
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

Cyber Threats to Banks and Financial Institutions: Regulatory Requirements and Bank Examinations

Leveraging FFIEC Cybersecurity Assessment, Navigating Board of Director Risks and Third-Party Vendor Management

TUESDAY, APRIL 5, 2016
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Jason M. Halper, Partner, Orrick Herrington & Sutcliffe, New York
Aravind Swaminathan, Partner, Orrick Herrington & Sutcliffe, Seattle

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-873-1442 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 35.

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

Cyber Threats to Banks and Financial Institutions: Regulatory Requirements and Bank Examinations

Aravind Swaminathan (Seattle), Global Co-Chair Cybersecurity and Data Privacy
Jason Halper (New York), Co-Chair Financial Institutions Litigation Practice

April 5, 2016

“There are only ‘two categories’ of companies affected by trade secret theft – those that know they’ve been compromised and those that don’t know yet.”

Former Attorney General Eric Holder

Scope of the Problem

World Economic Forum: Cyber is Top 5 Global Risk

Source: World Economic Forum Global Risks 2014

Privileged & Confidential

Knowing the Adversary: Threat Actors

Threat Type: Who and What

Organized Crime: Organized crime rings targeting corporate data, such as personal information, health information, credit cards, for financial motives (e.g., Target)

Industrial Control System Attack: Targeted attack that seeks to disrupt the activities of large-scale companies or organizations, including industrial control systems (e.g., Stuxnet)

Insiders: Employee or contractor using access to release or exfiltrate information for personal, competitive, or financial gain (e.g., Wikileaks)

Advanced Persistent Threat (APT): Organized and state-funded groups methodically infiltrating the enterprise, often having maintained a presence for months or even years (e.g., “Deep Panda”)

Hacktivism: Highly visible attacks to advance “movements,” based on political, policy, or religious views, to raise a PR spotlight, embarrass, or effect change (e.g., Anonymous)

Attack Targets

Source: Verizon 2015 Data Breach Investigations Report

“The top two industries affected are the same as previous years: Public and Financial Services.”

Attack Methodologies

Source: Verizon 2015 Data Breach Investigations Report

Average Loss to Organization

• Averages based on small breaches of 5,000 to 99,000 records

• Breaches >100,000 records were excluded because they would “skew” the results

Average Total Cost (direct and indirect expenses, e.g., forensic experts, outsourcing hotline, free credit monitoring, discounts, customer loss, diminished customer acquisition): $5.5 million in 2012; $6.5 million in 2014

Cost per compromised record: $188/record in 2012; $217/record in 2014

Source: Ponemon Institute/IBM, 2015 Cost of Data Breach Study: United States

Regulatory Developments

Regulatory Landscape: Which Way Are They Coming From?

FFIEC Cybersecurity Assessment Tool

Inherent Risk:

• Technologies and connection types

• Delivery channels

• Online/Mobile products & technology services

• Organizational characteristics

• External threats

Cybersecurity Maturity:

• Risk management and oversight

• Controls

• External dependency management

• Incident management

Regulators explicitly using in bank examinations:

• Office of the Comptroller of Currency

• National Credit Union Association

NY Department of Financial Services (November 9, 2015)

Potential New NYDFS Cyber Security Regulation Requirements

• Required Policies and Procedures (e.g., data governance/classification, identity access management, incident response)

• Third Party Service Provider Management (e.g., multi-factor authentication, encryption, notification for cybersecurity incidents, indemnification, security audits, reps/warranties re InfoSec)

• Chief Information Security Officer

• Cybersecurity personnel and intelligence

• Annual penetration testing and quarterly vulnerability assessments

• Audit trails for privileged user access, protection of logs, etc.

• Notification to NYDFS if reasonably likely to materially affect operations or triggers NY state notice, board notification, NPHI or “private information”

Other Regulatory Guidance on Cybersecurity

Overview of Key Elements from SEC/FINRA:*

Identification of Risks & Cybersecurity Governance

• Documented information security policy

• Establish cybersecurity roles and responsibilities

• Periodic assessment of cybersecurity risks

• Periodic assessment of physical security risks

• Network mapping and inventory of technology resources

• Cybersecurity insurance

• Incorporate cybersecurity into BCP plan

Protection of Firm Network and Information

• Employee training and written guidance

• User access controls

• Use of encryption

• Change management procedures – test environment

• Documented incident response plan

• Audits of security policies

Risks Associated with Vendors and other Third Parties

• Cybersecurity assessment of vendors and third parties

• Details of cybersecurity risk in third party contracts

• Network segregation of third party access

• Logging and control of third party access

Detection of Unauthorized Activity

• Create baseline of network traffic and events

• Event aggregation and correlation

• Detection of events/intrusions, malicious code, unauthorized users and devices

• Penetration testing and vulnerability scanning

• Data loss prevention

*SEC National Exam Program Alert, Vol. IV, Issue 4, “Cybersecurity Examination Sweep Summary” (Feb. 3, 2015); FINRA, “Report on Cybersecurity Practices” (Feb. 2015)

Vendor Management

Vendors can be the “weak link” (Target HVAC) – public entities rely on hundreds or even thousands of vendors for core operations/services

Proactive Risk Mitigation

» Pre-contract due diligence, calibrated to sensitivity level of data to be handled by vendor – e.g., vendor MUST have an IR Plan

» Contractual terms with appropriate risk shifting / allocation – e.g., will you require vendor to carry cyber insurance?

» Absolute clarity on definition of “breach” and mutual reporting and cost obligations in breach event

» Audit rights, ability to exercise such rights (e.g., questionnaires)

» Ongoing due diligence and willingness (ability) to terminate

Employee and Customer/Client Training

Employee training is key

• Tailor to meet staff needs

• Interactive training with participation

• Index to past experiences and threat intelligence

• Lather, rinse, repeat

Customer training emphasis (SEC)

• 65% of broker dealers provide customers with information on reducing cybersecurity risks

• 19% of advisers provide steps that can reduce cybersecurity risks

Recent Enforcement

R.T. Jones, Investment Advisor (Sept. 22, 2015)

Rule 30(a) of Regulation S-P (“Safeguards Rule”) – written policies and procedures reasonably designed to: (1) insure security/confidentiality of customer records/info, (2) protect against anticipated threats or hazards to the security/integrity of customer records/info, (3) protect against unauthorized access to or use of customer records and information

Client PII (100,000 individuals) on 3rd party-hosted server; hacker gained full access/copy rights; no harm established

No reasonably designed safeguards: no risk assessments, encryption, firewalls, or incident response procedures

Censured + $75,000 civil penalty + remedial efforts

Recent Enforcement

Sterne Agee, Investment Advisor (May 22, 2015)

Rule 30(a) of Regulation S-P (“Safeguards Rule”); NASD Conduct Rule 3010; FINRA Rule 2010

Client PII (+350,000 individuals) on unencrypted laptop left in a restroom and lost: account numbers, names, addresses, tax identification numbers; no harm established

Sterne’s written supervisory procedures (WSPs) not reasonably designed to safeguard; WSPs provided for many security measures, but not laptop encryption

Paper trail dates from March 2009 through June 2014 showing repeated discussion of, but failure to implement, encryption (see FINRA Regulatory Notice 05-49)

Censured + $225,000 civil penalty + remedial requirements

Recent Enforcement

Dwolla, Inc., Online Payment Processor (March 2, 2016)

Sections 1031(a) & 1036(a)(1) of Consumer Financial Protection Act

Advertised 100% encryption, “bank-level hosting and security environment,” and “set[] new precedent for the industry for safety and security”

Failed:

• to adopt and implement reasonable data security policies and procedures (or even comply with ones that it had adopted),

• to conduct periodic security risk assessments, did not adequately train employees, and

• to ensure that the software and applications it developed were secure.

No cybersecurity incident, data breach, or other specific consumer harm appears to have prompted CFPB’s investigation

$100,000 civil penalty + 5-year consent order

Civil Litigation

• Private class actions

» fast-and-furious: Anthem suits filed within 24 hours

» multi-district: Target, Home Depot

» multi-front: Schnucks Grocery vs. plaintiffs and insurers

» standing defense in question: Neiman Marcus

• Issuing Bank litigation in PCI/card breaches

• Contractual enforcement

» Payment Card Industry (PCI), credit card brand companies

» Customer claims via contracts, privacy policies, terms of use

• Suits against directors alleging breach of fiduciary duty

Cyber Governance

Cybersecurity Governance

Regulators say governance framework is essential:

• To allocate adequate resources to cybersecurity and set priorities

• To mitigate risks

• To lay groundwork to avoid or reduce harms

• Must be supported by intelligent, fact-based decision making

• Use cybersecurity frameworks (e.g., NIST)

• Bridge communication gaps between cybersecurity experts and executives

• Assess security through common performance measurement tools

Fiduciary Duties Under State Law

• Cyber or not, the Board’s fiduciary duties are the same:

− Duty of care

− Duty of loyalty (includes duty of good faith)

− Caremark standard

− Risk oversight function

Sample Shareholder Derivative Cases

− Heartland Payment Systems (January 20, 2009): Malware on payment processing network, compromised potentially 100 million credit cards.

− Target Corporation (December 15, 2013): Network breach compromised potentially 110 million credit cards.

− Wyndham Worldwide Corporation: Three separate breaches that compromised 619,000 records, leading to FTC enforcement action for unfair and deceptive trade practices.

− The Home Depot, Inc. (September 3, 2014): Network breach compromised potentially 56 million credit cards.

Allegations Against Directors

• Breach of fiduciary duty of care, loyalty, and good faith (Heartland, Target, Wyndham, Home Depot)

• Unjust enrichment (Heartland)

• Abuse of control (Heartland)

• Gross mismanagement (Heartland)

• Waste of corporate assets (Heartland, Target, Wyndham, Home Depot)

Typical Post-Breach Claims Against Directors

• Failed to implement and monitor effective cybersecurity program

• Failed to protect company assets and business by recklessly disregarding cybersecurity risks and ignoring “red flags”

• Failed to implement and maintain internal controls to protect customer or employee personal and financial information

• Failed to take reasonable steps to timely notify individuals that company’s information security system was breached

• Caused or allowed company to disseminate materially false and misleading statements to shareholders regarding incident

• Failed to implement controls or oversee cybersecurity program, resulting in a waste of corporate assets

• Made false or misleading cyber-risk disclosures in public filings

How to Protect Board Members

Protection Against Shareholder Claims for Breach of Duty

• Lay a foundation to use the “business judgment” rule to shield the board from shareholder claims

» Business judgment rule is a presumption that, if directors acted in good faith, with reasonable skill and prudence, and reasonable belief they were acting in corporation’s best interests

» Applies unless shareholders can show lack of business judgment or majority of board not disinterested and independent

» Directors may rely on cyber experts to enable them to exercise proper skill and prudence (due care)

• Directors are protected by business judgment rule unless shareholders allege (i) failure to implement a board-level oversight and reporting system, or (ii) directors substantially disregarded cybersecurity reports and red flags

» Directors must evaluate cybersecurity risks, with regular updates

» Directors must implement effective continuous monitoring of systems

» Directors must receive and consider periodic cybersecurity reporting

» Directors must allocate adequate resources to address possible risks

» Document all actions in board and committee packets, minutes and reports

• Ensure cybersecurity disclosures are not false or misleading in light of the most current and evolving information, and include specific and relevant warnings of evolving risks

Protecting the Board (con’t)

Protection Against Investor/SEC Claims for False/Misleading Statements

• Do: Make disclosures of what you do to address cybersecurity threats

» We utilize intrusion threat detection and protection systems.

» We conduct regular internal and external cybersecurity assessments.

• Do not: Make statements about what threats you protect against or how your cybersecurity systems protect against threats

» We have state-of-the-art intrusion protection systems that prevent individuals from gaining access to our proprietary network without authorization.

• Do: Prepare risk disclosures that are specific, without disclosing key details about cybersecurity measures

» We collect and maintain personal identifying information, such as credit card information, that is collected via point-of-sale terminals across the globe. A malware attack on any point-of-sale terminal could result in loss of customer data and confidence in our ability to protect their information because of the data breach, resulting in an adverse impact on sales.

» We maintain valuable intellectual property on our computer networks, which, if accessed without authorization, could result in loss of revenue if that information is used to develop counterfeit information.

• Do: Prepare more generalized risk disclosures that supplement specific disclosures

Section 102(b)(7) Charter Provisions

• Delaware Gen. Corp. Law Sec. 102(b)(7) permits shareholders to adopt a Charter provision that precludes monetary liability on part of directors of Delaware companies for breaches of due care

• Prevalent among Delaware corporations

• Results in dismissal of claims seeking money damages from directors for breaches of the duty of care, including in the cybersecurity area

• Does not protect against breaches of the duty of loyalty or result in dismissal of claims seeking injunctive or other equitable relief

• Query: Can a failure to adopt and implement reasonable cybersecurity measures be considered a breach of loyalty/bad faith?

Best Practices for Board

• Direct implementation of cybersecurity plan that includes:

» Development of policies and procedures

» Regular updating of the security plan, policies and procedures

• Oversight of:

» Enforcement of cybersecurity plan’s policies and procedures

» Accountability for non-compliance; incentivize compliance

• Monitor effectiveness of:

» Internal Controls

» External Controls

• Allocate adequate resources for the identified risks and the plan for remediation

Internal and External Controls

• Internal Controls

» CISO (or similar) certification of compliance with cybersecurity policies and procedures

» Internal testing and validation of compliance

» Periodic reporting to Audit Committee

• External Controls

» Retain independent cybersecurity firm

» Conduct assessment of cybersecurity program/posture

» Use established framework for assessment and evaluation, such as National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure and/or FFIEC Tools

» Periodic reporting to Audit Committee

• Document Process

Key Elements of Proactive Cybersecurity Program

• Executive CISO or equivalent function responsible for cybersecurity with regular and direct reporting to Board (Audit/Risk) Committee

• Inventory of data and network assets subject to attack (e.g., data map or network map)

• Regular enterprise-wide cybersecurity assessments, properly scoped and managed (not just “pen tests” or routine vulnerability scans, but more holistic)

• Participation in threat intelligence sharing forums to develop understanding of threat landscape (e.g., FS-ISAC)

• Certification to ISO/IEC standards, such as ISO/IEC 27001:2013

• Encryption of sensitive data in-transit and at-rest, as appropriate . . . as the bare minimum of protective controls

Key Elements (cont’d)

• Inclusion of cybersecurity-related provisions and audit rights in vendor and business partner contracts, with program for auditing compliance

• Development of security breach incident response plan (IRP); periodically tabletop, refine, update

• Implementation of training programs for employees and security team on cybersecurity awareness and response

• Retention of experts and consultants to provide technical services for purpose of providing legal advice regarding risk

• Procurement of cyber insurance to cover costs of forensic analysis, legal services, public relations, credit monitoring, litigation defense, etc.

DISCUSSION

Aravind Swaminathan

• Aravind Swaminathan is a global co-chair of the firm's Cybersecurity & Data Privacy team, which is nationally ranked by The Legal 500 for "high-level practical experience and understanding of the law.”

• Aravind is an accomplished trial lawyer and former federal prosecutor in the complex crimes unit. He has extensive experience in cybersecurity and data breaches, government and internal investigations, and privacy-related matters. Aravind advises clients in proactive assessment and management of internal and external cybersecurity risks, breach incident response planning, and corporate governance related to cybersecurity.

• Aravind has directed dozens of internal data breach investigations and incident response efforts, including incidents with national security implications. He also represents companies and organizations facing cybersecurity and privacy-oriented class action litigation. Aravind is a sought-after speaker on cybersecurity issues, including threat landscapes, mitigation strategies, incident response plans, and threat management in mobile device ecosystems.

Orrick, Herrington & Sutcliffe LLP
701 Fifth Avenue
Suite 5600
Seattle, WA 98104
(206) 839-4340
[email protected]

Jason Halper

• Jason Halper is the co-chair of the Financial Institutions Litigation Practice. Jason is a seasoned litigator and trial lawyer with more than two decades of experience representing financial institutions, Fortune 500 companies and other clients in high-stakes litigation and regulatory matters. He is a member of the Trial Bar of the Northern District of Illinois and has tried cases to jury verdict or decision in federal and state courts, regulatory tribunals and arbitrations.

• Jason represents public and private companies, underwriters, lenders, professional firms, corporate directors and other individuals in a variety of industries in securities, derivative, ERISA and RICO class actions, SEC and stock exchange investigations and arbitrations, internal investigations, suits claiming breaches of fiduciary duty, insider trading or other misconduct by corporate directors, substantial contract disputes, bankruptcy-related proceedings, and litigation arising from M&A or other transactions involving changes in or contests for corporate control in Delaware Chancery Court and elsewhere.

• Jason is also an adjunct professor in corporate and securities law at the University of Pennsylvania Law School, and a frequent speaker and author.

Orrick, Herrington & Sutcliffe LLP
51 West 52nd Street
New York, New York 10019
(212) 506-5133
[email protected]