CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

Size: px
Start display at page:

Download "CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016"

Transcription

1 CLE Alabama Banking Law Update Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016 Best Practices on Managing Cyber-Security Risks J.T. Malatesta III and Sarah S. Glover Maynard Cooper & Gale PC Birmingham

2 Best Practices on Managing Cybersecurity Risks J.T. Malatesta Sarah Glover Cybersecurity Practice Group February 19, 2016 Maynard, Cooper & Gale, P.C th Avenue North 2400 Regions/Harbert Plaza Birmingham, Alabama (205) Overview of the Risk Regulatory Risk Legal Risk Financial Risk Malatesta & Glover - 1

3 Data Breach Costs Ponemon Institute 2015 Cost of Data Breach Study: United States Avg. cost per record = $217 Avg. cost per record = $217 Regulatory Priority Malatesta & Glover - 2

4 Recent Regulatory Guidance Alabama State Banking Department Cybersecurity Risk Management Memorandum (Jan. 2016) SEC Cybersecurity Examination Initiative (Sept. 2015) FFIEC Cybersecurity Assessment Tool (July 2015) DOJ Best Practices for Incident Response (Apr. 2015) FFIEC Cybersecurity Priorities (Mar. 2015) FINRA Report on Cybersecurity Practices (Feb. 2015) FFIEC Cybersecurity Assessment General Observations (Nov. 2014) Malatesta & Glover - 3

5 Key Themes Regulatory Focus: Corporate Governance Risk Assessment Security Safeguards Incident Response Planning Vendor Management Security Awareness Training Information Sharing Cyber Insurance CORPORATE GOVERNANCE Malatesta & Glover - 4

6 Corporate Governance Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk and there can be little doubt that cyber-risk also must be considered as part of a board s overall risk oversight...ensuring the adequacy of a company s cybersecurity measures needs to be a critical part of a board of director s risk oversight responsibilities...boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own risk. - Luis A. Aguilar, Commissioner of the SEC (June 10, 2014). Corporate Governance Boards should play a leadership role in overseeing firms cybersecurity efforts. -Report on Cybersecurity Preparedness, FINRA (Feb. 2015) We are to move cybersecurity from the server room to the board room by ensuring that our bank directors are aware of the tremendous risks posed by cybersecurity issues. -Mark Moylan, FDIC Deputy Director of Operational Risk (Aug. 2015) Malatesta & Glover - 5

7 Corporate Governance Routinely discussing cybersecurity issues in board and senior management meetings will help the financial institution set the tone from the top and build a security culture. Strong governance includes clearly defined roles and responsibilities that assign accountability to identify, assess, and manage cybersecurity risks across the financial institution...financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerabilities so they may evaluate risk and respond accordingly. - FFIEC Cybersecurity Assessment General Observations, Nov. 3, Corporate Governance General Risk Management Delegation of Oversight Frequency of Briefings Resources Risk Assessments Products and Services Technologies Connectivity Risks Cybersecurity Controls Policies and Procedures Internal Controls Data Classification Malatesta & Glover - 6

8 Corporate Governance Threat Awareness and Collaboration Current Threat Landscape Internal Awareness/Employee Training External Information Gathering/ Sharing Third Party and Vendor Relationships Cyber Due Diligence Contractual Relationships Oversight Cybersecurity Incident Management and Response Response plan Escalation of Events Notification to External Parties Cyber Insurance Palkon v. Holmes (D. N.J. Oct. 20, 2014) After Wyndham s Board of Directors refused to bring a lawsuit on the company s behalf following the data breach, Plaintiff, who owned Wyndham shares at the time of the breach, brought a shareholder derivative suit. The lawsuit was dismissed; the Court held that the Board s decision not to bring a lawsuit did not violate the business judgment rule. Factors: The Board discussed cyber-attacks, Wyndham s cybersecurity policies, and proposed cybersecurity enhancements at 14 Board meetings between Oct and Aug Audit Committee reviewed the same matters at 16 different meetings during that period. As part of its investigation into the data breach, the Board hired tech firms to investigate each breach and issue recommendations on enhancing security, which the company began implementing following the second and third breaches. Malatesta & Glover - 7

9 INCIDENT RESPONSE PLANNING What would you do if an employee reports to you that 10,000 customer records are currently posted on Google? Malatesta & Glover - 8

10 Incident Response Planning Documenting the procedures used for incident detection and response and providing detailed metrics on cyber incidents will inform management and the board and supports the timely escalation and decision making in the event of cyber attacks. -FFIEC Cybersecurity Assessment General Observations, Nov. 3, Incident Response Planning A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs...having well-established plans and procedures in place for managing and responding to a cyber intrusion or attack is a critical first step toward preparing an organization to weather a cyber incident. -DOJ Best Practices for Victim Response and Reporting of Cyber Incidents (Apr. 2015) Malatesta & Glover - 9

11 Incident Response Planning Most important factor in decreasing the cost of a data breach. Without it: Inconsistent messaging and treatment of the breach Failure to inform the right personnel Failure to meet statutory deadlines or other legal requirements Heightened regulatory scrutiny Increased litigation risk Incident Response Planning 1. C-Suite Buy-In 2. Identify Personnel 3. Determine Scope 4. Draft the Plan 5. Test the Plan Malatesta & Glover - 10

12 VENDOR MANAGEMENT Vendor Management It is abundantly clear that, in many respects, a firm s level of cybersecurity is only as good as the cybersecurity of its vendors. -Benjamin Lawsky, New York State Department of Financial Services Superintendent, Oct. 21, Malatesta & Glover - 11

13 Vendor Management Third-party cybersecurity risk was listed as the number one concern facing the financial services industry in But, only 62% of financial institutions surveyed by the New York Department of Financial Services in 2014 reported that they evaluate the security risk presented by their vendors. Third-party involvement increases the cost of handling a data breach by nearly $30 a record. Vendor Management Key examples of regulatory guidance: Federal Reserve SR 13-19: Guidance on Managing Outsourcing Risk OCC Bulletin : Third Party Relationships Risk Management Guidance FDIC FIL : Guidance for Managing Third-Party Risk Summary: Adopt risk management processes commensurate with the level of risk and complexity of the bank s third-party relationships. Ensure comprehensive risk management and oversight of third-party relationships involving critical activities. Implement an effective risk management process throughout the life cycle of the relationship. Malatesta & Glover - 12

14 Federal Reserve SR 13-19: Guidance on Managing Outsourcing Risk Discuss potential risks arising from service provider relationships Outline expectations for the board of directors and senior management. Provide a framework and processes for effectively manage third-party risks: Risk assessments Due diligence and selection of service providers Contract provisions and considerations Incentive compensation review Oversight and monitoring of service providers Business continuity and contingency plans OCC Bulletin Adopt risk management processes commensurate with the level of risk and complexity of its thirdparty relationships Ensure comprehensive risk management and oversight of third-party relationships involving critical activities. Implement an effective risk management process throughout the life cycle of the relationship that includes: plans that outline the bank s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party; proper due diligence in selecting a third party; written contracts that outline the rights and responsibilities of all parties; ongoing monitoring of the third party s activities and performance; contingency plans for terminating the relationship in an effective manner; clear roles and responsibilities for overseeing and managing the relationship and risk management process; documentation and reporting that facilitates oversight, accountability, monitoring, and risk management; and independent reviews that allow bank management to determine that the bank s process aligns with its strategy and effectively manages risks. Malatesta & Glover - 13

15 FDIC FIL Ensure that appropriate procedures are in place, considering the complexity and risk potential for each of its third-party relationships implement an effective risk management process containing four main elements: (1) risk assessment, (2) due diligence in selecting a third party, (3) contract structuring and review, and (4) oversight Specific guidance on technology outsourcing: FIL FIL Vendor Management Phase I: Due Diligence Phase II: Contract Negotiation Phase III: Ongoing Monitoring Malatesta & Glover - 14

16 OTHER RISK MITIGATION STRATEGIES Other Risk Mitigation Strategies Security Awareness Training Patch Management/Software Updates Cyber Insurance Information-Sharing (FS-ISAC) Malatesta & Glover - 15

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston Cybersecurity Landscape Major Data Breaches (e.g., OPM, IRS) Data Breach Notification Laws Directors Derivative Suits Federal Legislation

More information

The Evolving Threat to Corporate Cyber & Data Security

The Evolving Threat to Corporate Cyber & Data Security The Evolving Threat to Corporate Cyber & Data Security Presented by: Sara English, CIPP/US Sara.English@KutakRock.com 1 http://blogs.wsj.com/law/2015/12/09/employee error leading cause of data breaches

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

Managing Cybersecurity Risk

Managing Cybersecurity Risk Managing Cybersecurity Risk Maureen Brundage Andy Roth August 9, 2016 Managing Cybersecurity Risk Cybersecurity: The Current Legal and Regulatory Environment Cybersecurity Governance: Considerations for

More information

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices Multifamily and Cybersecurity: The Threat Landscape and Best Practices By CHRISTOPHER G. CWALINA, ESQ., KAYLEE A. COX, ESQ. and THOMAS H. BENTZ, JR., ESQ. HOLLAND & KNIGHT Overview Cyber policy is critical

More information

Emerging Issues: Cybersecurity. Directors College 2015

Emerging Issues: Cybersecurity. Directors College 2015 Emerging Issues: Cybersecurity Directors College 2015 Agenda/Objectives Define Cybersecurity Cyber Fraud Trends/Incidents FFIEC Cybersecurity awareness initiatives Community Bank expectations FFIEC Cybersecurity

More information

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards November 2016 COMMENTARY Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards The Board of Governors of the Federal Reserve System ( Federal Reserve Board ), the Federal Deposit Insurance

More information

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

10 Cybersecurity Questions for Bank CEOs and the Board of Directors 4 th Annual UBA Bank Executive Winter Conference February, 2015 10 Cybersecurity Questions for Bank CEOs and the Board of Directors Dr. Kevin Streff Founder, Secure Banking Solutions 1 Board of Directors

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary

More information

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

NYDFS Cybersecurity Regulations: What do they mean? What is their impact? June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing

More information

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks By Richard A. Blunk (Thermopylae Ventures, LLC) and Apprameya Iyengar (Morrison Cohen LLP) The SEC has continued

More information

Advising the C-Suite and Boards of Directors on Cybersecurity. February 11, 2015

Advising the C-Suite and Boards of Directors on Cybersecurity. February 11, 2015 Advising the C-Suite and Boards of Directors on Cybersecurity February 11, 2015 Agenda Introductions / Administrative Cybersecurity risk legal landscape Cyber threats Legal risks in the aftermath of a

More information

Cybersecurity Assessment Tool

Cybersecurity Assessment Tool FederalDepasitlnsuranceCarparation ~~d 1~~i 5yreet ~lw,uuashinyoon, D.C.2d42~-990 Financial Institution Letter FIL-28-2015 JUIy 2, 2015 Cybersecurity Assessment Tool Summary: The FDIC, in coordination

More information

Financial Regulations, Enforcement & Cybersecurity

Financial Regulations, Enforcement & Cybersecurity Financial Regulations, Enforcement & Cybersecurity Elizabeth P. Gray May 16, 2017 Copyright 2017 by Willkie Farr & Gallagher LLP. All Rights Reserved. These course materials may not be reproduced or disseminated

More information

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications Gramm-Leach Bliley Act Section 501(b) and Customer Notification Roger Pittman Director of Operations Risk Federal Reserve Bank of Atlanta Overview Bank IT examination perspective Background information

More information

FDIC InTREx What Documentation Are You Expected to Have?

FDIC InTREx What Documentation Are You Expected to Have? FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Incident Response and Cybersecurity: A View from the Boardroom

Incident Response and Cybersecurity: A View from the Boardroom IT, Privacy & Data Security Webinar Incident Response and Cybersecurity: A View from the Boardroom Gerard M. Stegmaier, Reed Smith Partner IT, Privacy & Data Security Samuel F. Cullari, Reed Smith Counsel

More information

Cybersecurity and Data Protection Developments

Cybersecurity and Data Protection Developments Cybersecurity and Data Protection Developments Nathan Taylor March 8, 2017 NY2 786488 MORRISON & FOERSTER LLP 2017 mofo.com Regulatory Themes 2 A Developing Regulatory Environment 2016 2017 March CFPB

More information

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City 1 Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City The opinions expressed are those of the presenters and are not those of the Federal Reserve Banks, the

More information

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action 2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action April 11, 2018 Contact Information Casie D. Collignon Partner Denver 303.764.4037 ccollignon@bakerlaw.com

More information

2018 MIDWEST LEGAL CONFERENCE ON PRIVACY AND DATA SECURITY Advising the Board of Directors on Privacy and Data Security Melissa Krasnow, Partner, VLP

2018 MIDWEST LEGAL CONFERENCE ON PRIVACY AND DATA SECURITY Advising the Board of Directors on Privacy and Data Security Melissa Krasnow, Partner, VLP 2018 MIDWEST LEGAL CONFERENCE ON PRIVACY AND DATA SECURITY Advising the Board of Directors on Privacy and Data Security Melissa Krasnow, Partner, VLP Law Group LLP, mkrasnow@vlplawgroup.com Mark Abbott,

More information

Data Breach Preparation and Response. April 21, 2017

Data Breach Preparation and Response. April 21, 2017 Data Breach Preparation and Response April 21, 2017 King & Spalding Data, Privacy & Security King & Spalding s 60 plus lawyer Data, Privacy & Security ( DPS ) Practice is best known for: Experienced crisis

More information

Cybersecurity Auditing in an Unsecure World

Cybersecurity Auditing in an Unsecure World About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity

More information

NYDFS Cybersecurity Regulations

NYDFS Cybersecurity Regulations SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy

More information

SEC Issues Updated Guidance on Cybersecurity Disclosure

SEC Issues Updated Guidance on Cybersecurity Disclosure February 27, 2018 SEC Issues Updated Guidance on Cybersecurity Disclosure On February 21, 2018, the Securities and Exchange Commission (the SEC ) issued an interpretive release providing Commission-level

More information

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0 P.O. Box 212 Philip D. Murphy, Governor 300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ 08625-0212 www.tech.nj.gov STATE OF NEW JERSEY TECHNOLOGY CIRCULAR Enterprise Information

More information

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18 Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Turning Risk into Advantage

Turning Risk into Advantage Turning Risk into Advantage How Enterprise Wide Risk Management is helping customers succeed in turbulent times and increase their competitiveness Glenn Tjon Partner KPMG Advisory Presentation Overview

More information

NW NATURAL CYBER SECURITY 2016.JUNE.16

NW NATURAL CYBER SECURITY 2016.JUNE.16 NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative

More information

Information Technology Branch Organization of Cyber Security Technical Standard

Information Technology Branch Organization of Cyber Security Technical Standard Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:

More information

CYBER RISK MANAGEMENT

CYBER RISK MANAGEMENT CYBER RISK MANAGEMENT AND BEST PRACTICES Heather Fields, JD, CHC, CCEP (414) 298-8166 hfields@reinhartlaw.com 1000 North Water Street, Suite 1700, Milwaukee, WI 53202 www.reinhartlaw.com 0 Agenda Role

More information

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE Association of Corporate Counsel NYC Chapter 11/1 NYC BDO USA, LLP, a Delaware limited liability partnership,

More information

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations FFIEC Cyber Security Assessment Tool Overview and Key Considerations Overview of FFIEC Cybersecurity Assessment Tool Agenda Overview of assessment tool Review inherent risk profile categories Review domain

More information

NY DFS Cybersecurity Regulations August 8, 2017

NY DFS Cybersecurity Regulations August 8, 2017 NY DFS Cybersecurity Regulations August 8, 2017 23 NYCRR Part 500 Asking Questions Anti-Trust Policy As a CPCU approved education program related to The Institutes Chartered Property Casualty Underwriter

More information

Third-Party Cyber Risk Management Webinar May 23, 2017

Third-Party Cyber Risk Management Webinar May 23, 2017 Third-Party Cyber Risk Management Webinar May 23, 2017 Today s speakers Nikole Davenport Senior Manager Deloitte & Touche LLP Nikole is a senior manager in Deloitte s Cyber Risk Services practice, specializing

More information

Data Privacy & Protection

Data Privacy & Protection Data Privacy & Protection March 10, 2016 Data Breach Notification and Cybersecurity Developments in 2016 Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US This

More information

Effective Cyber Incident Response in Insurance Companies

Effective Cyber Incident Response in Insurance Companies August 2017 Effective Cyber Incident Response in Insurance Companies An article by Raj K. Chaudhary, CRISC, CGEIT; Troy M. La Huis; and Lucas J. Morris, CISSP Audit / Tax / Advisory / Risk / Performance

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

Putting It All Together:

Putting It All Together: Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,

More information

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:

More information

Tangible Measures to Prepare for Intensified Regulatory Oversight of Cybersecurity in 2016

Tangible Measures to Prepare for Intensified Regulatory Oversight of Cybersecurity in 2016 CLIENT ALERT: Tangible Measures to Prepare for Intensified Regulatory Oversight of Cybersecurity in 2016 August 4, 2016 Author: Hillard M. Sterling, Esq. I. SUMMARY Cybersecurity has taken center stage

More information

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Introduction The 6,331 credit unions in the United States face a unique challenge when it comes to cybersecurity.

More information

Cybersecurity- A Regulatory Perspective. Robert J. Lipot, CRISC Senior Financial Institutions Examiner Department of Business Oversight

Cybersecurity- A Regulatory Perspective. Robert J. Lipot, CRISC Senior Financial Institutions Examiner Department of Business Oversight Cybersecurity- A Regulatory Perspective Robert J. Lipot, CRISC Senior Financial Institutions Examiner Department of Business Oversight 1 Cybersecurity Issues Executive Order 13636 Key Areas of Focus Cyber

More information

GLBA, information security and incident response a compliance perspective

GLBA, information security and incident response a compliance perspective GLBA, information security and incident response a compliance perspective Introductions How many have experience with IT? How many have responsibilities involving IT? How many have responsibilities involving

More information

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda Key Risks Incorporating Internal Audit Resources Questions 2 San Francisco

More information

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC APPROVAL AUTHORITY: President, CHSi GARY G. PALMER /s/ OPR: Director, Information Security NUMBER: ISSUED: VERSION: APRIL 2015 2 THOMAS P. DELAINE JR. /s/ 1.0

More information

MNsure Privacy Program Strategic Plan FY

MNsure Privacy Program Strategic Plan FY MNsure Privacy Program Strategic Plan FY 2018-2019 July 2018 Table of Contents Introduction... 3 Privacy Program Mission... 4 Strategic Goals of the Privacy Office... 4 Short-Term Goals... 4 Long-Term

More information

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS MEET THE EXPERTS DAVID O LEARY Director, Forsythe Security Solutions THOMAS ECK Director, Forsythe Security Solutions ALEX HANWAY Product

More information

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by

More information

Interpreting the FFIEC Cybersecurity Assessment Tool

Interpreting the FFIEC Cybersecurity Assessment Tool Interpreting the FFIEC Cybersecurity Assessment Tool Wayne H. Trout, CISA, CRISC, CBCA, CBRA, CBRITP NCUA Supervisor, Critical Infrastructure and Cybersecurity What We ll Cover Cyber risk management Cybersecurity

More information

Cybersecurity and the Board of Directors

Cybersecurity and the Board of Directors Cybersecurity and the Board of Directors Key Findings from BITS/FSR Meetings OVERVIEW Board directors are increasingly required to engage in cybersecurity risk management yet some may need better education

More information

Chief Compliance Officer s (CCO s) Role in Cybersecurity Thursday, February 22 10:00 a.m. 11:00 a.m.

Chief Compliance Officer s (CCO s) Role in Cybersecurity Thursday, February 22 10:00 a.m. 11:00 a.m. Chief Compliance Officer s (CCO s) Role in Cybersecurity Thursday, February 22 10:00 a.m. 11:00 a.m. Increased use of technologies such as mobile devices, social media and cloud computing has increased

More information

Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties

Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties Thursday, October 5, 2017 Presented by: Gerrit Nel, Senior Manager, Cyber Security, KPMG Sunny Handa, Partner, Montreal Cathy Beagan Flood,

More information

National Policy and Guiding Principles

National Policy and Guiding Principles National Policy and Guiding Principles National Policy, Principles, and Organization This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework

More information

Table of Contents. Sample

Table of Contents. Sample TABLE OF CONTENTS... 1 CHAPTER 1 INTRODUCTION... 4 1.1 GOALS AND OBJECTIVES... 5 1.2 REQUIRED REVIEW... 5 1.3 APPLICABILITY... 5 1.4 ROLES AND RESPONSIBILITIES SENIOR MANAGEMENT AND BOARD OF DIRECTORS...

More information

Defending Our Digital Density.

Defending Our Digital Density. New Jersey Cybersecurity & Communications Integration Cell Defending Our Digital Density. @NJCybersecurity www.cyber.nj.gov NJCCIC@cyber.nj.gov The New Jersey Cybersecurity & Communications Integration

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

SFC strengthens internet trading regulatory controls

SFC strengthens internet trading regulatory controls SFC strengthens internet trading regulatory controls November 2017 Internet trading What needs to be done now? For many investors, online and mobile internet trading is now an everyday interaction with

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

Bringing Cybersecurity to the Boardroom Bret Arsenault

Bringing Cybersecurity to the Boardroom Bret Arsenault SESSION ID: CXO-T11 Bringing Cybersecurity to the Boardroom Bret Arsenault Corporate Vice President & CISO Microsoft Security has Transcended from to a an 3 How Microsoft Approaches Security Reinventproductivity

More information

Compliance Program Assessment Overview of Findings. Report to the Audit and Risk Committee of the Teachers Retirement Board June 8, 2016

Compliance Program Assessment Overview of Findings. Report to the Audit and Risk Committee of the Teachers Retirement Board June 8, 2016 Compliance Program Assessment Overview of Findings Report to the Audit and Risk Committee of the Teachers Retirement Board June 8, 2016 Kaplan & Walker LLP 2 Law firm specializing in counseling organizations

More information

Critical Security Controls. COL Stef Horvath MNARNG Oct 21, 2015

Critical Security Controls. COL Stef Horvath MNARNG Oct 21, 2015 Critical Security Controls COL Stef Horvath MNARNG Oct 21, 2015 Agenda Security Controls the Good, the Bad, the Ugly Emerging Security Controls Critical Security Controls Methodology and Contributors Supporting

More information

Cybersecurity in Higher Ed

Cybersecurity in Higher Ed Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,

More information

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO June 28, 2017 Alan Calder IT Governance Ltd www.itgovernanceusa.com PLEASE NOTE THAT

More information

Building a Business Case for Cyber Threat Intelligence. 5Reasons Your. Organization Needs a Risk-Based 5Approach to Cybersecurity

Building a Business Case for Cyber Threat Intelligence. 5Reasons Your. Organization Needs a Risk-Based 5Approach to Cybersecurity Building a Business Case for Cyber Threat Intelligence 5Reasons Your Organization Needs a Risk-Based 5Approach to Cybersecurity 5 Reasons for a Risk-Based Approach to Cybersecurity The Bad Guys are Winning

More information

Cyber Security Program

Cyber Security Program Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by

More information

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security Government Resolution No. 2443 of February 15, 2015 33 rd Government of Israel Benjamin Netanyahu Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security It is hereby resolved:

More information

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose: STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

Certified Information Security Manager (CISM) Course Overview

Certified Information Security Manager (CISM) Course Overview Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,

More information

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015 NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015 Agenda Cybersecurity Information Sharing and the NISP NISP Working Group Update CUI Program Update 2 Executive Order 13691 Promoting Private

More information

Global Statement of Business Continuity

Global Statement of Business Continuity Business Continuity Management Version 1.0-2017 Date January 25, 2017 Status Author Business Continuity Management (BCM) Table of Contents 1. Credit Suisse Business Continuity Statement 3 2. BCM Program

More information

GUIDANCE NOTE ON CYBERSECURITY

GUIDANCE NOTE ON CYBERSECURITY GUIDANCE NOTE ON CYBERSECURITY AUGUST 2017 GUIDANCE NOTE ON CYBERSECURITY PART I Preliminary 1.1 Title 1.2 Authorization 1.3 Application 1.4 Definitions PART II Statement of Policy 2.1 Purpose 2.2 Scope

More information

2017 IT Examination Preparedness. Iowa Bankers 2017 Technology Conference October 24, 2017

2017 IT Examination Preparedness. Iowa Bankers 2017 Technology Conference October 24, 2017 2017 IT Examination Preparedness Iowa Bankers 2017 Technology Conference October 24, 2017 1 Disclaimer Materials designed to give general information on the specific subjects covered and are educational

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services NYS DFS Cybersecurity Requirements Stephen Head Senior Manager Risk Advisory Services December 5, 2017 About Me Stephen W. Head Mr. Head is a Senior Manager with Experis Finance, and has over thirty-five

More information

Security and Privacy Governance Program Guidelines

Security and Privacy Governance Program Guidelines Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by

More information

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along 2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management Today s Speakers Olivia Munro Senior Marketing Specialist Eze Castle Integration Bob Shaw Director, Technical Architecture Eze Castle

More information

It s Not If But When: How to Build Your Cyber Incident Response Plan

It s Not If But When: How to Build Your Cyber Incident Response Plan CYBER SECURITY USA It s Not If But When: How to Build Your Cyber Incident Response Plan Lucie Hayward, Managing Consultant Michael Quinn, Associate Managing Director each day seems to bring news of yet

More information

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006 ISO / IEC 27001:2005 A brief introduction Dimitris Petropoulos Managing Director ENCODE Middle East September 2006 Information Information is an asset which, like other important business assets, has value

More information

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced

More information

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Agenda Industry Background Cybersecurity Assessment Tools Cybersecurity Best Practices 2 Cybersecurity

More information

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect CLIENT ALERT January 25, 2017 Angelo A. Stio III stioa@pepperlaw.com Sharon R. Klein kleins@pepperlaw.com Christopher P. Soper soperc@pepperlaw.com

More information

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination

More information

Version 1/2018. GDPR Processor Security Controls

Version 1/2018. GDPR Processor Security Controls Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in

More information

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening

More information

Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m.

Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m. Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m. Cybersecurity is a top priority for the financial services industry. Firms dedicate significant resources every

More information

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.ca

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.ca Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom kpmg.ca Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom 1 Connecting the dots:

More information

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017 DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.

More information

Lakeshore Technical College Official Policy

Lakeshore Technical College Official Policy Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest? Data Privacy According to statistics provided by the Data Breach Level Index, hackers and thieves are stealing more than 227,000 personal records per hour as of 2017, generally targeting customer information

More information

Medical Device Cybersecurity: FDA Perspective

Medical Device Cybersecurity: FDA Perspective Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological

More information

PROPOSED INTERPRETIVE NOTICE

PROPOSED INTERPRETIVE NOTICE August 28, 2015 Via Federal Express Mr. Christopher J. Kirkpatrick Secretary Office of the Secretariat Commodity Futures Trading Commission Three Lafayette Centre 1155 21st Street, N.W. Washington, DC

More information

Welcome to Today s Web Seminar!

Welcome to Today s Web Seminar! Welcome to Today s Web Seminar! December 12, 2014 1:00 PM ET Hosted By: MODERATOR: PENNY CROSMAN Editor in Chief, Bank Technology News Technology Editor, American Banker newspaper In her roles at BTN and

More information

Steps to Take Now to be Ready if Your Organization is Breached Thursday, February 22 2:30 p.m. 3:30 p.m.

Steps to Take Now to be Ready if Your Organization is Breached Thursday, February 22 2:30 p.m. 3:30 p.m. Steps to Take Now to be Ready if Your Organization is Breached Thursday, February 22 2:30 p.m. 3:30 p.m. The cyber threats are no longer a question of if, but when, a breach will occur. It is important

More information