table of contents introductions — the cyberthreat in the …€¦ · internet security alliance...
TRANSCRIPT
■ viii
TABLE OF CONTENTSiii INTRODUCTION
New York Stock Exchange — Tom Farley, President
v FOREWORDVisa Inc. — Charles W. Scharf, CEO
Introductions — The cyberthreat in the digital age3 1. PREVENTION: CAN IT BE DONE?
Palo Alto Networks Inc. — Mark McLaughlin, CEO
9 2. THE THREE Ts OF THE CYBER ECONOMYThe Chertoff Group — Michael Chertoff, Executive Chairman and Former United States Secretary of Homeland Security and Jim Pfl aging, Principal
17 3. CYBER GOVERNANCE BEST PRACTICESGeorgia Institute of Technology, Institute for Information Security & Privacy — Jody R. Westby, Esq., Adjunct Professor
27 4. INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDSInstitutional Shareholder Services Inc. — Patrick McGurn, ISS Special Counsel and Martha Carter, ISS Global Head of Research
33 5. TOWARD CYBER RISKS MEASUREMENTWorld Economic Forum — Elena Kvochko, co-author of Towards the Quantifi cation of Cyber Threats report and Danil Kerimi, Director, Center for Global Industries
37 6. THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING ITInternet Security Alliance — Larry Clinton, CEO
43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACHFormer CIO of The United States Department of Energy — Robert F. Brese
I. Cyber risk and the board of directors51 8. THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER
OBLIGATIONSOrrick, Herrington & Sutcliffe LLP — Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner
TABLE OF CONTENTS
ix ■
TABLE OF CONTENTS
57 9. WHERE CYBERSECURITY MEETS CORPORATE SECURITIES: THE SEC’S PUSH TO REGULATE PUBLIC COMPANIES’ CYBER DEFENSES AND DISCLOSURESFish & Richardson P.C. — Gus P. Coldebella, Principal and Caroline K. Simons, Associate
65 10. A CYBERSECURITY ACTION PLAN FOR CORPORATE BOARDSInternet Security Alliance and National Association of Corporate Directors — Larry Clinton, CEO of ISA and Ken Daly, President and CEO of NACD
71 11. ESTABLISHING A BOARD-LEVEL CYBERSECURITY REVIEW BLUEPRINTStroz Friedberg LLC — Erin Nealy Cox, Executive Managing Director
79 12. DEMYSTIFYING CYBERSECURITY STRATEGY AND REPORTING: HOW BOARDS CAN TEST ASSUMPTIONSDell SecureWorks — Mike Cote, CEO
II. Cyber risk corporate structure87 13. THE CEO’S GUIDE TO DRIVING BETTER SECURITY BY ASKING THE RIGHT
QUESTIONSPalo Alto Networks Inc. — Davis Hake, Director of Cybersecurity Strategy
91 14. ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE AN EFFECTIVE PROGRAMCoalfi re — Larry Jones, CEO and Rick Dakin, CEO (2001-2015)
III. Cybersecurity legal and regulatory considerations
101 15. SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY AND BIG DATABooz Allen Hamilton — Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate, Agatha O'Malley, Senior Associate, Jaqueline Cooney, Lead Associate and Waiching Wong, Associate
107 16. OVERSIGHT OF COMPLIANCE AND CONTROL RESPONSIBILITIESData Risk Solutions: BuckleySandler LLP & Treliant Risk Advisors LLC — Elizabeth McGinn, Partner; Rena Mears, Managing Director; Stephen Ruckman, Senior Associate; Tihomir Yankov, Associate; and Daniel Goldstein, Senior Director
■ x
TABLE OF CONTENTS
115 17. RISKS OF DISPUTES AND REGULATORY INVESTIGATIONS RELATED TO CYBERSECURITY MATTERSBaker & McKenzie — David Lashway, Partner; John Woods, Partner; Nadia Banno, Counsel, Dispute Resolution; and Brandon H. Graves, Associate
121 18. LEGAL CONSIDERATIONS FOR CYBERSECURITY INSURANCEK&L Gates LLP — Roberta D. Anderson, Partner
129 19. CONSUMER PROTECTION: WHAT IS IT?Wilson Elser Moskowitz Edelman & Dicker LLP — Melissa Ventrone, Partner and Lindsay Nickle, Partner
137 20. PROTECTING TRADE SECRETS IN THE AGE OF CYBERESPIONAGEFish & Richardson P.C. — Gus P. Coldebella, Principal
143 21. CYBERSECURITY DUE DILIGENCE IN M&A TRANSACTIONS: TIPS FOR CONDUCTING A ROBUST AND MEANINGFUL PROCESSLatham & Watkins LLP — Jennifer Archie, Partner
151 22. INTERNATIONAL INFLECTION POINT—COMPANIES, GOVERNMENTS, AND RULES OF THE ROADKaye Scholer LLP — Adam Golodner, Partner
157 23. MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACTPillsbury Winthrop Shaw Pittman LLP — Brian Finch, Partner
163 24. COMBATING THE INSIDER THREAT: REDUCING SECURITY RISKS FROM MALICIOUS AND NEGLIGENT EMPLOYEESLittler Mendelson P.C. — Philip L. Gordon, Esq., Co-Chair, Privacy and Background Checks Practice Group
IV: Comprehensive approach to cybersecurity
171 25. DEVELOPING A CYBERSECURITY STRATEGY: THRIVE IN AN EVOLVING THREAT ENVIRONMENTBooz Allen Hamilton — Bill Stewart, Executive Vice President; Sedar LaBarre, Vice President; Matt Doan, Senior Associate; and Denis Cosgrove, Senior Associate
177 26. DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH WITH DIVERSE CAPABILITIESBooz Allen Hamilton — Bill Stewart, Executive Vice President; Jason Escaravage, Vice President; and Christian Paredes, Associate
xi ■
V. Design best practices187 27. WHAT ARE THEY AFTER? A THREAT-BASED APPROACH TO CYBERSECURITY
RISK MANAGEMENTIntercontinental Exchange & New York Stock Exchange — Jerry Perullo, CISO
193 28. BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTIONPalo Alto Networks Inc.
VI. Cybersecurity beyond your network207 29. SUPPLY CHAIN AS AN ATTACK CHAIN
Booz Allen Hamilton — Bill Stewart, Executive Vice President; Tony Gaidhane, Senior Associate; and Laura Eise, Lead Associate
213 30. MANAGING RISK ASSOCIATED WITH THIRD-PARTY OUTSOURCINGCovington & Burling LLP — David N. Fagan, Partner; Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H. Canter, Associate; and Patrick Redmon, Summer Associate
219 31. A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDERDelta Risk LLC — Thomas Fuhrman, President
229 32. THE INTERNET OF THINGSThe Chertoff Group — Mark Weatherford, Principal
VII. Incident response237 33. WORKING WITH LAW ENFORCEMENT IN CYBER INVESTIGATIONS
U.S. Department of Justice — CCIPS Cybersecurity Unit
243 34. PLANNING, PREPARATION, AND TESTING FOR AN ENTERPRISE-WIDE INCIDENT RESPONSEBooz Allen Hamilton — Jason Escaravage, Vice President;Anthony Harris, Senior Associate; James Perry, Senior Associate; and Katie Stefanich, Lead Associate
249 35. DETECTION, ANALYSIS, AND UNDERSTANDING OF THREAT VECTORSFidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist
255 36. FORENSIC REMEDIATIONFidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist and Ryan Vela, Regional Director, Northeastern North America Cybersecurity Services
TABLE OF CONTENTS
■ xii
TABLE OF CONTENTS
261 37. LESSONS LEARNED—CONTAINMENT AND ERADICATIONRackspace Inc. — Brian Kelly, Chief Security Offi cer
267 38. CYBER INCIDENT RESPONSEBakerHostetler — Theodore J. Kobus, Partner and Co-Leader, Privacy and Data Protection; Craig A. Hoffman, Partner; and F. Paul Pittman, Associate
275 39. COMMUNICATING AFTER A CYBER INCIDENTSard Verbinnen & Co — Scott Lindlaw, Principal
VIII. Cyber risk management investment decisions
283 40. OPTIMIZING INVESTMENT TO MINIMIZE CYBER EXPOSUREAxio Global, LLC — Scott Kannry, CEO and David White, Chief Knowledge Offi cer
289 41. INVESTMENT IN CYBER INSURANCELockton Companies Inc. — Ben Beeson, Senior Vice President, Cybersecurity Practice
IX. Cyber risk and workforce development297 42. CYBER EDUCATION: A JOB NEVER FINISHED
NYSE Governance Services — Adam Sodowick, President
301 43. COLLABORATION AND COMMUNICATION BETWEEN TECHNICAL AND NONTECHNICAL STAFF, BUSINESS LINES AND EXECUTIVESWells Fargo & Company — Rich Baich, CISO
307 44. CYBERSECURITY READINESS THROUGH WORKFORCE DEVELOPMENTBooz Allen Hamilton — Lori Zukin, Principal; Jamie Lopez, Senior Associate; Erin Weiss Kaya, Lead Associate; and Andrew Smallwood, Lead Associate
313 45. BUILDING A CYBER-SAVVY BOARDKorn Ferry — Jamey Cummings, Senior Client Partner; Joe Griesedieck, Vice Chairman and Co-Leader, Board and CEO Services; and Aileen Alexander, Senior Client Partner
319 46. EVALUATING AND ATTRACTING YOUR NEXT CISO: MORE SOPHISTICATED APPROACHES FOR A MORE SOPHISTICATED ROLEEgon Zehnder — Kal Bittianda, Selena Loh LaCroix, and Chris Patrick
325 CONTRIBUTOR PROFILES