Cybersecurity: What Companies are Doing & How to Evaluate

Miguel Romero - NAIC
David Gunkel & Dan Ford - Rook Security

Learning Objectives
At the end of this presentation, you will be able to:
- Explain the importance of cybersecurity in terms of risk to insurers and cybersecurity's role in future examinations.
- Differentiate between cybersecurity providers, including their product and service offerings.
- Identify the NIST Cybersecurity Framework's 5 main domain areas along with practical applications.
- Identify cybersecurity red flags in examinations and when outside assistance is appropriate.

All Rights Reserved
Agenda
Part I
- The Importance of Cybersecurity
- What do Cybersecurity Firms Actually Do?
Part II
- NIST Cybersecurity Framework Overview w/ Good & Bad Real Life Examples
Part III
- NAIC Thoughts on Cybersecurity
- The Ideal Role for Examiners
- Red Flags for Examiners

Part I: The Importance of Cybersecurity
Why is Cybersecurity Important?
According to the National Institute of Standards and Technology (NIST), cybersecurity events can have significant financial implications:
- Can result in administrative costs to enhance cybersecurity
- Can result in significant legal settlements (e.g. paying for identity theft protection, investigation expenses, regulator fines, etc.)
- Can harm an organization's ability to innovate (if not implemented correctly)

Why is Cybersecurity Important? (cont.)
According to NIST, cybersecurity events can also have significant implications for policyholders:
"The national and economic security of the United States depends on reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security, economy, and public safety and health at risk."
Exam Enhancements
NAIC used NIST to enhance Exam Handbook guidance:
- Narrative procedures (2015 & 2016)
- Questionnaire enhancements (2015 & 2016)
- Work program enhancements (2015)
- Conclusions Memorandum (2016)
- Training enhancements (2016 Webinar)

Types of Security Firms
What security firms actually do can be difficult to understand; we get it. At a high level, security firms generally provide either:
- Technology & Security Tools
- Services
Technology & Security Tools
Firms like Palo Alto Networks, Tenable and others focus on creating tools or appliances that detect / block threats or otherwise help security professionals do their jobs well. Examples include:
- Firewalls
- Intrusion Protection Systems
- Intrusion Detection Systems
- Scanners
- Log Collectors
- Endpoint Detection

Service Providers
Service providers focus less on developing technology and more on expertise with strategy, people and processes. Two main types:
- Managed Services: manage IT or services on behalf of clients
  - Highly-focused, specialized, value-added staff augmentation
  - Usually 24x7 and long-term contracts
- Advisory Firms: provide specialized ad-hoc strategic assistance to clients, both proactively and reactively
Managed Services Providers
Managed services providers offer front line support for a variety of security responsibilities:
- Security Monitoring
- Incident Response
- Tool Management (Firewalls, etc.)
- Vulnerability Identification and Management
- Various other Services
Also known as security operations centers (SOCs), they offer differing levels of client integration and are similar to air traffic controllers for security operations.

Security Operations Center (slide graphic)
Advisory
Advisory firms can provide a broad or very narrowly tailored set of security services, generally including the following:
THREAT & VULNERABILITY MANAGEMENT
- Penetration Testing: Network & Applications
- Social Engineering Testing & Security Awareness Training
- Vulnerability Assessments
GOVERNANCE, RISK & COMPLIANCE
- Security Strategy
- Policy Creation / Documentation
- Audits & Assessments: Risk Assessments, Security Frameworks, Various Audits
DIGITAL FORENSICS & INCIDENT RESPONSE
- Digital Forensics
- Incident Response

Part II: NIST Cybersecurity Framework Overview
NIST Cybersecurity Framework Overview & Components
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Identify
Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
How does the insurer assess, monitor, and manage its cybersecurity exposure?
Identify Best Practices
- Complete Asset Management: full catalog of physical and logical assets and their relationships
- Cybersecurity Roles and Responsibilities
- Well Defined Policies, Processes, and Procedures
- Robust Risk Management Process

Protect
Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
How does the insurer use physical and logical access controls to safeguard information?
What role does employee training play in the insurer's security program?
Protect Done Badly
- Poor Visibility: technology is selectively or improperly deployed
- Social Engineering Testing: removing CEO / CFO / VIPs from the testing sample, or tipping off the organization to the test!
- Executive Sponsorship: not prioritizing information security

Protect Best Practices
1. Access Control
   - Multifactor Authentication
2. Awareness and Training
   - Continuous training program combined with real assessments of employee skills and behavior
3. Data Security
   - Encryption in motion and at rest
   - Data Loss Prevention (DLP)
   - Integrity Checking (e.g. Tripwire)
4. Information Protection Processes and Procedures
   - Backups
   - Configuration Change Control
   - Continuous Improvement
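The "Integrity Checking (e.g. Tripwire)" item above is the one Protect practice that is easy to show in working code. The following is an added example written for this page, not the presenters' material and not Tripwire's own code: it takes a baseline of SHA-256 digests for a directory tree and reports files that were added, removed or modified since. The directory contents, file names and the three changes in `demo()` are all constructed for the demonstration.

```python
"""Tripwire-style file integrity checking (added example; not the presenters' code).

A baseline of SHA-256 digests is taken for every file under a directory, and a
later walk of the same tree is compared against it to list files that were
added, removed or modified.  Real products (Tripwire, AIDE, OSSEC) keep the
baseline off-host or signed so an intruder cannot rewrite it; here it stays in
memory because the whole scenario is constructed inside a temporary directory."""

import hashlib
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # hash in chunks so large files are not loaded into RAM


def sha256_of_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Return {relative_path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's content is its target's; skip rather than follow it
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of_file(full)
    return manifest


def compare_to_baseline(baseline, current):
    """Classify every difference between two manifests from build_baseline()."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(root, rel, body):
    """Helper for the demo: write `body` to root/rel, creating directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(body)


def demo():
    """Constructed scenario: baseline a small tree, then change it three ways."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        _write(root, "etc/sshd_config", b"PermitRootLogin no\n")
        _write(root, "app/config.ini", b"[db]\nhost=localhost\n")
        baseline = build_baseline(root)

        # Changes the next integrity run should surface (all constructed):
        _write(root, "etc/sshd_config", b"PermitRootLogin yes\n")  # weakened setting
        os.remove(os.path.join(root, "app", "config.ini"))         # file gone
        _write(root, "etc/cron.d/nightly",
               b"0 2 * * * root /usr/local/bin/report\n")         # new file

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>8}: {paths}")
```

Running `demo()` reports `etc/sshd_config` as modified, `app/config.ini` as removed and `etc/cron.d/nightly` as added, while the untouched `etc/passwd` stays silent. The point for an examiner is the "Configuration Change Control" item on the same slide: an integrity tool is only useful if every reported change is reconciled against an approved change record, otherwise the report becomes one more unread alert.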
Detect
Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Does the insurer have a process or program in place to ensure detection of cybersecurity incidents?

Detect Red Flags
- Lack of Consistent Monitoring
  - No internal or external team in charge of monitoring threats or responding to incidents
  - Incident management processes should be consistent, repeatable and sustainable
- Alert Backlog
  - Many breaches (Target) have resulted not from a new breed of malware, but from ignoring the alert from the security tool that detected it
- Lack of Tuning / Use
  - A lot of security tools are dramatically underutilized due to a lack of qualified engineers, proper configuration settings, unfamiliarity, or all of the above
  - Today's security tools generally do a good job; greater gains can be made in squeezing out efficiencies vs. chasing shiny new security tools
  - A low or non-existent level of reporting / alert activity across certain appliances can signify problems
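Two of the red flags above, an alert backlog nobody actions and appliances whose alert activity has dropped to nothing, can be turned into mechanical checks against an exported alert queue. The example below is added for this page and is not the presenters' material: the alert records, the list of expected appliances, the fixed clock and the SLA / silence thresholds are all constructed, and the function names are this example's own.

```python
"""Two of the "Detect" red flags above, turned into checks a SOC or an examiner
could run against an exported alert queue (added example, not the presenters'
material).  The alert records, appliance list and clock are all constructed."""

from datetime import datetime, timedelta

# Constructed export from a SIEM: alert id, the appliance that raised it, when,
# and whether any analyst has acknowledged it.
ALERTS = [
    {"id": 1, "source": "ids-dmz", "raised": "2016-03-01T08:05:00", "acked": True},
    {"id": 2, "source": "ids-dmz", "raised": "2016-03-01T09:40:00", "acked": False},
    {"id": 3, "source": "fw-edge", "raised": "2016-03-02T13:10:00", "acked": False},
    {"id": 4, "source": "edr",     "raised": "2016-03-04T10:00:00", "acked": False},
    {"id": 5, "source": "edr",     "raised": "2016-03-04T11:30:00", "acked": True},
]

# Every appliance the security team believes is feeding the SIEM (constructed).
EXPECTED_SOURCES = ["ids-dmz", "fw-edge", "edr", "proxy", "dlp"]

# Fixed "now" so the demonstration is reproducible.
NOW = datetime(2016, 3, 4, 12, 0, 0)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def alert_backlog(alerts, now, sla=timedelta(hours=24)):
    """Alert ids that nobody has acknowledged within the SLA: the 'the tool saw
    it, but nobody looked' failure behind many breaches."""
    return [a["id"] for a in alerts
            if not a["acked"] and now - _ts(a["raised"]) > sla]


def silent_sources(alerts, expected, now, max_quiet=timedelta(days=2)):
    """Appliances that have never reported, or whose last alert is older than
    max_quiet.  Silence from a tool that should be chatty usually means it is
    misconfigured, unlicensed or unplugged, not that the network is clean."""
    last_seen = {}
    for a in alerts:
        seen = _ts(a["raised"])
        if a["source"] not in last_seen or seen > last_seen[a["source"]]:
            last_seen[a["source"]] = seen
    return sorted(s for s in expected
                  if s not in last_seen or now - last_seen[s] > max_quiet)


def health_report(alerts=ALERTS, expected=EXPECTED_SOURCES, now=NOW):
    """Combine both checks into one picture of whether 'Detect' is working."""
    backlog = alert_backlog(alerts, now)
    silent = silent_sources(alerts, expected, now)
    return {
        "backlog": backlog,
        "silent_sources": silent,
        "healthy": not backlog and not silent,
    }


if __name__ == "__main__":
    print(health_report())
```

On the constructed data the report lists alerts 2 and 3 as unacknowledged past the 24-hour SLA, and flags `ids-dmz` (last alert three days ago) plus `proxy` and `dlp` (never seen) as silent sources. An examiner does not need to run code to ask the equivalent questions: how old is the oldest open alert, and which appliances on the inventory have produced nothing in the last month.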
Detect Best Practices
- Anomalies & Events are Monitored 24x7
  - Logs are configured and aggregated
  - Correlation of events
  - Alerting
  - Action and resolution is documented and communicated to key stakeholders
- Vulnerability scans are performed regularly
- Continuous improvement of Protect processes
- Penetration Testing

Respond
Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
How would the organization contain and mitigate a cybersecurity incident?
Does the organization have a process in place to learn from incidents?
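The "Logs are configured and aggregated", "Correlation of events" and "Alerting" items in the Detect best practices are what a SIEM does in miniature. The following added example (written for this page, not the presenters' or any vendor's code) normalises two constructed log formats into one schema and applies a single correlation rule: several failed logins for the same user and source address inside a short window, followed by a success, become one alert. The log lines, host names, addresses, user names and thresholds are all constructed.

```python
"""Log aggregation and event correlation, as the "Detect Best Practices" list
describes (added example, not the presentation's code).  Two constructed log
formats are normalised into one event schema, then a correlation rule turns a
burst of failed logins followed by a success into a single alert."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: an SSH bastion and a VPN concentrator, different
# formats, both feeding the same aggregation point.  One line is noise that no
# parser claims, to show that unparsed lines are dropped rather than crashing.
RAW_LOGS = [
    "2016-03-04T09:00:01 bastion sshd: Failed password for jsmith from 203.0.113.9",
    "2016-03-04T09:00:04 bastion sshd: Failed password for jsmith from 203.0.113.9",
    "2016-03-04T09:00:07 bastion sshd: Failed password for jsmith from 203.0.113.9",
    "2016-03-04T09:00:09 bastion kernel: eth0 link up",
    "2016-03-04T09:00:11 bastion sshd: Failed password for jsmith from 203.0.113.9",
    "2016-03-04T09:00:15 bastion sshd: Accepted password for jsmith from 203.0.113.9",
    "2016-03-04T09:05:00 vpn01 LOGIN user=mlee src=198.51.100.7 result=FAIL",
    "2016-03-04T09:30:00 vpn01 LOGIN user=mlee src=198.51.100.7 result=OK",
    "2016-03-04T10:00:00 bastion sshd: Failed password for admin from 192.0.2.44",
    "2016-03-04T10:00:02 bastion sshd: Failed password for admin from 192.0.2.44",
    "2016-03-04T10:00:05 bastion sshd: Failed password for admin from 192.0.2.44",
]

SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
VPN_RE = re.compile(r"^(\S+) (\S+) LOGIN user=(\S+) src=(\S+) result=(FAIL|OK)$")


def normalize(line):
    """Map one raw line onto a common schema; None for lines no parser claims."""
    m = SSH_RE.match(line)
    if m:
        ts, host, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                "src": src, "ok": outcome == "Accepted"}
    m = VPN_RE.match(line)
    if m:
        ts, host, user, src, result = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                "src": src, "ok": result == "OK"}
    return None


def correlate(events, failures=3, window=timedelta(minutes=10)):
    """Rule: at least `failures` failed logins for one (user, src) pair inside
    `window`, then a success from the same pair, raises one alert.  Bursts with
    no success yet are returned separately so they still reach an analyst."""
    events = sorted((e for e in events if e is not None), key=lambda e: e["ts"])
    recent = defaultdict(list)  # (user, src) -> timestamps of failures still in window
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window]
        if not e["ok"]:
            recent[key].append(e["ts"])
            continue
        if len(recent[key]) >= failures:
            alerts.append({"rule": "bruteforce-then-success", "user": e["user"],
                           "src": e["src"], "host": e["host"],
                           "failures": len(recent[key]), "at": e["ts"]})
        recent[key] = []  # a success closes the burst either way
    pending = {k: len(v) for k, v in recent.items() if len(v) >= failures}
    return alerts, pending


def run(lines=RAW_LOGS):
    """Aggregate, normalise and correlate; returns (alerts, pending_bursts)."""
    return correlate(normalize(line) for line in lines)


if __name__ == "__main__":
    found, open_bursts = run()
    for a in found:
        print(f"ALERT {a['rule']}: {a['user']} from {a['src']} on {a['host']} "
              f"after {a['failures']} failures at {a['at']}")
    print("bursts without a success yet:", open_bursts)
```

On the constructed lines, `jsmith` produces the one alert (four failures, then success, inside fourteen seconds), `mlee` does not (a single failure, and the later success falls outside the ten-minute window), and `admin` shows up only as a pending burst of three failures. The two tunables, `failures` and `window`, are the "Lack of Tuning" item from the red-flags slide in concrete form: set too loose the rule never fires, set too tight it fires on every mistyped password and gets ignored.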
Respond Case Studies
- Recovered Laptops
- CFO Embezzlement
- Ransomware

Recover
Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
How will the organization manage its reputation following an incident?
Recover Best Practices
- Recovery Planning: an incident response plan includes detailed recovery processes
- Improvement: identify real areas for change that remediate the actual security gaps that caused an incident
  - Spear phishing was the cause? Invest in security awareness training and testing
- Communication: the entire organization (not just IT) needs to respond to an incident cohesively across all customer touchpoints: PR, marketing, in-store, regulatory, sales, etc.
  - Honesty and transparency are the best policies

Part III: NAIC Thoughts on Cybersecurity
Future Cybersecurity Enhancements
When the Cybersecurity Model Law is passed (if?), the IT Examination Working Group will consider whether further Handbook revisions are needed. The Model Law, in its current form, would set a number of Information Security Program requirements.

Future Cybersecurity Enhancements (cont.)
The Handbook may also be enhanced as:
- Regulators identify best practices through:
  - Breach investigations
  - Discussions with other regulators (e.g. Federal / International counterparts)
  - Routine financial exams
- The NIST Framework is updated (in process)
- Other third-party publications identify best practices (e.g. Verizon Data Breach Investigations Report, etc.)
What Should Insurers Be Doing?
There are lots of approaches to what makes a good security program. Insurers should have some discretion based on their size, but generally should include a mix of the following:
- Adopt a relevant, guiding information security control framework and adhere to it: NIST, SSAE16, ISO, HIPAA, CIS, etc.
- Perform regular risk and control security assessments
- Conduct internal and external penetration testing - network and applications
- Have a robust incident response policy and processes
- Conduct security awareness training and test its effectiveness regularly
- Have 24x7 security monitoring in place (internal or outsourced)
- Have a CIO / CISO and a dedicated security team (internal or outsourced)
- Conduct regular vulnerability scanning and patching

Recognizing Red Flags in Exams
- Not conducting regular assessments or penetration / vulnerability testing (internally or third-party)
  - Frequency of testing / scanning does not equate to insurer size or budget
- Not adopting a guiding security framework like NIST / ISO, or even something custom or homegrown
- People, systems, applications taken out of scope during testing or assessments
- Lack of officers dedicated to security and / or privacy (size-dependent)
- Alerts from security tools are unmonitored or only infrequently monitored and / or actioned
- Lacking an incident response plan and / or its testing
Prioritizing Insurers for Greater Focus
It's OK to have different expectations for insurers of varying size (Anthem vs. Buffalo Municipal Workers Life).
Insurers that could be worth a closer look:
- Have experienced a breach previously
- Combining operations with another carrier (e.g. merger / acquisition)
- Large policy volume
- Nature of operations and underlying data (health or cyber insurance vs. automotive)

Relying Upon Third Party Security Reports
- Examiners sometimes encounter third-party IT security reports
- However, these reports can be difficult to understand, interpret and challenge, especially for non-IT people
- Third-party reports have the most value when the goal, scope, and outcome of the report are understood
- Attestation vs. Assessments (example: PCI Assessment)
When to Raise Your Hand
Just like assistance on certain actuarial or reinsurance topics, it's OK to consider help from outside IT security experts:
- Lack of security expertise for assessments
- Evaluation of third-party reports
- Ensuring operational effectiveness of controls by performing penetration testing, vulnerability assessments, etc.
- Investigation / follow-up on any areas of concern that might require a deeper technical skillset (e.g. forensics)
IT security firms do this work every day and can efficiently and quickly perform assessments and determine the validity / reliability of third-party reports.

Q&A
Thank You!
Miguel Romero - NAIC
David Gunkel & Dan Ford - Rook Security