CYBER RISK MANAGEMENT


CYBER RISK MANAGEMENT AND BEST PRACTICES
Heather Fields, JD, CHC, CCEP
(414) 298-8166
hfields@reinhartlaw.com
1000 North Water Street, Suite 1700, Milwaukee, WI 53202
www.reinhartlaw.com

Agenda
- Role of the Board
- Role of the C-Suite

Equifax: What we all want to avoid

Lessons Learned: Prepare, Prepare, Prepare
- Combination of inadequate security risk management and lack of a comprehensive and timely response
- Security issues arose with Equifax's website that offered consumers credit monitoring
- Tweeted a link to a fake website 13 times
- Used a less secure content management system than what is industry recommended
- Response plan: initially only offered credit monitoring if consumers waived the right to sue (Equifax has since removed the language)

Cyber Risk Management: Role of the Board

Three Tasks for the Board
1. Have an Informed View and a Vision
2. Train and Educate
3. Ensure Ongoing Reporting to Enable Oversight

Task 1: Have an Informed View and a Vision

Creating an Informed View and Vision
- Evaluate your current data security program
- Decide what your ideal data security program looks like
- Plan for how to get there

Evaluating Your Current Program

"Directors don't need to be technologists to play an effective role in cyber risk oversight, but every board can take the opportunity to improve the effectiveness of their cyber oversight practices." Peter Gleason, NACD President

87%: number of board members and C-level executives who said they lack confidence in their companies' level of cybersecurity [1]

Know the following:
- What is your threat/risk profile?
- What controls are in place now?
- Do you have a planned incident response? What does that look like?
- What is your insurance profile?

[1] EY's 19th Global Information Security Survey 2016-17.

Resourcing: Who Can Help?
Internal resources
- IT department
- Chief Information Security Officer or Chief Information Officer
- Human Resources
- Board member with IT experience
External resources
- Managed Security Service Providers (MSSPs)
- Penetration testers or forensic consultants
- Lawyers
- Cyber strategy advisors
- Industry groups

Develop an Action Plan
- What steps need to be taken
- Who should be involved
- What is your timeline
- Who will ensure the plan stays on track

Task 2: Train and Educate

Training and Education
- Onboard training should include cybersecurity training
- Board members should receive cybersecurity training annually
- Training should be industry focused and specific to the company
- Training should be both general and specific to board position
- The NACD reports only 41% of surveyed boards review cyber risk as a full board

Task 3: Ensure Ongoing Reporting to Enable Oversight

Ensure Ongoing Reporting to Enable Oversight
- Consider dashboards
- Have a special reporting process or framework
- Board involvement in the incident response and action plans
- Periodic reviews of management's assessment of cybersecurity risks

Cyber Risk Management: Role of the C-Suite

Six Cyber Steps for the C-Suite
1. Develop a culture of security
2. Embed cybersecurity into overall enterprise risk management
3. Engage the Human Resources department
4. Evaluate insurance policies periodically
5. Institute contracting and vendor management controls
6. Reassess and test incident response plan on a routine basis

Cyber Security Starts at the Keyboard
- Employees should receive cyber security training upon hire and annually thereafter
- All employees should receive notice when the procedures or policies are updated
- Must have well understood and publicized reporting procedures
- Penetration tests can help train employees on what to watch for
- Regularly talk to employees about cyber security
- Take all employee reports and questions seriously

Embed Cybersecurity into General Risk Management
Security risk management must be part of existing organizational governance, leadership and operational structures:
- Governance: board, compliance committee, operational committees
- Leadership: general counsel, CEO, CIO/CTO, CFO, COO, CISO, compliance officer, risk manager
- Operational divisions/departments: finance, billing, purchasing, HR, PR/communications, gov't relations, clinical research, medical staff, CIN/ACO, payroll
Risk Management should:
- Define and oversee ongoing cybersecurity risk management
- Monitor breach and cybersecurity risk trends and measure risk management execution
- Evaluate effectiveness of cybersecurity breach response and technology risk management

Engage Human Resources
HR can help ensure that:
- Employees are following and implementing security policies
- Every employee receives appropriate security training
- Communication between all departments fosters a culture of cybersecurity

Evaluate Insurance Policies
- Review policies and understand exactly what is covered
- Policies tend to define "breach incident" differently
- Review the policy with the information security team
- Does it cover external breaches only? Internal? What are the exceptions?
- Realize that the norms are being established
- Update coverage to reflect new business lines and changes in your IT security profile

Institute Contracting Standards
- Contracting parties should consider seeking additional protections beyond the legal framework requirements
- Security provisions should be based on the parties' business relationship and extent of use and disclosure of data
- Scope of services may merit a separate data security agreement (e.g., hosting services)
- Ensure you know what your current contracts require of you
- Evaluate whether any contract provisions shift cyber liability
- BUT, contractual protections do not equate to a vendor management program

Vendor Management
- Identify your organization's full scope of dependencies on third-party service providers or vendors that collect, access, process, disclose, transmit, or host sensitive or confidential data
- Management of contracts involving or affecting sensitive or regulated data should be centralized, risk-based, and involve a multi-disciplinary review process
- Develop formal privacy and data security vendor management processes, such as:
  - Vendor due diligence process
  - Vendor oversight and contract enforcement
- Maintain vendor contact information and ensure key vendors are represented and included as part of the incident response team

Reassess and Test Incident Response Plan
The plan must:
- Be tailored to your risk
- Assign responsibility for investigational response
- Reflect various and current notification requirements (state, federal and international)
- Consider intangible costs (customers and reputational harm)
- Be tested

Summary
The Board should:
- Have an informed view and vision
- Train and educate
- Ensure ongoing reporting to enable oversight
Executives should:
- Develop a culture of security
- Embed cybersecurity into overall enterprise risk management
- Engage HR
- Evaluate insurance policies
- Institute contracting and vendor management controls
- Reassess and test incident response plan

Questions? Thank you!