TRANSCRIPT
Cybersecurity and Supply Chain Risk Management
If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.
US participants: 800 732 8470
Outside the US: +1 212 231 2900
The audio portion is available via conference call. It is not broadcast through your computer.
*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
Tuesday, May 12, 2015 | 1:00 p.m. EDT
WELCOME TO OUR WEBINAR
Speakers
Vinny Sanchez, Partner and Co-Chair, Cybersecurity practice, DLA Piper
Ryan Sulkin, Associate, Cybersecurity practice, DLA Piper
Agenda
Setting the Stage
Key Considerations for an Effective Risk Management Program Governing Cyber-Risks in the Supply Chain
Pre-Contract Selection and Due Diligence
Contract Process: Risk Mitigation and Allocation
Post-Contracting Vendor Management and Assessments
Next Steps
Setting the Stage
Setting the Stage: Corporate Asset Values at Risk
Significant shift in corporate asset value from the physical to the virtual
Rapid digitization of corporate assets
Tremendous benefits in digitizing our everyday lives
BUT
Tremendous risks exist
Trillions of dollars move through the financial system each day
Estimates of between $9 and $21 trillion of global economic value creation at risk in next 5-7 years
Setting the Stage: Impact on Corporate Asset Value
Loss of consumer confidence (which means real dollars)
Loss of reputation
Loss of IP
Loss of data
Manipulation of data and detrimental reliance
Disruption to infrastructure (traffic patterns, trading, energy consumption, etc.)
Disruption to daily life (connected car, automated home, health/death, etc.)
Shareholder derivative actions
Director liability
Fines, penalties and possibly even jail
Setting the Stage: Top 10 Concerns for Directors and General Counsel

Directors                          General Counsel
Data security               48%    Data security                       55%
Operational risk            40%    Operational risk                    47%
Company reputation          40%    Management of outside legal fees    38%
M&A transactions            37%    Company reputation                  35%
Investor relations          30%    Disaster recovery                   35%
Executive compensation      30%    E-discovery                         33%
SEC/regulatory compliance   28%    FCPA                                30%
Disaster recovery           27%    Global business expansion           29%
Internal controls           26%    Internal controls                   26%
Global business expansion   26%    Executive compensation              26%

Source: FTI Consulting
Setting the Stage: Cyber-incidents
In 2014, hacking incidents represented the leading cause of data breach incidents, accounting for 29.0 percent of the breaches tracked by the ITRC.
This was followed for the second year in a row by breaches involving Subcontractor/Third Party at 15.1 percent.
Complexity and sophistication of hackers is increasing dramatically
And it is not always who/what you would suspect:
Refrigeration, heating and air conditioning subcontractor
Background check provider
Customer/Employee mailings
Cleaning service
Theft/sabotage by an individual
Setting the Stage: The Supply Chain
Competition increasing for cost-effective resources (including brainpower)
Long, international supply chains may be an unavoidable necessity
Increasing majority of cyberattacks are against smaller organizations with more limited resources
These smaller organizations are a pathway to larger targets
Setting the Stage: Remember This!!!
Cybersecurity is about more than PII
Cybersecurity also involves:
Business confidential information (trade secrets, third party information, etc.)
Intellectual Property
Mission critical systems
Infrastructure
Transportation
Your ability to operate your business (i.e., business continuity)
Key Considerations for an Effective Risk Management Program Governing Cyber-Risks in the Supply Chain
Key Considerations: What to do?
Objectives:
Establish a risk management program focused on cyber-risks in the supply chain.
Leverage supply chain as a “value-add” for purposes of cybersecurity.
Mitigate inherent risk of third parties through a mixture of contract, technical design and “know your vendor” diligence and management techniques.
Key Considerations: What to do?
The “How:”
Focus on Methods and Solutions: Adopt a thoughtful approach to risk taking consistent with your company’s values, business needs and appetite for risk.
Supply chain as a portfolio
Gatekeeping requirements
Pre-contract approvals
Contract signing approvals
Post-contract signing checkpoints
Robust internal governance structures and recordkeeping throughout
Key Considerations: Who is in the Supply Chain?
Evaluate your supply chain with sufficient breadth:
Third parties that provide technical services to you (e.g., hosting, support, managed services) (“Technical Service Providers”)
Third parties that provide non-technical services (e.g., AC company) but have access to environments/systems or can create vulnerabilities (“Non-Technical Service Providers”)
Third parties to which you outsource security responsibilities (“Security Service Providers”)
Key Considerations: An Integrated View
[Diagram: subs of subs]
Understand what’s at stake
Assign and manage appropriate risk
Compare risk absorbed vs. risk shifted
Accept and manage appropriate risk
Key Considerations: Potential Liability
Examples for potential claims resulting from a poorly managed supply chain:
Failure to identify risk in advance of selection (i.e., negligent hiring)
Failure to mitigate the risk
Failure to proactively manage
Failure to properly insure
FTC and State Actions
Deceptive and Unfair Practices – Far Reaching
Breach of Contract Claims
Tort Claims (duty per state statute; fraud; neg. misrepresentation, unfair practices, etc.)
Lone Star vs Heartland (5th Circuit)
Shareholder Derivative Suits
Violation of Fed/State Licenses/Certifications
Key Considerations: BCP
[Diagram: Cyber-security (controls, certs, audits, design, ability to operate), Business Continuity and Disaster Recovery]
Pre-Contract Selection and Due Diligence
Pre-Contract Selection and Due Diligence: Common Considerations
Varying levels of access/responsibility
Relationship typically governed by contract, although not necessarily “approved” form
May be frequent turnover
Often reliance on reputational trust or lack of prior incidents
Often overlapping responsibilities with internal functions and/or other suppliers
Varying levels of insight into day-to-day responsibilities
Varying levels of creditworthiness
Varying levels of ability to “cause harm”
Varying levels of contractual responsibility should harm occur
Varying pass-through requirements from third parties
Pre-Contract Selection and Due Diligence: Objectives
Objectives:
Evaluate and understand sufficiency of cyber-security protections and material, unresolved risks
Ask the hard questions (e.g., creditworthiness, prior breaches)
Assign appropriate risk ranking
Understand how it works; understand what you are not buying
Understand your responsibilities vs. the service provider’s
Where possible, seek to move beyond the standard report
Where possible, leverage independent evaluations of the solution
Differentiate between promises made in due diligence and contract promises
Establish consistent standards for suppliers, categorized by the sensitivity or mission criticality of the function/system/data at issue
Obtain adequate buy-in from key internal stakeholders
Contract Process: Risk Mitigation and Allocation
Key Contract Provisions: Risk Mitigation
Ensure “relied upon” due diligence promises are reflected in the signed agreement; Know your “must haves”
Risk Mitigation clauses:
Security/Privacy commitments
Compliance with policies
Cross-border data transfers
Clear delineations of your responsibilities and the service provider’s
Audit/Testing/Records/Certifications/Issue Remediation
Notice of data breach/suspected data breach
Incident response and investigation protocols
Information/evidence preservation
Key Contract Provisions: Risk Allocation
[Diagram: Business Process (Internal Operation) with People, Assets, Costs and Risk, compared against Business Process (Supply Chain Provider) with People, Assets, Reduced Costs, Reduced Risk? and Incremental Risk?]
Key Contract Provisions: Risk Allocation
Usual suspects
Reps/Warranties
Indemnification
Appropriate Limitations on Liability
Insurance
Pass through requirements from third parties
Standards of Liability
Strict
Gross
Negligence/Breach of Contract
Foreseeable downstream risk???
What does the Future Hold?
Service Integration and Management Models (“SIAM”)
Multi-party governance frameworks
Collaboration principles
Information-sharing
Dependencies
Cross-liability mitigation and allocation strategies
Dispute resolution mechanisms
Contractual Structure – "Full fat" SIAM
[Diagram: Customer; SIAM; Outsourced Service Desk (Supplier A); Supplier B; Supplier C, etc.; In-house Service Desk?; Tech Ops and Other (customer self-provide)]
Services Agreements
• Multiple, bilateral, binding agreements between the customer and each external supplier
• Requires supplier to deliver services in accordance with customer requirements
• Requires suppliers to comply with Overarching Governance Framework, Common Processes, Dependencies Register and any OLAs
Collaboration Agreement
• Single, multi-party, binding agreement between the customer and each external supplier
• As a minimum, requires suppliers to collaborate
OLAs: [Multiple, bilateral] non-binding operational arrangements between relevant suppliers and customer for self-provide services
Overarching Governance Framework
Common Processes (change management, incident/project management, etc)
Dependencies Register (determines if suppliers entitled to ‘relief’ under SA where default caused by another supplier)
E2E ‘Bible’: Single document maintained by SIAM which provides E2E service picture
Post-Contracting Vendor Management and Assessments
Post-Contracting Vendor Management and Assessments: Objectives
Objectives:
Leverage audit rights (paper vs. eyes/independent testing)
Request and review required reports and certifications
Ensure adequate review of changes
Monitor changes in service/deliverable requirements that may drive additional or different cyber-security needs
Amend contract documents as necessary
Adjust risk rankings as necessary
Monitor creditworthiness and incident frequencies
Consider overall allocation of risk in light of evolving circumstances
Ensure appropriate responsiveness to evolving threat landscape
Post-Contracting Vendor Management and Assessments: Solution-Focused
Proper alignment between “negotiated for” solution and actually implemented solution
Consider technical design changes to mitigate risk/contract deficiencies
Appropriate approvals for any material changes to the previously approved security plan
Proper testing/audit before each go-live
Vetted change control processes/procedures
Confirm risk ranking and adequacy of current contract documentation
No surprises
Frequent, scheduled reviews going forward
Next Steps
Next Steps: Getting Started Today
Gaining Momentum is Key:
Map your suppliers – what’s where, and with whom
Classify assets you need to protect by level of sensitivity
(e.g. trade secrets, intellectual property, credentials, information subject to contractual obligations, information that would trigger data breach notice obligation)
Address deficiencies in a prioritized approach based on risk assessment
Review existing contracts for sufficiency
Amend existing contracts when/if possible
Correct design flaws
Going forward, strategically allocate riskiest assets in a manner that best leverages strongest suppliers, contracts and technical designs
Establish “must haves” and risk tolerance thresholds
Establish cross-organizational governance team
Establish role of Board and Executive management
CYBERTRAK (SM)
DELIVERING CRITICAL GLOBAL INFORMATION AT A KEYSTROKE