CYBER RISK MANAGEMENT AND BEST PRACTICES

Heather Fields, JD, CHC, CCEP
(414) 298-8166
hfields@reinhartlaw.com
1000 North Water Street, Suite 1700, Milwaukee, WI 53202
www.reinhartlaw.com

Agenda
- Role of the Board
- Role of the C-Suite
Equifax: What we all want to avoid

Lessons Learned: Prepare, Prepare, Prepare
- A combination of inadequate security risk management and the lack of a comprehensive and timely response
- Security issues arose with Equifax's website that offered consumers credit monitoring
- Tweeted a link to a fake website 13 times
- Used a less secure content management system than what is industry recommended
- Response plan: initially only offered credit monitoring if consumers waived the right to sue (Equifax has since removed the language)
Cyber Risk Management: Role of the Board

Three Tasks for the Board
1. Have an Informed View and a Vision
2. Train and Educate
3. Ensure Ongoing Reporting to Enable Oversight
Task 1: Have an Informed View and a Vision

Creating an Informed View and Vision
- Evaluate your current data security program
- Decide what your ideal data security program looks like
- Plan for how to get there
Evaluating Your Current Program

"Directors don't need to be technologists to play an effective role in cyber risk oversight, but every board can take the opportunity to improve the effectiveness of their cyber oversight practices." Peter Gleason, NACD President

87%: proportion of board members and C-level executives who said they lack confidence in their companies' level of cybersecurity [1]

Know the following:
- What is your threat/risk profile?
- What controls are in place now?
- Do you have a planned incident response? What does that look like?
- What is your insurance profile?

[1] EY's 19th Global Information Security Survey 2016-17.

Resourcing: Who Can Help?

Internal resources
- IT department
- Chief Information Security Officer or Chief Information Officer
- Human Resources
- Board member with IT experience

External resources
- Managed Security Service Providers (MSSPs)
- Penetration testers or forensic consultants
- Lawyers
- Cyber strategy advisors
- Industry groups
Develop an Action Plan
- What steps need to be taken?
- Who should be involved?
- What is your timeline?
- Who will ensure the plan stays on track?

Task 2: Train and Educate
Training and Education
- Onboarding training should include cybersecurity training
- Board members should receive cybersecurity training annually
- Training should be industry focused and specific to the company
- Training should be both general and specific to the board position
- The NACD reports only 41% of surveyed boards review cyber risk as a full board

Task 3: Ensure Ongoing Reporting to Enable Oversight
Ensure Ongoing Reporting to Enable Oversight
- Consider dashboards
- Have a special reporting process or framework
- Board involvement in the incident response and action plans
- Periodic reviews of management's assessment of cybersecurity risks

Cyber Risk Management: Role of the C-Suite
Six Cyber Steps for the C-Suite
1. Develop a culture of security
2. Embed cybersecurity into overall enterprise risk management
3. Engage the Human Resources department
4. Evaluate insurance policies periodically
5. Institute contracting and vendor management controls
6. Reassess and test the incident response plan on a routine basis

Cyber Security Starts at the Keyboard
- Employees should receive cyber security training upon hire and annually thereafter
- All employees should receive notice when the procedures or policies are updated
- Must have well understood and publicized reporting procedures
- Penetration tests can help train employees on what to watch for
- Regularly talk to employees about cyber security
- Take all employee reports and questions seriously
Embed Cybersecurity into General Risk Management

Security risk management must be part of existing organizational governance, leadership and operational structures:
- Governance: board, compliance committee, operational committees
- Leadership: general counsel, CEO, CIO/CTO, CFO, COO, CISO, compliance officer, risk manager
- Operational divisions/departments: finance, billing, purchasing, HR, PR/communications, gov't relations, clinical research, medical staff, CIN/ACO, payroll

Risk management should:
- Define and oversee ongoing cybersecurity risk management
- Monitor breach and cybersecurity risk trends and measure risk management execution
- Evaluate effectiveness of cybersecurity breach response and technology risk management

Engage Human Resources

HR can help ensure that:
- Employees are following and implementing security policies
- Every employee receives appropriate security training
- Communication between all departments fosters a culture of cybersecurity
Evaluate Insurance Policies
- Review policies and understand exactly what is covered
- Policies tend to define "breach incident" differently
- Review the policy with the information security team
- Does it cover external breaches only? Internal? What are the exceptions?
- Realize that the norms are still being established
- Update coverage to reflect new business lines and changes in your IT security profile

Institute Contracting Standards
- Contracting parties should consider seeking additional protections beyond the legal framework requirements
- Security provisions should be based on the parties' business relationship and the extent of use and disclosure of data
- Scope of services may merit a separate data security agreement (e.g., hosting services)
- Ensure you know what your current contracts require of you
- Evaluate whether any contract provisions shift cyber liability
- BUT, contractual protections do not equate to a vendor management program
Vendor Management
- Identify your organization's full scope of dependencies on third-party service providers or vendors that collect, access, process, disclose, transmit, or host sensitive or confidential data
- Management of contracts involving or affecting sensitive or regulated data should be centralized, risk-based, and involve a multi-disciplinary review process
- Develop formal privacy and data security vendor management processes, such as:
  - Vendor due diligence process
  - Vendor oversight and contract enforcement
- Maintain vendor contact information and ensure key vendors are represented and included as part of the incident response team

Reassess and Test Incident Response Plan

The plan must:
- Be tailored to your risk
- Assign responsibility for investigational response
- Reflect various and current notification requirements (state, federal and international)
- Consider intangible costs (customers and reputational harm)
- Be tested
Summary

The Board should:
- Have an informed view and vision
- Train and educate
- Ensure ongoing reporting to enable oversight

Executives should:
- Develop a culture of security
- Embed cybersecurity into overall enterprise risk management
- Engage HR
- Evaluate insurance policies
- Institute contracting and vendor management controls
- Reassess and test the incident response plan

Questions? Thank you!