Executive Responsibility Confidential 1 Executive Responsibility - PowerPoint PPT Presentation

Executive Responsibility Confidential 1

Executive Responsibility • C-Suite Input, Responsibility and Policy Development • Duty of Care • Implementation of Policy • Foreseeable and Reasonable Mitigation • Cyber Threat + Its Impact Confidential 2

C-Suite Input, Responsibility and Policy Development • The Board sets the "tone at the top." • Boards have a general obligation to protect corporate assets, including confidential and proprietary information, reputation and goodwill. • Directors are not expected to be involved in the day-to-day business activities of company, and they are not expected to be security experts. They can generally rely upon management’s reports and the advice of outside experts. Confidential 3

Duty of Care • Directors and Executives of a company have a fiduciary duty to their shareholders to use due care in the exercise of their management responsibilities. • Failure to properly monitor and manage business risks can be considered a breach of a director's fiduciary duty and could have serious legal consequences on the directors and the company. Confidential 4

Implementation of Policy • How a company responds to a threat is critical since it can have significant implications, particularly on the company’s reputation. • It is important for a company to have the appropriate policies and guidelines in place in case a it should come under a security threat. • The company should establish security policies that: • Are appropriate to the purpose of the organization; • Include security objectives or provide the framework for setting security objectives; • Include a commitment to satisfy applicable requirements related to security; and • Include a commitment to continual improvement of the organization's security. Confidential 5

Foreseeable Risks and Reasonable Mitigation • No matter the size and complexity of the organization, there is no question as to if the company will come under a threat. • The only real questions are • Whether the organization can accurately identify what those threats are likely to be; and • Whether the organization will be able to anticipate when and where it will face these threats. • To best mitigate the foreseeable risks, organizations need to: • Establish priorities on protecting information and information resources. • Set performance expectations. • Implement an incident response plan. • Choose an appropriate insurance plan. Confidential 6

Insurance • Align • Benchmark 7 Confidential

Managing Risk Requires Strategic and Technological Solutions • Solutions include Executive Cybersecurity Risk Profile, Legal Review, and Board Level Recommendations. • Nine issues for senior executives: • Role of CEO and senior management • Direction by legal counsel: attorney/client privilege • SEC disclosure, public policy concerns, and standards development • Enterprise wide risk management strategy and governance framework • Executive and employee training and awareness • Crisis Management and communications • Application of insurance coverage to cyber events • Technology solutions for mitigating cyber risk on corporate and control networks • Mitigating material risk through Cybersecurity by Design: procurement and acquisition; secure development processes; culture Confidential 8

Cyber Risk for the Any Organization • Exposure of Intellectual Property, R&D, Trade Secrets Consequences: Corporate • Theft of bid data, M&A • Losses of Market strategy, financial documents Systems • Loss of productivity and Financial Value • Loss of personal identifiable information (medical, identity) • Loss of Competitiveness • Damage to Facilities, Reputation Industrial • Physical damage • Exposure to • Loss of productivity Regulation, Control • Operational disruption Investigation, • Systems Litigation Compromise of sensitive information Confidential 9

Cost of a Data Breach 10 Confidential 1 0

Cost of a Data Breach 11 11 Confidential

Possible Litigation • FTC v. Wyndham Worldwide • The FTC filed a complaint against Wyndham for three data breaches in 2008 and 2009 that led to more than $10.6 million in fraudulent charges. • The FTC's suit alleged that Wyndham engaged in unfair and deceptive trade practices by failing to maintain reasonable and appropriate data security for consumers' sensitive personal information and that its privacy policy informing consumers that Wyndham used “commercially reasonable efforts” to safeguard identifiable information was deceptive. 13

Four Forms of Cyber Attacks Crime Hacktivism Espionage War Crime Espionage Unauthorized computer penetration for Unauthorized computer penetration to immediate financial gain through fraud or acquire sensitive or valuable information to blackmail gain competitive advantage War Hacktivism Use of cyber attacks to cause damage Use of cyber attacks as a form of politically through severe disruption or damage of or ideologically motivated protest computer controlled systems Confidential 14 14

Hacktivism: The Basics Crime Hacktivism Espionage War  Similar to cybercrime in impact and • Less predictable adversaries with an ever-expanding target set tactics, but not financially motivated • Impacts have ranged from simple • Not a new phenomenon, but website defacement to long-term increasing in significance operational disruptions to total destruction of corporate reputation Less Predictable Threat Creates Need for Constant Reassessment of Risk Confidential 15 15

Cyber Espionage: The Basics Crime Hacktivism Espionage War  Targets and Goals: – RSA/EMC, Lockheed Martin – Intellectual Property, Research and – Google, Adobe, Intel Development data – BP, Exxon, Royal Dutch Shell, – Financial, transactional, bid data, M&A Marathon Oil, Baker Hughes – Law firms and other custodians of  Most victims entirely unaware of sensitive data attacks  Recent Victims: Confidential 16 16

Cyber Espionage: Impact Crime Hacktivism Espionage War  Conducted  MI-5 Chief to top 300 British firms: “You by national intelligence services, organized crime, often for the have been successfully penetrated by China. ” benefit of private industry  Most  US major US and European Secret Service/Verizon: 92% of corporations have been successfully firms penetrated were unaware of penetrated compromise Confidential 17 17

Cyber War: The Basics Crime Hacktivism Espionage War  Targets and Goals:  Cases: – Military and civilian infrastructure – Stuxnet, 2010 targets – Georgia, 2008 – Disruption of critical infrastructure, – Syria, 2007 communications – Estonia, 2007? – Degrading national security capabilities  Corporate targets may be attacked as part of a larger conflict Confidential 18 18

Cyber War: Impact Crime Hacktivism Espionage War  Cyber war can be conducted by  At least two dozen countries possess militaries, national intelligence services, explicit cyber warfare capabilities and state-sponsored proxy groups  Countries have deployed “logic bombs”  Attribution and determining retaliatory and malware in preparation for potential authority can be difficult future conflict “The technological capability to paralyze [the U.S.] is there now.” Leon Panetta, Secretary of Defense Confidential 19 19