CYBERSECURITY AND PRIVACY: REDUCING YOUR COMPANY'S LEGAL RISK. By: Andrew Serwin, Morrison & Foerster LLP

CYBERSECURITY AND PRIVACY: REDUCING YOUR COMPANY'S LEGAL RISK
By: Andrew Serwin, Morrison & Foerster LLP
January 19, 2018

Overview
- What are companies concerned about?
- What information are we concerned about?
- Cybersecurity
- Who are the threat actors?
- Steps to address a breach
- Consequences of a breach
- Examples of incidents
- Steps to prepare and respond
- Notice on a global basis
- Litigation and enforcement

Overview (Continued)
- How concerned are Boards?
- What are the relevant legal obligations for the Board?
- How should the Board think about cyber?
- Where should cyber be addressed at the Board?
- What are the threats and challenges?
- What should the Board do about cyber?
- What should Management do about cyber?
- What are emerging SEC issues regarding cyber?
- Lessons learned and takeaways
- What questions should you ask?

Top-Level Concerns
Controller v. processor.
Data misuse (generally a first-party issue):
- Failure to fully disclose data practices;
- Failure to comply with applicable laws;
- Marketing mistakes; and
- Others.
Attacks (third-party focused). There are two primary types of attacks:
- Theft of information (e.g., PI, trade secrets); and
- Attacks on the grid (e.g., denial of service, attempts to shut down systems).

All Companies Have Information of Value
Companies create and process a significant amount of information:
- Financial information;
- Information regarding individuals (employees and customers);
- Proprietary/confidential information:
  - IP;
  - Undisclosed M&A activity;
  - Business and marketing plans; and
  - Pricing;
- Information regarding business processes, including process improvements;
- Information regarding business trends;
- Social data/user-generated content;
- Machine data; and
- Many other forms of information.

Understanding the Cyber Threat
Yesterday:
- Threat actors: isolated criminals; script kiddies
- Goals: identity theft; self-promotion; theft of content or services
Today:
- Threat actors: organized criminals; nation states; hacktivists; insiders
- Goals: intellectual property; financial information; strategic access/destruction; terrorism; embarrassment

Breaches Are on the Rise
Security breaches are becoming more common and are reported on more frequently.

Have You Stopped Buying Based upon a Breach?
[Bar chart: Yes 78%; No 22%]

You've Been Breached. Now What?
- Investigate and stop the intrusion.
- Determine notice obligations and comply with deadlines.
- Evaluate whether a PR firm is needed.

Common Issues
- Escalation
- Privilege
- Who is in charge?
- The role of third-party vendors

Should You Hire a Vendor?
- Vendors can investigate the breach and plug the infiltration.
- You may also need third parties for notice-related issues, PR, and other services.

Tips & Suggestions Regarding Privilege in the U.S.
- Copying a lawyer on an email does not necessarily make it privileged. To be privileged, the email must be seeking legal advice or contain legal advice.
- Limit the distribution of documents containing legal advice to people who have a need to know.
- Do not cc: or forward emails containing legal advice to any third party (e.g., government, other companies).
- Stamp or add a legend to documents that are privileged to make them easy to identify. But simply stamping everything "privileged" can hurt more than it helps, so don't overuse the designation.

Privilege Quick-Reference Guide
Attorney-Client Privilege:
- Only applies to communications with lawyers regarding legal advice
- Is usually lost (waived) if shared outside the company
DO:
- Consult with attorneys before hiring consultants to decide whether the engagement should be privileged
- Ask an attorney before forwarding a privileged email
DON'T:
- Wait to consult an attorney before taking initial steps to stop an incident
- Put heat-of-the-moment opinions or speculations in writing that could later embarrass the company
- Forward privileged emails to people who do not have a need to know or who are outside the company

What Are the Consequences of a Breach?
- Impact on brand/trust;
- Bad PR;
- Corporate governance issues;
- Significant costs and use of internal resources;
- Enforcement by regulators on a global basis; and
- Private litigation in the United States.

Incident Number 1: IP Theft
A publicly traded U.S. company has spent a significant amount of money creating a chemical compound that is critical to the manufacturing of solar panels, and it is protecting the compound via trade secret protection. A month before the company is getting ready to release the product, the General Counsel receives a call from the FBI informing her that there are indicators that a foreign state has penetrated the company's network and stolen a significant amount of data, including the proprietary formula for the solar panel compound, as well as other intellectual property. What do you do?

Incident Number 2: PII Theft
A Fortune 50 retailer receives a call from a prominent member of the press informing the company that he is aware of a security breach involving the company and over 40,000,000 credit cards. He will be making the breach public in 24 hours and asks for a comment from the company. What do you do?

Incident Number 3: A Grid Attack
A global financial services company sees an uptick in fraud and subsequently discovers that it has been attacked and 200,000,000 user credentials have been stolen from the company. The company hires a forensic expert who determines how the attackers have accessed the network and then takes steps to block the attackers from having continued access. As soon as the attackers are removed from the system, the company is hit with a sophisticated Distributed Denial of Service (DDoS) attack that causes its entire network to crash. What do you do?

Incident Number 4: Public Embarrassment
A Fortune 100 health care company with a significant number of government contracts receives an email from a hacktivist group demanding a number of concessions from the company, including terminating certain lines of business that the hacktivists find objectionable, or the group will begin disseminating damaging information regarding the company. The company has 48 hours to respond, and it does not meet the group's demands. The hacktivists respond by posting numerous emails on a peer-to-peer network that reveal a pattern of inappropriate conduct by the CEO, and seem to indicate that there may be government fraud occurring. The company is given another 48 hours to meet the hacktivists' demands. What do you do?

What Can Companies Do to Prepare?
Pre-breach considerations include:
- Identifying critical systems;
- Identifying key legal and notice requirements;
- Creating an incident response plan;
- Identifying key internal and external stakeholders, including important customers and regulators who may require notice;
- Identifying professionals to assist in the event of a breach;
- Conducting a tabletop exercise;
- Anomaly detection;
- Establishing relationships with law enforcement and others in your industry to discuss sharing information; and
- Conducting a security review.

What Should Companies Do to Respond?
When a breach occurs:
- Containment and recovery;
- Advising on information sharing strategy (e.g., critical partners);
- Document preservation, including forensic collection, if appropriate, with consideration of the application of the work-product doctrine;
- Making the facts stand still;
- Creating a PR plan based upon the nature and scope of the incident;
- Assessing notice, disclosure, and other legal obligations;
- Advising on engagement strategy with law enforcement; and
- Conducting a lessons-learned review.

Notice of Security Breach Legislation
Common issues:
- When notice must be given;
- The form of the notice;
- Who notice must be given to;
- The scope of federal preemption; and
- The effect of existing security policies.

Data Breach Laws Vary by State in the U.S.
Most states have enacted data breach notification laws requiring businesses and other entities to notify affected individuals when a data breach involving their personally identifiable information occurs. The requirements of these laws vary and sometimes conflict.

There Are Federal Laws as Well
HIPAA is an emerging issue for many technology companies.

GDPR
GDPR attempts to harmonize European data protection rules, including implementing a European notice of security breach rule.

GDPR: What Is a Breach?
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

Notice Requirements
- A Controller must notify the Individual of a Personal Data Breach, without undue delay, where that Personal Data Breach is likely to result in a high risk to the rights and freedoms of the Individual, in order to allow him or her to take the necessary precautions.
- The Controller also must notify the DPA of a Personal Data Breach, unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of the Individual, without undue delay and, where feasible, not later than 72 hours after having become aware of it.
- Exceptions.

Asia/South Asia: Data Security
- Reasonable organizational, technical, and administrative measures to protect data.
- More detailed rules in: India, Japan, Korea, Taiwan.

Examples of Asian Countries with Breach Notification Laws or Voluntary Standards
- Japan, Korea, Philippines, Singapore, Taiwan.

Strategy for Compliance
- Review and comply with the breach notification laws for each relevant country or state (i.e., those states where individuals whose personal information is held by the company reside, or where your data controller exists). Time is often of the essence.
- Determine whether other entities need to be contacted (state attorney general, office of consumer affairs, FTC, consumer credit reporting agencies).

What If I Fail to Notify?
Failure to notify could result in enforcement action, penalties, or lawsuits brought by affected consumers.

The Different Legal Fronts
A high-profile nationwide breach may require the largest coordinated legal effort in a company's history.
Government investigations:
- State AGs
- FTC
- SEC
- Functional regulators (e.g., FCC, HHS, federal banking agencies)
- Congress
- International regulators (e.g., Canada OPC)
Litigation:
- Consumer class actions
- Shareholder suits
- Bank class actions

Class Action Risk for Data Breach
- The class action bar has targeted companies that are victims of data breaches.
- Multiple copycat class actions are filed across the country.
- Brought on behalf of nationwide and state classes.

Legal Theories
- Violation of state consumer protection laws
- Negligence
- Breach of contract
- Invasion of privacy
- Violations of state data security regulations (e.g., Mass. Data Security Reg.)
- Violations of federal data compliance/security regulations (e.g., FCRA, ECPA, CFAA)
- Civil RICO

How Concerned Are Boards about Cyber?
According to a 2016 NACD survey, 46% of Boards were concerned about cyber, the fourth highest ranked concern of Boards for 2016.

Have You Stopped Buying Based upon a Breach?
Research by the Lares Institute in 2015.
[Bar chart: Yes 78%; No 22%]

Fiduciary Duties Generally
Fiduciary duties are state-law specific. Generally, directors have:
- Duty of Care
- Duty of Loyalty
- Duty of Oversight
The most relevant duties are the Duty of Care and the Duty of Oversight.

Duty of Care
The Board must act on an informed basis after due consideration of relevant materials and proper deliberation.
Adequate procedure drives the court's inquiry. Did the Board:
- have access to relevant information?
- receive input from management and advisors?
- consider alternatives?
- follow a reasonable process?
- adequately deliberate?
Directors may rely on the reports and advice of appropriate advisors, including officers and employees of the Company, counsel, and other professionals.

Business Judgment Rule
Ordinarily, a decision to take action, or a conscious decision not to act, is entitled to the protection of the business judgment rule, and a court will not substitute its judgment for that of the Board.
To be eligible for this protection, the Board's actions must be:
- Based on material information available with reasonable diligence and inquiry
- Made in good faith
- Made in the honest belief that the action taken or not taken is in the best interest of the Company and its stockholders
- Made without a conflict of interest
A person challenging the Board's decision has the burden to show the Board failed to satisfy its fiduciary duties.

Duty of Oversight
In re Caremark (Del. Ch. 1996), on the duty of oversight: A director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by noncompliance with applicable legal standards.
Stone v. Ritter (Del. 2006): To establish a breach of oversight, it must be pleaded and proven that:
(a) the directors utterly failed to implement any reporting or information system or controls; or
(b) having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.

Understanding Cyber
- Cyber is an asymmetric threat. This means that the attackers may know more about your vulnerabilities than management does. The Board will inherently know less about the vulnerabilities than management.
- Ultimately, managing cyber risk is a governance issue; to appropriately manage this risk, the Board must understand the potential risks to the business.
Information Risk/Value
- Information is an asset of the company, and the Board should ensure that it is appropriately protected, valued, and utilized for the benefit of the company.

The Costs of Cyber
Costs of not addressing cyber can include:
- Financial;
- Legal/compliance;
- Reputational; and
- Operational risks.
But there are costs to consider when addressing cyber:
- Costs of remediation;
- Customer friction;
- Loss of productivity; and
- Breaking systems.
Ultimately, management must balance all of these costs and determine what the appropriate risk governance strategy is.

What Is Your Cyber Risk Tolerance?
After examining the potential impact of a cyber event, management, with appropriate input from the Board, should determine what the company's risk tolerance is regarding cyber. Ultimately, the Board needs to understand the earnings impact of the risk tolerance of the Company and ensure that it and management are aligned, and it must ensure, via its oversight responsibility, that Company management appropriately addresses cyber.

Where Should Cyber Sit at the Board?
Dodd-Frank requires certain financial institutions to have a Risk Committee at the Board. While it is not required for other companies, some Boards have created Risk Committees. The Board should determine where cyber fits in any relevant committees of the Board, whether that is through Audit, Risk, or other committees. While it is not a requirement, Boards should consider whether cyber should factor into other committees, including compensation, nominating and governance, as well as how it should fit into the Board agenda.

All Companies Have Information of Value
Companies create and process a significant amount of information:
- Financial information;
- Information regarding individuals (employees and customers);
- Proprietary/confidential information:
  - IP;
  - Undisclosed M&A activity;
  - Business and marketing plans; and
  - Pricing;
- Information regarding business processes, including process improvements;
- Information regarding business trends;
- Social data/user-generated content;
- Machine data; and
- Many other forms of information.

Understanding the Cyber Threat
- Threat actors: organized criminals; nation states; hacktivists; insiders
- Goals: intellectual property; financial information; strategic access/destruction; terrorism; embarrassment

Challenges
- Threat actors have more time and more resources
- The threats are constantly changing
- Inadequate information sharing
- Chief Information Security Officers cite gaps in skill sets on their teams, lack of bandwidth, and inadequate budgets as some of the biggest issues

Ramifications
Cyber can impact the Company in a number of ways:
- Loss of trust/reputational harm;
- Bad PR;
- Impact on earnings due to:
  - Loss of customers (including for B-to-B companies);
  - Increased costs that result from fines, response costs, investigative costs, litigation costs and settlements, remediation costs, as well as many others; and
- Significant distraction for employees, management, and the Board.

What Should the Board Do?
- Understand the cyber risk profile of the Company by discussing this with management and any appropriate third parties;
- As appropriate, engage with management to help set the risk tolerance for the company;
- Make sure that management has appropriate processes and programs to engage in appropriate risk assessment, which includes identifying, assessing, and mitigating risk;
- Make sure that management appropriately communicates the risk;
- Engage in appropriate oversight by:
  - making sure that cyber is appropriately addressed by the Board, including through relevant committees;
  - ensuring that risks are appropriately remediated; and
  - ensuring that the cyber risk program is otherwise functioning appropriately; and
- Do an appropriate, executive-level tabletop exercise.

What Should Management Do?
- Conduct an appropriate enterprise cyber risk assessment;
- Determine what your most critical systems and information are;
- Assist the Board with determining the Company's risk tolerance;
- Create an appropriate, cross-functional risk governance structure that continually assesses and improves cyber risk. This includes organizational, behavioral, and technical changes;
- Keep the Board appropriately informed of the Company's cyber risks;
- Align incentives for employees with the risk tolerance of the Company;
- Make sure escalation criteria are clear; and
- Engage in appropriate business continuity planning.

What Should Management Do? (Continued)
- Appropriately manage the company's cyber risks via an appropriate cyber risk mitigation program, including appropriately remediating known cyber issues;
- Have a third party evaluate your company (under privilege);
- Test and train employees, as appropriate, on common attack vectors such as phishing;
- Make sure escalation criteria are clear;
- Appropriately plan for any foreseeable business disruption due to cyber;
- Engage in appropriate information sharing;
- Develop appropriate relationships with law enforcement; and
- Practice responding to a security incident.

SEC Issues
- Risk Factors need to be reviewed
- When to disclose a breach
- Enforcement (coordination with DOJ)
- Pre-breach questions
- Post-breach questions

Lessons Learned from Breaches
- Unclear decision-making paths
- Unclear escalation criteria
- Lack of practice on the incident response plan
- Lack of business continuity planning

Board Dos and Don'ts
- Ask the right questions
- Ask if the right experts have been retained
- Engage in appropriate oversight

What Should the Board Be Asking?
- Is our actual cyber risk consistent with our intended cyber risk?
- Have we considered appropriate risk-shifting devices, such as insurance?
- Is the Board appropriately engaged regarding cyber, and does it have the appropriate organizational structures, including committees, to meet its oversight obligations? This includes assessing how often, and where, cyber is reported on to the Board.
- What organizational structures at the management level exist to measure, govern, and assess data and information risk, and how are threat assessments managed and reported?
- Does management appropriately report on cyber risk to the Board?
- Does management consider cyber risk, as appropriate, when it makes decisions regarding new products or services?

What Should the Board Be Asking? (Continued)
- Has management reviewed and de-conflicted these cyber organizational structures with the organizational structures for other risks, i.e., is your cyber risk management consistent in approach with the management of other risks?
- Have the company's security processes and systems been reviewed by a third-party assessor? Third-party review of cybersecurity readiness can be a crucial factor in defending the company after a security incident, as well as helping a company to take reasonable steps to prepare for and defend against a cyberattack.
- Has internal audit been appropriately engaged?
- Does the company have an incident response plan, and are the appropriate business leaders identified in it? Is it cross-functional? Have you tested it through a tabletop?

What Should the Board Be Asking? (Continued)
- Has the level of penetration testing (internal and external), software patching, and other similar activities been reviewed by a third party to ensure it is adequate for your company?
- Has the company benchmarked its cybersecurity risk posture against those of other similar businesses?
- Has management determined what the company's information sharing strategy is?
- Has management allocated responsibility for protecting the Company's information assets appropriately?
- Has management completed a high-level data inventory of the company's information assets so that it has an understanding of what information the Company has and generally where it is located?

What Should the Board Be Asking? (Continued)
- Has management done a thorough review of policies and procedures to ensure that they comply with the relevant data security laws and are consistent with industry best practice?
- Has management done appropriate resiliency planning for a cyber attack?