9/23/2020
Building Your Cybersecurity Response & Recovery
Dan Banick, Chief Information Security Officer, Warwick Communications
Chad Mowery, Shareholder, Roetzel & Andress
Joseph Ruscak, Shareholder, Roetzel & Andress
Recap: NIST and Ohio Safe Harbor
What is the Safe Harbor?
• Safe Harbor provides entities that fulfill the requirements with an affirmative defense to “any cause of action sounding in tort . . . that alleges that the failure to implement reasonable information security controls results in a data breach.”
• Safe Harbor applies both to actions brought in Ohio State Courts and to actions brought under Ohio law.
• Safe Harbor can apply to either “personal information,” “restricted information,” or both.
How to Establish Affirmative Defense
• The qualifying organization must “create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection” of personal information or personal information and restricted information
• The qualifying organization must demonstrate that the written cybersecurity framework “reasonably conforms to an industry recognized cybersecurity framework.”
How to Establish Affirmative Defense
• The qualifying organization’s program must be designed to:
1) Protect the security and confidentiality of the information;
2) Protect against any anticipated threats or hazards to the security or integrity of the information; and
3) Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
• Law specifically identifies frameworks, including that for improving critical infrastructure cybersecurity developed by the national institute of standards and technology (“NIST”), as options in accomplishing these aims.
NIST Cybersecurity for Manufacturing
https://www.nist.gov/news-events/news/2018/05/mep-centers-aid-manufacturers-cybersecurity
Key Areas to Strengthen
Key Areas to Strengthen: IDENTIFY
Identifying Risks Outside of Your Current Corporate IT Infrastructure
• Identifying “Data Partners”
• Monitoring Incorporation of New Technology
• Investigating IT Systems that are Part of Any Corporate Acquisition
Key Areas to Strengthen: IDENTIFY
Different Types of “Data Partners”
• Partners that have direct access to your systems
• Partners to which you send data, especially employee or customer data
• Partners that help you administer your IT systems
Steps to Identify Issues with “Data Partners”
• Require clear language on which entity owns the data at issue
• Perform due diligence on the partner’s cybersecurity protocols and applicable insurance
• Demand contract provisions that require notice of any data breach to the company and not just the affected individuals
• Request to see record retention schedules for data in question or require certain deletion schedules
New Technology Can Significantly Change Cybersecurity Planning
• Increase in remote working has changed a number of basic assumptions in cybersecurity planning
• New technology can be requested, introduced, or pushed through areas of the company other than the IT Department or IT vendor
• Oftentimes, new infrastructure is pursued before consulting the people in charge of cybersecurity issues
How to Identify and Address Issues Created by New Technology
• Make the cybersecurity team part of the process before bids for new technology go out
• Monitor employee use of new applications or technologies
• Have regular meetings between the cybersecurity team and the IT Department or IT vendor to discuss upcoming initiatives and blue sky planning, including the decommissioning of older systems
Purchases Can Cause You to Inherit Legacy Cybersecurity Problems
• Large-scale acquisitions oftentimes include IT infrastructure
• In a vast majority of deals, the purchasing company receives the IT infrastructure “as is”
• The disclosures in such deals usually only discuss past cybersecurity incidents and make no representations about the current state of the systems being acquired
Identify Issues in Business Deals Involving Acquisition of IT Assets
• Consider an IT audit as part of your due diligence
• Conduct an insurance audit as part of your due diligence
• Pursue contract provisions that allocate costs between the parties of any later discovered cybersecurity issues
Key Areas to Strengthen: DETECT
Detecting Threats Inside & Outside Your Organization
PRO TIP - Evaluate all connections entering your organization.
Key Areas to Strengthen: DETECT
Detecting Threats Inside & Outside Your Organization
PRO TIP – Detect threats from the Internet and Darkweb.
• Your Technology and Facilities
• Internet and Cloud Services
• The Darkweb
PRO TIP - Consider these advanced security tools and services.
Internal
• Enterprise Detection & Response
• Vendor Risk Management
• Internal Vulnerability Detection
Internet / Cloud
• External Vulnerability Detection
• Email / Cloud Embedded Security
• Intrusion Detection Services
Darkweb
• Account Compromise Detection
• Cyber Threat Intelligence
• ‘White Hat’ Hacking Services
The Target Breach
PRO TIP – An HVAC provider was the source of the breach!
Key Areas to Strengthen: RESPOND / RECOVER
• Breach Occurs – complete shutdown
• What do you do?
  • Does your company have a detailed plan to respond to a cyber incident?
  • What are your first actions?
  • How does the new normal affect this?
  • i.e. can you get a hold of key people working remotely?
Key Areas to Strengthen: RESPOND / RECOVER
Security Protocols
• Do you have protocols for cash control/disbursements?
• Key personnel working remotely
  • Or a blend of office/home
  • Hackers prefer your guard down
• Do your key protocols change?
  • Reinforce diligence
• What to do with multiple devices coming back
  • NSFW? Company devices may be loaded with Netflix…or worse
Key Areas to Strengthen: RESPOND / RECOVER
Data Breach Response Plan Based Upon Definition of “Data Breach”
• The plan should specifically state that all cyber incidents are not data breaches
• One person or group of people should be officially given the power to declare a data breach
  • One person for entire organization
  • Group of people divided by area or system
• Person or people with declaration power should be given the ability to consult with necessary cyber experts in order to determine whether or not breach has occurred.
Assembling the Team
• Clear team leader
  • Can be the person who declared the breach or another
  • Can delegate certain responsibilities, but needs to control key decisions
• Cybersecurity forensics specialists
  • Need assessment of internal capabilities as part of drafting the plan
  • Have relationship with any necessary outside vendors already established
Assembling the Team
• Representatives of affected business unit
  • Provide information about data in question
  • Aid in development of business aspect of response
• Legal counsel
  • Provide legal advice on reporting requirements
  • Outside legal counsel can be necessary to preserve privilege
• Public relations specialists
  • Need to handle communications with public as well as business partners
  • Outside vendors may be needed to handle large notification drives
• Representative from Corporate Risk
  • Provide any necessary notification to insurers
  • Develop plans for abatement of costs associated with response
Assembling the Team
• Representative from Human Resources
  • Disciplinary action related to breach
  • Development of future training
• Representative from Corporate Auditing
  • Prepare reports for internal audits of systems
  • Work with any necessary outside auditors on issues related to the breach
• Information Governance Specialist
  • Provide information about data affected
  • Identify other sources of similar data or areas with similar concerns
Key Provisions
• Provision creating employee duty to report potential cyber incidents
  • Duty is important to insurers
  • Creates expectation on employees
  • Allows for disciplinary action
• Provision for creating and maintaining key records about response
  • Duty should be assigned
  • Records are increasingly important for regulators
Key Provisions
• Provision assigning responsibility of notification of law enforcement or regulatory body
  • Questions exist as to when best to contact law enforcement
  • Need key point person to resolve doubt and set key timelines
• Provision creating feedback loop
  • “Lessons learned” are very important to both insurers and regulators
  • “Lessons learned” should be incorporated into training
  • “Lessons learned” should be updated even if another breach does not occur
Often Missing Provisions
• Data Breach Response Plan should…
  • address both personally sensitive information and confidential and proprietary business information
  • have a method of team communication outside of email system
  • include a provision requiring it to be updated periodically or when new systems come on-line
  • contain a clear method or methods of distribution to employees and potentially a clear definition of what employees will receive copies
  • be tested
Cybersecurity: A Parallel to Manufacturing
Final Thoughts & Question and Answer Session
Parallel Cycles: Manufacturing & Security
Parallel Cycles: Manufacturing & Security
The Parallels:
• Cybersecurity operates in continuous repeating cycles
• Manufacturing operates in continuous repeating cycles
• The strongest programs and products have developed over time and incrementally improved
• Cybersecurity and Manufacturing industries are constantly evolving – leverage your partners’, vendors’, customers’, and even competitors’ contributions through professional organizations to stay ahead of the curve.
Q&A
Dan Banick, Chief Information Security Officer, Warwick Communications
Chad Mowery, Shareholder, Roetzel & Andress
Joseph Ruscak, Shareholder, Roetzel & Andress