IIB s Risk Management and Regulatory Examination / Compliance Seminar
IIB's Risk Management and Regulatory Examination / Compliance Seminar
Cybersecurity: Regulatory Developments and Industry Practices
Presented at: CUNY Graduate Center, October 25, :00 a.m. to 10:15 a.m.
Moderator: Walter J. Mix III, Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group)
Panelists:
- Melissa Hall, Of Counsel, Morgan, Lewis and Bockius, LLP
- James Talbot, Counsel, Skadden, Arps, Slate, Meagher and Flom, LLP
- Mike Hartigan, New York Chief Information Security Officer, Credit Agricole - Corporate and Investment Bank
BRG (Berkeley Research Group), 550 South Hope Street, Suite 2150, Los Angeles, CA

Cybersecurity Attack Map (map.ipviking.com)

Overview
Moderator: Walter J. Mix III, Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group)
- Cybersecurity: Some Keys to Success
- Cybersecurity: Regulatory Developments and Industry Practices
- DFS's Cybersecurity Proposal and Cybersecurity Incident Response Plans
- Third Party Cybersecurity Regulatory Developments

Cybersecurity: Some Keys to Success
Walter J. Mix III, Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group)
- Patchwork of Cyber Guidance / Home-Host Country Issues?
- How Cybersecurity Relates to ERM / Corporate Governance
- Litigation Example

Multiple Sources of Guidance
- What is the Primary Operational Risk Banks Face?
- Panama Papers Takeaways
- SWIFT Incident / Bangladesh Incident
- Guidance From FFIEC, DFS, EU, NACHA, New Fed / OCC / FDIC: Overlap or Complementary?
- Home / Host Countries

Some Issues to Consider
- Corporate Governance / Board Management Roles
- Risk Assessment
- Outsourcing / Vendor Management
- Latest Security / Penetration Testing
- Cybersecurity Program Properly Tailored?
- 3 Lines of Defense: Monitoring, Audit
- Proper Staffing
- Training Tailored
- Post Event Plan, Actual Response and Management
- Examination Reports
- Phishing of Your Employees
- What is OOBA? Multi-Factor Authentication?

ERM and Cybersecurity: Issues to Consider
- Does Your Risk Assessment Address Risk / Risk Profile? Independently Developed? Best Practices? Measurable?
- Quality of Reports to Board / Management
- Multi-Disciplinary Team
- FFIEC Assessment Tool: Baseline, Evolving, Intermediate, Advanced and Innovative
- Risk Governance / Board Level: Engaged, Formalized, Ongoing Communication and Training
- Risk Management Tailored to Risk Profile
- People: Executive Team Awareness, Threat Recognition, Training, Accountability, Multi-disciplinary Team and Contingency Plans
- Process: Fully Integrated within ERM Framework, Measurement / Monitoring and Continuous Improvement / Changing Requirements
- Technology: Centralized, Monitoring, Threat Alerts and IT Investments
- Vendor Management

Litigation
- A Hypothetical Litigation Scenario
- When Your Bank has been Sued? Not Us!
- Commercially Reasonable Basis
- An Ounce of Prevention
Panelist: Melissa Hall, Of Counsel, Morgan, Lewis and Bockius, LLP
Cybersecurity: Regulatory Developments and Industry Practices

CYBERSECURITY: REGULATORY DEVELOPMENTS AND INDUSTRY PRACTICES
Melissa R. H. Hall
IIB Seminar on Risk Management and Regulatory Examination/Compliance Issues, October 25
Morgan, Lewis & Bockius LLP

CYBERSECURITY AND PAYMENT SYSTEMS

Increased Cybersecurity Incidents Cause Increased Regulatory Concerns
- In response to the SWIFT attacks, FFIEC released its Joint Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks
  - Encourages financial institutions to review their risk management practices and controls, including authentication, authorization, fraud detection, and response management systems
  - Directs financial institutions to rely on the guidance in the FFIEC IT Examination Handbook and any guidance from payment system providers
- OCC has identified cybersecurity as the primary operational risk for banks. OCC's Semiannual Risk Perspective outlines the various areas of risk and concern.
- FFIEC's Cybersecurity Assessment Tool: still voluntary!

Malware and Compromised Credentials
- SWIFT attacks were not an attack on the SWIFT network itself
- A combination of malware and compromised access credentials allowed the thieves to access the system
- Social engineering, phishing, etc. are a real and ongoing concern; hard to eliminate human error
- FFIEC identified malware and compromised credentials as meriting particular focus by financial institutions' cybersecurity risk assessments
- Issued joint statements in

FRB's Secure Payments Task Force
- Part of the FRB's overall faster payments initiative
- Has noted that there is no universally accepted way to verify the identity of payment systems participants
- Secure Payments Task Force is considering possible solutions, including identity management practices, sharing of fraud and cyber-threat information, and ways to analyze data
- Report is expected sometime in

Don't Forget About Other Participants in Payment Systems
- Credit card networks and NACHA also lead cybersecurity efforts
- Payment Card Industry Data Security Standard (PCI DSS)
- EMV chip credit card
- NACHA's ACH Risk Management Strategy

INTERAGENCY ENHANCED CYBER RISK MANAGEMENT STANDARDS

Interagency Enhanced Cyber Risk Management Standards ANPR
- Hot off the presses! Released October 19, 2016 by the FDIC, OCC and FRB
- Would establish enhanced cyber risk management standards for the largest and most interconnected entities, as well as for services that these entities receive from third parties.
- Would apply to depository institutions and depository institution holding companies with total consolidated assets of $50 billion; U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more; financial market infrastructure companies; and nonbank financial companies supervised by the FRB.
- ANPR presents 39 questions on which the agencies are seeking comment.

Interagency Enhanced Cyber Risk Management Standards ANPR
- More stringent standards on systems that are critical to the functioning of the financial sector ("sector-critical systems")
- Seeking comment on what systems should be sector-critical systems
- Proposed 2 hour recovery time objective (RTO) for sector-critical systems
- Divides enhanced cyber risk standards into 5 categories:
  - Cyber risk governance
  - Cyber risk management
  - Internal dependency management
  - External dependency management
  - Incident response, cyber resilience and situational awareness

Some Proposed Requirements
- Cyber risk governance would implement standards similar to governance standards for large, complex financial institutions, e.g., board-level oversight and written governance plans, accountability of senior management, oversight independent from business lines, etc.
- Cyber risk management would be an independent function reporting to the chief risk officer or board of directors, and internal audits would need to assess cyber risk management
- Internal dependency management would include an inventory of all business assets on an enterprise-wide basis, prioritized according to the assets' criticality to the business functions they support, the firm's mission, and the financial sector

5 Categories of Cyber Risk Management
- External dependency management would include having the ability to monitor in real time all external dependencies and trusted connections that support an entity's cyber risk management strategy
- Covered entities would need to develop effective incident response and cyber resilience governance, strategies and capacities that enable them to anticipate, withstand, and rapidly recover from disruptions caused by cyber events, including establishing enterprise-wide cyber resilience and incident response programs
- Cyber resilience would require secure, offline storage of critical records, as well as establishing plans to transfer functions to another entity or service provider if the entity or service provider subject to a cyber incident is unable to perform
- Situational awareness would require ongoing threat monitoring and threat intelligence gathering

Some Takeaways
- Cybersecurity isn't going away as a business or regulatory issue
- Banking regulators and other participants in the payment system are active in oversight and management of cybersecurity issues
- Pay attention to the regulatory guidance out there: FFIEC, FDIC, OCC, Federal Reserve, credit card network rules, NACHA rules
- Ensure you have a cybersecurity risk assessment plan that is appropriately scaled to your level of risk and is dynamic enough to adapt to changes in cybersecurity threats
- Don't forget about cyber resiliency
- Consider submitting comments to the ANPR: agencies are considering whether to issue regulations, guidance, or something else

Melissa R. H. Hall, Washington, DC
Melissa R. H. Hall represents US and overseas banks, nonbank financial services companies, investors in financial services, and technology companies in regulatory and corporate matters. She advises them on a wide range of state and federal financial regulatory laws and regulations. She provides counsel on financial regulatory compliance and enforcement, including state and federal licensing requirements, consumer financial products and compliance, payment systems, corporate and transactional matters, financial institution investment and acquisition, and the development of new financial services products.

Our Global Reach
Regions: Africa, Asia Pacific, Europe, Latin America, Middle East, North America
Locations: Almaty, Astana, Beijing, Boston, Brussels, Chicago, Dallas, Dubai, Frankfurt, Hartford, Houston, London, Los Angeles, Miami, Moscow, New York, Orange County, Paris, Philadelphia, Pittsburgh, Princeton, San Francisco, Santa Monica, Shanghai, Silicon Valley, Singapore, Tokyo, Washington, DC, Wilmington

THANK YOU
This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Links provided from outside sources are subject to expiration or change. Attorney Advertising. Morgan, Lewis & Bockius LLP
Panelist: James Talbot, Counsel, Skadden, Arps, Slate, Meagher and Flom, LLP
DFS's Cybersecurity Proposal
Cybersecurity Incident Response Plans

DFS's Cybersecurity Proposal
October 25, 2016
Presented by: Jamie Talbot
Beijing / Boston / Brussels / Chicago / Frankfurt / Hong Kong / Houston / London / Los Angeles / Moscow / Munich / New York / Palo Alto / Paris / São Paulo / Seoul / Shanghai / Singapore / Tokyo / Toronto / Washington, D.C. / Wilmington
Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

Overview of DFS Proposal
- Stated goal: Set minimum standards while preserving flexibility
- Requirement: Create a Cybersecurity Program
  - Risk assessment
  - Defensive infrastructure
  - Detect, respond to and recover from incidents
  - Meet other regulatory reporting requirements

Covered Entities and Nonpublic Information
- Covered Entities: Individuals or entities operating under a license or similar authorization under NY banking, insurance or financial services laws
  - Some exceptions for smaller entities
- Nonpublic Information:
  - Information about individuals received or generated in the course of a financial services relationship (GLBA)
  - Information about an individual's health received or generated in the course of a health care relationship (HIPAA)
  - Information that can be used to distinguish or trace an individual's identity (linked or linkable to the individual)
  - Information that, if disclosed or tampered with, could have a material adverse impact on operations, business or security

Cybersecurity Policy
- Written Cybersecurity Policy covering:
  - Information security
  - Business continuity
  - Data governance
  - Access controls
  - System and application development security
  - Vendor management
  - Incident response plan

Staffing, Reporting and Technical Requirements
- Chief Information Security Officer
- Security personnel (with training)
- Reporting:
  - By CISO to Board (bi-annual)
  - By Board or senior officers to DFS (annual certification of compliance)
- Specific technical requirements:
  - Multifactor authentication for access to internal systems
  - Monitor web access patterns
  - Encryption in transit and at rest

Additional DFS Requirements
- Security testing: Penetration testing (annually); Vulnerability assessment (quarterly)
- Risk Assessment (annually)
- Limit and monitor access to information
- Audit trail: Access and Reconstruction
- Limit data retention

Breach Notification
- Notice to DFS superintendent of any cybersecurity event that:
  - has a reasonable likelihood of materially affecting normal operations, OR
  - affects nonpublic information
- If any other regulator was notified, notify DFS
- 72 hour deadline
- Unsuccessful attacks can be cybersecurity events

Problems with Breach Notification
- Can an unsuccessful attack ever give rise to a reasonable likelihood of materially affecting the normal operation of the business?
- Does an unsuccessful attack that would have affected nonpublic information have to be reported? Even if no material impact?
- What if the company isn't sure of the effect within the 72 hour deadline?
- Not just personally identifiable information
- No exception for law enforcement requests
- End result: far more reporting

Haven't We Seen this Movie?
- Echoes of existing laws, regulatory guidance and industry best practice: GLBA, HIPAA, NIST, FTC, FFIEC guidance, PCI requirements, etc.
- Few conflicts with existing laws

Differences from Existing Requirements
- Obligations, not guidance
- Expanded scope: Non-HIPAA entities must now meet HIPAA-like standards
- Nonpublic information broadened: not just PII; linked or linkable
- Additional internal reporting
- Certification
- Specific staffing requirements
- Broader notification requirements

Industry Concerns
- Additional costs and compliance burdens: compliance certification, reporting
- One-size-fits-all
- Many already doing much of this
- Company is both victim of attack and liability target: tension for reporting
- More to come?

Key Dates
- November 12, 2016: Comment period closes
- January 1, 2017: Regulation takes effect
- June 30, 2017: Compliance grace period expires
- January 15: 1st annual compliance certification

Cybersecurity Incident Response Plans
October 25, 2016
Presented by: Jamie Talbot

"As soon as a cyberattack hits, everyone's IQ drops 50 points."

Incident Response Plans: No Longer Just a Good Idea
- DFS requirement (proposed)
- Response clock is accelerating
- Privacy advocates and activists
- Insurance plans
- Delay may increase liability

72 Hours is Not Much Time
- Detect activity
- Identify activity as an incident
- Determine how to stop the incident
- Determine impact: what was accessed, what was copied, source
- Review legal requirements: who needs to be notified?
- Prepare and submit formal notification

Don't Delay!
- When a cyberattack hits, companies cannot waste time figuring out:
  - What to do
  - Who should be involved
  - Who should make decisions
  - What external parties (regulators, customers, etc.) should be contacted
  - What is the state of the law
- Scrambling to figure out the team and an action plan once an incident occurs is inefficient and dramatically increases the risk of a misstep

Establishing a Rapid Response Team
- Identify team members and project lead: IT, legal, security, PR/communications, HR, risk management, corporate management, government relations; outside counsel
- Create a playbook of how incidents will be handled:
  - Determine how incidents will be identified
  - Prioritize and classify the incident
  - Establish protocols to determine who should be notified
  - Establish protocols to mitigate and remediate
  - Establish protocols for how incidents will be documented
  - Include logistical information: backup contacts, communication channels

DFS Required Contents of Plan
Per the DFS Proposal, the plan MUST address the following:
- Internal processes for responding to an incident (including unsuccessful attacks)
- Goals of the plan
- Definition of clear roles, responsibilities and levels of decision-making authority
- External and internal communications and information sharing
- Remediation of any identified weaknesses in IT systems and controls
- Documentation and reporting regarding incidents and related incident response activities
- Evaluation and revision of the plan following an incident
Panelist: Mike Hartigan, New York Chief Information Security Officer, Credit Agricole Corporate and Investment Bank
Third Party Cybersecurity Regulatory Developments

ANNUAL SEMINAR ON RISK MANAGEMENT AND REGULATORY EXAMINATION/COMPLIANCE ISSUES
Third Party Cyber Security Regulatory Developments
Mike Hartigan, October 25th, 2016
(Cyber Security: Regulatory Developments and Industry Practices)

Third Party Cyber Security Assessment: Agenda

Cyber Security Assessment within the Third Party Program

Step 1 - Third Party Program Scoping & Risk Classification

Step 2 - Conducting the TSP Cyber Security Assessment

Step 3 - Residual Risk Management

Third Party Service Provider Risk Assessment Considerations

Third Party Service Provider FFIEC & DFS Regulatory Developments

Regulatory Cyber Security Landscape

Questions

Appendix - DFS Cyber Security Requirement

Conclusion: Thank You! Questions?
Mitigating Risk with Ongoing Cybersecurity Risk Assessment Scott Moser CISO Caesars Entertainment CSO50 Presentation Caesars Entertainment Cybersecurity Risk Management Scott Moser Chief Information Security
More informationDATA BREACH NUTS AND BOLTS
DATA BREACH NUTS AND BOLTS Your Company Has Been Hacked Now What? January 20, 2016 Universal City, California Sponsored by Hogan Lovells Moderator: Stephanie Yonekura, Hogan Lovells #IHCC16 Panelists:
More informationCybersecurity and Nonprofit
Cybersecurity and Nonprofit 2 2 Agenda Cybersecurity and Non Profits Scenario #1 Scenario #2 What Makes a Difference Cyber Insurance and How it Helps Question and Answer 3 3 Cybersecurity and Nonprofit
More informationOverview Bank IT examination perspective Background information Elements of a sound plan Customer notifications
Gramm-Leach Bliley Act Section 501(b) and Customer Notification Roger Pittman Director of Operations Risk Federal Reserve Bank of Atlanta Overview Bank IT examination perspective Background information
More informationData Privacy & Protection
Data Privacy & Protection March 10, 2016 Data Breach Notification and Cybersecurity Developments in 2016 Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US This
More informationISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015
ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO 27001 FRAMEWORK AUGUST 19, 2015 Agenda Coalfire Overview Threat Landscape What is ISO Why ISO ISO Cycle Q&A 2 Presenters
More information2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager
2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager NIST Cybersecurity Framework (CSF) Executive Order 13636 Improving Critical Infrastructure Cybersecurity tasked the National
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationEffective Cyber Incident Response in Insurance Companies
August 2017 Effective Cyber Incident Response in Insurance Companies An article by Raj K. Chaudhary, CRISC, CGEIT; Troy M. La Huis; and Lucas J. Morris, CISSP Audit / Tax / Advisory / Risk / Performance
More informationPerforming a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH
Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH 1 Speaker Bio Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas &
More informationDeveloping Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?
Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite? Minnesota RIMS 39 th Annual Seminar Risk 2011-2012: Can You Hack
More informationAnatomy of a Data Breach: A Practical Guide for Small Law Departments
Anatomy of a Data Breach: A Practical Guide for Small Law Departments Judy Branzelle is the Chief Legal Officer and General Counsel for Goodwill Industries International, Inc. where she has been employed
More informationGlobal Statement of Business Continuity
Business Continuity Management Version 1.0-2017 Date January 25, 2017 Status Author Business Continuity Management (BCM) Table of Contents 1. Credit Suisse Business Continuity Statement 3 2. BCM Program
More informationThe Evolving Threat to Corporate Cyber & Data Security
The Evolving Threat to Corporate Cyber & Data Security Presented by: Sara English, CIPP/US Sara.English@KutakRock.com 1 http://blogs.wsj.com/law/2015/12/09/employee error leading cause of data breaches
More informationAnticipating the wider business impact of a cyber breach in the health care industry
Anticipating the wider business impact of a cyber breach in the health care industry John Gelinne, Director Cyber Risk Services Deloitte & Touche LLP jgelinne@deloitte.com commodore_22 Hector Calzada,
More informationAligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy
Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy Orus Dearman, Director, Business Advisory Services, Grant Thornton Johanna Terronez, Senior Manager, Business Advisory
More informationBalancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld
Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice
More informationInstitute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI
Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI #IIACHI WWW.FACEBOOK.COM/IIACHICAGO HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977 1 CAE Communications and Common Audit Committee
More informationChief Compliance Officer s (CCO s) Role in Cybersecurity Thursday, February 22 10:00 a.m. 11:00 a.m.
Chief Compliance Officer s (CCO s) Role in Cybersecurity Thursday, February 22 10:00 a.m. 11:00 a.m. Increased use of technologies such as mobile devices, social media and cloud computing has increased
More informationSteps to Take Now to be Ready if Your Organization is Breached Thursday, February 22 2:30 p.m. 3:30 p.m.
Steps to Take Now to be Ready if Your Organization is Breached Thursday, February 22 2:30 p.m. 3:30 p.m. The cyber threats are no longer a question of if, but when, a breach will occur. It is important
More informationCybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security
Cybersecurity What Companies are Doing & How to Evaluate Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security Learning Objectives At the end of this presentation, you will be able to: Explain the
More informationRIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015
www.pwc.com RIMS Perk Session 2015 - Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 Los Angeles RIMS Agenda Introductions What is Cybersecurity? Crown jewels The bad
More informationNE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
NE HIMSS Vendor Risk October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Does Vendor Management Feel Like This? 2 Vendor Risk Management Lifecycle
More informationHacking and Cyber Espionage
Hacking and Cyber Espionage September 19, 2013 Prophylactic and Post-Breach Concerns for In-House Counsel Raymond O. Aghaian, McKenna Long & Aldridge LLP Elizabeth (Beth) Ferrell, McKenna Long & Aldridge
More informationFISMAand the Risk Management Framework
FISMAand the Risk Management Framework The New Practice of Federal Cyber Security Stephen D. Gantz Daniel R. Phi I pott Darren Windham, Technical Editor ^jm* ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON
More informationCybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com
Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationSECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives
SECURING THE UK S DIGITAL PROSPERITY Enabling the joint delivery of the National Cyber Security Strategy's objectives 02 November 2016 2 SECURING THE UK S DIGITAL PROSPERITY SECURING THE UK S DIGITAL PROSPERITY
More informationHow Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner
How Cybersecurity Initiatives May Impact Operators Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 Agenda Rise in Data Breaches Effects of Increase in Cybersecurity Threats Cybersecurity Framework
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationCYBER RISK MANAGEMENT SERVICES Is Your Company Prepared for a Cyber Attack?
CYBER RISK MANAGEMENT SERVICES Is Your Company Prepared for a Cyber Attack? IDENTIFY PROTECT Senior Management and Board- Level Cyber Risk Consultation Cybersecurity Risk Assessment Cybersecurity Program
More information2018 Morgan, Lewis & Bockius LLP
CYBERSECURITY, PERSONAL DATA PROTECTION, AND INTERNET REGULATION IN RUSSIA Ksenia Andreeva, Anastasia Dergacheva, Vasilisa Strizh, Brian Zimbler May 22, 2018 2018 Morgan, Lewis & Bockius LLP Content Data
More informationPeer Collaboration The Next Best Practice for Third Party Risk Management
SESSION ID: GRM-F02 Peer Collaboration The Next Best Practice for Third Party Risk Management Robin M. Slade EVP & COO The Santa Fe Group & Shared Assessments Program Introduction Q: How do we achieve
More informationOn the Radar: IBM Resilient applies incident response orchestration to GDPR data breaches
On the Radar: IBM Resilient applies incident response orchestration to GDPR data breaches An incident response orchestration platform tailored to GDPR breach management needs Publication Date: 24 Oct 2018
More informationMapping Cyber-Protections to Regulatory Requirements for Fintech
SESSION ID: PGR-R03 Mapping Cyber-Protections to Regulatory Requirements for Fintech Jonathan Fairtlough Managing Director Kroll, Cyber Security & Investigations Paul Haswell Partner Pinsent Masons, Risk
More informationInfoSec Risks from the Front Lines
InfoSec Risks from the Front Lines Adam Brand, Protiviti Orange County IIA Seminar Who I Am Adam Brand IT Security Services Some Incident Response Experience Lead Breach Detection Audits @adamrbrand Who
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationIT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18
Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are
More informationWhat to do if your business is the victim of a data or security breach?
What to do if your business is the victim of a data or security breach? Introduction The following information is intended to help you decide how to start preparing for and some of the steps you will want
More information2017 Data Security Incident Response Report. Be Compromise Ready: Go Back to the Basics
2017 Data Security Incident Response Report Be Compromise Ready: Go Back to the Basics May 9, 2017 Contact Information Theodore J. Kobus, III Leader, Privacy and Data Protection Practice New York 212.271.1504
More informationMastering Data Privacy, Social Media, & Cyber Law
Mastering Data Privacy, Social Media, & Cyber Law Data Breach Notification and Cybersecurity Developments Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US 1 State
More informationCyber Risks, Coverage, and the Board of Directors.
Cyber Risks, Coverage, and the Board of Directors PCI Northeastern General Counsel Seminar September 19-20, 2016 Vincent J. Vitkowsky Seiger Gfeller Laurie LLP vvitkowsky@sgllawgroup.com CYBER RISKS and
More informationCybersecurity Auditing in an Unsecure World
About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity
More informationPost-Secondary Institution Data-Security Overview and Requirements
Post-Secondary Institution Data-Security Overview and Tiina K.O. Rodrigue, EdDc, CISSP, CISM, PMP, CSM, CEA, ITIL, ISC2 Compliance Mapper, A+ Senior Advisor Cybersecurity - 2017 Agenda Who needs to worry
More informationProtect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP
Protect Your Institution with Effective Cybersecurity Governance 1 Your presenter Mike Cullen, Senior Manager, Baker Tilly CISA, CISSP, CIPP/US > Leads the firm s Higher Education Technology Risk Services
More informationIncident Response and Cybersecurity: A View from the Boardroom
IT, Privacy & Data Security Webinar Incident Response and Cybersecurity: A View from the Boardroom Gerard M. Stegmaier, Reed Smith Partner IT, Privacy & Data Security Samuel F. Cullari, Reed Smith Counsel
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationTackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud
Tackling Cybersecurity with Data Analytics Identifying and combatting cyber fraud San Antonio IIA iheartaudit Conference February 24, 2017 What We ll Cover + Current threat landscape + Common security
More informationCybersecurity: Federalism as Defense-in-Depth
SESSION ID: Law-W08 Cybersecurity: Federalism as Defense-in-Depth MODERATOR: Gregory von Lehmen Special Assistant to the President, Cybersecurity University of Maryland University College (UMUC) PANELISTS:
More informationWhat To Do When Your Data Winds Up Where It Shouldn t
What To Do When Your Data Winds Up Where It Shouldn t Don M. Blumenthal Defcon 16 Las Vegas, Nevada August 9, 2008 Disclaimer Opinions expressed are my own and intended for informational purposes. They
More information