Skadden, Arps, Slate, Meagher & Flom LLP – Cyberattacks 2014: How to Prepare Today and Respond Tomorrow
GOOD. SMART. BUSINESS. PROFIT.™

Corporate Cyber Attacks: Managing Risk to Avoid Reputation Harm



CORPORATE CYBERATTACKS: MANAGING RISK TO AVOID REPUTATIONAL HARM

September 18, 2014


HOST
Chelsie Chmela, Events, [email protected]

QUESTIONS
We encourage you to engage during the Q&A portion of today’s webcast by using the “Submit Question” button located within your West LegalEdcenter experience or the Chat Box in ReadyTalk.

MATERIALS
Included in your registration:
• Event recording and deck: West LegalEdcenter provides on-demand event access for 180 days or until the end of your subscription, if sooner. Ethisphere will provide the recording and presentation deck following the live event to ReadyTalk attendees.


SPEAKING TODAY

Stuart Levi, Partner, Skadden, Arps, Slate, Meagher & Flom LLP & Affiliates

Devon Kerr, Senior Consultant, Mandiant


Privacy and Cybersecurity 2014: The Current State of Affairs

Presented by Stuart Levi

Offices: Beijing, Boston, Brussels, Chicago, Frankfurt, Hong Kong, Houston, London, Los Angeles, Moscow, Munich, New York, Palo Alto, Paris, São Paulo, Shanghai, Singapore, Sydney, Tokyo, Toronto, Washington, D.C., Wilmington


PRIVACY V. CYBERSECURITY

Privacy
• Privacy policy compliance
• Big data mining
• Privacy regulations
• Internet of things
• Do not track
• Location data
• Global enforcement


PRIVACY V. CYBERSECURITY

Cybersecurity
• Data breaches
• Non-data cyber theft
• Denial of service attacks
• Compliance with security policies
• NIST guidelines


PRIVACY V. CYBERSECURITY

Government Spying
• Snowden revelations
• Access to records through public companies
• Government monitoring
• Global implications


PRIVACY V. CYBERSECURITY

Diagram (privacy and cybersecurity): Government spying; Data breaches; Increased demands for privacy regulation


THE REALITY COMPANIES FACE TODAY

• Data breaches and cyberattacks are increasingly common.

• More companies are considered “targets of choice.”

• A large segment of the security community has adopted an “assume you’ve been breached” mentality.

• Attacks are from:

− Hackers looking to profit

− State-sponsored organizations

− Hackers looking to wreak havoc


THE REALITY COMPANIES FACE TODAY

• Attacks are not limited to personal information:

− Theft of intellectual property

− Theft of business information

− Denial of service attacks

• No industry is immune from attack.

• Rapid detection has become as important as threat prevention.

− Each day the threat is not detected, the level of damage and harm increases.

• Locating the source of the harm is becoming more difficult.


THE REALITY COMPANIES FACE TODAY

• Informative statistics from the Verizon 2013 Data Breach Investigations Report:

− 78% of intrusions were rated as “low difficulty”

− 69% discovered by external parties

− 66% took multiple months to discover

− 75% are considered opportunistic attacks

− 80% involved authentication-based attacks

• Each statistic presents a potential liability risk.


KEY LEGAL THREATS TODAY

• FTC enforcement activity

− “Misleading” consumers by “promising” industry-standard or robust security

− Inadequate security protection

• Shareholder litigation

− For any cybersecurity loss (not just data breaches)

» Denial of service

» Loss of intellectual property or confidential information

• Data breach class actions


THE RESPONSE CLOCK HAS ACCELERATED

HISTORICAL PRACTICE

Companies often delayed notice until full forensic analysis was done
» Provided time to formulate a response and manage PR, communications and legal
» Companies often hopeful that forensics analysis would reveal notice was not required
» Sometimes delay was required by law enforcement, but this was the exception


THE RESPONSE CLOCK HAS ACCELERATED

• Today, companies face a new and pressing reality:

− Privacy advocates/activists

» Learning of breaches and threatening to go public if the company does not disclose

» Generally unsympathetic to pleas that the company needs more time to formulate its response

− Insurance plans may require prompt notice


DATA SECURITY CLASS ACTIONS ARE ON THE RISE

• Plaintiffs’ lawyers are looking to cash in on the increase in data security breaches at retailers, banks and other institutions.

• Their tool of choice: large-scale class actions based around theories of alleged damage to consumers’ privacy.

• While relatively few cases have been filed so far, the number will undoubtedly grow.


THE FTC AND PLAINTIFF LAWYERS NEED A HOOK

• The company failed to install or implement adequate security protections.

− Were there internal or consultant recommendations that were ignored?

• The company “misled” customers about the level of its security.

• The company’s procedures or policies were lacking or not followed.

− Security policies

− Vendor policies

• C-suite and/or board was not adequately kept apprised of security procedures.

• The company took too long to provide notice of a data breach or to respond to an attack.


KEY TAKEAWAY

The goal of every company today should be to eliminate as many of these hooks as possible.


STEPS EVERY COMPANY SHOULD BE TAKING TODAY

• Privacy audit and implementation

• Risk assessment

• Establish a rapid response team

• Testing

• Privacy by design

• Evaluate insurance coverage


PRIVACY AUDITS

• Typically performed by a law firm and/or external consultant

− External advisers see issues that are hidden to companies

» View each issue from a “what if” lawsuit perspective

− A “good fact” in the event of litigation

− External advisers have the benefit of seeing best practices at other companies

− Provides regulators with comfort


PRIVACY AUDITS

• Key Steps:

− Where is data coming into the company?

− How is data used and what controls are in place?

− How are security decisions made and implemented?

− Do internal and external privacy policies align with actual practice?

» Very often they do not

− What is the company saying about its security practices?

− What is the company disclosing in its public filings?

− How are company executives and board members kept informed?

− How mature is the privacy program?

− What sort of training/retraining is provided?

• Critical Step: Need to act on audit recommendations


RISK ASSESSMENT

• What types of personal information could be compromised?

• Is there a risk of confidential information being compromised?

• What is the potential for lost business?

• Is there a potential for regulatory scrutiny?

• Is there a potential for fines and penalties?

• What is the potential for damage to reputation/loss of trust/media publicity?


ESTABLISHING A RAPID RESPONSE TEAM

• Critical in a world where you may lose control of the response timing

• Key stakeholders will bring unique and important perspectives

− IT, legal, security, PR/communications, HR, risk management, corporate management, government relations

• Scrambling to figure out the team once an incident occurs is inefficient and dramatically increases the risk of a misstep

• Create a playbook of how incidents will be handled

• Understand the data breach notification requirements

• Understand SEC disclosure obligations


TESTING

• Critical to test your incident response plan at least semi-annually

− Consider different scenarios

• Consider creating a report of areas to improve

− But assess the risks of creating such a report

• Assess roles and responsibilities

− Did people leave?

− Was there any internal restructuring?

− Were new systems implemented?


TESTING

• Update process documents

• Review third-party vendor contacts

» PR

» Forensics

» Notification

» Legal

− Are these still the right contacts?

• Any changes to law


PRIVACY BY DESIGN

• Area of focus for the FTC

» Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services

• Now a critical area for risk mitigation

• Key ideas:

− Proactive not reactive

− Privacy embedded into the design process

− Visibility and transparency within the organization

− Privacy and security as part of the corporate culture


EVALUATE INSURANCE COVERAGE

CRITICAL AREAS OF CYBER INSURANCE

− Network security liability (third party)

− Privacy liability (third party)

− Professional liability (third party)

− Notification costs

− Regulatory defense

− Data loss/recreation

− Business interruption


Devon Kerr, Senior Consultant, Mandiant

© Copyright 2010

Introduction Slide

• Introductions
• Overview
• Building an investigation-ready environment
• During an intrusion
• Post-incident activities
• Q&A

Important note

• All information is derived from MANDIANT observations in non-classified environments
• Some information has been sanitized to protect our clients’ interests

Introductions

DEVON KERR
• Former IT operations (10+ years)
• Lead investigator and forensic analyst
• Develops internal training for Mandiant consultants
• More than 15 investigations this year

Preparing for a breach

Build an investigation-ready environment:
− Logging and monitoring
− Fundamental security controls
− Important procedures

Investigation readiness

Before the breach…
− Centralize logs and alerts into a unified dashboard
» Consolidation reduces effort and increases efficiency
» Collect logs for user logins of all kinds
» Increase the amount of logs retained
» Make sure you can actually get the logs out of the system
− Implement application whitelisting on all critical systems
» Ensures that only approved software will run
» Easiest and cheapest way to slow down an attacker
» Good for detecting attackers if you centralize these logs, too!

Investigation readiness

Before the breach… (continued)
− Know where your data is
» Intellectual property, financial data, competitive business data (sales, marketing, business logic)
» Know the role of critical systems
− Identify Internet points of presence
» Egress points for user Internet access
» VPN devices
» Direct connections to service providers and partners
» DMZs
− Patch operating system and third-party software
» Critical vulnerabilities should be patched within 2 days

Investigation readiness

Before the breach… (continued)
− Harden the environment
» Block network traffic leaving your environment that doesn’t have a known business purpose
» Strengthen systems administration by using dedicated management systems
» Identify all users with admin-level privileges and revoke those rights
» Domain administrators shouldn’t use privileged accounts for regular computer and network activities – only administration
» Implement a second factor of authentication, like a token, for remote access (VPN)
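The "block traffic without a known business purpose" item above is, in practice, an egress allowlist in which every permitted path carries a documented business reason and everything else is denied by default. The Python below is an added example, not code from the webcast or from Mandiant; the rule set, the internal address ranges, the flow line format and the sample flows are all constructed for illustration. It classifies each outbound flow as allowed (with its purpose), blocked, or internal east-west traffic that is not egress at all, and it also audits the rule set itself for rules that lack a purpose.

```python
"""Added example (not from the webcast): evaluate outbound flows against an egress
allowlist in which every permitted destination carries a documented business purpose,
so anything without one is denied. Rules, address ranges and flow lines are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed internal ranges; real deployments would load these from the IPAM.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class EgressRule:
    src_net: str        # internal hosts allowed to use this path
    dst_net: str        # destination, as an address or CIDR
    port: int           # one port per rule keeps the rule set auditable
    proto: str
    purpose: str        # the documented business reason; blank is a policy defect

    def matches(self, src: str, dst: str, port: int, proto: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)
                and port == self.port and proto == self.proto)


# Constructed allowlist: web goes out only via the proxy, mail only from the relay,
# and one partner SFTP link from the finance subnet.
EGRESS_RULES = [
    EgressRule("10.0.5.10/32", "0.0.0.0/0", 80, "tcp", "Web proxy: user browsing"),
    EgressRule("10.0.5.10/32", "0.0.0.0/0", 443, "tcp", "Web proxy: user browsing"),
    EgressRule("10.0.5.25/32", "0.0.0.0/0", 25, "tcp", "Mail relay: outbound SMTP"),
    EgressRule("10.0.20.0/24", "198.51.100.40/32", 22, "tcp", "Partner SFTP: payroll file exchange"),
]


@dataclass(frozen=True)
class Verdict:
    line: str
    decision: str            # "allow", "block" or "not-egress"
    purpose: Optional[str]   # the matching rule's documented reason, if allowed


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)


def evaluate_flow(line: str, rules=EGRESS_RULES) -> Verdict:
    """Flow line format (constructed): 'src dst port proto'."""
    src, dst, port, proto = line.split()
    port = int(port)
    if is_internal(dst):
        return Verdict(line, "not-egress", None)       # east-west traffic is out of scope here
    for r in rules:
        if r.matches(src, dst, port, proto):
            return Verdict(line, "allow", r.purpose)
    return Verdict(line, "block", None)                # no documented purpose => default deny


def audit_rules(rules=EGRESS_RULES) -> List[EgressRule]:
    """Rules without a purpose are the ones nobody can defend in a review; return them."""
    return [r for r in rules if not r.purpose.strip()]


# Constructed sample flows using documentation address ranges.
SAMPLE_FLOWS = [
    "10.0.5.10 203.0.113.50 443 tcp",      # proxy to the Internet: allowed
    "10.0.7.44 203.0.113.50 443 tcp",      # workstation bypassing the proxy: block
    "10.0.7.44 10.0.5.10 3128 tcp",        # workstation to proxy: internal, not egress
    "10.0.20.8 198.51.100.40 22 tcp",      # finance host to partner SFTP: allowed
    "10.0.7.44 203.0.113.9 9001 tcp",      # unexplained port to the Internet: block
    "10.0.5.25 203.0.113.9 25 tcp",        # mail relay: allowed
]


def blocked(flows=SAMPLE_FLOWS) -> List[str]:
    """The flows a default-deny egress policy would stop (and that merit an alert)."""
    return [v.line for v in map(evaluate_flow, flows) if v.decision == "block"]


if __name__ == "__main__":
    for v in map(evaluate_flow, SAMPLE_FLOWS):
        print(f"{v.decision:<10} {v.line}  ({v.purpose or '-'})")
```

The design choice worth noting is that the purpose string is part of the rule, not a comment beside it: a rule with no purpose fails `audit_rules`, which is the same question a regulator or plaintiff would ask of a firewall change that nobody can explain.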

During an incident

Facilitating the investigation
− Respond to requests quickly
» Identifying the function of a system
» Identifying all systems which may contain a specific type of data (PII, financial records, etc.)
» Be able to search logs on demand
Ex: search all log sources for an IP address
» Be able to share logs with investigators
Ex: provide a copy of all VPN logs
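The two requests above ("search all log sources for an IP address", "provide a copy of all VPN logs") are quick to answer only if the logs the earlier slide asked you to centralize already share one record shape. The Python below is an added example, not code from the webcast or from Mandiant; the three log formats, their field names and the sample lines are constructed stand-ins for real VPN, authentication and proxy logs. It parses each source into a common record, orders everything by UTC time, and searches every source for a single address or a CIDR range, tolerating a malformed address field and a line that matches no known format.

```python
"""Added example (not from the webcast): consolidate VPN, authentication and proxy logs
into one record shape, then answer "search all log sources for an IP address".
The log formats and sample lines are constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class LogEvent:
    ts: datetime          # normalised to UTC
    source: str           # which log the event came from
    user: Optional[str]
    src_ip: Optional[str]
    action: str
    raw: str              # original line, kept for the investigator

# Three constructed formats standing in for real VPN / auth / proxy logs.
_VPN = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<res>\w+)$")
_AUTH = re.compile(r"^(?P<ts>\S+) auth (?P<res>LOGON_OK|LOGON_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
_PROXY = re.compile(r"^(?P<ts>\S+) proxy client=(?P<ip>\S+) dst=(?P<dst>\S+) bytes=(?P<b>\d+)$")


def _parse_ts(s: str) -> datetime:
    # Accept ISO-8601 with an offset or a trailing 'Z'; store everything as UTC.
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_line(source: str, line: str) -> Optional[LogEvent]:
    """Map one raw line to a LogEvent, or None if it matches no known format."""
    line = line.strip()
    if m := _VPN.match(line):
        return LogEvent(_parse_ts(m["ts"]), source, m["user"], m["ip"], f"vpn_{m['res'].lower()}", line)
    if m := _AUTH.match(line):
        return LogEvent(_parse_ts(m["ts"]), source, m["user"], m["ip"], m["res"].lower(), line)
    if m := _PROXY.match(line):
        return LogEvent(_parse_ts(m["ts"]), source, None, m["ip"], f"proxy_to_{m['dst']}", line)
    return None


def consolidate(sources: Dict[str, List[str]]) -> List[LogEvent]:
    """Parse every line from every source into one time-ordered list."""
    events = [ev for name, lines in sources.items() for ln in lines if (ev := parse_line(name, ln))]
    return sorted(events, key=lambda e: e.ts)


def search_ip(events: Iterable[LogEvent], needle: str) -> List[LogEvent]:
    """'Search all log sources for an IP address'; accepts a single IP or a CIDR."""
    net = ipaddress.ip_network(needle, strict=False)
    out = []
    for ev in events:
        if ev.src_ip is None:
            continue
        try:
            if ipaddress.ip_address(ev.src_ip) in net:
                out.append(ev)
        except ValueError:
            continue  # malformed address field: skip it rather than abort the search
    return out


def timeline(events: Iterable[LogEvent]) -> List[str]:
    """One line per event, the shape an investigator would paste into a report."""
    return [f"{e.ts.isoformat()} {e.source} {e.action} user={e.user} ip={e.src_ip}" for e in events]


# Constructed sample data: one external address appears in VPN, then a logon, then the proxy.
SAMPLE_SOURCES = {
    "vpn": [
        "2014-09-15T01:02:03Z vpn user=jdoe src=203.0.113.7 result=OK",
        "2014-09-15T01:05:00Z vpn user=asmith src=198.51.100.23 result=FAIL",
    ],
    "auth": [
        "2014-09-14T20:10:00-05:00 auth LOGON_OK user=jdoe ip=203.0.113.7",   # local-time source
        "2014-09-15T02:00:00Z auth LOGON_FAIL user=admin ip=not-an-ip",       # malformed field
    ],
    "proxy": [
        "2014-09-15T01:30:00Z proxy client=203.0.113.7 dst=example.net bytes=4096",
        "garbage line that matches nothing",
    ],
}

if __name__ == "__main__":
    evs = consolidate(SAMPLE_SOURCES)
    for row in timeline(search_ip(evs, "203.0.113.7")):
        print(row)
```

Time-zone normalisation is the part that matters most: the auth source in the sample writes local time with an offset, and without converting it to UTC the logon would sort before the VPN connection that actually preceded it.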

During an incident

Remediating
− Work with investigators to develop a remediation plan that includes short-term tactical and longer-term strategic objectives
» Block malicious IP addresses
» Sinkhole malicious domain names
» Take infected systems offline and rebuild
» Perform an enterprise password reset
» …

Post-incident activities

When the smoke clears
− Determine notification requirements based on incident type, jurisdiction, and industry
− Develop a coordinated message for the public
» Understand that the public may include clients, regulatory bodies, and shareholders
− Conduct a lessons learned exercise
− Develop metrics
» Time from incident to detection, detection to investigation, detection to remediation, etc.
» Review metrics after each incident
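One way to put the metrics bullet into practice: the Python below is an added example (not code from the webcast or from Mandiant) that computes the three durations named above for each incident, reports the median across incidents so one long-running case does not dominate the review, and leaves detection-to-remediation empty for an incident that is still open rather than mis-reporting it. The incident records are constructed.

```python
"""Added example (not from the webcast): compute the post-incident metrics the slide
names (incident to detection, detection to investigation, detection to remediation)
over a constructed set of incident timelines and summarise them for review."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

METRICS = ("incident_to_detection", "detection_to_investigation", "detection_to_remediation")


@dataclass(frozen=True)
class Incident:
    name: str
    first_activity: datetime           # earliest attacker activity the investigation found
    detected: datetime
    investigation_started: datetime
    remediated: Optional[datetime]     # None while the incident is still open


def _days(delta: timedelta) -> float:
    return round(delta.total_seconds() / 86400, 2)


def incident_metrics(inc: Incident) -> Dict[str, Optional[float]]:
    """Per-incident durations in days; detection_to_remediation is None for open incidents."""
    if inc.detected < inc.first_activity or inc.investigation_started < inc.detected:
        raise ValueError(f"{inc.name}: timeline is out of order")
    return {
        "incident_to_detection": _days(inc.detected - inc.first_activity),
        "detection_to_investigation": _days(inc.investigation_started - inc.detected),
        "detection_to_remediation": None if inc.remediated is None else _days(inc.remediated - inc.detected),
    }


def summarize(incidents: List[Incident]) -> Dict[str, Optional[float]]:
    """Median of each metric over the incidents that have a value for it, plus the open count."""
    rows = [incident_metrics(i) for i in incidents]
    out: Dict[str, Optional[float]] = {}
    for key in METRICS:
        vals = [r[key] for r in rows if r[key] is not None]
        out[key] = median(vals) if vals else None
    out["open_incidents"] = sum(1 for i in incidents if i.remediated is None)
    return out


D = datetime
SAMPLE_INCIDENTS = [  # constructed timelines
    Incident("INC-1", D(2014, 1, 10), D(2014, 5, 20), D(2014, 5, 21), D(2014, 6, 4)),   # long dwell time
    Incident("INC-2", D(2014, 7, 1), D(2014, 7, 3), D(2014, 7, 3, 12), D(2014, 7, 10)),
    Incident("INC-3", D(2014, 8, 15), D(2014, 9, 1), D(2014, 9, 2), None),               # still open
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.name, incident_metrics(inc))
    print("summary", summarize(SAMPLE_INCIDENTS))
```

The out-of-order check matters because these dates are usually typed in by hand after the fact; a detection date earlier than the first attacker activity would otherwise silently produce a negative dwell time.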

Q&A


Business Ethics Leadership Alliance (BELA)

This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.

For more information on BELA contact:
Laara van Loben Sels, Senior Director, Engagement, [email protected]

PLEASE JOIN US FOR

October 30, 2014: Cyber-Security, IP Theft and Data Breaches: Practical Steps to Protect Corporate Assets Internally and with Third Parties

All upcoming Ethisphere events can be found at: http://ethisphere.com/events/


THANK YOU