1 / 13

Rise in cyber attacks at US companies

Rise in cyber attacks at US companies. “This threat to our country’s economic and national security, and to companies’ bottom line, is real and it is growing.”. Jay Rockefeller Senator & Commerce Committee Chairman in letter to Chairman of SEC April 9, 2013. Sources:

quanda
Download Presentation

Rise in cyber attacks at US companies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Rise in cyber attacks at US companies “This threat to our country’s economic and national security, and to companies’ bottom line, is real and it is growing.” Jay Rockefeller Senator & Commerce Committee Chairman in letter to Chairman of SEC April 9, 2013 Sources: http://thehill.com/blogs/hillicon-valley/technology/292919-rockefeller-asks-sec-to-step-up-cybersecurity-disclosures http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-us-corporations.html?pagewanted=all&_r=0 http://www.bloomberg.com/news/2013-05-14/iran-based-hackers-traced-to-cyber-attack-on-u-s-company.html techland.time.com/2013/09/26/major-u-s-data-providers-hit-by-cyber-attacks/ http://www.npr.org/blogs/alltechconsidered/2013/08/30/217296301/firms-brace-for-possible-retaliatory-cyberattacks-from-syria

  2. Magnitude of the Threat • Cybercrimes are widespread, systemic and insidious • Annual cost is approximately $100 billion per year • Double-digit year-over-year growth in incidents • 90% of U.S. companies surveyed had detected computer security breaches* • 74% acknowledged financial losses as a result *Source: 2011 Computer Security Institute survey

  3. Verizon 2014 Data Breach Investigations Report (April 23, 2014) • Nearly 200 breaches of payment systems used by retailers, hotels and restaurants • Cyber education and “hygiene” critical in protecting payment systems

  4. Business Consequences • Harm to business, “franchise” risk, company valuation, stock price, etc. • Long-term financial and business damage • Theft of valuable intellectual property and business plans • Theft of customer data and funds • Disruption of critical operations and corporate web sites • Headline and reputational harm

  5. Potential costs • Financial losses for company • Average cost of $500,000 and 24 days to identify and resolve an attack1 • Cyber crime cost companies $300bn - $1trillion total in 20131 • Financial losses for shareholders • ~5% drop in share price for public companies2 • Brand reputation • Value of brand can decline 17-31%, depending on nature and industry3 • Your reputation Sources: 1: 2013 Cost of Cyber Crime Study: United States, Ponemon Institute, October 2013, http://www.hpenterprisesecurity.com/ponemon-2013-cost-of-cyber-crime-study-reports 2: “Anatomy of data breaches and their impact on market value,” Electronic International Interdisciplinary Conference 2012 http://www.eiic.cz/archive/?vid=1&aid=2&kid=20101-131 3: Poneman Institute, Reputation Impact of Data Breach, October 2011 http://www.scmagazine.com/breaches-lead-to-major-reputation-brand-damage/article/215595/

  6. Legal Consequences • Governmental investigations and sanctions (SEC, DOJ, State Attorneys General, FTC, etc.) • Consumer litigation • Class action lawsuits • Shareholder derivative demands • Special Board/Litigation Committees and potential claims against the corporation

  7. Push for government regulation • Cyber Intelligence Sharing & Protection Act • To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes. • Passed House of Representatives in April; Senate will not vote but is drafting competing legislation • White House Executive Order – Improving Critical Infrastructure Cybersecurity (February 12, 2013) • Establish top-to-bottom review of federal government’s efforts to defend our nation’s information and infrastructure • In conjunction, SEC Division of Corporation Finance issued guidance instructing companies to disclose cyber attacks or risks associated with breaches if such attacks or breaches are likely to be material to investors

  8. Proactive Response Plan • Detailed, step-by-step Incident Response Plan • Analysis of insurance policies to determine coverage • Legal counsel and key service providers “on speed dial” • Crisis communication strategy and trained spokespeople • Government affairs/communications with regulators • Readiness exercises that simulate an actual attack • Business continuity planning • Security audits of key vendors • Litigation and regulatory preparedness

  9. Cybersecurity Strategic Planning Checklist • Detailed, step-by-step Incident Response Plan • Adequate insurance coverage (consider Cyber policy) • Legal counsel and other service providers “on speed dial” • Crisis communication and Litigation strategies • Government affairs/communications with regulators • Readiness exercises that simulate an actual attack • Business continuity planning • Security audits of key vendors

  10. Privacy and security guidelines for boards • Establish ‘tone from the top’ through top-level policies • Review roles and responsibilities; ensure risk/accountability shared throughout organization • Ensure regular information flows to executives and board, including cyber incidents and breaches • Review annual IT budgets for privacy and security, separate from CIO’s budget • Conduct annual reviews of enterprise security program, review findings, ensure gaps and deficiencies are addressed • Evaluate adequacy of security around board materials and communication Source: Governance of Enterprise Security: How Boards & Senior Executives are Managing Cyber Risks, CyLab 2012 Report – Carnegie Mellon University

  11. Technology in the boardroom Cloud File Sharing Services Secure Board Portal In-person at Time of Meeting Courier Delivery Mobile App / PDF Reader Secure Email Internal Portal Unsecure Email PDF-BasedPortal • Key concerns • Privacy • Limited administrator control • Hacking and other security vulnerabilities • Purchase of additional secure container technology

  12. Board portal technology brings a new standard of cyber security Control access to data Data encrypted in transit and on all devices Does not track Director’s electronic footprint Regular, repeated third-party audits and penetration testing Local redundancy, data back-up and recovery

  13. Important vendor requirements • Ensure that privacy and security requirements for vendors are based upon key aspects of your organization's security program • Carefully review internal and vendor notification procedures in the event of breach or security incident

More Related