Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties


Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties
Thursday, October 5, 2017
Presented by: Gerrit Nel, Senior Manager, Cyber Security, KPMG; Sunny Handa, Partner, Montreal; Cathy Beagan Flood, Partner, Toronto; de Lobe Lederman, Associate, Calgary

Cyber Security Threat Landscape (Data Breaches)
Gerrit Nel, Senior Manager, Cyber Security, October 5, 2017

Agenda
- Threat Landscape (focus on data breaches)
- Cyber Defensible Position (manage threat risk and impact of breaches)

2017 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

Cyber Security Threat Landscape: Incidents vs Breaches
We hear and talk a lot about cyber security incidents and breaches. What is the difference? Let's do some definitions:
- Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
- Breach: An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.

Cyber Security Threat Landscape: Global Study on Data Breaches
[Figure: Ponemon Institute 2017 Cost of Data Breach Study]

Cyber Security Threat Landscape: Mega Breaches and Attack Types (IBM)
[Figure: IBM X-Force Threat Intelligence Index 2017, March 2017]

Cyber Security Threat Landscape: Mega Breaches and Attack Types (Verizon)
[Figure: Verizon 2017 Data Breach Investigation Report (10th Edition)]

Cyber Security Threat Landscape: Notable Recent Data Breaches
2017: Canada is third in reported data breaches so far this year.

Canada
- National Bank of Canada (Sep 2017): A website error may have exposed the personal information of nearly 400 of its customers, including their names, birthdates, phone numbers and email addresses.
- Alberta Full House Lottery (Jan/Feb 2017): Multiple breaches, over 23,000 customers affected; PII and credit card records.
- WestJet (July 29, 2017): PII; profile data from the customer rewards program.
- Cowboys Casino (June 2017): Patrons' information; a massive attack a year earlier (6.5 GB) revealed customer payouts, tracking of gambling habits and an elite members list.
- Alberta Medical Association (May 16, 2017): Data breach of AMA members' and staff data through a virus infection. In May 2017 the AMA advised affected individuals on how to sign up for Equifax Premium Credit monitoring services; it is now questioned whether they were further affected by the Equifax breach.
- University of Alberta (Nov 23, 2016): Over 3,000 students notified of a potential privacy breach; virus infections stole user IDs and passwords, leading to unauthorized access to systems.
- Ashley Madison (July 2015): In July 2017 agreed to pay $11.2 million to settle U.S. litigation over the 2015 data breach that exposed personal details of millions of users.

Globally
- Deloitte (Sep 25, 2017): Targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients.
- Equifax (May 2017): An unknown group successfully breached Equifax's online services by exploiting a vulnerability in its web servers. More than 143 million people's credit history and PII was exposed. Equifax Inc. has been providing regular updates about its privacy breach to the Office of the Information and Privacy Commissioner. The number of affected Albertans, if any, is not known at this time. Equifax Inc. and Equifax Canada have committed to notifying all Canadians affected in writing as soon as possible. The company will also offer free credit monitoring to affected individuals.
- Target (2013): Retail giant Target agreed in May 2017 to pay $18.5 million to settle claims by 47 states and the District of Columbia and resolve a multi-state investigation into a massive data breach in late 2013.

Cyber Security Threat Landscape: The Threat Actors
Resourcefulness refers to the threat actor's access to resources, characterized in terms of three levels of decreasing resourcefulness:
- Unconstrained (3): those whose financial resources for cyber-attacks are measured in multiple millions and/or who have significant human resources and can dedicate them to discovering or creating sophisticated vulnerabilities in systems;
- Constrained (2): those whose financial resources for cyber are measured in millions of dollars and/or who can develop their own tools to exploit publicly known vulnerabilities as well as discover new vulnerabilities;
- Limited (1): those attackers whose financial resources for cyber are measured in several thousands of dollars and/or who rely on others to develop the malicious code.
Source: Verizon 2017 Data Breach Investigation Report (10th Edition)

Cyber Defensible Position: The need for a Cyber Defensible Position
We define a Cyber Defensible Position as a posture that you have implemented, given your organization's cyber security risks and threats, to significantly reduce the impact should a cyber security breach occur. In the event of a breach, a good Cyber Defensible Position can provide:
- A reduction in the likelihood of fines from regulators or government bodies;
- A reduction in the backlash from customers or business partners who may otherwise take their business elsewhere;
- A reduction in the impact to share price and the reaction to this from shareholders;
- Less attention paid to your breach by the media; and
- Overall protection of your reputation.

Cyber Defensible Position: Establish a Cyber Defensible Position
There are a number of steps to take for achieving a good Cyber Defensible Position. The following takes each of these in turn and summarizes the typical inputs (board question), step, Defensible Position status output and the KPMG Cyber Services Framework phase:

Board question 1: What are the new cybersecurity threats and risks and how do they affect our organization?
Board question 2: Is our organization's cybersecurity program ready to meet the challenges of today's (and tomorrow's) cyber threat landscape?
- Steps: Risk Assessment; Capability Assessment and Security Testing
- Defensible Position status: None, then Defined
- Framework phase: PREPARE. Helps clients understand their vulnerabilities and improve their preparedness against cyber attack.

Board question 3: What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in cyber security?
- Step: Cyber Security Strategy and Program Plan
- Defensible Position status: Created
- Framework phase: PROTECT. Helps clients design and implement their cyber defence infrastructure.

Ongoing:
- Step: Execute and verify progress (ongoing)
- Defensible Position status: Achieved
- Framework phase: DETECT & RESPOND. Helps clients respond to and investigate cyber attacks.

Thank you
Gerrit Nel, Senior Manager, Cyber Security, 403.691.7904, gerritnel@kpmg.ca

Directors' and Officers' Obligations and Liability
Presented by: Sunny Handa

Duty of Care
- Section 21 of the Canada Business Corporations Act (CBCA): directors and officers must exercise the care, diligence and skill a reasonably prudent person would in comparable circumstances
- Equivalent requirement under provincial corporate law statutes
- Possible shareholder litigation against directors and officers for failing to properly discharge their duties
- D&O insurance likely to limit or exclude cyber risk coverage

Steps Directors and Officers can take
- Establish enterprise-wide information security team
- Prepare data map and data risk analysis
- Provide cybersecurity awareness training
- Develop vendor management program
- Develop incident response plan
- Conduct incident response drill
- Assess cyber liability insurance

Response Plan

Things to consider when developing a Response Plan
- Be prepared to act
- Retain experts
- Consider notification obligations and risks
- Ensure communications strategy minimizes litigation risks
- Manage employee communications
- Maintain privilege

Ways to reduce the cost of a breach
- $255: cost of data breach per record
- $24 reduction per record: incident response team
- $15 reduction per record: employee training
- $11 reduction per record: board-level involvement

Statutory Data Breach Reporting Requirements: Alberta's PIPA vs. PIPEDA
Presented by: de Lobe Lederman

Data Breach Reporting
- Alberta is currently the only Canadian jurisdiction where data breach reporting is mandatory
- Changing soon: PIPEDA was recently amended, and breach reporting will soon be mandatory under PIPEDA as well

When/How to Report a Breach?
Under PIPA:
- When? Real risk of significant harm
- How? Set out under the regulations
Under PIPEDA:
- When? Real risk of significant harm (again)
- How? Set out under the regulations (currently being finalized)
How to report is likely to be quite similar under PIPEDA as it is under PIPA.

Notice to Commissioner
Notice must include (PIPA / PIPEDA):
- Description of breach
- Date of breach
- Personal info involved in breach
- Assessment of risk of harm to affected individuals
- Estimate of individuals at risk of significant harm
- Steps taken by organization to reduce risk of harm
- Steps taken by organization to notify affected individuals
- Contact info of person who can answer questions on breach

Notice to Affected Individuals
Notice must include (PIPA / PIPEDA):
- Description of breach
- Date of breach
- Personal info involved in breach
- Steps taken by organization to reduce risk of harm
- Steps individual could take to reduce risk of harm
- Info about individual's right to file a complaint
- Contact info of person who can answer questions on breach
- Toll-free number or email address for info on breach

Possible Issues Under PIPEDA
- Notice to individuals includes info about the right to file a complaint: potential to encourage complaints/lawsuits?
- Record retention: organizations need to keep/maintain a record of every breach of security safeguards, and maintain such records for 2 years (per regulations). Not just records of breaches causing real risk of significant harm; even broader.
  - Risk of an offence under PIPEDA for failure to comply?
  - Impact on class actions? Producible to show a pattern of breaches/carelessness?

Mitigating Reputational and Litigation Risks
Presented by: Cathy Beagan Flood

Case Study: Target and Home Depot
"Why Home Depot is not the next Target", CNN Money Stockswatch, Sept. 22, 2014

Crisis Management Lessons
- Get in front
- Release official statement early
- Modify pre-drafted statements
- Don't say more than you know
- Consult with counsel

Crisis Management Lessons (cont'd)
- Keep consistency in mind
- One spokesperson handles all inquiries
- Consider retaining a PR firm

Protecting Privilege
- Investigation work product is privileged if created at the direction of legal counsel
- Pre-existing documents are not privileged

What Should the Notice Say? Litigation Considerations
- Saying too much can be as problematic as too little
- Describe facts in a manner consistent with the level of certainty that they are accurate
- Content should be informed by a reasonable assessment of risks to affected individuals
- Careful consideration should be given to which steps the notice recommends that the individual take
- Be careful not to include too much personal information in the notice (or use a compromised system to deliver it)

The Litigation Threat Landscape
- Tort of intrusion upon seclusion
- Tort of public disclosure of private facts
- Negligence
- Breach of confidence
- Breach of contract
- Unjust enrichment/waiver of tort
- Vicarious liability for conduct of employees

Risk Mitigation Checklist

Pre-Breach
- Develop formal information governance structure
- Establish enterprise-wide information security team
- Prepare data-flow map and data risk analysis
- Develop incident response plan
- Provide privacy and security awareness training
- Develop vendor management program
- Conduct incident response drill
- Assess cyber liability insurance
- Limit collection and retention of personal information
- Conduct regular audits

Post-Breach
- Act promptly
- Follow incident response plan
- Engage experts
- Investigate and contain the breach
- Maintain privilege
- Consider notification obligations
- Ensure communications strategy minimizes litigation risks
- Manage employee communications

Questions?