TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Similar documents
NYDFS Cybersecurity Regulations

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

The Impact of Cybersecurity, Data Privacy and Social Media

HIPAA Privacy, Security and Breach Notification

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

Cyber Security Program

Cyber Risks in the Boardroom Conference

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

GDPR: A QUICK OVERVIEW

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Cybersecurity The Evolving Landscape

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

Cybersecurity Risk Oversight: the NIST Framework and EU approaches

Cyber Security Law --- How does it affect the business operations in China? Xun Yang Of Counsel, Commercial IP and Technology

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Department of Management Services REQUEST FOR INFORMATION

EY s Data Privacy Services. January 2019

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Information Security Incident Response Plan

Information Security Incident Response Plan

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

The Evolving Threat to Corporate Cyber & Data Security

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

Jeff Wilbur VP Marketing Iconix

2017 RIMS CYBER SURVEY

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

CYBER RISK MANAGEMENT

Cybersecurity in Higher Ed

The HIPAA Omnibus Rule

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

Upcoming PIPEDA Changes What is changing and what to do about it

Data Breach Preparation and Response. April 21, 2017

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Cyber Security Incident Response Fighting Fire with Fire

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Security and Privacy Governance Program Guidelines

Protecting your next investment: The importance of cybersecurity due diligence

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

Hacking and Cyber Espionage

Orlando, FL September 23-27, Your School Has Been Breached Now What? Cyber Incident Simulation Exercise

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Big data privacy in Australia

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

SECURITY & PRIVACY DOCUMENTATION

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

CYBERSECURITY. Protecting Against the Financial, Regulatory and Reputational Impacts of Cyber Attack

Cyber Risks, Coverage, and the Board of Directors.

Member of the County or municipal emergency management organization

Addressing the elephant in the operating room: a look at medical device security programs

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Credit Card Data Compromise: Incident Response Plan

It s Not If But When: How to Build Your Cyber Incident Response Plan

Business continuity management and cyber resiliency

Rethinking Information Security Risk Management CRM002

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

Cybersecurity: Federalism as Defense-in-Depth

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

What It Takes to be a CISO in 2017

Emerging Technologies The risks they pose to your organisations

Cybersecurity and Nonprofit

Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs

How to Prepare a Response to Cyber Attack for a Multinational Company.

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

HPH SCC CYBERSECURITY WORKING GROUP

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Privacy Breach Policy

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

Incident Response and Cybersecurity: A View from the Boardroom

Cyber Security Law --- Are you ready?

Avanade s Approach to Client Data Protection

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Cyber Security. The Question of the Day. Sylint Group, Inc. How did we come up with the company name Sylint and what does it mean?

Financial Regulations, Enforcement & Cybersecurity

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

CYBER INSURANCE: MANAGING THE RISK

Security Breach Notification Reflections on the U.S. Experience

NY DFS Cybersecurity Regulations August 8, 2017

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Department of Homeland Security Updates

Cyber Attack: Is Your Business at Risk?

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Development of your Company s Record Information System and Disaster Preparedness. The National Emergency Management Summit

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

INTELLIGENCE DRIVEN GRC FOR SECURITY

falanx Cyber ISO 27001: How and why your organisation should get certified

Cyber Crime Seminar 8 December 2015

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

MNsure Privacy Program Strategic Plan FY

Managing Cybersecurity Risk

EU General Data Protection Regulation (GDPR) Achieving compliance

BHConsulting. Your trusted cybersecurity partner

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Building Privacy into Cyber Threat Information Sharing Cyber Security Symposium Securing the Public Trust

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Transcription:

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE Association of Corporate Counsel NYC Chapter 11/1 NYC BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.

GEORGE SOCHA - MODERATOR Managing Director, BDO MEET THE PRESENTERS PATRICK J. BURKE Senior Counsel, Seyfarth Shaw IAN LEWIS Director, BDO RACHEL MILLER Vice President, Legal Affairs, Technology, HBO

AGENDA I. COSTS OF CYBER INCIDENTS II. PERSPECTIVES FROM IT III. PERSPECTIVES FROM LEGAL IV. Q&A

COSTS OF CYBER INCIDENTS

A CYBER INCIDENT OCCURRED. WHAT ARE THE COSTS? REPUTATIONAL HARM COSTS OF CYBER INCIDENTS Loss of intellectual property or records fundamental to the viability of the business/organization Business interruption costs Loss of revenue OPPORTUNITY COST ( FUTURE BUSINESS AND TALENT, INDEFINABLE) Increased cyber insurance cost IT Infrastructure restoration costs Hardware / Software replacement costs Cybersecurity costs related to securing data and the network Information security hardware, software and services Compliance with HIPPA, PII and PCI standards Regulatory scrutiny and adverse action Civil liability and class action suits Fines and sanctions Ponemon Institute / IBM study 2016 cost of a breech per record Average: $158 (Healthcare $355, Retail $172, Transport :$129)

A CYBER INCIDENT RESPONSE : A MULTI DISCIPLINE CORPORATE RESPONSE WILL BE REQUIRED Information Security Internal Communications COSTS OF CYBER INCIDENTS Information Technology Legal Risk Human Resources Finance Government Relations C-Suite and Board Continuity of Operations Compliance Security/Investigations Audit Logistics, Transportation Public Relations

NEW PRESIDENTIAL CYBER DIRECTIVE / PPD-41 Presidential Policy Directive / PPD-41 issued 7/26/2016. COSTS OF CYBER INCIDENTS To provide greater clarity about the Federal government s role in a major cyber incident Designated lead agencies for government action, broken into three categories: 1. Responding to the threat ( Investigation - FBI and Cyber Task Force) 2. Protecting the organization s assets and restoring operations (DHS) 3. Intelligence gathering and analysis ( CTIIC - for government) Principles to guide the government s response to a cyber incident, emphasizing the importance of shared responsibility and coordination. Unified Coordination Group (UCG) A shared framework for evaluating and assigning a level of severity to a cyber incident ( Severity Schema) Victim of a breach is a victim of crime Cooperation and information sharing with the private sector is essential to defending the nation against cyber threats

COSTS OF CYBER INCIDENTS PPD-41 SEVERITY SCHEMA

CYBERSECURITY PRE- & POST-INCIDENT RESOURCES Independent Risk Assessment Incident Response COSTS OF CYBER INCIDENTS Remediation Implementation Penetration Testing Social Engineering Testing Network Architecture Containment Mitigation Recovery Continuity of Business Operations Cost Optimization Technology Optimization Employee Training Strategic Board Advisory Services Incident Response Planning Cyber Insurance Review and Purchase Assistance Investigation Forensics Vulnerability Assessment Government Relations Strategic and Board Advisory Services Media and Legal Digital Asset Valuation Data Mapping Network Mapping

PERSPECTIVES FROM IT

IMPORTANT ASPECTS OF A MATURE GOVERNANCE PROGRAM LESSONS LEARNED PERSPECTIVES FROM IT Things will happen when you least expect Be prepared Respond appropriately Make sure the right people are engaged Communicate, communicate, communicate

MUST HAVES PERSPECTIVES FROM IT STRATEGY TACTICAL PLANS TO RESPOND COMMUNICATION PLAN POST BREACH ACTIVITIES (CLASS ACTION LAW SUITS, ETC.)

ESSENTIALS IN BUILDING A GOOD COMMUNICATION PROTOCOL WITH IT, SECURITY AND LEGAL PERSPECTIVES FROM IT IT/IS, Privacy and Legal must all be tied to the hip A Crisis Management Plan must be developed. Create response teams that need to be engaged during the different levels of an event Legal plays the most critical role in an enterprise when responding to an event Executive leadership needs to buy in to the program if it is to be successful

WHAT DOES IT NEED FROM LEGAL PERSPECTIVES FROM IT Guidance and advice for the CISO and CRO/CCO Review and approve response and communications plans Work with IT to effectively comply with regulators requests during an event Weigh on potential impact to organization e.g., If electronic protected health information (ephi) is impacted.legal must weigh in on the level of impact to the company - based on the type of data that was breached

PERSPECTIVES FROM LEGAL

BUILDING A PRIVACY COMPLIANCE CULTURE PERSPECTIVES FROM LEGAL Where or how to start? Building relationships among the key stakeholders Step 1: Internal Due Diligence Ask questions and learn everything you can about the data that your company is collecting What are we collecting? What is our authorization to collect it? Why are we collecting it and how is it being used? Is our use consistent with the permission that the data subject has presumably provided when it was first disclosed? How does the data move and flow to where?, from where? How long do we retain it?

BUILDING A PRIVACY COMPLIANCE CULTURE PERSPECTIVES FROM LEGAL Step 2: Armed with the knowledge obtained from Step 1, explain what data privacy is and why its important Data Privacy is the appropriate use of data as determined by cultural norms The EU views data privacy as a fundamental human right whereas in the United States Privacy is often viewed as a consumer protection right. Data Privacy is a matter of cultural respect as much as it is a matter of legal compliance Step 3: Recognize that certain messages will resonate more clearly with different constituencies and tailor your message accordingly Executives, Sales, Marketing - Data Privacy compliance has a customer impact aspect. It s a fundamental component of maintaining customer trust and customer intimacy that has both legal consequences and business consequences Information Technology Data Privacy compliance has an IT efficiency aspect. It can help the IT Dept. be more efficient by establishing data retention limitations and by facilitating the movement of Personal Data in the EU to servers in the U.S. Insurance & Risk Management Data Privacy compliance has an insurance and risk management aspect involving significant new costs and expenses

HOW TO BUILD AN INCIDENT RESPONSE TEAM PERSPECTIVES FROM LEGAL Communicate the benefits of an Incident Response Plan and an Incident Response Team 2016 Ponemon Cost of Data Breach Study The most important thing a company can do to lower the cost of a data breach is have an IR Plan and an IR Team Second most important thing is use encryption EU General Data Protection Regulation 72 hour notification rule - An IR Team will likely increase the probability of compliance with the requirement to notify the applicable EU Supervisory Authority within 72 hours An IR Team following a pre-existing IR Plan will likely reduce confusion, reduce internal conflict and save time Federal Acquisition 72 hour notification requirements DFAR 252.204-7012 Safeguarding of unclassified controlled technology obligation to report an incident within 72 hours

RECRUIT THE TEAM PERSPECTIVES FROM LEGAL A data security Incident is a business problem and not just a technical issue Senior Executive In-House Counsel External Counsel Information Technology Corporate Communications Customer Support/ Customer Care Insurance and Risk Management Select a Team Leader!

DRAFT AN INCIDENT RESPONSE (IR) PLAN PERSPECTIVES FROM LEGAL Create an initial plan. Invite potential IR Team members to the planning sessions An Initial IR Plan provides structure and purpose for the IR Team Categorize the incidents to which the Plan will apply Establish incident severity categories and corresponding levels of deployment Establish Incident Response team membership that corresponds to different types of Security Incidents If a security incident involves employee data add HR to the team Establish pre-determined roles, responsibilities and authorizations Reduce confusion, internal conflict and save time

LESSONS LEARNED PERSPECTIVES FROM LEGAL Insurance & Risk Management are great allies Insurance carriers want to see IR Plans and IR Teams in place Internal Privacy Due Diligence is really important Keep probing and asking questions - don t be surprised when you find new information or information that doesn t correlate with your previous understanding Recognize that the development of a Privacy Culture requires constant vigilance and constant internal training Employees come and go New initiatives are commenced, and new data is collected Incident response teams need mock drills Mock Drills make it real for everyone and help to reinforce the whole idea of a Privacy Compliance culture

QUESTIONS?

Thank you! Association of Corporate Counsel NYC Chapter 11/1 NYC BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback