Cybersecurity and Nonprofit


Slide 2: Agenda

- Cybersecurity and Non Profits
- Scenario #1
- Scenario #2
- What Makes a Difference
- Cyber Insurance and How it Helps
- Question and Answer

Slide 3: Cybersecurity and Nonprofit - Terminology

- Cyber: Having to do with a computer or computing system
- IoT (Internet of Things): Any device that can be addressed (connected) to the internet
- Threat: Any circumstance or event with the potential to cause harm to an information system
- Threat Actor: Bad guy
- Threat Vector: Modus Operandi
- Vulnerability: Any condition that creates susceptibility of the information system to a threat
- Exploit: The successful execution of a threat via a present vulnerability
- Risk: A relative measure based on the likelihood of an exploit (combination of threat and vulnerability) and the resulting impact of the adverse event on the organization

Slide 4: Cybersecurity and Nonprofit - Cyber by the numbers

- 4.16 billion = Internet users globally, with over 345 million in North America (1)
- 10,323,848,439 = Since 2005, the number of breached records REPORTED in the USA (2)
  o 11,176,988 total in 2016 (2)
  o 1,931,816,163 total in 2017 (2)
  o 263,851,278 total in 2018 (2) (as of April 27, 2018)
- 8,042 = Since 2005, the number of data breaches REPORTED in the USA (2)
  o 812 data breaches in 2016 (2)
  o 587 data breaches in 2017 (2)
  o 201 data breaches in 2018 (as of April 27, 2018)

Sources:
1. www.internetworldstats.com/stats.htm (estimated Internet users: 4,156,932,140 as of December 31, 2017)
2. www.privacyrights.org/data-breaches

Slide 5: Cybersecurity and Nonprofit - Cyber by the numbers

Year    Records           Breaches
2005    55,101,241        136
2006    68,580,749        482
2007    140,683,184       453
2008    130,782,100       355
2009    251,576,624       271
2010    140,920,913       802
2011    447,910,188       789
2012    298,559,924       882
2013    155,398,160       852
2014    1,308,560,110     878
2015    510,284,542       542
2016    4,619,627,058     812
2017    1,931,816,163     587
2018    263,851,278       201
Total   10,323,652,234    8,042

Based on data sourced from www.privacyrights.org/data-breaches

WannaCry:
- Over 200,000 victims, 3,000 in the US
- Over 350,000 computers infected
- Numbers reflect only the original attack from May 12-15, 2017

These are only the KNOWN (reported) numbers. Post-incident forensics may cause record counts to change or be updated.

Slide 6: Cybersecurity and Nonprofit - Cyber by the numbers

All Years (2005 to present) by Industry

Type   Industry              Records           Breaches
BSR    Retail/Merchant       698,539,430       608
BSF    Financial/Insurance   633,365,763       743
GOV    Gov't/Military        227,407,542       773
MED    Healthcare            228,512,903       3,957
BSO    Business-Other        8,505,749,212     1,030
EDU    Educational           25,143,120        815
NGO    Nonprofit             4,934,264         116
       Total                 10,323,652,234    8,042

Based on data sourced from www.privacyrights.org/data-breaches

Slide 7: Cybersecurity and Nonprofit - Implications for Nonprofit

But we only know the numbers (breaches, records, incidents, etc.) that are reported.

There are legal obligations to report compromised:
  o Personally Identifiable Information (PII)
  o Protected Health Information (PHI)
  o Payment Card Information (PCI)

What other data might be at risk?
- Business and financial documents
- Legal documents
- Internal communications
- Network infrastructure
- Sensitive information and personal life details

Slide 8: Cybersecurity and Nonprofit - Complicating the problem

- Thinking "I don't have credit card information, I'm not a target"
- Cybersecurity can be an afterthought or not even considered
- Small, overworked teams
- IT staff not trained in information security
- Stagnant controls for the organization
- Lack of awareness of where technology is used and the data being held
- Lack of preparedness when an incident occurs
- Limited funds and resources for investing in technology, let alone security

Slide 9: Cybersecurity and Nonprofit - What is changing?

Emerging threats:
- Business interruption
  o DDoS (Distributed Denial of Service)
- Ransomware
- Supply chain interruption
- Espionage (state sponsored and corporate)
- Destructive malware
- Old threats still exist

Regulatory landscape changing:
- EU's GDPR (General Data Protection Regulation)
- US laws updating and changing
- Other countries are developing and/or adopting privacy and cyber regulations

Slide 10: Cybersecurity and Nonprofit - GDPR

EU's GDPR (General Data Protection Regulation)

Individual Rights:
- Right to access
- Right to erasure (aka Right to forget)
- Data portability
- Consent

Other Key Components:
- Sanctions
- Data protection by design and by default
- Records of processing activities

Slide 11: Potential Cyber Threats - What are the primary threats?

At the center:
- Stationary device theft
- Hacking

Portable/mobile workers:
- Physical theft/loss
- Hacking
- Unintended disclosure

People:
- Stolen credentials
- Social engineering
  o Phishing, etc.

Slide 12: Potential Cyber Threats - What are the primary threats?

IoT and advances in technologies are increasing exposure:
- Process Interruption/Disruption
- Property Damage
- Bodily Injury
- Hacking
  o Often a back door
  o Many organizations are unaware of just what is connected

Slide 13: Who is Exploiting these Threats - Who are the bad actors?

The Face of a Hacker (example):
- Targeted vs. crime of opportunity
- Very organized business

General Categories:
- Criminals
  o Organized crime
  o Thieves
- Insiders
- Competitors
- Hacktivists
- Nation states
  o Espionage
  o Sabotage

Slide 14: Insurance and How it Helps - Why do I need insurance, I'm a Nonprofit?

According to the Kroll Global Fraud Risk Report 2017 (Construction, Engineering and Infrastructure):
- 67% of respondents affected by a security incident in the past year
- 83% of respondents affected by internet fraud in the past year
- 93% of respondents affected by cyber incidents in the past year
- The construction sector posted the greatest year-over-year increase in internet fraud incidents

Source: Kroll Global Fraud Risk Report 2017

Slide 15: Insurance and How it Helps - How does insurance work into the cyber threat?

It is not possible to be 100% secure from a cyber-attack; however, there are a number of measures companies can take to reduce their risk and minimize consequences and recovery time.

Protection:
- Pre-Breach Protection
  o Traditional IT Security
  o NIST Framework: Identify, Protect and Detect
- Post-Breach Protection
  o NIST Framework: Respond and Recover
  o Insurance

Slide 16: Insurance and How it Helps - I've had a breach, what is this going to cost me?

- Legal Liability
  o Class action litigation
  o Suits from customers and vendors
- Regulatory Fines and Penalties
  o HIPAA, FTC, GLBA
- Forensics
  o Type of data taken, how much, which databases/applications were compromised
- Notification Costs
  o Printing, postage or other communications to customers
  o Credit monitoring services
  o Call center services
- Crisis Management Costs
  o Legal, public relations or other service fees
  o Advertising or related communications to restore reputation
- Business Interruption Losses
  o Loss of income
  o Costs to recreate lost or stolen data
  o Extra expenses
- Reputational Damage
  o Loss of customers
  o Decreased shareholder value

Source: Ponemon Institute 2017 Cost of Data Breach Study
- $3.62 million is the worldwide average total cost of a data breach
- $141 is the average cost per lost or stolen record
- 27.7% is the likelihood of a recurring material data breach over the next two years

Slide 17: Insurance and How it Helps - What insurance products are available from Zurich?

Zurich Basic Security & Privacy Policy:
- Liability
- Regulatory Proceedings
- Privacy Breach Costs

Zurich Broad Security & Privacy Policy:
- Liability / Regulatory Proceedings
- Internet Media
- Privacy Breach Costs
- Business Income Loss
- Dependent Business Income Loss
- Digital Asset Replacement Expense
- Cyber Extortion Threat and Reward Payments

Zurich Umbrella Part D: Cyber for Construction:
- Liability
- Regulatory Proceedings
- Privacy Breach Costs
- Attaches to umbrella but is primary cyber coverage

Slide 18: Insurance and How it Helps - How does insurance work?

- You purchase Cyber Insurance
- Zurich claims team works with you to ensure the best optimization of your insurance policy
- Post-bind access to Risk Engineering and other services
- Zurich Claims Team can assist response if needed
- You suffer a Privacy or Security Event
- You access your breach coach and respond to the event (depends on type of event)

Slide 19: Insurance and How it Helps - Steps to a healthy cyber security and insurance program

- Understand the specific threats to your company, both immediate and long term: reputation, data held, supply chain, business interruption
- Evaluate current and future needs (including technology, training and insurance)
- Ensure all employees and management have an understanding of the cyber risk and threats your company faces
- Promote a cyber-risk management culture and thoughtfulness
- Seek expert help to ensure your priorities are recognized

(Diagram: Culture / Understand Threats / Insurance)

Slide 20: Scenario #1

- Ransomware attack in 2018
- Shut down 2,000 computers
- Cleanup bill is currently up to $1.5 million, and they have only recovered 80% to where they were pre-attack (as of 60 days post attack)
- This is for clean up and recovery ONLY. No legal fees or fines included

Slide 21: Scenario #2

- In 2016, a virus was found in an organization's system
- The virus was originally released back in 2011
- Not destructive inherently; it blocked certain security websites and exfiltrated data (in general, not targeting any particular type)
- Cost: $2,500,000

Slide 22: Key Takeaways

- Accept that you have something that is valued by others and that you are a target, regardless of your size
- Promote a cyber-risk management culture and thoughtfulness
- Know what you are protecting
- Keep up with patching
- Encrypt whenever possible
- Control access, especially privileged access
- Expect and prepare for a cyber event
- Understand your insurance coverage

IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER

Slide 23: Thank You!

The information in this publication was compiled by The Zurich Services Corporation from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies.

We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product, nor will adopting these policies and procedures ensure coverage under any insurance policy.

Risk Engineering services are provided by The Zurich Services Corporation. 2017 The Zurich Services Corporation. All Rights Reserved.