Choosing Wisely Your Third Parties - AGC (transcript of a 35-page slide deck)

Page 1

Choosing Wisely Your Third Parties
These are the folks who can leave you “Holding the Bag” for Cybersecurity

“Seyfarth Shaw” refers to Seyfarth Shaw LLP (an Illinois limited liability partnership). Seyfarth Shaw LLP

©2017 Seyfarth Shaw LLP. All rights reserved. Private and Confidential

Page 2

Agenda

01 Sources of Obligation (and Liability)?

02 So What To Do?

03 How Does This Impact My Deals

04 Tips To Deal With Cybersecurity

05 Contracts, Contracts, and Contracts

Page 3

Sources of Obligation (and thus Liability)

Page 4

Cybersecurity Liability – Where does it Come From?

• The Usual “Big Three”
  – Regulation
  – Contract
  – Common Law (Tort)

• It is More than Just Data Now
  – Data assets are often more valuable than the physical assets
  – Access to Systems is Now a Risk
     Access & Control System Compromise (Ocean’s 11)
     Integrated Buildings (What *can* I do with an elevator?)
  – Cybersecurity Now Protects People – Not Just Data

Page 5

The Big Three

• Regulation
  – Federal Information Security Modernization Act (“FISMA”)
  – State Information Security Requirements (mini-FISMA)
  – Procurement Regulations (FARs)

• Contracts
  – If Your Client is Subject to the Above…
  – Standard Market Practice Around IP & Confidentiality Clauses

• Tort
  – Negligence is always an Issue
  – So what is the “standard of care”?

Page 6

Federal Information Security Modernization Act, 44 USC § 3544 et seq. (the 2002 FISMA section numbering; the 2014 Modernization Act recodified these provisions at 44 USC § 3551 et seq., with agency responsibilities now at § 3554)

• General Law on Information Security for US Government
  – Builds on several earlier laws
  – Applies to ALL Federal Agencies
  – Implements information security requirements for ALL systems that maintain, process, or can access federal data

• Standards Based Requirements
  – Mandates that the National Institute of Standards & Technology (NIST):
     Develop Specific InfoSec Standards for Compliance
     Continuously Revise Them Based on the Threat Environment

Page 7

FISMA Now Getting A Lot of Attention

• Government’s Biggest Cyber Problem Will Be Contractors’ Big Opportunity, Report Says, NextGov.com, April 26, 2017

• Survey: Americans Want Government To Do More On Cybersecurity, CivSourceOnline.com, April 10, 2017

• Cybersecurity, Agile Development Top of Mind at 2017 NASCIO Midyear Conference, govtech.com, April 24, 2017

• Agencies Adopt New Cybersecurity Tools In The Post-Snowden Era, FedTechMagazine.com, May 2, 2017

Page 8

But What Does This Mean For Me?

• If a Federal Agency: Simple – Comply

• Direct Contractors with Federal Agency
  – FISMA Includes Contractors – 44 USC § 3544(a)(1)(A) (now § 3554(a)(1)(A)) covers information systems operated by a contractor or other organization on behalf of an agency
     Requirements Must Be In Contract
     NIST Standards Are Preferred
  – Agency Procurement Standards: Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems, 81 FR 30439 (published May 16, 2016; effective June 15, 2016)

• The Closer Call – Subcontractors or Federal Grant Recipients

Page 9

If There Are Federal Dollars, Expect To Comply

• Operating a “Program or Service” For The Feds (contractual privity)
  – See FAR 52.204-21(b)(1): the basic 15-element list of “reasonable safeguarding” requirements
     - Does not address standards for cloud computing
     - Does not include standards for commercial off the shelf (COTS) items

• Taking Federal Dollars Under a Grant
  – Federal Transit Administration (e.g. tunnels, bridges, roads, airports) Circular 4220.1F implicates grantees, not just contractors
  – National Institutes of Health NOT-OD-08-032 applies NIST to grantees, not just contractors

• NIST Standards also imposed by Agency Fiat

Page 10

That Was Regulation – Now Contracts

• Owners/Developers Agreements
  – Obliged to “flow down” FISMA obligations
  – Even without contract language, obligations are still there

• Vendors
  – They have risk too…
     Protect Platform
     Avoid Malware
     Protect source code and Trade Secrets

• Confidentiality Clauses
  – As most data is digital, a Confidentiality Clause is likely a security clause

Page 11

D&O Liability

• Director Fiduciary Duty
  – Cal. Corp. Code §309(a) – Duty of Care: “A director shall perform the duties of a director, including duties as a member of any committee of the board upon which the director may serve, in good faith, in a manner such director believes to be in the best interests of the corporation and its shareholders and with such care, including reasonable inquiry, as an ordinarily prudent person in a like position would use under similar circumstances.”

  – In re Caremark, 698 A.2d 959 (Del. Ch. 1996): “…an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”

Page 12

D&O Liability (Cont.)

• Baca v. Crown, 2010 U.S. Dist. LEXIS 84724, 25-26 (D. Ariz. Jan. 8, 2010):
  – utter failure to implement any reporting or information system or controls; or
  – having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention

• These are not responsibilities of just the IT department

• “Best Interest” = No Injury

Page 13

“Standard of Care”

• Even without the other Two, there is always Negligence

• “Reasonably Foreseeable Injury”
  – 178,000 hits on a Google News search for “Security Breach”
  – 5 million records per day (http://breachlevelindex.com/)

It isn’t “Are you a Victim?” It’s “Do you *know* you’re a Victim?”

• “Reasonable Care”
  – Standards
  – Risk Assessment (know what the risk is – and how to mitigate it)

Page 14

How much is enough?

• Similar to evolution of ethics rules post-Enron and Sarbanes-Oxley

- Board level reporting and senior management focus with process mapping to identify risks and certification of compliance with cyber risk management plan

- Becomes a cultural issue in which everyone is responsible to discover and disclose

- Annual training on security program with each employee attesting to compliance

• Best practice will evolve quickly

• Subcontractor due diligence will be a challenge

Page 15

Professional Standard of Care for Designers and Construction Managers

• Evolving performance specifications for control systems, security systems, etc. will continue to fall on design-build “black box” specialty contractors

• Integration and procurement risk on the Designer of Record and CM-Agents will remain

• They will try to protect themselves with full-function performance testing; standards will evolve, and third-party certification is the likely destination

Page 16

What Is the Standard?

Page 17

Cyber Risk Factors & Exposures in Construction

• Risks associated with building certain process or control intensive projects (e.g., water supply, rail transit, power, hospitals, refineries, pharmaceutical manufacturing, military) or high profile projects that attract international hackers and terrorist attacks (e.g., smart cities and airports)

• Increasing utilization of the “cloud” exposes contractors to liability ranging from data security, network outages, and delays to the project

• Hackers destroy or encrypt data or manipulate systems and processes to harm people and damage property

• Construction delays and lost business income due to an internal network interruption or having to replace non-compliant equipment during late stages of construction

• Rogue employee attacking your systems or stealing protected information

• Confidential third party information and employee databases residing on servers

• Increasingly shared networks with BIM (building information modeling)/Integrated Delivery. Targets are weak vendors with poor networks.

Page 18

“Compliance” in Security


Confidentiality v. Performance

Perfect security results in nothing being done

Page 19

Security as Continuum

Page 20

Four Core Components of Effective Strategy

• Business risk assessment – 1) determine which data is most critical and attractive to hackers and which regulatory/contract requirements apply, and 2) determine what behaviors you are trying to protect against

• Enabling set of capabilities (10-20 indicia of resiliency)

• Target state of protection/resiliency

• Specific set of initiatives, including crisis plans

Source: James Kaplan, McKinsey & Co., The Cyber Risk Handbook, J. Wiley & Sons, Jan. 2017

Page 21

Cyber Security Performance Management System

• Measuring progress against initiatives – Gantt chart with milestones with specific activities, resources, and dependencies

• Measuring capabilities – score each indicator

• Measuring protection – gap analysis showing what assets are important, where they are, and how they should be protected (e.g., level of encryption, level of authentication, frequency of validation)

• Still only as good as the weakest link – trusted insiders without a security culture

• It’s like safety – you are never done, have to be constantly vigilant, and empower everyone to question the legitimacy of a request or practice

Page 22

Challenges and Pitfalls

• Cyber security is not just an IT issue; it’s an enterprise risk to the balance sheet that auditors and directors are being forced to escalate

• Challenge: Measuring performance – escalating threats, new technologies, and evolving operational practices

• Pitfalls:
  - Irrelevant metrics
  - Lagging indicators and a backward-looking compliance approach
  - Assuming more controls are better
  - Too much subjectivity
  - Focus on IT performance, rather than enterprise resilience

Source: James Kaplan, McKinsey & Co., The Cyber Risk Handbook, J. Wiley & Sons, Jan. 2017

Page 23

The Usual Security (Suspects)

• Encrypting all removable media
• Employing full disk or partition/container based encryption for laptops and mobile devices
• Disabling copy/paste and download functionality
• Ensuring content filtering and blocking data sharing, webmail and IM/chat
• Ensuring that all data transmissions over the internet are sent securely
• Monitoring of the corporate email system based on confidential content and destination
• Enforcing two-factor authentication for remote connectivity
• Patching critical/high risk vulnerabilities in a timely manner
• Conducting application and network penetration tests

Page 24

Knowledge Domains

• Access Control
• Awareness & Training
• Audit & Accountability
• Configuration Management
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel
• Physical Security
• Risk Assessment
• Security Assessment
• Systems & Communications Protection
• Systems & Information Integrity

(These are the fourteen control families of NIST SP 800-171.)

Page 25

FISMA - Again

• Federal Requirements are a Good Measure

• NIST Standards used as basis for other requirements
  – HIPAA
  – Financial Safeguards (Reg. S-P)
  – Critical Infrastructure
  – Federal IT Resources

Page 26

But there are Others

Page 27

Project Risk vs. Enterprise Risk

Internal resiliency of each individual project stakeholder is not sufficient for construction, where the risk becomes shared external risk.

A project risk assessment should be conducted at the planning stages with the designers, operators, and potential technology providers to identify risks and risk owners, and to establish objectives.

Each technology component with a significant life or property safety risk should have a cyber capabilities specification (e.g., protection/resiliency requirements), probably based on NIST SP 800-53 or SP 800-171.

The integrated system design should have a gap analysis by a cyber risk expert as soon as reasonable before construction begins.

Operating procedures should be drafted to mitigate risks.

Resiliency testing, designed around the risk assessment and operating procedures, should be performed on the completed system before it is put into operation.

Page 28

Emerging Best Practice Frameworks & Standards

• Unless required by contract or regulation, the best approach is to combine several frameworks to best match need, tailored to objectives and risk profile:
  - ISO/IEC 27001:2013 (information security management standard; the information security equivalent of ISO 9000/9001)
  - COBIT 5 (IT governance and risk management, used for external audit)
  - NIST SP 800 series (developing a framework for infrastructure)
  - ISF (UK) (broader than ISO and complies with UK standards)
  - SANS Top 20 (now the CIS Critical Security Controls; a good starting point for hygiene)
  - IT-CMF:ISM (aims to become the gold standard)
  - WEF-CRF (aimed at boards, with an approach to calculating risk)
  - ENISA (aimed at critical infrastructure protection)
  - CSA (smart city guidelines for IoT)

Page 29

So Now What Do We Do?

Page 30

Due Diligence on Vendors

• Basic Requirements – Rep & Warranty or Audit?
  – Business Risk Assessment Conducted
  – Applicable Standard (e.g., NIST “compliant” vs. “certified”)
  – Results of Periodic Assessments (compliance is a *state*)
  – Training
  – Continuity/Disaster Recovery Plans and Incident Response Plans

• Subcontractor Obligations
  – Must comply with contractor’s obligations
  – Subcontractor certification/prequalification will be imperative

Page 31

Contract Drafting

• Information Security Obligations
  – NIST Standards as compliance benchmark
  – Usual “triumvirate” of “Procedural, Technical, and Administrative” safeguards
  – Don’t rely on just the Confidentiality Clause
  – Potential Alternatives to NIST, but need to make sure they cover the NIST control “families”
  – Don’t forget Risk Assessment, Notice of Breach, and other affirmative obligations

Page 32

Contract Drafting (Cont.)

• Audit Obligations
  – Audit Rights
  – Third Party Certifications
  – Prime audit rights may also be needed

• Incident Response
  – Affirmative Obligations for Notice
  – Timing
  – Resolution timeframes

• Indemnifications
  – Triggers around “regulatory violations”
  – Watch out for liability caps

Page 33

Insurance Risk Transfer

Covered:
• Third Party Claims alleging financial loss for failure to protect their Designs, Trade Secrets, and other forms of Intellectual Property
• First Party Breach Response Expenses including: Forensics, Legal Guidance, Notification, Credit Monitoring, PR, and Call Center Services

Not Covered:
• Property Damage and Bodily Injury – Evolving marketplace
• Theft of First Party Intellectual Property
• Loss of Sales Due to Reputational Harm
• Theft of monies or securities

Page 34

Where is the industry headed?

• Cost of Risk is going up because risk is going up
• Software/Cloud Services vendors and IT consultants are not real risk transfer
• Understanding and charging for balance sheet risk
• Potential captive solutions
• Enterprise cyber reinsurance and systems failure insurance as comprehensive solutions
• Risks of Smart Cities and Smart Developments (“IoT”)

Page 35

Thank You
