Cyber Risks in the Boardroom Conference


Managing Business, Legal and Reputational Risks: Perspectives for Directors and Executive Officers
Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing Threat Environment
June 12, 2015

Table of Contents
- Overview
- Governance
- Assessing Your Company's Vulnerabilities and Risks
- Mitigating Cybersecurity Risk
- Response to Breach

Overview

Overview
A recent survey of more than 9,700 executives found that:
- 42.8 million cybersecurity incidents were detected by the respondents during 2014, an increase of more than 48% over 2013
- Globally, the average financial loss attributed to cybersecurity incidents during 2014 was $2.7 million, a 34% increase over 2013
- Reports of financial losses of $20 million or more from a single cybersecurity incident increased by 92% over 2013
Source: PricewaterhouseCoopers LLP, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015

Overview (continued)
- Employees, through negligence, inadvertence and malice, are the top cause of data breaches in the U.S. The most costly breaches, however, are malicious in nature
- Being prepared to handle a data breach properly may significantly reduce the costs of an incident
- Expectations of shareholders, customers, regulators and law enforcement are evolving. Data breaches are becoming less surprising, but companies will be held to a higher standard of preparedness and responsiveness
Source: PricewaterhouseCoopers LLP, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015

Governance

Governance
- Cybersecurity is not solely the responsibility of the technologists; preparation and response require coordination across the organization
- Senior management and the board should understand the risks and be briefed regularly on cybersecurity measures
- Specific members of senior management should be assigned primary responsibility for monitoring cybersecurity risks and for working with other company stakeholders to manage the interaction between cybersecurity controls and operational needs

Governance (continued)
- Depending on your company's internal capabilities, consider retaining external advisers, including technical and legal advisers, to assist with its security assessment and preparedness and/or to test the company's security preparations
- The board should exercise oversight of cybersecurity preparedness, including through appropriate committee review
- The board may consider it appropriate to meet with external advisers in the course of its oversight

Assessing Your Company's Vulnerabilities and Risks

Assessing Your Company's Vulnerabilities and Risks: Assessment Framework
How should your company assess risk?
- Periodic self-assessment by an identified group of employees, overseen by an identified supervisor or committee of supervisors
- Client reviews and audits
- Governmental or regulatory reviews and audits
- Joining a relevant information sharing and analysis center (ISAC) to share threat intelligence with other companies in your industry
- Use of external advisers
- Penetration and vulnerability testing

Assessing Your Company's Vulnerabilities and Risks: Information to Protect
Identify the kinds of sensitive information that your company holds:
- Personal data of clients and employees (such as credit card data or financial or health-related information)
- Trade secrets
- Other commercially valuable or proprietary information
- Market-sensitive information, such as information on company results and/or potential transactions
- Other client information

Assessing Your Company's Vulnerabilities and Risks: Systems
Assess the risks posed by your company's IT profile:
- Cloud storage
- Mobile devices
- Distributed systems
- Third-party interconnection
- Physical security

Assessing Your Company's Vulnerabilities and Risks: Systems (continued)
Consider the nature of the threats to which your company is exposed:
- Theft of your company's information
- Theft of others' information
- Malicious behavior and interference with business (e.g., ransomware, denial-of-service attacks)
- Harassment, hacktivism and public exposure

Assessing Your Company's Vulnerabilities and Risks: Threat Environment
- Employees, whether through malice, negligence or inadvertence
- Vendors and others with system access
- Hackers and other cyber-intruders: lone wolves, ideological groups, organized crime networks, state-supported groups
- Physical intruders

Assessing Your Company's Vulnerabilities and Risks: Protection Obligations
Identify the obligations to which your company is subject regarding how information is to be protected:
- Legal and regulatory (federal, state, international)
- Contractual
- Professional (e.g., lawyers' ethical duties)

Mitigating Cybersecurity Risk

Mitigating Cybersecurity Risk: Security Policy
- Your company should have a comprehensive security policy designed to address the threats it faces
- The policy must comply with all applicable legal, contractual and professional requirements
- The policy should be designed to meet one or more applicable standards; these may include the NIST Cybersecurity Framework, ISO/IEC 27001, PCI DSS, COBIT, and the SANS Institute (now CIS) Critical Security Controls
- The policy should have both proactive and reactive components: reducing the likelihood of a breach, pre-breach measures to mitigate the effects of a breach, and a breach response plan

Mitigating Cybersecurity Risk: Employees
Your company should establish measures to manage and mitigate the risks employees create:
- Screening and background checks at hiring
- Continued monitoring during employment
- Requirements that employees review the company's security policy and confirm that they understand and will comply with it
- Ongoing training in security awareness and risk mitigation

Mitigating Cybersecurity Risk: Technical Controls
Your company should implement up-to-date technical controls to address cybersecurity risks:
- Consistent with industry best practices and otherwise appropriate to the specific threats the company faces
- Detect attempts to break into the company's systems, and attempts by users to access information they are not authorized to see
- Detect unauthorized communications into and out of the company's network
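The slide names two detection goals without saying what meeting them looks like in practice. The following is an added example, not material from the conference deck: one routine flags a source address that produces a burst of failed logins (an intrusion attempt), and one flags outbound connections to destinations the company has not approved (unauthorized communications out of the network). The log formats, the sample log lines, the thresholds and the egress allow-list are all constructed for illustration; a real deployment would feed these from the firewall, VPN or SIEM the company already runs.

```python
"""Added example: two small detection checks for the control goals on the
slide. Log formats, sample lines, thresholds and the allow-list are assumptions
made for this example, not data from the conference or any real system."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style authentication log (not real data). 203.0.113.7
# hammers the host with five failures in eight seconds; 198.51.100.20 is a
# legitimate user who mistypes a password twice, 25 minutes apart.
AUTH_LOG = """\
2015-06-12T09:00:01 sshd[201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2015-06-12T09:00:03 sshd[201]: Failed password for root from 203.0.113.7 port 51002 ssh2
2015-06-12T09:00:04 sshd[201]: Failed password for root from 203.0.113.7 port 51003 ssh2
2015-06-12T09:00:06 sshd[201]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
2015-06-12T09:00:09 sshd[201]: Failed password for root from 203.0.113.7 port 51005 ssh2
2015-06-12T09:00:10 sshd[201]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
2015-06-12T09:15:30 sshd[201]: Failed password for alice from 198.51.100.20 port 40002 ssh2
2015-06-12T09:40:00 sshd[201]: Failed password for alice from 198.51.100.20 port 40003 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def find_bruteforce(log: str, threshold: int = 5, window_seconds: int = 60) -> dict[str, int]:
    """Return {source_ip: peak_failures} for each source that produced at least
    `threshold` failed logins inside any `window_seconds`-long period.
    A sliding window over each source's sorted failure timestamps keeps the
    check linear in the number of failures."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m or m["result"] != "Failed":
            continue
        failures[m["ip"]].append(datetime.fromisoformat(m["ts"]))

    flagged: dict[str, int] = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed outbound flow log: "timestamp src -> dst:port action" (not real data).
# 10.0.5.40 opens a connection to an unapproved host on port 4444.
FLOW_LOG = """\
2015-06-12T09:01:00 10.0.5.23 -> 192.0.2.10:443 allow
2015-06-12T09:01:05 10.0.5.23 -> 198.51.100.77:443 allow
2015-06-12T09:02:10 10.0.5.40 -> 203.0.113.99:4444 allow
2015-06-12T09:02:15 10.0.5.40 -> 192.0.2.10:443 allow
"""

# Hypothetical allow-list of (destination, port) pairs the company has approved.
EGRESS_ALLOW: set[tuple[str, int]] = {
    ("192.0.2.10", 443),
    ("198.51.100.77", 443),
}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)


def find_unauthorized_egress(log: str, allowlist: set[tuple[str, int]]) -> list[tuple[str, str, int]]:
    """Return (source, destination, port) for every outbound flow whose
    destination is not on the allow-list, regardless of the firewall action,
    so that traffic the firewall let through is still surfaced for review."""
    hits: list[tuple[str, str, int]] = []
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        if (dst, port) not in allowlist:
            hits.append((m["src"], dst, port))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", find_bruteforce(AUTH_LOG))
    print("unauthorized egress:", find_unauthorized_egress(FLOW_LOG, EGRESS_ALLOW))
```

Both checks are deliberately threshold-based and stateless so they can be read by a non-specialist; the point for the board is that "detect intrusion attempts" and "detect unauthorized communications" each reduce to a concrete rule over logs the company already collects, and that the thresholds and allow-list are policy decisions someone must own and keep current.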

Mitigating Cybersecurity Risk: Security Considerations
Evaluate security considerations relating to employees:
- Passwords
- Use of personal devices and other non-firm devices
- Use of public networks
- Ability to write to removable media
- Ability to download external programs onto the company's network or onto company devices
- Physical security of IT systems

Mitigating Cybersecurity Risk: Contractors and Vendors
Address the threats posed by contractors and vendors:
- They must understand your company's security requirements and agree to comply with them
- Your company should review their cybersecurity vulnerabilities and the potential impact of those vulnerabilities on your company
- Your company's contractual arrangements with contractors and vendors should provide for appropriate risk allocation and insurance, audit and review rights, and compliance with the requirements to which the company is subject

Mitigating Cybersecurity Risk: Insurance
Assess your company's position regarding cybersecurity insurance:
- Confirm that your policies cover losses from data breaches, as many general liability policies may not
- Consider specific cybersecurity coverage in addition to your general liability coverage
- Secure the correct amount of coverage

Response to Breach

Response to Breach: Response Team
- There should be a plan in place, known to all relevant personnel, for how to respond to a breach. It should be prepared in advance of a breach
- The plan should be reviewed and updated regularly to keep it current and to ensure that relevant personnel are familiar with it
- Identify the company personnel who will be on the team that handles the incident response. The team should include representatives from Technology, Legal, HR, Communications, Compliance, Customer Relations and Senior Management
- Specific responsibilities and leadership should be assigned in advance

Response to Breach: Response Team (continued)
- Understand which communications may be privileged, and therefore not subject to subsequent disclosure, and which will not be privileged
- Consider regularly holding breach-response exercises to test the plan and familiarize participants with its procedures, preferably both with and without prior notice

Response to Breach: Communications Strategy
- Your company's goal should be to control external messaging, not react to it
- It may be preferable to volunteer disclosure before it is legally required
- Monitor media, including blogs and social media, for what others may be saying
- Have a strategy for dealing with leaks, in case news of the breach becomes public before your company plans to make a statement

Response to Breach: Notice Obligations
Identify in advance all applicable notification requirements:
- State notification laws for personal data
- Specific federal notification requirements (e.g., HIPAA, GLBA)
- SEC and stock exchange requirements for public companies
- Legal obligations from jurisdictions outside the U.S.
- Contractual requirements
- Professional requirements, if applicable

Response to Breach: Notice Recipients
Determine in advance who must be notified in the event of particular types of breach, and who will be responsible for notifying them:
- Law enforcement and DHS
- Regulators
- Customers and clients
- Contractual counterparties, vendors, contractors and other partners
- Public filings

Response to Breach: Outside Support
Identify in advance the outside advisers who will assist with breach response and integrate them into response planning:
- Technical advisers, including forensic consultants
- Legal advisers
- Public relations
- Government relations
- Credit monitoring services, if applicable
Identify in advance any limits on your ability to provide information to authorities (e.g., privacy laws, contractual restrictions) and consider methods for addressing those limitations