in place?
Who is responsible for Cyber Security?
Who does he/she report to?
Does he/she have the authority and resources to succeed?
Is there an IT Security policy in place?
Are employees actively engaged?
Is there a regular cadence for updating the Board?
Has a cyber risk assessment been done?
What is the breach response plan?
This plan should include clear steps for:
Containing the breach and handling forensics
Contacting your security software vendor
Engaging with law enforcement
Disclosing the breach
Managing public relations
Conducting post-mortem analysis
Use personal best practices online
Take stock of your online profile
Never open links from strangers
Use strong passwords and change them often
Be conservative about what you share
Closely monitor security settings on social networks
Use approved web services only for company content
Summary
Threats are growing in number and sophistication
It’s only a matter of time before your company will be attacked
The stakes are high, be informed and act now
Don’t make yourself a target
Additional resources
• Estimate Your Risk Exposure: Ponemon Institute Data Breach Risk Calculator
  http://databreachcalculator.com
• Security Policy Templates and Resources: CSO Magazine
  http://www.csoonline.com/article/486324/security-tools-templates-policies
• Real-time Reports on Data Loss by Data Breach Type: DB Data Loss
  http://datalossdb.org
• The FTC’s Guide to Dealing With A Data Breach:
  http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
• FBI eScams and Threat Warnings: http://www.fbi.gov/scams-safety/e-scams
• Symantec State of Spam and Phishing Report:
  http://www.symantec.com/business/theme.jsp?themeid=state_of_spam
• Symantec Stuxnet Site: http://www.symantec.com/stuxnet
Privacy Law
Tonia Klausner
Partner
Wilson Sonsini Goodrich & Rosati
Privacy Law in the U.S.
Technology has driven the growth of privacy law
Legislators and regulators have had to respond to technological changes that have radically altered the way companies collect, share, use, and maintain personally identifiable information
Many of these laws respond to particular issues or concerns
Result: sectoral approach (industry silos), overlaid with cross-industry requirements
Contrast with omnibus approach in other regions (e.g., EU)
Some U.S. Privacy Laws
Telemarketing & Consumer Fraud & Abuse Prevention Act (Telemarketing Sales Rule)
Telephone Consumer Protection Act (TCPA)
Junk Fax Prevention Act
CAN-SPAM
US/EU Safe Harbor
Video Privacy Protection Act
Electronic Communications Privacy Act (ECPA)
Fair Credit Reporting Act (FCRA) + FACTA
GLB, CPNI, FERPA, HIPAA, COPPA, SOX, FTC Section 5
States: Spyware, Social Security #s, Data Security, Breach Notification, Data Disposal, Point of Sale Data Collection, ID Theft Legislation, Security Freezes, Shine the Light, Credit Card Security
U.S. Privacy Law Enforcement
Data Breach
Containment: Response team; Accurate records of all events; Preservation of evidence; Newly enacted safeguards to prevent reoccurrence
Notifications: Required by statute or by contract; Other notifications
Customer relations: Call center; Protection services
Data Breach: Consequences
Investigations: FTC, State AGs, HHS
Fines
Lawsuits
Breach Of Contracts; Loss of Rights/Revenues
Commercial Reputation
Data Breach: Pending Legislation
Comprehensive notice requirements
Preemption of patchwork of state statutes
Possible private right of action
Social Media
• Social Networking – rapid growth online and on handhelds
  MySpace, Facebook, LinkedIn, Google+, Twitter, Ning, Tagged, Orkut, hi5, Meetup, Badoo, Friendster
  iPhone, Android, iPad, Galaxy, Xoom, Windows 7 Tablet
  GroupMe, Disco, WeTxt
Legal Risks Beyond Breach
Many Potentially Applicable Statutes: Computer Fraud and Abuse Act, ECPA, CAN-SPAM/Wireless CAN-SPAM, TCPA, COPPA, Video Privacy Protection Act
Hot area for class action lawsuits: Social programs, Geolocation data collection and use, Texting programs
Steps to Reduce Litigation Risks
Clear disclosure in terms of use or privacy policy
Conspicuous opt out or opt in at time user data is collected
Customer agreement to arbitrate dispute with class action waiver
Online Advertising
Collection of information about users’ activities online: Web pages visited, Searches conducted, Content viewed
Advertisers’ Goal: present users with ads targeting users’ interests
[Figure: Digital Advertising Flow (source: gridley & co. and gregstuart.com)]
A New Perspective on Online Privacy
“Most of the online world is based on a simple, if unarticulated, agreement: consumers browse Web sites for free, and in return, they give up data – like their gender or income level – which the sites use to aim their advertisements. The head of the Bureau of Consumer Protection at the Federal Trade Commission, David C. Vladeck, says it is time for that to change.”
New York Times, August 5, 2009
Industry Created A Self-Regulatory Program
Self-Regulatory Principles for Online Behavioral Advertising released July 2009
Advertising Option Icon announced & registration begins October 4, 2010
Consumer Choice page launched November 2010
Coalition turns to enforcement, operational implementation, and educational planning
FTC Staff Report on Privacy December 2010 Said Progress Not Fast Enough
Simplified Choice
• Consumers should have choice about both data collection and usage
• Choice mechanism should be offered at point consumers provide data
• “Do Not Track” proposed as simplified choice mechanism
• Choice not required for a narrow set of practices:
  – Fulfillment
  – Internal operations
  – Fraud prevention
  – Legal compliance
  – First-party marketing
  – Contextual advertising
Behavioral Advertising Litigation Risks
Lawsuits regarding cookies, flash cookies, super-cookies
Unsettled law: ECPA, CFAA
Multi-million dollar class-action settlements
Cyber Liability a Board-Level Issue
Lauri Floresca
Partner
Woodruff-Sawyer & Co.
Cyber Liability: a Board-Level Issue
Boards increasingly focused on cyber risk exposures
ERM Risk Oversight Rules adopted by SEC in 2009
Media attention on high profile breaches grows in 2011
SEC issues informal guidance on cyber risk disclosure in October 2011
In a technology driven world, most companies have some exposure to cyber liability.
Customer Records
Employee Records
How to quantify? And how to remediate?
Average Cost of Breach
SEC Guidance: A Closer Look
October 2011 SEC guidance suggests that listed companies should add disclosure on cyber liability to their risk factors based on:
1. The “probability of cyber incidents occurring”
2. The “quantitative and qualitative magnitude of those risks”
Probability ≈ 100%
Magnitude much more difficult to assess
SEC also suggests that companies include a description of “relevant insurance coverage” – not straightforward
Many different types of insurance policies address cyber liability exposures, and all of them have some coverage limitations
SEC notes that relevant costs may include:
Remediation costs – insurable, sublimits often apply
Increased cyber security protection costs – not generally insurable
Lost revenues resulting from a cyber attack – insurable, significant limitations/waiting periods
Litigation - insurable
Reputational damage – specialized insurance products available, limited in scope
Evolution of Cyber Liability Insurance
Why you need Cyber Liability Insurance
Identifying Your Cyber Liability
Third-party v. First-party Coverage
Contract Liability in the Cloud
Growth in cloud computing and outsourced I/T function creates new challenges
I/T infrastructure may be improved by outsourcing to a reputable cloud vendor – but lose some elements of control
Will a cloud vendor be a more attractive target for a serious hacker (criminal or “hacktivist”)?
Compliance with data breach notification rests with the data owner – it does not matter if you outsource data processing or storage
Contracts with vendors likely limit their liability – but terms can vary substantially. Often limited to 12 months of revenue paid to the cloud provider
Large cloud providers may offer no indemnity whatsoever under a standard contract, but are willing to negotiate for large customers
Make sure that your cyber liability insurance extends coverage in the event your data is breached while under the control of a third party
Negotiate with vendor to maximize your chance of recovery if a breach is their fault
Ask your vendor for confirmation of their coverage – for them, this falls under the traditional technology “E&O” coverage module
Q&A