Post on 23-Jan-2020


Pamela Passman, President and CEO

Allen Dixon, Intellectual Property Counsel

SCCE Workshop: Cyber Threats, Information Security and Compliance: Future Trends and Leading Practices in an Evolving Threat Environment

Pamela Passman, CEO and President

Craig Moss, COO

Center for Responsible Enterprise And Trade (CREATe.org)

CREATe.org - Proprietary and Confidential

Today we will cover:

How will the evolving digital environment impact compliance?

What leading practices will effectively mitigate top threats?

What is the best way to effectively engage a cross-functional team in managing evolving risks associated with cyber threats and the loss of confidential information?


Third Party Compliance: Challenges

• Complex, fragmented, evolving
• Limited visibility

Aston Martin forced to recall 17,590 cars due to faulty parts

Contractor used counterfeit DuPont plastic material to mold pedal arms

How did it happen? Who knew what… when?


Top perceived compliance-related risk in next five years

Data security

Privacy/confidentiality

Bribery/corruption

Third-party compliance

Top Supply Chain Risk Concerns

1 –

2 –

3 – Legal/regulatory issues

4 –

5 – Data security/IT incidents

6 –

7 –

8 – IPR breach/counterfeits

9 –

• Internet of Things, 3D printing, robotics
• Complex ecosystems
• Big data, predictive analytics

• Interconnected stakeholders
• 24/7 social media, news
• Increased regulation, standards


• Platform business models
• Product/service localization
• Partnerships to create value

• Builds awareness
• Communicates expectations
• Builds on management systems


Security & Confidentiality Management

Management System Categories

“The Framework creates a common language for the discussion of cybersecurity issues that can facilitate internal and external collaboration.”

“Organizations that adopt the Framework at the highest possible risk-tolerance level may be better positioned to comply with future cybersecurity and privacy regulations.”

• Turning risks into advantages
• Beyond compliance
• Strategic decisions


Trade Secrets & Loss of Information


• Numerous examples of key trade secrets being stolen

2 employees worked with Korean company to take Kevlar secrets

Alleged N. Korean government hack taking unfinished movie scripts and unreleased films, plus other confidential data

1% - 3% of GDP: Estimates of losses due to trade secret theft in US and other advanced countries

CREATe/PwC Economic Impact of Trade Secret Theft

• Government support for protection of private sector’s economically valuable confidential information

• Prerequisite for protection: “reasonable steps/efforts” to keep the material secret

There is no legal protection for the material, and no redress for theft of the material, if such “reasonable steps” are not taken

New & Expanded Regulation

• Federal legal actions now allowed under Defend Trade Secrets Act

• Increased prosecutions under Economic Espionage Act

• Import bans by International Trade Commission for unfair trade practices

• New international trade-secret legislation, e.g., 2016 EU-wide Trade Secrets Directive

What are you protecting, and protecting against?
• “We protect everything” is not a sufficiently detailed objective
• Focused ERM is vital

People, Process and Technology

Effective trade secret protection:

Security & Confidentiality Management


Scenario 1: Protection of Trade Secrets and Confidential Information

Conduct a “team meeting” to plan ahead to better protect trade secrets and confidential information.

Assign roles: CEO, and executives from BAD’s IT, security, R&D, HR, supplier, product team, finance, and/or legal/compliance departments

Discuss this question and get input from all functional areas

• Turn back the clock by six months. How can you avoid the incident or minimize the impact of this and future loss of trade secrets?

• List the top three to five realistic actions that could be taken
1) ___________________________
2) ___________________________
3) ___________________________

Focus on the people, processes and technology already in place, not just capital expenditures. The CREATe management-system categories can be a source of ideas.


Cybersecurity Environment


• Employees remain the top source of compromise
− Current employees: 34%
− Former employees: 29%

• Incidents among business partners climbed to 22% (from 18%)

• Other sources of security incidents: hackers, organized crime, competitors, nation states

Global Cyber Threats

At-A-Glance (2015)

Companies with cyber incidents in the past year: 79%

Increase in cyber incidents: 38%

Companies with > $10M in losses from cyber incidents: 10%

PwC 2016 State of Information Security Survey

• Government objectives - to protect:
− Personal, health, financial data
− National security
− Critical infrastructure
− Financial markets
− Business competitiveness

• Risks for business:
− Increased compliance costs
− Increased reporting and transparency
− Legal liability and costs
− Loss of competitive edge, business, reputation

New and Expanded Regulation

• Cybersecurity requirements in financial, health, other sectors

• Government procurement

• Tighter contract requirements

• Securities regulation and enforcement

• Unfair-trade law requirements

• Shareholder and customer lawsuits

• Identify security objectives
• Assess type, likelihood, and seriousness of risks
• Manage identified risks
• Measure and improve

People, Process and Technology

• Policies/procedures, records, contracts

• Cross-functional team
• Risk assessment
• Third party management
• Training, capacity building
• Physical security
• Monitoring, measurement
• Corrective actions, improvement

What are you protecting, and protecting against?

Not just an IT problem


Scenario 2: Cybersecurity

Assemble a cross-functional team: CEO, and executives from BAD’s IT, security, PR, HR, supplier, product team, finance, and/or legal/compliance departments

What are the top five actions that your cross-functional team would set in motion to respond quickly to this incident and to Big Car?

1) ___________________________
2) ___________________________
3) ___________________________
4) ___________________________
5) ___________________________

Focus on the people, processes and technology already in place, not just capital expenditures. The CREATe management-system categories can be a source of ideas.


Thank You!

Pamela Passman, [email protected]

Craig Moss, [email protected]

Center for Responsible Enterprise And Trade (CREATe.org)
