CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW

April 5, 2017


TO RECEIVE CPE CREDIT

• Participate in entire webinar

• Answer polls when they are provided

• If you are viewing this webinar in a group

  o Complete group attendance form with

    - Title & date of live webinar

    - Your company name

    - Your printed name, signature & email address

  o All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar

• If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar

YOUR PRESENTER

Jan Hertzberg, Director

• Cybersecurity practice leader

• More than 30 years of experience in providing IT audit, risk, cybersecurity & privacy compliance services


OBJECTIVES

• Identify activities that can help management & boards effectively address cyber-risk

• Describe key foundational elements of an effective cybersecurity program

• Describe how the cybersecurity risk landscape has changed & why cyber-risk must be managed as an enterprise-wide concern, not just an IT issue

RAPIDLY EVOLVING CYBERTHREATS – MOTIVATIONAL SHIFTS

[Figure: additive motivation progression line. Threat actors shown: fraudsters, hacktivists, nation-states. Motivations shown along the progression: theft, disruption, destruction.]


TOP CYBER THREATS BY INDUSTRY

• Transportation (77%): web application attacks, denial of service, cyber-espionage

• Utilities (69%): cyber-espionage, crimeware, denial of service

• Manufacturing (55%): denial of service, cyber-espionage, insider & privilege misuse (password)

Source: Verizon Data Breach Investigations Report 2015

TOP 10 CYBER-ESPIONAGE TARGETS

• Manufacturing: 27.4%

• Public sector: 20.2%

• Professional: 13.3%

• Information: 6.2%

• Utilities: 3.9%

• Transportation: 1.8%

• Educational: 1.7%

• Real estate: 1.3%

• Financial services: 0.8%

• Health care: 0.7%

Source: Verizon Data Breach Investigations Report 2015


BUSINESS EMAIL COMPROMISE: A SPECIAL KIND OF “PHISH”

• From October 2013 through February 2016, law enforcement received reports from 17,642 victims

• Total exposed loss = $2.3 billion since 2013

• FBI has identified a 270% increase in BEC attack victims & exposed loss since Jan. 2015

• Law enforcement globally has received complaints from victims in every U.S. state & 95 countries

• In Arizona, average loss per scam is between $25,000 & $75,000

Sources:
http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/
https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams

BREACH IMPACTS

• Regulatory sanctions

• Regulator scrutiny

• Legal liability

• Fines

• Damaged patient relationships

• Damaged employee relationships

• Deceptive or unfair trade charges

• Diversion of resources

• Lost productivity

• Negative publicity

• Refusal to share personal information

• Damage to brand


WHAT DRIVES COST OF BREACHES?

INTERESTING STATISTICS

• Timing

  o In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla the most difficult)

  o In 83% of cases, it took weeks or more to discover an incident occurred

  o Attackers take easiest route (63% leveraged weak, default or stolen passwords)

  o 95% of breaches were made possible by nine patterns including poor IT support processes, employee error & insider/privilege misuse of access

• Companies go back to basics once breached

  o 53% training & awareness

  o 49% additional manual controls

  o 52% expand use of encryption

  o 19% security certification or audit


HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)

• Covers

  o Health care providers

  o Health care payors

  o Health care clearinghouses

  o Employers who administer their own health plans

• Protected Health Information (PHI)

  o Covered entities may only use or disclose PHI as permitted

• Enforced by

  o HHS Office for Civil Rights

  o State attorneys general

• Introduced

  o HIPAA (1996), HITECH (2009) & the Omnibus Rule (2013)

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

• Covers

  o Businesses accepting credit & debit card payments

  o “Card Present” transactions (card swipes)

  o “Card Not Present” transactions (eCommerce)

• Cardholder Data

  o Handling, processing & transmission by “merchants”

• Enforced by

  o Credit card brands

  o “Acquiring Bank” responsible for processing payment transactions

• Introduced

  o PCI Security Standards Council (PCI SSC), consisting of five credit card brands (Visa, MasterCard, Discover, American Express, JCB), created the PCI DSS in 2006; updated on three-year cycle


EXECUTIVE ORDER 13556 (CONTROLLED UNCLASSIFIED INFORMATION)

• Covers

  o Nonfederal contractors that support the delivery of essential products & services to federal customers, state, local & tribal governments as well as colleges & universities

• Controlled Unclassified Information (CUI)

  o Information systems that process, store & transmit sensitive, unclassified federal information

  o Includes 14 “families” of security requirements (e.g., access control, incident response, media protection, system & information integrity)

• Enforced by

  o Federal agencies

• Introduced

  o November 4, 2010 (Controlled Unclassified Information executive order)

BOARD CYBER-RISK OVERSIGHT


BOARDS SEEK GREATER INVOLVEMENT IN OVERSIGHT

• 51% of respondents indicated cyber risk is allocated to the audit committee

• 89% indicated cybersecurity is discussed regularly during board meetings

Source: National Association of Corporate Directors (NACD), 2016–2017 NACD Public Company Governance Survey


BOARDS SEEK GREATER INVOLVEMENT IN OVERSIGHT

• 62% indicated the CIO delivers reports to the board about cybersecurity

• 24% expressed dissatisfaction with the quality of cyber-risk information provided to the board

Source: National Association of Corporate Directors (NACD), 2016–2017 NACD Public Company Governance Survey


WHAT DO BOARDS WANT TO KNOW?

• What do we consider our most valuable assets? How does our IT system interact with those assets? Do we believe we can fully protect those assets?

• Do we think there is adequate protection in place if someone wanted to get at or damage our corporate “crown jewels”? If not, what would it take to feel comfortable that our assets were protected?

• Are we investing enough so our corporate operating & network systems are not easy targets for a determined hacker?

• Are we considering cybersecurity aspects of our major business decisions, such as mergers & acquisitions, partnerships, new product launches, etc., in a timely fashion?

NACD PUBLIC COMPANY GOVERNANCE SURVEY

• Reviewed the company’s current approach to protecting its most critical data assets

• Reviewed the technology infrastructure used to protect the company’s most critical data assets

• Communicated with management about the types of cyber-risk information the board requires

• Reviewed the company’s response plan in the case of a breach

• Assessed risks associated with third-party vendors or suppliers


FIVE PRINCIPLES OF CYBER RISK TO CONSIDER

I. Organizations need to understand & approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue

II. Organizations should understand the legal implications of cyber risks as they relate to their company’s specific circumstances

III. Boards should have adequate access to cybersecurity expertise, & discussions about cyber-risk management should be given regular & adequate time on the board meeting agenda

IV. Organizations should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing & budget

V. Board/management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach

Source: National Association of Corporate Directors (NACD), 2016–2017 NACD Public Company Governance Survey

PRINCIPLE I

Understand & approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue


PRINCIPLE II

Understand the legal implications of cyber risks as they relate to the company’s specific circumstances

Issue / Risk / Recommendation

1. Issue: Contractual obligations to customers, e.g., compliance, breach notification requirements, may not be identified & monitored over time
   Risk: Lack of awareness of specific contractual obligations to protect data
   Recommendation: Perform enterprise-wide contract review to ensure cyber-related contract obligations are well understood

2. Issue: Lack of a comprehensive, risk-based vendor management program that includes all third-party relationships across the vendor life cycle (from risk assessment through monitoring)
   Risk: Use of vendors with poor cybersecurity controls may increase risk; inconsistent expectations around notification requirements may complicate timely resolution of data breaches
   Recommendation: Implement & maintain a comprehensive vendor management program

3. Issue: Company may be unaware of personally identifiable information (PII) held across the enterprise & corresponding legal requirements to protect it
   Risk: Insufficient understanding of cyber risks posed by “overlooked” data
   Recommendation: Ensure data is properly classified, e.g., confidential, internal use only, public, & that an enterprise-wide data inventory is completed. Inventory should reflect how data should be shared as well as its “owner”

COMMITTEE RESPONSIBLE FOR OVERSIGHT (chart; values not captured in the slide text)


PRINCIPLE III

Boards should have adequate access to cybersecurity expertise, & discussions about cyber-risk management should be given regular & adequate time on the board meeting agenda

CYBERSECURITY REPORTING TO BOARD (chart; values not captured in the slide text)


PRINCIPLE IV

Set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing & budget

NIST CYBERSECURITY FRAMEWORK

Framework Overview & Design

• Background

  o Published February 12, 2014, by the National Institute of Standards & Technology (NIST)

  o Voluntary federal framework (not a set of standards) for critical infrastructure services

  o Provides a common language for organizations to assess, communicate & measure improvement in security posture

• Controls

  o High-level controls provide a framework of “what” but not “how”

  o Five functions, 22 control categories, 98 key controls derived from industry best practice & standards

  o Contains four maturity tier ratings


NIST CYBERSECURITY FRAMEWORK

Categories, grouped under the framework's five functions:

• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy

• Protect: Access Control; Awareness & Training; Data Security; Information Protection Processes; Maintenance; Protective Technology

• Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes

• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements

• Recover: Recovery Planning; Improvements; Communications

PRINCIPLE V

Board/management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach


STRATEGIC QUESTIONS

• What data, & how much data, are we willing to lose or have compromised? (“risk appetite”)

• How should our cyber-risk mitigation investments be allocated among basic & advanced defenses?

• What options are available to us to mitigate? To transfer?

• How should we assess the impact of cybersecurity incidents?

CONCLUSION

• Company information assets are increasingly at risk across a number of industries

• Choose a robust cybersecurity framework against which the company's cybersecurity & processes may be assessed

• Board involvement in cyber risk can provide much-needed strategic insight & support


RESOURCES

• ISACA® & Institute of Internal Auditors Research Foundation (IIA RF), “Cybersecurity: What the Board of Directors Needs to Ask”, 2014

• National Institute of Standards & Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.0, February 12, 2014

• National Association of Corporate Directors, “Cyber-Risk Oversight”, Director’s Handbook Series, 2017

• http://www.verizonenterprise.com/DBIR/2016/

• http://www.dfs.ny.gov/reportpub/dfs_cyber_insurance_report_022015.pdf

ADDITIONAL RESOURCES

• CERT (http://www.cert.org/incident-management/)

• ISACA (www.isaca.org)

• NIST (www.nist.gov)

• NACD (www.nacdonline.org)

• PCI Security Standards Council (https://www.pcisecuritystandards.org)


The information contained in these slides is presented by professionals for your information only. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered herein or in these seminars.

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org


CPE CREDIT

CPE credit may be awarded upon verification of participant attendance

For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]

Jan Hertzberg | 630.282.9500 | [email protected]
