PROTECTING BRANDS IN CYBERSPACE - IAPP

Speaker Profile

Abhishek Agarwal, CIPP/US:

• Security & Privacy Leader at Kraft Foods

• Manages compliance programs to safeguard consumer, customer and employee information.

• Responsible for protecting brand image and managing reputational risk

Past Experience:

• Financial Institutions: JPMorgan Chase & HSBC

• Consulting: The Limited Brands, Metlife, Roche, Amex, William Communications, Hospira, Komatsu, Wellpoint, Microsoft, SAP, Cigna, Westward Pharma, Conair, Express Scripts, Coface

Agenda

• History of breaches and incidents

• Impact on revenue due to breach

• Key drivers for protecting brands in cyberspace

• Key elements of brand protection program

• Case Study

• Take Away: Do’s and Don’ts

History of breaches & incidents - Reported

Source: http://www.privacyrights.org/data-breach

• 562,943,732 records containing PII have been stolen since 2005.

• Over 3,241 reported data breaches have taken place.

• The average cost per record in a breach is $212.

• Through 2016, the financial impact of cybercrime will grow 10 percent per year due to the continuing discovery of new vulnerabilities.

History of breaches & incidents - Unreported

Source: http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html

| Company | Hacking Incident | Potential Impact |
|---|---|---|
| Coca Cola | Lost acquisition of China Huiyuan Juice Group (1886) after intruders stole confidential information about the deal. The company wouldn’t discuss “security matters” and said it makes disclosures in public filings. | Reputational Risk; Financial Risk; Legal Risk; Technology Risk |
| BG Group Plc | Lost geological maps, drilling records and sensitive deals. Released a one-sentence risk factor in its regulatory filings: “Information security breaches may also result in the loss of BG Group’s commercially sensitive data.” | Reputational Risk; Financial Risk; Loss of Business |
| ArcelorMittal | Confidential PowerPoints and emails about business in China were stolen from an executive. Referenced the possibility of such a threat in its regulatory filings. | Loss of Reputation; Loss of revenue due to loss of business |
| Chesapeake Energy | Investment banking details about natural gas leases that were up for sale. | Loss of Reputation; Loss of revenue due to loss of business |

Impact on Revenue

Source: http://www.networkworld.com/news/2012/072712-global-payments-data-breach-cost-261204.html

Source: http://online.wsj.com/article/SB10001424052748703859304576307664174667924.html

Source: http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-to-Cost-Billions-in-WorstCase-Scenario-459480/

Source: http://www.informationweek.com/security/attacks/rsa-securid-breach-cost-66-million/231002833

Source: http://online.wsj.com/article/SB10001424052702304778304576375911873193624.html

Source: http://online.wsj.com/article/SB10001424127887323374504578220052106443158.html

| Company | Year | Revenue Impact | Number of Records Stolen |
|---|---|---|---|
| Global Payments | 2012 | $84.4 million USD | 1.4 million payment cards |
| Sony | 2011 | $1.25 billion USD | 10 million credit cards |
| Epsilon | 2011 | $465 million USD | 60 million email addresses |
| RSA | 2010 | $66 million USD | 65 thousand customers |
| Heartland Payments | 2008 | $140 million USD | 100 million credit cards |
| TJ Maxx | 2006 | $200 million USD | 45 million customer records |

Fines Imposed

| Company | Compliance | Fines Imposed |
|---|---|---|
| Global Payments | PCI | $35.9 M USD |
| Sony | U.K. ICO | $250,000 USD |
| Epsilon | -- | Not Available |
| RSA | -- | Not Available |
| Heartland Payments | PCI | $12.5 M USD |
| TJ Maxx | PCI | $40.9 M USD |

• EU DPA fines of up to one million Euros or two per cent of annual revenue for a data breach.

• SEC guidance asks publicly traded companies to report cyber security risks in their annual reports.

Impact on Revenue: Case Study – Sony

Source: "Limiting the Impact of Data Breaches: The Case of the Sony PlayStation Network." Authors: Alessandro Gazzini and Matthew W. Holt

• The cost of the 2010 earthquake to Sony was $2.3 B.

• The cost of the breach to Sony varies from $5.6 to 24.5 B.

• The immediate impact of the earthquake on Sony’s share price (-19 percent) was about the same as the impact to the general economy (-18 percent), but both recovered about 50 percent of the loss by March.

• The data breach, on the other hand, caused a sustained 12 percent loss in Sony’s share price—the equivalent of $3.6 billion in market capitalization.

• To put this in perspective, the cost of Toyota Motor Corporation’s unintended acceleration crisis in 2010 for 8 million Camry vehicles was $2 billion, and its share price fell only 8.5 percent.

• So either the markets were irrational in their evaluation of the impact of the PSN data breach or the operational impact was more severe than the impact of Toyota’s crisis on a revenue percentage basis.

• Evaluating events based on share price is admittedly imperfect, but the key message is clear: The PSN data breach knocked Sony off the post-tsunami economic recovery path in Japan.

Key drivers for protecting brands

SEC Guidance

• SEC has provided guidance to publicly traded corporations to report cyber incidents and the adequacy of preventative actions taken to reduce cyber security risks.

Reputational Risk

• DJSI Sustainability index and Corporate Governance require adequate data security and privacy controls over consumer information.

Compliance with Audit

• Commitment to audit to improve the privacy and security posture over the PII and thus reduce regulatory, brand, and/or reputational risks.

Media channels connecting to Cyberspace

[Diagram: Leveraged Digital Marketing Solutions. Labels: Content Management; Digital Asset Management; Social / Community; Digital Analytics; Marketing & Campaign Management; Consumer Data Management; Syndicated Content; Brand Properties; Promotions; Brand Communities; Mobile; eCommerce; Security & Compliance; Web Hosting; Search; Components & Web Services; Collaboration & Workflow]

• Multiple technology media channels available to manage and deliver consistent, seamless, and contextual brand experiences.

Problem statement

• Breaches are impacting the bottom line of organizations.

• Regulatory bodies are imposing increasing fines; however, self-regulation is lacking and companies are not reporting breach activities.

• The technology landscape is evolving quickly with mobility, cloud computing, social media and data analytics.

• How do companies protect their brands in cyberspace while reaching out to consumers with technology media channels?

Key elements of brand protection program

• Ensure the cyber media presence has reasonable information security controls to minimize the risk and impact of hacking that negatively affects business results, including revenue, reputation risk and regulatory compliance risk.

Inventory Management

• E-Discovery

• Domains & IPs

• Classification

Brand Assessment

• Centralized, Standardized

• Website Assessment

• Continuous Monitoring

Reporting & Remediation

• Management Dashboards

• Reporting

• Remediation Approach

Governance

• Findings & Remediations

• Inventory Management

• Third Party Service Provider

Risk based approach

• Risk rank the digital media inventory based on privacy regulations, technology standards and business purpose.

Brand Assessment

• Target the assessment at the top 10 security threats and vulnerabilities.

• Standardize the set of checks based on the technology platform.

• Ensure key privacy components are covered through the assessments, including data collection, use limitation, notice and choice, security safeguards and access to data.

• Ensure the gaps identified in the security assessment are remediated or accepted in a timely fashion.

Dashboard and Reporting

• Report the brands' security and privacy health index.

• Brands by revenue per region with brand protection cost savings.

Governance model

• 3rd party service providers supporting infrastructure.

• Agencies and marketing services follow policies.

• Maintain global digital inventory – centrally.

• Establish a framework based on global privacy regulations.

• Establish a centralized program to achieve standardization.

Program maturity

[Chart: Security & Privacy Controls Maturity, Year 1 through Year 5. Control areas shown: Authentication, Authorization, Encryption, Firewall, Anti Virus, Data Protection, Access Controls, Threat & Vulnerabilities, Governance]

• Establish the maturity model to effectively manage budget and compliance.

• Reflect the cost savings and opportunity to stakeholders.

Case Study

• Company Profile:

  • Industry: CPG organization with focus on Marketing and Supply Chain

  • Revenue: 20 billion USD

• Information profile:

  • 10+ brands with over 500 million in revenue

  • 90+ brands with over 100 million in revenue

  • 10+ million consumer records

  • 5000+ third party service providers, business partners & agencies

• High Risk Areas:

  • 3rd Party Risk, Privacy, Merger, Acquisitions & Divestitures

Case Study

• Privacy & Security Posture:

  • More than 7000 domains

  • Over 750 websites, mobile sites and social media

• Privacy & Security Risks:

  • Domain registrations & inventory management

  • Risk ranked inventory based on privacy regulations and technology platforms

  • Consistent privacy policy, statement, notices

  • Governance model over third party service providers

  • Corporate policy on website development

  • Establish security baseline

Take Away

• Identify the revenue generating brands: Read the organization's annual report.

• Identify Stakeholders: CMO, CFO, CCO, CIO.

• Understand the technology strategy: Align with CIO, CTO.

• Develop a risk based strategy: Protect High Risk first.

• Set expectations: Say “when” a breach will happen, not “if” a breach happens.

• Finally, keep it simple.

QUESTIONS