What Directors (and Corporate Secretaries) Need to Know
Panelists:
Anna Catalano – Independent Director
Lauren Neiswender – General Counsel, Blue Nile
Andy Roth – Partner, Dentons
Moderator: Byron Loflin, CEO, Center for Board Excellence
Panel Biographies
Anna Catalano – manages an active board portfolio, serving on the Boards of Directors of Mead Johnson Nutrition, Willis Towers Watson, Kraton Performance Polymers, and Chemtura Corporation, and as an Advisory Board member to Edelman Berland. She is a certified Board Leadership Fellow of the National Association of Corporate Directors, and advisor to the NACD Texas/Tri-Cities Chapter. In the not-for-profit sector, she is a member of the National Board of Directors of the Alzheimer’s Association, the Houston Grand Opera, and an honorary co-founder of the Kellogg Innovation Network at Northwestern University.
Lauren Neiswender – As General Counsel, Lauren handles all legal matters for Blue Nile, and offers counsel to the Board of Directors and employees on topics such as intellectual property, human resources, tax, marketing, privacy, and more. In her own words, “I love working with the various groups that make up Blue Nile and advising on the efforts that are revolutionizing the way consumers shop for diamonds and fine jewelry.” When not advising, Lauren takes advantage of all the Pacific Northwest has to offer with her husband and two children.
Andy Roth – is a Partner and Chair of Dentons' Global Privacy and Cybersecurity Group. Andy helps clients proactively manage risks by implementing strong policies and controls. Andy also specializes in incident response and crisis management, including high-profile data breaches involving investigations by government agencies. Andy also helps clients leverage data responsibly to drive insight and innovation; recent work includes advising on digital marketing, cross-border data transfers, employee privacy, and third-party vendor management. Prior to Dentons, Andy was Chief Privacy Officer of American Express, ranked “The #1 Most Trusted Company for Privacy” five years in a row under his leadership.
Byron Loflin – is CEO and is the chief architect of the Center for Board Excellence’s (CBE) unique evaluation platform. Prior to CBE, Byron was CEO at Select Homes, Inc. from 1998-2009, was an investment manager at AIG-VALIC from 1989-98, and worked in the U.S. Congress 1983-84. Byron is currently Corporate Secretary and a Board member at Greensboro Downtown Parks Inc. and has held board positions at Arkosian Software, Select Homes, Inc., Greensboro Soccer Club, and Guilford County-wide PTA. Byron is a graduate of James Madison University and Harvard Business School.
Topics:
• How does the Cybersecurity Act of 2015 affect your company?
• What should be reported to the board, when and by whom?
• Does the board need members with specific tech and cyber expertise?
• Should the board have a committee focused on IT and cyber security?
• Is your board prepared for a cyber incident?
Cybersecurity Act of 2015
Section 104 of S.754 is titled “Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats.” The act specifically permits network operators to take three kinds of steps “for cybersecurity purposes.”
1. Network operators can monitor;
2. They can operate defensive measures;
3. They can share information with others.
The first two of these powers can be outsourced, too. With “written consent,” a network operator can allow another entity to monitor its network and operate defensive measures on its behalf.
How does the Act affect your company?
What should be reported to the board, when and by whom?
• Do we have the right aptitude and education to address our IT security oversight needs?
• Who should report to the board on cybersecurity?
• When should the board be alerted?
• How should the board be engaged in the company’s Crisis Management Plan?
• How often should the board discuss and be updated?
Cybersecurity Concerns
• Board & C-Suite conversations should include:
– Process – how are decisions made?
– Decision-making authority – who owns it?
– Access points – what are all the access points into the company?
– Review of external suppliers and outsourcers – whose systems are you dependent on? Who holds the keys to the kingdom?
• B2B companies are not taking cyber seriously enough due to the predominant public focus on loss of customer/consumer data
• Infrastructure and manufacturing systems integrity are risks that many companies are not considering
• General lack of digital world and social media knowledge among most board members
Does the board need members with specific tech and cyber expertise?
• Where should governance of cyber security responsibility reside on the board?
– Audit committee?
– Risk committee?
– Full board?
• What level of technology expertise is expected or required of a board member today?
• Should the board have a committee focused on IT and cyber security?
Is your board prepared for a cyber incident?
Controls / Prevention
1. Governance oversight
2. Risk assessment
3. Vendor management
Incident / Response
1. Identify stakeholders
2. Who makes what decisions
3. Engage outside resources early
4. Diligent progress and resolution
Resources
The Society’s page, “CYBERSECURITY/DATA PRIVACY”, is a wealth of information:
• http://www.governanceprofessionals.org/currenttopiclandingpages/cybersecurity
“How does the Cybersecurity Act of 2015 change the Internet surveillance laws?” by Orin Kerr:
• https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/12/24/how-does-the-cybersecurity-act-of-2015-change-the-internet-surveillance-laws/
A good resource for breach facts and other pertinent information:
• https://blackopspartners.com/the-top-12-security-breach-facts-every-c-level-exec-and-board-member-must-know/
Sidley: “Board Oversight of Cybersecurity Risks”:
• http://www.sidley.com/~/media/files/newsinsights/publications/2014/03/board-oversight-of-cybersecurity-risks/files/view-article/fileattachment/board-oversight-of-cybersecurity-risks--march-2014.pdf
“CYBERSECURITY: WHAT THE BOARD OF DIRECTORS NEEDS TO ASK”, IIARF Research Report:
• https://www.theiia.org/bookstore/downloads/freetoall/5036.dl_GRC%20Cyber%20Security%20Research%20Report.pdf
“Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom”:
• https://www.kpmg.com/BM/en/IssuesAndInsights/ArticlesPublications/Documents/Advisory/2015Documents/Cyber-Security-and-Board-Oversight.pdf
“Cyber Security: Five Leadership Issues Worthy of Board and Executive Attention”:
• http://www.russellreynolds.com/insights/thought-leadership/Documents/Cyber%20Security%20-%20Five%20Leadership%20Issues%20Worthy%20of%20Board%20and%20Executive%20Attention.pdf
CBE: “12 Cyber Security Questions Every Board Should Ask”:
• http://info.boardevaluations.com/12-cyber-security-questions
DENTONS: “Are You Doing Enough to Prevent Cyber Attacks?”
• http://www.dentons.com/en/insights/alerts/2013/june/17/are-you-doing-enough-to-prevent-cyber-attacks
Additional support information
Internet traffic by search volume (chart)
• Surface web < 6%
• Peer-2-peer < 60%
• Deep web < 30%
Director Cybersecurity Checklist
• Perform an annual board legal vulnerability assessment by a leading specialized cyber law firm.
• Perform biannual data breach exercises with the entire C-level.
• Perform annual board cyber vulnerability assessments facilitated by a leading specialized cyber firm.
• Perform a company-wide transformation to data-centric security with emphasis on insider threat.
• Require cybersecurity updates at each board meeting separately by CIO, CISO and Risk executive.
• Place a cybersecurity director on the board or have a leading unbiased firm act as an advisor to the board.
Source: BLACKOPS Partners Corporation
Do’s and don’ts of the internet
• Do verify the email address of the sender.
• Learn to right-click and verify.
• Don’t click on a link that you did not expect to receive.
• If you have a “wipe my phone” option, do turn it on.
• When in doubt, call the email originator.
• Use a password that is considered highly secure. It should be random, at least 8 characters, and not of importance to you.
• Don’t share your password.
• Do use different passwords on different sites.
• Do set the lock feature on your phone and tablet.