
Hot Topics in the Financial Industry: Cybersecurity PANELISTS:



Presentation Transcript


  1. Hot Topics in the Financial Industry: Cybersecurity PANELISTS: Douglas W. Henkin, Partner, BakerBotts L.L.P.  Maneesha Mithal, Associate Director, U.S. Federal Trade Commission, Division of Privacy and Identity Protection David M. Ross, Assistant General Counsel, MetLife

  2. Cybersecurity Background • Cybersecurity is the ability to maintain controls over information technology systems so that there is (i) no unintended access to or interference with those systems and (ii) no unintended exfiltration of data from those systems

  3. Significance and Types of Cybersecurity Issues: • Hacking and data breaches are increasing, as are the methods hackers use — always assume someone smarter than you is attacking or trying to attack your systems • Intentional malfeasance • Cyberwarfare (i.e., kinetic attacks) • Criminal activity (theft of data or IP, ransomware) • Fun (joyriding kids who learn hacking from the Internet) • Accidents • Rogue employees/ex-employees

  4. What Data is at Risk? • Customer information (i.e., account-related information) • Employee information • Vendor information • Intellectual Property • Other confidential information

  5. What Systems Are at Risk? • Customer-facing systems • HR systems • Third-party provided systems • Finance systems • Large-scale process control/industrial systems

  6. State of the Law • US • Federal Law • Existing Statutes (HIPAA, G-L-B, FTC Act) • Executive Order (February 9, 2016) establishing Commission on Enhancing National Cybersecurity within the Department of Commerce to “make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices …”

  7. State of the Law • US • State Law (mostly focuses on PII and breach notification) • State privacy laws and insurance laws • Contract law • Case law • Self-regulatory approaches (i.e., Payment Card Industry)

  8. State of the Law • Rest of the World • EU Model — Focuses on data transfer restrictions • Changing EU Model • Privacy Shield • New Data Protection Regulation (GDPR) • New cyber statute • Other rest-of-world concerns (i.e., how to integrate systems that need to communicate across jurisdictions)

  9. MINIMIZING RISK — BEST PRACTICES • Corporate Governance • Have regular discussions of data privacy, integrity, and security at board meetings, led by the GC, CIO, CTO, or other responsible party • If you don’t already, consider having a Chief Information Security Officer, whose only job is to address these sorts of issues and make sure the company is doing as much as it possibly can to avoid breaches • Consider delegating responsibility for these issues to a board committee as well • Periodically test the company’s systems and standards, pay attention to what the tests reveal, and document what’s done to fix any identified issues (or why they don’t need to be fixed). At least some of the testing should be done by outside entities that specialize in penetration testing • Establish a team, with counsel involved, to function as a response team to investigate and respond to any incursion or breach

  10. IT Security Policies and Procedures • Frameworks (NIST, COBOL, etc.) • Training and evaluation policies (including, when necessary, restricting access to employees who don’t do training or learn what’s taught) • Travel policies (i.e., restrictions on what devices can be taken to certain countries and how devices can be used when traveler returns) • Risk-Based and Technology-Based Approaches Compared

  11. Information Sharing • Government/Private Sector • February 2016 Executive Order establishing cybersecurity commission • InfraGard (www.infragard.org) • DHS • Private Sector/Private Sector • Industry-specific information sharing and analysis groups (i.e., FS-ISAC — www.fsisac.com)

  12. Playbook
  Create the Program • Create Governance Structure • Identify assets to be protected • Conduct risk assessment • Identify and select controls • Test and Implement controls • Use technology to enhance controls, where appropriate • Implement incident response program • Build Business Continuity/Disaster Recovery (BC/DR) Program • Integrate Physical Security • Create metrics to measure program effectiveness
  Train and Test • Training and awareness • Require contractors and vendors to implement adequate security • Periodically Test Incident Response and BC/DR • Periodically test controls • Periodically review the ESP and make necessary adjustments • Use Metrics to measure effectiveness
  Actively Monitor • Actively monitor and adapt security controls and practices • Use metrics to measure effectiveness

  13. Exercises • Testing your systems and training must be consistent and documented • Tabletop exercises • System and employee testing • Reporting and follow-up to address issues

  14. Contracts • Scrub your most important contracts • Do your agreements with your customers have strong and enforceable venue, choice of law, and limitation of liability provisions? • Do your agreements with your business counterparties contain the best indemnification and allocation of risks and responsibilities? Do they establish best practices as between you and your counterparties? • Do you audit your vendors and counterparties’ compliance with your contracts and best practices and document those audits? • For example, a breach at one of your vendors could enable a hacker to get information needed to attack your system, or even attack your systems through that vendor’s systems.

  15. Insurance • Consider discussing with your company’s insurance broker and counsel whether your existing insurance (including commercial crime policies) covers cyber risks — don’t assume a CGL policy covers cyber risks • Cyber-specific coverage is available — more than 50 underwriters in the US and London insure risks like these, and it’s important to have a broker who understands the markets and what is available • This type of insurance can be written to cover not only third-party liability claims, but also first-party losses (such as business interruption and extortion threats) as well as the often large (and unanticipated) crisis management fees and expenses • All else being equal, the more you follow best practices, the less cyber-specific insurance will cost

  16. Questions?
