The audio portion of the conference may be accessed via the telephone or by using your computer's
speakers. Please refer to the instructions emailed to registrants for additional information. If you
have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Presenting a live 90-minute webinar with interactive Q&A
Cyber Threats to Banks and Financial Institutions: Regulatory Requirements and Bank Examinations
Leveraging FFIEC Cybersecurity Assessment, Navigating Board of Director Risks and Third-Party Vendor Management
TUESDAY, APRIL 5, 2016
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Jason M. Halper, Partner, Orrick Herrington & Sutcliffe, New York
Aravind Swaminathan, Partner, Orrick Herrington & Sutcliffe, Seattle
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-866-873-1442 and enter your PIN when prompted. Otherwise, please
send us a chat or e-mail [email protected] immediately so we can
address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen,
press the F11 key again.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 35.
Program Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
Cyber Threats to Banks and Financial Institutions: Regulatory Requirements and Bank Examinations
Aravind Swaminathan (Seattle), Global Co-Chair, Cybersecurity and Data Privacy
Jason Halper (New York), Co-Chair, Financial Institutions Litigation Practice
April 5, 2016
“There are only ‘two categories’ of companies affected
by trade secret theft – those that know they’ve been
compromised and those that don’t know yet.”
Former Attorney General Eric Holder
Scope of the Problem
World Economic Forum: Cyber is Top 5 Global Risk
Source: World Economic Forum Global Risks 2014
Privileged & Confidential
Threat Actors
Threat Type / Who and What
Organized Crime: Organized crime rings targeting corporate data, such as personal information, health information and credit cards, for financial motives (e.g., Target)
Industrial Control System Attack: Targeted attack that seeks to disrupt the activities of large-scale companies or organizations, including industrial control systems (e.g., Stuxnet)
Insiders: Employee or contractor using access to release or exfiltrate information for personal, competitive, or financial gain (e.g., Wikileaks)
Advanced Persistent Threat (APT): Organized and state-funded groups methodically infiltrating the enterprise, often maintaining a presence for months or even years (e.g., “Deep Panda”)
Hacktivism: Highly visible attacks to advance “movements” based on political, policy, or religious views, to raise a PR spotlight, embarrass, or effect change (e.g., Anonymous)
Attack Targets
Source: Verizon 2015 Data Breach Investigations Report
“The top two industries affected are the same as previous years: Public and Financial Services.”
Average Loss to Organization
• Averages based on small breaches of 5,000 to 99,000 records
• Breaches >100,000 records were excluded because they would “skew” the results
Average Loss to Organization: In 2012 / In 2014
Average Total Cost (direct and indirect expenses, e.g., forensic experts, outsourcing hotline, free credit monitoring, discounts, customer loss, diminished customer acquisition): $5.5 million / $6.5 million
Cost per compromised record: $188/record / $217/record
Source: Ponemon Institute/IBM, 2015 Cost of Data Breach Study: United States
FFIEC Cybersecurity Assessment Tool
Inherent Risk:
• Technologies and connection types
• Delivery channels
• Online/Mobile products & technology services
• Organizational characteristics
• External threats
Cybersecurity Maturity:
• Risk management and oversight
• Controls
• External dependency management
• Incident management
Regulators explicitly using it in bank examinations:
• Office of the Comptroller of the Currency
• National Credit Union Association
NY Department of Financial Services (November 9, 2015)
Potential New NYDFS Cyber Security Regulation Requirements
• Required Policies and Procedures (e.g., data governance/classification, identity access management, incident response)
• Third Party Service Provider Management (e.g., multi-factor authentication, encryption, notification for cybersecurity incidents, indemnification, security audits, reps/warranties re InfoSec)
• Chief Information Security Officer
• Cybersecurity personnel and intelligence
• Annual penetration testing and quarterly vulnerability assessments
• Audit trails for privileged user access, protection of logs, etc.
• Notification to NYDFS if reasonably likely to materially affect operations or triggers NY state notice, board notification, NPHI or “private information”
Other Regulatory Guidance on Cybersecurity
Overview of Key Elements from SEC/FINRA:*
Identification of Risks & Cybersecurity Governance
• Documented information security policy
• Establish cybersecurity roles and responsibilities
• Periodic assessment of cybersecurity risks
• Periodic assessment of physical security risks
• Network mapping and inventory of technology resources
• Cybersecurity insurance
• Incorporate cybersecurity into BCP plan
Protection of Firm Network and Information
• Employee training and written guidance
• User access controls
• Use of encryption
• Change management procedures (test environment)
• Documented incident response plan
• Audits of security policies
Risks Associated with Vendors and Other Third Parties
• Cybersecurity assessment of vendors and third parties
• Details of cybersecurity risk in third party contracts
• Network segregation of third party access
• Logging and control of third party access
Detection of Unauthorized Activity
• Create baseline of network traffic and events
• Event aggregation and correlation
• Detection of events/intrusions, malicious code, unauthorized users and devices
• Penetration testing and vulnerability scanning
• Data loss prevention
*SEC National Exam Program Alert, Vol. IV, Issue 4, “Cybersecurity Examination Sweep Summary” (Feb. 3, 2015); FINRA, “Report on Cybersecurity Practices” (Feb. 2015)
Vendor Management
Vendors can be the “weak link” (Target HVAC): public entities rely on hundreds or even thousands of vendors for core operations/services
Proactive Risk Mitigation
» Pre-contract due diligence, calibrated to sensitivity level of data to be handled by vendor (e.g., vendor MUST have an IR Plan)
» Contractual terms with appropriate risk shifting / allocation (e.g., will you require vendor to carry cyber insurance?)
» Absolute clarity on definition of “breach” and mutual reporting and cost obligations in breach event
» Audit rights, and ability to exercise such rights (e.g., questionnaires)
» Ongoing due diligence and willingness (ability) to terminate
Employee and Customer/Client Training
Employee training is key
• Tailor to meet staff needs
• Interactive training with participation
• Index to past experiences and threat intelligence
• Lather, rinse, repeat
Customer training emphasis (SEC)
• 65% of broker-dealers provide customers with information on reducing cybersecurity risks
• 19% of advisers provide steps that can reduce cybersecurity risks
Recent Enforcement
R.T. Jones, Investment Advisor (Sept. 22, 2015)
Rule 30(a) of Regulation S-P (“Safeguards Rule”) – written policies and procedures reasonably designed to: (1) insure security/confidentiality of customer records/info, (2) protect against anticipated threats or hazards to the security/integrity of customer records/info, (3) protect against unauthorized access to or use of customer records and information
Client PII (100,000 individuals) on 3rd party-hosted server, hacker gained full access/copy rights; no harm established
No reasonably designed safeguards: no risk assessments, encryption, firewalls, or incident response procedures
Censured + $75,000 civil penalty + remedial efforts
Recent Enforcement
Sterne Agee, Investment Advisor (May 22, 2015)
Rule 30(a) of Regulation S-P (“Safeguards Rule”);
NASD Conduct Rule 3010; FINRA Rule 2010
Client PII (+350,000 individuals) on unencrypted laptop left in a restroom and lost: account numbers, names, addresses, tax identification numbers; no harm established
Sterne’s written supervisory procedures (WSPs) not reasonably designed to safeguard; WSPs provided for many security measures, but not laptop encryption
Paper trail dates from March 2009 through June 2014 showing repeated discussion of, but failure to, implement encryption (see FINRA Regulatory Notice 05-49)
Censured + $225,000 civil penalty + remedial requirements
Recent Enforcement
Dwolla, Inc., Online Payment Processor (March 2, 2016)
Sections 1031(a) & 1036(a)(1) of Consumer Financial Protection Act;
Advertised 100% encryption, “bank-level hosting and security environment,” and “set[] new precedent for the industry for safety and security”
Failed:
» to adopt and implement reasonable data security policies and procedures (or even comply with ones that it had adopted),
» to conduct periodic security risk assessments, did not adequately train employees, and
» to ensure that the software and applications it developed were secure.
No cybersecurity incident, data breach, or other specific consumer harm appears to have prompted CFPB’s investigation
$100,000 civil penalty + 5-year consent order
Civil Litigation
• Private class actions
» fast-and-furious: Anthem suits filed within 24 hours
» multi-district: Target, Home Depot
» multi-front: Schnucks Grocery vs. plaintiffs and insurers
» standing defense in question: Neiman Marcus
• Issuing Bank litigation in PCI/card breaches
• Contractual enforcement
» Payment Card Industry (PCI), credit card brand companies
» Customer claims via contracts, privacy policies, terms of use
• Suits against directors alleging breach of fiduciary duty
Cybersecurity Governance
Regulators say a governance framework is essential:
• To allocate adequate resources to cybersecurity and set priorities
• To mitigate risks
• To lay groundwork to avoid or reduce harms
• Must be supported by intelligent, fact-based decision making
• Use cybersecurity frameworks (e.g., NIST)
• Bridge communication gaps between cybersecurity experts and executives
• Assess security through common performance measurement tools
Fiduciary Duties Under State Law
• Cyber or not, the Board’s fiduciary duties are the same:
− Duty of care
− Duty of loyalty (includes duty of good faith)
− Caremark standard
− Risk oversight function
Sample Shareholder Derivative Cases
− Heartland Payment Systems (January 20, 2009): Malware on payment processing network, compromised potentially 100 million credit cards.
− Target Corporation (December 15, 2013): Network breach compromised potentially 110 million credit cards.
− Wyndham Worldwide Corporation: Three separate breaches that compromised 619,000 records, leading to FTC enforcement action for unfair and deceptive trade practices.
− The Home Depot, Inc. (September 3, 2014): Network breach compromised potentially 56 million credit cards
Allegations Against Directors
• Breach of fiduciary duty of care, loyalty, and good faith (Heartland, Target, Wyndham, Home Depot)
• Unjust enrichment (Heartland)
• Abuse of control (Heartland)
• Gross mismanagement (Heartland)
• Waste of corporate assets (Heartland, Target, Wyndham, Home Depot)
Typical Post-Breach Claims Against Directors
• Failed to implement and monitor effective cybersecurity program
• Failed to protect company assets and business by recklessly disregarding cybersecurity risks and ignoring “red flags”
• Failed to implement and maintain internal controls to protect customer or employee personal and financial information
• Failed to take reasonable steps to timely notify individuals that company’s information security system was breached
• Caused or allowed company to disseminate materially false and misleading statements to shareholders regarding incident
• Failed to implement controls or oversee cybersecurity program, resulting in a waste of corporate assets
• Made false or misleading cyber-risk disclosures in public filings
How to Protect Board Members
Protection Against Shareholder Claims for Breach of Duty
• Lay a foundation to use the “business judgment” rule to shield the board from shareholder claims
» The business judgment rule is a presumption that directors acted in good faith, with reasonable skill and prudence, and with a reasonable belief that they were acting in the corporation’s best interests
» Applies unless shareholders can show lack of business judgment or that a majority of the board was not disinterested and independent
» Directors may rely on cyber experts to enable them to exercise proper skill and prudence (due care)
• Directors are protected by the business judgment rule unless shareholders allege (i) failure to implement a board-level oversight and reporting system, or (ii) directors substantially disregarded cybersecurity reports and red flags
» Directors must evaluate cybersecurity risks, with regular updates
» Directors must implement effective continuous monitoring of systems
» Directors must receive and consider periodic cybersecurity reporting
» Directors must allocate adequate resources to address possible risks
» Document all actions in board and committee packets, minutes and reports
• Ensure cybersecurity disclosures are not false or misleading in light of the most current and evolving information, and include specific and relevant warnings of evolving risks
Protecting the Board (cont’d)
Protection Against Investor/SEC Claims for False/Misleading Statements
• Do: Make disclosures of what you do to address cybersecurity threats
» We utilize intrusion threat detection and protection systems.
» We conduct regular internal and external cybersecurity assessments.
• Do not: Make statements about what threats you protect against or how your cybersecurity systems protect against threats
» We have state-of-the-art intrusion protection systems that prevent individuals from gaining access to our proprietary network without authorization.
• Do: Prepare risk disclosures that are specific, without disclosing key details about cybersecurity measures
» We collect and maintain personal identifying information, such as credit card information, that is collected via point-of-sale terminals across the globe. A malware attack on any point-of-sale terminal could result in loss of customer data and confidence in our ability to protect their information because of the data breach, resulting in an adverse impact on sales.
» We maintain valuable intellectual property on our computer networks, which, if accessed without authorization, could result in loss of revenue if that information is used to develop counterfeit information.
• Do: Prepare more generalized risk disclosures that supplement specific disclosures
Section 102(b)(7) Charter Provisions
• Delaware Gen. Corp. Law Sec. 102(b)(7) permits shareholders to
adopt a Charter provision that precludes monetary liability on part of
directors of Delaware companies for breaches of due care
• Prevalent among Delaware corporations
• Results in dismissal of claims seeking money damages from
directors for breaches of the duty of care, including in the
cybersecurity area
• Does not protect against breaches of the duty of loyalty or result in
dismissal of claims seeking injunctive or other equitable relief
• Query: Can a failure to adopt and implement reasonable
cybersecurity measures be considered a breach of loyalty/bad faith?
Best Practices for Board
• Direct implementation of cybersecurity plan that includes:
» Development of policies and procedures
» Regular updating of the security plan, policies and procedures
• Oversight of:
» Enforcement of cybersecurity plan’s policies and procedures
» Accountability for non-compliance; incentivize compliance
• Monitor effectiveness of:
» Internal Controls
» External Controls
• Allocate adequate resources for the identified risks and the plan for remediation
Internal and External Controls
• Internal Controls
» CISO (or similar) certification of compliance with cybersecurity policies and procedures
» Internal testing and validation of compliance
» Periodic reporting to Audit Committee
• External Controls
» Retain independent cybersecurity firm
» Conduct assessment of cybersecurity program/posture
» Use established framework for assessment and evaluation, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and/or FFIEC tools
» Periodic reporting to Audit Committee
• Document Process
Key Elements of Proactive Cybersecurity Program
• Executive CISO or equivalent function responsible for cybersecurity with regular and direct reporting to Board (Audit/Risk) Committee
• Inventory of data and network assets subject to attack (e.g., data map or network map)
• Regular enterprise-wide cybersecurity assessments, properly scoped and managed (not just “pen tests” or routine vulnerability scans, but more holistic)
• Participation in threat intelligence sharing forums to develop understanding of threat landscape (e.g., FS-ISAC)
• Certification to ISO/IEC standards, such as ISO/IEC 27001:2013
• Encryption of sensitive data in transit and at rest, as appropriate . . . as the bare minimum of protective controls
Key Elements (cont’d)
• Inclusion of cybersecurity-related provisions and audit rights in vendor and business partner contracts, with program for auditing compliance
• Development of security breach incident response plan (IRP); periodically tabletop, refine, update
• Implementation of training programs for employees and security team on cybersecurity awareness and response
• Retention of experts and consultants to provide technical services for purpose of providing legal advice regarding risk
• Procurement of cyber insurance to cover costs of forensic analysis, legal services, public relations, credit monitoring, litigation defense, etc.
Aravind Swaminathan
• Aravind Swaminathan is a global co-chair of the firm's Cybersecurity
& Data Privacy team, which is nationally ranked by The Legal 500
for "high-level practical experience and understanding of the law.”
• Aravind is an accomplished trial lawyer and former federal
prosecutor in the complex crimes unit. He has extensive experience
in cybersecurity and data breaches, government and internal
investigations, and privacy-related matters. Aravind advises clients
in proactive assessment and management of internal and external
cybersecurity risks, breach incident response planning, and
corporate governance related to cybersecurity.
• Aravind has directed dozens of internal data breach investigations
and incident response efforts, including incidents with national
security implications. He also represents companies and
organizations facing cybersecurity and privacy-oriented class action
litigation. Aravind is a sought-after speaker on cybersecurity issues,
including threat landscapes, mitigation strategies, incident response
plans, and threat management in mobile device ecosystems.
Orrick, Herrington & Sutcliffe LLP
701 Fifth Avenue, Suite 5600
Seattle, WA 98104
(206) 839-4340
Jason Halper
• Jason Halper is the co-chair of the Financial Institutions Litigation
Practice. Jason is a seasoned litigator and trial lawyer with more
than two decades of experience representing financial institutions,
Fortune 500 companies and other clients in high-stakes litigation
and regulatory matters. He is a member of the Trial Bar of the
Northern District of Illinois and has tried cases to jury verdict or
decision in federal and state courts, regulatory tribunals and
arbitrations.
• Jason represents public and private companies, underwriters,
lenders, professional firms, corporate directors and other individuals
in a variety of industries in securities, derivative, ERISA and RICO
class actions, SEC and stock exchange investigations and
arbitrations, internal investigations, suits claiming breaches of
fiduciary duty, insider trading or other misconduct by corporate
directors, substantial contract disputes, bankruptcy-related
proceedings, and litigation arising from M&A or other transactions
involving changes in or contests for corporate control in Delaware
Chancery Court and elsewhere.
• Jason is also an adjunct professor in corporate and securities law at
the University of Pennsylvania Law School, and a frequent speaker
and author.
Orrick, Herrington & Sutcliffe LLP
51 West 52nd Street
New York, New York 10019
(212) 506-5133