Cyber for General Counsel Day 1
08:00 - 08:50 Registration & Coffee
08:50 - 09:00 Chair's Welcome
09:00 - 09:40 Keynote Address: EU Cyber Security Regulation in Europe
This Keynote will provide an update on European cyber regulation – with the year seeing landmark privacy rulings including the Right to Be Forgotten and data processing legislation at the top of many business agendas. However, Europe holds its breath for the crucial next 12-24 months as the EU decides on a major regulatory overhaul – here we discuss the impact of this overhaul on your business strategy.
09:40 - 10:20 Combatting Information Illiteracy in the Company
One of the most common complaints from business units about the IT team is the lack of understanding of the terminology employed by the Information Security and IT departments when discussing forward strategies for cyber security. In this one-to-one interview, we bring together a top CISO with a leading GC to discuss cutting through the confusion of IT terminology and structure, allowing better collaboration between business functions.
10:20 - 11:00 Fulfilling Fiduciary Duty of Board and Management
In the event of a cybersecurity-related incident, there is a concern lawsuits might challenge whether the corporate board and management have met their fiduciary and statutory duty to safeguard the company’s stock price and assets. In this session we will look at the key issues with duty -
- Does the organization fully understand its cybersecurity risk profile and related legal obligations?
- Is a sufficiently skilled cybersecurity leadership team in place to support our organization’s risk profile and strategy?
- Is it a multi-disciplinary team involving the IT organization, physical security (since, for example, a cyber-attack or data breach can be facilitated by unauthorized physical access to key persons or assets), HR, enterprise risk, compliance, communications (for crisis response)—and legal?
- Are our resources allocated such that our highest-value assets are protected?
- Are cybersecurity measures and thinking embedded and integrated throughout the business?
11:00 - 11:30 Tech Demo & Networking Break
11:30 - 12:10 Achieving Regulatory Compliance – Getting through the hoops of DLP
Depending on an organization’s industry and geographic presence, a number of data security and privacy laws and regulations may apply to it, such as EU data security and data breach notification laws, as well as the soon-to-be-introduced DLP Regulation. With an effective regulatory compliance programme, organisations can avoid broader types of liability and, at the same time, implement more effective cybersecurity measures within a compliant framework.
- Assessing security-related regulatory compliance obligations.
- Assessing sufficiency and efficiency of existing regulatory compliance efforts and how to streamline as needed
- Ensuring the incident response team is trained and prepared, and confirming that the process followed is fully coordinated with (if not part of) the cyber incident response
12:10 - 12:50 Infusing Security Into the Firm’s DNA
Most data breaches involve some kind of human action or inaction. It’s important that firms take steps to minimise risk and exposure from “the human layer” by making every employee responsible in some way for the security of the entire firm. All General Counsel and staff need to understand the consequences of a data breach — to the firm and its clients — and the importance of recognizing and reporting warning signs to mitigate threats and minimize damages. The obvious solution is employee training — but who takes this responsibility, and how can GCs drive it forward within the business?
12:50 - 14:00 Tech Demo & Networking Lunch
14:00 - 14:40 Best Practice Focus: How to Address Disclosure Obligations and Appropriate Communications in light of a Cyber breach
Across the globe, there are various levels of guidance on the topic, with different jurisdictions requiring different levels of disclosure, dependent on the organization and its peer companies (in terms of industry, size and sophistication). This presentation will run through the various scenarios and routes to communication of data leaks.
- What size leak justifies notification?
- How far should an organization be escalating the issue?
- At what point is it recommended to make a public statement?
14:40 - 15:20 Best Practice Roundtables
- Roundtable 1
- Roundtable 2
- Roundtable 3
- Roundtable 4
15:20 - 15:50 Tech Demo & Networking Break
15:50 - 16:30 Panel Session: Regulators’ Perspectives
Three key regulators come together to give their perspective on the ways organisations can approach the threat of cyber attacks and employ a robust legal framework to ensure that, should a breach occur, the organisation can stay ahead of its compliance requirements. With quick-fire 20-minute presentations followed by Q&A from the floor, this is the opportunity to clarify any grey areas in your organisation's cyber security programme.
16:30 - 17:10 Best Practice Focus: The Financial Impact of an Event on Business Interruption, Supply Chain and Operational Risks
Following a data breach, significant costs arise from forensic investigations, lawsuits, data breach notification expenses, regulatory investigations, regulatory fines, lawyers and consultants, PR professionals, and remedial measures. In the blink of an eye, these costs can quickly exceed £5 million or even £50 million in the few weeks after a reported cyber breach.
- How involved should the IT and InfoSec professional be in developing risk strategies for breaches?
- How can you protect against reputational damage?
- Where does your role sit within the decision-making unit when it comes to assessing the financial elements of a breach?