Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Similar documents
The Evolving Threat to Corporate Cyber & Data Security

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

Advising the C-Suite and Boards of Directors on Cybersecurity. February 11, 2015

Cyber Risks in the Boardroom Conference

Data Security and Breach Notification Legislative Update: What You Need to Know (SESSION CODE CRM001)

Cybersecurity and Data Protection Developments

Cyber Risk A Corporate Directors' Briefing Webcast Q&A Summary

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

Healthcare HIPAA and Cybersecurity Update

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Why you should adopt the NIST Cybersecurity Framework

Business continuity management and cyber resiliency

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Cybersecurity and the Board of Directors

Incident Response and Cybersecurity: A View from the Boardroom

Emerging Issues: Cybersecurity. Directors College 2015

Data Privacy & Protection

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Bringing Cybersecurity to the Boardroom Bret Arsenault

01.0 Policy Responsibilities and Oversight

Vulnerability Assessments and Penetration Testing

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

Managing Cybersecurity Risk

Turning Risk into Advantage

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

locuz.com SOC Services

Are we breached? Deloitte's Cyber Threat Hunting

Cyber Security Program

Financial Regulations, Enforcement & Cybersecurity

Cyber Risks, Coverage, and the Board of Directors.

The Impact of Cybersecurity, Data Privacy and Social Media

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

MNsure Privacy Program Strategic Plan FY

Cybersecurity Assessment Tool

DHS Cybersecurity: Services for State and Local Officials. February 2017

People risk. Capital risk. Technology risk

Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Cybersecurity Auditing in an Unsecure World

GUIDANCE NOTE ON CYBERSECURITY

Security and Privacy Governance Program Guidelines

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Data Breach Preparation and Response. April 21, 2017

NERC Staff Organization Chart Budget 2019

Cybersecurity in Higher Ed

CYBER RISK MANAGEMENT SERVICES Is Your Company Prepared for a Cyber Attack?

Headline Verdana Bold

Rethinking Information Security Risk Management CRM002

NYDFS Cybersecurity Regulations

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

NERC Staff Organization Chart Budget 2018

Cybersecurity Session IIA Conference 2018

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

NERC Staff Organization Chart Budget 2019

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

Regulating Cyber: the UK s plans for the NIS Directive

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

Breach Notifications: How to Handle Breaches Across Jurisdictions. Moderated by: Zach Warren, Editor-in-Chief, Legaltech News

ACM Retreat - Today s Topics:

Investigating Insider Threats

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Effective Cyber Incident Response in Insurance Companies

THE POWER OF TECH-SAVVY BOARDS:

Canada Life Cyber Security Statement 2018

NERC Staff Organization Chart

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Avanade s Approach to Client Data Protection

Hacking and Cyber Espionage

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

Cyber Security Incident Response Fighting Fire with Fire

Credit Card Data Compromise: Incident Response Plan

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

BHConsulting. Your trusted cybersecurity partner

Must Have Items for Your Cybersecurity or IT Budget in 2018

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Standard for Security of Information Technology Resources

Demonstrating Compliance in the Financial Services Industry with Veriato

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Mastering Data Privacy, Social Media, & Cyber Law

DATA BREACH NUTS AND BOLTS

Transcription:

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Cybersecurity Landscape Major Data Breaches (e.g., OPM, IRS) Data Breach Notification Laws Directors Derivative Suits Federal Legislation Enforcement Actions (e.g. FTC, SEC) 2

Cybersecurity Risk Environment Risks & Vulnerabilities Mitigants Cyber Risk Management & Oversight Employees External Cyber Attack Insider Threats (Intentional or Inadvertent) Third Party Service Providers Organization s Critical Services, Networks, & Data Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Resilience 3

Legal Framework: Directors Duty of Care Corporate Law Duty of Care, Loyalty, and Good Faith Business Judgment Rule: Act on an informed basis to oversee and manage risks Cybersecurity Information and Reporting: Basic knowledge of technical landscape, risks, response plan Other considerations, including: Applicability of authorizing statutes and financial regulation e.g., FDIC, Fed, and OCC - Relevant expectations and guidance. 4

The Context for Becoming (and Staying) Informed Enterprise Wide Risk Management: Cybersecurity as part of enterprisewide risk management Cyber Risk Implications: Understand the legal, operational, and financial implications of cyber risks related to organization s mission Access Expertise: Access to cybersecurity expertise, regular discussions, and updates Require a Framework: Expectations that management establishes an enterprise-wide risk management framework with staffing and budget Risk Decisions: Accept, mitigate, transfer 5

Director Oversight of Cybersecurity Questions to Ask Enterprise Wide Risk Management How frequently are health checks completed by auditors. Cyber risk implications: What are the top five risks the organization has related to cybersecurity, what are the critical data/systems? How are employees made aware of their roles? What types of connections does my firm have (and how are they managed)? What risks are associated with third party providers; how are they managed? What is the data breach, what is the incident response plan (and is it robust enough)? Has institution tested recovery of critical systems (i.e. resiliency)? What data breach laws apply? What major cyber attack attempts have been made against the organization? Does the organization gather, analyze, and leverage threat and vulnerability information from multiple sources? 6

Director Oversight of Cybersecurity Questions to Ask Require a Framework* Does the organization use a security framework? How is security governance managed within the organization? Does the budget align with similarly situated entities? Accessing Expertise How often do we meet with Chief Security Officer? What reports are provided on the cyber events and trends? Has management established relationships with appropriate national and local authorities who are responsible for cybersecurity or cyber-crime responses? Risk decisions What risks were avoided and accepted? Is cyber insurance an option and if so sufficient? *For example, written security standards and practices covering the identification and classification of data, where and how data is stored, access to data, anticipated exposure, and breach response protocol 7

On-going Practices to Support Director Oversight Well informed and knowledgeable about, and act in a deliberate manner in the oversight of, the organization s cybersecurity program. Appoint one or more qualified officers to be responsible for the organization s cybersecurity program Preserve and cultivate expertise of one or more IT/cyber-savvy board member(s) (identify director(s) monitor and report to the board on cybersecurity matters) Have access to, and leverage as needed, internal and/or external cybersecurity expertise Be aware of best practices and leading industry standards Engage internal and/or external auditors to assess the organization s program from time-to-time Review, discuss, and be periodically updated on the organization s cybersecurity program 8

Authorizes organizations to engage in activities to combat cyber threats: Sharing of information related to cyber threats (but generally no personal information; use of information is limited) Monitoring information systems Conducting defensive measure (but not hack backs) Protections under the Act Liability protections Sharing protections (e.g., not subject to FOIA, no anti-trust violations for sharing) Current Sunset: December 18, 2025 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback