www.sharedassessments.org 2015 The Shared Assessments Program - All Rights Reserved

The Significance of Information Security and Privacy Controls on Law Firms as Third Party Service Providers and Collaborative Opportunities for Resolution

April 2015

Abstract

As regulators increase pressure on financial institutions to ensure their third party risk management programs meet new regulations and guidelines, including those for cybersecurity, many banks are more closely scrutinizing third party provider handling of sensitive information to ensure objective and compliant oversight of their vendors.[1] Additional pressure is being placed globally on third party controls as criminals increasingly use malicious intrusions and cyber attacks to target third party service providers as a means of accessing confidential client data.[2] Law firms now find themselves in an environment of increasing scrutiny, with regulatory demands that they provide the same security controls as any other service provider that has access to confidential information or systems.

The traditional framework, in which law firms have been treated as trusted third party providers that intrinsically employ attorney-client privilege to prevent disclosure of confidential information, was developed when protecting privileged information went no further than being discreet in conversations and scrupulously maintaining paper files. Today, protecting confidential client information means developing and maintaining robust IT and cybersecurity controls to prevent unintentional or unauthorized access to data, metadata, and document records.

This paper focuses on: (1) the issues law firms are facing as they adapt to providing a secure IT environment that meets increasingly stringent third party risk assessment requirements; and (2) solution building efforts to establish robust industry-wide program recommendations regarding management of IT security, data, resiliency, and privacy risk.

Issue Landscape

The recent scrutiny of the risks associated with the information and communications technology supply chain was initiated by federal regulators during the mortgage crisis in 2008, with state agencies quickly in tow. This increased level of inspection is evident in the repeated statements since that time by the Office of the Comptroller of the Currency, Federal Financial Institutions Examination Council Chair and Federal Reserve System Board of Governors declaring the importance of addressing information outsourcing security risks because of the threat they pose to the health of the overall financial system, as well as to national security. Additionally, Securities and Exchange Commission 2014 roundtable discussions and Federal Trade Commission and Department of Justice policy statements have all focused on cyber threat assessments internally, as well as those in vendor relationships.[3]

New York State's Department of Financial Services (DFS) exemplifies the expansion of this effort in answer both to regulatory requirements and ongoing increases in ever more refined cyber attacks. Beginning in 2014, DFS undertook two surveys of a total of 190 financial institutions' due diligence processes, including the institutions' policies and procedures governing third party relationships and the steps taken to adhere to third party stakeholder concerns as issued in the National Institute of Standards and Technology (NIST) 2014 Framework for Improving Critical Infrastructure Cybersecurity. The DFS May 2015 report states that law firms are sometimes excluded from being considered high-risk third party vendors, as demonstrated through some banking organizations having exemptions from their customary due diligence for individual consultants and professional service providers (e.g., legal counsel).[4] Concerns focus on law firms particularly due to the large volume of, and recurring access to, sensitive data these firms are afforded, making them a unique and under-controlled critical access point for malware incursions for the financial institutions that engage them.[5]

Financial institution arrangements with law firms offer ongoing opportunities to access institutional and industry-wide information assets which include: market-moving merger and acquisition details; confidential, intellectual property and sensitive data (CIPS), such as valuable trade secrets and processes; and sensitive customer information and metadata, such as personally identifiable information (PII), credit card data, and protected health information (PHI). This issue extends to the growing concern regarding security of the physical and virtual locations of data, including information stored on mobile devices and the Cloud.

[1] Smith, J. & Glazer, E. Banks Demand That Law Firms Harden Cyberattack Defenses: Background Checks, System Audits Are Used to Close Potential Back-Door Breaches. October 26, Wall Street Journal; New York and Federal Regulators Increasingly Focus Attention on Cybersecurity in the Financial Sector. Gibson Dunn Publications. October 27, Gibson, Dunn & Crutcher LLP.
[2] Keller, B. Why Law Firms Should be Concerned About Third Party Risk. Prevalent, Inc National Exam Program Risk Alert. Security & Exchange Commission Office of Compliance Inspections & Exams Cybersecurity Initiative. April 15, 2014; DOJ Issue Antitrust Policy Statement on Sharing Cybersecurity Information. Federal Trade Commission Press Release. April 10, 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April Report on Cyber Security in the Banking Sector. New York State Department of Financial Services. May 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April Smith, J. & Glazer, E. Banks Demand That Law Firms Harden Cyberattack Defenses: Background Checks, System Audits Are Used to Close Potential Back-Door Breaches. October 26, Wall Street Journal.

Outsourcing institutions are just beginning to demand that their vendors carry the same level of risk management as their own institutional programs require. In the DFS reports, fewer than half the banks reported requiring onsite assessment for their third party vendors. Just 36% require information security requirements to be extended to their vendors. And 30% of those banks surveyed do not require their third party vendors to notify them of a breach or other cybersecurity incident.[6] This indicates that current policies and procedures of outsourcing institutions do not yet adequately emphasize appropriate data privacy and security requirements (DPSR) and the necessary specifics regarding third party IT data security programs and information systems policy and internal/external breach notifications. Developing more appropriate policies is especially critical in the wake of source breaches, distributed denial of service (DDoS) attacks, and third party bots, which are becoming increasingly prevalent. Therefore, law firms will be required in the very near future to use current bank practices as the norm for their security protections as banks increase their scrutiny of outsourced service providers to better align with risks and regulatory expectations.

Issue Size and Scope

Risks are significant within the legal provider landscape, where unauthorized access to client data has serious consequences. Firms are coming to the realization that their vulnerability to hackers is of concern in their relationships with outsourcing institutions.[7] At least 80 of the 100 biggest firms (by revenue) in the US have been hacked since 2011, including a firm targeted by hackers in connection with a trade dispute with China.[8]

Issues of regulatory compliance and data security become a significant area of concern in law firm settings where breakdowns or even a lack of controls are reported throughout the data path, especially in smaller and midsize law firms, where staff routinely share login accounts, passwords, and physical access to filing cabinets.[9] Oftentimes, these third party firms also have cybersecurity gaps that arise from varying levels of IT capability and maturity, personnel client support role rotation, and outsourced eDiscovery functions and shared or managed IT services. These arrangements present unique challenges that can lead to serious security and privacy concerns, many times leaving the law firms susceptible to risk of unauthorized access.

The scale of the issue is demonstrated in American Bar Association reports that show 14% of firms surveyed experienced a security breach. While confidentiality, data control and ownership, ethics and vendor reputation all rank high among the concerns of lawyers polled, 22% of firms take no precautionary measures at all, trending upward since The ABA studies further report surprise and significant concern over the lack of due diligence in the legal profession surrounding the use of technology and consumer Cloud services. Ninety-four percent of firms' laptop users and 90% of smartphone users apply only the bare minimum in security. Stronger security measures, such as drive encryption and asset tagging and management in the event of loss or theft, are used just 15% of the time. Less than 60% of firms polled have controls on document/records management and less than half have policies on acceptable computer use, retention, or Internet use. No breach trends were reported by firm size, indicating the vulnerability across the board for firms. However, larger firms are considered an even greater risk for compromise due to the exposure of data and records to more employees, metadata, and technology.[10]

In practice, regulatory compliance was shown to be ranked lowest of the factors driving information security spending among law firms.[11] Protection of confidentiality appears to take precedence over the other aspects of data security, such as integrity and availability of data.[12] As a result, in the current environment the following can take place:

- Unauthorized access to or even removal of sensitive and personally identifiable information by trusted or contracted staff, including maintenance and custodial personnel.
- Loss of intellectual property through loss of a laptop, USB drive, or other mobile device.
- Data leakage via insecure systems or through mobile systems that don't containerize or segregate work from personal systems.
- Call data breach through movement of call centers to a less expensive but less secure venue.
- Compromise of in-house or fourth party document, data, and metadata repositories that are accessed and managed as part of outsourced IT and/or eDiscovery processes.

[6] Report on Cyber Security in the Banking Sector. New York State Department of Financial Services. May 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April Conte, A. Unprepared Law Firms Vulnerable to Hackers. September 13, Trib Total Media.
[8] Hansen, S. Cyber Attacks Upend Attorney-Client Privilege: Security experts say law firms are perfect targets for hackers. March 19, Bloomberg Business.
[9] ABA 2014 Tech Report. American Bar Association Legal Technology Resource Center Legal Technology Survey Report. Six Volumes. American Bar Association Legal Technology Resource Center Report on Cyber Security in the Banking Sector. New York State Department of Financial Services. May 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April ABA Legal Technology Resource Center website

In recognition of the scope of this problem, DFS is undertaking a third survey to evaluate the cybersecurity of third party vendors. Further, in light of its findings, DFS anticipates strengthening regulations regarding cybersecurity for outsourced vendors serving financial institutions as part of their effort to reduce the risk of backdoor hacker access to bank client data. In this climate, it is increasingly evident that, for banks to effectively address both regulatory issues and the issue of criminals targeting third party law firm service providers as a means of accessing confidential financial industry data, banks industry-wide will increasingly require their law firms to have robust security controls similar to what the financial institutions are being held to for security and compliance. From a privacy perspective, vendors will be held to the provisions contained in Massachusetts 201 CMR one of the most stringent privacy laws in the nation.

Recommendations: Identifying & Addressing Gaps

To meet the emerging challenges surrounding due diligence, firms can begin to advance their understanding and build best practices for their own risk management programs. This is in keeping with the ABA's Model Rules, as well as contract and regulatory obligations for protecting client data.[13] It has already become more prevalent in the financial industry that any vendor not meeting an outsourcing organization's minimum requirements will no longer be engaged for services. Therefore, it is essential to begin constructing a culture of accountability that includes trust building and onsite verification of documented controls that address the concerns of protection of confidentiality, integrity, availability of data, and industry regulatory compliance requirements.

Shared Assessments recommends working collaboratively to convene stakeholders in roundtable discussions that evaluate security postures among industry members and law firm vendors. An examination of the risks associated with the information and communications technology supply chain would include both internal and external vulnerabilities, such as information systems policies and procedures and malicious threats, and the implications of each in terms of impact from compromised data. This would supplement the valuable information garnered so far regarding threats, exposure, and cost of improvements in cybersecurity programs and breaches in the third party legal provider environment.

Once these stakeholders have identified common issues and concerns as part of the solution building process and gained an understanding that risk management is not a competitive issue, these organizations could work together to develop best practices and processes and implement these on a broad basis. This type of solution building can include the type of peer-driven information sharing organizations that have helped the banking industry to improve IT data, security, privacy and resiliency oversight, or side-by-side work with financial institutions in cross industry associations to develop best practices, tools, and processes. These strategies are currently lacking in the legal profession, which would benefit through increased awareness of newly identified threats.

Specifics to which legal service provider risk management controls can respond include risk for detection, prevention, and mitigation resource levels that address fully any problems identified and the repercussions in case of breach.[14] As a form of guidance to begin discussions, the following areas have been identified:

- Documented reasonable and appropriate administrative and physical safeguards regarding classification and management of data, metadata, and records transfer, archiving, alteration, destruction, automated access testing, and monitoring diagnosis and verification.
- Evidence of an established risk management program.
- Clear rules for information sharing.
- Specifications regarding exactly where business that touches sensitive data takes place, including where data (including Cloud data) is hosted.
- Lifecycle management regarding capacity to track data throughout its flight, with restriction on use of portable devices/media.
- Protection (e.g., strong encryption) for stored data at rest, particularly on portable drives.
- Cyber risk insurance coverage at the vendor level.
- Criminal, professional, and academic background checks on anyone with authorized or potential access to data.
- Prior request for intent to move data to new sub-vendors (fourth parties) or specification of no movement allowed.
- Notification on any breach in a timely manner (within a specified time frame).
- Information security training, education, and awareness programs for vendor staff.
- Vendor staff and contractors covered under non-disclosure and confidentiality agreements.
- Requirements at agreement termination for return of assets or documented purge/delete/destroy.
- Requirements for limiting access to institution related data and case files to only those who need to access the data to perform their job duties (e.g., principle of least privilege), including those conducting compliance audits.

Additionally, law firms should understand that they shoulder the responsibility for vetting the IT security, data, and privacy risks associated with their vendors and any fourth party coming in contact with the firm's data.

Return on Investment

By using a security framework that identifies specific areas for governance process maturity improvements, both law firms and outsourcing institutions can make well-informed, cost-effective decisions and more effectively manage vendor-related risks. Law firms of all sizes are just beginning to recognize the benefits of responding to client demands for security and are doing so, in part, by obtaining onsite audit and penetration testing. While building staff competence and data hosting components is labor and infrastructure intensive, such investment is required for any firm wishing to remain in service to the financial services industry.

If robust information security and privacy controls are not already in house, the initial price tag is high for mid-size and smaller firms. Collaboration among industry leaders to establish best practices controls and make recommendations, where applicable, regarding facilities management, basic monitoring, physical and abstract infrastructure security and enterprise integration is expected to create efficiencies and cost savings for law firms that will help offset development costs within a given firm. Some law firms already enlist outside auditors and face examination by client compliance and audit staff. With investments in technology, updates to key infrastructure components, and software upgrades that are coupled with professional development awareness and process training for staff, firms can further minimize risk and improve the reputation of law firms throughout the industry as they set the new standard for appropriate and effective controls. The addition of improved detection, prevention, and mitigation resources will make cybersecurity insurance more cost effective.

Firms that cannot or will not meet industry-developed recommendations must closely consider the possible ramifications. With the average cost of data breach reaching $3.5 million per incident, there is no sound reason for law firms not to implement and operate security controls over the access and handling of data.[15] A firm needs to be able to demonstrate compliance with regulatory and contractual obligations, making the ability to document thoroughly and report on processes paramount. An independent assessment report that holistically reviews a firm's security and privacy posture within a more robust framework will be a valuable tool for negotiations for law firms wishing to engage with banking and other regulated sectors.

Conclusion

As law firms have become increasingly tempting targets for hacking and similar data theft, and regulatory concerns are driving banks specifically to revise their due diligence and monitoring of third party law firm providers, it is essential that sound controls be developed and documented along with provisions for recourse. Working collaboratively to create efficiencies would help build an industry-driven set of controls, procedures, and processes that address all aspects of the emerging regulations and cybersecurity threats to build effective assessment regimes, such as task workflow, security awareness training, onsite assessments of controls and system audits, and authentication and access controls. Once established, this information would help construct a replicable process for evaluating the client-vendor relationship that employs governance modeling in a framework that contains all the elements critical to a successful program. A high level incentive and return on investment to undertake such security and privacy control improvements lies in the knowledge that firms which adhere to generally accepted security best practices will be those engaged or re-engaged by financial institutions which must adhere to the marketplace demands for appropriate and effective controls.

About the Shared Assessments Program

The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico. On the web at sharedassessments.org.

[13] ABA ethics Model Rules 1.1 and 1.6 mandate that attorneys take competent and reasonable measures to safeguard information relating to clients.
[14] Service Providers: Consumer Financial Protection Bureau Bulletin Consumer Financial Protection Bureau. April 13,
[15] Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis. Ponemon Institute. May 5,

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

Security Overview. BlackBerry Corporate Infrastructure

Security Overview. BlackBerry Corporate Infrastructure Security Overview BlackBerry Corporate Infrastructure Published: 2015-04-23 SWD-20150423095908892 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations...8 Corporate Security

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

SEC Cybersecurity Findings May Establish De Facto Standard

SEC Cybersecurity Findings May Establish De Facto Standard Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com SEC Cybersecurity Findings May Establish De Facto

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Cyber Risks in the Boardroom

Cyber Risks in the Boardroom Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing

More information

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector New York State Department of Financial Services Report on Cyber Security in the Insurance Sector February 2015 Report on Cyber Security in the Insurance Sector I. Introduction Cyber attacks against financial

More information

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Over the course of this one hour presentation, panelists will cover the following subject areas, providing answers

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION

More information

Data Breach and Senior Living Communities May 29, 2015

Data Breach and Senior Living Communities May 29, 2015 Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

More information

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.) Organizational risks 1 Lock-in Risk of not being able to migrate easily from one provider to another 2 Loss of Governance Control and influence on the cloud providers, and conflicts between customer hardening

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of

More information

THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS

THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS David Glockner, Managing Director strozfriedberg.com Overview The big picture: what does cybercrime look like today and how is it evolving? What

More information

Data Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com

Data Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com Data Security 101 A Lawyer s Guide to Ethical Issues in the Digital Age Christopher M. Brubaker cbrubaker@clarkhill.com November 4-5, 2015 Pennsylvania Bar Institute 21 st Annual Business Lawyers Institute

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

Managing data security and privacy risk of third-party vendors
