The Impact of Cybersecurity, Data Privacy and Social Media


Doing Business in a Connected World: The Impact of Cybersecurity, Data Privacy and Social Media

Security Incident Prevention and Response: Customizing a Formula for Results

Presenters:
- Joseph M. Asher, Chief Executive Officer, William Hill US
- Marcus A. Christian, Partner, Mayer Brown LLP
- Burt M. Fealing, Executive Vice President, General Counsel and Secretary, Southwire Company

Topics
- The Risk Formula
- Risk Realized
- Making the Case for Action
- Implementing a Written Information Security Program (WISP)
- Implementing an Effective Incident Response Capacity
- Proactive Engagement with Law Enforcement Organizations and ISAOs

The Risk Formula

The Risk Formula

Risk = Threat x Vulnerability x Cost

- Threat is the frequency of a potentially adverse event.
- Vulnerability is the likelihood that a particular threat will impact an organization.
- Cost (Consequence) is the total cost of the impact of a particular threat.

Risk Realized: Adverse Events Occur

Risk Realized: Impact Varies Among Victims
- PII or PHI theft
- Ransomware
- DoS
- Corporate account takeover
- Cyber espionage
- Corporate identity theft
- Sabotage
- Payment card theft

Risk Realized: Relative Priorities Vary
- Damage to reputation/brand
- Loss of proprietary information
- Economic damage
- Government/regulatory action
- Business continuity
- Litigation
- Board of directors concerns
- Executive liability
- Preservation of lawyer-client privilege
- Shareholder activity
- Media coverage

Making the Case: Securing the Authority, Support and Resources to Reduce Cybersecurity Risk

Making the Case: The Legal Landscape

Federal and state laws establish various frameworks that companies must comply with or may adopt as best practices:
- Federal Trade Commission Act
- Gramm-Leach-Bliley Act
- HIPAA
- State data breach notification and data security laws
- Best practices, frameworks and industry standards (e.g., PCI DSS, NIST, ISO)

Making the Case: Enforcement Actions and Lawsuits

Making the Case: The Business Case for Cybersecurity
- What is the projected impact of improving cybersecurity on profitability from research and development?
- What is the expected financial benefit of improved cybersecurity on market share over the next three years?
- How will reducing cybersecurity risk enable the company to preserve its pricing or operational advantages over competitors?
- How much will bolstering cybersecurity enhance the company's ability to track, analyze and predict customers' preferences and demands?

Implementing a Written Information Security Program: Reducing Risk by Decreasing Vulnerability and Costs

Implementing a Written Information Security Program: Legal Requirements
- Federal statutes (e.g., Gramm-Leach-Bliley Act, HIPAA)
- State statutes (e.g., Massachusetts, Oregon)
- Settlements with regulators
- Business agreements
- Other requirements (e.g., COPPA Safe Harbor)
- Judicial protective orders
- Administrative, technical and physical safeguards

Implementing a Written Information Security Program: Selected Elements*
- Regular cybersecurity audits
- Regular risk assessments
- Adoption of risk management standards
- Employee training
- Tracking of employee training
- Training effectiveness
- Disciplinary measures
- Encryption of PII and/or PHI
- Maintenance and transport of records containing PII and/or PHI
- Physical security of records containing PII and/or PHI
- Monitoring program performance

*The specific elements of a WISP will depend upon the organization, its business and its regulators, among other factors.

Implementing a Written Information Security Program: Selected Elements (cont.)
- Password security
- Third-party access to systems
- Access control
- Need-to-know access
- Document retention
- Media destruction
- Portable devices
- Internet privacy policy
- System access control
- BYOD
- Regular system mapping
- Regular data mapping
- Data classification
- Password complexity
- Regular updates

Implementing a Written Information Security Program: Potential Pitfalls
- Lack of executive support
- Failing to implement a written program
- Including elements that will not be enforced
- Inadequate updating
- Selective enforcement
- Failing to break down silos

Implementing an Effective Incident Response Capacity: Reducing Risk by Mitigating the Impact of an Incident

Implementing an Effective Incident Response Capacity: The Written Plan

A written computer security incident response plan ensures that business priorities guide the response function. This plan should:
- Clearly state goals and objectives;
- Categorize incidents to which the plan applies;
- Establish incident severity categories and corresponding levels of deployment;
- Identify response team members and their respective roles; and
- Provide a structure that enables agile decision making by the response team.

The plan must be regularly assessed and revised as necessary to reflect new assets, business activities or technologies.

Implementing an Effective Incident Response Capacity: The Written Plan (cont.)

Every computer security incident response plan will be tailored to a specific company's unique needs, but generally they all should include certain key elements:
- Incident detection, notification, analysis and forensics;
- Response actions, including containment, remediation and recovery;
- Communications;
- Procedures to capture lessons learned; and
- Identification of necessary documents and key legal requirements.

Implementing an Effective Incident Response Capacity: The Team

The slide groups the roles into three columns: External Support, External Team and Internal Team. Roles listed:
- Software and Hardware Vendors
- Industry Working Groups
- Internet Service Providers
- Outside Counsel
- Information Technology & Security
- Corporate Counsel and Compliance
- Communications
- Business Management
- Other: Customer Care; HR; Physical Security; Investor Relations
- Forensics Expertise
- Insurance Providers
- Crisis Communications Specialist
- Law Enforcement
- Other Government Agencies

Implementing an Effective Incident Response Capacity: Resources

To facilitate your team's work, you will need to assure that it has the logistical support to operate when your information, technological and even physical security might be compromised. Consider maintaining:
- Dedicated clean laptops that can be used to record investigation activities, and others that can be used to connect to a compromised network without putting further information or assets (other than the laptop) at risk;
- Secure communications;
- A war room; and
- A call center to interface with customers and employees as the incident develops.

Implementing an Effective Incident Response Capacity: Training and Practice

Training and practice ensure that the effort and resources expended to prepare for a computer security incident are deployed efficiently and effectively when it counts. Regular tabletop exercises (e.g., twice a year) help keep the computer security incident response plan and the team's skills and relationships up to date. Employee training can demonstrate institutional commitment to cybersecurity in post-incident litigation.

Implementing an Effective Incident Response Capacity: Potential Pitfalls
- Lack of leadership sponsorship
- Staleness of plan
- Incompleteness of investigation or remediation
- Inadequate training
- Unclear chain of command or authority

Proactive Engagement with Law Enforcement Organizations and ISAOs: Reducing Risk by Working Against Threat Actors and Mitigating Costs

Proactive Engagement with Law Enforcement and Information Sharing and Analysis Organizations (ISAOs)

Reducing threats from criminal organizations and nation states will require concerted efforts by policy makers, companies and industry associations. Meaningful concerted action among large numbers of entities normally develops slowly and can be inefficient. Companies are taking action against external threat actors, individually and collectively. The passage of the Cybersecurity Information Sharing Act of 2015 should lead to increased threat information sharing.

Proactive Engagement with Law Enforcement: Selected Benefits
- Establishing contacts within law enforcement agencies
- Building rapport with law enforcement agencies before a crisis occurs
- Conducting a necessary action to reduce the number and impact of threat actors
- Increasing awareness of threats, trends and best practices
- Demonstrating commitment to cybersecurity in a way that regulators view favorably

Proactive Engagement with Law Enforcement: Selected Statutes Used in Cybercrime Prosecutions
- Computer Fraud and Abuse Act of 1986
- Aggravated Identity Theft
- Wire Fraud Statute
- Economic Espionage Act
- Electronic Communications Privacy Act
- Stored Communications Act

Proactive Engagement with ISAOs: Selected Benefits
- Reducing the number of threat actors by providing better intelligence to law enforcement agencies
- Enabling organizations to prevent more cyber attacks directed at them through awareness of exploits
- Improving entities' abilities to obtain defensive measures effective against specific attacks
- Improving companies' abilities to detect attacks
- Allowing businesses to respond to information security incidents earlier and more effectively

Questions

Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.