October 24, Mitigating Legal and Business Risks of Cyber Breaches

Transcription

1 October 24, 2014 Mitigating Legal and Business Risks of Cyber Breaches

2 AGENDA Introductions Cyber Threat Landscape Cyber Risk Mitigation Strategies 1

3 Introductions 2

4 Introductions To Be Confirmed Title of Company To Be Confirmed Title of Company R. Jason Straight Senior Vice President, Chief Privacy Officer of UnitedLex 3

5 Cyber security and digitized information threats overview CYBER THREAT LANDSCAPE 4

6 CYBER THREAT LANDSCAPE Trends and Developments Cyber security has reached the top of the list of enterprise risks 5

7 CYBER THREAT LANDSCAPE Trends and Developments 6

8 CYBER THREAT LANDSCAPE Trends and Developments Gap between offense and defense is growing despite huge investments by defenders Percent of breaches with timelines of days or less 100% Time to Compromise 75% 50% 25% Time to Discovery SOURCE: 2014 Verizon Data Breach Investigations Report

9 CYBER THREAT LANDSCAPE Trends and Developments

10 CYBER THREAT LANDSCAPE Trends and Developments Large companies now in state of continuous incident response ALERT! ALERT! ALERT! 9

11 CYBER THREAT LANDSCAPE Threat Actor Overview Accidental Data Compromise Negligent & Malicious Insiders State Sponsored Attackers Hacktivist Groups Organized Crime Syndicates Lone-Wolf Hackers Number of Breaches per threat actor over time 10 SOURCE: 2014 Verizon Data Breach Investigations Report

12 CYBER THREAT LANDSCAPE Trends and Developments Traditional perimeter defenses still necessary but no longer sufficient insider vulnerabilities are often overlooked Types of Data Breaches Experienced in Past 24 Months 11 SOURCE: Ponemon Institute, The Post Breach Boom, Feb. 2013

13 CYBER THREAT LANDSCAPE Trends and Developments Security industry moving from prevention to pre-emption focus relying on threat analytics and behavioral monitoring Collaboration across risk, compliance, legal, business units and IT Improved detection techniques Multiple layers of analytics and visualization Faster reaction to emerging threats 12 SOURCE: Gartner, Reality Check on Big Data Analytics for Cybersecurity and Fraud IDC, Raising on the Executive Agenda: Fraud Waste and Abuse in Healthcare and Financial Services

14 CYBER THREAT LANDSCAPE Types of Damages Brand damage Customer churn Business interruption Legal liability Regulatory Issues 13

15 CYBER THREAT LANDSCAPE Threat Vector Overview Hacking Attacks MA LWAR E Social Engineering Third Party Exposures 14

16 CYBER THREAT LANDSCAPE Hacking Attacks Opportunistic Attacks Estimated that 75% of attacks are opportunistic triggered by detection of vulnerability Includes incidents involving stolen devices Notification obligations may be triggered even absent affirmative evidence of malicious intent or actual exposure Targeted Attacks State-Sponsored Organized Crime Hacktivists 15

17 CYBER THREAT LANDSCAPE Social Engineering Spear Phishing 16

18 CYBER THREAT LANDSCAPE Third Party Exposures Source: Computerworld, IDG News Service, Feb 27, 2013 Source: DataBreach Today, June 13, 2014 Source: Krebs on Security, Feb 5,

19 CYBER THREAT LANDSCAPE Lessons Learned from the Target Breach SOURCE: Timeline of Target's Data Breach And Aftermath: How Cybertheft Snowballed For The Giant Retailer International Business Times The Target Breach By the numbers KrebsOnSecurity 18

20 CYBER THREAT LANDSCAPE Lessons Learned from the Target Breach At least 100 lawsuits filed against Target in various state and federal courts Common causes of action brought against Target Negligence Breach of contract Breach of fiduciary duty Invasion of privacy Consumer fraud and deceptive business practices Violation of numerous state and federal statutes Common theories of damages caused by the breach Fraudulent charges Credit monitoring fees Identity theft Lost wages Damaged credit scores Anxiety over financial well-being Losses by financial institutions (replacing debit/credit cards, closing accounts, reversing fraudulent charges, lost interest/transaction fees) 19

21 CYBER THREAT LANDSCAPE Lessons Learned from the Target Breach Congressional Inquiry Document Request 1. All written policies... relating to threat monitoring, network security All documentation... detailing the funds spent and persons employed on the network security of systems serving Target stores All correspondence, analyses, reports, or any other communications relating to... information security systems implicated in this breach. 4. Please detail whether Target was previously aware of any potential vulnerabilities to... systems implicated in this breach. 20

22 CYBER THREAT LANDSCAPE Lessons Learned from the Target Breach 21

23 CYBER THREAT LANDSCAPE Lessons Learned from the Target Breach Target Breach: Tallying the Fallout Transaction at Target fell 3-4% compared to previous year while other retailers report strong results 46% drop in profits in Q4 2013, Target lays off 475 Target CIO resigns Target CEO resigns 100+ lawsuits Direct costs relating to breach response and remediation (including legal fees) estimated to be as high as $1B Insurance coverage only $100M 22

24 Cyber security and digitized information threats overview CYBER RISK MITIGATION STRATEGIES 23

25 Not just an IT problem 24

26 Drivers of Business Risks Risk is a function of the likelihood of a given threat-source s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. NIST Special Publication Risk Threat Vulnerabilities Impact

27 Spending is driven by a historical IT-Centric focus versus a holistic business-centric approach to enterprise cyber risk management. Risk Threat Vulnerabilities Impact Traditionally the security investment in technology and services has focused on controlling and reacting to vulnerabilities. We estimate that >75% of historical IT security spend is here. 26

28 Engaging parties beyond IT 27

29 Focusing on Business Risks Key legal and business stakeholders should help IT address simple but critical questions. 28

30 Convergence of Cyber Security and Legal Functions Potential Breach = Potential Legal Liability/Regulatory Inquiry 29

31 Convergence of Cyber Security and Legal Functions Cyber due diligence M&A transactions and vendor screening 30

32 Effective Collaboration between legal and IT Tips for fostering effective communication between legal and IT functions 31

33 Effective Collaboration between legal and IT The privilege question in both incident response and risk assessment contexts 32

34 Effective Collaboration between legal and IT Involving legal in making traditional IT decisions that impact risk 33

35 Cloud Computing and IT Outsourcing Questions and Concerns 34

36 Conclusions and Q&A 35

37 BIOGRAPHY R. Jason Straight Senior Vice President, Chief Privacy Officer Jason has more than a decade of experience assisting clients in managing information security risks, data breach incidents, data privacy obligations and complex electronic discovery challenges. Prior to joining UnitedLex, Jason held numerous leadership positions at a leading global investigations and cyber security company, most recently as a managing director in the cyber investigations practice. Jason began his career as an attorney at Fried, Frank, Harris, Shriver & Jacobsen in New York. As a recognized domain expert and Certified Information Privacy Professional (CIPP), Jason is a frequent speaker and author on topics relating to data privacy, cyber security, data breach response and computer forensics. 36