Exercising Your Enterprise Cyber Response Crisis Management Capabilities



Similar documents
Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cyber Insurance Presentation

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Cybersecurity y Managing g the Risks

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE THIRD ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: A SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN THE ASIA-PACIFIC REGION

Cyber Risks and Insurance Solutions Malaysia, November 2013

Managing Cyber Risk through Insurance

Managing cyber risks with insurance

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

ISO? ISO? ISO? LTD ISO?

Third Party Risk Management 12 April 2012

Network & Information Security Policy

DON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS?

eet Business continuity and disaster recovery Enhancing enterprise resiliency for the power and utilities industry Power and Utilities Fact Sheet

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Cybercrime: risks, penalties and prevention

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

How To Cover A Data Breach In The European Market

Risk Considerations for Internal Audit

ACE European Risk Briefing 2012

COMPETITION TRIGGERS BATTLE FOR TALENT AND ACQUISITIONS

HEALTH CARE AND CYBER SECURITY:

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Four

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

Vendor Management. Outsourcing Technology Services

Cybersecurity and internal audit. August 15, 2014

DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS?

The promise and pitfalls of cyber insurance January 2016

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

Understanding Professional Liability Insurance

CGI Cyber Risk Advisory and Management Services for Insurers

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Cybersecurity and Privacy Hot Topics 2015

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Virginia Commonwealth University School of Medicine Information Security Standard

Cyber security Building confidence in your digital future

Business Resiliency Business Continuity Management - January 14, 2014

June What investors need to know about cybersecurity: How to evaluate investment risks

Managing business risk

Cyber Risks in the Boardroom

Mitigating and managing cyber risk: ten issues to consider

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

How To Assess A Critical Service Provider

PRIORITIZING CYBERSECURITY

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP

The economics of IT risk and reputation

Into the cybersecurity breach

CYBER SECURITY SPECIALREPORT

Risk management + Strategic planning IT TAKES AN ENTIRE ORGANIZATION

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

Developing National Frameworks & Engaging the Private Sector

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

Certified Disaster Recovery Engineer

Principles for BCM requirements for the Dutch financial sector and its providers.

OECD PROJECT ON CYBER RISK INSURANCE

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for?

Business Continuity and Disaster Survival Strategies for the Small and Mid Size Business.

Network Security & Privacy Landscape

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions

Internet threats: steps to security for your small business

Insuring Innovation. CyberFirst Coverage for Technology Companies

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

State of Security Survey GLOBAL FINDINGS

Liability Management Evolving Cyber and Physical Security Standards and the SAFETY Act

Transcription:

Exercising Your Enterprise Cyber Response Crisis Management Capabilities Ray Abide, PricewaterhouseCoopers, LLP 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

Agenda CEO view of cyber risks and recent statistics Cyber risk disclosures Cyber incident timeline Cyber incident enterprise impact Business continuity management definitions and benefits Legacy cyber incident exercises and the impacted enterprise Cyber incident interruption scenarios to consider & exercise timeline Some questions for management

CEO s view of cyber risks 69% of CEO s are concerned about IP/customer data protection, intellectual property protection, and cybersecurity. In some industry sectors, cyber risk threatens growth. 71% of US CEOs in banking and capital markets cite cybersecurity concerns. Companies are beginning to change how they think about cybersecurity viewing it as a business issue, not an IT one. Isn t it time that the crisis management program in its entirety be practiced to respond to these threats?

Recent statistics Financial Calculation Cyber Monday Protection Response and Remediation Mobile Cybercrime is a tax on innovation, cost and jobs. It costs $445 billion each year in loss and clean-up 2014 Cyber Monday saw fewer attacks, but near record amounts of data stolen* Cybercrime and IT failure ranks in Top 5 business risks for 1 st time. There was an increase from 8 th place in 2014 and 15 th place in 2013** 78% of CIO/CISO s have not provided a security strategy to their Board of Directors Malware infection rates are now split 50/50 between Windows laptops and Android devices*** * IBM **Kroll Ontrack ***Alcatel-Lucent

Cyber risk public disclosures It is common place to see cyber-breach / cyber-attack disclosures in companies 10-K SEC filings. Any failure to maintain the security of the information relating to our customers, associates and vendors that we hold, whether as a result of cybersecurity attacks or otherwise, could damage our reputation with customers, associates, vendors and others, could cause us to incur substantial additional costs and to become subject to litigation, and could materially adversely affect our operating results. Retail & Consumer Company If our security measures are breached, or if our services are subject to attacks that degrade or deny the ability of users to access our products and services, our products and services may be perceived as not being secure, users and customers may curtail or stop using our products and services, and we may incur significant legal and financial exposure. - Technology Company Increased cybersecurity requirements, vulnerabilities, threats and more sophisticated and targeted computer crime could pose a risk to our systems, networks, products, solutions, services and data. Industrial Conglomerate A cyber attack, information or security breach, or a technology failure of ours or of a third party could adversely affect our ability to conduct our business, manage our exposure to risk or expand our businesses, result in the disclosure or misuse of confidential or proprietary information, increase our costs to maintain and update our operational and security systems and infrastructure, and adversely impact our results of operations, cash flows, liquidity and financial condition, as well as cause reputational harm. Financial Services Company

Pre-Crisis Preparation Crisis Event Incident timeline Effective incident response depends on a well-designed & coordinated Business Continuity Management Program. Minutes Hours Days Weeks Incident/Emergency Response Crisis Management IIA - GTAG 10 (2010) IT Disaster Recovery Business Continuity

Cyber incidents have enterprise-wide impacts Financial, Operational, Reputation Impacts Increased Costs Interrupted and abandoned transactions Financial analyst and investor concerns result in value loss Supply/service chain interruption Loss of technology services Overwhelmed contact centers Unwelcomed media coverage Strained business relationships Technology remediation Restoring brand Legal & regulatory Product redesign Advisors Compliance Insurance Training

Reducing the cyber incident s impact Negative Impacts Safety Reputational Financial Legal Regulatory Operational Morale Ineffective, Uncoordinated BCM Effective, Coordinated BCM: Incident Response, Crisis Management, Business Continuity, IT Disaster Recovery Event Impact Duration

Business continuity management defined Business Continuity Management Process of identifying, preventing, preparing for, and responding to, events that may disrupt business activities. Crisis Management Supports command and control during an operational disruption and includes incident identification, evaluation, escalation, declaration, plan activation and deactivation with significant focus on crisis communication. Incident / Emergency Response Facilitates and organizes actions during emergencies. These involve procedures to protect personnel & assets. IT Disaster Recovery Addresses the restoration of business system software, hardware, IT infrastructure services and data during an incident. Business Continuity Addresses the recovery and continuity of critical business functions required to maintain an acceptable level of operation during an incident.

BCM can improve enterprise incident response BCM program governance BC/DR exercises Program assessment Exercise & Maintain Risk Assessment What risks could interrupt our operations? How are these risks currently addressed? Business Continuity Plans for critical processes Crisis Management Plans IT DR plan improvements Develop Plans Recovery Strategy Selection Business Impact Analysis How are critical processes impacted by service interruptions? What resources do these critical processes rely upon to function effectively (technology, personnel, facilities, third parties)? Which recovery strategies should be used? Which strategies have worked previously?

Legacy cyber incident exercises Traditionally, cyber incident response exercises were often IT focused events. Determine the what, how, where, and extent of breach. Stop additional data loss or impact. Take infected machines offline, but leave power on. Initiate clean machines to take control Ensure you won't infect the new machines Summarize exercise results Request additional cyber defense funding

Impacted enterprise A cyber incident s impact often resonates throughout the organization IT Customer Care Internal External Communications Finance & Investor Relations Legal HR Supply / Service Chain Vendor Management Operations / Point of Service & Delivery

Cyber incident scenarios to consider The following cyber incident exercise scenarios can easily be designed to exercise the enterprises crisis management plan: Denial of Service attack Customers and business partners unable to interact with the organization, fear of exposed data Data Breach Customer, patient, employee and IP data exposed and/or corrupted Unplanned Outage of IT or Telecommunications Denial of service turned inward, interrupting technology services, full-stop of critical operations Loss of Key Supplier due to a cyber incident Supply and service chain interruption, confidential IP exposed, other business partners concerned about their cyber exposure related to your vendor.

Example cyber table top exercise timeline Act 1 It begins: unusual network activity detected that quickly overwhelms network and incapacitates applications. [IT Incident Response] Act 2 Widespread impact: Media reports breached data examples, customers unable to transact business, efforts to restore systems stability marginally effective, employees unable to access several key systems, stock price decrease. [IT Incident Response, Crisis Management, IT Disaster Recovery] Act 3 Picking up the pieces: Some systems restored and others remain unstable, media focus continues, revenue / order volume at lower levels, first lawsuit filed. [IT Disaster Recovery, Crisis Management, Business Continuity]

Example cyber table top exercise timeline Act 1 It begins: unusual network activity detected that quickly overwhelms network and incapacitates applications. [IT Incident Response] Act 2 Widespread impact: Media reports breached data examples, customers unable to transact business, efforts to restore systems stability marginally effective, employees unable to access several key systems, stock price decrease. [IT Incident Response, Crisis Management, IT Disaster Recovery] Act 3 Picking up the pieces: Some systems restored and others remain unstable, media focus continues, revenue / order volume at lower levels, first lawsuit filed. [IT Disaster Recovery, Crisis Management, Business Continuity]

Questions for management 1. Have you discussed cyber security risks with your audit committee? 2. Does your company have a comprehensive internal audit plan for your company s cyber security program? 3. How well was your business continuity plan designed to respond to cyber incidents? 4. If cyber threats present a significant risk to the organization, has a crisis management table top exercise been conducted using a cyber incident scenario? 5. If a cyber incident response has been exercised, was the business impact analysis used to identify exercise participants based on interrupt impact? 6. Has the organization determined how it will respond to one of their key vendors being impacted by a cyber incident resulting in their product / service interruption? 7. Does your company have a cyber security program and has your company assessed it using the federally issued preliminary cyber security framework? 8. What company assets are most vulnerable to cyber attacks? 9. Does your company have an cyber incident response plan? And is that plan updated and tested periodically?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information