Global Cybersecurity Enterprise Risk Management
Transcript of Global Cybersecurity Enterprise Risk Management
3 April 2019
Global Cybersecurity Enterprise Risk Management
Kelly Harris, Prudential Insurance Company of America
Stratis Pridgeon, Wyndham Destinations
Speaker
Kelly Harris
Vice President, Corporate Counsel, Privacy & Cybersecurity
Prudential Insurance Company of America
Kelly Harris is Vice President, Corporate Counsel, Privacy & Cybersecurity at Prudential Insurance Company of America, based in Newark, NJ. In her role, Kelly provides specialized legal advice and counsel regarding information security and privacy laws/regulations, data usage and governance, and legal issues related to information protection, cybersecurity, and emerging technologies to all of Prudential’s complex and federated businesses and groups.
Before joining Prudential 2 years ago, Kelly spent 7 years helping to build the Privacy and Information Security programs at Wyndham Worldwide. She started her legal career as an associate with Kirkpatrick & Lockhart (now K&L Gates) and then Gibbons, PC before going in-house to Japanese pharmaceutical companies Daiichi Sankyo and Otsuka.
Speaker
Stratis Pridgeon
Group Vice President, Legal
Wyndham Destinations
Stratis Pridgeon serves as Group Vice President, Legal, and Global Privacy Lead for Wyndham Destinations. His responsibilities include advising the company on privacy and data security issues, information technology contracts and licenses, and information management. He previously served in a similar capacity with Wyndham Vacation Ownership.
Prior to joining Wyndham, Stratis was a bank examiner with the State of Florida as well as counsel for multiple Florida regulatory agencies. He has chaired the Privacy Subcommittee of the American Resort Development Association (ARDA) since its inception almost twenty years ago, and has been a frequent speaker at ARDA and other industry conferences on privacy and data security. Stratis is a graduate of The Florida State University and Stetson University College of Law and holds the distinction of Certified Information Privacy Professional/US from the International Association of Privacy Professionals.
Global Cyber ERM
Disclaimer
The opinions expressed in this session are solely those of the participants. The opinions are not those of the organizers or sponsors of this conference or the panel participants’ respective companies/firms or any of their officers or directors.
This presentation and its contents do not constitute legal advice. You are encouraged to consult your own counsel regarding the application of any laws or regulations discussed herein to your company, to your client or to your specific circumstances.
The mention of any products or services or their providers or any organizations is not intended to be an endorsement.
“Risk comes from not knowing what you’re doing.”
- Warren Buffett (2014 or earlier)
“Cyber is uncharted territory. It’s going to get worse, not better.”
- Warren Buffett (2018)
Agenda
• Introduction
• Risk Frameworks and Other Tools
• The 7 C’s of Cyber ERM
• ERM/Cyber ERM Resources
• Questions
Introduction
• What is Enterprise Risk Management (or “ERM”)?
• What is Cyber ERM?
• Why do we care about ERM / Cyber ERM?
What is Enterprise Risk Management (or “ERM”)?
One Definition –
“A process, effected by an entity’s board of directors, management or other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”*
*From “Enterprise Risk Management – Integrated Framework - Executive Summary” ©2004 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
What is Cyber ERM?
A key component of an organization’s overall Enterprise Risk Management program that requires new focus due to increases in cyber threats and uses of new technologies.
The US Department of Homeland Security highlights the following Key Cyber Risk Management Concepts:
• Incorporate cyber risks into existing risk management
• Begin cyber risk management discussions with your leadership team
• Implement industry standards and best practices
• Evaluate and manage specific cyber risks
• Provide oversight and review
• Develop and test incident response plans
• Coordinate cyber incident response planning across the enterprise
• Maintain awareness of cyber threats
(“Cyber Risk Management Primer for CEOs” - dhs.gov)
Why do we care about ERM / Cyber ERM?
• Compliance with laws (too many to name)
o Sarbanes Oxley (SOX)
o NY DFS Cybersecurity Regulation (“risk-based approach”)
o General Data Protection Regulation (GDPR)
o China Internet Security Law
o California Consumer Privacy Act (CCPA)
• Business Disruption
o Impact on customer service
o Loss of value
• Consumer impact
o Effect of loss/misuse of personal information
Why do we care about ERM / Cyber ERM?
• Threats
o Cyberattacks
o Internal actors
o Deficient products/services
o Litigation
• Brand reputation
o Negative publicity
o Competitive disadvantage
• Business efficiency
o New technologies (IoT)
o Cloud vs. on-prem
o Balance demands of business leaders and public
Why do we care about ERM / Cyber ERM?
Making the Case: Complexity
• Organizations are incredibly complex: multiple subsidiaries on a global scale, numerous business functions, thousands of employees, service providers, and processes
• Multiple risk owners spread across corporate functions and operating divisions
• Extension of cyber risks to service providers (e.g., cloud) and issues of responsibility/liability
• Constantly evolving nature of cyber risk due to advancements in technology and more sophisticated “bad actors”
Need: a view of cyber risk that flows through the entire organization, with cross-functional understanding
Why do we care about ERM / Cyber ERM?
Making the Case: In the Matter of Voya Financial Advisors, Inc. – Overview
• On September 26, 2018, the SEC issued an Order against Voya Financial Advisors, Inc. (“VFA”), a division of Voya
• The Order related to a 2016 online security breach of the accounts of three independent advisors
• Using social engineering, fraudsters took over the independent advisors’ VFA accounts, leading to the compromise of the personal information of 5,600 people, but no financial loss
• Voya agreed to pay a fine of $1,000,000
Why do we care about ERM / Cyber ERM?
Making the Case: In the Matter of Voya Financial Advisors, Inc. – Significance
• The SEC found that VFA violated both the Safeguards Rule and the Identity Theft Red Flags Rule.
• Both rules require policies and procedures to keep information safe and to respond to fraud.
• VFA had such policies and procedures, but the SEC found that:
o VFA did not regularly update the policies in response to threats
o There were gaps in VFA’s policies (“risks”)
o VFA did not always follow its policies
In the Matter of Voya Financial Advisors Inc., Exchange Act Release No. 84288, Investment Advisers Act Release No. 5048 (Sept. 26, 2018), available at https://www.sec.gov/litigation/admin/2018/34-84288.pdf.
Risk Frameworks and Other Tools
• General Enterprise Risk
• Cyber/IT
• Privacy
• Sector-specific Tools (example)
General Enterprise Risk Frameworks
COSO “Enterprise Risk Management – Integrated Framework” (2004)
• A “set of principles organized into five interrelated components”:
o Governance and Culture
o Strategy and Objective-Setting
o Performance
o Review and Revision
o Information, Communication, and Reporting*
• Supplemented by the “COSO Enterprise Risk Management – Integrating with Strategy and Performance” (2017)
• “COSO in the Cyber Age” (Thought Paper)
*From “Enterprise Risk Management – Integrating with Strategy and Performance – Executive Summary” ©2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
Cyber/IT Risk Frameworks
• NIST (US National Institute of Standards and Technology) Cybersecurity Framework
o Basics
o Users
o Components
• ISO 27001 (Organisation Internationale de Normalisation aka International Organization for Standardization)
• PCI Security Standards Council Data Security Standard
Cyber/IT Risk Frameworks
NIST Cybersecurity Framework – Basics
• Voluntary guidance
• Based on existing standards
• Help organizations manage and reduce risks
• Foster risk and cybersecurity communications
• Use is voluntary
• Customize for sectors/organizations to their unique risks
• Version 1.0 issued in February 2014
• Collaboration between industry, academia, and government
• Current Version 1.1 issued April 16, 2018
FROM: https://www.nist.gov/cyberframework/questions-and-answers#framework
Cyber/IT Risk Frameworks
NIST Cybersecurity Framework – Users
• Intended to address “critical infrastructure”; however, other organizations can use it
• Can be used by organizations with mature cybersecurity programs
• Raise awareness
• Improve communications
• Share cybersecurity expectations
• Use as a strategic planning tool
FROM: https://www.nist.gov/cyberframework/questions-and-answers#framework
Cyber/IT Risk Frameworks
NIST Cybersecurity Framework – Components
• Core Functions: Identify, Protect, Detect, Respond, Recover
• Profile
o Alignment of standards, guidelines and practices
o Current vs. Target
o Prioritization and self-assessments
• Implementation Tiers: Partial (Tier 1), Risk Aware (Tier 2), Repeatable (Tier 3), Adaptable (Tier 4)
FROM: https://www.nist.gov/cyberframework/questions-and-answers#framework
Cyber/IT Risk Frameworks
NIST Cybersecurity Framework Implementation Tiers
(RMP = Risk Management Process; IRMP = Integrated Risk Management Process; EP = External Participation)
Partial (Tier 1)
• RMP: Ad hoc / reactive
• IRMP: Limited awareness
• EP: Lack of understanding or awareness
Risk Informed (Tier 2)
• RMP: Risk mgmt. practices approved by mgmt. but not org. wide
• IRMP: Awareness at org level but not managed org-wide
• EP: General understanding; collaborates but doesn’t share
Repeatable (Tier 3)
• RMP: Risk mgmt. practices formally approved and expressed as policy
• IRMP: Consistent methods in place to respond to changes in risk
• EP: Organization is aware of cyber supply chain risk associated with products/services
Adaptive (Tier 4)
• RMP: Risk mgmt. practices formally approved and expressed as policy
• IRMP: Consistent methods in place to respond to changes in risk
• EP: Understands role and contributes to broader understanding of risks
FROM: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Cyber/IT Risk Frameworks
ISO 27001 (Organisation Internationale de Normalisation aka International Organization for Standardization)
• ISO (along with IEC, the “International Electrotechnical Commission”) provides a “family of standards” under ISO/IEC 27000 to assist organizations with managing risks related to their information security management systems
• ISO 27001 is often referenced in contractual security requirements as documentation of an organization’s security practices
• Certification of ISO 27001 compliance is available through ISO and independent auditors.
• Documentation available for purchase through ISO. (iso.org)
Cyber/IT Risk Frameworks
PCI Data Security Standard (PCI DSS)
• “Framework for a robust payment card data security process”
• Consists of 12 requirements for securing cardholder data
• Includes a Prioritized Approach for compliance with the PCI DSS
o Roadmap to address risks
o “Quick wins”
o Supports financial and operational planning
o Progress indicators that are objective and measurable
o Helps promote assessor consistency
FROM: https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI-DSS-v3_2_1.pdf
Cyber/IT Risk Frameworks
PCI Data Security Standard (PCI DSS) – Prioritized Approach to PCI DSS
Milestone – Goals
1 – Remove sensitive authentication data and limit data retention
2 – Protect systems and networks, and be prepared to respond to a system breach
3 – Secure payment card applications
4 – Monitor and control access to your systems
5 – Protect stored cardholder data
6 – Finalize remaining compliance efforts, and ensure all controls are in place
FROM: https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI-DSS-v3_2_1.pdf
Privacy Risk Frameworks
NIST (US National Institute of Standards and Technology) Privacy Framework
Status
o Currently under development
o Official Request for Information (RFI) period ended January 14, 2019, but still accepting input
NIST Privacy Framework Working Outline – Components
o Basics
o Core
o Profile
o Implementation Tiers
FROM: www.nist.gov/privacy-framework
Privacy Risk Frameworks
NIST Privacy Framework
Basics
• “…will provide a set of activities to achieve specific privacy outcomes….”
• “…will present key privacy outcomes identified by stakeholders as helpful in managing privacy risk.”
Core (four elements)
• Functions
• Categories
• Subcategories
• Informative References
FROM: www.nist.gov/privacy-framework
Privacy Risk Frameworks
NIST Privacy Framework – Core Functions
• Identify: Develop the organizational understanding to manage privacy risk for individuals arising from data processing or their interactions with products, services or systems.
• Protect: Develop and implement appropriate data safeguards.
• Control: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to meet privacy objectives.
• Inform: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding about how data is processed.
• Respond: Develop and implement appropriate activities to take actions regarding a privacy breach.
FROM: www.nist.gov/privacy-framework
Privacy Risk Frameworks
NIST Privacy Framework – Profile
• Functions, Categories and Subcategories, aligned with business requirements, risk tolerance, privacy objectives and resources
• Current Profile: privacy outcomes currently being achieved
• Target Profile: outcomes needed to achieve desired privacy risk management goals
• Used to gauge resources and to communicate risk
FROM: www.nist.gov/privacy-framework
Privacy Risk Frameworks
NIST Privacy Framework Implementation Tiers
• Tiers: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), Adaptive (Tier 4)
• Assessed across: Risk Management Process, Integrated Risk Management Process, External Participation
FROM: www.nist.gov/privacy-framework
Sector-Specific Tools (example)
HIPAA Security Guidance
• HHS Security Risk Assessment (SRA) Tool
o The Security Rule requires covered entities and business associates to conduct a risk assessment to ensure compliance with HIPAA’s administrative, physical, and technical safeguards
o Downloadable to a local instance
o Best for small to medium organizations
• NIST HIPAA Security Toolkit Application
o Intended to help organizations better understand and implement Security Rule requirements
o Assists covered entities and business associates
FROM: www.hhs.gov and www.healthit.gov
The 7 C’s of Cyber ERM
Where do ERM and Cyber meet?
• Multitude of resources on the ERM, cybersecurity, and privacy sides
• All with common themes
• Distilled into seven (7) sometimes overlapping concepts as another way to think about it
• Each with potential effects and suggested processes (not all-inclusive)
The 7 C’s of Cyber ERM
• Culture
• Communication
• Capability
• Consensus
• Clarity
• Correction
• Cover
Culture
Effects
• Increase understanding of “risk appetite” of the organization
• Enhance alignment of risk to business
• Institute or enhance risk governance
• Enrich risk recognition and consideration
• Empower collaboration on risk-based practices across functions
Processes
• Develop cyber risk strategies and objectives
• Obtain and retain C-suite support
• Establish a risk committee or council (could be “cyber risk” or “information risk”)
• Embrace “privacy/security/risk by design”
Communication
Effects
• Improve alignment on risk across organization
• Increase transparency on risk tolerance
• Enhance risk awareness
Processes
• Communicate risk strategies, objectives, practices, and tolerance
• Institute reporting mechanism (employee hotline)
• Emphasize risk mitigation practices (e.g., conduct phishing tests)
Capability
Effects
• Increase efficiencies of resources
• Minimize employee or vendor lapses
• Improve reaction/response time
Processes
• Engage “Risk Champions”
• Recruit certified cybersecurity and compliance talent
• Retain vendors with proven track record
• Engage vendors under attorney-client privilege
Consensus
Effects
• Lessen volatility of economic impact
• Minimize risk of new vulnerabilities
• Reduce “fire drills” for incident response
• Create more efficient use of resources
Processes
• Utilize a recognized Framework
• Obtain agreement on strategy for cross-functional risks (implement risk and policy councils)
• Implement policies and procedures
o Develop an ERM policy with cyber risk and privacy components
o Develop data security policies and standards mapped to industry/regulatory requirements
Clarity
Effects
• Reduce impact of known or unknown vulnerabilities
• Minimize impact of “trusted” sources
• Maximize response on highest impact
Processes
• Conduct data inventory and mapping
• Control and audit access to data (hold managers accountable)
• Categorize and classify systems based on whether critical, customer-facing and similar impact criteria
Correction
Effects
• Decrease likelihood of reoccurrence of incidents
• Increase resiliency in anticipation of future events
• Remediate impacted systems and applications
Processes
• Conduct post-incident debrief
• Review processes for gaps
• Provide additional training for those involved
• Take appropriate personnel or contract action
Cover
Effects
• Mitigate impact of cybersecurity incidents
• Reduce impact of vendor performance deficiencies
• Increase likelihood of economic recovery
Processes
• Prepare appropriate contract language (privacy and data protection, indemnification, insurance)
• Conduct vendor risk assessments
• Purchase cybersecurity coverage
ERM / Cyber ERM Resources
ERM Resources
o Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• www.coso.org (“Enterprise Risk Management - Integrated Framework”)
• https://www.coso.org/documents/COSO%20in%20the%20Cyber%20Age_FULL_r11.pdf (“COSO in the Cyber Age”) (Thought Paper)
o Organisation Internationale de Normalisation (International Organization for Standardization) (ISO)
• www.iso.org (ISO 31000 – Risk management)
o NC State University Poole College of Management
• erm.ncsu.edu
o American Society for Healthcare Risk Management
• www.ashrm.org
o The Institute of Risk Management (London)
• www.theirm.org
Cybersecurity Risk Resources
o National Institute of Standards and Technology (NIST) (US)
• www.nist.gov/cyberframework (“Framework for Improving Critical Infrastructure Cybersecurity”)
o ISO
• www.iso.org (ISO/IEC 27000 family – Information security management systems)
o Information Systems Audit and Control Association (ISACA)
• www.isaca.org (“Control Objectives for Information and Related Technology – Framework for IT Governance and Control” (COBIT) and “Risk IT”)
o PCI Security Standards Council
• www.pcisecuritystandards.org (“PCI Data Security Standard” or “PCI DSS”)
o ASIS International
• www.asisonline.org (CSO Roundtable – Enterprise Security Risk Management)
o BSA | The Software Alliance
• bsacybersecurity.bsa.org (Cybersecurity Policy Framework)
Privacy Risk Resources
o NIST Privacy Framework
• www.nist.gov/privacy-framework (“NIST Privacy Framework: An Enterprise Risk Management Tool”)
o International Association of Privacy Professionals
• www.iapp.org
Legal/Regulatory Resources
o Sarbanes Oxley (SOX) (Section 404)
• http://legcounsel.house.gov/Comps/Sarbanes-oxley%20Act%20Of%202002.pdf
o GLBA Safeguards Rule
• https://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=1e9a81d52a0904d70a046d0675d613b0&rgn=div5&view=text&node=16%3A1.0.1.3.38&idno=16
o HIPAA Security Rule
• https://www.hhs.gov/hipaa/for-professionals/security/index.html
o NY DFS Cybersecurity Regulation
• https://www.dfs.ny.gov/industry_guidance/cyber_filings
o Massachusetts Rule: 201 CMR 17: Standards for the protection of personal information of residents of the Commonwealth
• https://www.mass.gov/regulations/201-CMR-17-standards-for-the-protection-of-personal-information-of-residents-of-the
Legal/Regulatory Resources
o General Data Protection Regulation (GDPR)
• https://ec.europa.eu
o China Internet Security Law (English translation)
• https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/
o California Consumer Privacy Act (CCPA)
• https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
• https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB1121
Questions
Questions + Contacts
Kelly Harris
Vice President, Corporate Counsel, Privacy & Cybersecurity
Prudential Insurance Company of America
[email protected]
Stratis Pridgeon
Group Vice President, Legal
Wyndham Destinations
[email protected]