Cybersecurity and Insurance Companies




ACLI Forum 500 CEO Leadership Retreat
Timothy J. Nagle, Vice President & Chief Privacy Counsel, Prudential Financial
May 13, 2015

What is cybersecurity?
- Protecting sensitive data and maintaining network integrity
- Threat to proprietary information and personal information
- Combination of process, policy, training and technology
- Challenge for public and private sectors

Why Should I Care?
- Individual customers or institutional/corporate clients will assume it
- Corporate clients will ask for representations or assurances about it
- State insurance commissioners and attorneys general will require it
- Employees will want it
- Boards will ask about it (or will be advised to do so)
- The SEC and shareholders consider it part of corporate governance
- Your peers and the industry will address it

Pending Legislation
- H.R.234: Cyber Intelligence Sharing and Protection Act (CISPA)
- H.R.104: Cyber Privacy Fortification Act of 2015
- S.177: Data Security and Breach Notification Act of 2015
- S.456: The Cyber Threat Sharing Act of 2015
- S.754: Cybersecurity Information Sharing Act of 2015 (CISA)
- H.R.1770: The Data Security and Breach Notification Act
- H.R.1704: Personal Data Notification and Protection Act
- H.R.1560: Protecting Cyber Networks Act
- H.R.1731: National Cybersecurity Protection Advancement Act of 2015
- H.R.2205: (no title to date)
- S.961: The Data Security Act of 2015

Evolving Regulatory Guidance
- Securities and Exchange Commission
  - CF Disclosure Guidance: Topic No. 2 (Cybersecurity), October 13, 2011
  - National Exam Program Risk Alert: OCIE Cybersecurity Initiative, April 15, 2014
  - Division of Investment Management, IM Guidance Update 2015-02 ("Cybersecurity Guidance"), April 2015
- FINRA Report on Cybersecurity Practices (February 2015)
- Commodity Futures Trading Commission, CFTC Staff Advisory No. 14-21 ("Gramm-Leach-Bliley Act Security Safeguards"), February 26, 2014

Evolving Regulatory Guidance (cont'd)
- U.S. Department of Justice, Criminal Division: Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015)
- New York State Department of Financial Services
  - Report on Cyber Security in the Insurance Sector (February 2015)
  - Update on Cyber Security in the Banking Sector: Third Party Service Providers (April 2015)
- NAIC Principles for Effective Cybersecurity: Insurance Regulatory Guidance (April 2015)
- OCC Bulletin 2013-29: Third-Party Relationships (October 30, 2013)

The Top Ten List: The Things I Wish I Would Have Done Before This Breach Event Happened
1. Been involved in employee training and awareness.
2. Managed vendors regarding contract language for security standards, privacy policy, and event notice/coordination requirements.
3. Established relationships with outside counsel and a forensic/incident response/technology firm.
   - Preservation of attorney-client privilege
   - Negotiate a master service agreement
   - An event should result in two types of report
4. Inserted myself into the reporting and threat intelligence collection process.
5. Identified and introduced myself to representatives from trade/industry groups, regulators and law enforcement agencies for ongoing dialogue, information sharing and event coordination.

Nagle's Top Ten (cont'd)
6. Developed, implemented, socialized and exercised the event response plan.
   - What constitutes an event, and who makes the call?
   - Distinguished between a network security breach and unauthorized access to personal information.
7. Scripted internal and external communications and had them preapproved to the extent possible.
8. Established criteria for formal notification to customers, regulators, executive management/board and shareholders.
9. Designated who leads the investigation, response, remediation, notification and after-event phases, and who maintains the record.
10. Prepared for what happens after the event regarding insurance claims, litigation and remediation.

Six Things Every Company (Large or Small) Should Have
1. Information security policy/program
2. Privacy policy
3. Incident/breach response process
4. Employee training and awareness
5. Vendor management program
6. Business continuity plan

Other Considerations
1. Cyber insurance
2. Briefing the Board
3. SEC disclosures and other reporting requirements
4. State privacy breach reporting
5. Red Flags Rule (identity theft prevention)
6. Payment Card Industry Data Security Standard (PCI DSS)

Timothy J. Nagle
Vice President and Chief Privacy Counsel
Prudential Financial, Inc.
timothy.nagle@prudential.com