Cyber and Data Risk What Keeps You Up at Night?



Similar documents
Cybersecurity Assessment

Identifying and Managing Third Party Data Security Risk

Why you should adopt the NIST Cybersecurity Framework

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

FFIEC Cybersecurity Assessment Tool

Cybersecurity and Privacy Hot Topics 2015

Cybersecurity The role of Internal Audit

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

How To Write A Cybersecurity Framework

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

State Governments at Risk: The Data Breach Reality

ALM Virtual Corporate Counsel Managing Cybersecurity Risks and Mitigating Data Breach Damage

Why you should adopt the NIST Cybersecurity Framework

NIST Cybersecurity Framework & A Tale of Two Criticalities

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

What Directors need to know about Cybersecurity?

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Managing cyber risks with insurance

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

fs viewpoint

Internal audit value optimization for insurance organizations

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Cyber security: everybody s imperative. A guide for the C-suite and boards on guarding against cyber risks

Business Continuity for Cyber Threat

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Cybersecurity in the States 2012: Priorities, Issues and Trends

Governance, Risk, and Compliance (GRC) White Paper

IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES

Integrating Security and Privacy Considerations into Client Services, Products and Day-To-Day Operations. WMACCA September 16, 2014

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape

Cybersecurity Issues for Community Banks

Delaware Cyber Security Workshop September 29, William R. Denny, Esquire Potter Anderson & Corroon LLP

FINRA Publishes its 2015 Report on Cybersecurity Practices

The NIST Cybersecurity Framework

Italy. EY s Global Information Security Survey 2013

Logging In: Auditing Cybersecurity in an Unsecure World

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo

BECAUSE CYBERSECURITY RISKS ARE ENTERPRISE RISKS.

Cybersecurity Awareness for Executives

PRIORITIZING CYBERSECURITY

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR

Cybersecurity and internal audit. August 15, 2014

Cyber Risks in the Boardroom

Click to edit Master title style

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Information Security Program CHARTER

Into the cybersecurity breach

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

PwC Cybersecurity Briefing

Developing a robust cyber security governance framework 16 April 2015

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

White Paper on Financial Institution Vendor Management

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

VENDOR MANAGEMENT. General Overview

Enterprise Security Tactical Plan

Cybercrime and Regulatory Priorities for Cybersecurity

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

CONSULTING IMAGE PLACEHOLDER

New York State Department of Financial Services. Update on Cyber Security in the Banking Sector: Third Party Service Providers

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

How to ensure control and security when moving to SaaS/cloud applications

The NIST Cybersecurity Framework Encouraging NIST Adoption Via Cost/Benefit Analysis

Cyber Security and the Board of Directors

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Cyber security Building confidence in your digital future

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Third Party Risk Management 12 April 2012

Past vs. Present: Third Party Risk

Lessons from Defending Cyberspace

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

Building Blocks of a Cyber Resilience Program. Monika Josi monika.josi@safis.ch

PACB One-Day Cybersecurity Workshop

Securing the Cloud Infrastructure

Overview TECHIS Manage information security business resilience activities

Vendor Risk Management Financial Organizations

Certified Information Security Manager (CISM)

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Is Your Company Ready for a Big Data Breach?

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Earning Your Security Trustmark+

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Cybersecurity. Are you prepared?

Our Commitment to Information Security

Time Is Not On Our Side!

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

From Information Management to Information Governance: The New Paradigm

Transcription:

Legal Counsel to the Financial Services Industry Cyber and Data Risk What Keeps You Up at Night? December 10, 2014

Introduction & Overview Today s Discussion: Evolving nature of data and privacy risks Role of the board & senior management Privacy and security program development Cybersecurity, data protection, and data breach response Privacy and security gap assessments and reporting Managing change and developing risk aware cultures Cybersecurity: The process of protecting information by preventing, detecting and responding to attacks.* 2 * Framework for Improving Critical Infrastructure Cybersecurity

Data as a Strategic Asset Asset in Hyper-growth Mode: Highly Vulnerable: White noise to big data Ubiquitous, portable Electronic transaction and paperless processes Ephemeral, high velocity Rights & obligations complex Online commerce Regulatory Immature management Product personalization to KYC processes Personal profile & behavior Lagging defense mechanisms analysis Diverse bad actors /motivation Data mining = market success Unpredictability of harm Strategic/core to every business Competition for resources Result: Produce more data, mine more data, acquire more data = High Value Target 3

Data Risk: Cybersecurity Data Risk: Encompasses a variety of risks including: Accuracy Completeness Consistency Timeliness Availability Fitness for Use Confidentiality Financial Operational Brand Regulatory Cybersecurity Risk: Risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.* 4 * The Institute of Risk Management

Cyber Risk Response Plan Optimal Enterprise Program: Mature Process Defined risk-based, strategic Documented life cycle Operationalized roles, processes Evaluated metrics, periodically Sustainable adjust/change Reality Siloed : Immature Process Defined tactically, operational Documented incomplete Operationally IT/Security focused Evaluated incident focused Maintained static, limited scope Integrated: All levels of the organization Enterprise eco-system Separated: Function focus and/or mid-level Reactively involve eco-system 5

Role of Board & Senior Management The role of the board and senior management in identifying, managing, and responding to cyber risk is under increasing scrutiny from shareholders, regulators, and the marketplace Deputy Secretary of the Treasury Raskin recently divided the subject into three categories with 10 questions: Baseline protections Information sharing Response & recovery The following discussion will focus on baseline protections and response & recovery 6

Baseline Protection 1 Is cyber risk part of our current risk management framework? Deputy Secretary Raskin: Cyber risk management framework as part of enterprise risk framework Identify cyber threats presented by their specific businesses and operations Match threats to appropriate technology solutions CEOs and Boards should adopt policies, procedures, and other controls like training and governance address cyber threats that Requires Board and senior management gain a reasonable understanding of: Cyber risk management Threat landscape Data risk and cyber risk applicable Current capability and availability of response/control mechanisms generally Current cyber-response readiness state of enterprise and ecosystem Ability, time, and expense required to implement operational controls Additional consideration: Required clear communication of residual risk Maturity of ERM programs varies widely by company and industry 7

Baseline Protection 2 Do we follow the NIST Cybersecurity Framework? Deputy Secretary Raskin: Risk-based approach identify cyber risk posture determine risk profile and tolerance Not technical focus is oversight and governance Organization communication plans for responding to attacks Provides common language and set of practices, standards, and guidelines Aligns with enterprise risk management Provides tools to evaluate thirdparty risk Considerations for Board and senior management: Many companies base security in frameworks other than NIST NIST Cybersecurity Framework also offers mapping to other security focused frameworks so takeaway is on adoption of an accepted authoritative framework Communication plans are key and should address the enterprise and its ecosystem (regulatory, stakeholders, partners, vendors) Adopting common terms, definitions, and language is essential to respond to and effectively manage cyber attack 8

Baseline Protection 3 Do we know the cyber risks third parties expose us to? Deputy Secretary Raskin: Outsourced services for payment systems and/or back office processes mean non-employees may have access to enterprise networks, systems and data Imperative that enterprise understand what security safeguards vendors and third parties have in place: Knowing all vendors and 3rd parties with access Ensuring 3rd parties have appropriate protections in place to safeguard enterprise systems and data Conducting on-going monitoring to ensure adherence to protections Documenting protections and related obligations in contracts Considerations for board and senior management: Complexity of third-party risk: Identifying and defining 3rd parties/profiles Imposing requirements/managing exceptions Evaluation and enforcing Sustaining the process Pre-, During, and Post- incident Consider cyber risk impact in strategic decisions involving third parties Include third party vendors and providers in cyber incident response planning Communicate to the board third-party cyber risk classifications, profiles, requirements and discuss potential impact on cyber response capabilities 9

Response & Recovery Deputy Secretary Raskin: Increasingly focus efforts on making response and recover more efficient, effective, and predictable. Do we have a cyber-security incident playbook? What roles do senior leaders and the board play? When and how do we engage? Considerations for board and senior management: Does a cyber-incident playbook exist? Has it been operationalized? Are adequately skilled resources identified and available? Is there an owner? Cyber response requires a leader with appropriate authority to manage the responsibility and meet the objectives. Clearly communicate roles and expectations to board and senior management before an incident occurs Leverage established communication channels to manage expectations during and post cyber incident Law enforcement engagement may enhance enterprise response effectiveness 10

Cyber Response: Complexities Preparing the board and senior management for some of the complexities that can occur: Third party involvement - modularization of business and IT processes: Cloud strategies Serial outsourcing and complex third party ecosystems Proving the negative Business risk decision Regulatory inquiries Many regulators, all at once, with different concerns/focus Managing consistency of response Media glare Pre-breach messaging and spokesman Train spokesmen and spokesmen on media tactics and appropriate responses 11

Cyber: Practical Steps Assess the current cyber risk process, program and playbook against the NIST Cybersecurity framework Provide training sessions focused on the role and expectations of the Board and Senior Management pre-, during, and post cyber incident Incorporate board participation in cyber-attack-response simulation(s) using real-world complex use cases Develop communication (external, internal, regulatory) plan to manage cyber incident/breach response Identify third party risk, create control profiles, evaluate current third parties, apply mitigating controls as needed Identify and solidify internal and external skill-sets that can respond immediately when cyber-incident occurs 12

Questions Margo H. K. Tank Partner, BuckleySandler LLP 202.349.8050 mtank@buckleysandler.com Rena Mears Managing Director Privacy, Cyber Risk & Data Security Group, BuckleySandler LLP 202.349.7977 rmears@buckleysandler.com Barbara Lawler Chief Privacy Officer, Intuit 650.944.5136 Barbara_lawler@intuit.com 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information