
This Webcast Will Begin Shortly

If you have any technical problems with the Webcast or the streaming audio, please contact us via email at:

[email protected]

Thank You!

Evolving Cybersecurity Risks in US Commercial Real Estate

September 28, 2016

Presented By:

Elena B. Antonetti, Executive Counsel, Travelers Indemnity Co.
Edward Chang, Esq., 2VP Cyber Risk Mgmt., Travelers Indemnity Co.
Khizar A. Sheikh, Esq., Mandelbaum Salsburg PC
J. Paul Zimmerman, Esq., Christian & Small LLP

Today’s Webinar is Sponsored by The International Society of Primerus Law Firms

Primerus is an international society of the world’s finest small to midsize law firms. Membership in Primerus is by invitation only, and all Primerus law firms are pre-screened before being accepted, and audited annually for their continued commitment to providing excellent work product and superior client service at reasonable rates. Currently, there are nearly 3,000 Primerus lawyers in over 180 Primerus firms located in 45+ countries.

If you would like to learn more about Primerus, please visit the Primerus website at www.Primerus.com.

INTRODUCTION

Cyber Liability and Enforcement Risks

•  Generally applicable risks:
–  Loss or theft of data (corporate, as well as third-party data)
–  Denial of service
–  Business email compromise

•  Risks more particular to CRE companies:
–  ICS / SCADA / IoT – real-world effects through attacks on building management systems
–  Your tenants’ risks!

Cyber Applied to CRE Companies

•  The U.S. Department of Homeland Security lists the “commercial facilities sector” as “critical infrastructure” requiring “security” and “resilience”:
–  Entertainment and Media (e.g., motion picture studios, broadcast media)
–  Gaming (e.g., casinos)
–  Lodging (e.g., hotels, motels, conference centers)
–  Outdoor Events (e.g., theme and amusement parks, fairs, campgrounds, parades)
–  Public Assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers)
–  Real Estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage)
–  Retail (e.g., retail centers and districts, shopping malls)
–  Sports Leagues (e.g., professional sports leagues and federations)

Cyber Applied to CRE Companies

•  Risk Examples:

–  The Massachusetts Attorney General fined a property management firm $15,000 after a company laptop containing unencrypted personal information was stolen.

–  A large US REIT discovered that its systems containing PII and key company information had been compromised by a cyber intrusion. The company recorded a $2.8 million cyber intrusion expense, including investigative fees and identity protection services. However, even after several months, the company had yet to fully understand the modus operandi, the exact data that was compromised, or the full amount of damage.

–  Another REIT disclosed that its HR information on employees and their dependents and beneficiaries had been accessed by an unknown third party.

–  A laptop was stolen from the management office of a large apartment complex, and company executives feared criminals would gain access to tenant data. The potential breach required roughly 10,000 past and present tenants be notified and their credit monitored.

–  A real estate management company notified an undisclosed number of housing applicants that their personal information had been exposed online. A file containing housing applicants’ names, Social Security numbers, driver’s license numbers, e-mail addresses and mailing addresses had been taken from a database and posted on an “unauthorized Web site.”

–  A company that maintains hotel franchises under nationwide brands suffered a data breach that exposed credit and debit card information on thousands of guests.

No “one” type of CRE company

GOVERNANCE ISSUES

What is the Board of Director’s Role in Cybersecurity?

•  Companies must foster a culture of security, which can only be accomplished effectively from the top down. It requires leadership, and leadership starts with the directors and officers.

•  Boards are generally charged with oversight, with audit and reporting being classic examples. In the cyber security context, the board must monitor whether such issues are being effectively addressed. As then U.S. Securities & Exchange Commissioner Luis Aguilar has noted:

“Although primary responsibility for risk management has historically belonged to management, the boards are responsible for overseeing that the corporation has established appropriate risk management programs and for overseeing how management implements those programs…[E]nsuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.”

Luis A. Aguilar, Comm’r, U.S. Sec. & Exch. Comm’n, “Cyber Risks and the Boardroom” Conference, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014) (http://www.sec.gov/News/Speech/Detail/Speech/1370542057946) (last visited 08/15/2016).

What is the Board of Director’s Role in Cybersecurity?

•  Directors must satisfy their duties of diligence, loyalty, and care in addressing cybersecurity, and their actions must be documented. Their efforts must be every bit as thorough as the directors’ efforts in audit, compliance, and reporting. Necessary resources must be available to directors to allow the board to conduct sufficient analysis and investigation of the company’s IS posture.

•  Best practices require that the board either include someone that has enough technical expertise to understand the challenges, issues, and options in addressing IS, or have regular access to such expertise, independent of the company’s officers.

What are the Fiduciary Responsibilities of Directors?

•  Inquiries as to how the company is prepared to address newsworthy cyber events should occur regularly:
–  What are considered to be the most valuable informational assets of the company, or the most attractive customer information held by the company?
–  Where is such information held, and are laws of other jurisdictions implicated?
–  What efforts are being made to assess risks and vulnerabilities, along with utilization of assessments to improve security?
–  What is the state of the company’s data environment, including the volume of data and whether appropriate information life cycle management is being practiced to reduce the amount of data held by the company?
–  What are potentially appropriate standards for cyber security, testing, and assessment, and is the company in compliance with them?
–  What steps are being taken to prevent, minimize, respond to, and recover from events, including as to reputational damage?

What are the Fiduciary Responsibilities of Directors?

–  What efforts are being made to educate employees regarding cyber security?
–  Is security a focus of vendor management?
–  Is the company staying current as to threats and safeguards, whether administrative, technological, or physical, including the possibility of cooperative efforts with other companies and government agencies?
–  Does the company’s risk management plan address cyber security through contracts and insurance policies?

Measuring ROI of Controls and Safeguards

•  The average consolidated total cost of a data breach grew from $3.8 million to $4 million. The average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158. (IBM 2016 Cost of Data Breach Study).

•  This number does not include liability risks, but does include potential loss of business. But what does this mean?

•  Companies should not spend more on safeguards than the problem is worth.

•  Classic methodology:
–  Annualized loss expectancy (“ALE”).
–  Calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage and loss of data.
–  Multiply that by the chances the incident will occur in a year.

•  Spend more than that, and you’re wasting money.

•  Spend less than that, and you’re also wasting money.

What effect do legal requirements have on this analysis?
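The ALE method on this slide, worked through as an added example that is not part of the presentation: the single-loss cost is split into the slide’s tangible and intangible buckets, multiplied by the yearly likelihood, and a proposed safeguard is then judged against the loss it removes. The per-record figure is the $158 the slide cites; every other dollar amount, probability and the laptop-encryption control are constructed assumptions.

```python
"""Annualized loss expectancy (ALE) applied to a safeguard decision.

Added example, not from the presentation. Dollar figures and rates are
constructed for illustration; only the $158 per-record cost comes from
the IBM 2016 study cited on the slide.
"""
from dataclasses import dataclass


@dataclass
class IncidentCost:
    """Single-loss expectancy (SLE) in the slide's two buckets, in USD."""
    tangible: float     # time, money, forensics, notification
    intangible: float   # reputation, competitive advantage, lost data

    @property
    def sle(self) -> float:
        return self.tangible + self.intangible


def records_exposure(records: int, cost_per_record: float = 158.0) -> float:
    """Tangible exposure from a record-level breach at the cited per-record cost."""
    return records * cost_per_record


def annualized_loss_expectancy(cost: IncidentCost, annual_rate: float) -> float:
    """ALE = SLE x expected number of incidents per year (annual rate of occurrence)."""
    if annual_rate < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return cost.sle * annual_rate


def safeguard_verdict(ale_before: float, ale_after: float, annual_cost: float) -> str:
    """The slide's rule: a control is worth at most the annual loss it removes.

    'worthwhile' when the control costs no more than the ALE reduction it buys,
    otherwise 'overspending' ("spend more than that, and you're wasting money").
    """
    reduction = ale_before - ale_after
    return "worthwhile" if annual_cost <= reduction else "overspending"


if __name__ == "__main__":
    # Constructed scenario: loss of 10,000 tenant records (the stolen-laptop
    # example on the earlier slide), assumed to occur once every five years.
    cost = IncidentCost(tangible=records_exposure(10_000), intangible=400_000.0)
    ale_now = annualized_loss_expectancy(cost, annual_rate=0.2)
    # Assumed control: laptop full-disk encryption cuts the rate to once in 50 years.
    ale_with_fde = annualized_loss_expectancy(cost, annual_rate=0.02)
    print(f"SLE ${cost.sle:,.0f}; ALE ${ale_now:,.0f} -> ${ale_with_fde:,.0f}")
    print(safeguard_verdict(ale_now, ale_with_fde, annual_cost=150_000))  # worthwhile
    print(safeguard_verdict(ale_now, ale_with_fde, annual_cost=500_000))  # overspending
```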

DATA BREACH, RESPONSE & INSURANCE

Fundamental security principles

•  Prepare – “Failing to prepare is preparing to fail”
–  Plan for cyber security
–  Incident response and business continuity planning

•  Strong access controls – principle of “least privilege”
–  Control administrative privileges
–  Mobile device management
–  Third party vendors

•  Security conscious practices and policies
–  Employee on-boarding, education, and departure
–  Change management

What is Data Breach & How to Respond

•  Disclaimer: This presentation is not intended as legal advice. A company should always seek the advice of a qualified attorney when evaluating legal or statutory considerations.

•  Potential types of data compromise:
–  PII, PHI, PCI, business confidential, other third-party

•  Notification requirements:
–  Patchwork of data privacy laws, both state and federal
–  Contractual or other legal obligations
–  Law enforcement? Insurance carrier?

•  Incident response:
–  Do you have a tested incident response plan?
–  Outside resources: legal counsel or breach coach; forensic investigation

Ransomware: Effect on Breach Response

•  On average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015). (US Government).

•  FTC Chair:
–  Not protecting against ransomware may violate federal law.

•  State Data Breach Laws:
–  U.S. state breach notification rules are generally triggered on an unauthorized “acquisition” and/or “access” to certain types of unencrypted personal information.
–  Understand your state’s laws.
–  Update incident response plans.

Cyber Insurance

•  Disclaimers:
–  This presentation is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy.
–  This presentation is not intended as insurance advice. A company should always seek the advice of a qualified insurance agent or broker when considering their insurance coverage.

•  Typical cyber insurance coverage (the slide groups these into 3rd party coverages and 1st party coverages):
–  Network and information security liability
–  Content and media liability
–  Regulatory liability
–  Crisis management
–  Notification
–  Data recovery
–  Fraud
–  Extortion (ransomware)
–  Business interruption (contingent?)

Impact on Other Insurance Coverage

•  Again, there are first-party and third-party implications to a data breach, which vary according to the type of incident.

•  With cyber policies still evolving and still varying tremendously, coverage gaps are imminent.

•  Differences in definitions, such as “claim,” “occurrence,” etc., among different kinds of policies are common.

•  Scrutinizing coverage by analyzing how various policies would be applied to common cyber events, given how they take place and evolve, can reveal coverage gaps.

•  Sublimits and endorsements in non-cyber policies are common. Even if there is coverage under other policies, such as CGL, EPLI, etc., coverage will not likely be sufficient.

•  How is the company managing risks that cannot be feasibly insured against?

Impact on Other Insurance Coverage

•  Common issues in coverage under other policies include:
–  Would the various types of cyber events trigger coverage?
•  If so, at what point?
•  If not, why?
–  Definitions?
–  Outside the scope of coverage?
–  Exclusions?
–  Are the policy limits, taking into account sublimits, sufficient?
–  Do any aspects of the data environment affect coverage, such as data held by a third party or data owned by a third party?
–  Do any contracts to which the organization is a party affect coverage, such as through contractual duties assumed, subrogation waivers, etc.?

COUNSEL’S ROLE

Counsel Role – Prevention

•  Significant value-add in limiting cyber risk exposure & mitigating potential reputational damage if the In-House Legal is at the table & works closely with the stakeholders: IS Security, IT, HR, Business & Compliance.

•  Well-positioned to evaluate potential vulnerabilities/gaps and assist with developing operational controls to mitigate.

•  Must know your data environment & potential exposure points to set up the ‘right-sized’ governance & policies for managing both data that your company handles & vendors/subs handle on its behalf.

•  Partner with other functions (IT, IS Security, HR, etc.) to develop & deliver training - sensitize employees to cyber risks and educate on the need to safeguard data & information resources as much as any other company asset.

•  Develop policies & training for employees to be able to handle social engineering and phishing, download software, use social media/email & protect passwords.

Counsel Role – Breach Response

•  If a breach happens, step up and take the lead with other stake holders on the breach response strategy

–  Evaluate the Damage – Categorize data to determine whether personal information was compromised and notification/other actions would be required (as opposed to optional).

–  Articulate & Manage the Response Procedures – Identify who will notify customers & report the breach event, who will contact the insurance agent and carrier and manage communications.

–  Course correct – Partner with IT to ensure that the gaps are fixed going forward and any sensitive company and client data are secure.

–  Know When to Involve Experts – Evaluate the cost/benefits of retaining Outside Counsel, Breach Managers or Breach Coaches to assist with managing a cyber breach event (fact gathering, developing a communications strategy, documenting expenses and re-securing the network).

Partnering Inside and Outside Counsel

•  Each can play to their own core competencies and inherent efficiencies and strengths.

•  Maximize attorney/client and work-product protections.

•  Outside counsel looks not only to inside counsel’s legal expertise, but also:
–  Organizational and institutional knowledge
–  Inter-disciplinary relationships
–  Legal perspective of all areas of operation
–  Gatekeeper to facilitate and protect privilege
–  Inside counsel can serve in several capacities in a matter that outside counsel cannot

Outside Counsel’s Vulnerabilities

•  Does your outside counsel have cyber coverage?

•  What about counsel for other parties in transactions?
–  Yes, you have an NDA, but what good is it?
–  Are you prepared to respond to a breach of opposing counsel that has your company’s data in a transaction or through the course of discovery?

Thank you.

•  Elena B. Antonetti, Travelers, Hartford, Connecticut, email: [email protected]

•  Edward C. Chang, Travelers, Hartford, Connecticut, email: [email protected]

•  Khizar A. Sheikh, Mandelbaum Salsburg, Roseland, New Jersey, phone: (973) 243-7980, email: [email protected]

•  J. Paul Zimmerman, Christian & Small LLP, Birmingham, Alabama, phone: (205) 250-6616, email: [email protected]

Thank you for attending another presentation from

ACC’s Webcasts

Please be sure to complete the evaluation form for this program as your comments and ideas are helpful in planning future programs.

If you have questions about this or future webcasts, please contact ACC at [email protected]

This and other ACC webcasts have been recorded and are available, for one year after the presentation date, as archived webcasts at http://www.acc.com/webcasts