RIMS ERM CONFERENCE 2016 · RIMS RISK FORUM MIDDLE EAST 2016 December 13-14, 2016 Dubai, UAE RIMS...



Page 1:

RIMS ERM CONFERENCE 2016

Enterprise Best Practices in the Cyber World

Drew Graham, Partner, Hall Booth Smith, P.C.

Patrick Powell, Attorney, Hall Booth Smith, P.C.

Rich Magrath, Regional Director Western US, Lloyd's

Grace Crickette, Interim AVP Business Operations, SFSU

Page 2:

HEALTH & SAFETY

• For your safety and security, it is required that you wear your RIMS name badge to all functions.

• Be safe! Locate your nearest exit(s), fire equipment, etc.

• If you see something suspicious, say something.

Page 3:

STAY CONNECTED

• Twitter: Follow @RIMSorg and tweet with #RIMSERMCONF

• Facebook: “like” us at facebook.com/RIMSorg

• Instagram: Follow us @RIMSorg and tag photos with #RIMSERMCONF

• LinkedIn: connect with your presenters and join the official RIMS group, comprising 55,000+ global members

• You’re challenged to meet at least 3 new people in this room today to grow your professional network.

Page 4:

DON’T FORGET THE ATTENDEE SURVEY!

• Download the mobile app to take the attendee survey, as well as download speaker handouts.

• Search for “RIMS Events” on your mobile device.

Page 5:

CONTINUING EDUCATION CREDITS

• This session qualifies for education credits.

• Be sure to record this session on your tracking sheet.

• To sign up, please visit the registration area in the Great Room Foyer – US $49 for RIMS members; $99 for non-members.

Page 6:

BECOME A RIMS MEMBER

• Join RIMS today – add value to your organization and build lasting relationships with a global network of risk professionals.

• Attendees are eligible for a US $100 discount off new Organizational or Associate membership. Visit the registration area in the Great Room Foyer for details.

Page 7:

MARK YOUR CALENDAR!

RIMS RISK FORUM MIDDLE EAST 2016

December 13-14, 2016

Dubai, UAE

RIMS 2017 ANNUAL CONFERENCE & EXHIBITION

April 23-26, 2017

Philadelphia, PA, USA

RIMS NEXTGEN SUMMIT 2017

June 5-6, 2017

Austin, TX, USA

RIMS CYBER RISK FORUM 2017

September 7-8, 2017

Las Vegas, NV, USA

RIMS RISK FORUM AUSTRALASIA 2017

August 21-22, 2017

Sydney, Australia

RIMS ERM CONFERENCE 2017

November 6-7, 2017

Los Angeles, CA, USA

Page 8:

THANK YOU TO OUR PLATINUM SPONSORS!

Page 9:

RIMS ERM: Best Practices in the Cyber World

Page 10:

This Presentation has been Hacked!

Using Strategic Scenarios to Understand Cyber Risk

Page 13:

Program Team

Moderator: Drew Graham, Partner, Hall Booth Smith, P.C.

Patrick Powell, Attorney, Hall Booth Smith, P.C.

Rich Magrath, Regional Director, Western US, Lloyd’s of London

Grace Crickette, Associate Vice President of Business Operations, San Francisco State University

Page 14:

From: Flyaway Sam <[email protected]>
To: You <[email protected]>
Cc:
Subject: Unexplained customer complaints

Today our call center received phone calls from eight new customers of the Traveltime online booking program. The callers said that after booking trips last week, they experienced unexplained withdrawals from their checking accounts. Do you think someone could have gotten into the credit card and bank account data stored on our server? I have tried to reach the IT Security Team, but got their voice mail. I hate to leave this hanging over the weekend, but am not sure what else to do. Please advise.

Flyaway Sam | Vice President Customer Service
O: 1 (510) 396-1213 | M: 1 (209) 988-8216
[email protected]

Page 15:

Activate Incident Command

Page 16:

Scenario A

The IT manager confirms an outsider intrusion. System logs confirm:

• Data gathered online from customers includes email, name, and zip code

• Unauthorized access to servers, including one containing databases with HR and employee data

• Credit and debit card numbers for 10,000 customers have been accessed, but the card numbers were encrypted

You thought, whew…this is not so bad, but then….

Page 17:

Scenario A

System logs show that:

• The last user to access the credit card numbers database used a company-issued username, password, and decryption key assigned to a member of your sales staff

• Immediately following the user’s access, information was copied to a file which cannot now be located on your system

Page 19:

Scenario A Key Takeaways

Planning and preparedness are critical given the high levels of uncertainty, stress, and risk when the incident occurs.

Know in advance what laws apply to the data that you keep as the “rules” change depending on the type of information.

Limiting access to information is critical to minimizing risk and keeping the access management process streamlined.

Page 20:

Scenario A Key Takeaways

When an employee’s job duties change or they leave the company, there should be a review of what they have access to, and their privileges should be removed. The same goes for contractors/vendors that have our data.

Know who will be providing notice to the counterparties and have a generic letter drafted in advance to avoid scrambling during the compromise or breach.

Act in a timely manner to identify potentially responsive insurance, to notify brokers and insurers, to select vendors or have insurers do so (depending on policy language), etc.

Page 21:

Scenario B

Review of the system logs shows an independent breach and unauthorized access to the source code of the underlying software Traveltime uses for its monitoring services. The following statement is posted on a blog:

WE HAVE JUST HACKED INTO TRAVELTIME AND TAKEN THEIR SOURCE CODE. WE WILL PUBLISH THEIR SOURCE CODE IF TRAVELTIME DOES NOT AGREE TO STOP SUPPORTING THE ANTI-AMERICAN FOUNDATION.
– THE PROTESTOR

Page 23:

Scenario B Key Takeaways

Yes, you should call law enforcement anytime there is a threat made against your organization.

It is critical to preserve evidence in the case of a breach or even a potential breach. Not doing so can complicate insurance coverage and card brand investigation, create difficulties with law enforcement, and weaken your ability to prove that you did the right things and/or that the incident did not rise to the level that would require notification.

Look at not only your cyber policy, but also your executive insurance and fidelity policies. Many Special Crime policies may contain names of companies to utilize in the event of extortion.

Page 24:

Scenario C

Immediately after receiving an email from Mr. Flyaway, you start investigating but cannot find any IT intrusions or problems.

Then, a few days later, the local police captain calls to say that hundreds of customer files, invoices and billing statements with credit card numbers and some medical data have been found at the dump. Codes on the paperwork indicate the records came from a Traveltime local office.

Page 26:

Scenario C Key Takeaways

Don’t forget that good old-fashioned paper can result in a data breach. You need to minimize the retention of data, whether electronic or on paper.

Ensure that any policies maintained take dumpster diving into account. Cyber risk is not the only risk; rather, consider information security as a whole.

Page 27:

Scenario D1

You learn that a copy of the accessed database was given electronically to your auditing firm, which is engaged to audit your Accounting and Information Security Practices:

• An auditing firm employee stored this database on his laptop, to work on it while he traveled

• Two weeks ago, the laptop was stolen from his car at a rest stop

• Your auditing firm had not notified you before now, because they were conducting their own investigation

Page 29:

Scenario D2

Into the cloud…

Independent of the current situation, you receive a call from CLOUD INC., Traveltime’s third-party cloud service provider that hosts your data in its cloud.

They inform you that their server was hacked; they are unable to confirm if your data was accessed.

Page 30:

Detecting intrusion in a cloud computing environment is difficult.

Page 31:

Scenario D1&2 Key Takeaways

You want to ensure that you have contract language for your vendors that protects you from their errors, and that they have insurance coverage for a data breach. The vendor’s insurance should cover the indemnity obligations owed to you.

Discuss the need to monitor compliance with contract Terms & Conditions, and methods for doing so.

Just because you outsource a system and it is in the cloud does not mean that you are not responsible for the breach; in fact, you are. It is the owner of the data, not the vendor, who is responsible for ensuring appropriate notification and for any penalties. If you have the right contract language, you may be able to make the vendor responsible for responding to the breach and for reimbursing your costs, including penalties.

Page 32:

Scenario D1&2 Key Takeaways

Even if you are not responsible for damages as a result of a breach, what reputational harm has this done? How do you account for a loss in market cap, client satisfaction, or shareholder comfort?

Consider insurance issues relating to such damages.

Know how best to respond to the public about a breach of a cloud through a vendor.

Conduct an on-site review of the vendor, even if they provide cloud computing, so that you know what risks you are facing. You can tell much about an organization by being on-site annually to do an audit.

Page 33:

Where to learn more

http://www.microsoft.com/atwork/security/

http://www.insurancejournal.tv/videos/8466/

http://privacyguidance.com/myblog.html – The Privacy Professor Blog

http://www.ponemon.org/ – Ponemon Institute

Page 34:

Q&A

Page 35:

RIMS ERM CONFERENCE 2016

Thank You For Coming!