The Shared Assessments Program - All Rights Reserved
The Significance of Information Security and Privacy Controls on Law Firms as Third Party Service Providers and Collaborative Opportunities for Resolution

April 2015
Abstract

As regulators increase pressure on financial institutions to ensure their third party risk management programs meet new regulations and guidelines, including those for cybersecurity, many banks are more closely scrutinizing third party provider handling of sensitive information to ensure objective and compliant oversight of their vendors.[1] Additional pressure is being placed globally on third party controls as criminals increasingly use malicious intrusions and cyber attacks to target third party service providers as a means of accessing confidential client data.[2]

Law firms now find themselves in an environment of increasing scrutiny, with demands from a regulatory viewpoint that law firms provide the same security controls as any other service provider that has access to confidential information or systems. The traditional framework, in which law firms have been treated as trusted third party providers that intrinsically employ attorney-client privilege to prevent disclosure of confidential information, was developed when protecting privileged information went no further than being discreet in conversations and scrupulously maintaining paper files. Today, protecting confidential client information means developing and maintaining robust IT and cybersecurity controls to prevent unintentional or unauthorized access to data, metadata, and document records.

This paper focuses on: (1) the issues law firms are facing as they adapt to providing a secure IT environment that meets increasingly stringent third party risk assessment requirements; and (2) solution building efforts to establish robust industry-wide program recommendations regarding management of IT security, data, resiliency, and privacy risk.

Issue Landscape

The recent scrutiny of the risks associated with the information and communications technology supply chain was initiated by federal regulators during the mortgage crisis in 2008, with state agencies quickly in tow. This increased level of inspection is evident in the repeated statements since that time by the Office of the Comptroller of the Currency, the Federal Financial Institutions Examination Council Chair, and the Federal Reserve System Board of Governors declaring the importance of addressing information outsourcing security risks because of the threat they pose to the health of the overall financial system, as well as to national security. Additionally, Securities and Exchange Commission 2014 roundtable discussions and Federal Trade Commission and Department of Justice policy statements have all focused on cyber threat assessments internally, as well as those in vendor relationships.[3]

New York State's Department of Financial Services (DFS) exemplifies the expansion of this effort, in answer both to regulatory requirements and to ongoing increases in ever more refined cyber attacks. Beginning in 2014, DFS undertook two surveys of a total of 190 financial institutions' due diligence processes, including the institutions' policies and procedures governing third party relationships and the steps taken to adhere to third party stakeholder concerns as issued in the National Institute of Standards and Technology (NIST) 2014 Framework for Improving Critical Infrastructure Cybersecurity. The DFS May 2015 report states that law firms are sometimes excluded from being considered high-risk third party vendors, as demonstrated by some banking organizations having exemptions from their customary due diligence for individual consultants and professional service providers (e.g., legal counsel).[4] Concerns focus on law firms particularly due to the large volume of and recurring access to sensitive data these firms are afforded, making them a unique and under-controlled critical access point for malware incursions into the financial institutions that engage them.[5]

Financial institution arrangements with law firms offer ongoing opportunities to access institutional and industry-wide information assets, which include: market-moving merger and acquisition details; confidential, intellectual property, and sensitive data (CIPS), such as valuable trade secrets and processes; and sensitive customer information and metadata, such as personally identifiable information (PII), credit card data, and protected health information (PHI). This issue extends to the growing concern regarding the security of the physical and virtual locations of data, including information stored on mobile devices and in the Cloud.

Notes

[1] Smith, J. & Glazer, E. Banks Demand That Law Firms Harden Cyberattack Defenses: Background Checks, System Audits Are Used to Close Potential Back-Door Breaches. October 26, Wall Street Journal; New York and Federal Regulators Increasingly Focus Attention on Cybersecurity in the Financial Sector. Gibson Dunn Publications. October 27, Gibson, Dunn & Crutcher LLP.
[2] Keller, B. Why Law Firms Should be Concerned About Third Party Risk. Prevalent, Inc.
[3] National Exam Program Risk Alert. Securities & Exchange Commission Office of Compliance Inspections & Exams Cybersecurity Initiative. April 15, 2014; DOJ Issue Antitrust Policy Statement on Sharing Cybersecurity Information. Federal Trade Commission Press Release. April 10, 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April.
[4] Report on Cyber Security in the Banking Sector. New York State Department of Financial Services. May 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April.
[5] Smith, J. & Glazer, E. Banks Demand That Law Firms Harden Cyberattack Defenses: Background Checks, System Audits Are Used to Close Potential Back-Door Breaches. October 26, Wall Street Journal.
Outsourcing institutions are just beginning to demand that their vendors carry the same level of risk management as their own institutional programs require. In the DFS reports, fewer than half the banks reported requiring onsite assessment of their third party vendors. Just 36% require their information security requirements to be extended to their vendors. And 30% of those banks surveyed do not require their third party vendors to notify them of a breach or other cybersecurity incident.[6] This indicates that the current policies and procedures of outsourcing institutions do not yet adequately emphasize appropriate data privacy and security requirements (DPSR) and the necessary specifics regarding third party IT data security programs, information systems policy, and internal/external breach notifications. Developing more appropriate policies is especially critical in the wake of source breaches, distributed denial of service (DDoS) attacks, and third party bots, which are becoming increasingly prevalent. Therefore, law firms will be required in the very near future to use current bank practices as the norm for their security protections, as banks increase their scrutiny of outsourced service providers to better align with risks and regulatory expectations.

Issue Size and Scope

Risks are significant within the legal provider landscape, where unauthorized access to client data has serious consequences. Firms are coming to the realization that their vulnerability to hackers is of concern in their relationships with outsourcing institutions.[7] At least 80 of the 100 biggest firms (by revenue) in the US have been hacked since 2011, including a firm targeted by hackers in connection with a trade dispute with China.[8]

Issues of regulatory compliance and data security become a significant area of concern in law firm settings where breakdowns, or even a lack of controls, are reported throughout the data path, especially in smaller and midsize law firms, where staff routinely share login accounts, passwords, and physical access to filing cabinets.[9] Oftentimes these third party firms also have cybersecurity gaps that arise from varying levels of IT capability and maturity, rotation of personnel through client support roles, and outsourced ediscovery functions and shared or managed IT services. These arrangements present unique challenges that can lead to serious security and privacy concerns, many times leaving the law firms susceptible to the risk of unauthorized access.

The scale of the issue is demonstrated in American Bar Association (ABA) reports that show 14% of firms surveyed experienced a security breach. While confidentiality, data control and ownership, ethics, and vendor reputation all rank high among the concerns of lawyers polled, 22% of firms take no precautionary measures at all, a figure that has been trending upward since. The ABA studies further report surprise and significant concern over the lack of due diligence in the legal profession surrounding the use of technology and consumer Cloud services. Ninety-four percent of firms' laptop users and 90% of smartphone users apply only the bare minimum in security. Stronger security, such as drive encryption and asset tagging and management in the event of loss or theft, is used just 15% of the time. Less than 60% of firms polled have controls on document/records management, and less than half have policies on acceptable computer use, retention, or Internet use. No breach trends were reported by firm size, indicating vulnerability across the board for firms. However, larger firms are considered an even greater risk for compromise due to the exposure of data and records to more employees, metadata, and technology.[10]

In practice, regulatory compliance was shown to be ranked lowest of the factors driving information security spending among law firms.[11] Protection of confidentiality appears to take precedence over the other aspects of data security, such as integrity and availability of data.[12] As a result, in the current environment the following can take place:

- Unauthorized access to or even removal of sensitive and personally identifiable information by trusted or contracted staff, including maintenance and custodial personnel.
- Loss of intellectual property through loss of a laptop, USB drive, or other mobile device.
- Data leakage via insecure systems or through mobile systems that don't containerize or segregate work from personal systems.
- Call data breach through movement of call centers to a less expensive but less secure venue.
- Compromise of in-house or fourth party document, data, and metadata repositories that are accessed and managed as part of outsourced IT and/or ediscovery processes.

Notes

[6] Report on Cyber Security in the Banking Sector. New York State Department of Financial Services. May 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April.
[7] Conte, A. Unprepared Law Firms Vulnerable to Hackers. September 13, Trib Total Media.
[8] Hansen, S. Cyber Attacks Upend Attorney-Client Privilege: Security experts say law firms are perfect targets for hackers. March 19, Bloomberg Business.
[9] ABA 2014 Tech Report. American Bar Association Legal Technology Resource Center.
[10] Legal Technology Survey Report. Six Volumes. American Bar Association Legal Technology Resource Center.
[11] Report on Cyber Security in the Banking Sector. New York State Department of Financial Services. May 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April.
[12] ABA Legal Technology Resource Center website.
In recognition of the scope of this problem, DFS is undertaking a third survey to evaluate the cybersecurity of third party vendors. Further, in light of its findings, DFS anticipates strengthening regulations regarding cybersecurity for outsourced vendors serving financial institutions as part of its effort to reduce the risk of backdoor hacker access to bank client data. In this climate, it is increasingly evident that, for banks to effectively address both regulatory issues and the issue of criminals targeting third party law firm service providers as a means of accessing confidential financial industry data, banks industry-wide will increasingly require their law firms to have robust security controls similar to those the financial institutions themselves are held to for security and compliance. From a privacy perspective, vendors will be held to the provisions contained in Massachusetts 201 CMR, one of the most stringent privacy laws in the nation.

Recommendations: Identifying & Addressing Gaps

To meet the emerging challenges surrounding due diligence, firms can begin to advance their understanding and build best practices for their own risk management programs. This is in keeping with the ABA's Model Rules, as well as contract and regulatory obligations for protecting client data.[13] It has already become more prevalent in the financial industry that any vendor not meeting an outsourcing organization's minimum requirements will no longer be engaged for services. Therefore, it is essential to begin constructing a culture of accountability that includes trust building and onsite verification of documented controls that address the concerns of protection of confidentiality, integrity, and availability of data, and industry regulatory compliance requirements.

Shared Assessments recommends working collaboratively to convene stakeholders in roundtable discussions that evaluate security postures among industry members and law firm vendors. An examination of the risks associated with the information and communications technology supply chain would include both internal and external vulnerabilities, such as information systems policies and procedures and malicious threats, and the implications of each in terms of impact from compromised data. This would supplement the valuable information garnered so far regarding threats, exposure, and the cost of improvements in cybersecurity programs and breaches in the third party legal provider environment. Once these stakeholders have identified common issues and concerns as part of the solution building process and gained an understanding that risk management is not a competitive issue, these organizations could work together to develop best practices and processes and implement them on a broad basis. This type of solution building can include the type of peer-driven information sharing organizations that have helped the banking industry to improve IT data, security, privacy, and resiliency oversight, or side-by-side work with financial institutions in cross-industry associations to develop best practices, tools, and processes. These strategies are currently lacking in the legal profession, which would benefit through increased awareness of newly identified threats. Specifics to which legal service provider risk management controls can respond include risk for detection, prevention, and mitigation resource levels that fully address any problems identified and the repercussions in case of breach.[14]

As a form of guidance to begin discussions, the following areas have been identified:

- Documented reasonable and appropriate administrative and physical safeguards regarding classification and management of data, metadata, and records transfer, archiving, alteration, destruction, automated access testing, and monitoring, diagnosis, and verification.
- Evidence of an established risk management program.
- Clear rules for information sharing.
- Specifications regarding exactly where business that touches sensitive data takes place, including where data (including Cloud data) is hosted.
- Lifecycle management regarding capacity to track data throughout its flight, with restriction on use of portable devices/media.
- Protection (e.g., strong encryption) for stored data at rest, particularly on portable drives.
- Cyber risk insurance coverage at the vendor level.
- Criminal, professional, and academic background checks on anyone with authorized or potential access to data.
- Prior request for intent to move data to new sub-vendors (fourth parties), or specification that no movement is allowed.
- Notification of any breach in a timely manner (within a specified time frame).
- Information security training, education, and awareness programs for vendor staff.
- Vendor staff and contractors covered under non-disclosure and confidentiality agreements.
- Requirements at agreement termination for return of assets or documented purge/delete/destroy.
- Requirements for limiting access to institution-related data and case files to only those who need to access the data to perform their job duties (e.g., the principle of least privilege), including those conducting compliance audits.

Additionally, law firms should understand that they shoulder the responsibility for vetting the IT security, data, and privacy risks associated with their vendors and any fourth party coming in contact with the firm's data.

Notes

[13] ABA ethics Model Rules 1.1 and 1.6 mandate that attorneys take competent and reasonable measures to safeguard information relating to clients.
[14] Service Providers: Consumer Financial Protection Bureau Bulletin. Consumer Financial Protection Bureau. April 13,

Return on Investment

By using a security framework that identifies specific areas for governance process maturity improvements, both law firms and outsourcing institutions can make well-informed, cost-effective decisions and more effectively manage vendor-related risks. Law firms of all sizes are just beginning to recognize the benefits of responding to client demands for security and are doing so, in part, by obtaining onsite audits and penetration testing. While building staff competence and data hosting components is labor and infrastructure intensive, such investment is required for any firm wishing to remain in service to the financial services industry. If robust information security and privacy controls are not already in house, the initial price tag is high for mid-size and smaller firms. Collaboration among industry leaders to establish best practice controls and make recommendations, where applicable, regarding facilities management, basic monitoring, physical and abstract infrastructure security, and enterprise integration is expected to create efficiencies and cost savings for law firms that will help offset development costs within a given firm. Some law firms already enlist outside auditors and face examination by client compliance and audit staff.
With investments in technology, updates to key infrastructure components, and software upgrades, coupled with professional development awareness and process training for staff, firms can further minimize risk and improve the reputation of law firms throughout the industry as they set the new standard for appropriate and effective controls. The addition of improved detection, prevention, and mitigation resources will make cybersecurity insurance more cost effective. Firms that cannot or will not meet industry-developed recommendations must closely consider the possible ramifications. With the average cost of a data breach reaching $3.5 million per incident, there is no sound reason for law firms not to implement and operate security controls over the access and handling of data.[15] A firm needs to be able to demonstrate compliance with regulatory and contractual obligations, making the ability to document thoroughly and report on processes paramount. An independent assessment report that holistically reviews a firm's security and privacy posture within a more robust framework will be a valuable tool in negotiations for law firms wishing to engage with banking and other regulated sectors.

Conclusion

As law firms have become increasingly tempting targets for hacking and similar data theft, and regulatory concerns are driving banks specifically to revise their due diligence and monitoring of third party law firm providers, it is essential that sound controls be developed and documented, along with provisions for recourse. Working collaboratively to create efficiencies would help build an industry-driven set of controls, procedures, and processes that address all aspects of the emerging regulations and cybersecurity threats, to build effective assessment regimes covering such elements as task workflow, security awareness training, onsite assessments of controls and system audits, and authentication and access controls. Once established, this information would help construct a replicable process for evaluating client-vendor relationships that employs governance modeling in a framework containing all the elements critical to a successful program. A high-level incentive and return on investment for undertaking such security and privacy control improvements lies in the knowledge that firms which adhere to generally accepted security best practices will be those engaged or re-engaged by financial institutions, which must adhere to marketplace demands for appropriate and effective controls.

About the Shared Assessments Program

The Shared Assessments Program is the trusted source for third party risk management, with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico. On the web at sharedassessments.org.

Notes

[15] Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis. Ponemon Institute. May 5,
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationHow-To Guide: Cyber Security. Content Provided by
How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses
More informationNew York State Department of Financial Services. Update on Cyber Security in the Banking Sector: Third Party Service Providers
New York State Department of Financial Services Update on Cyber Security in the Banking Sector: Third Party Service Providers April 2015 Update on Cyber Security in Banking Sector: Third-Party Service
More informationTHE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS
THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.
More informationWhite Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management
White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.
More informationManaging cyber risks with insurance
www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationAnatomy of a Healthcare Data Breach
BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Anatomy of a Healthcare Data Breach Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared
More informationBest practices and insight to protect your firm today against tomorrow s cybersecurity breach
Best practices and insight to protect your firm today against tomorrow s cybersecurity breach July 8, 2015 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently
More informationWho s next after TalkTalk?
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
More informationCybersecurity Risks, Regulation, Remorse, and Ruin
Financial Planning Association of Michigan 2014 Fall Symposium Cybersecurity Risks, Regulation, Remorse, and Ruin Shane B. Hansen shansen@wnj.com (616) 752-2145 October 23, 2014 Copyright 2014 Warner Norcross
More informationReducing Cyber Risk in Your Organization
Reducing Cyber Risk in Your Organization White Paper 2016 The First Step to Reducing Cyber Risk Understanding Your Cyber Assets With nearly 80,000 cyber security incidents worldwide in 2014 and more than
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationInsulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact. February 10, 2015
Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact February 10, 2015 Overview 1 The Legal Risks And Issues/The Role Of Legal Counsel: The Breach Coach The Slippery
More informationHIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
More informationDUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)
DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two) By Amy Terry Sheehan Vendors and other third parties are vital to
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationTHE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS
THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Managing risk associated with third-party outsourcing
More informationNine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity
Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers
More informationInformation Technology
Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationInformation Security Addressing Your Advanced Threats
Information Security Addressing Your Advanced Threats Where We are Going Information Security Landscape The Threats You Face How To Protect Yourself This Will Not Be Boring What Is Information Security?
More informationCyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?
Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks? August 27, 2014 Presented by: Terry Ammons, Partner, Porter Keadle Moore Tim Davis, Senior,
More informationPrivacy Rights Clearing House
10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights
More informationCyberprivacy and Cybersecurity for Health Data
Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationCompromises in Healthcare Privacy due to Data Breaches
Compromises in Healthcare Privacy due to Data Breaches S. Srinivasan, PhD Distinguished Professor of Information Systems Jesse H. Jones School of Business Texas Southern University, Houston, Texas, USA
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationEnsuring Cloud Security Using Cloud Control Matrix
International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 9 (2013), pp. 933-938 International Research Publications House http://www. irphouse.com /ijict.htm Ensuring
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report
More informationCYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES. second edition
CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES second edition The information provided in this document is presented as a courtesy to be used for informational purposes only.
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationSECURITY CONSIDERATIONS FOR LAW FIRMS
SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,
More informationGuide for the Role and Responsibilities of an Information Security Officer Within State Government
Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities
More informationBest Practices in Incident Response. SF ISACA April 1 st 2009. Kieran Norton, Senior Manager Deloitte & Touch LLP
Best Practices in Incident Response SF ISACA April 1 st 2009 Kieran Norton, Senior Manager Deloitte & Touch LLP Current Landscape What Large scale breaches and losses involving credit card data and PII
More information10 Smart Ideas for. Keeping Data Safe. From Hackers
0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000
More informationXerox Litigation Services. In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk
Xerox Litigation Services In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk Your Highest Priority is also Your Greatest Challenge Data breaches are not just
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationData Breaches and Trade Secrets: What to Do When Your Client Gets Hacked
Data Breaches and Trade Secrets: What to Do When Your Client Gets Hacked R. Mark Halligan, FisherBroyles, LLP Andreas Kaltsounis, Stroz Friedberg Amy L. Carlson, Stoel Rives LLP Moderated by David A. Bateman,
More informationCyber Security Management
Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report
More informationDodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare
Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Strengthening Cybersecurity Defenders #ISC2Congress Healthcare and Security "Information Security is simply a personal
More informationCybersecurity for Meaningful Use. 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013
Cybersecurity for Meaningful Use 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013 Healthcare Sector Vulnerable to Hackers By Robert O Harrow Jr.,
More information2H 2015 SHADOW DATA REPORT
2H 20 SHADOW DATA REPORT Shadow Data Defined: All potentially risky data exposures lurking in cloud apps, due to lack of knowledge of the type of data being uploaded and how it is being shared. Shadow
More informationThe HIPAA Omnibus Final Rule
WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia
More informationDelaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP
Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats
More informationBlind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.
Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. For anyone familiar with the banking industry, it comes as no surprise that banks are
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationJOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015
JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement
More informationBEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security
BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 w w w.r e d s p in.c o m Introduction This paper discusses the relevance and usefulness of security penetration
More information93% of large organisations and 76% of small businesses
innersecurity INFORMATION SECURITY Information Security Services 93% of large organisations and 76% of small businesses suffered security breaches in the last year. * Cyber attackers were the main cause.
More informationSINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry
SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry DATA BREACH A FICTIONAL CASE STUDY THE FIRST SIGNS OF TROUBLE Friday, 5.20 pm :
More informationCybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response
Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary
More informationCLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM
CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More information