NAVIGATING the CYBERSECURITY STORM A Guide for Directors and Officers BY PAUL A. FERRILLO EDITED BY BILL BROWN published by sponsored by sponsored by 1 © 2015 by Paul A. Ferrillo. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any other information storage or retrieval system without prior written permission. To use the information contained in this book for a greater purpose or application, contact Paul A. Ferrillo via [email protected] 2 Is your company protected from the Internet of RiskSM? With CyberEdge® cyber insurance solutions you can enjoy the Business Opportunity of Things. 20 billion objects are connected to the Internet, what everyone is calling the Internet of Things. This hyperconnectivity opens the door both to the future of things, and to greater network vulnerabilities. CyberEdge end-to-end cyber risk management solutions are designed to protect your company from this new level of risk. So that you can turn the Internet of Things into the next big business opportunity. To learn more and download the free CyberEdge Mobile App, visit www.AIG.com/CyberEdge Insurance, products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Insurance and services may not be available in all jurisdictions, and coverage is subject to actual policy language. For additional information, please visit our website at www.AIG.com. ABOUT PAUL A. FERRILLO Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them. Mr. Ferrillo has substantial experience in the representation of public companies and their directors and officers in shareholder class and derivative actions, as well as in internal investigations. In particular, Mr. Ferrillo has coordinated numerous internal investigations on behalf of audit committees and special committees, and handled the defense of several significant securities class actions alleging accounting irregularities and/or financial fraud. Mr. Ferrillo has represented companies in a wide range of industries, including retail, apparel, insurance, financial services, energy, oil and gas, and real estate. Mr. Ferrillo also regularly counsels clients in the growing field of cybersecurity corporate governance, which is an increasingly important part of a Board’s enterprise risk management function. Mr. Ferrillo also counsels clients on cyber governance best practices (using as a base the National Institute of Standards and Technology cybersecurity framework, which was announced on February 14, 2014), third-party vendor due diligence issues, cybersecurity regulatory compliance issues for Private Equity firms, Hedge Funds, and Financial Institutions that have been promulgated by the SEC, FINRA, the FTC, and the FDIC/OCC, the preparation and practicing of cybersecurity incident response plans, as well as evaluating and procuring cyber liability insurance to protect against losses suffered by Companies as a result the theft of consumer or personally identifiable information, or as a result of the destruction of servers and corporate infrastructure. Outside of his D&O insurance practice, Mr. Ferrillo is a prolific writer, speaker, and commentator on a wide range of subjects. He is a frequent contributor of articles concerning securities, cybersecurity, corporate governance, and accounting fraud issues to the New York Law Journal, D&O Diary, Harvard Law School’s Forum on Corporate Governance and Financial Regulation, and other national publications and forums, and is a frequent speaker on securities law, corporate governance, and directors’ and officers’ liability insurance issues for the ALI-ABA, the New York State Bar Association, the American Conference Institute, NACD, and the Directors’ Roundtable. Mr. Ferrillo also is a co-editor of and contributor to The 10b-5 Guide, Weil’s annual review of securities fraud litigation in the United States. This book is provided “as is,” with all faults, without warranties of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. [email protected] | (212) 310-8372 Direct II • • • Unmatched Legacy in Complex Corporate Investigations K2 Intelligence is redefining 21st century corporate intelligence by combining deep subject matter expertise with cutting edge technology in an unprecedented way. We bring to bear the best multi-disciplinary and multi-national team in the business to solve our clients’ most difficult problems. • • • Complex Investigations • Business Intelligence • Investigative Due Diligence • Anti-Money Laundering and Regulatory Compliance • Integrity Monitoring and Compliance • Data Analytics and Visualization • Board Advisory • Cybersecurity Investigations and Defense K2intelligence.com New York · London · Madrid · Tel Aviv · Geneva III To my beautiful and courageous wife Patricia: you are my rock, my Northstar, my everything. Thank you for supporting me always. — Paul IV AUTHOR’S NOTE: This book could not have come about without the help, support and guidance of so many people and firms, who I want to thank. First, my editor, Bill Brown, whose wisdom is well beyond mine, and who spent countless hours with me on drafts, and edits, and more drafts and edits. Jeff Cohen, from Advisen, who always believed in me and the book from Day One. Several partners at Weil Gotshal & Manges, LLP gave me an infinite amount of support and guidance, most especially Michael Epstein and Randi Singer (Randi of course, helping me with several chapters, including her excellent work on privacy). There are others to thank: K2 Intelligence (Austin Berglas), PwC (David Burg), Mandiant (Kevin Mandia), Levick Communications (Richard Levick), and countless other firms whose guidance and statistics I relied upon to help educate the readers on all that is going on in the cyber ecosystem. And thanks especially to John Doyle, Robert Schimek and Tracie Grella at the American International Group, Inc. - your support throughout the years has been invaluable, and most appreciated. published by sponsored by sponsored by V FOREWORD As my close friends and family know, I am a big fan of Marvel Comics, and a huge fan of the Avengers series. In fact, one of my wife’s cousins calls me Director Nick Fury (the boss of the Avengers). He’s the guy who keeps his one good eye on everything and everybody. Always three steps ahead. Never behind. Always fighting for good. When thinking about it, I more identify myself as Captain America, the guy who always wears his heart (or the flag) on his sleeve. The guy who is never afraid. The guy who people want in their fox hole if anything bad happens to them. The guy who tries his best to get his friend, client, or company out of harm’s way. That is really the reason I wrote this book. Because I foresee more trouble ahead if things don’t change. And change soon. Nearly two years after the Target cyber-attack, I still see companies getting hacked daily. I still see statistics saying people don’t pay enough attention to cybersecurity. And I saw personally the damage the OPM hack caused to several of my friends, all of whom were retired government or military workers, whose personal information got stolen. They all called me for help. I did give them good practical advice about watching credit reports, bank accounts, etc. and generally how to protect themselves. But really the damage to their psyche was already done. Their personal information was stolen. My friends were both mad, and sad. And I don’t like that. I am not the world’s most cyber knowledgeable lawyer. I don’t pretend to be. Nor am I the most knowledgeable corporate governance lawyer in the world. I don’t pretend to be that either. However, I am a student of history. I have lived and worked through the S&L crisis, the Tech boom and bust in 2000-2002, and the financial crisis of 2007-2008. I have seen bad things happen to good people. Really good people who cared greatly about their companies, their firms and their country. I care too. That is the reason I wrote this book. In the pages ahead we try to pull together very difficult and complex topics regarding IT and informational management and distill them, from “tech speak” to plain English. What are the right answers to those questions? I don’t know. And it depends, as every company is different. I can only give you the questions. The challenge is for you to have those discussions internally with your company’s C-Suite and IT staff, and come up with practical solutions. Answering our questions will take effort and a lot of communication. Answering our questions may take a lot of meetings, and may require a lot of advice from both IT experts, and VI maybe even from us lawyers. As I said, I cannot assure you of what the right answers are. The one thing I can say is that by having these cybersecurity discussions and communications on a regular basis should help all companies come up with better ideas, better plans, and hopefully allow them to make better business judgments that may ultimately help their customers, their clients, and their investors and regulators understand they are doing everything possible to make the information they keep and store (whether internally or in the cloud) as safe and secure as possible from a cyber-attack. And if your company is ultimately the subject of a cyber-attack, if your company takes “a cyber punch” to the head, we try and give practical advice on cyber incident response plans and procedures to help get you “off the canvas” and back on your feet as soon as possible.