Page 1: WELCOME TO OUR WEBINAR - DLA Piper/media/Files/Insights/Events/2015/05/Su… · 7 DIRECTORS GENERAL COUNSEL Data security 48% Data security 55% Operational risk 40% Operational risk

Cybersecurity and Supply Chain Risk Management

If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.

US participants: 800 732 8470

Outside the US: +1 212 231 2900

The audio portion is available via conference call. It is not broadcast through your computer.

*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Tuesday, May 12, 2015 | 1:00 p.m. EDT

WELCOME TO OUR WEBINAR

Page 2:

Speakers

Vinny Sanchez, Partner and Co-Chair, Cybersecurity practice, DLA Piper

Ryan Sulkin, Associate, Cybersecurity practice, DLA Piper

Page 3:

Agenda

Setting the Stage

Key Considerations for an Effective Risk Management Program Governing Cyber-Risks in the Supply Chain

Pre-Contract Selection and Due Diligence

Contract Process: Risk Mitigation and Allocation

Post-Contracting Vendor Management and Assessments

Next Steps

Page 4:

Setting the Stage

Page 5:

Setting the Stage: Corporate Asset Values at Risk

Significant shift in corporate asset value from the physical to the virtual

Rapid digitization of corporate assets

Tremendous benefits in digitizing our everyday lives

BUT

Tremendous risks exist

Trillions of dollars move through the financial system each day

Estimates of between $9 and $21 trillion of global economic value creation at risk in next 5-7 years

Page 6:

Setting the Stage: Impact on Corporate Asset Value

Loss of consumer confidence (which means real dollars)

Loss of reputation

Loss of IP

Loss of data

Manipulation of data and detrimental reliance

Disruption to infrastructure (traffic patterns, trading, energy consumption, etc.)

Disruption to daily life (connected car, automated home, health/death, etc.)

Shareholder derivative actions

Director liability

Fines, penalties and possibly even jail

Page 7:

Setting the Stage: Top 10 Concerns for Directors and General Counsel

Directors:
Data security 48%
Operational risk 40%
Company reputation 40%
M&A transactions 37%
Investor relations 30%
Executive compensation 30%
SEC/regulatory compliance 28%
Disaster recovery 27%
Internal controls 26%
Global business expansion 26%

General Counsel:
Data security 55%
Operational risk 47%
Management of outside legal fees 38%
Company reputation 35%
Disaster recovery 35%
E-discovery 33%
FCPA 30%
Global business expansion 29%
Internal controls 26%
Executive compensation 26%

Source: FTI Consulting

Page 8:

Setting the Stage: Cyber-incidents

In 2014, hacking incidents represented the leading cause of data breach incidents, accounting for 29.0 percent of the breaches tracked by the ITRC.

This was followed for the second year in a row by breaches involving Subcontractor/Third Party at 15.1 percent.

Complexity and sophistication of hackers is increasing dramatically

And it is not always who/what you would suspect:

Refrigeration, heating and air conditioning subcontractor

Background check provider

Customer/Employee mailings

Cleaning service

Theft/sabotage by an individual

Page 9:

Setting the Stage: The Supply Chain

Competition increasing for cost-effective resources (including brainpower)

Long, international supply chains may be an unavoidable necessity

Increasing majority of cyberattacks are against smaller organizations with more limited resources

These smaller organizations are a pathway to larger targets

Page 10:

Setting the Stage: Remember This!!!

Cybersecurity is about more than PII

Cybersecurity also involves:

Business confidential information (trade secrets, third party information, etc.)

Intellectual Property

Mission critical systems

Infrastructure

Transportation

Your ability to operate your business (i.e., business continuity)

Page 11:

Key Considerations for an Effective Risk Management Program

Governing Cyber-Risks in the Supply Chain

Page 12:

Key Considerations: What to do?

Objectives:

Establish a risk management program focused on cyber-risks in the supply chain.

Leverage supply chain as a “value-add” for purposes of cybersecurity.

Mitigate inherent risk of third parties through a mixture of contract, technical design and “know your vendor” diligence and management techniques.

Page 13:

Key Considerations: What to do?

The “How:”

Focus on Methods and Solutions: Adopt a thoughtful approach to risk taking consistent with your company’s values, business needs and appetite for risk.

Supply chain as a portfolio

Gatekeeping requirements

Pre-contract approvals

Contract signing approvals

Post-contract signing checkpoints

Robust internal governance structures and recordkeeping throughout

Page 14:

Key Considerations: Who is in the Supply Chain?

Evaluate your supply chain with sufficient breadth:

Third parties that provide technical services to you (e.g., hosting, support, managed services) (“Technical Service Providers”)

Third parties that provide non-technical services (e.g., AC company) but have access to environments/systems or can create vulnerabilities (“Non-Technical Service Providers”)

Third parties to which you outsource security responsibilities (“Security Service Providers”)

Page 15:

Key Considerations: An Integrated View

Subs of Subs

Understand what’s at stake

Assign and manage appropriate risk

Compare risk absorbed vs. risk shifted

Accept and manage appropriate risk

Page 16:

Key Considerations: Potential Liability

Examples for potential claims resulting from a poorly managed supply chain:

Failure to identify risk in advance of selection (i.e., negligent hiring)

Failure to mitigate the risk

Failure to proactively manage

Failure to properly insure

FTC and State Actions

Deceptive and Unfair Practices – Far Reaching

Breach of Contract Claims

Tort Claims (duty per state statute; fraud; neg. misrepresentation, unfair practices, etc.)

Lone Star vs Heartland (5th Circuit)

Shareholder Derivative Suits

Violation of Fed/State Licenses/Certifications

Page 17:

Key Considerations: BCP

Cyber-security
- Controls
- Certs
- Audits
- Design
- Ability to Operate

Business Continuity

Disaster Recovery

Page 18:

Pre-Contract Selection and Due Diligence

Page 19:

Pre-Contract Selection and Due Diligence: Common Considerations

Varying levels of access/responsibility

Relationship typically governed by contract, although not necessarily “approved” form

May be frequent turnover

Often reliance on reputational trust or lack of prior incidents

Often overlapping responsibilities with internal functions and/or other suppliers

Varying levels of insight into day-to-day responsibilities

Varying levels of creditworthiness

Varying levels of ability to “cause harm”

Varying levels of contractual responsibility should harm occur

Varying pass-through requirements from third parties

Page 20:

Pre-Contract Selection and Due Diligence: Objectives

Objectives:

Evaluate and understand sufficiency of cyber-security protections and material, unresolved risks

Ask the hard questions (e.g., creditworthiness, prior breaches)

Assign appropriate risk ranking

Understand how it works; understand what you are not buying

Understand your responsibilities vs. the service provider’s

Where possible, seek to move beyond the standard report

Where possible, leverage independent evaluations of the solution

Differentiate between promises made in due diligence and contract promises

Establish consistent standards for suppliers, categorized by the sensitivity or mission criticality of the function/system/data at issue

Obtain adequate buy-in from key internal stakeholders

Page 21:

Contract Process: Risk Mitigation and Allocation

Page 22:

Key Contract Provisions: Risk Mitigation

Ensure “relied upon” due diligence promises are reflected in the signed agreement; Know your “must haves”

Risk Mitigation clauses:

Security/Privacy commitments

Compliance with policies

Cross-border data transfers

Clear delineations of your responsibilities and the service provider’s

Audit/Testing/Records/Certifications/Issue Remediation

Notice of data breach/suspected data breach

Incident response and investigation protocols

Information/evidence preservation

Page 23:

Key Contract Provisions: Risk Allocation

Business Process (Internal Operation):
- Risk
- People
- Assets
- Costs

Business Process (Supply Chain Provider):
- Risk?
- People
- Assets
- Reduced Costs

Reduced Risk? Incremental Risk?

Page 24:

Key Contract Provisions: Risk Allocation

Usual suspects

Reps/Warranties

Indemnification

Appropriate Limitations on Liability

Insurance

Pass-through requirements from third parties

Standards of Liability

Strict

Gross

Negligence/Breach of Contract

Foreseeable downstream risk???

Page 25:

What does the Future Hold?

Service Integration and Management Models (“SIAM”)

Multi-party governance frameworks

Collaboration principles

Information-sharing

Dependencies

Cross-liability mitigation and allocation strategies

Dispute resolution mechanisms

Page 26:

Contractual Structure – "Full fat" SIAM

Parties shown: Customer; SIAM; O/Sourced Service Desk (Supplier A); Supplier B; Supplier C, etc.; Tech Ops and Other (customer self-provide); Inhouse Service Desk?

Services Agreements
• Multiple, bilateral, binding agreements between the customer and each external supplier
• Requires supplier to deliver services in accordance with customer requirements
• Requires suppliers to comply with Overarching Governance Framework, Common Processes, Dependencies Register and any OLAs

Collaboration Agreement
• Single, multi-party, binding agreement between the customer and each external supplier
• As a minimum, requires suppliers to collaborate

OLAs: [Multiple, bilateral] non-binding operational arrangements between relevant suppliers and customer for self-provide services

Overarching Governance Framework

Common Processes (change management, incident/project management, etc)

Dependencies Register (determines if suppliers entitled to ‘relief’ under SA where default caused by another supplier)

E2E ‘Bible’: Single document maintained by SIAM which provides E2E service picture

Page 27:

Post-Contracting Vendor Management and Assessments

Page 29:

Post-Contracting Vendor Management and Assessments: Objectives

Objectives:

Leverage audit rights (paper vs. eyes/independent testing)

Request and review required reports and certifications

Ensure adequate review of changes

Monitor changes in service/deliverable requirements that may drive additional or different cyber-security needs

Amend contract documents as necessary

Adjust risk rankings as necessary

Monitor creditworthiness and incident frequencies

Consider overall allocation of risk in light of evolving circumstances

Ensure appropriate responsiveness to evolving threat landscape

Page 30:

Post-Contracting Vendor Management and Assessments: Solution-Focused

Proper alignment between “negotiated for” solution and actually implemented solution

Consider technical design changes to mitigate risk/contract deficiencies

Appropriate approvals for any material changes to the previously approved security plan

Proper testing/audit before each go-live

Vetted change control processes/procedures

Confirm risk ranking and adequacy of current contract documentation

No surprises

Frequent, scheduled reviews going forward

Page 31:

Next Steps

Page 32:

Next Steps: Getting Started Today

Gaining Momentum is Key:

Map your suppliers – what’s where, and with whom

Classify assets you need to protect by level of sensitivity (e.g. trade secrets, intellectual property, credentials, information subject to contractual obligations, information that would trigger data breach notice obligation)

Address deficiencies in a prioritized approach based on risk assessment

Review existing contracts for sufficiency

Amend existing contracts when/if possible

Correct design flaws

Going forward, strategically allocate riskiest assets in a manner that best leverages strongest suppliers, contracts and technical designs

Establish “must haves” and risk tolerance thresholds

Establish cross-organizational governance team

Establish role of Board and Executive management

Page 33:

CYBERTRAK℠

DELIVERING CRITICAL GLOBAL INFORMATION AT A KEYSTROKE