October 24, 2014. Mitigating Legal and Business Risks of Cyber Breaches

Transcription:

October 24, 2014 Mitigating Legal and Business Risks of Cyber Breaches

AGENDA
- Introductions
- Cyber Threat Landscape
- Cyber Risk Mitigation Strategies

Introductions

Introductions
- To Be Confirmed, Title of Company
- To Be Confirmed, Title of Company
- R. Jason Straight, Senior Vice President, Chief Privacy Officer of UnitedLex

Cyber security and digitized information threats overview: CYBER THREAT LANDSCAPE

CYBER THREAT LANDSCAPE: Trends and Developments
- Cyber security has reached the top of the list of enterprise risks

CYBER THREAT LANDSCAPE: Trends and Developments
- Gap between offense and defense is growing despite huge investments by defenders
[Figure: percent of breaches with timelines of days or less, 2004 to 2013; series: Time to Compromise, Time to Discovery]
SOURCE: 2014 Verizon Data Breach Investigations Report

CYBER THREAT LANDSCAPE: Trends and Developments
- Large companies now in state of continuous incident response

CYBER THREAT LANDSCAPE: Threat Actor Overview
- Accidental Data Compromise
- Negligent & Malicious Insiders
- State Sponsored Attackers
- Hacktivist Groups
- Organized Crime Syndicates
- Lone-Wolf Hackers
[Figure: number of breaches per threat actor over time]
SOURCE: 2014 Verizon Data Breach Investigations Report

CYBER THREAT LANDSCAPE: Trends and Developments
- Traditional perimeter defenses still necessary but no longer sufficient; insider vulnerabilities are often overlooked
[Figure: Types of Data Breaches Experienced in Past 24 Months]
SOURCE: Ponemon Institute, The Post Breach Boom, Feb. 2013

CYBER THREAT LANDSCAPE: Trends and Developments
Security industry moving from prevention to pre-emption focus, relying on threat analytics and behavioral monitoring
- Collaboration across risk, compliance, legal, business units and IT
- Improved detection techniques
- Multiple layers of analytics and visualization
- Faster reaction to emerging threats
SOURCE: Gartner, Reality Check on Big Data Analytics for Cybersecurity and Fraud; IDC, Raising on the Executive Agenda: Fraud Waste and Abuse in Healthcare and Financial Services

CYBER THREAT LANDSCAPE: Types of Damages
- Brand damage
- Customer churn
- Business interruption
- Legal liability
- Regulatory Issues

CYBER THREAT LANDSCAPE: Threat Vector Overview
- Hacking Attacks
- Malware
- Social Engineering
- Third Party Exposures

CYBER THREAT LANDSCAPE: Hacking Attacks
- Opportunistic Attacks
  - Estimated that 75% of attacks are opportunistic, triggered by detection of vulnerability
  - Includes incidents involving stolen devices
  - Notification obligations may be triggered even absent affirmative evidence of malicious intent or actual exposure
- Targeted Attacks
  - State-Sponsored
  - Organized Crime
  - Hacktivists

CYBER THREAT LANDSCAPE: Social Engineering
- Spear Phishing

CYBER THREAT LANDSCAPE: Third Party Exposures
Source: Computerworld, IDG News Service, Feb 27, 2013
Source: DataBreach Today, June 13, 2014
Source: Krebs on Security, Feb 5, 2014

CYBER THREAT LANDSCAPE: Lessons Learned from the Target Breach
SOURCE: Timeline of Target's Data Breach And Aftermath: How Cybertheft Snowballed For The Giant Retailer, International Business Times; The Target Breach, By the numbers, KrebsOnSecurity

CYBER THREAT LANDSCAPE: Lessons Learned from the Target Breach
At least 100 lawsuits filed against Target in various state and federal courts
Common causes of action brought against Target:
- Negligence
- Breach of contract
- Breach of fiduciary duty
- Invasion of privacy
- Consumer fraud and deceptive business practices
- Violation of numerous state and federal statutes
Common theories of damages caused by the breach:
- Fraudulent charges
- Credit monitoring fees
- Identity theft
- Lost wages
- Damaged credit scores
- Anxiety over financial well-being
- Losses by financial institutions (replacing debit/credit cards, closing accounts, reversing fraudulent charges, lost interest/transaction fees)

CYBER THREAT LANDSCAPE: Lessons Learned from the Target Breach
Congressional Inquiry Document Request
1. All written policies... relating to threat monitoring, network security...
2. All documentation... detailing the funds spent and persons employed on the network security of systems serving Target stores...
3. All email correspondence, analyses, reports, or any other communications relating to... information security systems implicated in this breach.
4. Please detail whether Target was previously aware of any potential vulnerabilities to... systems implicated in this breach.

CYBER THREAT LANDSCAPE: Lessons Learned from the Target Breach
Target Breach: Tallying the Fallout
- Transactions at Target fell 3-4% compared to previous year while other retailers report strong results
- 46% drop in profits in Q4 2013, Target lays off 475
- Target CIO resigns
- Target CEO resigns
- 100+ lawsuits
- Direct costs relating to breach response and remediation (including legal fees) estimated to be as high as $1B
- Insurance coverage only $100M

Cyber security and digitized information threats overview: CYBER RISK MITIGATION STRATEGIES

Not just an IT problem

Drivers of Business Risks
"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization." (NIST Special Publication 800-30)
[Diagram labels: Risk, Threat, Vulnerabilities, Impact]

Spending is driven by a historical IT-Centric focus versus a holistic business-centric approach to enterprise cyber risk management.
[Diagram labels: Risk, Threat, Vulnerabilities, Impact]
Traditionally the security investment in technology and services has focused on controlling and reacting to vulnerabilities. We estimate that >75% of historical IT security spend is here.

Engaging parties beyond IT

Focusing on Business Risks
- Key legal and business stakeholders should help IT address simple but critical questions.

Convergence of Cyber Security and Legal Functions
- Potential Breach = Potential Legal Liability/Regulatory Inquiry

Convergence of Cyber Security and Legal Functions
- Cyber due diligence: M&A transactions and vendor screening

Effective Collaboration between legal and IT
- Tips for fostering effective communication between legal and IT functions

Effective Collaboration between legal and IT
- The privilege question in both incident response and risk assessment contexts

Effective Collaboration between legal and IT
- Involving legal in making traditional IT decisions that impact risk

Cloud Computing and IT Outsourcing
- Questions and Concerns

Conclusions and Q&A

BIOGRAPHY
R. Jason Straight, Senior Vice President, Chief Privacy Officer
Jason has more than a decade of experience assisting clients in managing information security risks, data breach incidents, data privacy obligations and complex electronic discovery challenges. Prior to joining UnitedLex, Jason held numerous leadership positions at a leading global investigations and cyber security company, most recently as a managing director in the cyber investigations practice. Jason began his career as an attorney at Fried, Frank, Harris, Shriver & Jacobsen in New York. As a recognized domain expert and Certified Information Privacy Professional (CIPP), Jason is a frequent speaker and author on topics relating to data privacy, cyber security, data breach response and computer forensics.