Managing Cybersecurity Risk

Similar documents
Cyber Risks in the Boardroom Conference

The Evolving Threat to Corporate Cyber & Data Security

Data Breach Preparation and Response. April 21, 2017

Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center

Cybersecurity in Higher Ed

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

Cyber Insurance: What is your bank doing to manage risk? presented by

The Impact of Cybersecurity, Data Privacy and Social Media

Data Privacy & Protection

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Bringing Cybersecurity to the Boardroom Bret Arsenault

Mastering Data Privacy, Social Media, & Cyber Law

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Accountability for Corporate Cybersecurity

GLBA, information security and incident response a compliance perspective

SECURITY & PRIVACY DOCUMENTATION

Incident Response and Cybersecurity: A View from the Boardroom

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Effective Cyber Incident Response in Insurance Companies

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

Cybersecurity The Evolving Landscape

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly

Cybersecurity It Matters to SMB

Security Breach Notification Reflections on the U.S. Experience

Healthcare HIPAA and Cybersecurity Update

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Rethinking Information Security Risk Management CRM002

Hacking and Cyber Espionage

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

University of Pittsburgh Security Assessment Questionnaire (v1.7)

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Building a Privacy Management Program

CipherCloud CASB+ Connector for ServiceNow

Understanding the Impact of Data Privacy January 2012

Information Security Policy

Employee Security Awareness Training Program

Jeff Wilbur VP Marketing Iconix

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

HIPAA Privacy, Security and Breach Notification

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

01.0 Policy Responsibilities and Oversight

Data Privacy Breach Policy and Procedure

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Putting It All Together:

Breaches and Remediation

Advising the C-Suite and Boards of Directors on Cybersecurity. February 11, 2015

Security and Privacy Governance Program Guidelines

A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016

CYBER RISK MANAGEMENT

This Webcast Will Begin Shortly

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

Red Flags/Identity Theft Prevention Policy: Purpose

Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m.

Achieving PCI-DSS Compliance with ZirMed financial services Darren J. Hobbs, CPA and James S. Lacy, JD

Breach Notification Assessment Tool

What is Penetration Testing?

2017 Annual Meeting of Members and Board of Directors Meeting

Security Audit What Why

Sage Data Security Services Directory

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

EU General Data Protection Regulation (GDPR) Achieving compliance

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

SOLUTIONS BRIEFS. ADMINISTRATION (Solutions Brief) KEY SERVICES:

2017 RIMS CYBER SURVEY

Top Five Privacy and Data Security Issues for Nonprofit Organizations

The Data Breach: How to Stay Defensible Before, During & After the Incident

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

UTAH VALLEY UNIVERSITY Policies and Procedures

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

LCU Privacy Breach Response Plan

NERC Staff Organization Chart Budget

GRC SURVEY RESULT Please indicate your profession

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

BHConsulting. Your trusted cybersecurity partner

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Higher Education Privacy Update

InfoSec Risks from the Front Lines

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

Upcoming PIPEDA Changes What is changing and what to do about it

Financial Regulations, Enforcement & Cybersecurity

Why you should adopt the NIST Cybersecurity Framework

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Keeping It Under Wraps: Personally Identifiable Information (PII)

How to Prepare a Response to Cyber Attack for a Multinational Company.

INFORMATION SECURITY POLICY

Transcription:

Managing Cybersecurity Risk Maureen Brundage Andy Roth August 9, 2016 Managing Cybersecurity Risk Cybersecurity: The Current Legal and Regulatory Environment Cybersecurity Governance: Considerations for Management Assessing cybersecurity risk Implementing sustainable governance to manage risk 1

Cybersecurity: The Current Legal and Regulatory Environment Breaches are an Emerging and Increasing Risk Ponemon Institute, Cost of Data Breach Study (June 2016) $4M average cost of data breach $158 average cost per record 2

Data Breach Patterns and Trends (from California Data Breach Report, 2016) Most common causes of recent breaches: Cyberattacks (hackers/malware) Theft or loss of unencrypted data on electronic devices Errors by insiders Failure to shred documents/wipe devices Giving unauthorized employees access to data Data Breach Patterns and Trends (from California Data Breach Report, 2016) Most likely data types: Social Security Numbers (just under half of all breaches) Medical information (19 percent) 3

Potential Consequences of a Breach Data breach investigation and incident response costs Reputational harm Financial harm Investigations by regulators (SEC, FTC, state AGs offices) Consumer class action lawsuits Shareholder lawsuits Cybersecurity: The FTC View The touchstone of the Commission s approach to data security is reasonableness: a company s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. FTC, Commission Statement Marking the FTC s 50th Data Security Settlement January 31, 2014 4

Cybersecurity: The FTC View In June 2015, the FTC released Start with Security: 10 lessons about data security derived from 50+ enforcement actions. Start with security. Secure remote access to your network. Control access to data sensibly. Require secure passwords and authentication. Store sensitive personal data securely and protect it during transmission. Segment your network and monitor who is trying to get in and out. Apply sound security practices when developing new products. Make sure your service providers implement reasonable security measures. Put procedures in place to keep security current and address vulnerabilities that may arise. Secure paper, physical media, and devices. Cybersecurity: The SEC View Cybersecurity Guidance, April 2015 Consider periodic data security assessments Create strategy to address cybersecurity threats Implement strategy through written policies and employee trainings Consider educating customers about how to reduce cybersecurity threats to their user accounts SEC Commissioner Luis Aguilar: Given the significant cyberattacks that are occurring... ensuring the adequacy of a company s cybersecurity measures needs to be a critical part of a board of director s risk oversight responsibilities. 5

Cybersecurity: Assessing Risk and Implementing Effective Governance Fundamental Governance Issues Will cybersecurity risk be overseen directly by the Board or a Committee? How knowledgeable are Board members on cybersecurity matters? What should be reported, when, to whom and how? What are the expectations and budgetary constraints for spending on cybersecurity? 6

What Should Boards Consider? Do we have effective oversight of cybersecurity? Do we have internal and external teams to deal with a breach (communications, forensic, regulatory, legal)? What do our disclosures say? Do we have adequate cyberliability insurance? Are we frequently assessing cybersecurity issues? Assessing Cybersecurity Risk Technical controls (e.g., NIST Cybersecurity Framework, PCI DSS compliance) Data mapping Frequent monitoring through privacy and cybersecurity risk assessments 7

Key Data Security Practices Periodic cybersecurity risk assessments Design and implement written policies and procedures to safeguard data Monitor and secure network access Require secure passwords and multifactor authentication Use strong encryption Manage third parties handling of data, require strong security controls Train employees on data security issues Design incident response plan and test incident response plan via tabletop exercise Building Sustainable Cybersecurity Governance Information security policies Other internal policies and procedures Security awareness within company Accountability across the organization 8

Takeaways Breaches are a continuous and escalating issue There must be oversight from the Board and management in ensuring accountability across the organization Organizations must design and implement technical, administrative, and physical controls to effectively manage cybersecurity risk Thank You Maureen Brundage Andy Roth +1 212 479 6740 aroth@cooley.com 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback