Ironshore Data Privacy CE/CLE Seminar
September 17, 2014
Life Cycle of a Breach
o Identification of the Threat or Security Incident: What just happened?
o Triggering the Incident Response Team: Making sure the right people / partners are part of the team
o Containment: Have you stopped the “bleeding”?
o Remediation: Have you taken steps to prevent this type of event from occurring in the future?
o Notification – and beyond
Overview
You are part of a company that operates retail stores throughout the United States. Payment-card and HR processing is handled by your corporate offices for all stores. The Company employs approximately 20,000 employees.
Cyber Attack!
SQL Injection (8/21/2014)
Rafael Negron
SQL Demo
SQL Injection
What is SQL?
[Diagram: the Web Application sends SQL to the Database, and the Database returns the resulting changes]
o SQL: Structured Query Language
o Used to store, edit, and retrieve database data
o Applications issue SQL commands that manage data
SQL Injection
[Diagram: malicious input is inserted into the Web Application's entry field, and the resulting SQL is passed on to the Database]
o Malicious SQL statements are inserted into an entry field for execution
o Malicious SQL statements are intended to do things such as display “Username and Password”
SQL Mini-Lesson
"Users" Table (the table containing the data):

UserName | FirstName | LastName | Password
CJONES   | Cynthia   | Jones    | XXXXXX
BSMITH   | Bill      | Smith    | YYYYYY
SKING    | Susan     | King     | ZZZZZZZ
RSMITH   | Rob       | Smith    | AAAAA

Query (the SELECT list is the column data returned; the WHERE clause is the criteria rows must meet):
SELECT UserName, Password
FROM Users
WHERE LastName = 'Smith'

Query Results: the rows meeting the criteria, showing only the returned columns
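As an added illustration (not part of the seminar's demo), the slide's Users table and query run two ways: the string-building form that lets an entry-field value rewrite the WHERE criteria, next to the parameterized form that closes the hole. The sqlite3 setup and the crafted input are constructed for this example; the passwords are the slide's placeholders.

```python
import sqlite3

# The slide's "Users" table (constructed in memory; passwords are placeholders).
USERS = [
    ("CJONES", "Cynthia", "Jones", "XXXXXX"),
    ("BSMITH", "Bill", "Smith", "YYYYYY"),
    ("SKING", "Susan", "King", "ZZZZZZZ"),
    ("RSMITH", "Rob", "Smith", "AAAAA"),
]


def make_db():
    """Build an in-memory database holding the slide's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserName TEXT, FirstName TEXT, LastName TEXT, Password TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, last_name):
    """The pattern that makes the slide's query injectable: the entry-field value
    is pasted into the SQL text, so a quote in the input ends the literal and the
    rest of the input becomes part of the statement's criteria."""
    sql = "SELECT UserName, Password FROM Users WHERE LastName = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, last_name):
    """Hardened form: the SQL text is fixed and the value is bound as a parameter,
    so the database treats the input as data, never as SQL."""
    sql = "SELECT UserName, Password FROM Users WHERE LastName = ?"
    return conn.execute(sql, (last_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Intended use: both forms return the two Smith rows.
    print(lookup_vulnerable(db, "Smith"))
    print(lookup_safe(db, "Smith"))
    # Crafted entry-field value (constructed for the demo): the vulnerable form
    # now returns every UserName and Password, which is exactly what the slide
    # warns about; the safe form returns no rows, because no LastName literally
    # equals that string.
    crafted = "Smith' OR 'a'='a"
    print(lookup_vulnerable(db, crafted))
    print(lookup_safe(db, crafted))
```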
Exploitation Methodology
Step 1 Scan
Step 2 Vulnerability Assessment
Step 3 Remote Exploitation
Step 4 Privilege Escalation
Windows Passwords
SQL Demonstration
Pass The Hash
Pass The Hash Demo
What Just Happened?
Your Company was the victim of a SQL injection attack against a web application that provided information on customers who had purchased the Company’s services. The hacker appears to have gained access to a database that was serving the web application.
Question: What Do You Do?
Information Exposed
The initial investigation shows that the database contained employees’ names, addresses, social security numbers, driver’s license numbers, position, and bank account information. The database has been operational for 5 years. The database appears to have stored cardholder information for repeat customers.
Question: Now what? Does this impact your initial plan of action?
Monkey Wrench #1
You just learned that Brian Krebs, an online reporter who is credited with breaking the story that Target had been breached, and is followed by thousands of other publications, posted a story on his blog that the Company appears to have been breached. The story mentions that the Company failed to return phone calls for two days.
Monkey Wrench #2
The CEO of the Company contacts you, and tells you that he just received an e-mail from an unknown e-mail address, informing him that this person has the personal information of the CEO and his daughter, provides his driver’s license as proof, and threatens to post it online unless the CEO pays a ransom.
Update From Investigation
The database contained a link to an application that was connected to the Company’s payment processing system, which is centrally located at the Company’s headquarters. The application automatically updated information for repeat customers, but also allowed the hacker to potentially access the payment card information of all customers, exposing over 2 million credit cards.
Monkey Wrench #3
The FBI has just shown up at your door, and wants access to your data center so it can image your computers and servers in order to investigate the cyber attack.
Monkey Wrench #4
In the midst of your investigation, you receive an inquiry from a regulatory agency requesting more information about the event, asking for policies and procedures, and seeking a meeting.
Summary
o Responding Quickly, But Effectively Matters
o Know Who Your “Team” Members Are Before You Have An Event - Internal And External
o Training And Education Matters!
o No Two Events Are Alike - Expect The Unexpected
CYBER RISKS THE BUCK STOPS WITH THE BOARD
Panelists:
o Anjali C. Das, Partner, Wilson Elser, LLP
o Ty R. Sagalow, President, Innovation Insurance Group, LLC
o William A. Boeck, SVP, Lockton Companies
o Lindsay B. Nickle, Partner, Wilson Elser, LLP
o Kristi Janicek, Ironshore
o Brenda Barnat, Abernathy MacGregor Group
OVERVIEW
o Corporate Exposures for a Data Breach
o Lack of Board Oversight for Data Privacy and Security
o SEC Guidance and Enforcement
o Rise in Shareholder Litigation Against D&Os
o Corporate Governance and Cyber Risk Management
o Cyber Insurance versus Other Insurance
DATA BREACHES IN THE NEWS
Target, Neiman Marcus, Advocate Healthcare, Twitter, Adobe, Facebook, Living Social, Evernote, Federal Reserve Bank
CORPORATE EXPOSURES FOR A DATA BREACH
Average Data Breach Response Costs
o Avg. total organizational cost of breach: $5,403,644
o Avg. detection costs: $395,262
o Avg. notification costs: $565,020
o Avg. remediation costs: $1,412,548
o Avg. lost business costs: $3,030,814
o $200 a record
Note: Figures do not include mega breaches in excess of 100,000 breached records
Source: Ponemon Institute 2013 Cost of Data Breach Study
Other Breach Related Costs
o Litigation costs: consumer class actions, shareholder suits, government investigations and proceedings
o Impact on corporate finances: cash flow, loan covenants and credit, shareholder value, reputational injury and loss of business
Adverse Impact on Target’s Corporate Financials
o 5.5% decrease in sales in 4Q 2013
o “Meaningfully softer results” following news of the breach
o 11% drop in stock price
o Reputational injury
Target Data Breach Related Costs
o $88 million incurred for data breach response costs and related expenses to date
o Amounts include internal investigation costs, credit monitoring, staffing call centers
o $52 million in expected insurance recoveries
o $100 million in dedicated cyber liability insurance
Target Management Shake Up
o CIO/CEO “resignations”
o CFO testifies before Congress
o Shareholder proxy advisor ISS recommends ousting Board members
o Appointment of new Chief Information Security Officer
LACK OF BOARD OVERSIGHT FOR DATA SECURITY
“Only a few executive officers understand security and the rest are clueless. . . . [T]his causes a big disconnect between the people performing information security to protect an organization’s data and the top-level executives at the organization.”
Source: Larry Ponemon, Founder of the Ponemon Institute
o Many Boards are reassessing their skills in cyber risk management
o Experience in overseeing the growing threat of cyber security risk is one of the key attributes Boards will consider when appointing new directors
o IT expertise is now considered one of the top 5 attributes for today’s Board members
o Only 11% of Boards are “very confident” of their ability to manage cyber risk
Source: NYSE 2014 Survey: What Directors Think
SEC GUIDANCE AND ENFORCEMENT FOR DATA SECURITY AND PRIVACY
SEC Cyber Risk Disclosure Guidance
o Discussion of aspects of business or operations that give rise to material cyber risks (costs and consequences)
o Outsourced functions that may give rise to a cyber risk and how the company manages that risk
o Description of material cyber incidents to date (costs and consequences)
o Risks related to cyber incidents that may remain undetected for an extended period
o Description of relevant insurance coverage
5/1/13 Letter from SEC Chair Mary Jo White to Senator Rockefeller highlights the SEC’s interest in cyber risk
o Cybersecurity risks are an “increasing concern” for public companies and financial markets
o Since 2012, the SEC has issued 50 comment letters to companies regarding their cyber risk disclosures
o SEC continues to “prioritize” this issue
o SEC is evaluating the “efficacy” of its guidance
o Possibility that the SEC consider further action on this topic
“Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
SEC Commissioner Luis Aguilar speaking at the NYSE Conference: Cyber Risks and the Boardroom (June 10, 2014)
SEC “Blueprint” of Cybersecurity Issues for Wall Street Firms
1. Inventory of information security assets
2. Dedicated employees responsible for monitoring and detecting cybersecurity threats
3. Cyber liability insurance
4. Security policies, practices, and internal controls
5. Cybersecurity risks associated with third party vendors, service providers, and business partners
D&O CYBER EXPOSURE: THE NEW FRONTIER FOR SHAREHOLDER SUITS
Securities Class Actions
o Was there a stock drop following news of a big data breach?
o Did the D&Os knowingly conceal a material cyber risk (scienter)?
o Were the stock losses caused by the bad news or by a “corrective disclosure” (loss causation)?
o Did the company adequately disclose cyber risks in its filings (per SEC guidance)?
Derivative Actions
o Breach of fiduciary duties and lack of oversight by Board
o Weak internal controls for cyber risk
o Damages to company resulting from data breach or other cyber threat
Target Shareholder Suits
o Shareholder derivative suits against Target’s D&Os for breach of fiduciary duty related to the 2013 data breach
o Suits filed in Minnesota federal court
o Suits name CEO, CFO, CIO and Board of Directors
o D&Os allegedly failed to: (1) promptly notify customers of the data breach, and (2) implement internal controls to detect and prevent a data breach
o Complaints highlight Company’s Privacy Policy
o Company allegedly failed to use the PCI Data Security Standard for large retail companies
Company’s Purported Damages
1. Reputational injury and loss of business
2. Loss of revenue and profits
3. Costs of defending and/or settling consumer class actions
4. Costs incurred in response to government investigations
5. Costs incurred from Company’s internal investigation
6. Data breach remediation costs
Corporate Governance and Cyber Risk Management Best Practices
SEC Recommendations to Boards to Manage Cyber Risk
1. Use the NIST Framework as Guidance
2. Retain Directors with technical and security expertise
3. Companies should have skilled employees to manage cyber risk on a day-to-day basis
4. Boards should make sure that companies have a tested data breach response and recovery plan in place
National Institute of Standards & Technology Framework
1) Identify critical IT and electronic data assets
2) Protect these assets
3) Detect cybersecurity threats
4) Respond to cyber attacks (breach response plan)
5) Recover lost, stolen, or impaired assets (recovery plan)
Privacy Policy Due Diligence
o Who is responsible for the Privacy Policy (i.e., Chief Privacy Officer)?
o What PII does the Company collect?
o From which states/countries is PII collected?
o Who has access to the PII (both inside and outside the Company)?
Drafting the Privacy Policy
o Does it provide notice of the Company’s collection of PII?
o Does it provide consumers with opt-in/opt-out for use of their information?
o Is PII being protected through appropriate (industry standard) security?
o Is the Policy prominently located on the Company’s Website?
Compliance/Auditing
o Are employees trained on protecting PII?
o Does the Company employ effective security measures to protect PII?
o Does the Company periodically audit compliance with its Privacy Policy?
Contracts with Vendors/Business Associates
o ID type of data to be stored or processed (PHI, PII, etc.)
o Where will data be stored, transferred, accessed?
o Specify baseline security standards that Vendor must adhere to
o Does Vendor have its own Privacy Policy?
o Definition of a reportable security breach
o Who will be responsible for notifying consumers (Company or Vendor)?
o Data disposal and deletion requirements and time-frame
o Company’s right to audit Vendor for compliance with data security/privacy
o Address Vendor’s use of Subcontractors
o Who has to comply with what laws, and who is financially responsible (Company or Vendor, or both)?
More Data Security Policies and Procedures
o Training employees
o Restricting users and access to network resources
o Implementing a process for managing IT assets
o Adopting a security policy that addresses mobile media
o Maintaining controls to secure portable media
o Maintaining protection against DDoS attacks
o Maintaining a written data destruction policy
o Maintaining a written cybersecurity breach response plan
o Testing computer backup systems
o Using data encryption
o Conducting periodic audits to ensure compliance with security policies
Carnegie Mellon’s Corporate Governance Best Practices Checklist for Cyber Risk
o Establish a Board Cyber Risk Committee
o Recruit directors with IT and security expertise
o Conduct an annual audit of security and breach response programs and controls
o Require management to give periodic reports on privacy and security risks
o Require the Board to conduct an annual review of budgets for privacy and security risk management
o Evaluate potential liabilities and losses for cyber risk
o Review the adequacy of cyber risk insurance coverage
Privacy and Security Risk Disclosures
Privacy concerns relating to our technology could damage our reputation and deter current and potential users from using our products and services.
In addition, as nearly all of our products and services are web-based, the amount of data we store for our users on our servers (including personal information) has been increasing. Any systems failure or compromise of our security that results in the release of our users’ data could seriously limit the adoption of our products and services, as well as harm our reputation and brand and, therefore, our business. We expect to continue to expend significant resources to protect against security breaches. The risk that these types of events could seriously harm our business is likely to increase as we expand the number of web-based products and services we offer, and operate in more countries.
(Source: Google Form 10-Q 7/24/14)
Privacy and Security Risk Disclosures
We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.
We are currently subject to a number of governmental investigations and private litigation and other claims relating to the Data Breach, and in the future we may be subject to additional investigations and claims of this sort. These investigations and claims could have a material adverse impact on our results of operations or profitability.
Finally, we believe that the greatest risk to our business arising out of the Data Breach is the negative impact on our reputation and loss of confidence of our guests, as well as the possibility of decreased participation in our REDcards Rewards loyalty program which our internal analysis has indicated drives meaningful incremental sales.
(Source: Target Form 10-K 3/14/14)
Don’t Count on Traditional Insurance to Respond to Cyber Exposures
o CGL Coverage
o D&O Insurance
o Cyber Liability Insurance
CGL Policy
Coverage A: Bodily Injury or Property Damage
o Property damage means physical injury to tangible property, including loss of use of property
o Is electronic data physical or tangible property?
Evolution of ISO standard form CGL Policies
o Pre-2001: No exclusion for electronic data
o Post-2001: Electronic data excluded
o Post-2004: Exclusion for damages arising out of the loss of, damage to, corruption of, or inability to access electronic data
CGL Policy
Coverage B: Personal and Advertising Injury
o Includes “oral or written publication of material that violates a person’s right to privacy”
o Coverage B might apply to theft of consumer data or misuse of customer information
o Post-2001 ISO standard form CGL policies exclude coverage for Internet-related activities
New ISO Exclusion for CGL Policies
1) Arising out of any access or disclosure of any person’s or organization’s confidential or personal information; OR
2) Arising out of the loss of, damage to, corruption of, or inability to access or manipulate electronic data
Public Company D&O Policy
o Coverage for shareholder suits
o Limited coverage for investigations
o Entity coverage limited to Securities Claims
o No specific cyber exclusions
o Bodily injury and property damage exclusion
o Personal injury exclusion
o Other insurance provision
Private Company D&O Policy
o Duty to defend
o Broad entity coverage
o Could include claims for negligence for failure to reasonably safeguard customer information
o Bodily injury / property damage exclusion that applies to injury to physical or tangible property
o Personal injury exclusion that applies to claims for “invasion of privacy”
o Courts have held that loss or theft of PII pursuant to a data breach does not give rise to a typical tort claim for invasion of privacy
Cyber Liability Policy
1. First Party Coverage, including:
   o Breach notification costs
   o Forensic investigation
   o Credit monitoring or identity theft
   o Public relations / crisis management
   o Call centers
2. Business Interruption Coverage
3. Cyber Extortion Coverage
4. Third Party Claims against Insureds
5. Regulatory Investigations
D&O and Corporate Cyber Exposure Takeaways
o The buck stops with the Board
o No companies are immune to a data breach
o If the Target shareholder suits gain traction, more may follow
o Companies should have adequate cyber risk management policies and procedures
o Boards should be well-informed of cyber risks
o Duty to disclose material cyber risks
o Boards should consider how insurance responds to cyber-related claims
HYPOTHETICAL DATA BREACH SCENARIO & MOCK EMERGENCY BOARD MEETING
Imagine someone trying to break into your house. Now imagine it 60,000 times a day.
Source: http://www.ibm.com/smarterplanet/ie/en/business_resilience_management/overview/index.html?re=spf
Agenda
From a forensic, legal, and insurance perspective:
o Bring Your Own Device (BYOD)
o Vendor and Supply Chain Risks
o What Data Do I Collect, Where Is My Data, Who Has Access To My Data
o The Insider Threat
Thank You For Attending
Company Panel Participants: