Cybersecurity Assessment

Transcription

1 Cybersecurity Assessment What Will the Regulators Be Looking For? Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar March 18,

2 Introduction & Overview Today s discussion: Who are the regulators in this area? What are they saying? What are they looking for? Practical steps to ensure compliance 2

3 Who are the regulators in this area? 3

4 Key State and Federal Cybersecurity Regulators State Attorneys General Enforce: State Unfair and Deceptive Acts and Practices (UDAP) statutes (50 states) State data breach notification and data security statutes (47 states) FTC Enforces 34 laws/rules on privacy and data security, including: FTC Act, Section 5 Fair Credit Reporting Act Children s Online Privacy Protection Act Proposed: Consumer Privacy Bill of Rights Act (Section 105) CFPB Enforces: Privacy/data security provisions of the Gramm-Leach-Bliley Act and rules Fair Credit Reporting Act 4

5 Key State and Federal Cybersecurity Regulators DHS Enforces: Privacy Act of 1974 and related regulations Homeland Security Act of 2002 HHS Enforces HIPAA Privacy Rule, Security Rule, and Omnibus Rule FCC Enforces privacy/data security provisions of the Communications Act and rules Federal Prudential Regulators State Prudential Regulators 5

6 What are they saying? 6

7 State AG Enforcement: Recent Data Security Activity Multi-State Investigations 2009 TJX Data Breach Settlement TJX owns popular retailers Marshalls, TJ Maxx, and HomeGoods. Allegation of massive data breach and a review of TJX s data security polices and procedures. 41 AGs $9.75 million + agreement to improve data security protocols 2014 TD Bank Data Breach Settlement In October 2012, TD Bank self-reported a March 2012 breach involving the Bank s loss of unencrypted backup tapes containing the personal data of 260,000 customers nationwide. 9 AGs $850,000 + agreement to strengthen security policies, including the use of data encryption 2015 Zappos Data Breach Settlement Allegations that a January 2012 breach of a Zappos computer server exposed the personal data of 24 million customers, including names, billing and shipping addresses, telephone numbers, the last four digits of credit card numbers, and login credentials of customers. 9 AGs $106,000 + agreement to strengthen security policies 7

8 Federal Enforcement: Recent Data Security Activity FTC 2012 Google Safari Cookies Consent Decree Involved similar allegations to those in the investigation by Attorneys General Mixture of privacy and data security concerns $22.5 million fine, largest FTC penalty ever for a settlement violation 2012 Wyndham Data Security Complaint Landmark data security complaint against Wyndham hotels for alleged data security failures that led to three data breaches in less than two years, resulting in millions of dollars in fraud loss, and the export of hundreds of thousands of consumers payment card account information to an Internet domain address registered in Russia. Case is currently on appeal in the Third Circuit 2014 Debt Brokers Data Security Complaint Allegation that two debt sellers - Cornerstone & Company LLC and Bayview Solutions LLC posted on a public website the sensitive personal information of more than 70,000 consumers, including bank account and credit card numbers, and information about debts the consumers allegedly owned, exposing them to identity theft and phantom debt collection. Court entered a preliminary injunction against the debt sellers, requiring them to notify affected consumers and use reasonable safeguards for consumer information they possess. 8

9 Federal Enforcement: Recent Data Security Activity HHS 2013 New Omnibus Rule Expands existing data security requirements to business associates of entities that receive protected health information Increases penalties for noncompliance (up to $1.5 million per violation) FCC 2014 TerraCom/YourTel Proposed Fine Allegation that TerraCom and YourTel stored SSN, names, addresses, driver s licenses, and other sensitive information for up to 305,000 consumers on unprotected Internet servers that anyone could access $10 million proposed fine Commission s first data privacy action and largest privacy action 2015 New Privacy & Data Security Provision under Open Internet Order Open Internet Order applies privacy and data security protections for phone companies to Internet Service Providers (ISPs) 9

10 What are they looking for? 10

11 NY DFS: Cyber Sec Exam Exam Focus Corporate Governance Cyber security process integration Resources info sec, risk mgmt Shared infrastructure risk Intrusion detection Authentication multi-factor Server & Database configurations Testing, monitoring, pen-testing Incident detection & response Training info sec & others Third party provider management Info sec integration with BC/DR Cyber security insurance Additional Questions CISO or equivalent CV, skillset Security Policy set Data classification integration Vulnerability & patch management Identity and access management Multi-factory authentication 3rd party service provider vetting, selecting, monitoring & due diligence Application development standards including secure development life cycle Incident response program Info sec is incorporated into BCP/DR Significant changes to IT portfolio over previous 24 months 11

12 Cyber Risk: Raskin Framework In her Remarks at The Texas Bankers Association Executive Leadership Cybersecurity Conference, Deputy Secretary of the Treasury Raskin divided the subject of cyber security into three categories: Baseline protections Information sharing Response & recovery Major concepts: Is cyber risk part of our current risk management framework? Cyber risk management framework as part of enterprise risk framework Identify cyber threats presented by their specific businesses and operations Match threats to appropriate technology solutions CEOs and Boards should adopt policies, procedures, and other controls like training and governance address cyber threats that Requires Board and senior management gain a reasonable understanding of: Cyber risk management Threat landscape Data risk and cyber risk applicable Current capability and availability of response/control mechanisms generally Current cyber-response readiness state of enterprise and ecosystem Ability, time, and expense required to implement operational controls Additional consideration: Required clear communication of residual risk Maturity of ERM programs varies widely by company and industry 12

13 Cybersecurity Red Flags Lack of reasonable cybersecurity measures No designated employees accountable for cybersecurity Overbroad data collection No privacy risk assessment Lack of incident response (IR) plan for data breach Undeveloped employee training / broad employee access to sensitive information and/or systems Spotty testing and updates of security protocols No vetting of third-party vendors cybersecurity 13

14 Practical steps to ensure compliance 14

15 Enterprise Practical Steps Assess the current cyber risk evaluation process, response program, and breach response playbook against regulatory guidance, established industry frameworks, and the NIST Cybersecurity Framework (see appendix for additional resources) Review and update the enterprise cyber threat landscape assessment Align security program/policies with business processes and tech. architecture Incorporate board participation and relevant third parties in cyber-attack-response simulation(s) using real-world complex use cases Develop communication (external, internal, regulatory) plan to manage cyber incident/breach response Identify third party risk, create control profiles, evaluate current third parties, apply mitigating controls as needed Identify and solidify internal and external skill-sets that can respond immediately when cyber-incident occurs Where appropriate, participate in industry forums to share cyber risk response information 15

16 Steps to Avoid Attention Reduce customer complaints Understand the state and federal regulatory landscape and promptly resolve issues before your regulators appear Maintain relationships with your primary AG and your primary federal regulators Exercise caution when offering products targeted to groups whose interests have become politicized Children Elderly 16

17 Responding to Inquiries Respond promptly to subpoenas Quickly gain an understanding of your regulator s concerns Do not automatically put on litigation battle gear Work diligently for an early resolution 17

18 Questions 18

19 Contact Information Margo H.K. Tank Partner Rena Mears Managing Director Douglas F. Gansler Partner Stephen M. Ruckman Associate