Cyber Risk and Third Party Risk Management. Lisa Murphy First Horizon National Corporation

Transcription

1 Cyber Risk and Third Party Risk Management Lisa Murphy First Horizon National Corporation

2 The Cyber Risks Third Party Breach Advance Persistent Threat

3 The Headlines Goodwill Names Vendor in Breach C&K Systems Identified as Third Party Hit by Malware September 9, 2014 CVS Investigates Credit Card Breach At Its Online Photo Service JUL 17, 2015 US Navy breach highlights third-party cyber risk 25 Nov 2016 Hackers hijack Twitter accounts.third-party analytics tool to blame March 15, 2017

4 The Statistics 63% of data breaches linked to third party 1 87% of respondents have faced a disruptive incident with third parties in the last 2-3 years 2 Half of respondents (49%) confirm their organization experienced a data breach by one of their vendors 3

5 The Statistics Data breaches caused by third party involvement.increased the per capita cost of data breach 4

6 The Strategic Imperative Strategic issue for Company and Board Data breaches and data breach costs growing Digital assets growing rapidly Third Party relationships growing Regulatory environment M&A activity Reputational Risk

7 The Plan Identify key data assets, security risks, gaps and priorities Embed third party risk management into your cyber security strategy Develop and test breach response plan

8 RESPONSE

9 Breach Response Not if, but when response is critical How can it happen to us? What s the worst thing that can happen? What s at risk? Source? Business impact? Mitigation strategies?

10 Breach Response Your response plan Confidence in your response plan? Have you tested your response plan? Communication plan for employees, customers, shareholders, regulators, others? Predetermined response partners?

11 Breach Response Third parties response plans Addressed in contract? Notification to you of their breach? Are 4 th and 5 th parties required to notify you? Coordination of response activities?

12 Breach Response How we think about breach response Plan must be comprehensive and executable Communication is critical TEST, TEST, TEST

13 DATA

14 Data What data do you have? Most sensitive data? Where is the data on your network? What data do you share? Where is the shared data stored? Which third parties do you share data with? Which third parties connect to your network?

15 Data Security Does your security policy cover all data? Do you know the privacy & security policies and practices of your third parties? 4 th & 5 th parties? Compliance what laws/regulations apply? Controls yours? theirs?

16 Data Security How do you think about emerging technology? Mobile Cloud Internet of Things (IoT) Digital currency Blockchain Artificial Intelligence Robotics

17 Data Security How we think about data security How can they get in? How can we limit damage while inside? How can they get data out?

18 TPRM

19 TPRM Did you review the correct vendor? Data security? Does your vendor review the security of other vendors (4 th party, 5 th party) it uses? Does the vendor have periodic vulnerability testing?

20 TPRM Special exposure considerations Data aggregator? Cloud based vendor? Foreign based vendor? Concentration - same vendor? Concentration - systemic vendor?

21 TPRM Key control elements IT Security Controls Training Business Continuity Incident Response Active Management/Monitoring Cyber Insurance

22 TPRM How we think about TPRM There is no one size fits all TPRM must be risk based, comprehensive, agile, scalable, and uniform Continuous, ongoing monitoring capabilities are important

23 The Summary Digital assets, third party relationships, data breaches and regulatory scrutiny are growing Effective management of cyber security, including Data Security, TPRM and Breach Response, is a strategic imperative

24 Questions?

25 About Lisa Murphy SVP, Operational Risk/Corporate Insurance First Horizon National Corporation (FHN) Assets: $28 Billion; Employees: 4,300 First Tennessee Bank FTN Financial

26 The Sources 1 Soha Third Party Advisory Group survey, Deloitte Third Party Governance and Risk Management, Global Survey Data Risk in the Third-Party Ecosystem sponsored by BuckleySandler LLP & Treliant Risk Advisors LLC and conducted by Ponemon Institute LLC, April Ponemon 2016 Cost of Data Breach Study: Global Analysis 4