Regulatory and Market Imperatives Place Cyber Security High on Carrier Agendas

Written by Scott Corzine // Managing Director, Risk Practice, FTI Consulting, Inc.

Insurance carriers, with their large repositories of high-value personally identifiable information (PII), are increasingly threatened by cyber-attacks from bad actors globally. Such attacks could have an immense impact, affecting not only the carriers but also their insureds, and even rippling through customer supply chains. The potential damage from such threats is underscored by the impact of recent attacks on large companies in numerous sectors, including retail, financial, entertainment, and health insurance, as well as a U.S. government agency. Such attacks have the potential to embarrass management, place valuable relationships at risk, result in employment terminations, and influence governments.

These successful attacks have increased the urgency for insurers to be prepared and have prompted State and Federal legislatures and agencies, as well as many security-related organizations, to up the ante for companies to improve their cyber-security preparedness. For example, following the recent cyber security breach of a large health insurance company, members of the National Association of Insurance Commissioners (NAIC) are calling for a multistate examination of the company and its subsidiaries. These government and regulatory entities recognize that the recent attacks may spawn copycats and actions by other individuals and organizations motivated to extract revenge for any number of grievances. The industrial destruction motives of cyber attackers threaten critical systems and supply chains of many key industries, such as the financial, manufacturing, processing, and critical infrastructure sectors.

Executive Summary

As the frequency and severity of high-profile cyber-attacks escalate, Federal and State governments are imposing regulations that require organizations to demonstrate better preparedness and resilience in the event of a cyber-attack. At the same time, the media is increasing public awareness, and cyber-security organizations are providing improved tools and methodologies that can help companies meet their cyber-security requirements. Included in this article are insights and guidelines for addressing these requirements and putting organizations on a path toward better preparedness and resilience to a cyber attack.

While many threats are external, we must not lose sight of the fact that a significant portion of cyber security breaches originate inside the organization. According to the Online Trust Alliance, a non-profit focused on enhancing online trust, for the first six months of 2014 only 40 percent of data breaches involving the loss of PII were caused by external intrusions, while 29 percent were caused either accidentally or maliciously by employees. The Online Trust Alliance cited lack of internal controls, lost or stolen devices and documents, and social engineering and fraud as the main factors.

Copyright 2015. Originally Published March 10.

In the most recent Corporate Board Member/FTI Consulting, Inc. Law and Boardroom Study, approximately 50 percent of polled directors and general counsels named data security as their number one legal and risk management concern. This percentage may rise as high-profile attacks increase and as compliance with cyber regulatory requirements takes hold. InformationWeek reports that, while sixty percent of reporting organizations have increased their security spending by one-third, many security managers still don't think that's enough.

To better deal with the increase in cyber threats, regulators are expanding the scope of their cyber security requirements as well as their compliance enforcement. Regulators are increasingly holding insurers accountable for their own internal cyber-security measures in order to better protect policyholders. Insurers maintain significant data that is potentially desirable to cyber thieves: rate, commission and loss information, litigation records, insureds' private data, proprietary risk and analytical models, and actuarial processes and algorithms. Dependence on outside partners and third party service providers additionally exposes insurers to the cyber-vulnerabilities of these outsourced contractors.

Predictably, regulators are starting to compel improvements in cyber security through new rules requiring insurers to implement comprehensive cyber security programs. The NAIC stated on January 29 that it plans to propose guidance for insurance examiners reviewing companies' risk management practices for cyber security risks. Additionally, the NAIC is considering collecting detailed information from insurers writing cyber security coverage to learn more about the market.

The Department of Homeland Security's National Protection and Programs Directorate has also been discussing a cyber incident data repository with the insurance industry, to create a warehouse of cyber risk actuarial data and consequence-oriented analytics needed to grow the cyber security insurance market. The New York State Department of Financial Services announced on December 10, 2014 that it will take measures to help in-state insurers strengthen their cyber security defenses and will begin assessments to determine the degree of preparedness and compliance. The NY DFS IT/cybersecurity examinations will address corporate governance around cyber security; resources, protection, testing and monitoring; cyber insurance; the management of issues related to achieving cyber security preparedness; and integration of information security into business continuity and IT disaster recovery plans. The New York regulation will likely lead to similar regulations in other states and similar national requirements.

The Federal Financial Institutions Examination Council is reported to be reviewing and updating its guidance on cyber-security to keep up with changing risks. On December 11, 2014, the Commodity Futures Trading Commission informed a Senate panel that it will begin focusing on cybersecurity in compliance exams. The Office of the Comptroller of the Currency has added cyber-security to bank exams, and the SEC plans scrutiny of all investment advisors for business continuity plans ("transition plans") to prepare for recovery after operational disruptions. A consistent underpinning of virtually all of these evolving regulations is the specific deadlines for reporting data breaches to authorities and affected customers, and the explicit penalties for non-disclosure.

In addition, security organizations are stepping up as well. ISO/IEC (titled "Information technology security techniques guidelines for cybersecurity") is a new standard that addresses the cyber-risk created by the fragmentation of the operational and regulatory requirements placed on the multiple owners of the information, hardware and networks on which companies depend to manage their complex businesses. ISACA - formerly the Information Systems Audit and Control Association, an international professional association focused on IT governance - has released the European Cybersecurity Implementation Series to provide practical implementation guidance aligned with European requirements and good practice in cyber-security.

In their quest to achieve cyber-security resilience, insurers have a dual responsibility: they must address the cyber security of their own organization as well as the cyber security of the customers they insure. While insurers must address these new regulations and standards, their own financial models and loss control systems should compel them to increasingly take into account their cyber-security underwriting and policy language and the security practices of the customers they insure. Insurers must challenge their own organizations to become cyber-resilient and also encourage their insureds to do the same. The former is a financial, regulatory and reputational imperative. The latter is a financial risk management imperative, since it addresses the performance of an insurer's cyber security policy portfolio, the cyber risk accumulation in the portfolio, and the claims for which the insurer may be liable should its insureds be attacked. In assessing an insurer's cyber-security resilience, regulators are sure to take into account the strength of underwriting underlying the insurer's cyber security policy portfolio. This by default will include an assessment of the limits, exclusions, and deductibles on the policies and the strength of the cyber-security resilience plans of the insureds.

To effectively address the myriad cyber security issues and meet regulatory requirements while taking advantage of existing risk management initiatives, the author has outlined seven key points that insurers should consider. These steps are designed to move the organization forward toward a more robust and mature cyber security capability.

View cyber security as an organizational issue, not simply as a technical issue.

The pervasive nature of the impacts from recent data breaches suggests that everyone in the affected companies, as well as other stakeholders, had a vested interest in risk management. This means that everyone in the organization should be security-aware and play a role in security measures, thus helping to create a culture of risk awareness, avoidance, mitigation and recovery. To foster broader understanding and involvement, we have found it beneficial to build on existing risk management infrastructure and programs. Insurers, as well as many of their customers, typically have multiple risk management programs underway, such as Enterprise Risk, ORSA, Sarbanes-Oxley, and Dodd-Frank. Correlating the risk management components within these programs creates a unified organizational focus that enables effective execution of the remaining six risk management requirements and moves the organization along a path toward a high level of cyber security maturity.

Obtain access to trusted third party resources.

As discussed previously, a good portion of cyber breaches result from employees inside the organization. For this reason, and for reasons related to objectivity, developing an effective cyber security program requires the use of outside resources with the expertise to assess threats and vulnerabilities and develop mitigation requirements, independent of conflicts of interest and unencumbered by internal politics or other potentially compromising factors. In addition, the use of trusted third party resources can help accelerate the development and implementation of cyber security improvements.

Adhere to governance and compliance doctrines.

All risk management programs require a set of policies, procedures, and controls that establish a framework for accomplishing program objectives while adhering to overarching company business principles and objectives. Accordingly, cyber security initiatives would function within this framework, with each having its own specific requirements. As an example, a primary focus would include those policies, procedures and controls related to information privacy.

Understand and document your definition of risk appetite.

Essentially, risk appetite is the level of risk an organization is willing to accept in order to achieve its business objectives before it needs to take measures to reduce the risk. Without a risk appetite statement, there is no basis for understanding or managing risk, which is the primary reason that regulators require a well-defined risk appetite statement and review such statements early in their examinations. Developing a risk appetite statement, although simple in concept, requires significant knowledge of the business and specific expertise in the disciplines of risk management. As the cornerstone of risk management, defining risk appetite is a board responsibility, typically accomplished in cooperation with the chief risk officer or a third party expert. In the cyber risk world, however, many Boards may not have the technical confidence or knowledge to properly address this policy and oversight responsibility without the help of strong independent expertise.

Perform a threat, vulnerability and impact assessment.

Cyber security assessments address the information security domains that affect the confidentiality, integrity and availability of the organization's information, such as systems, web servers, application servers, firewalls, routers, VPN tunnels and end point access. Assessments use the appropriate types of tools and methodologies, such as vulnerability assessments and various levels of security scans and penetration testing, to first stress-test the technical and policy elements of cyber-security.

The second part of the assessment identifies the information at risk. What is the data and what does it look like? Where is it stored? Who generates it? What devices are involved? How is the data classified? These questions are answered not by interviewing only the CTO, CIO, or CISO, but also by interviewing executives in legal, compliance, operations, marketing, finance, investments, claims, and account management. The combination of these answers provides insight regarding what information has value; the operational and financial impact of impairment or loss of that information; and guidance on the steps needed to protect it.

The third part of the assessment should include an examination of the organization's cyber insurance policy, to help decision makers understand whether coverages are adequate and effectively aligned with the organization's remaining cyber risks, and whether limits, retentions, and exclusions are appropriate. Does the cost of appropriate coverage make sense, or should the company self-insure? The sometimes complex wording of cyber insurance policies can change quickly, even for insurance companies, as cyber insurance underwriters learn more. Slight wording changes can have a significant impact on policy elements, often adverse to the interests of the policyholder. To achieve the utmost objectivity, this examination should be conducted by an outside third party insurance expert.

Assessments are documented in a formal report that provides findings, considerations and recommendations, along with an order-of-magnitude cost range to correct the most egregious exposures, and recommendations for changes to the cyber insurance policy.

Develop mitigation programs.

Deciding which exposures, vulnerabilities, and risks to mitigate requires a cost/benefit analysis, resource determination, funding, and decision making, including whether to self-insure or purchase insurance. This process results in the development of a mitigation strategy. Funds (possibly significant) must be budgeted for the people, contractors, IT equipment and infrastructure, space, and other requirements that may be necessary to execute the strategy. Some of the findings may require immediate investment, necessitating C-suite, Executive Committee, or Board approval of extraordinary funds. In such cases, decisions should not be delayed by normal budgeting cycles or other formal structures. This approval process may be expedited by knowledge of the financial and reputational liability that directors and officers potentially face for significant breaches.

Prepare a Cyber Incident Response Plan (CIRP).

The CIRP documents how the organization will respond to a breach in a planned and effective way. The CIRP can stand alone or be part of the organization's Comprehensive Emergency/Crisis Plan. The CIRP is designed to ensure that cyber-security incidents are managed in a way that limits impact, gains stakeholder confidence in the organization's capacity to handle incidents, and reduces the time and cost to recovery. The CIRP takes into account management's understanding of the cyber risks related to their critical information infrastructure and data; the depth and limitations of their risk mitigation plan; and how their insurance policies respond to incidents and losses. Accordingly, the CIRP documents the company's framework for response.

The declaration section establishes goals for the plan, documents authorities, and puts the plan into managerial, organizational and legal perspective. It uses the National Institute of Standards and Technology definition of a cyber incident to trigger the plan, and defines who in the organization is responsible for invoking the plan. Once the plan is triggered, the response team, including previously identified third party resources, kicks into action to mitigate and remediate problems and negative impact. Lessons learned from the actions and results of the response team are documented for assessment to improve future capabilities. The CIRP should be formally reviewed and adopted by the Board, and exercised at least once every year in a workshop or tabletop exercise involving inside and outside members of the response team, to ensure that team members know their roles and the organization gets it right.

Adopting this comprehensive approach to cyber risk management should help insurers sustain financial viability and meet regulatory compliance requirements. Insurers should likewise require some level of this approach from their cyber-insureds in order to promote a culture of risk awareness, reduce the chance of a disastrous breach, and avoid paying costly claims that could have been avoided or minimized.

Preparing a Comprehensive Cyber Incident Response Plan

Development of a comprehensive cyber incident response plan (CIRP) flows from completion of the threat, vulnerability and impact assessment and preparation of the mitigation plan, which together help determine which exposures, vulnerabilities, and risks to mitigate and the funding required to achieve mitigation objectives. The CIRP is a confidential document that contains four main sections: Introduction and Organization, Resources and Authorizations, Response and Mitigation, and Remediation and Post Incident Review. The CIRP may be available as a web interactive document, as a PDF via the web, or through another physical delivery method.

Introduction and Organization

The Introduction provides an overview of the need for cyber security plans; describes the contents and scope of the plan; provides guidelines for using the plan; and identifies the leadership with principal responsibility for maintaining the plan. This section also provides an organization graphic for quickly identifying the interrelationship of the team members and their associated roles.

Resources and Authorizations

This section is essentially a resource library that identifies each team member (and backups), their roles, responsibilities and decision rights, and their contact information; identifies the various physical and information assets (including data classifications) to be protected; identifies third party resources that are prearranged to be involved in mitigation, response and recovery, including stakeholder and media communications; and lists the tools and aids used by the response team in fulfilling their responsibilities.

Response

The response section is triggered by a cyber incident as defined by the National Institute of Standards and Technology. This section describes the response policies, procedures, practices, and specific playbooks to be carried out by team members in response to a breach of each data classification maintained by the organization. This is because the response objectives, stakeholder communications, crisis management, type of impact, damage level, regulatory response, and recovery times may vary widely based on the type of data impacted. The cyber response team is ideally patterned after the Incident Command System (ICS) that is standard in emergency response plans.

The CIRP Response section provides a toolbox of policies, specific actions, and playbooks of procedures that define responsibility for every aspect of the response, starting with who monitors the IT environment and alerts the team when there is suspicious activity. Outside third party experts should play important roles in action assignments, such as forensic investigations, legal, insurance, and crisis communications and media management. Each of these trusted outside experts should be identified in the plan and even retained in advance, or their services provided for and budgeted in advance, as part of the plan. Foreseeable expenses associated with the breach should be pre-authorized at various threshold levels, so valuable time is not wasted seeking budget approval through normal channels when fast response is required.

Remediation and Post Incident Review

After the incident is contained, the remediation section of the CIRP should document a formal process to identify lessons learned: what went wrong and why, and what recommendations will limit a recurrence? Remediation is about organizational improvement, rather than blame and punishment. The objective is to help restore stakeholder confidence in the capacity and ability of the company to prepare for and respond to the next cyber-incident, because loss of that confidence can result in reductions in market capitalization and aggressive scrutiny from regulators, partners and customers. Outside third party experts previously identified in the Response section should play important roles in post-breach action assignments, addressing the follow-up and documentation requirements related to the action items identified in the Response section.

As stated earlier, the CIRP should be formally reviewed and adopted by the Board, and exercised at least once every year in a workshop or tabletop exercise involving inside and outside members of the response team, to ensure that the organization gets it right and team members know their roles. The CIRP will result in a thorough, carefully considered framework for organizational response to the inevitable cyber security incident. Well prepared companies may still sustain damage but will be resilient enough to recover and move forward. Poorly prepared companies will be more extensively damaged, and could even fail, if the breach is significant and the damage extensive enough.

The views expressed in this piece are those of the author and are not necessarily the views of FTI Consulting, its management, its subsidiaries, affiliates or other professionals.

Scott Corzine is a Managing Director in the FTI Consulting Insurance Practice and co-heads the Risk Consulting group. Mr. Corzine is considered an expert in operational resilience, business continuity management, and emergency and crisis management. Mr. Corzine has led engagements including business continuity, disaster recovery and emergency and crisis management on projects conducted in 23 states and overseas for Fortune 500 and mid-market companies in numerous industry sectors, institutions of higher education, large public school districts, federal and state government agencies, and not-for-profits. Mr. Corzine authored a definitive guidebook and software development tool on business continuity planning in the airport sector for the Transportation Research Board of the National Academy of Sciences: ACRP Report 93, Operational and Business Continuity Planning for Prolonged Airport Disruptions.


More information

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions Committee on Payment and Settlement Systems Board of the International Organization of Securities Commissions Consultative report Principles for financial market infrastructures: Assessment methodology

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED

THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED THE CYBER SECURITY PLAYBOOK 2 03 Introduction 04 Changing Roles, Changing Threat

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS 1 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become

More information

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Exercising Your Enterprise Cyber Response Crisis Management Capabilities Exercising Your Enterprise Cyber Response Crisis Management Capabilities Ray Abide, PricewaterhouseCoopers, LLP 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved.

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Client Update SEC Releases Updated Cybersecurity Examination Guidelines

Client Update SEC Releases Updated Cybersecurity Examination Guidelines Client Update September 18, 2015 1 Client Update SEC Releases Updated Cybersecurity Examination Guidelines NEW YORK Jeremy Feigelson jfeigelson@debevoise.com Jim Pastore jjpastore@debevoise.com David Sarratt

More information

OECD PROJECT ON CYBER RISK INSURANCE

OECD PROJECT ON CYBER RISK INSURANCE OECD PROJECT ON CYBER RISK INSURANCE Introduction 1. Cyber risks pose a real threat to society and the economy, the recognition of which has been given increasingly wide media coverage in recent years.

More information

Where insights lead Cybersecurity and the role of internal audit: An urgent call to action

Where insights lead Cybersecurity and the role of internal audit: An urgent call to action Where insights lead Cybersecurity and the role of internal audit: An urgent call to action The threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

Cybersecurity and the Threat to Your Company

Cybersecurity and the Threat to Your Company Why is BIG Data Important? March 2012 1 Cybersecurity and the Threat to Your Company A Navint Partners White Paper September 2014 www.navint.com Cyber Security and the threat to your company September

More information

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Cyber Security Incident Handling Policy Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Oct 9, 2015 i Document Control Document Owner Classification

More information

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015 Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key

More information

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015 Cybersecurity Best Practices in Mortgage Banking Article by Jim Deitch Cybersecurity Best Practices in Mortgage Banking BY JIM DEITCH Jim Deitch Recent high-profile cyberattacks have clearly demonstrated

More information

PROPOSED INTERPRETIVE NOTICE

PROPOSED INTERPRETIVE NOTICE August 28, 2015 Via Federal Express Mr. Christopher J. Kirkpatrick Secretary Office of the Secretariat Commodity Futures Trading Commission Three Lafayette Centre 1155 21st Street, N.W. Washington, DC

More information

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048 Cybersecurity Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048 Setting expectations Are you susceptible to a data breach? October 7, 2014 Setting expectations Victim Perpetrator

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

PREPARED DIRECT TESTIMONY OF SCOTT KING ON BEHALF OF SOUTHERN CALIFORNIA GAS COMPANY

PREPARED DIRECT TESTIMONY OF SCOTT KING ON BEHALF OF SOUTHERN CALIFORNIA GAS COMPANY BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA Application of SOUTHERN CALIFORNIA GAS COMPANY (U 0 G) for Review of its Safety Model Assessment Proceeding Pursuant to Decision 1-1-0.

More information

Aftermath of a Data Breach Study

Aftermath of a Data Breach Study Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath

More information

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

CYBER & PRIVACY LIABILITY INSURANCE GUIDE CYBER & PRIVACY LIABILITY INSURANCE GUIDE 01110000 01110010 011010010111011001100001 01100 01110000 01110010 011010010111011001100001 0110 Author Gamelah Palagonia, Founder CIPM, CIPT, CIPP/US, CIPP/G,

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

PACB One-Day Cybersecurity Workshop

PACB One-Day Cybersecurity Workshop PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance

More information

All Eyes: A Security Breach Exercise. Disaster Recovery/Security and Business Continuity Readiness

All Eyes: A Security Breach Exercise. Disaster Recovery/Security and Business Continuity Readiness All Eyes: A Security Breach Exercise Disaster Recovery/Security and Business Continuity Readiness Commonwealth of Pennsylvania Molly Dougherty, Director Continuity of Government and Records Information

More information

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity;

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity; NGA Paper Act and Adjust: A Call to Action for Governors for Cybersecurity challenges facing the nation. Although implementing policies and practices that will make state systems and data more secure will

More information

Cyber and Data Risk What Keeps You Up at Night?

Cyber and Data Risk What Keeps You Up at Night? Legal Counsel to the Financial Services Industry Cyber and Data Risk What Keeps You Up at Night? December 10, 2014 Introduction & Overview Today s Discussion: Evolving nature of data and privacy risks

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool

ICBA Summary of FFIEC Cybersecurity Assessment Tool ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

Risks and uncertainties

Risks and uncertainties Risks and uncertainties Our risk management approach We have a well-established risk management methodology which we use throughout the business to allow us to identify and manage the principal risks that

More information

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Collaboration and communication between technical

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for?

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for? Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for? Authored by Neeraj Sahni and Tim Stapleton Neeraj Sahni is Director, Insurance Channel at Kroll Cyber Investigations

More information

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security

More information

2013 Risk and Finance Manager Survey

2013 Risk and Finance Manager Survey 2013 Risk and Finance Manager Survey Full Report Executive Summary The Towers Watson Risk and Finance Manager Survey examines how North American companies use outside resources, tools and frameworks to

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

What Directors need to know about Cybersecurity?

What Directors need to know about Cybersecurity? What Directors need to know about Cybersecurity? W HAT I S C YBERSECURITY? PRESENTED BY: UTAH BANKERS ASSOCIATION AND JON WALDMAN PARTNER, SENIOR IS CONSULTANT - SBS 1 Contact Information Jon Waldman Partner,

More information

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

More information

CYBER SECURITY, A GROWING CIO PRIORITY

CYBER SECURITY, A GROWING CIO PRIORITY www.wipro.com CYBER SECURITY, A GROWING CIO PRIORITY Bivin John Verghese, Practitioner - Managed Security Services, Wipro Ltd. Contents 03 ------------------------------------- Abstract 03 -------------------------------------

More information

Cyber security guide for boardroom members

Cyber security guide for boardroom members Cyber security guide for boardroom members 2 Cyber security guide for boardroom members Cyber security at strategic level Our society is rapidly digitising, and we are all reaping the benefits. Our country

More information

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008 U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October

More information

Testimony of. Doug Johnson. New York Bankers Association. New York State Senate Joint Public Hearing:

Testimony of. Doug Johnson. New York Bankers Association. New York State Senate Joint Public Hearing: Testimony of Doug Johnson On behalf of the New York Bankers Association before the New York State Senate Joint Public Hearing: Cybersecurity: Defending New York from Cyber Attacks November 18, 2013 Testimony

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework View the online version at http://us.practicallaw.com/5-599-6825 The NIST Cybersecurity Framework RICHARD RAYSMAN, HOLLAND & KNIGHT LLP AND JOHN ROGERS, BOOZ ALLEN HAMILTON A Practice Note discussing the

More information

Business Continuity and Disaster Recovery Planning

Business Continuity and Disaster Recovery Planning Business Continuity and Disaster Recovery Planning Jennifer Brandt, CISA A p r i l 16, 2015 HISTORY OF STINNETT & ASSOCIATES Stinnett & Associates (Stinnett) is a professional advisory firm offering services

More information

IT Security Incident Management Policies and Practices

IT Security Incident Management Policies and Practices IT Security Incident Management Policies and Practices Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Feb 6, 2015 i Document Control Document

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Cyber/Information Security Insurance. Pros / Cons and Facts to Consider

Cyber/Information Security Insurance. Pros / Cons and Facts to Consider 1 Cyber/Information Security Insurance Pros / Cons and Facts to Consider 2 Presenters Calvin Rhodes, Georgia Chief Information Officer Ron Baldwin, Montana Chief Information Officer Ted Kobus, Partner

More information

Credit Union Liability with Third-Party Processors

Credit Union Liability with Third-Party Processors World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with

More information

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The

More information

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security

More information

Supporting information technology risk management

Supporting information technology risk management IBM Global Technology Services Thought Leadership White Paper October 2011 Supporting information technology risk management It takes an entire organization 2 Supporting information technology risk management

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

State Governments at Risk: The Data Breach Reality

State Governments at Risk: The Data Breach Reality State Governments at Risk: The Data Breach Reality NCSL Legislative Summit August 5, 2015 Doug Robinson, Executive Director National Association of State Chief Information Officers (NASCIO) About NASCIO

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.

More information

COMPETITION TRIGGERS BATTLE FOR TALENT AND ACQUISITIONS

COMPETITION TRIGGERS BATTLE FOR TALENT AND ACQUISITIONS 2015 www.bdo.com For more information on BDO USA s service offerings to this industry vertical, please contact one of the regional service leaders below: TIM CLACKETT Los Angeles 310-557-8201 / tclackett@bdo.com

More information

Portal Storm: A Cyber/Business Continuity Exercise. Cyber Security Initiatives

Portal Storm: A Cyber/Business Continuity Exercise. Cyber Security Initiatives Portal Storm: A Cyber/Business Continuity Exercise Cyber Security Initiatives Commonwealth of Pennsylvania Office of Administration Tony Encinias, Chief Information Officer Project Initiated: January 2013

More information

Presidential Summit Reveals Cybersecurity Concerns, Trends

Presidential Summit Reveals Cybersecurity Concerns, Trends Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Presidential Summit Reveals Cybersecurity Concerns,

More information

Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012

Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012 Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives Initiation date: January 2012 Completion date: June 2012 Nomination submitted by: Samuel A. Nixon

More information

www.pwc.com Cybersecurity and Privacy Hot Topics 2015

www.pwc.com Cybersecurity and Privacy Hot Topics 2015 www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets

More information

Cybersecurity: A View from the Boardroom

Cybersecurity: A View from the Boardroom An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison Gary Solway* Bennett Jones LLP The August release of the purported names and other details of over 35 million customers

More information

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS RRD Donnelley SEC Hot Topics Institute May 21, 2014 1 MANAGING CYBERSECURITY RISK AND DISCLOSURE OBLIGATIONS Patrick J. Schultheis Partner Wilson

More information

CISM Certified Information Security Manager

CISM Certified Information Security Manager CISM Certified Information Security Manager Firebrand Custom Designed Courseware Chapter 4 Information Security Incident Management Exam Relevance Ensure that the CISM candidate Establish an effective

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

Cyberprivacy and Cybersecurity for Health Data

Cyberprivacy and Cybersecurity for Health Data Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies

More information

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES 20 th February, 2013 To Insurance Companies Reinsurance Companies GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES These guidelines on Risk Management and Internal

More information