Agenda
Pre-Conference Workshops
January 28, 2025
Guillermo S. Christensen, Partner, K&L Gates LLP
Day 1
January 29, 2025
Registration & Breakfast
Adam Cohen, Senior Director, Associate General Counsel for Cybersecurity, Capital One
Charu Chandrasekhar, Partner, Debevoise & Plimpton; former Assistant Regional Director, Division of Enforcement, and Chief, U.S. Securities and Exchange Commission
Joseph Whitehead, Senior Corporate Counsel, Cyber & Privacy, Northrop Grumman Corporation
FIRESIDE CHAT
What May Be Eligible for a National Security Exception from the Four-Day SEC Deadline
Eun Young Choi, Deputy Assistant Attorney General, National Security Division, U.S. Department of Justice
This session will discuss the circumstances under which the U.S. government will grant an exception allowing a cybersecurity disclosure filing to be delayed beyond the four-business-day deadline. AT&T made a delayed disclosure filing, citing "national security and public safety concerns," in July 2024.
- Examining when and how the exception applies
- Exploring insights into the decision-making process
- How AI is being viewed both as a risk and as a compliance tool
SEC Disclosure Rule and Materiality One-Year In: Trends in the Number and Types of Filings, Holding Statements and the Aftermath
David Hirsch, Partner, McGuireWoods LLP; former Chief, Crypto Assets and Cyber Unit, Division of Enforcement, U.S. Securities and Exchange Commission
Jorge G. Tenreiro, Deputy Chief, Crypto Assets and Cyber Unit, Division of Enforcement, U.S. Securities and Exchange Commission
Join this session for a one-year review and status report on how the SEC disclosure rule is working in practice, where the growing pains are, and what businesses can learn from the first twelve-plus months.
- Overview of what the government is seeing in terms of the number of filings, and trends in the numbers
- Examining whether companies are demonstrating compliance, whether that is sufficient, and where companies could be reporting more fully
- How many "holding statements" are being submitted to say that an incident has occurred, without saying whether it is "material"
- How different industries have interpreted and applied the rule
- The required level of detail in reporting
Networking Break
The New York State Department of Financial Services (NYDFS) has announced updated cybersecurity regulations to strengthen cyber governance, mitigate risk, and protect New York businesses and consumers from cyber threats, touted as a "first in the nation." These requirements are in addition to the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).
Kimberly J. Shur, Senior Vice President, Global Compliance Counsel & Privacy Officer, Marriott International Inc.
Marc Rothenberg, Chief Legal Officer, Cybersecurity, Data Privacy, and AI Law, Prudential Financial
Jocelyn J. Hunter, Vice President & Deputy General Counsel, The Home Depot
Hear directly from representatives who have experienced a cyber breach and delve into the critical – and unexpected – steps that were taken to identify, communicate and repair the breach damage.
- Communicating with the FBI including timelines
- Examining attacker tactics and trends, and how vulnerabilities are being exploited
- Reviewing timelines of a breach and lessons learned
Networking Luncheon
Britt Ide, Board Director, NorthWestern Energy, PowerGEM LLC and Technosylva
Brian Levine, Managing Director, Cybersecurity & Data Privacy, EY-Parthenon
Sonita Lontoh, Board Director, Sunrun and TrueBlue; Advisor, Sway Ventures
John P. Carlin, Partner, Paul, Weiss, Rifkind, Wharton & Garrison LLP; former Assistant Attorney General, National Security Division, U.S. Department of Justice
Join this session to learn more about board members' cybersecurity priorities, how best to communicate cyber concerns to board members, and how companies need to interact with the board in accordance with the SEC disclosure rules.
Amy Waller Apostol, Assistant General Counsel, Cyber & Emerging Technologies Legal Department, Leidos
Joanna Baltes, Chief Cybersecurity Counsel, Americas, IBM
Adam Cohen, Senior Director, Associate General Counsel for Cybersecurity, Capital One
Monique Ferraro, Cyber Counsel, HSB
- Assessing how a cyber incident will impact business from a macro lens
- Strategizing how the company will react to a cyber attack and ensuring policies are in place
- Implementing redundancy that does not depend on the affected technology, and demonstrating that you can switch providers
- Anticipating the impact on supply chains, vendors, partners and clients
- Assessing the damage: Determining if you can continue to provide service, pay employees and perform other critical business functions
- Implementing the necessary safeguards to protect from further damage and mitigate the risk of a future incident
- Updating your disaster analysis and recovery plan
- Strengthening your security safeguards and protocols
Networking Break
Communicating in a Crisis: Executing a Comprehensive Communication Plan and Controlling the Message to the Board, Employees, Media and Beyond
Ali Karshan, Global Head of Information Security and Incident Response Legal, TikTok
Christine Ricci, General Counsel, Global Security & Digital Technology, GE Aerospace
Kimberly Peretti, Partner, Co-leader of the Privacy, Cyber & Data Strategy Team, Alston & Bird LLP
- Controlling the message internally and externally: what is being said to the government, the public, the board, employees, and customers and clients
- Responding to government reporting agencies in a timely and accurate fashion
- Proactively addressing what the attacker is saying about your company to the media
- Getting the correct team of experts in front of the board to address questions
- Supporting employees who are being targeted or exploited by attackers
- Knowing what is and is not covered by insurance, including ransomware, property and political violence insurance
- Documenting events for reporting purposes
- Coordinating with law enforcement on the response and remediation
- Avoiding negative consequences of not communicating
- Exploring how company culture impacts crisis communication
Emily Lowe, Senior Vice President, Cyber Practice Leader, Hudson Insurance Group
Monique Ferraro, Cyber Counsel, HSB
- Delineating what insurance will and will not cover, including ransomware, property damage and political violence insurance
- Considering options when ransomware is excluded from insurance
- Identifying your company’s weak points and exposure, what insurance type is needed, and covering your assets.
- Calculating the cost of company exposure versus the affordability of insurance
- Demystifying policy language so that you understand what you are actually purchasing. It can be difficult to know what you are buying: for example, if a cyber event causes a physical event such as a fire, your insurance may cover the fire but not the computers.
- Involving insurance brokers in privileged legal counsel discussions
Closing Remarks from the Conference Co-Chairs
Day 2
January 30, 2025
Registration Opens
Charu Chandrasekhar, Partner, Debevoise & Plimpton; former Assistant Regional Director, Division of Enforcement, and Chief, U.S. Securities and Exchange Commission
Adam Cohen, Senior Director, Associate General Counsel for Cybersecurity, Capital One
Joseph Whitehead, Senior Corporate Counsel, Cyber & Privacy, Northrop Grumman Corporation
Katherine Doty Hanniford, Partner, Privacy, Cyber & Data Strategy Practice, Alston & Bird LLP
- Examining the threat actor landscape, where are the threats, how are they manifesting, and what is the impact on companies and business
- Gauging the level and intensity of cyber attacks
- Lessons learned from recent cyber incidents, including:
  - Interactions with the hacking groups Scattered Spider and LockBit
- What government agencies are doing to combat cyber attackers
- Paying or not paying a ransom, and the considerations when sanctions are involved
- Best practices for negotiating with attackers
EU CYBER COMPLIANCE
How to Satisfy DORA, NIS2 and Other EU Requirements: Overcoming Hurdles to Implementation in the U.S.
Siobhan Gorman, Partner, Cybersecurity, Data & Privacy Global Co-Lead, Brunswick Group
Chris Hale, Senior Director and Associate General Counsel for Cyber and National Security, Cisco Systems
The EU is leading the charge in cybersecurity regulation and U.S. companies need to brace for impact. This session will address current and incoming European legislation and regulations that will affect global businesses. NIS2, the revised Network and Information Security (NIS) Directive, took effect in October 2024, introducing more detailed incident reporting requirements and timelines.
- Identifying which sectors and companies will be expected to comply, such as cloud services and critical infrastructure
- Outlining the reporting requirements
- Redesigning software and systems to meet the new requirements
- Reporting vulnerabilities in your software
DORA, the Digital Operational Resilience Act, applies to financial institutions and their ICT service providers as of January 2025.
- Reducing risk from ICT service providers and third-party vendors
- Meeting requirements for IT risk management and operational resiliency
AI Risk and Policy, and the Interplay with Cyber: Implementing AI Policy within a Risk Management Function
Lynn M. van Buren, Counsel, Spire Global
David Kessler, Vice President & Associate General Counsel, IT & Cybersecurity, BAE Systems Inc.
Christine Ricci, General Counsel, Global Security & Digital Technology, GE Aerospace
Alejandro Rosenberg, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
- Surveying how the different U.S. states are regulating Artificial Intelligence, what provisions are being included and how companies need to be thinking about incoming regulations.
- Defining what is and what is not Artificial Intelligence and the scope of your policy. Going beyond ChatGPT
- Examining what kind of Artificial Intelligence your company already has
- Estimating your company’s AI risk tolerance and whether it is appropriate for your business
- Creating a policy and guidelines
- Setting up an AI oversight program
- Implementing parameters: what you are allowing within your business, and options for opting in to or out of AI when it is incorporated into solutions
- Knowing how your third-party providers are using AI and how that may expose your company to risk
- Examining the risk of becoming too dependent on a tool
Networking Break
Third Party Management
Vetting Third Party, Business Partner and Supply Chain Cyber Controls: Assessing Risks and Vulnerabilities
Jonathan Gannon, Chief Cyber and Privacy Counsel, Chief Privacy Officer, GE Vernova
Viet C. Tran, Senior Director & Associate General Counsel, Cybersecurity, RTX Corporation
- Monitoring how your third-party providers interact with your data, what line of sight they have, and what the contracts say
- Benchmarking market standards for third-party contracts and what a conservative contract includes
- Identifying which regulations apply, how they overlap or differ, and to which vendor types
- Determining how deeply the security department goes in its risk assessment
- Evaluating vendors: how the IT team and the legal team each vet a vendor
- Determining what is acceptable risk
- Onboarding new vendors and evaluating the risk
Critical Infrastructure Security and Resilience Policy: The Industry Requirements and the Current Status of the CIRCIA Rule
Terry Kalka, Director, DC3 DCISE
Sam Singer, Chief Counsel, Cyber, Boeing
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) directs the Cybersecurity and Infrastructure Security Agency (CISA) to require covered entities to report covered cyber incidents and ransomware payments; under the statute, covered incidents must be reported within 72 hours and ransom payments within 24 hours once the final rule is in effect. This session will examine how cyber should be incorporated into critical infrastructure security and resilience policy. Current policy designates 16 critical infrastructure sectors considered vital to U.S. security, national economic security, and national public health or safety.
- Adhering to CISA reporting timeframes
- Identifying which business categories are captured and how critical infrastructure is defined, how it applies to different sectors, and how it may be redefined under updated policy
- Examining CISA's role in supporting state and industry partners
- Identifying the essential workers needed to maintain the services and functions that Americans rely on daily
- Hypothesizing potentially debilitating national security, economic, public health or safety consequences of a cyber breach and safeguarding against this possibility
- Examining reporting requirements following a breach
Networking Luncheon
Billee Elliott McAuliffe, Member & Data Protection Practice Group Leader, Lewis Rice LLC
Eric J. Ellman, Senior Vice President, Public Policy and Legal Affairs, Consumer Data Industry Association
Hear directly from state legislative representatives as they discuss how cybersecurity measures are being incorporated into state laws. Discuss how state laws work in concert with federal laws and regulations and where there are gaps. Join this interactive Q&A session.
Striking Down the Chevron Doctrine: How the Supreme Court and Lower Courts Will Now Be Approaching Legal Interpretation—and the Impact on Cyber Compliance
Myriah V. Jaworski, Member, Clark Hill PLC
The U.S. Supreme Court issued a landmark decision in Loper Bright Enterprises v. Raimondo (2024) overturning Chevron U.S.A. v. Natural Resources Defense Council (1984) and the federal judiciary's standing practice of deferring to government agencies' reasonable interpretations of ambiguous federal laws. This session will delve into what this precedent-setting decision will mean for the government agencies regulating the emerging cyber space.
- Exploring the practical impact of the Supreme Court decision
- Calculating how much authority government agencies have in the eyes of the court
Networking Break
Alyson Weckstein Tiegel, Assistant General Counsel, Cybersecurity, Wells Fargo Bank
Sandeep Kathuria, Senior Counsel, Ice Miller LLP
CrowdStrike Software Update
Not a cyberattack, but the faulty July 2024 software update caused widespread outages and business disruption.
- Defining what is considered a cyber incident, what is material, and what is filed in the Form 8-K
- Delineating fault when there is a business disruption, recouping costs and indemnification
- How is this treated under the cybersecurity rule
Change Healthcare and Optum Attack
The healthcare technology company Change Healthcare, a subsidiary of Optum, experienced a cyberattack in February 2024 that affected millions of patients and disrupted claims processing across the U.S. healthcare system.
SolarWinds and Lawsuit against CISO
The Securities and Exchange Commission charged SolarWinds and its CISO with fraud and internal control failures relating to the company's cybersecurity risk disclosures.
- Exploring the extent of personal liability
- Testing how companies are presenting themselves as secure, and is the company doing what is advertised
ICBC Cyberattack
- Exploring business continuity in the midst of an attack and business resiliency
Microsoft GDPR Violation
A Microsoft-owned advertising company, Xandr, is accused of violating EU privacy law under the General Data Protection Regulation (GDPR).
- Controlling subsidiaries and the reputational risk
- Examining the EU GDPR complaint process and possible fines
David K. Lietz, Senior Partner, Milberg Coleman Bryson Phillips Grossman, LLC
Kenya Reddy, Attorney, Morgan & Morgan Complex Litigation Group
- Approaching a lawsuit from the plaintiff’s perspective
- Examining what steps companies can take to minimize litigation action
- Exploring who owns data, who can access it, what is a transaction, and where liability may lie
- Ensuring your general counsel is in good standing
- Preparing and responding to litigation
- Clarifying where liability may be for an individual