RIMS ERM CONFERENCE 2016 · RIMS RISK FORUM MIDDLE EAST 2016 December 13-14, 2016 Dubai, UAE RIMS...
RIMS ERM
CONFERENCE 2016
Enterprise Best Practices in the Cyber World
Drew Graham, Partner, Hall Booth Smith, P.C.
Patrick Powell, Attorney, Hall Booth Smith, P.C.
Rich Magrath, Regional Director Western US, Lloyd's
Grace Crickette, Interim AVP Business Operations, SFSU
HEALTH & SAFETY
• For your safety and security, it is required that you wear your RIMS name badge to all functions.
• Be safe! Locate your nearest exit(s), fire equipment, etc.
• If you see something suspicious, say something.
STAY CONNECTED
• Twitter: Follow @RIMSorg and tweet with #RIMSERMCONF
• Facebook: “like” us at facebook.com/RIMSorg
• Instagram: Follow us @RIMSorg and tag photos with #RIMSERMCONF
• LinkedIn: connect with your presenters and join the official RIMS group, comprising 55,000+ global members
• You’re challenged to meet at least 3 new people in this room today to grow your professional network.
DON’T FORGET THE ATTENDEE SURVEY!
• Download the mobile app to take the attendee survey, as well as download speaker handouts.
• Search for “RIMS Events” on your mobile device.
CONTINUING EDUCATION CREDITS
• This session qualifies for education credits.
• Be sure to record this session on your tracking sheet.
• To sign up, please visit the registration area in the Great Room Foyer. US $49 for RIMS members; $99 for non-members.
BECOME A RIMS MEMBER
• Join RIMS today – add value to your organization and build lasting relationships with a global network of risk professionals.
• Attendees are eligible for a US $100 discount off new Organizational or Associate membership. Visit the registration area in the Great Room Foyer for details.
MARK YOUR CALENDAR!
RIMS RISK FORUM MIDDLE EAST 2016
December 13-14, 2016
Dubai, UAE
RIMS 2017 ANNUAL CONFERENCE & EXHIBITION
April 23-26, 2017
Philadelphia, PA, USA
RIMS NEXTGEN SUMMIT 2017
June 5-6, 2017
Austin, TX, USA
RIMS CYBER RISK FORUM 2017
September 7-8, 2017
Las Vegas, NV, USA
RIMS RISK FORUM AUSTRALASIA 2017
August 21-22, 2017
Sydney, Australia
RIMS ERM CONFERENCE 2017
November 6-7, 2017
Los Angeles, CA, USA
THANK YOU TO OUR PLATINUM SPONSORS!
RIMS ERM Best Practices in the Cyber World
This Presentation has been Hacked!
Using Strategic Scenarios to Understand Cyber Risk
Program Team
Moderator: Drew Graham, Partner, Hall Booth Smith, P.C.
Patrick Powell, Attorney, Hall Booth Smith, P.C.
Rich Magrath, Regional Director, Western US, Lloyd’s of London
Grace Crickette, Associate Vice President of Business Operations, San Francisco State University
From: Flyaway Sam <[email protected]>
To: You <[email protected]>
Cc:
Subject: Unexplained customer complaints

Today our call center received phone calls from eight new customers of Traveltime online booking program. The callers said that after booking trips last week, they experienced unexplained withdrawals from their checking accounts. Do you think someone could have gotten into the credit card and bank account data stored on our server? I have tried to reach the IT Security Team, but got their voice mail. I hate to leave this hanging over the weekend, but am not sure what else to do. Please advise.

Flyaway Sam | Vice President Customer Service
O: 1 (510) 396-1213 | M: 1 (209) 988-8216
[email protected]
Activate Incident Command
Scenario A
The IT manager confirms an outsider intrusion. System logs confirm:
Data gathered online from customers includes email, name, and zip code
Unauthorized access to servers, including one containing databases with HR and employee data
Credit and debit card numbers for 10,000 customers have been accessed, but the card numbers were encrypted
You thought, whew…this is not so bad, but then….
Scenario A
System logs show that:
The last user to access the credit card numbers database used a company-issued username, password, and decryption key assigned to a member of your sales staff
Immediately following the user’s access, information was copied to a file which cannot now be located on your system
Scenario A Key Takeaways
Planning and preparedness are critical given the high levels of uncertainty, stress, and risk when the incident occurs.
Know in advance what laws apply to the data that you keep as the “rules” change depending on the type of information.
Limiting access to information is critical to minimizing risk and keeping the access management process streamlined.
Scenario A Key Takeaways
When an employee’s job duties change or they leave the company, there should be a review of what they have access to, and their privileges should be removed. The same goes for contractors/vendors that have our data.
Know who will provide notice to the counterparties and have a generic letter drafted in advance to avoid scrambling during the compromise or breach.
Act promptly to identify potentially responsive insurance, to notify brokers and insurers, to select vendors or have insurers do so (depending on policy language), etc.
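Scenario A turns on two controls the takeaways name: a periodic review that strips entitlements a person’s current role (or departure) no longer justifies, and a log check that notices when the card database is decrypted by an account outside the authorised role and the data is then exported. The following is an added example, not material from the RIMS deck or from Traveltime; the role policy, account names, log format and timestamps are all constructed for illustration.

```python
"""Access review and decrypt/export correlation for a card-data store.

Added example, not part of the original presentation. The role policy,
accounts, log format and log lines below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: which entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "payments-ops": {"carddb.read", "carddb.decrypt"},
    "sales": {"crm.read"},
    "auditor-vendor": {"carddb.read"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    active: bool            # False once HR or the vendor engagement marks the person as gone
    entitlements: frozenset


def review_entitlements(accounts):
    """Return (user, entitlement, reason) for every privilege that should be removed."""
    findings = []
    for a in accounts:
        allowed = ROLE_ENTITLEMENTS.get(a.role, set())
        for e in sorted(a.entitlements):
            if not a.active:
                findings.append((a.user, e, "account inactive"))
            elif e not in allowed:
                findings.append((a.user, e, f"not granted to role {a.role}"))
    return findings


def parse_log(lines):
    """Parse the constructed format '<iso-ts> user=<u> action=<act> target=<t>'."""
    events = []
    for line in lines:
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def find_suspicious_exports(events, accounts, window=timedelta(minutes=10)):
    """Flag a card-DB decrypt by a user whose role does not allow it, and any
    decrypt followed within `window` by a file export from the same user."""
    by_user = {a.user: a for a in accounts}
    alerts = []
    for d in (e for e in events if e["action"] == "decrypt" and e["target"] == "carddb"):
        acct = by_user.get(d["user"])
        role_ok = acct is not None and "carddb.decrypt" in ROLE_ENTITLEMENTS.get(acct.role, set())
        if not role_ok:
            alerts.append((d["user"], "decrypt by unauthorized role"))
        for e in events:
            if (e["user"] == d["user"] and e["action"] == "export"
                    and d["ts"] <= e["ts"] <= d["ts"] + window):
                delay = int((e["ts"] - d["ts"]).total_seconds())
                alerts.append((d["user"], f"export to {e['target']} {delay}s after decrypt"))
    return alerts


# Constructed accounts: a stale grant left over from a role change, and an
# auditor-vendor account whose engagement ended but was never disabled.
SAMPLE_ACCOUNTS = [
    Account("pops.alice", "payments-ops", True, frozenset({"carddb.read", "carddb.decrypt"})),
    Account("sales.bob", "sales", True, frozenset({"crm.read", "carddb.read", "carddb.decrypt"})),
    Account("vendor.audit1", "auditor-vendor", False, frozenset({"carddb.read"})),
]

# Constructed log lines mirroring the scenario: a sales account decrypts the
# card database and exports a file a few minutes later.
SAMPLE_LOG = [
    "2016-11-04T17:02:11 user=pops.alice action=decrypt target=carddb",
    "2016-11-04T17:55:40 user=sales.bob action=login target=vpn",
    "2016-11-04T17:58:03 user=sales.bob action=decrypt target=carddb",
    "2016-11-04T18:01:27 user=sales.bob action=export target=/tmp/cards.csv",
]

if __name__ == "__main__":
    for f in review_entitlements(SAMPLE_ACCOUNTS):
        print("REVOKE", *f)
    for a in find_suspicious_exports(parse_log(SAMPLE_LOG), SAMPLE_ACCOUNTS):
        print("ALERT", *a)
```

Run against the constructed data, the review reports Bob’s two card-database grants and the inactive vendor account for removal, and the log check raises both an unauthorised-role decrypt and an export 204 seconds later for the same account. In practice the role policy would come from the identity system and the log lines from the database’s audit trail, but the two checks stay the same.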
Scenario B
Review of the system logs shows an independent breach and unauthorized access to the source code of the underlying software Traveltime uses for its monitoring services. The following statement is posted on a blog:
WE HAVE JUST HACKED INTO TRAVELTIME AND TAKEN THEIR SOURCE CODE. WE WILL PUBLISH THEIR SOURCE CODE IF TRAVELTIME DOES NOT AGREE TO STOP SUPPORTING THE ANTI-AMERICAN FOUNDATION.-THE PROTESTOR
Scenario B Key Takeaways
Yes, you should call law enforcement anytime there is a threat made against your organization.
It is critical to preserve evidence in the case of a breach or even a potential breach. Not doing so can complicate insurance coverage and card brand investigation, create difficulties with law enforcement, and weaken your ability to prove that you did the right things and/or that the incident did not rise to the level that would require notification.
Look at not only your cyber policy, but also your executive insurance and fidelity policies. Many Special Crime policies may contain names of companies to utilize in the event of extortion.
Scenario C
Immediately after receiving an email from Mr. Flyaway, you start investigating but cannot find any IT intrusions or problems.
Then, a few days later, the local police captain calls to say that hundreds of customer files, invoices and billing statements with credit card numbers and some medical data have been found at the dump. Codes on the paperwork indicate the records came from a Traveltime local office.
Scenario C Key Takeaways
Don’t forget that good old fashioned paper can result in a data breach. You need to minimize the retention of data whether electronic or on paper.
Ensure that any policies maintained take into account dumpster diving. Cyber risk is not the only risk; rather, consider information security as a whole.
Scenario D1
You learn that a copy of the accessed database was given electronically to your auditing firm, who is engaged to audit your Accounting and Information Security Practices:
An auditing firm employee stored this database on his laptop, to work on it while he traveled
Two weeks ago, the laptop was stolen from his car at a rest stop
Your auditing firm had not notified you before now, because they were conducting their own investigation
Scenario D2
Into the cloud……
Independent of the current situation, you receive a call from CLOUD INC., Traveltime’s third-party cloud service provider that hosts your data in its cloud.
They inform you that their server was hacked; they are unable to confirm if your data was accessed.
Detecting intrusion in a cloud computing environment is difficult.
Scenario D1&2 Key Takeaways
You want to ensure that you have contract language for your vendors that protects you from their errors and that they have the insurance coverage for a data breach. The vendor’s insurance should cover the indemnity obligations owed to you.
Discuss the need to monitor compliance with contract Terms & Conditions and methods for doing so.
Just because you outsource a system and it is in the cloud does not mean that you are not responsible for the breach; in fact you are. It is the owner of the data, not the vendor, who is responsible for ensuring appropriate notification and for any penalties. If you have the right contract language you may be able to get the vendor to be responsible for responding to the breach and to reimburse you for costs, including penalties.
Scenario D1&2 Key Takeaways
Even if you are not responsible for damages as a result of a breach, what reputational harm has this done? How do you account for a loss in market cap, client satisfaction, or shareholder comfort?
Consider insurance issues relating to such damages.
Know how best to respond to the public about a breach of a cloud through a vendor.
Conduct on site review of the vendor, even if providing cloud computing…to know what risks you see. You can tell much about an organization by being on-site annually to do an audit.
Where to learn more
http://www.microsoft.com/atwork/security/
http://www.insurancejournal.tv/videos/8466/
http://privacyguidance.com/myblog.html The Privacy Professor Blog
http://www.ponemon.org/ Ponemon Institute
Q&A
RIMS ERM
CONFERENCE 2016
Thank You For Coming!