Prevention, Crisis Management, and Mitigating Personal Liability

Thursday, January 31, 2019
8:00 a.m. – 8:30 a.m. Breakfast & Registration
8:30 a.m. – 10:30 a.m. Program

Seyfarth Shaw LLP New York Office
The New York Times Building
620 Eighth Avenue
New York, NY 10018

Seyfarth Attorneys:

Kevin Lesinski
Richard Lutkus
Gregory Markel
William Prickett

There is no cost to attend but registration is required and seating is limited.

This program will provide Boards, C-Suites and General Counsels with best practice strategies for avoiding unauthorized breaches of electronic data; managing them if they occur; and addressing personal liability risks for Boards and executives. The Distinguished Speakers are experienced cyber security experts from Seyfarth Shaw, KPMG, law enforcement, and current directors.

Best Practices for Avoiding and Managing Threats

Cybersecurity experts and industry professionals will share their views on these questions:

  • What are your top lessons learned from investigating cyber breach incidents?
  • What are the most important considerations when developing an overall incident response plan?

Potential Liability Risk for the Board

Securities litigators will emphasize the importance of having a clear plan and robust escalation processes to respond quickly and effectively when an incident occurs. Critical issues to be discussed include:

  • Fiduciary duties and director liability
  • Cyber risk landscape and regulatory environment
  • Role of information governance in minimizing damages from cyberattacks
  • Cyber risk assessment and implementation of defensive technology
  • Insurance coverage and other risk mitigation strategies

Two hours of New York CLE credits are approved.

If you have any questions, please contact Morgan Coury at mcoury@seyfarth.com and reference this event.

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its draft of a voluntary cybersecurity framework last Tuesday that provides a means to better evaluate cyber risk and prepare better defenses against ever-increasing online attacks.

NIST’s “Preliminary Cybersecurity Framework”, to be finalized in February 2014 after a period for public comment, originated with Executive Order 13636 from President Barack Obama, which identified cyber threats to critical infrastructure as “one of the most serious national security challenges”. The Executive Order specified that NIST should produce a framework document. The new framework sets out specific steps and best practices for organizations of all sizes so they can better protect the country’s critical infrastructure.

However, protecting the country’s critical infrastructure isn’t the only use of this Framework. With the pervasiveness of cyber-threats to a company’s information assets, officers and directors of companies who rely heavily on those assets have a duty to protect them. The challenge is that while the security knowledge domain is fairly mature and robust, that knowledge domain is normally not in the Board or C-Suite. Consequently, it is difficult for business leaders and management to effectively understand what risks they face and how they might be able to mitigate them.

The government’s document sets out a risk-based approach to understanding and mitigating cyber-threats. It starts by outlining five basic functions for security strategies: identify, protect, detect, respond, and recover. This serves as a model that companies can tailor to their own, more specific cybersecurity response strategies. The framework sets out standards and best practices at a high level, but it remains up to companies and their cybersecurity teams to create their own risk profiles and determine the gravest threats they face.

The framework is a good start. In structure, it resembles other business-oriented risk matrices. The framework is broken into a “Core” (the desired outcomes of any strategy), a “Profile” (a means to describe the current state of the strategy and the desired target state – thus allowing for an easy gap analysis), and “Tiers” (a description of the maturity level of the strategy). These three components of the framework give a common language for non-security business leaders to discuss and address cybersecurity.

The framework does have some limitations. Currently, the content that comes bundled in the framework doesn’t fully explore the heavily interconnected nature of modern business and technology delivery models. Traditionally, business or technology delivery was “point-to-point” (e.g. you bought a computer from, or received a service from, *a* company; you knew who you were dealing with at any given point in a transaction). Now, most businesses have a multi-layered delivery model – even for hard goods like phones and network gear.

Consequently, supply-chain management is much more of a risk vector than it has been in the past. Any security framework will need to recognize this ecosystem and provide techniques to deal with it. At present, additional content will need to be added to the Framework to take into account the non-linear and multi-layer delivery models of a public or hybrid cloud service provider.

Regardless, the Framework gives a good starting point for a “management-friendly” tool to attack the risks inherent in the information age. Historically, an “ideology of plausible deniability” seemed to be the norm in board rooms. This is no longer the case. The minimum standards of care established by the government’s plan help show that information security is a risk that needs to be managed just like financial reporting. At the end of the day, this may lead to an increase in class actions against companies over their real or perceived cybersecurity shortcomings. It is not merely an issue left to the folks in IT – it is now a Board responsibility, and this Framework does provide a good starting point for the Board to take up that responsibility.