
Cybersecurity


Presentation Transcript


  1. Cybersecurity
  Ed McNicholas
  eMcNicholas@Sidley.com
  www.Sidley.com/Infolaw

  2. Cybersecurity Executive Order and Directive (Feb. 12, 2013)
  • Congressional stalemate led to Executive Order:
    • Development of NIST “Cybersecurity Framework” and programs to encourage voluntary adoption of the framework.
    • NIST Framework released for comments (due Dec. 24, 2013)
    • Includes privacy and security appendices
    • DHS designation of CI companies (with right of reconsideration)
    • Creation of regulatory standards by agencies with statutory authority
  • Directive (Feb. 12, 2013) names 16 critical infrastructure areas
  • CI sectors and their designated SSAs are: Chemical (DHS); Commercial Facilities (DHS); Communications (DHS); Critical Manufacturing (DHS); Dams (DHS); Defense Industrial Base (DoD); Emergency Services (DHS); Energy (Department of Energy); Financial Services (Treasury); Food and Agriculture (Department of Agriculture (USDA) and Department of Health and Human Services (HHS)); Government Facilities (DHS and General Services Administration); Healthcare and Public Health (HHS); Information Technology (DHS); Nuclear Reactors, Materials, and Waste (DHS); Transportation Systems (DHS and Department of Transportation); and Water and Wastewater Systems (Environmental Protection Agency)

  3. Primary (Existing) Enforcement Statutes
  • Computer Fraud and Abuse Act of 1984 (CFAA)
    • Prohibits certain attacks on computer systems used in interstate and foreign commerce
    • Criminal and civil penalties for unauthorized access and wrongful use of computers and networks
  • Electronic Communications Privacy Act of 1986 (ECPA)
    • Prohibits interception of wire, oral, or electronic communications unless an exception applies
    • Establishes rules that law enforcement must follow to access data stored by service providers (ECS and RCS), e.g., search warrants, court orders and subpoenas

  4. SEC Cybersecurity Guidance
  • Corporation Finance guidance issued Oct. 13, 2011 (in response to Sen. Rockefeller)
  • 4/9/13: New Rockefeller letter seeking formal rules
  • Guidance characterizes cyber-attacks as targeting:
    • Financial assets, intellectual property, other sensitive information
    • Customer or business partner data
    • Disruption of business operations
  • Disclose cyber-risks if they “are among the most significant factors that make an investment in the company speculative or risky”
    • Frequency of prior incidents; probability and potential harm of future incidents
    • Avoid generic language

  5. Responding to an Incident
  • Effectuate IT containment and triage
  • Assess nature of attack: IP assets; trade secrets; financial; customer data; denial of service; geopolitical; hacktivists
  • Determine affected systems and targeted data; gauge possible exfiltration; address persistent threats
  • Involve outside counsel and forensic IT consultants?
  • Identify and notify stakeholders?
  • Consult government: national security; law enforcement; homeland security?
  • Assess liabilities, legal compliance, contract obligations, SEC reporting, insurance, etc.
  • Evaluate existing control systems, responsibility and accountability; implement lessons learned

  6. Managing CyberCrime Risks
  • Consider proper insurance
  • Commission and review risk assessments
  • Identify legal and business obligations
  • Monitor legal and policy developments
  • Address participation in industry and private sector initiatives
    • DHS’ US CERT Coordination Center (CERT/CC)
    • Information Sharing and Analysis Centers (ISACs)
    • Current ISACs by sector: communications, financial services, electricity, IT, surface transportation, public transit, water, multi-state

  7. Managing CyberCrime Risks -- Cont’d
  • Develop cooperative relationship with key regulators for optimal information sharing
  • Examine incident response and notification procedures
  • Prepare for involvement of law enforcement/FBI/DHS
  • Inform investors of materiality of cybersecurity risks
  • Prepare for technical and legal responses
  • Identify resources in advance
  • Report regularly and follow up at Board and CEO level

  8. Lawyer To-Do List For Cybersecurity
  • Overall legal compliance
  • Insurance coverage
  • Oversight and readiness for incident response
    • Have you vetted and tested your response ability?
  • Analyzing and explaining the complex legal environment
  • Coordination of relationships with government
  • Development of standards and internal policies
    • Does your organization learn lessons?
  • Managing protections and obligations in contracts, customer and vendor relationships
  • Addressing “Hack Back” options
  • Managing legal/reputational issues
  • Required disclosures and reporting
  • Fourth Amendment: Corporate agents of the government?
  • Privilege and selective waivers

  9. Questions?
  Edward McNicholas: 202-736-8010
  eMcNicholas@sidley.com
  www.Sidley.com/InfoLaw

  This presentation has been prepared by Sidley Austin LLP as of October 25, 2013 for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.

  BEIJING · BRUSSELS · CHICAGO · DALLAS · FRANKFURT · GENEVA · HONG KONG · HOUSTON · LONDON · LOS ANGELES · NEW YORK · PALO ALTO · SAN FRANCISCO · SHANGHAI · SINGAPORE · SYDNEY · TOKYO · WASHINGTON, D.C.

  Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas, London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto); Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm. For purposes of compliance with New York State Bar rules, Sidley Austin LLP’s headquarters are 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.