Panelists: Anna Catalano Independent Director Lauren Neiswender - - PowerPoint PPT Presentation



SLIDE 1

What Directors (and Corporate Secretaries) Need to Know

Panelists:

  • Anna Catalano – Independent Director
  • Lauren Neiswender – General Counsel, Blue Nile
  • Andy Roth – Partner, Dentons

Moderator: Byron Loflin, CEO, Center for Board Excellence

SLIDE 2

Panel Biographies

Anna Catalano – manages an active board portfolio, serving on the Boards of Directors of Mead Johnson Nutrition, Willis Towers Watson, Kraton Performance Polymers, and Chemtura Corporation, and as an Advisory Board member of Edelman Berland. She is a certified Board Leadership Fellow of the National Association of Corporate Directors and an advisor to the NACD Texas/Tri-Cities Chapter. In the not-for-profit sector, she is a member of the National Board of Directors of the Alzheimer’s Association and of the Houston Grand Opera, and an honorary co-founder of the Kellogg Innovation Network at Northwestern University.

Lauren Neiswender – As General Counsel, Lauren handles all legal matters for Blue Nile and counsels the Board of Directors and employees on topics such as intellectual property, human resources, tax, marketing, privacy, and more. In her own words, “I love working with the various groups that make up Blue Nile and advising on the efforts that are revolutionizing the way consumers shop for diamonds and fine jewelry.” When not advising, Lauren takes advantage of all the Pacific Northwest has to offer with her husband and two children.

Andy Roth – is a Partner and Chair of Dentons' Global Privacy and Cybersecurity Group. Andy helps clients proactively manage risk by implementing strong policies and controls. He also specializes in incident response and crisis management, including high-profile data breaches involving investigations by government agencies, and helps clients leverage data responsibly to drive insight and innovation; recent work includes advising on digital marketing, cross-border data transfers, employee privacy, and third-party vendor management. Prior to Dentons, Andy was Chief Privacy Officer of American Express, which was ranked “The #1 Most Trusted Company for Privacy” five years in a row under his leadership.

Byron Loflin – is CEO of the Center for Board Excellence (CBE) and chief architect of its unique evaluation platform. Prior to CBE, Byron was CEO at Select Homes, Inc. from 1998 to 2009, an investment manager at AIG-VALIC from 1989 to 1998, and worked in the U.S. Congress in 1983-84. Byron is currently Corporate Secretary and a Board member at Greensboro Downtown Parks Inc. and has held board positions at Arkosian Software, Select Homes, Inc., Greensboro Soccer Club, and Guilford County-wide PTA. Byron is a graduate of James Madison University and Harvard Business School.

SLIDE 3

Topics:

  • How does the Cybersecurity Act of 2015 affect your company?
  • What should be reported to the board, when and by whom?
  • Does the board need members with specific tech and cyber expertise?
  • Should the board have a committee focused on IT and cyber security?
  • Is your board prepared for a cyber incident?

SLIDE 4

Cybersecurity Act of 2015

Section 104 of S.754 (the Cybersecurity Information Sharing Act, enacted as Title I of the Cybersecurity Act of 2015) is titled “Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats.” The Act specifically permits network operators to take three kinds of steps “for cybersecurity purposes”:

  1. Network operators can monitor their information systems;
  2. They can operate defensive measures;
  3. They can share cyber threat indicators and defensive measures with others.

The first two of these powers can be outsourced, too: with “written consent,” a network operator can allow another entity to monitor its network and operate defensive measures on its behalf.

How does the Act affect your company?

SLIDE 5

What should be reported to the board, when and by whom?

  • Do we have the right aptitude and education to address our IT security oversight needs?
  • Who should report to the board on cybersecurity?
  • When should the board be alerted?
  • How should the board be engaged in the company’s Crisis Management Plan?
  • How often should the board discuss and be updated?

SLIDE 6

Cybersecurity Concerns

  • Board & C-Suite conversations should include:
    – Process – how are decisions made?
    – Decision-making authority – who owns it?
    – Access points – what are all the access points into the company?
    – Review of external suppliers and outsourcers – whose systems are you dependent on? Who holds the keys to the kingdom?
  • B2B companies are not taking cyber seriously enough, due to the predominant public focus on loss of customer/consumer data
  • Infrastructure and manufacturing systems integrity are risks that many companies are not considering
  • General lack of digital-world and social media knowledge among most board members

SLIDE 7

Does the board need members with specific tech and cyber expertise?

  • Where should governance of cyber security responsibility reside on the board?
    – Audit committee?
    – Risk committee?
    – Full board?
  • What level of technology expertise is expected or required of a board member today?
  • Should the board have a committee focused on IT and cyber security?

SLIDE 8

Is your board prepared for a cyber incident?

Prevention – Controls:
  1. Governance oversight
  2. Risk assessment
  3. Vendor management

Response – Incident:
  1. Identify stakeholders
  2. Who makes what decisions
  3. Engage outside resources early
  4. Diligent progress and resolution

SLIDE 9

Resources

The Society’s page, “CYBERSECURITY/DATA PRIVACY”, is a wealth of information:

  • http://www.governanceprofessionals.org/currenttopiclandingpages/cybersecurity

“How does the Cybersecurity Act of 2015 change the Internet surveillance laws?” by Orin Kerr:

  • https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/12/24/how-does-the-cybersecurity-act-of-2015-change-the-internet-surveillance-laws/

A good resource for breach facts and other pertinent information:

  • https://blackopspartners.com/the-top-12-security-breach-facts-every-c-level-exec-and-board-member-must-know/

Sidley: “Board Oversight of Cybersecurity Risks”:

  • http://www.sidley.com/~/media/files/newsinsights/publications/2014/03/board-oversight-of-cybersecurity-risks/files/view-article/fileattachment/board-oversight-of-cybersecurity-risks--march-2014.pdf

“CYBERSECURITY: WHAT THE BOARD OF DIRECTORS NEEDS TO ASK”, IIARF Research Report:

  • https://www.theiia.org/bookstore/downloads/freetoall/5036.dl_GRC%20Cyber%20Security%20Research%20Report.pdf

“Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom” (KPMG):

  • https://www.kpmg.com/BM/en/IssuesAndInsights/ArticlesPublications/Documents/Advisory/2015Documents/Cyber-Security-and-Board-Oversight.pdf

“Cyber Security: Five Leadership Issues Worthy of Board and Executive Attention” (Russell Reynolds):

  • http://www.russellreynolds.com/insights/thought-leadership/Documents/Cyber%20Security%20-%20Five%20Leadership%20Issues%20Worthy%20of%20Board%20and%20Executive%20Attention.pdf

CBE: “12 Cyber Security Questions Every Board Should Ask”:

  • http://info.boardevaluations.com/12-cyber-security-questions

DENTONS: “Are You Doing Enough to Prevent Cyber Attacks?”

  • http://www.dentons.com/en/insights/alerts/2013/june/17/are-you-doing-enough-to-prevent-cyber-attacks

SLIDE 10

Additional support information

SLIDE 11

Internet traffic by search volume (chart): Surface web < 6%; Peer-to-peer < 60%; Deep web < 30%

SLIDE 12

Director Cybersecurity Checklist

  • Perform an annual board legal vulnerability assessment by a leading specialized cyber law firm.
  • Perform biannual data breach exercises with the entire C-level.
  • Perform annual board cyber vulnerability assessments facilitated by a leading specialized cyber firm.
  • Perform a company-wide transformation to data-centric security with emphasis on insider threat.
  • Require cybersecurity updates at each board meeting, separately, by the CIO, CISO and Risk executive.
  • Place a cybersecurity director on the board, or have a leading unbiased firm act as an advisor to the board.

Source: BLACKOPS Partners Corporation

SLIDE 13

Do’s and don’ts of the internet

  • Do verify the email address of the sender (the actual address, not just the display name).
  • Learn to right-click (or hover over) a link and verify where it really points before opening it.
  • Don’t click on a link that you did not expect to receive.
  • If you have a “wipe my phone” (remote wipe) option, do turn it on.
  • When in doubt, call the email originator.
  • Use a password that is considered highly secure. It should be random, at least 8 characters, and not of importance to you (treat 8 as a floor; a longer random password kept in a password manager is stronger).
  • Don’t share your password.
  • Do use different passwords on different sites.
  • Do set the lock feature on your phone and tablet.
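The first two “do’s” above (verify the sender’s real address, verify where a link really points before clicking) can be checked mechanically. The script below is an added example, not material from the panel deck or from any of the panelists’ organisations: it parses a raw email message with the Python standard library, compares the From, Reply-To and Return-Path domains, and flags HTML links whose visible text is a URL on a different host than the href actually targets (the classic lure of showing a trusted address while linking elsewhere). The message and all domain names in it are constructed for the example; real hostile mail may omit or forge any of these headers, so a clean result is not proof of legitimacy.

```python
"""Sender and link verification for a raw RFC 5322 message (standard library only)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example: the display name and From address
# look legitimate, but Reply-To and Return-Path go elsewhere, and the first link
# shows one URL as its text while pointing at a different host.
SAMPLE_MESSAGE = b"""\
From: "Acme Support" <support@acme.example>
Reply-To: support@acme-verify.example
Return-Path: <bounce@mailer.example>
To: director@company.example
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://login.acme-verify.example/reset">https://www.acme.example/account</a></p>
<p>Or visit <a href="https://www.acme.example/help">our help page</a>.</p>
</body></html>
"""


def domain_of(header_value):
    """Lowercase domain of the first address in a header value, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg):
    """Flag Reply-To or Return-Path domains that differ from the From domain."""
    findings = []
    from_dom = domain_of(msg["From"])
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom!r} differs from From domain {from_dom!r}")
    return findings


def check_links(html):
    """Flag anchors whose visible text is a URL for a different host than the href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown.lower() != target:
            findings.append(f"link text shows {shown.lower()!r} but points to {target!r}")
    return findings


def analyze(raw_bytes):
    """Run both checks on a raw message and return the list of findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return check_sender(msg) + check_links(html)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

Run against the constructed message it reports three findings: the Reply-To and Return-Path mismatches and the link whose text shows www.acme.example while its href goes to login.acme-verify.example. A mismatched Return-Path is common for legitimate bulk mailers, so treat that finding as a prompt to look closer rather than as a verdict.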
SLIDE 14

Recent Cyber Attacks

September 2015

  • Excellus BlueCross BlueShield – Hackers breached BCBS systems to gain access to over 10M customer records.
  • Trump Hotel Collection – 7 Trump hotels in the US and Canada suffered a breach via malware collecting customer information.
  • WhatsApp – 200,000 users are at risk or have been compromised via malicious code collecting their information.

October 2015

  • Experian – Hacker attack took names, addresses, and Social Security numbers of over 15M people.
  • Scottrade – 4.6M users’ personal information targeted in 2013-14.
  • Bugat/Dridex botnet – $10M in losses due to financial information being stolen from users.

January 2016

  • New West Health Services – 28,209 people affected
  • Blue Shield of California – 20,764 people affected
  • SNHU – 140,000 student records affected
  • Centene – 950,000 patient records breached

February 2016

  • University of Central Florida – 63,000 students affected
  • IRS – 101,000 taxpayers’ information reported breached via malware by hackers

March 2016

  • 21st Century Oncology – 2.2M patients’ information accessed by hackers via a patient database breach.