The only practical, comprehensive cybersecurity event for the legal and compliance community.
John P. Carlin Partner
Paul, Weiss, Rifkind, Wharton & Garrison LLP
Former Assistant Attorney General, National Security Division U.S. Department of Justice
Trâm Phi General Counsel Databricks
Sam Singer Chief Counsel, Cyber Boeing
Miriam H. Wugmeister Partner Morrison Foerster LLP
February 28 & 29, 2024 • The Madison Hotel, Washington, DC
Join the legal and compliance community at this unprecedented conference on the most pressing, high stakes issues, including:
Angle-Right SEC Rules in Practice: Agency Expectations for Complying with the New Cyber Incident Breach Disclosure Rules –From Meeting the 4-Day Deadline and Beyond
Angle-Right Navigating the Complex Web of Federal, State and Foreign Laws and Regulations – and the Core Elements of a Global Cyber Compliance Program
Angle-Right Embedding Cybersecurity Into Your Critical Infrastructure Security and Resilience Policy: Concrete Examples and Lessons Learned
Angle-Right Case Study! Lessons from Weathering a Cyber Breach: Building a Resilient Cybersecurity Framework and Response Action Plan, and Working with the FBI
Angle-Right Generative AI and Cyber Risk Assessment and Mitigation: Evaluating How Your Organization is Vulnerable and How to Safeguard Against Artificial Intelligence Hacks
Supporting Sponsor
Associate Sponsors
With so much at stake, ensure your organization’s cyber program is fully incorporating (and reconciling) a complicated web of federal, state and international requirements. Assess whether or not your organization is equipped to satisfy SEC, FTC and more agencies’ expectations.
Join ACI’s National Conference on Cybersecurity Law & Compliance – the country’s only practical, comprehensive event for the legal and compliance community.
Angle-Right Q&A State Legislative Panel: Cyber and Privacy Updates
Angle-Right Global Compliance: Reconciling U.S. and International Regulations
Angle-Right In-House Perspectives: Updating and Implementing Your Cyber Risk Management Strategy for Meeting Agencies Expectations
Angle-Right Plaintiff Attorney Insights: Examining New, Emerging Litigation Trends
With conferences in the United States, Europe, Asia Pacific, and Latin America, the C5 Group of Companies: American Conference Institute, The Canadian Institute, and C5 Group, provides a diverse portfolio of conferences, events and roundtables devoted to providing business intelligence to senior decision makers responding to challenges around the world.
Don’t miss the opportunity to maximize participation or showcase your organization’s services and talent. For more information please contact us at: SponsorInfo@AmericanConference.com
Accreditation will be sought in those jurisdictions requested by the registrants which have continuing education requirements. This course is identified as nontransitional for the purposes of CLE accreditation.
ACI certifies this activity has been approved for CLE credit by the New York State Continuing Legal Education Board.
ACI certifies this activity has been approved for CLE credit by the State Bar of California.
ACI has a dedicated team which processes requests for state approval. Please note that event accreditation varies by state and ACI will make every effort to process your request.
Questions about CLE credits for your state? Visit our online CLE Help Center at www.AmericanConference.com/Accreditation/CLE/
Wednesday, December 6, 2023 • 1:00 PM – 2:00 PM EST
REGISTER NOW
John P. Carlin Partner
Paul, Weiss, Rifkind, Wharton & Garrison LLP
Former Assistant Attorney General, National Security Division, U.S. Department of Justice
Miriam H. Wugmeister Partner
Morrison Foerster LLP
Beginning December 18, 2023, the U.S. Securities and Exchange Commission (SEC) will require companies to disclose material cybersecurity incidents within four days, and adopt annual reporting regarding their cybersecurity risk management, strategy and governance. The new SEC rules will come into effect amid further requirements from other agencies and intensifying enforcement by the Federal Trade Commission (FTC).
Is your organization truly ready to meet the SEC’s new cybersecurity disclosure and reporting requirements?
On the heels of the rules coming into effect, attend this complimentary webinar to gain further clarity and actionable takeaways on high stakes issues, including:
• What is the SEC’s expectation for incident reporting within four days, and specifically the expectation for a Form 8-K and Form 10-K filing
• Defining a “material” cybersecurity incident as reaching a threshold reasonable investors consider important to their decision-making
• Updating initial reporting, and what is expected in follow-up reports
• Assessing the incident effects, remediation efforts, cyber insurance impacts, and estimated costs of a breach
CONFERENCE CO-CHAIRS
John P. Carlin
Partner, Paul, Weiss, Rifkind, Wharton & Garrison LLP
Former Assistant Attorney General, National Security Division U.S. Department of Justice
Trâm Phi
General Counsel Databricks
Sam Singer Chief Counsel Cyber Boeing
Miriam H. Wugmeister Partner Morrison Foerster LLP
Lauren Boas Hayes
Senior Advisor for Technology and Innovation
Cybersecurity and Infrastructure Security Agency (CISA)
Nikki R. Harding
Deputy Assistant Administrator of Compliance – Security Operations Transportation Security Administration (TSA)
Todd Hemmen
Cyber Technical Analytics and Operations Section, Cyber Division Federal Bureau of Investigation (FBI)
Dave Hirsch
Chief, Crypto Assets and Cyber Unit, Division of Enforcement
U.S. Securities and Exchange Commission
Kathy Konieczny
Assistant General Counsel for Energy Delivery and Resilience U.S. Department of Energy
Dr. David Mussington
Executive Assistant Director for Infrastructure Security Cybersecurity and Infrastructure Security Agency (CISA)
Jesse Sloman
Deputy Chief Cyber Officer for Operations State of New York, New York State Executive Chamber
Alejandro Rosenberg
Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
Christopher Terranova Senior Trial Counsel U.S. Department of Justice, Civil Division, Fraud Section
Bryan A. Vorndran Assistant Director, Cyber Division Federal Bureau of Investigation (FBI)
IN-HOUSE FACULTY
Joanna Baltes
Assistant General Counsel
Cybersecurity & Privacy Exelon
Benjamin Benhan
Privacy, Data Governance & Cybersecurity Attorney eBay
William Bracker
Senior Corporate Counsel, Privacy Cox Communications
Melissa Causey Chai
Cyber Product Development Lead AIG
Nadia Hoyte
Partner, National Practice Cyber Lead USI Insurance Services
Ali Karshan
Managing Director, General Counsel for Cybersecurity Citigroup Inc.
Benjamin Kastan
Senior Counsel for Data Protection and Cybersecurity Visa
Sandeep Kathuria
Assistant General Counsel (Cybersecurity and Government Contracts) L3Harris
Alexandria Lutz
Senior Corporate Counsel – Privacy Nordstrom Inc.
Laurie J. Mandell
Assistant Vice President, Cyber Claims, North America Financial Lines Chubb
Rachael Pashkevich Koontz
Senior Corporate Counsel, Cybersecurity Compliance T-Mobile
Richard Peterson
Senior Corporate Counsel, Security & Trust Cisco
Johnathan Rudy Senior Counsel, Cybersecurity, Data Protection, Privacy, TransUnion
Kimberly Udovic Vice President, Assistant General Counsel, Regulatory Toyota Motor North America Inc.
Emily Voorheis VP & Corporate Counsel, Law Department Marriott International
Igor Volovich Vice President of Compliance Strategy Qmulos
Joseph Whitehead Senior Corporate Counsel, Information Security, Government Contracts, Operations Northrop Grumman Corporation
Julie K. Bracker Partner Bracker & Marcus LLC
Charu Chandrasekhar Partner, Debevoise & Plimpton Former, Assistant Regional Director, Division of Enforcement U.S. Securities and Exchange Commission
Elizabeth R. Dill Partner Mullen Coughlin LLC
Brian Lichter Vice President Stroz Friedberg
Stephen Lilley Partner, Cybersecurity & Data Privacy Mayer Brown LLP
Colman McCarthy Partner
Shook Hardy & Bacon LLP
Lynn Neils Partner Foley Hoag LLP
Paul Otto Partner, Privacy and Cybersecurity Hogan Lovells US LLP
James J. Pizzirusso Partner Hausfeld LLP
Sabita J. Soneji Partner
Tycko Zavareei LLP
Lisa J. Sotto Partner
Hunton Andrews Kurth LLP
Julia Tama Partner Venable LLP
Daniel S. Wolf Director of Cybersecurity Services Venable LLP
There are approximately 11 states with a comprehensive cyber and data privacy law, including California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana and Texas. Plus, in 2022-2023, 16 states introduced privacy bills to address concerns, including biometric identifiers and health data.
This session will provide a roadmap to the different privacy and cybersecurity laws across the country and a status report on their expected implementation, comment periods and proposal stages.
In addition to speaker-prepared reference materials, attendees will also benefit from smaller-group discussion and extended Q&A.
Topics will include:
• California: California Consumer Privacy Act (2018)
• Colorado: Colorado Privacy Act (CPA) (2021)
• Connecticut: Senate Bill – An Act Concerning Artificial Intelligence, Automated Decision-Making and Personal Data Privacy (2023)
• New York State: Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)(2020)
• Texas: Texas Data Privacy and Security Act (2023)
• Virginia: Virginia Consumer Data Protection Act (VCDPA)
Benjamin Kastan
Senior Counsel for Data Protection and Cybersecurity Visa
Alexandria Lutz
Senior Corporate Counsel – Privacy Nordstrom Inc.
Colman McCarthy Partner Shook Hardy & Bacon LLP
B1:30–5:00 (Registration Opens 1:00 p.m.)
Document Swap: A Practical Guide to Cyber and Incident Response Policies and Crisis Management
Ensure your cyber incident response policy is covering all the necessary components. During this interactive session, delegates will work through policy drafts, discussing their strengths and weaknesses, and grey areas. Policies will be evaluated based on whether they are realistic, attainable and compliant.
• Policies for information security, including defining access management, who has access to information, which information, and under what circumstances
• Mapping your data breach management plan and Incident Response Plan
• Defining technical teams in charge of patch management and maintenance
• Policies for Employee Devices, Acceptable Use and Security Policy
• Delineating device security measures, including prohibited applications on personal devices
How would you and your organization respond to a cyber breach? Join this interactive segment with hypothetical scenarios to work through expected and lesser-known scenarios, actions and outcomes.
• Recognizing and shutting down a cyber attack
• Determining the severity of the breach
• Identifying the source of the breach
• Examining the logical flow of events for incident response
• Actualizing the flow of communication and decision-making at each stage
• Analyzing the strategies and motivations of threat actors
• Understanding the role of government agents in a ransomware investigation, including investigating threats to national security
• Communicating with victims and cooperating with authorities, including subpoenas and search warrants
William Bracker
Senior Corporate Counsel, Privacy Cox Communications
Johnathan Rudy
Senior Counsel, Cybersecurity, Data Protection, Privacy, TransUnion
Elizabeth R. Dill Partner Mullen Coughlin LLC
7:30 Registration & Breakfast
John P. Carlin Partner, Paul, Weiss, Rifkind, WhartoN & Garrison LLP
Former Assistant Attorney General, National Security Division U.S. Department of Justice
Morrison Foerster LLP
Dave Hirsch
Chief, Crypto Assets and Cyber Unit, Division of Enforcement U.S. Securities and Exchange Commission
9:45 SEC RULES IN PRACTICE: Expectations and Compliance with the New Cyber Disclosure Rules for Meeting the 4-Day Deadline and Beyond
Under the SEC’s newly adopted cybersecurity risk management rules, public companies are now required to disclose a cyber breach publicly and within four days.
This session will unpack the practical implications of the rules and key missteps to avoid:
• SEC’s expectations for incident reporting within four days, and specifically the expectation for a Form 8-K and Form 10-K filing
• Updating initial reports, and what is expected in follow-up reports
• Defining a “material” cybersecurity incident as reaching a threshold reasonable investors consider important to their decision-making
• Assessing the incident effects, remediation efforts, cyber insurance impacts, and estimated costs of a breach
Joanna Baltes Assistant General Counsel Cybersecurity & Privacy Exelon
Ali Karshan Managing Director, General Counsel for Cybersecurity Citigroup Inc.
Charu Chandrasekhar Partner
Debevoise & Plimpton
Former, Assistant Regional Director, Division of Enforcement U.S. Securities and Exchange Commission
This session will examine how cyber should be incorporated into critical infrastructure security and resilience policy. The current policy covers 16 critical infrastructure sectors which are considered vital to US security, national economic security and national public health or safety.
• Defining critical infrastructure, how it applies to different sectors and how it may be redefined under updated policy
• Examining CISA’s role to support state and industry partners
• Identifying essential workers needed to maintain services and functions for American’s daily functions
• Hypothesizing potentially debilitating national security, economic, public health or safety consequences of a cyber breach and safeguarding against this possibility
• Examining reporting requirements following a breach
Nikki R. Harding Deputy Assistant Administrator of Compliance – Security Operations Transportation Security Administration (TSA)
Kathy Konieczny Assistant General Counsel for Energy Delivery and Resilience U.S. Department of Energy
Sam Singer Chief Counsel, Cyber Boeing
Joseph Whitehead
Senior Corporate Counsel, Information Security, Government Contracts, Operations Northrop Grumman Corporation
Dr. David Mussington Executive Assistant Director for Infrastructure Security
Cybersecurity and Infrastructure Security Agency (CISA)
Hear directly from leading counsel who have advised on some of the most significant cyber breaches and delve into the critical – and unexpected – steps that were taken to identify, communicate and repair the breach damage.
• Communicating with the FBI, including timelines
• Examining the hack tactics, trends and how vulnerabilities are being exploited
• Reviewing timelines of a breach and lessons learned
John P. Carlin
Partner, Paul, Weiss, Rifkind, WhartoN & Garrison LLP
Former Assistant Attorney General, National Security Division U.S. Department of Justice
Lisa J. Sotto Partner Hunton Andrews Kurth LLP
Bryan A. Vorndran
Assistant Director, Cyber Division Federal Bureau of Investigation (FBI)
• Developing a cybersecurity risk management strategy to identify material risks, assess potential impacts, and detail efforts to manage them
• Establishing and documenting cybersecurity policies and procedures and reviewing annually
• Disclosing whether a company has designated a cybersecurity expert at the board level
• Reporting when a board member, board committee, or other governance body within the company has oversight of cybersecurity
• Considering cyber expertise when assembling the board of directors
• Incorporating cybersecurity disclosure into proxy statements and annual reports
Hear directly from state legislative representatives as they discuss how cybersecurity measures are being incorporated into state laws. Discuss how state laws work in concert with federal laws and regulations and where there are gaps. Join this an interactive Q&A session.
Sandeep Kathuria Assistant General Counsel (Cybersecurity and Government Contracts)
L3Harris
Richard Peterson Senior Corporate Counsel, Security & Trust Cisco
Kimberly Udovic Vice President, Assistant General Counsel, Regulatory Toyota Motor North America Inc.
Igor Volovich Vice President of Compliance Strategy Qmulos
Daniel S. Wolf Director of Cybersecurity Services Venable LLP
Jesse Sloman Deputy Chief Cyber Officer for Operations State of New York, New York State Executive Chamber
Lauren Boas Hayes Senior Advisor for Technology and Innovation Cybersecurity and Infrastructure Security Agency (CISA)
Brian Lichter Vice President Stroz Friedberg
7:30 Registration Opens
John P. Carlin
Partner, Paul, Weiss, Rifkind, Wharton & Garrison LLP
Former Assistant Attorney General, National Security Division U.S. Department of Justice
Miriam H. Wugmeister Partner
Morrison Foerster LLP
Sam Singer Chief Counsel Cyber Boeing
Trâm Phi General Counsel Databricks
Enjoy breakfast and join this highly anticipated, early riser session! Examine how the surge in Generative Artificial Intelligence usage is affecting cybersecurity and national security. Ensure that you are up-to-speed on the emergence of deep fakes being used to trick employees, and how generative AI is being used to sift through line codes to find organizational vulnerabilities. Learn how to safeguard against emerging AI risks as you update your cyber program.
• Examining how AI will interpret malicious actors versus imbedded bias
• Using AI red and blue teams to determine weaknesses in your system
• Debating the dangers of using generative AI as part of a cybersecurity system, including incorrect information
• The False Claims Act and qui tam enforcement, including discussion of early cases under the Department of Justice’s Cyberfraud Initiative
• Investigation into OpenAI, creator of ChatGPT, and the potential that the chatbot has caused consumer harm through data collection
• First time enforcement action under FTC’s Health Breach Notification Rule, with a look at GoodRx Holdings Inc.
• Putting health-app companies “on notice” to protect consumer data privacy, with a look at the Amazon acquisition of One Medical
• Settlement with Easy Healthcare Corporation
10:30 Networking Break
User-Alt
Benjamin Benhan Privacy, Data Governance & Cybersecurity Attorney eBay
Stephen Lilley Partner, Cybersecurity & Data Privacy Mayer Brown LLP
Julie K. Bracker Partner Bracker & Marcus LLC
Alejandro Rosenberg Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
Julia Tama Partner Venable LLP
Christopher Terranova Senior Trial Counsel U.S. Department of Justice, Civil Division, Fraud Section
Through a review of real-life and hypothetical cases, audience members will benefit from concrete examples of how to navigate the question of paying ransomware-and the risks and aftermath.
• The pros and cons of paying ransomware
• Making the right call: Key factors guiding the decision to pay ransomware-or not
• Analyzing the strategies and motivations threat actors use for a ransomware attack
• The role of government agents in a ransomware investigation, including investigating threats to national security
• Communicating with victims, including voluntary cooperation, subpoenas and search warrants
Miriam H. Wugmeister Partner Morrison & Foerster PPL
Melissa Causey Chai Cyber Product Development Lead AIG
Todd Hemmen Cyber Technical Analytics and Operations Section, Cyber Division Federal Bureau of Investigation (FBI)
Under the New SEC Rules–and
Delegates are invited to join this dynamic session to work through hypothetical scenarios and a debate between speakers on what is “material” in the context of a breach. Via our anonymous audience polling system, audience members will be able to ick the winner!
• Determining what is a “material” breach under Form 8-K standards for a cyber incident
• Defining what is an “incident” and whether it needs to be reported and to whom
• Determining how much to disclose, what is material to the breach, and the Affirmative Disclosure Rule
• Who determines what is material within your organization and the process and criteria for assessing what is material
• Determining whether a shareholder would consider the incident important in making an investment decision
• When to “start the clock” for complying with the SEC reporting deadlines
• Mapping communication standards within the company and to stakeholders
• What is privileged information that cannot be disclosed
• What constitutes disclosing the whole breach, and what are grey areas
• What can emerge during discovery and potentially lead to litigation
• Regulatory implications of not providing a full disclosure
12:30 Networking Luncheon
Lynn Neils Partner Foley Hoag LLP
Paul Otto Partner, Privacy and Cybersecurity Hogan Lovells US LLP
1:45 Cyber Compliance Program Benchmarking Session—from Organizational Structure to Reporting and More
• What is the industry standard, and what are reasonably good cybersecurity standards
• Implementing a compliance program and keeping up with annual reporting standards
• Organizational structure, working effectively with cross-functional teams including compliance, legal and tech departments
Rachael Pashkevich Koontz Senior Corporate Counsel, Cybersecurity Compliance T-Mobile
Emily Voorheis VP & Corporate Counsel, Law Department Marriott International
• Developments in Standing in Data Privacy Cases
• Developments in Damages in Data Privacy Cases
• Healthcare Ransomware Attacks and Resulting Class Actions
• Settlements in Data Breach Class Actions
James
Sabita
• Analyzing the impact of cyber insurance on your business
• Reviewing the types of disclaimers that are now being used – what is and is not covered
• Examining how insurance claims are being handled
• How is a cyber insurance claim different than other claims
• What is covered under the scope of Indemnity?
• Coverage of ransomware paid by the customer
• Costs of investigating and remediating the breach
• Regulatory fines as a result of a cyber incident - and the impact on insurance coverage
Laurie
C5 celebrates 40 years of excellence! We are thrilled to have provided exceptional conference experiences globally with our outstanding team, speakers, sponsors, partners, and attendees. To mark this milestone, we're launching a new logo which represents our commitment to innovation, growth, and excellence, represented by the five Cs of C5: Current, Connected, Customer-Centric, Conscientious, and Committed.
Looking back on 40 years, we are grateful for our achievements—hosting global conferences, uniting industry leaders, and supporting business growth. However, we are not done yet! We are committed to pushing boundaries and creating impactful experiences and we're excited for the next 40 years of success.
Venable is a firm of trusted advisors serving businesses, organizations, and individuals in many of the most important aspects of their work. Our
virtually every industry and all areas of regulatory and government affairs, corporate and business law, intellectual property, and complex litigation.
delivering services around the world, we help clients connect quickly and effectively to the experience and insights key
