The Evolving Threat to Corporate Cyber & Data Security

Similar documents
Incident Response and Cybersecurity: A View from the Boardroom

Managing Cybersecurity Risk

Advising the C-Suite and Boards of Directors on Cybersecurity. February 11, 2015

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Cyber Risks in the Boardroom Conference

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

4/5/2017. April 5, 2017 CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

2017 RIMS CYBER SURVEY

Cybersecurity Auditing in an Unsecure World

Sage Data Security Services Directory

Bringing Cybersecurity to the Boardroom Bret Arsenault

DATA BREACH NUTS AND BOLTS

Effective Cyber Incident Response in Insurance Companies

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Cyber Risks, Coverage, and the Board of Directors.

CYBER RISK MANAGEMENT

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

How to Establish Security & Privacy Due Diligence in the Cloud

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Jeff Wilbur VP Marketing Iconix

CyberEdge. End-to-End Cyber Risk Management Solutions

2018 MIDWEST LEGAL CONFERENCE ON PRIVACY AND DATA SECURITY Advising the Board of Directors on Privacy and Data Security Melissa Krasnow, Partner, VLP

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

Cybersecurity and the Board of Directors

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

The Impact of Cybersecurity, Data Privacy and Social Media

Cybersecurity and Nonprofit

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Mastering Data Privacy, Social Media, & Cyber Law

Cyber Attack: Is Your Business at Risk?

TECHLAW AUSTRALIA. Update on cyber security and data protection. Thursday, 22 June Thursday, 22 June

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

NERC Staff Organization Chart Budget 2018

NYDFS Cybersecurity Regulations

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

NERC Staff Organization Chart Budget 2019

Cybersecurity in Higher Ed

CYBER INSURANCE: MANAGING THE RISK

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

NERC Staff Organization Chart Budget 2019

Hacking and Cyber Espionage

Anatomy of a Data Breach: A Practical Guide for Small Law Departments

Data Privacy & Protection

DeMystifying Data Breaches and Information Security Compliance

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Rethinking Information Security Risk Management CRM002

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

NERC Staff Organization Chart Budget

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

BHConsulting. Your trusted cybersecurity partner

Putting It All Together:

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

Leveraging Best Practices to Determine your Cyber Insurance Needs. Sector Conference, Toronto November 2017

The Role of the Data Protection Officer

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Cybersecurity The Evolving Landscape

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

How will cyber risk management affect tomorrow's business?

Cybersecurity: No Longer Just IT s Problem'

NERC Staff Organization Chart

SEC Issues Updated Guidance on Cybersecurity Disclosure

Cybersecurity Risk Oversight: the NIST Framework and EU approaches

Cybersecurity and Data Protection Developments

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Subject: University Information Technology Resource Security Policy: OUTDATED

Cybersecurity and Data Breach Issues AN OVERVIEW

Legal Issues Surrounding the Internet of Things and Other Emerging Technology

A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Data Breach Preparation and Response. April 21, 2017

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

Agenda. Security essentials. Year in review. College/university challenges. Recommendations. Agenda RSM US LLP. All Rights Reserved.

Changing the Game: An HPR Approach to Cyber CRM007

01.0 Policy Responsibilities and Oversight

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

NERC Staff Organization Chart Budget 2017

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Security and Privacy Governance Program Guidelines

SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

Credit Card Data Compromise: Incident Response Plan

Moving from Prevention to Detection March 2017

Global Statement of Business Continuity

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

NERC Staff Organization Chart Budget 2017

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties

DUNS CAGE 5T5C3

Transcription:

The Evolving Threat to Corporate Cyber & Data Security Presented by: Sara English, CIPP/US Sara.English@KutakRock.com 1 http://blogs.wsj.com/law/2015/12/09/employee error leading cause of data breaches new survey says/ http://www.acc.com/legalresources/resource.cfm?show=1416928 1

Data Breaches by Industry 2015 ACC Foundation: State of Cybersecurity Survey Key Findings In-House Counsel: Fighting the Good Fight Legal counsel Problem solvers Risk managers Relationship builders Budget minders Defenders of the universe 2

Boards that choose to ignore or minimize the importance of cybersecurity responsibility do so at their own peril. Luis Aguilar, SEC Commissioner (June 10, 2014) How Much Do I Need to Know? 1. Do I understand the nature of cyber threats as it applies to our company? 2. Do the board processes and structure support high quality dialogue on cyber issues? 3. What is our company doing to stay current as the cyber threat landscape evolves? 3

RISK = Threat X Vulnerability 4

What Is Your Security Framework? Cybersecurity Framework (NIST) HIPAA/HITECH PCI DSS ISO 27001 Etc.... What Do Regulators Request To See? Policies and procedures governing privacy and security. These must be consistent with laws if your organization is regulated Risk assessments conducted by the company over a several year period Risk mitigation plans and responses developed as a result of the risk assessments 5

What Do Regulators Request To See? cont d Evidence of: education and awareness training, including attendance logs vendor or business associate agreements in place regardless of whether third party caused breach disaster recovery and business continuity plans past security incident records Incident response plans and testing Fiduciary Duties of Directors Wyndham Palkon v. Holmes, No. 2:14 cv 01234 (D. N.J.) alleges board breach fiduciary duties by failing to ensure that the company and its subsidiaries implemented adequate information security policies, arguing the company failed to take reasonable steps to maintain their customers personal and financial information in a secure manner (case dismissed) Kulla v. Steinhafel, (Target Corporation), No. 2014 cv 00203 (D. Minn.) alleges board breached fiduciary duties by failing to maintain proper internal controls related to data security and misleading affected consumers about the scope of the breach after it occurred (case pending) Home Depot, No. 1:15 cv 02999 TWT (N.D. Ga.) directors were complacent leaving in place vulnerabilities that not only allowed hackers to enter the system undetected but permitted them to continue siphoning customer cardholder and personal data for almost five months without detection (case pending) 6

Case Study: Palkon v. Holmes Wyndham s board of directors discussed cyber attacks at 14 meetings during the relevant time frame Company s general counsel gave a presentation regarding the data breaches or data security at each meeting Audit committee discussed these issues during at least 16 meetings over the same time period Company had retained third party technology firms to investigate each breach and recommend enhancements to Wyndham s systems; the court reasoned that the board had conducted a reasonable investigation Board s quick response to the demand was not unreasonable, given that the FTC investigation filed a year earlier had enhanced the board s understanding of the issues raised in the demand Pragmatic Advice Conduct cybersecurity risk assessments across the entire organization at least annually 7

Get an Enterprise-Wide Perspective Subject Matter Experts Department Managers Department Employees Pragmatic Advice Identify and map out where information exists and get rid of what you don t need 8

Where Is Our Information? 1010100011 1001010011 0 1 1 0 1 0 0 1 0 0 1 0 1 1 0 1 0 0 1 1 0 1 0 0 1 1 0 1 1 0 0 0 1 0 0 1 Pragmatic Advice Assess your third-party vendors at least annually 9

Assess Your Vendors Practices Vendors Vendor Experts Legal Privacy Compliance YOUR COMPANY Risk 10

Best Practices Board Involvement Adequate time during board meetings to review and discuss cyber security issues; Quarterly, at minimum Full board engagement or dedicated committee At least one board member has specialized IT and/or cyber security knowledge Board understands how security resources are managed and monitored Assure there is direct reporting to C Suite on key security risks Assure appropriate insurance that has been reviewed by risk management and annually thereafter The Evolving Threat to Corporate Cyber & Data Security Presented by: Sara English, CIPP/US Sara.English@KutakRock.com 22 11

Cyber Insurance Tip Sheet Don t be fooled - insurance underwriting is not lagging behind the cybersecurity race. When in doubt Read The Policy Cyber insurance policies have key distinctions: Determine whether your organization needs first- and/or thirdparty insurance Review liability limits closely Beware of exclusions Does your coverage include acts by third parties? Cyber insurance policies often have built-in support for risk management and data breach. Your insurer is usually an excellent resource in finding forensics teams, public relations, call centers, notifications, ID theft protection, and legal counsel. Beware of cybersecurity exclusions and other loopholes. Note, for example, Columbia Casualty v. Cottage Health System, 2:15-cv- 03432-DDP-AGR (M.D. Cal.). Insurer seeking declaration that Insurer not obligated to pay Cottage s settlement of a class action due to Cottage's failure to follow the minimum required cybersecurity practices that Cottage represented in its application for insurance. Cyber insurance policies coverages include: Litigation Regulatory Notification Crisis management Theft of policy holder data Forensic investigation costs Business interruption Extortion Credit monitoring Computer data loss and Media liability Privacy liability restoration A CGL policy is usually insufficient

Bibilography The State of Cybersecurity Report: An In-House Perspective. ACC Foundation. December 9, 2015. Available for purchase at http://www.acc.com/legalresources/resource.cfm?show=141692 3. Key Findings may be downloaded for free. Director s Handbook Series: Cyber Risk Oversight. National Association of Corporate Directors. 2014. Available* at https://www.nacdonline.org/resources/article.cfm?itemnumber= 10688. Cybersecurity: What the Board of Directors Needs to Ask. The Institute of Internal Auditors Research Foundation (IIARF). 2014. This publication was co-sponsored by Institute of Internal Auditors (IIA) and ISACA. Available* at http://www.isaca.org/knowledgecenter/research/researchdeliverables/pages/cybersecurity-whatthe-board-of-directors-needs-to-ask.aspx. 2015 Cost of Data Breach Study: United States. Ponemon Institute, May 2015. Available* at http://www-03.ibm.com/security/databreach/. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0. National Institute of Standards and Technology (NIST). February 12, 2014. Referred to as the Cybersecurity Framework. Available at http://www.nist.gov/cyberframework/. The Cybersecurity Framework was released in response to President Obama s Executive Order 13636, titled Improving Critical Infrastructure Cybersecurity, which required NIST to develop a new voluntary framework of standards and best practices for cybersecurity. * These resources are available free of charge, but registration is required prior to download.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback