Transcript of CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW
4/5/2017
1
CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW
April 5, 2017
TO RECEIVE CPE CREDIT
• Participate in entire webinar
• Answer polls when they are provided
• If you are viewing this webinar in a group
  o Complete group attendance form with
    - Title & date of live webinar
    - Your company name
    - Your printed name, signature & email address
  o All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar
  o Answer polls when they are provided
• If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar
YOUR PRESENTER
Jan Hertzberg, Director
• Cybersecurity practice leader
• More than 30 years of experience in providing IT audit, risk, cybersecurity & privacy compliance services
OBJECTIVES
Identify activities that can help management & boards effectively address cyber-risk
Describe key foundational elements of an effective cybersecurity program
Describe how cybersecurity risk landscape has changed & why cyber-risk must be managed as an enterprise-wide concern, not just an IT issue
RAPIDLY EVOLVING CYBERTHREATS – MOTIVATIONAL SHIFTS
(Figure: additive motivation progression line. Threat actors shown: fraudsters, hacktivists, nation-states. Motivations progress from theft to disruption to destruction.)
TOP CYBER THREATS BY INDUSTRY
• Transportation (77%): web application attacks, denial of service, cyber-espionage
• Utilities (69%): cyber-espionage, crimeware, denial of service
• Manufacturing (55%): denial of service, cyber-espionage, insider & privilege misuse (password)
Source: Verizon Data Breach Investigations Report 2015
TOP 10 CYBER-ESPIONAGE TARGETS (share of cyber-espionage incidents by industry)
• Manufacturing: 27.4%
• Public sector: 20.2%
• Professional: 13.3%
• Information: 6.2%
• Utilities: 3.9%
• Transportation: 1.8%
• Educational: 1.7%
• Real estate: 1.3%
• Financial services: 0.8%
• Health care: 0.7%
Source: Verizon Data Breach Investigations Report 2015
BUSINESS EMAIL COMPROMISE: A SPECIAL KIND OF “PHISH”
• From October 2013 through February 2016, law enforcement received reports from 17,642 victims
• Total exposed loss = $2.3 billion since 2013
• FBI has identified a 270% increase in BEC attack victims & exposed loss since Jan. 2015
• Law enforcement globally has received complaints from victims in every U.S. state & 95 countries
• In Arizona, average loss per scam is between $25,000 & $75,000
Sources: http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/ and https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams
BREACH IMPACTS
• Regulatory sanctions
• Regulator scrutiny
• Legal liability
• Fines
• Damaged patient relationships
• Damaged employee relationships
• Deceptive or unfair trade charges
• Diversion of resources
• Lost productivity
• Negative publicity
• Refusal to share personal information
• Damage to brand
WHAT DRIVES COST OF BREACHES?
INTERESTING STATISTICS
• Timing
  o In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla the most difficult)
  o In 83% of cases, it took weeks or more to discover an incident occurred
  o Attackers take easiest route (63% leveraged weak, default or stolen passwords)
  o 95% of breaches were made possible by nine patterns including poor IT support processes, employee error & insider/privilege misuse of access
• Companies go back to basics once breached
  o 53% training & awareness
  o 49% additional manual controls
  o 52% expand use of encryption
  o 19% security certification or audit
HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)
Covers
  o Health care providers
  o Health care payors
  o Health care clearinghouses
  o Employers who administer their own health plans
Protected Health Information (PHI)
  o Covered entities may only use or disclose PHI as permitted
Enforced by
  o HHS Office for Civil Rights
  o State attorneys general
Introduced
  o HIPAA (1996), HITECH (2009) & The Omnibus Rule (2013)
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
Covers
  o Businesses accepting credit & debit card payments
  o “Card Present” transactions (card swipes)
  o “Card Not Present” transactions (eCommerce)
Cardholder Data
  o Handling, processing & transmission by “merchants”
Enforced by
  o Credit card brands
  o “Acquiring Bank” responsible for processing payment transactions
Introduced
  o PCI Security Standards Council (PCI SSC), consisting of five credit card brands (Visa, MasterCard, Discover, American Express, JCB), created the PCI DSS in 2006; updated on three-year cycle
EXECUTIVE ORDER 13556 (CONTROLLED UNCLASSIFIED INFORMATION)
Covers
  o Nonfederal contractors that support the delivery of essential products & services to federal customers, state, local & tribal governments as well as colleges & universities
Controlled Unclassified Information (CUI)
  o Information systems that process, store & transmit sensitive, unclassified federal information
  o Includes 14 “families” of security requirements (e.g., access control, incident response, media protection, system & information integrity)
Enforced by
  o Federal agencies
Introduced
  o November 4, 2010, Controlled Unclassified Information
BOARD CYBER-RISK OVERSIGHT
BOARDS SEEK GREATER INVOLVEMENT IN OVERSIGHT
• 51% of respondents indicated cyber risk is allocated to audit committee
• 89% indicated cybersecurity is discussed regularly during board meetings
• 62% indicated CIO delivers reports to the board about cybersecurity
• 24% expressed dissatisfaction with quality of cyber-risk information provided to board
Source: National Association of Corporate Directors (NACD), 2016–2017 NACD Public Company Governance Survey
WHAT DO BOARDS WANT TO KNOW?
• What do we consider our most valuable assets? How does our IT system interact with those assets? Do we believe we can fully protect those assets?
• Do we think there is adequate protection in place if someone wanted to get at or damage our corporate “crown jewels”? If not, what would it take to feel comfortable that our assets were protected?
• Are we investing enough so our corporate operating & network systems are not easy targets for a determined hacker?
• Are we considering cybersecurity aspects of our major business decisions, such as mergers & acquisitions, partnerships, new product launches, etc., in a timely fashion?
NACD PUBLIC COMPANY GOVERNANCE SURVEY (board oversight activities)
• Reviewed the company’s current approach to protecting its most critical data assets
• Reviewed the technology infrastructure used to protect the company’s most critical data assets
• Communicated with management about the types of cyber-risk information the board requires
• Reviewed the company’s response plan in the case of a breach
• Assessed risks associated with third-party vendors or suppliers
FIVE PRINCIPLES OF CYBER RISK TO CONSIDER
I. Organizations need to understand & approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue
II. Organizations should understand legal implications of cyber risks as they relate to their company’s specific circumstances
III. Boards should have adequate access to cybersecurity expertise, & discussions about cyber-risk management should be given regular & adequate time on the board meeting agenda
IV. Organizations should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing & budget
V. Board/management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach
Source: National Association of Corporate Directors (NACD), 2016–2017 NACD Public Company Governance Survey
PRINCIPLE I
Understand & approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue
PRINCIPLE II
Understand legal implications of cyber risks as they relate to the company’s specific circumstances

Issue: Contractual obligations to customers, e.g., compliance, breach notification requirements, may not be identified & monitored over time
Risk: Lack of awareness of specific contractual obligations to protect data
Recommendation: Perform enterprise-wide contract review to ensure cyber-related contract obligations are well understood

Issue: Lacks comprehensive, risk-based vendor management program that includes all third-party relationships across vendor life cycle (from risk assessment through monitoring)
Risk: Use of vendors with poor cybersecurity controls may increase risk; inconsistent expectations around notification requirements may complicate timely resolution of data breaches
Recommendation: Implement & maintain comprehensive vendor management program

Issue: Company may be unaware of personally identifiable information (PII) held across the enterprise & corresponding legal requirements to protect it
Risk: Insufficient understanding of cyber risks posed by “overlooked” data
Recommendation: Ensure data is properly classified, e.g., confidential, internal use only, public, & that enterprise-wide data inventory is completed. Inventory should reflect how data should be shared as well as “owner”

COMMITTEE RESPONSIBLE FOR OVERSIGHT (chart)
PRINCIPLE III
Boards should have adequate access to cybersecurity expertise, & discussions about cyber-risk management should be given regular & adequate time on the board meeting agenda
CYBERSECURITY REPORTING TO BOARD (chart)
PRINCIPLE IV
Set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing & budget
NIST CYBERSECURITY FRAMEWORK
Framework Overview & Design
• Background
  o Published February 12, 2014, by the National Institute of Standards & Technology (NIST)
  o Voluntary federal framework (not a set of standards) for critical infrastructure services
  o Provides common language for organizations to assess, communicate & measure improvement in security posture
• Controls
  o High-level controls provide framework of “what” but not “how”
  o Five functions, 22 control categories, 98 key controls derived from industry best practice & standards
  o Contains four maturity tier ratings
NIST CYBERSECURITY FRAMEWORK (Framework Core categories, grouped under the five functions of version 1.0)
• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
• Protect: Access Control; Awareness & Training; Data Security; Information Protection Processes; Maintenance; Protective Technology
• Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes
• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
• Recover: Recovery Planning; Improvements; Communications
PRINCIPLE V
Board/management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach
STRATEGIC QUESTIONS
• What data, & how much data, are we willing to lose or have compromised? (“risk appetite”)
• How should our cyber-risk mitigation investments be allocated among basic & advanced defenses?
• What options are available to us to mitigate? To transfer?
• How should we assess the impact of cybersecurity incidents?
CONCLUSION
• Company information assets are increasingly at risk across a number of industries
• Choose a robust cybersecurity framework against which the company’s or organization’s cybersecurity controls & processes can be assessed
• Board involvement in cyber risk can provide much-needed strategic insight & support
RESOURCES
• ISACA® & Institute of Internal Auditors Research Foundation (IIA RF), “Cybersecurity: What the Board of Directors Needs to Ask,” 2014
• National Institute of Standards & Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.0, February 12, 2014
• National Association of Corporate Directors, “Cyber-Risk Oversight,” Director’s Handbook Series, 2017
• http://www.verizonenterprise.com/DBIR/2016/
• http://www.dfs.ny.gov/reportpub/dfs_cyber_insurance_report_022015.pdf
ADDITIONAL RESOURCES
• CERT (http://www.cert.org/incident-management/)
• ISACA (www.isaca.org)
• NIST (www.nist.gov)
• NACD (www.nacdonline.org)
• PCI Security Standards Council (https://www.pcisecuritystandards.org)
The information contained in these slides is presented by professionals for your information only. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered herein or in these seminars.
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org
CPE CREDIT
CPE credit may be awarded upon verification of participant attendance
For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]
Jan Hertzberg | 630.282.9500 | [email protected]