Pamela Passman, President and CEO
Allen Dixon, Intellectual Property Counsel
SCCE Workshop: Cyber Threats, Information Security and Compliance: Future Trends and Leading Practices in an Evolving Threat Environment
Pamela Passman, CEO and President
Craig Moss, COO
Center for Responsible Enterprise And Trade (CREATe.org)
CREATe.org - Proprietary and Confidential
Today we will cover:
How will the evolving digital environment impact compliance?
What leading practices will effectively mitigate top threats?
What is the best way to effectively engage a cross-functional team in managing evolving risks associated with cyber threats and the loss of confidential information?
Third Party Compliance: Challenges
• Complex, fragmented, evolving
• Limited visibility
Aston Martin forced to recall 17,590 cars due to faulty parts
Contractor used counterfeit DuPont plastic material to mold pedal arms
How did it happen? Who knew what… when?
Top perceived compliance-related risk in next five years
Data security
Privacy/confidentiality
Bribery/corruption
Third-party compliance
Top Supply Chain Risk Concerns
1 –
2 –
3 – Legal/regulatory issues
4 –
5 – Data security/IT incidents
6 –
7 –
8 – IPR breach/counterfeits
9 –
• Internet of Things, 3D printing, robotics
• Complex ecosystems
• Big data, predictive analytics
• Interconnected stakeholders
• 24/7 social media, news
• Increased regulation, standards
• Platform business models
• Product/service localization
• Partnerships to create value
• Builds awareness
• Communicates expectations
• Builds on management systems
Security & Confidentiality Management
Management System Categories
“The Framework creates a common language for the discussion of cybersecurity issues that can facilitate internal and external collaboration.”
“Organizations that adopt the Framework at the highest possible risk-tolerance level may be better positioned to comply with future cybersecurity and privacy regulations.”
• Turning risks into advantages
• Beyond compliance
• Strategic decisions
• Numerous examples of key trade secrets being stolen
2 employees worked with Korean company to take Kevlar secrets
Alleged N. Korean government hack taking unfinished movie scripts and unreleased films, plus other confidential data
1% - 3% of GDP
Estimates of losses due to trade secret theft in US and other advanced countries
CREATe/PwC Economic Impact of Trade Secret Theft
• Government support for protection of private sector’s economically valuable confidential information
• Prerequisite for protection: “reasonable steps/efforts” to keep the material secret
There is no legal protection for the material, and no redress for theft of the material, if such “reasonable steps” are not taken
New & Expanded Regulation
• Federal legal actions now allowed under Defend Trade Secrets Act
• Increased prosecutions under Economic Espionage Act
• Import bans by International Trade Commission for unfair trade practices
• New international trade-secret legislation, e.g., 2016 EU-wide Trade Secrets Directive
What are you protecting, and protecting against?
• “We protect everything” is not a sufficiently detailed objective
• Focused ERM is vital
People, Process and Technology
Effective trade secret protection:
Security & Confidentiality Management
Scenario 1: Protection of Trade Secrets and Confidential Information
Conduct a “team meeting” to plan ahead to better protect trade secrets and confidential information.
Assign roles: CEO, and executives from BAD’s IT, security, R&D, HR, supplier, product team, finance, and/or legal/compliance departments
Discuss this question and get input from all functional areas
• Turn back the clock by six months. How can you avoid the incident or minimize the impact of this and future loss of trade secrets?
• List the top three to five realistic actions that could be taken
1) ___________________________
2) ___________________________
3) ___________________________
Focus on the people, processes and technology already in place, not just capital expenditures. The CREATe management-system categories can be a source of ideas.
Cybersecurity Environment
• Employees remain the top source of compromise
− Current employees: 34%
− Former employees: 29%
• Incidents among business partners climbed to 22% (from 18%)
• Other sources of security incidents: hackers, organized crime, competitors, nation states
Global Cyber Threats
At-A-Glance (2015)
Companies with cyber incidents in the past year: 79%
Increase in cyber incidents: 38%
Companies with > $10M in losses from cyber incidents: 10%
PwC 2016 State of Information Security Survey
• Government objectives - to protect:
− Personal, health, financial data
− National security
− Critical infrastructure
− Financial markets
− Business competitiveness
• Risks for business:
− Increased compliance costs
− Increased reporting and transparency
− Legal liability and costs
− Loss of competitive edge, business, reputation
New and Expanded Regulation
• Cybersecurity requirements in financial, health, other sectors
• Government procurement
• Tighter contract requirements
• Securities regulation and enforcement
• Unfair-trade law requirements
• Shareholder and customer lawsuits
• Identify security objectives
• Assess type, likelihood, and seriousness of risks
• Manage identified risks
• Measure and improve
People, Process and Technology
• Policies/procedures, records, contracts
• Cross-functional team
• Risk assessment
• Third party management
• Training, capacity building
• Physical security
• Monitoring, measurement
• Corrective actions, improvement
What are you protecting, and protecting against?
Not just an IT problem
Scenario 2: Cybersecurity
Assemble a cross-functional team: CEO, and executives from BAD’s IT, security, PR, HR, supplier, product team, finance, and/or legal/compliance departments
What are the top five actions that your cross-functional team would set in motion to respond quickly to this incident and to Big Car?
1) ___________________________
2) ___________________________
3) ___________________________
4) ___________________________
5) ___________________________
Focus on the people, processes and technology already in place, not just capital expenditures. The CREATe management-system categories can be a source of ideas.
Thank You!
Pamela Passman, [email protected]
Craig Moss, [email protected]