How to Prepare for New Corporate Cybersecurity Risks

President Obama's February 12 cybersecurity executive order titled “Improving Critical Infrastructure Cybersecurity” is aimed at owners and operators of critical infrastructure, such as power plants, natural gas and electric transmission and distribution systems, telecommunications, healthcare providers, major transportation operators, and other facilities that touch upon every segment of the U.S. economy.

The executive order directs federal agencies to improve cybersecurity for critical infrastructure by building a "framework" of voluntary cybersecurity standards. The framework will be based on existing standards and industry best practices. The executive order also directs the Department of Homeland Security (DHS) to share federal cyber intelligence reports of cyber threats with private industry. To accomplish this information sharing, the DHS will issue "Imminent Target Notices" and "Catastrophic Target Notices" to alert companies that they are the target of an imminent attack or that an attack on the company is expected to cause catastrophic damage regionally or nationally.

The same day as it issued the executive order, the White House also issued Presidential Policy Directive/PPD-21 that goes into further detail about the White House cybersecurity policy. However, the executive order and PPD-21 raise many significant questions and create serious challenges for critical infrastructure recipients of the federal cyber intelligence reports. Also, there could be significant changes to existing cyber incident and corporate reporting obligations that need to be considered, particularly for public companies in light of the Securities and Exchange Commission's Division of Corporate Finance "Disclosure Guidance" on cybersecurity.

This program will address the issues that will arise from implementation of the executive order and PPD-21, including:

• imminent and catastrophic threat notices
• recipient responsibilities and potential liabilities
• information sharing and disclosure obligations
• incidence response and recovery
• practical guidance
• financial risks
• insurance considerations

Speakers

Stephen J. Humes | Public Policy & Regulation Partner, Holland & Knight

Steven B. Roosa | Partner and Co-Chair of the Cybersecurity and Privacy Team, Holland & Knight

Richard Raysman | Technology and Intellectual Property Partner, Holland & Knight

Barnaby Page | Esq. and Director Breach Services, General Dynamics Fidelis Cybersecurity Solutions

Roland L. Trope | Partner, Trope and Schramm LLP; Adjunct Professor, Department of Law, U.S. Military Academy at West Point; ABA Cybersecurity Legal Task Force, Cybersecurity Subcommittee Co-Chair