Cyber Threats to Banks and Financial Institutions: Regulatory Requirements and Bank Examinations. Leveraging FFIEC Cybersecurity Assessment, Navigating Board of Director Risks and Third-Party Vendor Management (PowerPoint presentation)


SLIDE 1

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

Cyber Threats to Banks and Financial Institutions: Regulatory Requirements and Bank Examinations

Leveraging FFIEC Cybersecurity Assessment, Navigating Board of Director Risks and Third-Party Vendor Management

TUESDAY, APRIL 5, 2016, 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Jason M. Halper, Partner, Orrick Herrington & Sutcliffe, New York
Aravind Swaminathan, Partner, Orrick Herrington & Sutcliffe, Seattle

SLIDE 2

Tips for Optimal Quality

Sound Quality: If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-873-1442 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality: To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

SLIDE 3

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program. For additional information about continuing education, call us at 1-800-926-7926 ext. 35.

SLIDE 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

  • Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
  • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
  • Double click on the PDF and a separate page will open.
  • Print the slides by clicking on the printer icon.

SLIDE 5

Cyber Threats to Banks and Financial Institutions: Regulatory Requirements and Bank Examinations

Aravind Swaminathan (Seattle), Global Co-Chair Cybersecurity and Data Privacy
Jason Halper (New York), Co-Chair Financial Institutions Litigation Practice

April 5, 2016

SLIDE 6

Scope of the Problem

“There are only ‘two categories’ of companies affected by trade secret theft – those that know they’ve been compromised and those that don’t know yet.”

Former Attorney General Eric Holder

SLIDE 7

World Economic Forum: Cyber is Top 5 Global Risk

Source: World Economic Forum Global Risks 2014

Privileged & Confidential

SLIDE 8

Knowing the Adversary

SLIDE 9

Threat Actors

Threat Type | Who and What
Organized Crime | Organized crime rings targeting corporate data, such as personal information, health information, credit cards, for financial motives (e.g., Target)
Industrial Control System Attack | Targeted attack that seeks to disrupt the activities of large-scale companies or organizations, including industrial control systems (e.g., Stuxnet)
Insiders | Employee or contractor using access to release or exfiltrate information for personal, competitive, or financial gain (e.g., Wikileaks)
Advanced Persistent Threat (APT) | Organized and state-funded groups methodically infiltrating the enterprise, often maintaining a presence for months or even years (e.g., “Deep Panda”)
Hacktivism | Highly visible attacks to advance “movements” based on political, policy, or religious views, to raise the PR spotlight, embarrass, or effect change (e.g., Anonymous)

SLIDE 10

Attack Targets

Source: Verizon 2015 Data Breach Investigations Report

“The top two industries affected are the same as previous years: Public and Financial Services.”

SLIDE 11

Attack Methodologies

Source: Verizon 2015 Data Breach Investigations Report

SLIDE 12

Average Loss to Organization

Average Loss to Organization | In 2012 | In 2014
Average Total Cost (direct and indirect expenses, e.g., forensic experts, outsourcing hotline, free credit monitoring, discounts, customer loss, diminished customer acquisition) | $5.5 million | $6.5 million
Cost per compromised record | $188/record | $217/record

  • Averages based on small breaches of 5,000 to 99,000 records
  • Breaches >100,000 records were excluded because they would “skew” the results

Source: Ponemon Institute/IBM, 2015 Cost of Data Breach Study: United States

SLIDE 13

Regulatory Developments

SLIDE 14

Regulatory Landscape: Which Way Are They Coming From?

SLIDE 15

FFIEC Cybersecurity Assessment Tool

Inherent Risk
  • Technologies and connection types
  • Delivery channels
  • Online/Mobile products & technology svcs
  • Organizational characteristics
  • External threats

Cybersecurity Maturity
  • Risk management and oversight
  • Controls
  • External dependency management
  • Incident management

Regulators explicitly using in bank examinations:

  • Office of the Comptroller of the Currency
  • National Credit Union Association
SLIDE 16

November 9, 2015 Potential New NYDFS Cyber Security Regulation Requirements

NY Department of Financial Services

  • Required Policies and Procedures (e.g., data governance/classification, identity access management, incident response)
  • Third Party Service Provider Management (e.g., multi-factor authentication, encryption, notification for cybersecurity incidents, indemnification, security audits, reps/warranties re InfoSec)
  • Chief Information Security Officer
  • Cybersecurity personnel and intelligence
  • Annual penetration testing and quarterly vulnerability assessments
  • Audit trails for privileged user access, protection of logs, etc.
  • Notification to NYDFS if reasonably likely to materially affect operations or triggers NY state notice, board notification, NPHI or “private information”

SLIDE 17

Other Regulatory Guidance on Cybersecurity

Overview of Key Elements from SEC/FINRA:*

Identification of Risks & Cybersecurity Governance

  • Documented information security policy
  • Establish cybersecurity roles and responsibilities
  • Periodic assessment of cybersecurity risks
  • Periodic assessment of physical security risks
  • Network mapping and inventory of technology resources
  • Cybersecurity insurance
  • Incorporate cybersecurity into BCP plan

Protection of Firm Network and Information

  • Employee training and written guidance
  • User access controls
  • Use of encryption
  • Change management procedures – test environment
  • Documented incident response plan
  • Audits of security policies

Risks Associated with Vendors and other Third Parties

  • Cybersecurity assessment of vendors and third parties
  • Details of cybersecurity risk in third party contracts
  • Network segregation of third party access
  • Logging and control of third party access

Detection of Unauthorized Activity

  • Create baseline of network traffic and events
  • Event aggregation and correlation
  • Detection of events/intrusions, malicious code, unauthorized users and devices
  • Penetration testing and vulnerability scanning
  • Data loss prevention

*SEC National Exam Program Alert, Vol. IV, Issue 4, “Cybersecurity Examination Sweep Summary” (Feb. 3, 2015); FINRA, “Report on Cybersecurity Practices” (Feb. 2015)

SLIDE 18

Vendor Management

Vendors can be the “weak link” (Target HVAC) – public entities rely on hundreds or even thousands of vendors for core operations/services

Proactive Risk Mitigation

    » Pre-contract due diligence, calibrated to sensitivity level of data to be handled by vendor – e.g., vendor MUST have an IR Plan
    » Contractual terms with appropriate risk shifting / allocation – e.g., will you require vendor to carry cyber insurance?
    » Absolute clarity on definition of “breach” and mutual reporting and cost obligations in breach event
    » Audit rights, ability to exercise such rights (e.g., questionnaires)
    » Ongoing due diligence and willingness (ability) to terminate

SLIDE 19

Employee and Customer/Client Training

Employee training is key

  • Tailor to meet staff needs
  • Interactive training with participation
  • Index to past experiences and threat intelligence
  • Lather, rinse, repeat

Customer training emphasis (SEC)

  • 65% of broker-dealers provide customers with information on reducing cybersecurity risks
  • 19% of advisers provide steps that can reduce cybersecurity risks

SLIDE 20

Recent Enforcement

R.T. Jones, Investment Advisor (Sept. 22, 2015)

  • Rule 30(a) of Regulation S-P (“Safeguards Rule”) – written policies and procedures reasonably designed to: (1) insure security/confidentiality of customer records/info, (2) protect against anticipated threats or hazards to the security/integrity of customer records/info, (3) protect against unauthorized access to or use of customer records and information
  • Client PII (100,000 individuals) on 3rd party-hosted server; hacker gained full access/copy rights; no harm established
  • No reasonably designed safeguards: no risk assessments, encryption, firewalls, or incident response procedures
  • Censured + $75,000 civil penalty + remedial efforts

SLIDE 21

Recent Enforcement

Sterne Agee, Investment Advisor (May 22, 2015)

  • Rule 30(a) of Regulation S-P (“Safeguards Rule”); NASD Conduct Rule 3010; FINRA Rule 2010
  • Client PII (+350,000 individuals) on unencrypted laptop left in a restroom and lost: account numbers, names, addresses, tax identification numbers; no harm established
  • Sterne’s written supervisory procedures (WSPs) not reasonably designed to safeguard; WSPs provided for many security measures, but not laptop encryption
  • Paper trail dates from March 2009 through June 2014 showing repeated discussion of, but failure to implement, encryption (see FINRA Regulatory Notice 05-49)
  • Censured + $225,000 civil penalty + remedial requirements

SLIDE 22

Recent Enforcement

Dwolla, Inc., Online Payment Processor (March 2, 2016)

  • Sections 1031(a) & 1036(a)(1) of Consumer Financial Protection Act
  • Advertised 100% encryption, “bank-level hosting and security environment,” and “set[] new precedent for the industry for safety and security”
  • Failed:
    • to adopt and implement reasonable data security policies and procedures (or even comply with ones that it had adopted),
    • to conduct periodic security risk assessments, did not adequately train employees, and
    • to ensure that the software and applications it developed were secure.
  • No cybersecurity incident, data breach, or other specific consumer harm appears to have prompted CFPB’s investigation
  • $100,000 civil penalty + 5-year consent order
SLIDE 23

Civil Litigation

  • Private class actions
    » fast-and-furious: Anthem suits filed within 24 hours
    » multi-district: Target, Home Depot
    » multi-front: Schnucks Grocery vs. plaintiffs and insurers
    » standing defense in question: Neiman Marcus
  • Issuing Bank litigation in PCI/card breaches
  • Contractual enforcement
    » Payment Card Industry (PCI), credit card brand companies
    » Customer claims via contracts, privacy policies, terms of use
  • Suits against directors alleging breach of fiduciary duty

SLIDE 24

Cyber Governance

SLIDE 25

Cybersecurity Governance

Regulators say governance framework is essential:

  • To allocate adequate resources to cybersecurity and set priorities
  • To mitigate risks
  • To lay groundwork to avoid or reduce harms
  • Must be supported by intelligent, fact-based decision making
  • Use cybersecurity frameworks (e.g., NIST)
  • Bridge communication gaps between cybersecurity experts and executives
  • Assess security through common performance measurement tools

SLIDE 26

Fiduciary Duties Under State Law

  • Cyber or not, the Board’s fiduciary duties are the same:
    − Duty of care
    − Duty of loyalty (includes duty of good faith)
    − Caremark standard
    − Risk oversight function

SLIDE 27

Sample Shareholder Derivative Cases

    − Heartland Payment Systems (January 20, 2009): Malware on payment processing network, compromised potentially 100 million credit cards.
    − Target Corporation (December 15, 2013): Network breach compromised potentially 110 million credit cards.
    − Wyndham Worldwide Corporation: Three separate breaches that compromised 619,000 records, leading to FTC enforcement action for unfair and deceptive trade practices.
    − The Home Depot, Inc. (September 3, 2014): Network breach compromised potentially 56 million credit cards.

Allegations Against Directors

  • Breach of fiduciary duty of care, loyalty, and good faith (Heartland, Target, Wyndham, Home Depot)
  • Unjust enrichment (Heartland)
  • Abuse of control (Heartland)
  • Gross mismanagement (Heartland)
  • Waste of corporate assets (Heartland, Target, Wyndham, Home Depot)

SLIDE 28

Typical Post-Breach Claims Against Directors

  • Failed to implement and monitor effective cybersecurity program
  • Failed to protect company assets and business by recklessly disregarding cybersecurity risks and ignoring “red flags”
  • Failed to implement and maintain internal controls to protect customer or employee personal and financial information
  • Failed to take reasonable steps to timely notify individuals that company’s information security system was breached
  • Caused or allowed company to disseminate materially false and misleading statements to shareholders regarding incident
  • Failed to implement controls or oversee cybersecurity program, resulting in a waste of corporate assets
  • Made false or misleading cyber-risk disclosures in public filings

SLIDE 29

How to Protect Board Members

Protection Against Shareholder Claims for Breach of Duty

  • Lay a foundation to use the “business judgment” rule to shield the board from shareholder claims
  • Business judgment rule is a presumption that directors acted in good faith, with reasonable skill and prudence, and with a reasonable belief they were acting in the corporation’s best interests
  • Applies unless shareholders can show lack of business judgment or that a majority of the board was not disinterested and independent
  • Directors may rely on cyber experts to enable them to exercise proper skill and prudence (due care)
  • Directors are protected by business judgment rule unless shareholders allege (i) failure to implement a board-level oversight and reporting system, or (ii) directors substantially disregarded cybersecurity reports and red flags
  • Directors must evaluate cybersecurity risks, with regular updates
  • Directors must implement effective continuous monitoring of systems
  • Directors must receive and consider periodic cybersecurity reporting
  • Directors must allocate adequate resources to address possible risks
  • Document all actions in board and committee packets, minutes and reports
  • Ensure cybersecurity disclosures are not false or misleading in light of the most current and evolving information, and include specific and relevant warnings of evolving risks

SLIDE 30

Protecting the Board (con’t)

Protection Against Investor/SEC Claims for False/Misleading Statements

  • Do: Make disclosures of what you do to address cybersecurity threats
    » We utilize intrusion threat detection and protection systems.
    » We conduct regular internal and external cybersecurity assessments.
  • Do not: Make statements about what threats you protect against or how your cybersecurity systems protect against threats
    » We have state-of-the-art intrusion protection systems that prevent individuals from gaining access to our proprietary network without authorization.
  • Do: Prepare risk disclosures that are specific, without disclosing key details about cybersecurity measures
    » We collect and maintain personal identifying information, such as credit card information, that is collected via point-of-sale terminals across the globe. A malware attack on any point-of-sale terminal could result in loss of customer data and confidence in our ability to protect their information because of the data breach, resulting in an adverse impact on sales.
    » We maintain valuable intellectual property on our computer networks, which, if accessed without authorization, could result in loss of revenue if that information is used to develop counterfeit information.
  • Do: Prepare more generalized risk disclosures that supplement specific disclosures

SLIDE 31

Section 102(b)(7) Charter Provisions

  • Delaware Gen. Corp. Law Sec. 102(b)(7) permits shareholders to adopt a Charter provision that precludes monetary liability on part of directors of Delaware companies for breaches of due care
  • Prevalent among Delaware corporations
  • Results in dismissal of claims seeking money damages from directors for breaches of the duty of care, including in the cybersecurity area
  • Does not protect against breaches of the duty of loyalty or result in dismissal of claims seeking injunctive or other equitable relief
  • Query: Can a failure to adopt and implement reasonable cybersecurity measures be considered a breach of loyalty/bad faith?

SLIDE 32

Best Practices for Board

  • Direct implementation of cybersecurity plan that includes:
    » Development of policies and procedures
    » Regular updating of the security plan, policies and procedures
  • Oversight of:
    » Enforcement of cybersecurity plan’s policies and procedures
    » Accountability for non-compliance; incentivize compliance
  • Monitor effectiveness of:
    » Internal Controls
    » External Controls
  • Allocate adequate resources for the identified risks and the plan for remediation

SLIDE 33

Internal and External Controls

  • Internal Controls
    » CISO (or similar) certification of compliance with cybersecurity policies and procedures
    » Internal testing and validation of compliance
    » Periodic reporting to Audit Committee
  • External Controls
    » Retain independent cybersecurity firm
    » Conduct assessment of cybersecurity program/posture
    » Use established framework for assessment and evaluation, such as National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure and/or FFIEC Tools
    » Periodic reporting to Audit Committee
  • Document Process

SLIDE 34

Key Elements of Proactive Cybersecurity Program

  • Executive CISO or equivalent function responsible for cybersecurity with regular and direct reporting to Board (Audit/Risk) Committee
  • Inventory of data and network assets subject to attack (e.g., data map or network map)
  • Regular enterprise-wide cybersecurity assessments, properly scoped and managed (not just “pen tests” or routine vulnerability scans, but more holistic)
  • Participation in threat intelligence sharing forums to develop understanding of threat landscape (e.g., FS-ISAC)
  • Certification to ISO/IEC standards, such as ISO/IEC 27001:2013
  • Encryption of sensitive data in-transit and at-rest, as appropriate . . . as the bare minimum of protective controls

SLIDE 35

Key Elements (cont’d)

  • Inclusion of cybersecurity-related provisions and audit rights in vendor and business partner contracts, with program for auditing compliance
  • Development of security breach incident response plan (IRP); periodically tabletop, refine, update
  • Implementation of training programs for employees and security team on cybersecurity awareness and response
  • Retention of experts and consultants to provide technical services for purpose of providing legal advice regarding risk
  • Procurement of cyber insurance to cover costs of forensic analysis, legal services, public relations, credit monitoring, litigation defense, etc.

SLIDE 36

SLIDE 37

DISCUSSION

SLIDE 38

Aravind Swaminathan

  • Aravind Swaminathan is a global co-chair of the firm's Cybersecurity & Data Privacy team, which is nationally ranked by The Legal 500 for "high-level practical experience and understanding of the law.”
  • Aravind is an accomplished trial lawyer and former federal prosecutor in the complex crimes unit. He has extensive experience in cybersecurity and data breaches, government and internal investigations, and privacy-related matters. Aravind advises clients in proactive assessment and management of internal and external cybersecurity risks, breach incident response planning, and corporate governance related to cybersecurity.
  • Aravind has directed dozens of internal data breach investigations and incident response efforts, including incidents with national security implications. He also represents companies and organizations facing cybersecurity and privacy-oriented class action litigation. Aravind is a sought-after speaker on cybersecurity issues, including threat landscapes, mitigation strategies, incident response plans, and threat management in mobile device ecosystems.

Orrick, Herrington & Sutcliffe LLP
701 Fifth Avenue, Suite 5600, Seattle, WA 98104
(206) 839-4340
aswaminathan@orrick.com

SLIDE 39

Jason Halper

  • Jason Halper is the co-chair of the Financial Institutions Litigation Practice. Jason is a seasoned litigator and trial lawyer with more than two decades of experience representing financial institutions, Fortune 500 companies and other clients in high-stakes litigation and regulatory matters. He is a member of the Trial Bar of the Northern District of Illinois and has tried cases to jury verdict or decision in federal and state courts, regulatory tribunals and arbitrations.
  • Jason represents public and private companies, underwriters, lenders, professional firms, corporate directors and other individuals in a variety of industries in securities, derivative, ERISA and RICO class actions, SEC and stock exchange investigations and arbitrations, internal investigations, suits claiming breaches of fiduciary duty, insider trading or other misconduct by corporate directors, substantial contract disputes, bankruptcy-related proceedings, and litigation arising from M&A or other transactions involving changes in or contests for corporate control in Delaware Chancery Court and elsewhere.
  • Jason is also an adjunct professor in corporate and securities law at the University of Pennsylvania Law School, and a frequent speaker and author.

Orrick, Herrington & Sutcliffe LLP
51 West 52nd Street, New York, New York 10019
(212) 506-5133
jhalper@orrick.com