Executive Responsibility (PowerPoint PPT Presentation)



SLIDE 1

Executive Responsibility

Confidential

SLIDE 2

Executive Responsibility

  • C-Suite Input, Responsibility and Policy Development
  • Duty of Care
  • Implementation of Policy
  • Foreseeable and Reasonable Mitigation
  • Cyber Threat + Its Impact
SLIDE 3

C-Suite Input, Responsibility and Policy Development

  • The Board sets the "tone at the top."
  • Boards have a general obligation to protect corporate assets, including confidential and proprietary information, reputation and goodwill.
  • Directors are not expected to be involved in the day-to-day business activities of the company, and they are not expected to be security experts. They can generally rely upon management’s reports and the advice of outside experts.

SLIDE 4

Duty of Care

  • Directors and Executives of a company have a fiduciary duty to their shareholders to use due care in the exercise of their management responsibilities.
  • Failure to properly monitor and manage business risks can be considered a breach of a director's fiduciary duty and could have serious legal consequences for the directors and the company.

SLIDE 5

Implementation of Policy

  • How a company responds to a threat is critical since it can have significant implications, particularly on the company’s reputation.
  • It is important for a company to have the appropriate policies and guidelines in place in case it should come under a security threat.
  • The company should establish security policies that:
    – Are appropriate to the purpose of the organization;
    – Include security objectives or provide the framework for setting security objectives;
    – Include a commitment to satisfy applicable requirements related to security; and
    – Include a commitment to continual improvement of the organization's security.

SLIDE 6

Foreseeable Risks and Reasonable Mitigation

  • No matter the size and complexity of the organization, there is no question as to whether the company will come under a threat.
  • The only real questions are:
    – Whether the organization can accurately identify what those threats are likely to be; and
    – Whether the organization will be able to anticipate when and where it will face these threats.
  • To best mitigate the foreseeable risks, organizations need to:
    – Establish priorities on protecting information and information resources.
    – Set performance expectations.
    – Implement an incident response plan.
    – Choose an appropriate insurance plan.

SLIDE 7

Insurance

  • Align
  • Benchmark

SLIDE 8

Managing Risk Requires Strategic and Technological Solutions

  • Solutions include Executive Cybersecurity Risk Profile, Legal Review, and Board Level Recommendations.
  • Nine issues for senior executives:
    – Role of CEO and senior management
    – Direction by legal counsel: attorney/client privilege
    – SEC disclosure, public policy concerns, and standards development
    – Enterprise-wide risk management strategy and governance framework
    – Executive and employee training and awareness
    – Crisis management and communications
    – Application of insurance coverage to cyber events
    – Technology solutions for mitigating cyber risk on corporate and control networks
    – Mitigating material risk through Cybersecurity by Design: procurement and acquisition; secure development processes; culture

SLIDE 9

Cyber Risk for Any Organization

Corporate Systems:
  • Exposure of Intellectual Property, R&D, Trade Secrets
  • Theft of bid data, M&A strategy, financial documents
  • Loss of productivity
  • Loss of personally identifiable information (medical, identity)

Industrial Control Systems:
  • Physical damage
  • Loss of productivity
  • Operational disruption
  • Compromise of sensitive information

Consequences:
  • Losses of Market and Financial Value
  • Loss of Competitiveness
  • Damage to Facilities, Reputation
  • Exposure to Regulation, Investigation, Litigation

SLIDE 10

Cost of a Data Breach

SLIDE 11

Cost of a Data Breach

SLIDE 12
SLIDE 13

Possible Litigation

  • FTC v. Wyndham Worldwide
    – The FTC filed a complaint against Wyndham for three data breaches in 2008 and 2009 that led to more than $10.6 million in fraudulent charges.
    – The FTC's suit alleged that Wyndham engaged in unfair and deceptive trade practices by failing to maintain reasonable and appropriate data security for consumers' sensitive personal information and that its privacy policy informing consumers that Wyndham used “commercially reasonable efforts” to safeguard identifiable information was deceptive.

SLIDE 14

Four Forms of Cyber Attacks

  • Crime: Unauthorized computer penetration for immediate financial gain through fraud or blackmail
  • Hacktivism: Use of cyber attacks as a form of politically or ideologically motivated protest
  • Espionage: Unauthorized computer penetration to acquire sensitive or valuable information to gain competitive advantage
  • War: Use of cyber attacks to cause damage through severe disruption or damage of computer controlled systems

Crime | Hacktivism | Espionage | War

SLIDE 15

Hacktivism: The Basics

  • Similar to cybercrime in impact and tactics, but not financially motivated
  • Not a new phenomenon, but increasing in significance
  • Less predictable adversaries with an ever-expanding target set
  • Impacts have ranged from simple website defacement to long-term operational disruptions to total destruction of corporate reputation

Less Predictable Threat Creates Need for Constant Reassessment of Risk

SLIDE 16

Cyber Espionage: The Basics

  • Targets and Goals:
    – Intellectual Property, Research and Development data
    – Financial, transactional, bid data, M&A
  • Most victims entirely unaware of attacks
  • Recent Victims:
    – RSA/EMC, Lockheed Martin
    – Google, Adobe, Intel
    – BP, Exxon, Royal Dutch Shell, Marathon Oil, Baker Hughes
    – Law firms and other custodians of sensitive data

SLIDE 17

Cyber Espionage: Impact

  • Conducted by national intelligence services and organized crime, often for the benefit of private industry
  • Most major US and European corporations have been successfully penetrated
  • MI-5 Chief to top 300 British firms: “You have been successfully penetrated by China.”
  • US Secret Service/Verizon: 92% of firms penetrated were unaware of compromise

SLIDE 18

Cyber War: The Basics

  • Targets and Goals:
    – Military and civilian infrastructure targets
    – Disruption of critical infrastructure, communications
    – Degrading national security capabilities
  • Corporate targets may be attacked as part of a larger conflict
  • Cases:
    – Stuxnet, 2010
    – Georgia, 2008
    – Syria, 2007
    – Estonia, 2007?

SLIDE 19

Cyber War: Impact

  • Cyber war can be conducted by militaries, national intelligence services, and state-sponsored proxy groups
  • Attribution and determining retaliatory authority can be difficult
  • At least two dozen countries possess explicit cyber warfare capabilities
  • Countries have deployed “logic bombs” and malware in preparation for potential future conflict

“The technological capability to paralyze [the U.S.] is there now.” – Leon Panetta, Secretary of Defense