Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.

Draft of June 9, 2015
Cyber Risks in the Boardroom: Managing Business, Legal and Reputational Risks
Perspectives for Directors and Executive Officers
Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing Threat Environment
Working Document from “Cyber Risks in the Boardroom Conference”, June 12, 2015

Copyright ©2015 Sullivan & Cromwell LLP

Slide 2: Table of Contents
- Overview (slide 3)
- Governance (slide 6)
- Assessing Your Company’s Vulnerabilities and Risks (slide 9)
- Mitigating Cybersecurity Risk (slide 16)
- Response to Breach (slide 23)

Overview

Slide 4: Overview
A recent survey of more than 9,700 executives found that:
- 42.8 million cybersecurity incidents were detected by the respondents during 2014, an increase of more than 48% over 2013
- Globally, the average financial loss attributed to cybersecurity incidents during 2014 was $2.7 million, a 34% increase over 2013
- The incurrence of financial losses of $20 million or more attributed to a single cybersecurity incident increased by 92% over 2013
Source: PricewaterhouseCoopers LLP, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015

Slide 5: Overview
- Employees, through negligence, inadvertence and maliciousness, are the top cause of data breaches in the U.S. The most costly breaches, however, are malicious in nature
- Being prepared to handle a data breach properly may reduce the costs related to an incident significantly
- Expectations of shareholders, customers, regulators and law enforcement are evolving. Data breaches are becoming less surprising, but companies will be held to a higher standard of preparedness and responsiveness
Source: PricewaterhouseCoopers LLP, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015

Governance

Slide 7: Governance
- Cybersecurity is not solely the responsibility of the technologists; preparation and response require coordination across an organization
- Senior management and the board should understand the risks and be briefed regularly on cybersecurity measures
- Specific members of senior management should be assigned primary responsibility for monitoring cybersecurity risks and working with other company stakeholders to manage the interaction of cybersecurity controls and operational needs

Slide 8: Governance
- Depending on your company’s internal capabilities, your company should consider retaining external advisers, including technical and legal advisers, to assist with its security assessment and preparedness and/or test the company’s security preparations
- The board should exercise oversight of cybersecurity preparedness, including through appropriate committee review
- The board may consider it appropriate to meet with external advisers in the course of its oversight

Assessing Your Company’s Vulnerabilities and Risks

Slide 10: Assessing Your Company’s Vulnerabilities and Risks: Assessment Framework
How should your company assess risk?
- Periodic self-assessment by an identified group of employees, overseen by an identified supervisor or committee of supervisors
- Client reviews and audits
- Governmental or regulatory reviews and audits
- Join a relevant information sharing and analysis center (ISAC) to share threat intelligence with other companies in your industry
- Use of external advisers
- Penetration/vulnerability testing

Slide 11: Assessing Your Company’s Vulnerabilities and Risks: Information to Protect
Identify the kinds of sensitive information that your company holds:
- Personal data of clients and employees (such as credit card data or financial or health-related information)
- Trade secrets
- Other commercially valuable or proprietary information
- Market-sensitive information, such as information on company results and/or potential transactions
- Other client information

Slide 12: Assessing Your Company’s Vulnerabilities and Risks: Systems
Assess the risks posed by your company’s IT profile:
- Cloud storage
- Mobile devices
- Distributed systems
- Third-party interconnection
- Physical security

Slide 13: Assessing Your Company’s Vulnerabilities and Risks: Systems
Consider the nature of the threats to which your company is exposed:
- Theft of your company’s information
- Theft of others’ information
- Malicious behavior and interference with business (e.g., ransomware, denial of service attacks)
- Harassment, hacktivism and public exposure

Slide 14: Assessing Your Company’s Vulnerabilities and Risks: Threat Environment
- Employees, whether through malice, negligence or inadvertence
- Vendors and others with system access
- Hackers and other cyber-intruders:
  - Lone wolves
  - Ideological groups
  - Organized crime networks
  - State-supported groups
- Physical intruders

Slide 15: Assessing Your Company’s Vulnerabilities and Risks: Protection Obligations
Identify the obligations to which your company is subject regarding how information is to be protected:
- Legal and regulatory (federal, state, international)
- Contractual
- Professional (e.g., lawyers’ ethical duties)

Mitigating Cybersecurity Risk

Slide 17: Mitigating Cybersecurity Risk: Security Policy
- Your company should have a comprehensive security policy intended to address the threats it faces
- The policy must comply with all applicable legal, contractual and professional requirements
- The policy should be designed to meet one or more applicable standards; these may include the NIST Cybersecurity Framework, ISO, PCI, COBIT, and SANS Institute controls
- The policy should have both proactive and reactive components: reducing the likelihood of breach, pre-breach measures to mitigate the effects of a breach, and a breach response plan

Slide 18: Mitigating Cybersecurity Risk: Employees
Your company should establish measures to manage and mitigate the risks employees create:
- Screening and background checks at hiring
- Continued monitoring during employment
- Requirements that employees review and confirm that they understand and will comply with the company’s security policy
- Ongoing training in security awareness and risk mitigation

Slide 19: Mitigating Cybersecurity Risk: Technical Controls
Your company should implement up-to-date technical controls to address cybersecurity risks:
- Consistent with industry best practices and otherwise appropriate to address the specific threats the company faces
- Identify attempts to hack into the company’s systems and attempts to access information that users are not authorized to see
- Identify unauthorized communications into and out of the company’s network

Slide 20: Mitigating Cybersecurity Risk: Security Considerations
Evaluation of security considerations relating to employees:
- Passwords
- Use of personal devices and other non-firm devices
- Use of public networks
- Ability to write on transportable media
- Ability to download external programs onto the company’s network or onto company devices
- Physical security of IT systems

Slide 21: Mitigating Cybersecurity Risk: Contractors and Vendors
Address threats posed by contractors and vendors:
- They must understand your company’s security requirements and agree to comply with them
- Your company should review their cybersecurity vulnerabilities and their potential impact on your company
- Your company’s contractual arrangements with contractors and vendors should provide for appropriate risk allocation/insurance, audit/review rights, and compliance with requirements to which the company is subject

Slide 22: Mitigating Cybersecurity Risk: Insurance
Assess your company’s position regarding cybersecurity insurance:
- Confirm that your policies cover losses from data breaches, as many general liability policies may not
- Consider specific cybersecurity coverage in addition to your general liability coverage
- Secure the correct amount of coverage

Response to Breach

Slide 24: Response to Breach: Response Team
- There should be a plan in place, known to all relevant personnel, as to how to respond to a breach. This should be prepared in advance of a breach
- The plan should be reviewed and updated regularly to keep it current and ensure that relevant personnel are familiar with it
- Identify the company personnel who will be on the team to handle the incident response:
  - Should include representatives from Tech, Legal, HR, Communications, Compliance, Customer Relations and Senior Management
  - Specific responsibilities and leadership should be assigned in advance

Slide 25: Response to Breach: Response Team
- Understand which communications may be privileged and therefore not subject to subsequent disclosure, and which will not be privileged
- Consider regularly holding breach-response exercises to test the plan and familiarize participants with its procedures, preferably both with and without prior notice

Slide 26: Response to Breach: Communications Strategy
- Your company’s goal should be to control external messaging, not react to it
- It may be preferable to volunteer disclosure before it is legally required
- Monitor media, including blogs and social media, for what others may be saying
- Have a strategy for dealing with leaks if news of the breach becomes public before your company is planning to make a statement

Slide 27: Response to Breach: Notice Obligations
Identify in advance all applicable notification requirements:
- State notification laws for personal data
- Specific federal notification requirements (HIPAA, GLB)
- SEC and stock exchange requirements for public companies
- Legal obligations from jurisdictions outside the U.S.
- Contractual requirements
- Professional requirements, if applicable

Slide 28: Response to Breach: Notice Recipients
Determine in advance who must be notified in the event of particular types of breach and who will be responsible for notifying them:
- Law enforcement and DHS
- Regulators
- Customers and clients
- Contractual counterparties, vendors, contractors and other partners
- Public filings

Slide 29: Response to Breach: Outside Support
- Identify in advance outside advisers to assist with breach response and integrate them into response planning:
  - Technical advisers, including forensic consultants
  - Legal advisers
  - Public relations
  - Government relations
  - Credit monitoring services, if applicable
- Identify in advance any limits on your ability to provide information to authorities (e.g., privacy laws, contractual restrictions) and consider methods for addressing those limitations