horizons FEATURING > Protect Your Organization with Cyber Resilience > BIG Problems with Small DATA > Information Technology Due Diligence:


1 horizons A publication by RubinBrown LLP Cyber Security: The New Priority Spring 2014 FEATURING > Protect Your Organization with Cyber Resilience > BIG Problems with Small DATA > Information Technology Due Diligence: Often Overlooked but Vital to Deal Success PLUS > Private Company Financial Reporting: After Decades of Scrutiny, Relief May Finally Be Here > Outsourced Accounting: Paving the Way for Success in Our Economic Climate

2 TABLE OF CONTENTS horizons A publication by RubinBrown LLP Chairman James G. Castellano, CPA, CGMA Managing Partner John F. Herber, Jr., CPA, CGMA Denver Office Managing Partner Gregory P. Osborn, CPA Kansas City Office Managing Partner Todd R. Pleimann, CPA Editor Dawn M. Martin Art Director Jen Chapman Horizons, a publication of RubinBrown LLP, is designed to provide general information regarding the subject matters covered. Although prepared by professionals, its contents should not be construed as the rendering of advice regarding specific situations. If accounting, legal or other expert assistance is needed, consult with your professional business advisor. Please call RubinBrown with any questions (contact information is located on the back cover). Under U.S. Treasury Department guidelines, we hereby inform you that any tax advice contained in this communication is not intended or written to be used, and cannot be used by you for the purpose of avoiding penalties that may be imposed on you by the Internal Revenue Service, or for the purpose of promoting, marketing or recommending to another party any transaction or matter addressed within this tax advice. Further, RubinBrown LLP imposes no limitation on any recipient of this tax advice on the disclosure of the tax treatment or tax strategies or tax structuring described herein. Readers should not act upon information presented without individual professional consultation. 
SPRING 2014

Features: 1 RubinBrown News; Welcome from the Managing Partner; Chairman's Corner; Protect Your Organization with Cyber Resilience; BIG Problems with Small DATA; Information Technology Due Diligence: Often Overlooked but Vital to Deal Success; Private Company Financial Reporting: After Decades of Scrutiny, Relief May Finally be Here; Outsourced Accounting: Paving the Way for Success in Our Economic Climate; Timely Reminders

Industry-Specific Articles

33 colleges & universities: Cyber Security Risks for Universities. New risk factors and creating a control system to protect a university's assets and data.
36 gaming: Regulating Online Gaming: A Focus on Security. A look at regulation from the first three states to legalize online gaming.
40 professional services: Safeguarding Electronic Health Records & Law Firm Security: Steps to Protect Your Firm. Safeguard protected health information; plus protect firm and client information at organization, technical and physical levels.
45 manufacturing & distribution: Cyber Security in the Supply Chain. The risk of protecting information that exists with suppliers.
48 life sciences: Protecting Intellectual Property. Identifying IP inventory and mitigating IP risks.
52 public sector: Data Analysis: A Resilient Approach to Control Spending. Using data analysis to impact the bottom line.
55 real estate: Positive News for the Historic Tax Credit Industry. Much anticipated Revenue Procedure establishes a safe harbor.
58 not-for-profit: An Update on Not-For-Profit Financial Reporting. Senior project manager covers FASB's NFP Financial Reporting Initiative.
62 construction: Succession Planning: An Introduction for Construction Companies. Building value, grooming a successor, transferring ownership, and other considerations for succession planning.
66 transportation & dealerships: Simple Steps to Increase Profitability for Transportation Companies & Auto Dealers. Tips to ensure you fully maximize profitability with your current revenue stream.

3 WELCOME FROM THE MANAGING PARTNER

The Latest Trend: Cyber Security Start-Ups

Recent high-profile cyber security attacks like the data breach at Target have spurred an investment boom in cyber security companies. Research group PrivCo reports that early-stage funding for the cyber security sector soared almost 60% in Researchers expect that 2014 will bring more start-ups, along with subsequent transaction activity as security problems continue to increase, in tandem with our growing awareness of them.

There's no doubt that cybercrime is on the rise. Cisco Systems Inc. reports that cybercrime was up 14% in 2013 from the year before. Even more frightening are the statistics on loss and occurrence. Ponemon Institute reports that the cost of cybercrime has increased 26% since 2012 and further predicts that 3 out of 4 companies will be targeted by malicious web applications in this year alone.

While heavily covered in the media, cybercrime is a serious business issue that threatens all of us no matter what our size. This is why we chose the topic of cyber security as our theme for this issue.

This is one of the largest issues of Horizons RubinBrown has ever published. There's a lot of information to report on the topic of cyber security. And we hope that you glean some thought-provoking information and ideas from our research and writing.

In addition to several great feature articles on cyber resilience, big data, and IT due diligence, we have also included articles that focus on cybercrime's effect on several industries. Check out the cyber articles related to colleges and universities, gaming, life sciences, professional services and manufacturing & distribution.

I would welcome your feedback on ways we can continue to serve you as thought leaders in business as well as deliver totally satisfied clients. Please email me directly at john.herber@rubinbrown.com.

Pleasant reading,
John F. Herber Jr., CPA, CGMA
Managing Partner

page 1

4 RUBINBROWN NEWS

RubinBrown Publishes First Audit Quality Report
In January 2014, RubinBrown published its first-ever audit quality report. Audit quality reporting is intended to foster greater confidence in the audit process by assisting financial statement users, audit committee members and other stakeholders in understanding how an audit firm's management and operations support the performance of high quality audits. The Public Company Accounting Oversight Board (PCAOB), which regulates the audits of public companies, is currently developing a concept release regarding audit quality reporting and audit quality indicators. The concept release is expected to provide a definition of audit quality and include an audit quality framework. Additionally, there will be 25 to 30 potential audit quality indicators identified. Finally, there will be discussion of potential uses of the audit quality indicators. You may access the report at

RubinBrown Partner Amy Altholz Named Woman To Watch
Amy Altholz, CPA, partner and vice chair of RubinBrown's Not-For-Profit Services Group, was recently honored as one of the Missouri Society of Certified Public Accountants (MSCPA) Women to Watch. The MSCPA Women to Watch Awards recognize women in accounting who have made significant contributions to the profession and development of women in their communities.

RubinBrown Partner Steven Harris Named 2014 Young Leader
Steven Harris, CPA, partner-in-charge of RubinBrown's Entrepreneurial Services Group, was named one of the St. Louis American's 2014 Young Leaders. The Young Leader Awards identify and honor committed, compassionate, generous professionals making a positive impact in the community.

RubinBrown Managing Partner John Herber Named to AICPA Governing Council
John Herber, Jr., CPA, CGMA, managing partner of RubinBrown, was nominated to the American Institute of Certified Public Accountants Council as an at-large member. The appointment is for a three-year term on the council. Herber also currently serves as chairman of the AICPA's Professional Liability Insurance Program Committee.

5 RubinBrown Team Member Recognized with AICPA Elijah Watt Sells Award
RubinBrown team member Nathan Hutson, CPA, was recently presented with the 2013 Elijah Watt Sells Award from the American Institute of Certified Public Accountants. The award recognizes the individuals with a cumulative score above across all four sections of the computerized Uniform CPA Examination.

RubinBrown Partner Sharon Latimer Named To 2014 Class of Influential Women
Sharon Latimer, CPA, partner in RubinBrown's Assurance Services Group, was named to KC Business magazine's 2014 Class of Influential Women. The publication's influential women honorees are recognized as those who inspire and mentor others, create opportunities for their organizations and give back to their communities.

RubinBrown Kansas City Managing Partner Todd Pleimann Named to Kansas City Chamber of Commerce
Todd Pleimann, CPA, managing partner of RubinBrown's Kansas City office, was recently elected to The Greater Kansas City Chamber of Commerce Board of Directors. The Greater Kansas City Chamber of Commerce is a membership organization representing more than 2,500 companies and 300,000 employees across the Kansas City region.

RubinBrown Recent Talent Additions

Partners
Jeff Cunningham joined RubinBrown as a partner in its Real Estate Services and Assurance Services Group in the Denver office. Jeff's expertise lies in working with clients that develop and rehabilitate multi-family housing using traditional financing, low-income housing and historic tax credits and federal and state backed loans.

Jeff Naeger is a new partner in the Tax Services Group in St. Louis. Jeff specializes in providing federal and state tax consulting, state and local taxation, and mergers and acquisitions services to clients in a number of industries including manufacturing, healthcare and natural resources.

6 RUBINBROWN NEWS

RubinBrown Recent Talent Additions

Partners (continued)
Rhonda Sparlin joined the Denver office as a partner in the State and Local Tax Services Group. Rhonda is an expert in consulting with businesses on issues related to multistate income, franchise and indirect tax issues. She serves clients in the manufacturing, retail, technology, healthcare, service, software, mining and utility industries.

Sunti (Sunny) Wathanacharoen joined RubinBrown's Kansas City office as a partner in its Business Advisory Services Group. Sunny's experience managing consulting services spans various industries such as financial services/institutions, government, healthcare, manufacturing, professional services, retail, technology and telecommunications.

Managers
Brenda Buhrmester is a new manager in RubinBrown's Tax Services Group in Kansas City. With more than 18 years of experience, she primarily serves professional service organizations with tax consulting and compliance services.

RubinBrown recently added Mark Breakfield as a manager in its Wealth Management Services Group in St. Louis. Mark specializes in tax planning and consulting, estate and retirement planning and gift tax planning services for clients.

Timothy Kennedy joined RubinBrown's St. Louis office as a manager in RubinBrown's Real Estate Services Group, specializing in new markets, low-income housing and historic rehabilitation tax credits.

Suzy Kimbrough recently joined the Kansas City office as a manager in the Tax Services Group. With more than 20 years of public accounting experience, she primarily provides tax and consulting services to businesses and individuals.

Jason McAdamis joined the St. Louis office's Federal Tax Services Group as a manager. He provides comprehensive tax services for companies of all sizes in a variety of industries, including professional services and manufacturing and distribution.

Rachel Parkes is a manager in RubinBrown's Tax Services Group in Kansas City. She has more than ten years of accounting experience. Rachel works with clients in various industries including construction, gaming and manufacturing and distribution.

A new manager in the St. Louis office's State and Local Tax Services Group, Shawndel Rose provides clients with all phases of state and local tax compliance, consulting and planning services.

Aisha White is a new manager in the State and Local Tax Group in St. Louis. With more than 13 years of accounting experience, she primarily provides tax services to a wide array of clients.

7 MARK YOUR CALENDARS Denver RubinBrown Center November 6, 2014 Ethics Seminar Kansas City Doubletree Hotel November 11, 2014 St. Louis Donald Danforth Plant Science Center 8-10 a.m a.m. November 12, a.m. Year-End Accounting & Tax Update Denver RubinBrown Center December 10, a.m. Kansas City Doubletree Hotel December 11, a.m. St. Louis Donald Danforth Plant Science Center December 9, a.m. For Upcoming RubinBrown Seminars Glean insight into the latest tax legislation. Learn more about how new accounting rules will affect your business. Find out how your organization can benefit from business strategies and innovative ideas. Throughout the year, RubinBrown is an excellent source for learning and insight. SEC Update Denver St. Louis RubinBrown Center RubinBrown Center January 7, 2015 January 6, a.m a.m. Not-For-Profit Update Denver RubinBrown Center January 28, a.m. Kansas City Doubletree Hotel January 27, a.m. St. Louis Donald Danforth Plant Science Center January 22, a.m. Registration will be available 5 weeks prior to each event at Public Sector Seminar Denver RubinBrown Center February 6, a.m.-5 p.m. Kansas City Doubletree Hotel February 3, a.m.-12 p.m. St. Louis RubinBrown Center January 29, a.m.-12 p.m.

8 CHAIRMAN'S CORNER

The Stakes Have Changed Today with Cybercrime
by Jim Castellano, CPA, CGMA, Chairman

Remember when computers operated on punch cards ... a portable computer was as big as a suitcase and its screen the size of a 4 by 6 picture frame ... portable phones consisted of a heavy unit with a handset tethered to it with a spiral cord? Remember when crime involving theft only involved physical property or currency? What happened?

What happened is that the incredible explosion in technological advancements continued to change our world in ways we could not even imagine just a decade ago.

With the wonderful advances in technology also came ingenious techniques to steal valuable information by using the technology in devious ways. Hence, the emergence of an entirely new type of criminal engaged in cybercrime.

The topic of cyber security is high on the agenda of most audit committees today and should be high on the agendas of management of most organizations. An effective enterprise risk management process can highlight the numerous areas vulnerable to those anonymous and sophisticated criminals intent on theft or destruction.

The American Institute of CPAs (AICPA) recently published a paper titled The Top 5 Cybercrimes. The paper is intended to assist CPAs in public practice as well as in business and industry to understand the nature of each crime, the manner in which it is committed and remedial steps that can be taken. The paper can be found on AICPA's website at or viewed at the link in the sidebar to the right.

9 The top 5 cybercrimes discussed include: tax-refund fraud; corporate account takeover; identity theft; theft of sensitive data; theft of intellectual property.

While no precautions can provide absolute protection, you can begin to protect yourself and your organization from cybercrime by taking some or all of the following actions: institute an internal audit function in your organization; conduct risk management sessions to identify and rank the risks affecting you; audit your privacy and security policies and controls; use data analytics to identify unusual transactions in your records; consider the value of cyber security insurance coverage to recover financial losses that might arise from cybercrime.

We hope you find the articles in this issue of Horizons, written by our practice leaders, to be useful as you contemplate the range of cyber risks facing your organization. Of course, please consider us a resource as you explore the opportunities to protect yourself from these 21st century risks.

You may view AICPA's paper at For information about proactively addressing cybercrime, contact Audrey Katcher at or audrey.katcher@rubinbrown.com.

Sidebar: THE TOP 5 CYBERCRIMES, October 2013 (AICPA)

Tax-refund Fraud; Corporate Account Takeover; Identity Theft; Theft of Sensitive Data; Theft of Intellectual Property

A broad range of reports and authoritative sources were analyzed to separate vectors and tools from the actual cybercrimes. The sources include the AICPA, Cybersource Corporation [8], Internet Crime Complaint Center (IC3) [9], IBM [10], SANS [11], Computer Emergency Response Team (CERT) [12], Computer Security Institute (CSI) [13], Ponemon Institute [14], Microsoft, Verizon and Secure Florida [15]. Once the cybercrimes were identified, they were ranked in the following order by relevance to CPAs in public practice and business and industry.

GENERAL REMEDIATION STRATEGIES FOR THE TOP 5 CYBERCRIMES

A Verizon study of 600 incidents of security breaches over a five-year period reveals that in 87 percent of cases, investigators concluded that breaches could have been avoided if reasonable security controls had been in place at the time of the incident. Thus, a good place to start BEFORE a breach occurs is reasonable security controls as defined by the information security profession as best practices or principles. [30]

Remediation measures and controls that apply to one cybercrime often apply equally well to others, which results in multiple cybercrimes being addressed with a single countermeasure. This further supports the position that measures and controls taken by entities once a cybercrime occurs are the same measures and controls that should have been in place before the breach

CPAs need to make timely, informed decisions about the effective controls that can prevent cybercrimes from occurring, and detect, at its earliest stage, a crime that already has occurred. Equally important is CPAs' adeptness at responding to and correcting a security breach and cybercrime that has occurred.

SECURITY AUDITS AND CONTROLS

A Computer Security Institute (CSI) survey ranked internal cybersecurity audits as the strongest weapon in preventing and detecting cybersecurity vulnerabilities. An effective internal security audit identifies cybersecurity risks and assesses the severity of each type of risk. For optimal results, clients should ask their CPA to audit their privacy and security policies and controls. Following the audit, preventive controls for the major risks that were identified need to be instituted. Three strategies that can help management develop those controls are:

Timely and proactively patching vulnerabilities, including vulnerable software.

Using least-access privileges [29] and other sound logical access controls to help remediate crimes perpetrated internally. For external threats, sound perimeter controls such as firewalls and Intrusion Detection Systems (IDS) are critical to protection.

Monitoring systems, technologies and access, such as various logs created by technologies for those activities, with associated controls varying based on the threat level (also a detection strategy).

BUSINESS INSURANCE

In an age of financially motivated cybercrimes, every entity should have sufficient business insurance coverage to recover any financial losses. Executive management team members, especially the CFO, must evaluate the entity's insurance coverage to ensure that it could recover estimated losses from any cybercrime. Reviewing coverage should be done on a reasonable periodic basis. Leaders also might consider enlisting service providers that offer cleanup and restore functions after certain crimes have been committed.

INCIDENT RESPONSE PLAN

One useful correction remediation, although not preventive, is to develop an incident response plan. The plan would require employees with the necessary level of knowledge, and serving in key positions within the entity, to answer the following questions relating to the top five cybercrimes identified in this white paper: Which of these crimes are potential risks? What risks would follow from each crime? How should we respond to each of these crimes? How would we fully recover from each of these crimes?

The manner in which an entity responds to a cybercrime provides valuable insight into its possible vulnerabilities and preventive steps that could have been taken before the crime occurred.

Notes to the sidebar

[8] Cybersource Corporation is a worldwide ecommerce payment-management company. It publishes annual, statistics-based online fraud reports. At cybersource.com.
[9] IC3 is the Internet Crime Complaint Center, sponsored by the National White Collar Crime Center, the Bureau of Justice Assistance and the FBI. It accepts complaints from the public regarding Internet-related crimes and scams. At ic3.gov.
[10] IBM publishes a security report titled Trend and Risk Report. The March 2012 report was used as a source for this paper.
[11] SANS has a global scope, with a focus on information security (InfoSec). It has a certification, Global Information Assurance Certification (GIAC), related to InfoSec. SANS's services and resources are generally free to the public.
[12] Computer Emergency Response Team (CERT) is a partnership between Homeland Security and public and private sectors with the objective of coordinating responses to security threats. At cert.org.
[13] Computer Security Institute (CSI), for information security professionals, provides an annual survey of cybercrime, CSI Computer Crime & Security Survey, since about At gocsi.com.
[14] Ponemon Institute conducts independent research on privacy, data protection and information security policy. It has one of the best cybercrime studies, its annual Cost of Cyber Crime Study. The second study was published in August At ponemon.org.
[15] The state of Florida has a department, Secure Florida, that focuses on cybersecurity. It published Florida Cyber-Security Manual in The Florida Department of Law Enforcement, Florida Cybersecurity Institute and Secure Florida contributed to the manual. At secureflorida.org.
[29] Least-access privileges is a security concept that grants a person the least amount of access to systems, technologies and data needed to perform his/her duties or that first grants a person no access but then adds privileges to provide access only to needed information.
[30] Verizon's 2009 Data Breach Investigations Report. At securityblog.verizonbusiness.com.

10 FEATURE Protect Your Organization With Cyber Resilience by Audrey Katcher, CPA, CISA, CITP & Randall Hahn, CPA, CISA

With increasing cybercrime, entities need to turn their cyber security concerns into cyber resilience strategies.

[Figure: the five steps: Assess the Risks; Develop a Plan; Define Responsibilities; Communicate the Plan; Monitor & Report]

11 T-Mobile, Electronic Arts (EA), British Broadcasting Channel (BBC), Federal Election Commission, Target. These companies are not only well known but also share another common attribute. All five entities had recent cyber attacks. And they're not alone. Cyber attacks have become an everyday reality in our modern economy, with the average loss per incident exceeding $5,000,000, according to the Ponemon Institute.

Cyber security is an issue vital to all entities. In today's environment, the question of becoming a victim of a cyber security attack is no longer "if" but "when." While the threat of a cyber security attack has become almost inevitable, the risks associated with it can be managed through an effective cyber resilience plan.

Throughout this entire issue of RubinBrown's Horizons, you will read the many ways cyber attacks are impacting various industries as well as what organizations are doing to mitigate their exposure.

> Cyber security refers to analysis, warning, information sharing, vulnerability reduction, risk mitigation and recovery efforts for networked information systems. ~ World Economic Forum

This article focuses on providing an overview of cyber security in today's environment and the five key steps to building a cyber resilience plan.

Overview of Cyber Attacks and Cyber Resilience

Today, cyber attacks carry the element of surprise, and nearly each new attack is more innovative and sophisticated. Attacks are impacting more than just an entity's technology; they affect financial, reputational and stakeholder value. The strain of a cyber attack can impact all stages of an entity's supply chain, from vendor to customer. It is becoming more difficult to develop mitigation strategies for attacks as the interconnectivity of entities continues to increase and attack techniques evolve.

> Cyber resilience is defined as the ability of systems and organizations to withstand cyber events. ~ World Economic Forum

Additionally, the current spending for cyber security is predominantly limited to investment in firewalls and virus protection software. Companies are finding that in addition to these investments, it's just as important to have cyber resilience plans. Entities need to link the investment in cyber security to the potential consequences they face. Businesses today should incorporate consideration for preservation of reputation, impact on customers and consequences from attacks.

12 FEATURE

In summary, these components are the basic tenets of what is known as cyber resilience: security; preservation of reputation; customer impact; consequences.

A cyber resilience plan incorporates an understanding of modern attacks, a plan for defending/defeating those attacks and potential responses to those attacks. Cyber resilience plans are critical for entities of all sizes and can be adopted through the following five key steps.

> 57% of respondents expect to experience a security breach within the next year, yet only 20% regularly communicate with management about threats. ~ Ponemon Institute

Step One: Assess the Risks

The first step to developing a cyber resilience plan is to consider the business risk. What loss can the entity live with? Since budgetary spending on security is often limited, entities must identify the risks they face and then prioritize those risks to identify which ones are their greatest concerns. Keep in mind that the greatest risk may be your reputation and not the dollars directly associated with an individual attack.

The thought process evolves from thinking about "what type of protection to provide to all of the operations and assets" to "what are our most important assets and how do we protect them." Entities move from thinking about "what are the inputs we need for a security plan" to "what are the outcomes, or consequences, that we can live with," and then "how do we balance those risks with our limited resources."

Step Two: Develop a Plan

Once the priority assets have been identified, develop a plan to protect against the threats on those assets. The mindset should be one of moving beyond the minimal preventive and defensive controls needed for compliance standards to asking how resources can be effectively aligned to protect an entity's assets. As the effects of a cyber attack can impact all aspects of the supply chain, there needs to be a plan that strikes a balance between addressing concerns around security and not unnecessarily constraining the means by which business needs to be conducted.

13 The plan needs to be flexible to allow quick responses to attacks and the consequences from those attacks. To do this, cross-functional teams from varying business disciplines should develop and test the plans. The team should also ensure everyone is prepared to respond quickly and communicate with all affected stakeholders if an incident arises.

Step Three: Define Responsibility for Maintaining Security and for Responding

A recovery plan must be flexible so it can adapt to a variety of attacks, while also being specific, comprehensive, and most importantly, achievable by those within the organization. In the plan, two primary responsibilities should be assigned to leaders with authority and support. These responsibilities are for: maintaining the security; leading the response.

Sidebar: Avoid Apathy With Your Cyber Security Strategies
by Jack Zaloudek, Lecturer and Program Director, Information Management & Masters in Cyber Security Management, Washington University in St. Louis

Since cyber security is all about risk management, it is essential that the risk strategy be managed throughout the organization. It is the responsibility of the c-suite to ensure that the strategy is:
Understood by the employees of the firm
The employees have the tools and training to implement the strategy
Executives monitor the execution and absorption of the daily action plans necessary to make the employee awareness campaign a muscle memory response at every level of the business

It is very easy for one of the common killers of a good plan, apathy, to set in. Apathy can affect the senior level of leadership, but can also be experienced by the employees who will revert back to the status quo after the initial push and training is past. Strong leadership and monitoring for lapses in following the policies and procedures are essential watchdog elements to counteracting cyber security malaise and apathy. "It will not happen here" is not a suitable organizational response.

Define your Cyber Resilience Team

1. Executives: To provide governance as well as a conduit to the audit committee and board level questions
2. Internal Audit: To be an independent resource to report on the processes supporting cyber security and resilience
3. Communications: To provide broad communication, including public relations management
4. Insurance: To ensure clarity in the policies
5. Legal: To advise and monitor on current regulatory and other legal insights
6. Technology: To be a liaison and ensure an on-call technical response team is under contract
7. Finance: To enable transparency in the cost

14 FEATURE

8. Human Resources: To ensure employees and those who may leave the company are managed
9. Supply Chain: To ensure vendors have signed a commitment to cyber security with your company

The leaders should ensure that testing of the plan allows regular re-evaluation of both the prioritized assets and the actions needed to protect those priority assets as the security landscape evolves. This activity will help validate the security and the responsiveness.

Step Four: Communicate the Plan Executive Level

Executive level direction and support is essential. Cyber resilience plans require executive buy-in, collaboration from different levels within the entity and coordination with vendors and customers. When preparing your cyber resilience plan, consider:

There are no answers which provide 100% assurance
It is not a question of if an attack or incident will occur, but a question of when
There is a direct relationship between response time and the exposure to operations, finances and reputation

> Only 31% of U.S. entities have cyber insurance policies. ~ Experian Information Solutions, Inc.

In summary, communication of the plan, relevant updates, as well as what is driving these updates should be delivered to leadership and the board regularly.

Step Five: Monitor and Report

Moving forward, entities should continue to monitor the evolution of their cyber resilience plan. They should communicate monitoring results and changes to the direction of the plan to stakeholders, both internally and externally.

Why Act Now?

The costs and frequency of breaches are rising exponentially.

- The qualitative costs include loss of customer trust, reputation and stakeholder value
- The quantitative costs average $188 per record, with an average of over 28,000 records compromised per incident, resulting in a total average incident cost of $5,264,000 (Ponemon Institute)

> 44% of all small businesses surveyed have been a cyber-attack victim. ~ National Small Business Association

Do not assume that your business or one of your subsidiaries is not at risk: CNN reports nearly half of the data breaches that Verizon recorded in 2012 took place in entities with fewer than 1,000 employees. Symantec, a leading computer security firm, reported that 31% of all attacks in 2012 targeted businesses with fewer than 250 employees and attacks were up 81% over

RubinBrown's Business Advisory Services Group

RubinBrown's greatest asset is the thought leadership of our diverse group of seasoned professionals. We have directed and consulted with a wide variety of companies, ranging from Fortune 500 public companies to startup private companies.

- Michael T. Lewis, CFA, St. Louis, Partner-In-Charge, Business Advisory Services Group, michael.lewis@rubinbrown.com
- Sunti Wathanacharoen, Kansas City, Partner, Business Advisory Services Group, sunti.wathanacharoen@rubinbrown.com
- Audrey Katcher, CPA, CISA, CITP, St. Louis, Partner, Business Advisory Services Group, audrey.katcher@rubinbrown.com
- Matt Wester, CPA, CFE, Denver, Partner, Business Advisory Services Group, matt.wester@rubinbrown.com

BIG Problems with Small DATA

by Josh Leesmann

A Google search of "big data" will return about 12.7 million results. You will be quickly inundated with an endless list of vendors and software claiming to provide the solution to all of your big data needs. However, the marketing blitz may be slightly misleading, as more pressing data challenges often fall into the camp of "small data." That is to say, many of us may not be effective creators and consumers of information that can fit neatly within the realm of common spreadsheet software. We are most often held back by a lack of a methodological approach to the way we capture, store, analyze and access this small data.

Currently, Excel is the data tool of choice. Approximately 95% of U.S. companies use Excel in their operating environments. Further, 50% of Excel files are relied upon for critical business decisions. The fact that this software is so prolific throughout the U.S. economy is not, on its face, a problem. The issue is that there is no method to the madness. The average Excel file lives on for 5 years and is edited by an average of 12 professionals. Such a long-lived, dynamic instrument warrants a rigorous review and control environment to mitigate the impact of errors. For some additional reading on the potential impact of such errors, you can peruse the "Horror Stories" compiled by the European Spreadsheet Risks Interest Group at

The appropriate Excel environment can be created if we first think of it as a data manipulation tool. Think of Excel users as coders or software engineers. If you open and create Excel documents, you can technically be referred to as an Excel coder. This is a subtle distinction, but an important one. It is made more obvious when we juxtapose the control environment of a typical software engineer and the control environment of an Excel user. Software engineers often develop centralized controls and establish strict segregations of duties, monitoring the software's development at every stage of its life cycle.

Technically, we can leverage the methods and controls implemented by developers to mitigate the potential errors we make in Excel. A good place to start with error mitigation and file control would be to have the Excel coders provide some metadata about their files. Have them create a road map and document their work in Excel, including any changes made after its initial creation.

Further steps can be taken to clean up the actual work in Excel to increase the computational efficiency of the file and make it easier to review and understand. Excel coders can reduce the amount of embedded cross worksheet linking. For example:

DO NOT sum items from other worksheets using a formula such as:

    =Sheet1!A1+Sheet2!A2+Sheet3!A3

DO pull the information into individual cells in the current worksheet so that you can use the following code:

    =A1+A2+A3

Another word to the wise, do not create embedded "if" statements. For example:

DO NOT use a formula such as:

    =IF(A1=A2,"Yes",IF(B1=B2,"No","Error"))

DO break it up into two individual statements, such as:

    =IF(A1=A2,"Yes","No")

and

    =IF(B1=B2,"Yes","No")

Another great hint is to use Excel's functions. For example:

DO NOT use a formula such as:

    =A1+A2+A3

DO use:

    =SUM(A1:A3)

As a final note, be sure to add self-checking formulas that confirm the results of your work. There are currently researchers working with Excel add-ins that can help remind us to clean up our files. (Check out the free download of BumbleBee under 2013 publications at

The growing complexities ushered in by the era of big data are going to dictate that companies add rigor to their data collection, storage and analysis processes. Excel is not immune to this. It is easy to focus on the more complex software and data systems, but very few organizations leverage any software as much as Excel. Although big data issues are most certainly on the horizon for many companies, we (95% of U.S. companies) may be better served to focus on the bigger problem of harnessing and controlling the small data.

Source: Felienne Hermans' presentation, "Spreadsheets: The Dark Matter of IT."

RubinBrown's Business Advisory Services Group

RubinBrown's greatest asset is the thought leadership of our diverse group of seasoned professionals. We have directed and consulted with a wide variety of companies, ranging from Fortune 500 public companies to startup private companies.

- Michael T. Lewis, CFA, St. Louis, Partner-In-Charge, Business Advisory Services Group, michael.lewis@rubinbrown.com
- Matt Wester, CPA, CFE, Denver, Partner, Business Advisory Services Group, matt.wester@rubinbrown.com
- Sunti Wathanacharoen, Kansas City, Partner, Business Advisory Services Group, sunti.wathanacharoen@rubinbrown.com
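The spreadsheet rules in "BIG Problems with Small DATA" (no arithmetic across worksheets, no nested IF statements, built-in functions instead of hand-written sums) can be checked mechanically as part of a spreadsheet review. The Python sketch below is an added example, not code from the article or from the BumbleBee add-in; the formula list is constructed, and the rule names and function names are assumptions made for illustration.

```python
import re

# Constructed sample: cell address -> formula text, as exported from a workbook.
SAMPLE_FORMULAS = {
    "Summary!B2": "=Sheet1!A1+Sheet2!A2+Sheet3!A3",           # arithmetic across sheets
    "Summary!B3": '=IF(A1=A2,"Yes",IF(B1=B2,"No","Error"))',  # nested IF
    "Summary!B4": "=A1+A2+A3",                                # hand-written sum
    "Summary!B5": "=SUM(A1:A3)",                              # preferred form
    "Summary!B6": '=IF(SUM(A1:A3)=B5,"OK","CHECK")',          # self-checking cell
    "Summary!B7": "='Q1 Data'!C4*1.05",                       # quoted sheet name in a calc
    "Summary!B8": "=Sheet1!A1",                               # plain pull into a local cell
}

STRING_LITERAL = re.compile(r'"(?:[^"]|"")*"')
SHEET_REF = re.compile(
    r"(?:'((?:[^']|'')+)'|([A-Za-z_][A-Za-z0-9_.]*))!\$?[A-Za-z]{1,3}\$?\d+"
)
CALL_OR_CLOSE = re.compile(r"([A-Za-z_][A-Za-z0-9_.]*)?\(|\)")
CELL = re.compile(r"\$?([A-Za-z]{1,3})\$?(\d+)")


def strip_strings(formula):
    """Blank out string literals so text such as "Sheet1!A1" is not analysed."""
    return STRING_LITERAL.sub('""', formula)


def embedded_sheet_refs(formula):
    """Sheets referenced inside a calculation; a lone pull (=Sheet1!A1) is allowed."""
    code = strip_strings(formula).lstrip("=").strip()
    if SHEET_REF.fullmatch(code):
        return []
    names = [quoted or bare for quoted, bare in SHEET_REF.findall(code)]
    return list(dict.fromkeys(names))  # de-duplicate, keep first-seen order


def max_if_depth(formula):
    """Deepest nesting of IF( calls; SUMIF, IFERROR and the like do not count."""
    stack, deepest = [], 0
    for match in CALL_OR_CLOSE.finditer(strip_strings(formula)):
        if match.group(0) == ")":
            if stack:
                stack.pop()
        else:
            stack.append((match.group(1) or "").upper())
            deepest = max(deepest, stack.count("IF"))
    return deepest


def sum_candidate(formula):
    """Suggest =SUM(range) when the formula adds three or more consecutive cells of one column."""
    terms = [t.strip() for t in formula.lstrip("=").split("+")]
    cells = [CELL.fullmatch(t) for t in terms]
    if len(cells) < 3 or not all(cells):
        return None
    columns = {m.group(1).upper() for m in cells}
    rows = [int(m.group(2)) for m in cells]
    if len(columns) == 1 and rows == list(range(rows[0], rows[0] + len(rows))):
        col = columns.pop()
        return f"=SUM({col}{rows[0]}:{col}{rows[-1]})"
    return None


def lint_formula(formula):
    """Return (rule, detail) findings for one formula."""
    findings = []
    sheets = embedded_sheet_refs(formula)
    if sheets:
        findings.append(("cross-sheet-calc", ", ".join(sheets)))
    depth = max_if_depth(formula)
    if depth > 1:
        findings.append(("nested-if", f"depth {depth}"))
    suggestion = sum_candidate(formula)
    if suggestion:
        findings.append(("use-sum", suggestion))
    return findings


def lint_workbook(formulas):
    """Map each cell that breaks a rule to its findings."""
    report = {}
    for cell, formula in formulas.items():
        findings = lint_formula(formula)
        if findings:
            report[cell] = findings
    return report


if __name__ == "__main__":
    for cell, findings in lint_workbook(SAMPLE_FORMULAS).items():
        for rule, detail in findings:
            print(f"{cell}: {rule} ({detail})")
```
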


Into the cybersecurity breach

Into the cybersecurity breach Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

IT Insights. Managing Third Party Technology Risk

IT Insights. Managing Third Party Technology Risk IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate

More information

IT Security Management 100 Success Secrets

IT Security Management 100 Success Secrets IT Security Management 100 Success Secrets 100 Most Asked Questions: The Missing IT Security Management Control, Plan, Implementation, Evaluation and Maintenance Guide Lance Batten IT Security Management

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION

More information

Managing business risk

Managing business risk Managing business risk What senior managers need to know about business continuity bell.ca/businesscontinuity Information and Communications Technology (ICT) has become more vital than ever to the success

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

Cybersecurity y Managing g the Risks

Cybersecurity y Managing g the Risks Cybersecurity y Managing g the Risks Presented by: Steven L. Caponi Jennifer Daniels Gregory F. Linsin 99 Cybersecurity The Risks Are Real Perpetrators are as varied as their goals Organized Crime: seeking

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

CYBERSECURITY INVESTIGATIONS

CYBERSECURITY INVESTIGATIONS CYBERSECURITY INVESTIGATIONS Planning & Best Practices May 4, 2016 Lanny Morrow, EnCE Managing Consultant lmorrow@bkd.com Cy Sturdivant, CISA Managing Consultant csturdivant@bkd.com Michal Ploskonka, CPA

More information

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers

More information

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively

More information

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com Access is power Access management may be an untapped element in a hospital s cybersecurity plan January 2016 kpmg.com Introduction Patient data is a valuable asset. Having timely access is critical for

More information

CYBERSECURITY: Is Your Business Ready?

CYBERSECURITY: Is Your Business Ready? CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring

More information

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue. Seamless Mobile Security for Network Operators Build a secure foundation for winning new wireless services revenue. New wireless services drive revenues. Faced with the dual challenges of increasing revenues

More information

Specializing in Broker Dealer firms since 1996

Specializing in Broker Dealer firms since 1996 Specializing in Broker Dealer firms since 1996 Serving Broker Dealers & Professional Securities Industry Firms 21860 Burbank Blvd, Suite 150 Woodland Hills, CA 91367 Phone: (818) 657-0288 Fax: (818) 657-0299

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT)

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT) INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT THE FIFTH ANNUAL SURVEY ON THE CURRENT STATE OF AND TRENDS IN INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT Sponsored by October 2015

More information

Implement security solutions that help protect your IT systems and facilitate your On Demand Business initiatives.

Implement security solutions that help protect your IT systems and facilitate your On Demand Business initiatives. Security solutions To support your business objectives Implement security solutions that help protect your IT systems and facilitate your On Demand Business initiatives. For an On Demand Business, security

More information

Cybersecurity: Protecting Your Business. March 11, 2015

Cybersecurity: Protecting Your Business. March 11, 2015 Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks

More information

2010 AICPA Top Technology Initiatives. About the Presenter. Agenda. Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP

2010 AICPA Top Technology Initiatives. About the Presenter. Agenda. Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP 2010 AICPA Top Technology Initiatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter Partner-in-Charge, Habif,

More information

Who s next after TalkTalk?

Who s next after TalkTalk? Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.

More information

Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Sunday December 16, 2012 at 10:20 am

Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Sunday December 16, 2012 at 10:20 am 1 of 7 5/8/2014 7:34 PM Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Sunday December 16, 2012 at 10:20 am Editor s Note: David A. Katz is a partner at Wachtell, Lipton, Rosen & Katz specializing

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

Cybersecurity and the Threat to Your Company

Cybersecurity and the Threat to Your Company Why is BIG Data Important? March 2012 1 Cybersecurity and the Threat to Your Company A Navint Partners White Paper September 2014 www.navint.com Cyber Security and the threat to your company September

More information

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS Cybersecurity and information security have become key challenges for

More information

Cyberprivacy and Cybersecurity for Health Data

Cyberprivacy and Cybersecurity for Health Data Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP 2015 CEO & Board University Cybersecurity on the Rise Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf

More information

Effective IT Risk Management for Small Businesses

Effective IT Risk Management for Small Businesses Effective IT Risk Management for Small Businesses A Small Business Gets Some Lessons in IT Risk Management Although large and publicly traded companies often get the most attention, small, private, entrepreneurial

More information

Essentials to Building a Winning Business Case for Tax Technology

Essentials to Building a Winning Business Case for Tax Technology Essentials to Building a Winning Business Case for Tax Technology The complexity of the tax function continues to evolve beyond manual and time-consuming processes. Technology has been essential in managing

More information

THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED

THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED THE CYBER SECURITY PLAYBOOK 2 03 Introduction 04 Changing Roles, Changing Threat

More information

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for?

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for? Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for? Authored by Neeraj Sahni and Tim Stapleton Neeraj Sahni is Director, Insurance Channel at Kroll Cyber Investigations

More information

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Collaboration and communication between technical

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

WRITTEN TESTIMONY OF

WRITTEN TESTIMONY OF WRITTEN TESTIMONY OF KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Achieving Cyber Resilience. By Garin Pace, Anthony Shapella and Greg Vernaci

Achieving Cyber Resilience. By Garin Pace, Anthony Shapella and Greg Vernaci Achieving Cyber Resilience By Garin Pace, Anthony Shapella and Greg Vernaci Cyber security has become the single most important risk to company Boards of Directors around the world. This is not a surprise

More information

Healthcare Security: Improving Network Defenses While Serving Patients

Healthcare Security: Improving Network Defenses While Serving Patients White Paper Healthcare Security: Improving Network Defenses While Serving Patients What You Will Learn Safeguarding the privacy of patient information is critical for healthcare providers. However, Cisco

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity Cyber ROI A practical approach to quantifying the financial benefits of cybersecurity Cyber Investment Challenges In 2015, global cybersecurity spending is expected to reach an all-time high of $76.9

More information

Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014

Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014 Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014 It s a pleasure to be with you back home in Boston. I was here just six weeks ago

More information

IFIAR 2015 Member Profile - PCAOB

IFIAR 2015 Member Profile - PCAOB Jurisdiction United States of America (USA) 1. Organization Insert the name of the Organization, both in the local language and in English: Public Company Accounting Oversight Board ( PCAOB ) Include relevant

More information

October 24, 2014. Mitigating Legal and Business Risks of Cyber Breaches

October 24, 2014. Mitigating Legal and Business Risks of Cyber Breaches October 24, 2014 Mitigating Legal and Business Risks of Cyber Breaches AGENDA Introductions Cyber Threat Landscape Cyber Risk Mitigation Strategies 1 Introductions 2 Introductions To Be Confirmed Title

More information

What Data? I m A Trucking Company!

What Data? I m A Trucking Company! What Data? I m A Trucking Company! Presented by: Marc C. Tucker 434 Fayetteville Street, Suite 2800 Raleigh, NC, 27601 919.755.8713 marc.tucker@smithmoorelaw.com Presented by: Rob D. Moseley, Jr. 2 West

More information

Supporting Effective Compliance Programs

Supporting Effective Compliance Programs October 2015 Supporting Effective Compliance Programs The Oversight Roles of the Board Audit and Risk Committees in Regulatory Compliance By Paul Osborne, CPA, CAMS, AMLP, and Peggy Sepp, CIA To be effective,

More information

Security and Privacy Trends 2014

Security and Privacy Trends 2014 2014 Agenda Today s cyber threats 3 You could be under cyber attack now! Improve 6 Awareness of cyber threats propels improvements Expand 11 Leading practices to combat cyber threats Innovate 20 To survive,

More information

OCC 98-3 OCC BULLETIN

OCC 98-3 OCC BULLETIN To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel

More information

Assessing the strength of your security operating model

Assessing the strength of your security operating model www.pwc.com Assessing the strength of your security operating model May 2014 Assessing the strength of your security operating model Retail stores, software companies, the U.S. Federal Reserve it seems

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel May 5th, 2015 10:00-11:30 a.m. Hyatt Regency, Indian Wells, CA Thank you all for welcoming me. It

More information

Internet Reputation Management Guide. Building a Roadmap for Continued Success

Internet Reputation Management Guide. Building a Roadmap for Continued Success Internet Reputation Management Guide Building a Roadmap for Continued Success About BrandProtect BrandProtect is the leader in multi-channel Internet threat monitoring and risk mitigation. The company

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Protecting against cyber threats and security breaches

Protecting against cyber threats and security breaches Protecting against cyber threats and security breaches IBM APT Survival Kit Alberto Benavente Martínez abenaventem@es.ibm.com IBM Security Services Jun 11, 2015 (Madrid, Spain) 12015 IBM Corporation So

More information

PROPOSED INTERPRETIVE NOTICE

PROPOSED INTERPRETIVE NOTICE August 28, 2015 Via Federal Express Mr. Christopher J. Kirkpatrick Secretary Office of the Secretariat Commodity Futures Trading Commission Three Lafayette Centre 1155 21st Street, N.W. Washington, DC

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

Cybercrime: risks, penalties and prevention

Cybercrime: risks, penalties and prevention Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37.

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37. Zip It! Feds, State Strengthen Privacy Protection Practice Management Feature July 2012 Tex Med. 2012;108(7):33-37. By Crystal Conde Associate Editor When it comes to enforcing HIPAA data security and

More information

Healthcare Internal Audit: In a Time of Transition

Healthcare Internal Audit: In a Time of Transition The 2015 State of the Internal Audit Profession Study Healthcare Internal Audit: In a Time of Transition The healthcare industry in the United States is facing many challenges with the enactment of legislation

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

Third-Party Risk Management for Life Sciences Companies

Third-Party Risk Management for Life Sciences Companies April 2016 Third-Party Risk Management for Life Sciences Companies Five Leading Practices for Data Protection By Mindy Herman, PMP, and Michael Lucas, CISSP Audit Tax Advisory Risk Performance Crowe Horwath

More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and Healthy Students; Hamed Negron-Perez,

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Eric Wright, CPA, CITP. Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

FFIEC Cybersecurity Assessment Tool

Overview: In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

The Dow Chemical Company. statement for the record. David E. Kepler. before

The Dow Chemical Company statement for the record of David E. Kepler, Chief Sustainability Officer, Chief Information Officer, Business Services and Executive Vice President, before The Senate Committee

White Paper on Financial Institution Vendor Management

Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

Defining Issues. Implementing the Forthcoming Revenue Recognition Standard. February 2014, No. 14-9

Advanced planning will provide companies with the flexibility to spread the work of implementing the new

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP

Changing Legal Landscape in Cybersecurity: Implications for Business. Agenda: Growing Cyber Threats

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

CYBER ATTACKS INFILTRATE CRITICAL INFRASTRUCTURE SECTORS. Government and enterprise critical infrastructure sectors such as energy, communications

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm


VENDOR MANAGEMENT. General Overview

With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today's business world. Vendor

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Position Overview: The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

Cyber Threats: Exposures and Breach Costs

Issue No. 2. THREAT LANDSCAPE: Technological developments do not only enhance capabilities for legitimate business; they are also tools that may be utilized by those with malicious intent. Cyber-criminals

Defending Against Data Beaches: Internal Controls for Cybersecurity

Presented by: Michael Walter, Managing Director, and Chris Manning, Associate Director, Protiviti Atlanta Office. Agenda: Defining Cybersecurity

Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions

PLAN ADVISORY. Table of Contents: Introduction; Selecting and Monitoring Third-Party Service Providers; Quality

Anatomy of a Privacy and Data Breach

Understanding the Risk and Managing a Crisis. Adam Kardash: Partner, Heenan Blaikie LLP. Robert Parisi: Senior Vice President, Marsh Leadership, Knowledge, Solutions

WHITE PAPER. Attack the Attacker HOW A MANAGED SECURITY SERVICE IMPROVES EFFICIENCY AND SAVES COST

Table of Contents: THE SECURITY MAZE; THE CHALLENGE; THE IMPORTANCE OF MONITORING; RAPID INCIDENT

Why you should adopt the NIST Cybersecurity Framework

www.pwc.com/cybersecurity. May 2014. The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential

State of Security Survey GLOBAL FINDINGS

2011 State of Security Survey: GLOBAL FINDINGS. Contents: Introduction; Methodology; Finding 1: Cybersecurity is important to business; Finding 2: The drivers of security are changing; Finding

Italy. EY's Global Information Security Survey 2013

This year's survey, our 16th edition, captures the responses of 1,909 C-suite and senior level IT and information

Blind spot: Banks are increasingly outsourcing more activities to third parties. But they can't outsource the risks.

For anyone familiar with the banking industry, it comes as no surprise that banks are

Data Privacy and Gramm-Leach-Bliley Act Section 501(b)

October 2007. 2007 Enterprise Risk Management, Inc. Agenda: Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

Chairman Johnson, Ranking Member Carper, and Members of the committee:

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT. STATEMENT OF THE HONORABLE KATHERINE ARCHULETA, DIRECTOR, U.S. OFFICE OF PERSONNEL MANAGEMENT, before the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

IT SECURITY RISKS SURVEY 2014: A BUSINESS APPROACH TO MANAGING DATA SECURITY THREATS

Contents: Introduction; Key figures; Methodology; Concerns and priorities of IT managers: data comes first

Cybersecurity: What CFO's Need to Know

William J. Nowik, CISA, CISSP, QSA, PCIP. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS. 2014 Wolf & Company, P.C. Today's Agenda: Introduction

OCIE Technology Controls Program

Cybersecurity Update. Chris Hetner, Cybersecurity Lead, OCIE/TCP, 212-336-5546. Introduction (Role, Disclaimer, Background and Speech Topics); SEC Cybersecurity Program Overview

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS. www.fic.gov.bc.ca

INTRODUCTION: The Financial Institutions Commission (FICOM) holds the Board of Directors (board) accountable for the stewardship

Time Is Not On Our Side!

Restricting, Authenticating, Tracking User Access? An audit sets the baseline. The next steps help prevent, detect, and respond. It is rare for a few days to pass without news of a security breach affecting


COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

OFFICE OF THE NATIONAL COUNTERINTELLIGENCE EXECUTIVE. Counterintelligence for the

MEDIA RELEASE. IOSCO reports on business continuity plans for trading venues and intermediaries

IOSCO/MR/54/2015. Madrid, 22 December 2015. The Board of the (IOSCO) today published two reports that seek to enhance the

Middle Class Economics: Cybersecurity Updated August 7, 2015

The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

Chapter 2 Highlights: M&A and Compliance With The Sarbanes-Oxley Act of 2002

Excerpted From The Complete Guide to Mergers And Acquisitions: Process Tools To Support M&A Integration At Every Level Second

The Evolving Governance Model for Cybersecurity Risk. By Gary Owen, Director, Promontory Financial Group

Banking Perspective, Quarter 2, 2014. Responsibility for the oversight of information security and