Skadden, Arps, Slate, Meagher & Flom LLP
Cybersecurity and Privacy 2015: Presentation to Institute of International Bankers
October 2015
FINRA GUIDANCE
• Published Report on Cybersecurity Practices and an Investor Alert (Feb 2015)
− Goal: help broker-dealers better prepare for and respond to threats posed by cyberattacks.
• Identifies principles and effective practices, grounded in risk management
− Recognizes that no single approach will work for all firms
• Although technology controls are discussed, the focus is on management and governance
• Conducting a risk assessment to understand the cybersecurity risks a company faces across all activities and assets;
• Instituting a strong governance framework with strong leadership at the board and senior management levels;
• Implementing technical controls, including a "defense-in-depth" approach;
• Developing, implementing and testing incident response plans (which should include steps toward containment, mitigation, eradication, recovery, investigation, notification and making customers whole);
• Undertaking strong diligence and management of vendor relationships;
• Conducting effective training for certain staff about cybersecurity risks;
• Participating in intelligence-sharing opportunities; and
KEY LITIGATION ISSUES
• Every cyberattack results in multiple class action lawsuits – with no end in sight
− Consumers and shareholders
• Courts are split on the type of harm that is sufficient to defeat a motion to dismiss based on “standing”
− But a recent case finding standing may have shifted the landscape: Remijas v. Neiman Marcus (7th Cir. 2015)
• Potentially low bar on proving consumer exposure to cybersecurity claims (based on tobacco litigation)
− Opperman v. Path, Inc., N.D. Cal. 2015
• Settlements have been modest so far, but this has not deterred the class action bar
THE TARGET LITIGATION
• “Around September 2013, numerous members of Target’s security staff raised concerns about what they believed to be vulnerabilities in Target’s payment card system. The vulnerabilities were due to updates being made to Target’s cash registers, presumably in conjunction with the rolling out of the FireEye security software. The warnings went unheeded and Target officials ordered no further investigation.”
• “Target could have required vendors to more closely monitor the integrity of their critical system files.”
• “Target failed to disclose to Consumer Plaintiffs and members of the Class that its computer systems and security practices were inadequate to reasonably safeguard customers’ personal and financial information and failed to immediately and accurately notify its customers of the data breach.”
THE HOME DEPOT LITIGATION
• “Despite alarms as far back as 2008, Home Depot was slow to raise its defenses ... ”
• “Home Depot failed to discover the attack and notify consumers in a timely manner”
• “Home Depot had a duty to put in place policies and procedures designed to protect and prevent the theft or dissemination of PII.”
CYBER RISKS AND THE BOARDROOM
“[B]oards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk – and there can be little doubt that cyber-risk also must be considered as part of [a] board’s overall risk oversight.”
– SEC Commissioner Luis A. Aguilar, “Cyber Risks and the Boardroom,” NYSE Conference, June 10, 2014
• National Association of Corporate Directors (NACD), together with AIG and the Internet Security Alliance, has identified five steps all corporate boards should consider to enhance their oversight of cyber risks:
− Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue
− Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances
− Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda
− Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget
− Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach