Cyber Security Risks and Apportioning of Liability: What You Need to Know in 2016 and Beyond
A global survey of Cyber Security Risk conducted by the Information Systems Audit and Control Association this year suggests that most companies are not well prepared for cyber security threats despite the dramatic increase in the number, frequency, and sophistication of incidents. Most companies also are poorly prepared to identify or to respond to threats. In 2015 and the first two quarters of 2016, consumer confidence in the security of their finances and information was further eroded by numerous serious breaches in the government, in hospitals, in corporations and in personal email accounts.
New technological developments create new security risks. Yet, concurrently, new vulnerabilities evolve in some older technologies, especially those used online. In 2016 and beyond, cyber security threats will increase in frequency, complexity, and variety. Ransomware attacks will increase in frequency, with emphasis upon hospitals and large corporations holding valuable information, especially in cloud services. Newer mobile payment systems will provide new opportunities for crackers and hackers to breach financial accounts. The interconnection of all sorts of equipment via the Internet of Things will create a vast variety of new cyber security threats. Wearable devices, robotic surgical equipment, and medical devices (cardiac pacemakers, insulin pumps, etc.) will face breaches that may lead to the deaths of the wearers or patients. More broadly, and of equal concern, is the growing risk faced by utility companies, especially the nuclear, hydrological, and electrical industries. Attacks on these utilities can cause widespread economic loss as well as threats to human health.
Planning to resist and mitigate cyber-attacks is the best solution. However, taking action to remedy and recover from cyber-attacks is equally important. By and large, most corporations' efforts have been indolent and somewhat lackluster in both cases. Worse still, many vulnerabilities remain undetected or unmitigated, often for several years. Responsibility for cyber security rests with every individual in a company, from top executives to the cleaning staff. It is critical that executives, board members, and managers are knowledgeable about and enforce security procedures. IT and security staff need to undertake penetration testing, computer forensic analysis, and fraud mitigation simulation. 'Intelligence'-based security must be used to augment traditional technologies such as firewalls and security software. Continuous monitoring and advanced analysis of data transmissions and transactions will be critical to ensure robust security. As companies step up their cyber defenses, they can also learn from the best practices developed by utility companies, which have been subject to cybersecurity regulation for almost a decade and have developed a number of legal and policy tools to mitigate their risk and reduce their liability.
In this two-hour CLE webinar, our panel of key thought leaders and practitioners assembled by The Knowledge Group will provide a review and in-depth discussion of Cyber Security Risks and the Apportioning of Liability. Speakers will explain current cyber security threats, the liability implications of cyber security risk, and the best practices to avoid cyber security incidents and to recover from and remedy them if they occur. Key topics include:
- Cyber Security Risks and Liabilities: An Overview
- Cyber Security Trends
- Apportioning Liability for Cyber Losses
- Cyber Security Violations, Costs, and Legal Consequences
- Cyber Security Regulations
- Cyber Security Risk Mitigation
- Best Practices
Ray Suarez, Director, Product Management
- Just as in physical security of a corporate facility, InfoSec responsibility needs to be pushed down into the organization as a cultural norm. Employees need to be taught, enabled, and held accountable for controlling and managing corporate risk.
- Regardless of the size and complexity of their networks, organizations need the ability to accurately identify vulnerabilities that pose the greatest threat to critical business assets. This starts by identifying business assets with the help of business leaders (hint: if it's in the data center, it's probably critical). Once critical assets are identified, teams can then focus on vulnerabilities that increase risk. Only then can you identify and move quickly to remediate the important threats.
- The risk of poor Identity Management goes hand in hand when trying to secure an organization. Identity Management "vulnerabilities" will not be identified by a web application or network scanner. InfoSec leaders need a comprehensive, continuous view and analysis of the relationships between identities, access rights, policies, resources, and activities across a multitude of enterprise systems and resources. What is more dangerous than a disgruntled ex-employee with valid credentials and high privileges?
J. Daniel Skees, Partner-Elect
Morgan, Lewis & Bockius LLP
- Utilities face different cybersecurity risks than most companies. Rather than protecting intellectual property, privacy, and the financial well-being of the company, utilities’ primary focus is on the protection of the cyber systems that control their industrial control systems.
- The risks of cybersecurity failures for utilities are magnified by the nature of the harm that cyberattacks can cause, from the opening of dams, to the burnout of large generators, to the tripping of key transmission assets. Any of those failures can have catastrophic effects on the surrounding populations, leading to widespread blackouts, destruction, and loss of human life.
- Utility liability protections under those circumstances have not been fully tested, because existing protections (tariffs, indemnification, and insurance) are premised on damage caused by acts of God or operational negligence, not by sophisticated attacks from foreign states or non-state actors.
- Intelligent partnering with federal and state security and defense agencies can provide an effective tool to reduce those risks given recent statutory and regulatory changes.
- Other industries facing risks of cyberattacks on control systems such as transportation and manufacturing can undertake similar partnerships to manage their cyber security risk.
Kevin Petrasic, Partner
White & Case LLP
- Financial institutions face unique pressure from regulators and customers to account for cybersecurity risks and maintain appropriate controls to mitigate harm arising from cybersecurity attacks generally and data breaches in particular.
- Regulatory scrutiny and compliance requirements
- Recognizing the increasing volume and sophistication of cyber threats, regulators are increasingly demanding that institutions have a robust security and compliance infrastructure to identify, assess, and mitigate these cybersecurity risks.
- Cybersecurity attacks may have one or more of a variety of goals, including theft of corporate and/or consumer customer data, compromising payment or messaging networks to manipulate the transfer of funds, or shutting down service altogether.
- In June 2016, FFIEC released a statement regarding recent cyberattacks against interbank networks and wholesale payment systems, which resulted in the theft of millions of dollars, and instructed banks to use multiple layers of security controls to establish several lines of defense, such as:
- Conduct ongoing information security risk assessments
- Perform security monitoring, prevention, and risk mitigation
- Protect against unauthorized access
- Implement and test controls around critical systems regularly
- Manage business continuity risk
- Enhance information security awareness and training programs
- Participate in industry information-sharing forums
- Disclosures and notifications
- Financial institutions face unique challenges in deciding whether and when they must notify regulators and customers of a breach. Not every cybersecurity incident results in a definitive threat to consumer data, but notification triggers may vary widely due to the state-by-state approach.
- Similarly, public companies must consider whether the occurrence of a cybersecurity incident is material information that must be disclosed.
- Apportioning of liability, vendor management, and cybersecurity insurance
- Following any major data breach, financial institutions are almost always involved in litigation, either seeking to recoup costs from a third-party service provider that was hacked or defending against claims from customers seeking recompense for the theft of their corporate or personal financial information.
- Cybersecurity insurance and contractual indemnification for breaches caused by service providers' IT cybersecurity weaknesses, or for damages suffered due to attacks on third parties, are increasingly important to containing the financial harm suffered by institutions that are first-party or third-party victims of a cybersecurity attack.
Samuel Lanier Felker, Shareholder
- What is ransomware?
- Strategies to prevent attacks
- What to do if infected with Ransomware?
- Report to law enforcement
- Reporting and notice requirements under HIPAA and state laws
- Mississippi Medical Center
- Oregon Health & Science University
- Catholic Health Care Services of the Archdiocese of Philadelphia
- The problem
- The National Institute of Standards and Technology
Who Should Attend:
- IT Lawyers
- Privacy and Data Security Lawyers
- Compliance and Risk Professionals
- Chief Information Officers
- Chief Security Officers
- IT Security Officers
- Cyber Security Professionals
- Privacy and Data Security Professionals
- Public, Private, and Multinational Corporate Officers
Ray Suarez is the Director of Product Management for all of Core Security's vulnerability products. In this role he is responsible for the strategic planning and market development of Core's suite of penetration testing and vulnerability management solutions. During his career he has been involved with delivering security products for network, database, server, and desktop technologies that have proven vital to the protection of mission-critical systems and IT services. He has held senior management roles in marketing and product management at companies such as Enterasys, Symantec, CA, Axent Technologies, AltaVista Software, and Sybase.
Kevin Petrasic is a banking partner and Global Head of the Financial Institutions Advisory practice of White & Case LLP, based in the Firm’s New York and Washington, DC offices. He advises banks and financial firms on regulatory, transactional, compliance, supervisory, enforcement, legislative, and policy issues. His clients include domestic and foreign banks, investment banks, private equity and hedge funds, investment managers and advisers, securities firms, insurance companies, payments companies, and FinTech firms.
Kevin has extensive experience in Dodd-Frank compliance, bank holding company regulation, anti-money laundering issues and OFAC compliance, credit card and consumer financial compliance laws, UDAAP issues, data privacy and data breach issues, compliance laws impacting payments systems, mergers and acquisitions, bank powers and activities, legislative matters, mortgage market regulation, and corporate governance.
He has over 20 years of government experience, including serving as Special Counsel, Managing Director of External Affairs, Director of Congressional Affairs, Legislative Counsel, and Assistant Chief Counsel at the US Treasury Department's Office of Thrift Supervision, as well as Counsel to the former US House Banking Committee.
J. Daniel Skees represents electric utilities before the Federal Energy Regulatory Commission (FERC) and other agencies on rate, regulatory, and transaction matters. He handles rate and tariff proceedings, electric utility and holding company transactions, reliability standards development and compliance, and FERC rulemaking proceedings. The mandatory electric reliability standards under Section 215 of the Federal Power Act, including those protecting critical electric control systems from cyberattacks, are a major focus of Dan’s practice. He advises clients regarding compliance with reliability standards, and helps them participate in the development of new standards.
Dan’s counsel includes the unique compliance concerns presented by the Critical Infrastructure Protection (CIP) reliability standards. Working with business and technical leads within companies and their outside IT consultants, he assists electric utilities in designing their CIP compliance programs and defending those efforts when necessary. The process includes proceedings on reliability compliance before FERC, the North American Electric Reliability Corporation (NERC), and regional entities charged with enforcing compliance.
Sam Felker, shareholder in the Firm's Nashville office, is a member of the Firm's Privacy and Information Security Team. Sam assists clients with data security and privacy concerns, including data breach response, and he was recently certified as an Information Privacy Professional by the International Association of Privacy Professionals. For over 30 years, Sam has focused his practice on complex litigation and has represented clients in significant commercial litigation involving insurance coverage, securities fraud, breach of contract, theft of trade secrets, defamation and intellectual property. Sam is well-versed in all forms of alternative dispute resolution and is a trained mediator.
About Core Security
Courion recently changed its name to Core Security. The company provides market-leading, threat-aware, identity, access and vulnerability management solutions that provide actionable intelligence and context needed to manage security risks across the enterprise. Solutions include multi-factor authentication, provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and vulnerability management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make better security remediation decisions and maintain compliance.
About White & Case LLP
White & Case is an international law firm that serves companies, governments and financial institutions, and is consistently ranked at the top of the list of global law firms. The firm’s Financial Institutions Advisory practice advises on a wide range of issues affecting banks and nonbank financial firms, including regulatory and compliance matters; transactions and structuring; disputes, enforcement and investigations; risk management and legal assistance in day-to-day operations; and cross-border legal and regulatory implications for firms with a global multijurisdictional presence. The firm’s clients include domestic and international banking organizations, investment banks, and an extensive list of nonbank financial firms that includes investment funds and advisers, private equity and hedge funds, sovereign wealth funds, outsourcing and other third party service providers, Fintech enterprises, and other key players in the financial industry sector. The firm also advises many of the largest banks in the US, UK, Latin America, Europe, the Middle East, Africa and Asia.
About Morgan, Lewis & Bockius LLP
Founded in 1873, Morgan Lewis is a full-service international law firm that offers more than 2,000 lawyers, patent agents, benefits advisers, regulatory scientists, and other specialists in 28 offices across North America, Europe, Asia, and the Middle East. The firm provides comprehensive litigation, corporate, transactional, regulatory, intellectual property, and labor and employment legal services to clients across industries and of all sizes—from globally established industry leaders to just-conceived start-ups.
About Baker Donelson
Baker Donelson provides expertise in over 30 practice areas with more than 650 attorneys and public policy advisors. The Privacy and Information Security Team is comprised of 30 attorneys, six of whom are CIPP/US accredited and one attorney who is CISSP accredited. Baker Donelson has experience in all areas of information management – from privacy and data security planning and design, to compliance, to data breach and litigation management. We provide our clients with concise and knowledgeable counsel in order to address all issues that may arise during the information life cycle. Clients receive knowledgeable guidance from experienced, multi-disciplined industry and client service teams, all seamlessly connected across 20 offices in Alabama, Florida, Georgia, Louisiana, Mississippi, Tennessee, Texas and Washington, D.C. Ranked as the 64th largest law firm in the U.S., Baker Donelson is recognized by FORTUNE magazine as one of the "100 Best Companies to Work For."