Speaker Profile
Abhishek Agarwal, CIPP/US: Security & Privacy Leader at Kraft Foods
- Manages compliance programs to safeguard consumer, customer and employee information.
- Responsible for protecting brand image and managing reputational risk.
Past Experience:
- Financial Institutions: JPMorgan Chase & HSBC
- Consulting: The Limited Brands, MetLife, Roche, Amex, William Communications, Hospira, Komatsu, WellPoint, Microsoft, SAP, Cigna, Westward Pharma, Conair, Express Scripts, Coface
Agenda
- History of breaches and incidents
- Impact on revenue due to breach
- Key drivers for protecting brands in cyberspace
- Key elements of a brand protection program
- Case Study
- Take Away: Do's and Don'ts
History of breaches & incidents - Reported
- 562,943,732 records containing PII have been stolen since 2005.
- Over 3,241 reported data breaches have taken place.
- The average cost per record breached is $212.
- Through 2016, the financial impact of cybercrime will grow 10 percent per year due to the continuing discovery of new vulnerabilities.
Source: http://www.privacyrights.org/data-breach
History of breaches & incidents - Unreported

| Company | Hacking Incident |
| --- | --- |
| Coca Cola | Lost the acquisition of China Huiyuan Juice Group (1886) after intruders stole confidential information about the deal. The company wouldn't discuss security matters and said it makes disclosures in public filings. |
| BG Group Plc | Lost geological maps, drilling records and sensitive deals. Released a one-sentence risk factor in its regulatory filings: "Information security breaches may also result in the loss of BG Group's commercially sensitive data." |
| ArcelorMittal | An executive's confidential PowerPoint presentations and emails about business in China were stolen. Referenced the possibility of such a threat in its regulatory filings. |
| Chesapeake Energy | Investment banking details about natural gas leases that were up for sale. |

Potential impacts listed on the slide: Reputational Risk, Financial Risk, Legal Risk, Technology Risk, Loss of Business, Loss of Reputation, Loss of revenue due to loss of business.
Source: http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html
Impact on Revenue

| Company | Year | Revenue Impact | Number of Records Stolen |
| --- | --- | --- | --- |
| Global Payments | 2012 | $84.4 million USD | 1.4 million payment cards |
| Sony | 2011 | $1.25 billion USD | 10 million credit cards |
| Epsilon | 2011 | $465 million USD | 60 million email addresses |
| RSA | 2010 | $66 million USD | 65 thousand customers |
| Heartland Payments | 2008 | $140 million USD | 100 million credit cards |
| TJ Maxx | 2006 | $200 million USD | 45 million customer records |

Sources:
- http://www.networkworld.com/news/2012/072712-global-payments-data-breach-cost-261204.html
- http://online.wsj.com/article/sb10001424052748703859304576307664174667924.html
- http://www.eweek.com/c/a/security/epsilon-data-breach-to-cost-billions-in-worstcase-scenario-459480/
- http://www.informationweek.com/security/attacks/rsa-securid-breach-cost-66-million/231002833
- http://online.wsj.com/article/sb10001424052702304778304576375911873193624.html
- http://online.wsj.com/article/sb10001424127887323374504578220052106443158.html
Fines Imposed

| Company | Compliance | Fines Imposed |
| --- | --- | --- |
| Global Payments | PCI | $35.9 M USD |
| Sony | U.K. ICO | $250,000 USD |
| Epsilon | -- | Not Available |
| RSA | -- | Not Available |
| Heartland Payments | PCI | $12.5 M USD |
| TJ Maxx | PCI | $40.9 M USD |

- EU DPA fines of up to one million Euros or two per cent of annual revenue for a data breach.
- SEC guidance asks publicly traded companies to report cyber security risks in their annual report.
Impact on Revenue: Case Study Sony
- The cost of the 2010 earthquake to Sony was $2.3 B. The cost of the breach to Sony is estimated at $5.6 to 24.5 B.
- The immediate impact of the earthquake on Sony's share price (-19 percent) was about the same as the impact on the general economy (-18 percent), but both recovered about 50 percent of the loss by March. The data breach, on the other hand, caused a sustained 12 percent loss in Sony's share price, the equivalent of $3.6 billion in market capitalization.
- To put this in perspective, the cost of Toyota Motor Corporation's unintended acceleration crisis in 2010, covering 8 million Camrys, was $2 billion, and its share price fell only 8.5 percent. So either the markets were irrational in their evaluation of the impact of the PSN data breach, or the operational impact was more severe than the impact of Toyota's crisis on a revenue percentage basis.
- Evaluating events based on share price is admittedly imperfect, but the key message is clear: the PSN data breach knocked Sony off the post-tsunami economic recovery path in Japan.
Source: "Limiting the Impact of Data Breaches: The Case of the Sony PlayStation Network." Authors: Alessandro Gazzini and Matthew W. Holt
Key drivers for protecting brands
- SEC Guidance: the SEC has provided guidance to publicly traded corporations to report cyber incidents and the adequacy of preventative actions taken to reduce cyber security risks.
- Reputational Risk: the DJSI Sustainability Index and corporate governance require adequate data security and privacy controls over consumer information.
- Compliance with Audit: a commitment to audit to improve the privacy and security posture over PII and thus reduce regulatory, brand, and/or reputational risks.
Media channels connecting to Cyberspace
Multiple technology media channels are available to manage and deliver consistent, seamless, and contextual brand experiences:
- Syndicated Content
- Brand Properties
- Promotions
- Brand Communities
- Mobile
- Content Management
- Digital Asset Management
- Leveraged Digital Marketing Solutions
- Social / Community Marketing & Campaign Management
- Digital Analytics
- Consumer Data Management
- eCommerce
- Search
- Web Hosting
- Security & Compliance
- Collaboration & Workflow
- Components & Web Services
Problem statement
- Breaches are impacting the bottom line of organizations.
- Regulatory bodies are imposing increasing fines; however, there is a lack of self-regulation, and companies are not reporting breach activity.
- The technology landscape is evolving quickly with mobility, cloud computing, social media and data analytics.
- How do companies protect their brands in cyberspace while reaching out to consumers through technology media channels?
Key elements of brand protection program
Ensure that the cyber media presence has reasonable information security controls to minimize the risk and impact of hacking that negatively affects business results, including revenue, reputational risk and regulatory compliance risk.
Program pillars:
- Inventory Management
- Brand Assessment
- Reporting & Remediation
- Governance
- E-Discovery
Supporting components: Domains & IPs, Classification, Centralized and Standardized Website Assessment, Continuous Monitoring, Management Dashboards, Reporting, Remediation Approach, Findings & Remediations, Inventory Management, Third Party Service Providers.
Risk based approach
Risk rank the digital media inventory based on privacy regulations, technology standards and business purpose.
Brand Assessment
- Target the assessment at the top 10 security threats and vulnerabilities.
- Use a standardized set of checks based on the technology platform.
- Ensure key privacy components are covered by the assessments, including data collection, use limitation, notice and choice, security safeguards and access to data.
- Ensure the gaps identified in the security assessment are remediated or accepted in a timely fashion.
Dashboard and Reporting
- Report a security and privacy health index for brands.
- Report brands by revenue per region together with brand protection cost savings.
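The three slides above (risk ranking the inventory, timely remediation of assessment gaps, and a brand health index) describe a process without showing how the numbers come out. The following is an added example, not code from the presentation or from Kraft Foods; the weights, risk tiers, remediation SLAs, field names and the sample inventory are all constructed assumptions. It ranks a small web-property inventory by regulation, platform and business purpose, flags properties whose open findings have outlived their tier's SLA, and rolls the result up into a 0-100 health index per brand.

```python
"""Risk-rank a digital media inventory and roll it up into a brand health index.

Added example (not from the presentation). Weights, SLAs, field names and the
sample inventory are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed scoring weights for the three ranking inputs the program names:
# privacy regulations, technology standards and business purpose.
REGULATION_WEIGHT = {"EU": 3, "US-CA": 2, "US": 1}               # strictest jurisdiction served
PLATFORM_WEIGHT = {"approved-cms": 0, "custom": 2, "unknown": 3}  # deviation from the tech standard
PURPOSE_WEIGHT = {"brochure": 0, "promotion": 1, "community": 2, "ecommerce": 3}
PII_WEIGHT, THIRD_PARTY_WEIGHT = 3, 1
# Assumed remediation SLAs (days) per tier: gaps must be fixed or formally accepted by then.
SLA_DAYS = {"High": 30, "Medium": 90, "Low": 180}


@dataclass
class WebProperty:
    domain: str
    brand: str
    regions: list[str]              # consumer jurisdictions the site serves
    platform: str                   # technology platform the site is built on
    purpose: str                    # business purpose of the property
    collects_pii: bool
    third_party_hosted: bool        # run by an agency or service provider
    open_findings: int              # findings neither remediated nor accepted
    oldest_finding: Optional[date]  # when the oldest open finding was raised


def risk_score(p: WebProperty) -> int:
    """Additive score from regulation, platform, purpose, PII handling and hosting."""
    score = max(REGULATION_WEIGHT.get(r, 1) for r in p.regions)
    score += PLATFORM_WEIGHT.get(p.platform, PLATFORM_WEIGHT["unknown"])
    score += PURPOSE_WEIGHT.get(p.purpose, 1)
    if p.collects_pii:
        score += PII_WEIGHT
    if p.third_party_hosted:
        score += THIRD_PARTY_WEIGHT
    return score


def risk_tier(score: int) -> str:
    """Assumed tier thresholds on the additive score."""
    if score >= 9:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def rank_inventory(inventory: list[WebProperty]) -> list[WebProperty]:
    """Highest risk first, so assessment effort goes to high-risk properties."""
    return sorted(inventory, key=lambda p: (-risk_score(p), p.domain))


def is_overdue(p: WebProperty, today: date) -> bool:
    """True when an open finding has outlived the SLA for the property's tier."""
    if p.open_findings == 0 or p.oldest_finding is None:
        return False
    age_days = (today - p.oldest_finding).days
    return age_days > SLA_DAYS[risk_tier(risk_score(p))]


def brand_health_index(inventory: list[WebProperty], today: date) -> dict[str, float]:
    """0-100 per brand: share of risk-weighted inventory with no overdue findings."""
    total: dict[str, int] = {}
    overdue: dict[str, int] = {}
    for p in inventory:
        w = risk_score(p)
        total[p.brand] = total.get(p.brand, 0) + w
        if is_overdue(p, today):
            overdue[p.brand] = overdue.get(p.brand, 0) + w
    return {b: round(100 * (1 - overdue.get(b, 0) / total[b]), 1) for b in total}


# Constructed sample inventory (hypothetical brands and domains).
AS_OF = date(2013, 4, 1)
SAMPLE_INVENTORY = [
    WebProperty("shop.brand-a.example", "Brand A", ["EU", "US"], "custom", "ecommerce",
                True, True, 2, date(2013, 1, 15)),
    WebProperty("promo.brand-a.example", "Brand A", ["US"], "approved-cms", "promotion",
                True, False, 1, date(2013, 3, 1)),
    WebProperty("www.brand-b.example", "Brand B", ["US"], "approved-cms", "brochure",
                False, False, 0, None),
    WebProperty("community.brand-b.example", "Brand B", ["US-CA", "US"], "unknown", "community",
                True, True, 3, date(2012, 11, 1)),
]

if __name__ == "__main__":
    for p in rank_inventory(SAMPLE_INVENTORY):
        s = risk_score(p)
        flag = "OVERDUE" if is_overdue(p, AS_OF) else "ok"
        print(f"{s:2d} {risk_tier(s):6s} {p.domain:28s} findings={p.open_findings} {flag}")
    print(brand_health_index(SAMPLE_INVENTORY, AS_OF))
```

The health index deliberately weights each property by its risk score, so one overdue high-risk e-commerce site drags a brand down far more than a stale brochure site; that is what lets the dashboard line up brand health against brand revenue as the slide proposes.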
PROTECTING BRANDS IN CYBERSPACE
Governance model
- 3rd party service providers supporting the infrastructure.
- Agencies and marketing services follow policies.
- Maintain the global digital inventory centrally.
- Establish a framework based on global privacy regulations.
- Establish a centralized program to achieve standardization.
Program maturity
- Establish the maturity model to effectively manage budget and compliance.
- Reflect the cost savings and opportunity to stakeholders.
Maturity chart (security & privacy controls maturity, Year 1 through Year 5): controls shown accumulating across the years include Firewall, Anti Virus, Access Controls, Threat & Vulnerabilities, Data Protection, Encryption, Authentication, Authorization and Governance.
High Risk Areas: 3rd Party Risk, Privacy, Mergers, Acquisitions & Divestitures

Case Study
Company Profile:
- Industry: CPG organization with a focus on Marketing and Supply Chain
- Revenue: 20 billion USD
Information profile:
- 10+ brands with over 500 million USD in revenue
- 90+ brands with over 100 million USD in revenue
- 10+ million consumer records
- 5000+ third party service providers, business partners & agencies
Case Study
Privacy & Security Posture:
- More than 7000 domains
- Over 750 websites, mobile sites and social media properties
Privacy & Security Risks:
- Domain registrations & inventory management
- Risk-ranked inventory based on privacy regulations and technology platforms
- Consistent privacy policy, statements and notices
- Governance model over third party service providers
- Corporate policy on website development
- Established security baseline
Case Study Source: https://www.trustwave.com/global-security-report
Take Away
- Identify the revenue generating brands: read the organization's Annual Report.
- Identify stakeholders: CMO, CFO, CCO, CIO.
- Understand the technology strategy: align with the CIO and CTO.
- Develop a risk based strategy: protect high risk first.
- Set up the expectations: say when a breach will happen, not if a breach happens.
- Finally, keep it simple.
QUESTIONS