Cyber Risks in the Boardroom
Managing Business, Legal and Reputational Risks: Perspectives for Directors and Executive Officers
Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing Threat Environment
Working Document from the "Cyber Risks in the Boardroom Conference", June 12, 2015
Sullivan & Cromwell
Draft of June 9, 2015
A recent survey of more than 9,700 executives found that:
42.8 million cybersecurity incidents were detected by respondents during 2014, an increase of more than 48% over 2013
The average financial loss attributed to cybersecurity incidents during 2014 was $2.7 million globally, a 34% increase over 2013
The number of respondents reporting a financial loss of $20 million or more from a single cybersecurity incident increased by 92% over 2013
Source: PricewaterhouseCoopers LLP: Managing cyber risks in an interconnected world. Key findings from The Global State of Information Security Survey 2015
Employees, whether through negligence, inadvertence or malice, are the top cause of data breaches in the U.S.
The most costly breaches, however, are malicious in nature
Being prepared to handle a data breach properly may reduce the costs related to an incident significantly
Expectations of shareholders, customers, regulators and law enforcement are evolving. Data breaches are becoming less surprising, but companies will be held to a higher standard of preparedness and responsiveness
Source: PricewaterhouseCoopers LLP: Managing cyber risks in an interconnected world. Key findings from The Global State of Information Security Survey 2015
Cybersecurity is not solely the responsibility of the technologists; preparation and response require coordination across an organization
Senior management and the board should understand the risks and be briefed regularly on cybersecurity measures
Specific members of senior management should be assigned primary responsibility for monitoring cybersecurity risks and working with other company stakeholders to manage the interaction of cybersecurity controls and operational needs
Depending on your company’s internal capabilities, your company should consider retaining external advisers, including technical and legal advisers, to assist with its security assessment and preparedness and/or test the company’s security preparations
The board should exercise oversight of cybersecurity preparedness, including through appropriate committee review
The board may consider it appropriate to meet with external advisers in the course of its oversight
Assessing Your Company’s Vulnerabilities and Risks
Your company should have a comprehensive security policy intended to address the threats it faces
The policy must comply with all applicable legal, contractual and professional requirements
The policy should be designed to meet one or more applicable standards; these may include the NIST Cybersecurity Framework, ISO/IEC 27001, PCI DSS (where the company handles payment card data), COBIT, and the SANS Institute Critical Security Controls
The policy should have both proactive and reactive components: proactive measures that reduce the likelihood of a breach and limit its effects if one occurs, and a reactive breach response plan
Mitigating Cybersecurity Risk: Contractors and Vendors
Address threats posed by contractors and vendors
They must understand your company’s security requirements and agree to comply with them
Your company should review their cybersecurity vulnerabilities and their potential impact on your company
Your company’s contractual arrangements with contractors and vendors should provide for appropriate risk allocation/insurance, audit/review rights, and compliance with requirements to which the company is subject
Understand which communications may be privileged and therefore not subject to subsequent disclosure, and which will not be privileged
Consider regularly holding breach-response exercises to test the plan and familiarize participants with its procedures, preferably both announced and unannounced
Identify in advance outside advisers to assist with breach response and integrate them into response planning
Technical advisers, including forensic consultants
Legal advisers
Public relations
Government relations
Credit monitoring services, if applicable
Identify in advance any limits on your ability to provide information to authorities (e.g., privacy laws, contractual restrictions) and consider methods for addressing those limitations