THE CYBER SECURITY PLAYBOOK
WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK
CONTENTS

Introduction
Changing Roles, Changing Threat Landscape
Step 1: Preparing For A Breach
Step 2: Dealing With A Breach
Step 3: Regrouping After A Breach
Conclusion
A Checklist For Directors And Executives
INTRODUCTION

A rash of recent high-profile data breaches among well-known companies has drawn attention to the critical role that corporate directors play in cyber security. Boards are increasingly involved in assessing the risk, improving the security profile of the companies they advise, and managing the consequences of a breach. But as directors are quickly learning, there's no one-size-fits-all playbook for dealing with serious data breaches. Every incident and every organization is unique.

Still, there are important steps boards can and should take to prepare for and respond effectively to cyber attacks. Consider this guide a starting point. It draws on our extensive experience helping companies prepare for and combat cyber attacks. And it provides some best practices to follow for directors and top executives thrust into the new and unfamiliar role of security leaders.

This guide is designed to help you forge an action plan to follow before, during, and after a breach. The goal: better protect your company's most valuable assets and minimize the damage to the company and its reputation when a breach occurs.

CHANGING ROLES, CHANGING THREAT LANDSCAPE
Expectations about the board's responsibilities for cyber security are changing as attacks become more prevalent and public disclosures become more common. Security breaches are no longer just possible. They are inevitable. That's because attackers' tactics change faster than security teams can adapt to them.

More than a third of auditors surveyed in a 2014 study said their boards were minimally involved in cyber security preparedness, and nearly 15% weren't sure about their board's involvement (see Figure 1). [1] But more than two-thirds agree that boards' perception of cyber risk has increased or was already at a high level (see Figure 2). [2]

Figure 1: How involved was the board during the last fiscal year regarding a specific action or request on cyber security preparedness?

Response              Percent   Count
Actively Involved     14.1%     267
Involved              34.9%     662
Minimally Involved    36.1%     686
Not answered          14.9%     283

Figure 2: How would you characterize the board's perception of cybersecurity risks over the last one to two years?

Response                   Percent   Count
Has been at a high level   8.5%
Increased significantly    18.7%
Increased                  40.8%
Decreased                            38
Decreased significantly    1.1%      20
No change                  28.9%
Not answered                         45

Source: The Institute of Internal Auditors Research Foundation

[1] The Institute of Internal Auditors Research Foundation. Cybersecurity: What the Board of Directors Needs to Ask.
[2] Ibid.
While attackers have to succeed only once, security teams must be right 100% of the time. That objective is unrealistic. But the board can help companies match their security posture to the risks they face.

"There's got to be a standard of care, and a board essentially wants to make sure that they're going to meet that standard of care," says FireEye President Kevin Mandia.

That standard of care varies by industry, be it health care, government, financial services, or utilities. Within those categories, different rules and standards apply. The federal Health Insurance Portability and Accountability Act (HIPAA) governs how healthcare firms handle patient data, for example. And the Payment Card Industry (PCI) standard applies to credit card issuers, banks and other such firms. These standards evolve as new threats and security technologies emerge.

A bigger financial impact

When security breaches happen, they have a larger financial impact on victims than they have had in the past. The average annual cost of cyber crime to a sample of global companies in 2014 was $6 million, according to a Ponemon Institute report. [3] That's a 9% jump from 2013. For the U.S. alone, the average annual cost hit $12.7 million in 2014. That's up 10% from 2013.

[3] Ponemon Institute Cost of Cyber Crime Study: United States.
The costs rose because the attacks grew more sophisticated and took longer to resolve, Ponemon found. In 2014, the average time it took to contain a cyber attack was 31 days at an average cost of $639,462. That was up 23% from the $509,665 to remediate an incident that lasted 27 days a year earlier. In other words, time is money.
Companies sought to increase security by acquiring the following technology, in order of most expensive to least:

- Security incident and event management (SIEM) systems
- Intrusion prevention systems (IPS)
- Application security testing
- Enterprise governance, risk management and compliance (GRC) tools

Breached companies risk financial and customer data along with damage to their network and other IT infrastructure. Also vulnerable are intellectual property, bid data, legal strategies, and information about potential mergers and acquisitions. Companies in certain sectors also face fines for not complying with security rules.

Calculating the direct cost of a breach is difficult enough, but a breach can also impose indirect costs. Those can include damaging companies' reputations and souring customer loyalty. If a major retail chain suffers a breach and customer credit card data is exposed, the business could lose money if customers no longer shop there. In another situation, a health insurer could suffer a customer backlash if a breach exposed personal medical information.

A higher standard of care

Directors also face increased liability for how they act or fail to act during a breach. Some recent high-profile breaches have prompted lawsuits against directors for fiduciary duty breaches and calls to remove them from boards.

The increased risk and impact of security breaches is prompting more boards to change their governance structure to improve accountability. While most boards already have an audit committee, usually made up of the best and most experienced directors, it may not be fully capable of addressing the specific risk of a cyber attack. Many companies create a privacy and security committee to go beyond the scope of a typical audit committee by including more tech-savvy members.
FIVE GUIDING PRINCIPLES

The National Association of Corporate Directors (NACD) recommends five guiding principles for what a board response plan should address.

1. Directors need to understand and approach cyber security as an enterprise-wide risk-management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
3. Boards should have adequate access to cyber security expertise, and discussions about cyber risk management should be given regular time on the board meeting agenda.
4. Directors should make sure that management establishes an enterprise-wide risk management framework with adequate staffing and budget.
5. The board and management should identify which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

Source: Cyber-Risk Oversight Executive Summary, Director's Handbook Series 2014 Edition
PREPARING FOR A BREACH
Preparing for a breach should be a part of the daily security routine of a company. The board must be sure that the company continually monitors its networks and systems for signs of a breach. The company should draw up a detailed incident response plan for the board to review, outlining who does what when an attack is detected. Among other things, the incident response plan should designate a person or persons in the company to serve as the liaison between the company and the board, the chief information security officer (CISO), for example. And the company should frequently test the plan and address any problems that arise.

The NIST Security Framework

Directors are elected to advise the company in all facets of business operation: financial, strategic, legal, regulatory, and more. They apply principles based on their wisdom, experience, and ethics. As boards contemplate their expanding role in cyber security, they should consider additional principles.

The NIST Cyber Security Framework, established in 2014 by the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce, is a useful guide. While most companies are not required to observe the NIST Cybersecurity Framework, industry leaders regard it as an important template for directors and executives to embrace.
FIVE KEY CAPABILITIES OF THE NIST FRAMEWORK

IDENTIFY: The company, with guidance from the board, should develop the understanding to manage the cyber security risk to systems, assets, data, and capabilities. This would address issues such as risk assessment, asset management, and governance.

PROTECT: Develop and implement the appropriate safeguards to ensure delivery of services. This would include measures such as access control, data security, training, processes, and procedures.

DETECT: Develop and implement the appropriate systems to identify the occurrence of a cyber security event as soon as possible, preferably before others see it. This kind of vigilance depends on continuous monitoring and detection processes.

RESPOND: Develop and carry out the appropriate actions to take once a cyber security event is underway. These include response planning, communications, analysis, mitigation, and other improvements.

RECOVER: Develop and carry out the appropriate activities to restore any capabilities or services that were impaired due to a cyber security event. The focus should be to maintain resilience for the network and protect it from further attacks.
Creating a privacy and security committee

To help protect against cyber security risks, consider creating a privacy and security committee. Give it responsibility for protecting the privacy of corporate and customer data on the network and securing it from intruders.

Creating a committee dedicated to privacy and security demonstrates to the outside world that you take cyber security seriously. It creates accountability. And in the event of a security incident, it shows you are paying attention to it.

But a privacy and security committee may not be the right answer for all companies. Many firms already have an IT or IT governance committee. In those cases, cyber security may be handled by that body rather than going through the time and expense of forming yet another committee.

Regardless of the committee structure, the chief point of interaction between the board and the company when it comes to security (but by no means the only one) should be the CISO. The board is responsible for defining the company's risk posture. The CISO should tell the board what he or she is doing to maintain this risk posture. The board may also want to engage a third party from time to time to look for hidden vulnerabilities or even active compromises lurking in the company's environment. These outside assessments can serve as an extra check on the CISO's work. If your company doesn't have a CISO, the CIO would be the next most logical position to handle these duties.

Making the right investments

In another example of increased corporate attention to cyber threats, more and more public companies in the U.S. are identifying cyber threats as a risk factor in their 10-K filings with the SEC. The SEC also requires that boards disclose material cyber security risks in their 10-Ks while leaving it up to the board how to define which risks are material.

The committee tasked with cyber security should make sure the company is spending the right amount of money on security technology, including solutions built for advanced threats. But even the strongest security won't prevent all breaches. That's why your company may also want to consider cyber insurance.

Directors and officers (D&O) insurance protects directors and officers from personal liability for their corporate actions. But today, that insurance also needs to protect them from additional liability associated with a cyber attack. Companies should carefully examine D&O policy language for exclusions for cyber attacks. And they should understand that D&O coverage doesn't protect the company itself from breach liability. That means the company must decide what additional insurance it needs for cyber losses and what losses it can absorb on its own.
DEALING WITH A BREACH
Attackers routinely compromise companies despite their sustained and responsible investments in security. When hit, companies need to have a plan in place to guide their response. Each incident is unique.

The board plays a crucial role in overseeing a company's response to a security incident, especially the communication strategy. The board can sometimes act as a conduit for information between different groups within the company and external stakeholders, including customers, partners, and regulators.

In 69% of the incidents we responded to last year, the targeted company learned about the breach from a third party, such as law enforcement or a partner. The reality is that keeping knowledge of the breach inside your company is seldom possible these days. Boards need a communication strategy in place before they face an incident.

Dealing with disclosure

In the wake of a breach, companies have to determine whether they are subject to laws requiring them to disclose the incident. Many U.S. states and several foreign countries have laws that require breach disclosure, depending on the industry and the type of data compromised.

Most companies will consult their board before disclosing the incident. The key for the company is not to assume facts it cannot verify. Disclose only what you know. In some cases, companies have been too quick to disclose information, in the interest of openness, only to have those facts contradicted when more information came out later.

While the media and customers often want answers immediately, a full investigation may take weeks or months. Some facts can often be disclosed safely early on in an investigation. Other facts take more time to confirm. The most basic facts that victims typically disclose are things such as the earliest signs of compromise or when an attacker first gained access to your environment. As you uncover the scope and length of a compromise, you can begin to provide other details, such as the number of customers affected or potential data lost. These details should emerge from the solid facts your investigators uncover.

Every situation is unique

Once legal notification obligations are met, your approach to disclosure can also depend on who you are. For high-profile companies with a sizable social media presence (think Facebook or Google), the urgency of acknowledging a breach may be greater than for an auto parts supplier that may be able to take more time to disclose the incident.

Work closely with your legal counsel to make sure your disclosures comply with applicable law. And work with your public relations team to communicate with customers and partners in a way that helps minimize any backlash.
REGROUPING AFTER A BREACH
Once the company has resolved the breach and kicked out the attackers, executives and the board move on to damage control, both literally and figuratively. The security team will usually remove any malware, reimage infected systems, and consider ways to strengthen the company's defenses. Your counsel should be involved in the remediation efforts as well to ensure that the company preserves evidence and properly preserves records and other information that may be required in a lawsuit.

Bolstering your defenses

The company will need to update its security programs and processes based on lessons learned during the breach. This might include an outside assessment of the security program. The board should also be involved in reviewing the incident and the response, much like an NFL team replays video of last Sunday's game, to see where the company made mistakes. The review should determine whether the company made the right investments in security and took the right security posture.

The goal of the remediation effort is to repair and reinforce your IT infrastructure so that breaching the network in the same way again is much more difficult.

Damage control: not just for systems

Damage control also extends to repairing the company's reputation with its customers, partners, regulators, and the media. When a breach happens, shareholders and outside observers will call the company to account, leaving no distinction between directors and executives. Both must communicate professionally and with candor to reassure the public. The company needs to explain how it is improving its security posture to prevent the breach from reoccurring. Work with your counsel and public relations team to ensure your public statements are consistent, accurate, and properly timed.

While the impact of a breach on a company's reputation can be hard to quantify, we get some indication of it from the Ponemon Institute's U.S. Cost of Cyber Crime Study cited earlier. Ponemon states that the average customer churn rate after a breach rose 15% over the previous year. The churn rate refers to the number of new customers a company gains versus the number it loses in a given period.

That's what makes a company's response to a breach so important. When attackers steal credit card numbers or personally identifiable information (PII), companies often try to win back customers' trust by offering a year of free credit monitoring to mitigate any possible damage. As a gesture of goodwill, one U.S. retailer briefly also gave customers a 10% discount on any purchases made after it suffered a breach. [4]

[4] Target. A Message from CEO Gregg Steinhafel about Target's Payment Card Issues. December 2013.
CONCLUSION

Over the last year or so, cyber security has become a board-level issue. In the past, companies that complied with the applicable rules could withstand public scrutiny when they suffered a breach. That is no longer the case. Investors and regulators are holding corporations and their boards to a higher standard.

Where money and secrets go, attackers quickly follow. As companies get more connected to their customers and their partners, they have created new opportunities for attackers to compromise their systems and steal valuable data.

The role of directors is to protect shareholder interests. Cyber security breaches threaten those interests today as never before, forcing the issue into the boardroom whether or not directors want it there. Fortunately, there are reasonable steps and best practices that directors can adopt before, during, and after a breach to ensure they fulfill their responsibilities to protect their companies and their shareholders.

To learn more about how your board and top executives can help prepare for, respond to, and rebound from cyber breaches, visit
A CHECKLIST FOR DIRECTORS
BEFORE AN INCIDENT

- Stay current on the latest threats and cyber security best practices.
- Research, design, and deploy security technology. Consider access control, data security, training, processes, and procedures.
- Ensure the response plan covers communications, analysis, mitigation, and other critical tasks.
- Discuss with counsel whether you should disclose cyber security risk factors in the company's SEC 10-K filings, if public.
- Designate a board committee tasked with cyber security responsibilities.
- Establish links between board and C-level executives, especially CIO and CISO.
- Develop and deploy the appropriate systems to identify a cyber security event as soon as possible.
- Run practice drills to test the plan and revise it as needed.
- Obtain liability insurance specifically covering cyber security risk for directors and officers as well as for the corporation.
- Identify the firm's security posture and the risks to the company. Assess the company's systems, assets, data, and capabilities. And identify risks unique to your industry.
- Create an incident response plan that lays out who reports to whom. Build in contingencies in case some people are unavailable at the time of an incident.
- Establish a recovery plan to restore any capabilities or services impaired by a breach and to protect the company from further attacks.
- To limit the company's liability in certain kinds of attacks, consider cyber security vendors certified by U.S. Department of Homeland Security's SAFETY ("Support Anti-Terrorism By Fostering Effective Technologies") Act.
DURING AN INCIDENT

- Oversee an incident response. Serve as a conduit between incident responders within the company and external stakeholders, including customers, partners, and regulators.
- Understand that news of the incident usually comes to the company from outsiders, such as law enforcement or partner companies. Keeping the event under wraps is no longer very likely.
- Work closely with your legal counsel and public relations team to advise C-level executives about how to disclose incident details, especially to news media. Don't disclose facts until they've been verified.
- Stay in touch with your response team to assist as needed during response and through remediation.
AFTER AN INCIDENT

- After a breach has been repaired, intruders ejected, and systems restored, assist in damage control to fix the company's infrastructure and reputation.
- Review incident response to assess how it went. Identify weaknesses in equipment, systems, and procedures to determine where to make improvements.
- With guidance from your legal counsel, determine how to make customers whole if their data was exposed or stolen. Consider offering free credit monitoring, issuing new account numbers, and so on.
- Identify the churn rate: the number of customers who left versus the number of new customers acquired.
- Counsel can advise as to any consumer remedies required by law.

Disclaimer: The information presented here is not meant to constitute legal advice. Every situation is unique; this guide is not a substitute for experienced legal counsel or cyber security expertise. FireEye strongly recommends consulting legal and security professionals when mapping out a cyber defense strategy and responding to incidents.
FireEye, Inc., McCarthy Blvd., Milpitas, CA

FireEye, Inc. All rights reserved. FireEye is a trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. EB.CSP.EN-US091105
SMB Data Breach Risk Management Best Practices By Mark Pribish February 19, 2015 Presentation Agenda About Mark Pribish Information Governance The Threat Landscape Data Breach Trends Legislative and Regulatory
April 2016 PRIORITIZING CYBERSECURITY Five Investor Questions for Portfolio Company Boards Foreword As the frequency and severity of cyber attacks against global businesses continue to escalate, both companies
2015 www.bdo.com For more information on BDO USA s service offerings to this industry vertical, please contact one of the regional service leaders below: TIM CLACKETT Los Angeles 310-557-8201 / email@example.com
cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You! Cybersecurity is all over the news. Target, University of Maryland, Neiman
DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and
White Paper Healthcare Security: Improving Network Defenses While Serving Patients What You Will Learn Safeguarding the privacy of patient information is critical for healthcare providers. However, Cisco
Jefferson Glassie, FASAE Whiteford, Taylor & Preston 2 * 3 PII = An individuals first name and last name or first initial and last name in combination with any one or more of the following data elements
The Importance of Senior Executive Involvement in Breach Response Sponsored by HP Enterprise Security Services Independently conducted by Ponemon Institute LLC Publication Date: October 2014 The Importance
Brief The BakerHostetler Data Security Incident Response Report 2015 The rate of disclosures of security incidents in 2015 continues at a pace that caused many to call 2013 and then 2014 the year of the
Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest
Page 1 of 6 Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 firstname.lastname@example.org How GCs And Boards Can Brace For The Cybersecurity
Cyber Security: Not if, but when... Gerry Stegmaier Partner, Privacy and Data Security, Goodwin Procter Paul Luehr Managing Director & Chief Privacy Officer, Stroz Friedberg June 2015 Costs of Data Breaches
Building a strong business continuity plan Protect your clients and firm with a well-planned business continuity plan A solid business continuity plan (BCP) is about more than simply staying in compliance.
30-SECOND SUMMARY As intelligent, interconnected devices become more widely available and increasingly host high-value information like a hospital patient s medical records the intrusion points for cyber
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
Navigating the Waters of Incident Response and Recovery Lee Kim, Esq. Tucker Arensberg, P.C. CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 2013 Lee Kim
Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath
Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing
Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for? Authored by Neeraj Sahni and Tim Stapleton Neeraj Sahni is Director, Insurance Channel at Kroll Cyber Investigations
Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
The American Hospital Association s Center for Healthcare Governance 2015 Fall Symposium Adopting a Cybersecurity Framework for Governance and Risk Management Jim Giordano Vice Chairman & Chair of Finance
ALA WEBINAR Law Firm Cyber Security & Compliance Risks James Harrison CEO, INVISUS Breach Risks & Trends 27.5% increase in breaches in 2014 (ITRC) Over 500 million personal records lost or stolen in 2014
S P E C I A L R E P O R T The Numbers Game: An in-depth look at alert management in Europe security Reimagined Contents Introduction 3 Executive Summary 4 IT Security Spending 5 Alert Management 6 Managing
www.pwc.com/cybersecurity Answering your cybersecurity questions The need for continued action January 2014 Boards and executives keeping a sustained focus on cybersecurity do more than protect the business:
A Wake-Up Call? Fight Back Against Cybercrime Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 1 Coalfire Background Leading Information Security Consulting Firm Offices: Atlanta,
Cybersecurity Legal Landscape Bonnie Harrington Executive Counsel EHS and Product Safety & Cybersecurity GE Energy Management Imagination at work. What are you trying to secure against Cyber Attack? Personally
Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission June 25, 2015 1 Your Panelists Kenneth L. Chernof Partner, Litigation, Arnold & Porter LLP Nicholas
Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact February 10, 2015 Overview 1 The Legal Risks And Issues/The Role Of Legal Counsel: The Breach Coach The Slippery
GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the
Best Practices for a Healthcare Data Breach: What You Don t Know Will Cost You By: Emilio Cividanes, Venable LLP Partner and Co-Chair Regulatory Practice Group Paul Luehr, Stroz Friedberg Managing Director
SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES 2 On June 3, 2009, Plante & Moran attended the Midwest Technology Leaders (MTL) Conference, an event that brings together
6-11-2015 Cyber Insurance: How to Investigate the Right Coverage for Your Company Presented by: Faith M. Heikkila, Ph.D., CISM, CIPM, CIPP-US, ABCP Greenleaf Trust Chief Information Security Officer (CISO)
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report
BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Anatomy of a Healthcare Data Breach Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared
Eastern Massachusetts Compliance Network Cybersecurity Issues for Community Banks Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney email@example.com K&L Gates LLP State Street