table of contents introductions — the cyberthreat in the …€¦ · internet security alliance...

5
viii TABLE OF CONTENTS iii INTRODUCTION New York Stock Exchange — Tom Farley, President v FOREWORD Visa Inc. — Charles W. Scharf, CEO Introductions — The cyberthreat in the digital age 3 1. PREVENTION: CAN IT BE DONE? Palo Alto Networks Inc. — Mark McLaughlin, CEO 9 2. THE THREE Ts OF THE CYBER ECONOMY The Chertoff Group — Michael Chertoff, Executive Chairman and Former United States Secretary of Homeland Security and Jim Pflaging, Principal 17 3. CYBER GOVERNANCE BEST PRACTICES Georgia Institute of Technology, Institute for Information Security & Privacy — Jody R. Westby, Esq., Adjunct Professor 27 4. INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS Institutional Shareholder Services Inc. — Patrick McGurn, ISS Special Counsel and Martha Carter, ISS Global Head of Research 33 5. TOWARD CYBER RISKS MEASUREMENT World Economic Forum — Elena Kvochko, co-author of Towards the Quantification of Cyber Threats report and Danil Kerimi, Director, Center for Global Industries 37 6. THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT Internet Security Alliance — Larry Clinton, CEO 43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH Former CIO of The United States Department of Energy — Robert F. Brese I. Cyber risk and the board of directors 51 8. THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER OBLIGATIONS Orrick, Herrington & Sutcliffe LLP — Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner TABLE OF CONTENTS

Upload: others

Post on 11-Jun-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: TABLE OF CONTENTS Introductions — The cyberthreat in the …€¦ · Internet Security Alliance — Larry Clinton, CEO 43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH

■ viii

TABLE OF CONTENTSiii INTRODUCTION

New York Stock Exchange — Tom Farley, President

v FOREWORDVisa Inc. — Charles W. Scharf, CEO

Introductions — The cyberthreat in the digital age3 1. PREVENTION: CAN IT BE DONE?

Palo Alto Networks Inc. — Mark McLaughlin, CEO

9 2. THE THREE Ts OF THE CYBER ECONOMYThe Chertoff Group — Michael Chertoff, Executive Chairman and Former United States Secretary of Homeland Security and Jim Pfl aging, Principal

17 3. CYBER GOVERNANCE BEST PRACTICESGeorgia Institute of Technology, Institute for Information Security & Privacy — Jody R. Westby, Esq., Adjunct Professor

27 4. INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDSInstitutional Shareholder Services Inc. — Patrick McGurn, ISS Special Counsel and Martha Carter, ISS Global Head of Research

33 5. TOWARD CYBER RISKS MEASUREMENTWorld Economic Forum — Elena Kvochko, co-author of Towards the Quantifi cation of Cyber Threats report and Danil Kerimi, Director, Center for Global Industries

37 6. THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING ITInternet Security Alliance — Larry Clinton, CEO

43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACHFormer CIO of The United States Department of Energy — Robert F. Brese

I. Cyber risk and the board of directors51 8. THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER

OBLIGATIONSOrrick, Herrington & Sutcliffe LLP — Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner

TABLE OF CONTENTS

Page 2: TABLE OF CONTENTS Introductions — The cyberthreat in the …€¦ · Internet Security Alliance — Larry Clinton, CEO 43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH

ix ■

TABLE OF CONTENTS

57 9. WHERE CYBERSECURITY MEETS CORPORATE SECURITIES: THE SEC’S PUSH TO REGULATE PUBLIC COMPANIES’ CYBER DEFENSES AND DISCLOSURESFish & Richardson P.C. — Gus P. Coldebella, Principal and Caroline K. Simons, Associate

65 10. A CYBERSECURITY ACTION PLAN FOR CORPORATE BOARDSInternet Security Alliance and National Association of Corporate Directors — Larry Clinton, CEO of ISA and Ken Daly, President and CEO of NACD

71 11. ESTABLISHING A BOARD-LEVEL CYBERSECURITY REVIEW BLUEPRINTStroz Friedberg LLC — Erin Nealy Cox, Executive Managing Director

79 12. DEMYSTIFYING CYBERSECURITY STRATEGY AND REPORTING: HOW BOARDS CAN TEST ASSUMPTIONSDell SecureWorks — Mike Cote, CEO

II. Cyber risk corporate structure87 13. THE CEO’S GUIDE TO DRIVING BETTER SECURITY BY ASKING THE RIGHT

QUESTIONSPalo Alto Networks Inc. — Davis Hake, Director of Cybersecurity Strategy

91 14. ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE AN EFFECTIVE PROGRAMCoalfi re — Larry Jones, CEO and Rick Dakin, CEO (2001-2015)

III. Cybersecurity legal and regulatory considerations

101 15. SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY AND BIG DATABooz Allen Hamilton — Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate, Agatha O'Malley, Senior Associate, Jaqueline Cooney, Lead Associate and Waiching Wong, Associate

107 16. OVERSIGHT OF COMPLIANCE AND CONTROL RESPONSIBILITIESData Risk Solutions: BuckleySandler LLP & Treliant Risk Advisors LLC — Elizabeth McGinn, Partner; Rena Mears, Managing Director; Stephen Ruckman, Senior Associate; Tihomir Yankov, Associate; and Daniel Goldstein, Senior Director

Page 3: TABLE OF CONTENTS Introductions — The cyberthreat in the …€¦ · Internet Security Alliance — Larry Clinton, CEO 43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH

■ x

TABLE OF CONTENTS

115 17. RISKS OF DISPUTES AND REGULATORY INVESTIGATIONS RELATED TO CYBERSECURITY MATTERSBaker & McKenzie — David Lashway, Partner; John Woods, Partner; Nadia Banno, Counsel, Dispute Resolution; and Brandon H. Graves, Associate

121 18. LEGAL CONSIDERATIONS FOR CYBERSECURITY INSURANCEK&L Gates LLP — Roberta D. Anderson, Partner

129 19. CONSUMER PROTECTION: WHAT IS IT?Wilson Elser Moskowitz Edelman & Dicker LLP — Melissa Ventrone, Partner and Lindsay Nickle, Partner

137 20. PROTECTING TRADE SECRETS IN THE AGE OF CYBERESPIONAGEFish & Richardson P.C. — Gus P. Coldebella, Principal

143 21. CYBERSECURITY DUE DILIGENCE IN M&A TRANSACTIONS: TIPS FOR CONDUCTING A ROBUST AND MEANINGFUL PROCESSLatham & Watkins LLP — Jennifer Archie, Partner

151 22. INTERNATIONAL INFLECTION POINT—COMPANIES, GOVERNMENTS, AND RULES OF THE ROADKaye Scholer LLP — Adam Golodner, Partner

157 23. MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACTPillsbury Winthrop Shaw Pittman LLP — Brian Finch, Partner

163 24. COMBATING THE INSIDER THREAT: REDUCING SECURITY RISKS FROM MALICIOUS AND NEGLIGENT EMPLOYEESLittler Mendelson P.C. — Philip L. Gordon, Esq., Co-Chair, Privacy and Background Checks Practice Group

IV: Comprehensive approach to cybersecurity

171 25. DEVELOPING A CYBERSECURITY STRATEGY: THRIVE IN AN EVOLVING THREAT ENVIRONMENTBooz Allen Hamilton — Bill Stewart, Executive Vice President; Sedar LaBarre, Vice President; Matt Doan, Senior Associate; and Denis Cosgrove, Senior Associate

177 26. DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH WITH DIVERSE CAPABILITIESBooz Allen Hamilton — Bill Stewart, Executive Vice President; Jason Escaravage, Vice President; and Christian Paredes, Associate

Page 4: TABLE OF CONTENTS Introductions — The cyberthreat in the …€¦ · Internet Security Alliance — Larry Clinton, CEO 43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH

xi ■

V. Design best practices187 27. WHAT ARE THEY AFTER? A THREAT-BASED APPROACH TO CYBERSECURITY

RISK MANAGEMENTIntercontinental Exchange & New York Stock Exchange — Jerry Perullo, CISO

193 28. BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTIONPalo Alto Networks Inc.

VI. Cybersecurity beyond your network207 29. SUPPLY CHAIN AS AN ATTACK CHAIN

Booz Allen Hamilton — Bill Stewart, Executive Vice President; Tony Gaidhane, Senior Associate; and Laura Eise, Lead Associate

213 30. MANAGING RISK ASSOCIATED WITH THIRD-PARTY OUTSOURCINGCovington & Burling LLP — David N. Fagan, Partner; Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H. Canter, Associate; and Patrick Redmon, Summer Associate

219 31. A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDERDelta Risk LLC — Thomas Fuhrman, President

229 32. THE INTERNET OF THINGSThe Chertoff Group — Mark Weatherford, Principal

VII. Incident response237 33. WORKING WITH LAW ENFORCEMENT IN CYBER INVESTIGATIONS

U.S. Department of Justice — CCIPS Cybersecurity Unit

243 34. PLANNING, PREPARATION, AND TESTING FOR AN ENTERPRISE-WIDE INCIDENT RESPONSEBooz Allen Hamilton — Jason Escaravage, Vice President;Anthony Harris, Senior Associate; James Perry, Senior Associate; and Katie Stefanich, Lead Associate

249 35. DETECTION, ANALYSIS, AND UNDERSTANDING OF THREAT VECTORSFidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist

255 36. FORENSIC REMEDIATIONFidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist and Ryan Vela, Regional Director, Northeastern North America Cybersecurity Services

TABLE OF CONTENTS

Page 5: TABLE OF CONTENTS Introductions — The cyberthreat in the …€¦ · Internet Security Alliance — Larry Clinton, CEO 43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH

■ xii

TABLE OF CONTENTS

261 37. LESSONS LEARNED—CONTAINMENT AND ERADICATIONRackspace Inc. — Brian Kelly, Chief Security Offi cer

267 38. CYBER INCIDENT RESPONSEBakerHostetler — Theodore J. Kobus, Partner and Co-Leader, Privacy and Data Protection; Craig A. Hoffman, Partner; and F. Paul Pittman, Associate

275 39. COMMUNICATING AFTER A CYBER INCIDENTSard Verbinnen & Co — Scott Lindlaw, Principal

VIII. Cyber risk management investment decisions

283 40. OPTIMIZING INVESTMENT TO MINIMIZE CYBER EXPOSUREAxio Global, LLC — Scott Kannry, CEO and David White, Chief Knowledge Offi cer

289 41. INVESTMENT IN CYBER INSURANCELockton Companies Inc. — Ben Beeson, Senior Vice President, Cybersecurity Practice

IX. Cyber risk and workforce development297 42. CYBER EDUCATION: A JOB NEVER FINISHED

NYSE Governance Services — Adam Sodowick, President

301 43. COLLABORATION AND COMMUNICATION BETWEEN TECHNICAL AND NONTECHNICAL STAFF, BUSINESS LINES AND EXECUTIVESWells Fargo & Company — Rich Baich, CISO

307 44. CYBERSECURITY READINESS THROUGH WORKFORCE DEVELOPMENTBooz Allen Hamilton — Lori Zukin, Principal; Jamie Lopez, Senior Associate; Erin Weiss Kaya, Lead Associate; and Andrew Smallwood, Lead Associate

313 45. BUILDING A CYBER-SAVVY BOARDKorn Ferry — Jamey Cummings, Senior Client Partner; Joe Griesedieck, Vice Chairman and Co-Leader, Board and CEO Services; and Aileen Alexander, Senior Client Partner

319 46. EVALUATING AND ATTRACTING YOUR NEXT CISO: MORE SOPHISTICATED APPROACHES FOR A MORE SOPHISTICATED ROLEEgon Zehnder — Kal Bittianda, Selena Loh LaCroix, and Chris Patrick

325 CONTRIBUTOR PROFILES