Cyber Risk Management for Government Contractors Its Not Just Ones and Zeros Anymore. How Changes to HSAR, FAR and DFARS will Impact Your Business

Transcription

1 Cyber Risk Management for Government Contractors Its Not Just Ones and Zeros Anymore How Changes to HSAR, FAR and DFARS will Impact Your Business

2 Today s Participants Emile Monette - Moderator General Services Administration - Senior Advisor for Resilience and Cybersecurity in GSA's Office of Mission Assurance Carter Schoenberg President & CEO - HEMISPHERE Cyber Risk Management Felicia Thorpe Government and Cyber Risk Insurance Consultant AH&T Insurance Steve Britt Partner - Berenzweig Leonard LLP Director of Corporate and Technology Law Terrence O Connor Partner - Berenzweig Leonard LLP

3 Background on How These New Rules Developed February 2013 POTUS EO Improving Critical Infrastructure Cybersecurity November 2013 DoD/GSA publish final report to the White House November 2013 DFAR amends requirements with 51 controls taken from NIST SP February 2014 NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity Q ALLIANT II and ENCORE III Cyber Risk Mitigation Plans March 2015 Homeland Security Acquisition Regulation Modifications April 2015 OPM breach December 2015 DFARS amended to require all government contractors within scope to adhere to NIST SP by December 31, 2017

4 Today s Challenges How will USG define protected information? How do you protect yourself within the government requirements? How do you protect yourself outside of those requirements? How can small or medium size Government Contractors address the costs associated with complying? Who can provide essential independent assessments in accordance with the USG requirements?

5 What is Undervalued in Business Today? These areas of business operations represent the greatest exposure to financial devastation when left unaddressed.

6 Who s Paying For It? Costs to adhere can likely be included in G&A but not fringe In some instances, USG may provide an option to subsidize post-award Ultimately a Zero-Sum Game USG acknowledges these new requirements will push up the value of each procurement Example RFP R ABC old ICE of $1,000, without new ICE + $25, or more = $1.025M

7 What is required by NIST SP and how is FAR/DFARS impacted? Controls taken from NIST SP800-53r4 Technical Operational Managerial Required disclosure of what controls are not met and a Plan of Actions and Milestones (POA&Ms) Pertains to your corporate environment in addition to the goods and services provided the government should only do business with organizations that meet such baseline requirements in both their own operations and in the products and services they deliver - POTUS EO13636

8 What Constitutes Protected Data? Agreement to the condition of providing cyber security that meets all the standards of any sensitive data and information could subject a contractor to risks under the False Claims Act (FCA). Sanction for FCA violations include civil penalties up to $11,000 per violation, as well as other damages. Technical specifications/diagrams/topologies PIV/CAC data Internal FOUO documents shared between USG and Contractor eqip Access s regarding USG systems, personnel, projects USG discretion

9 Mitigating Risk Exposure addresses what USG is looking for but does not negate civil liability No requirements for cyber risk insurance No requirement for pentest No requirement for assessing data spillage Does not address breach notification requirements that are unique in 47 States Does not adequately address 3 rd party risk (your business partners) Creates another check box environment Directly tied to 3 rd Party

10 CONTEXT: The Cybersecurity Landscape Sector specific laws and general authority HIPAA (Health Insurance Portability & Accountability Act) SEC FCC DoD DHS State Data Breach Statutes (47) No exclusion for federal contractors. Protected information varies (access codes, biometric, medical) Triggers/remedies vary (# records, AG notice, private lawsuits)

11 Recent and Expected Regulations NIST SP is standard - all DoD solicitations and contracts involving Covered Defense Information must include Compliance clause ( ) and Safeguarding clause ( ) and flow down to all subcontracts involving CDI. CDI: controlled technical information, operationally critical, export control or identified information required to be safeguarded by law, regulation or policies (e.g., privacy, proprietary business). Soon, NIST will likely become the standard for civilian solicitations and contracts.

12 DoD requirements: Notify DoD w/in 30 days of award if/how you don t comply with NIST Meet as soon as practicable but NLT Realize your bid constitutes your self-certification of compliance by Report any Cyber Incidents directly to DoD and to higher tier contractor Flow down the clauses to subcontractors handling CDI Prepare for a future audit now minimize liability issues

13 Upon Cyber Incident, you must Identify compromised computers, data and accounts Determine if other network systems, data or accounts accessed Submit any malicious software discovered Preserve imaged systems / packet data for forensic audit DoD can release your proprietary information to outside forensic contractors, intelligence or law enforcement authorities or to national security participants Prepare for a future audit now avoid liability issues

14 What Do You Do First? Read your solicitations and contracts carefully You must identify what information and systems must be protected You must know where you fail NIST You must immediately begin to meet NIST You must be able to identify / respond to Cyber Incidents You must determine how to screen your subcontractors You must screen your supply chain for security

15 What Do You Do Next? Anticipate/articulate duties in teaming agreements Establish a Cybersecurity Risk Management Plan Don t forget State Data Breach standards (PII) Engage cybersecurity assessment / data breach forensic firms Evaluate best options for cybersecurity insurance to transfer risk and lower costs

16 How do Insurance Companies Define Cyber-Risk Exposures to harm/loss arising out of the use, loss of, or interaction with forms of media, data and activities that exist in the electronic or virtual world (tangible items can be covered). Cyber-risk insurance = risk transfer (insurance coverage) designed to be responsive to some of the exposures above.

17 Lines of Coverage Involved Cyber Coverage Dedicated Property Crime Commercial General Liability (CGL) Fiduciary Liability D&O Liability (D&O) KRE (Special Coverage) Errors & Omissions Liability (E&O) Umbrella

18 How is Cyber Insurance Priced? Determine the hazard grade Review controls in place Consider discretionary factors Evaluate individual risk exposure Understand the Limits Needed to Address the Exposures

19 I am Too Small to Target, Right? Percentage of Claims based on Known Number of Records Compromise as of 10/30/15 8% 2% 0 records 36% 54% records ,000 records 100,000+ records

20 Cyber Risk Management Pre-event services may include: Assistance with a cyber event plan Network monitoring Ethical hacking Network security audits, etc. Post-event services may include (1 st party expense): Crisis Management funds Breach coaching Triage advice Notification expenses

21 Post Event Services/First Party Expense Average Cost of First Party Expenses per breach: Legal fees $51,600 Forensics $185,600 as of 10/30/15 Notification &Call Center $81,600 Credit Monitoring $59,150 Crisis Management $44,500 Total for First Party Expenses = $422,450

22 What does a Comprehensive Risk Management Plan look like? IV&V with Legal Guidance technical and operational) (Leveraging proprietary assessment methodology to evaluate Policy Design and Implementation Legal Reviews and Cyber Risk Identification Teaming agreements Service Level Agreements Terms and Conditions Insurance Audit and Plan Design

23 Questions Carter Schoenberg President & CEO HEMISPHERE Cyber Risk Management Terrence O Connor Partner Berenzweig Leonard LLP Steve Britt, Partner Berenzweig Leonard LLP Felicia Thorpe Government and Cyber Risk Insurance Consultant AH&T Insurance Phone (703) Carter.Schoenberg@hemispherecybersec.com Phone (703) TOConnor@BerenzweigLaw.com Phone (703) sbritt@berenzweiglaw.com Phone (703) fthorpe@ahtins.com