Data Protection and Cybersecurity: Addressing the Risks and Costs
5 September 2019
3 QUESTIONS
This briefing is proprietary information and shall not be released without the express permission of Tier 1 Cyber
What does this mean for small businesses?
• $3.92M average cost of a data breach for small- and mid-sized companies (the average across businesses of all sizes is $8.19M in the U.S., excluding mega breaches)
• 90% of small businesses do not have data protection measures in place for company or customer information
• 71% of ransomware attacks targeted small businesses, with an average cost of $116,000
• 66% of small to medium-sized businesses do not believe they are vulnerable to cyber attacks – yet 67% of SMBs experienced a cyberattack in the last year
• 60% of small businesses go out of business within 6 months of a data breach
• The likelihood of experiencing a data breach is growing: 29.6%, and increasing each year
Why do hackers target small- and medium-sized businesses?
• Less mature IT processes and procedures (GRC)
• Less secure data architecture
• Limited ability to detect when a breach occurs
• Very limited data breach response capabilities or procedures
Most common cyber events and their potential losses:

Cyber-Fraud (e.g., an illegitimate financial transfer is made as a result of social engineering)
Potential losses: Financial; Incident response costs; Directors’ and Officers’ liability

Cyber-Extortion (e.g., ransomware that impedes access to data or a network until a ransom is paid)
Potential losses: Financial; Business interruption; Incident response costs; Reputational damage; Directors’ and Officers’ liability; Data and software loss

Data Breach (e.g., unauthorized disclosure of third-party personally identifiable information, violation of data privacy requirements, or proprietary / controlled information)
Potential losses: Incident response costs; Breach of privacy compensation; Defense cost; Fines and penalties; Reputational damage; Directors’ and Officers’ liability; Data and software loss
Who are the Actors?
Criminal Organizations & Hackers / Script Kiddies
• Criminal groups are promising salaries averaging the equivalent of $360,000 per year to hackers, with bonuses
• Targeting high-worth individuals, such as company executives, financial investors, lawyers and doctors, with extortion scams
• Utilize social engineering, malware, and wireless / IoT attack vectors
Insider Threat
• $513,290 average cost per incident
• $283,281 average cost for negligence
• Doubles to $648,845 for credential theft
• 53% of companies reported remediation costs of $100,000+ and 12% reported remediation costs of over $1M, in addition to initial financial losses
Hacktivists
Cyber attacks are designed to punish or make a point
• Exposing corporate / CEO practices
• Exposing corporate / CEO political support
• Legal exposure
• Pressure shareholders
• Doxing of corporate officers
• Exposure of corporate data & information
  • Business Clients (e.g. Federal Contracts)
  • Proprietary data
  • Controlled Unclassified Data
Advanced Persistent Threats
Achieve and maintain ongoing access to the targeted network
• Theft of intellectual property, classified, and controlled unclassified information
• Defense program intelligence collection
• Utilize social engineering, malware, and wireless / IoT attack vectors
What is the threat?
External Threat Categories – mostly out of your control:
• Social Engineering
• Malware
• Wireless / Mobile Tech
• Cloud / IoT
• Cryptojacking
• Regulation / Litigation
• Industrial Espionage
Internal Threat Categories – within your control with proper risk management:
• Governance
• Training
• Networks / Architecture
• Business Planning
• Personal Device Use
• Security Controls
• Outsourced Contracts
Tier 1 Secure™ Cybersecurity Model:
The model brings together three areas: Legal Requirements, Information Technology, and Business Requirements.
• Business Requirements: Cybersecurity must be tailored to business goals, objectives, and strategy
• Legal Requirements: Any effort to design and implement an effective security strategy must be built on a foundation of legal and regulatory requirements
• Information Technology: You can only transfer the financial impact of a cyber event… the legal responsibility for the consequences can almost never be transferred
Supporting elements: Business Systems; Corporate Law; Cyber Law; Integrated Governance (Executive Team)
• Develop & implement a risk-based cybersecurity program
• Integrate Governance, Risk Management, & Compliance
• Tailor security to business goals, objectives, & strategy
• Align security controls to the laws & regulations specific to your services
• Establish Business Continuity and Disaster Recovery Plans
• Cyber Insurance to mitigate the cost of a cyber event
Tier 1 Secure™
What is your data protection and privacy posture?
(Graphic source: Cyberisk)
Government Contracting Regulatory Compliance:
Requirements:
• FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
• DFARS 252.204-7008: Compliance with Safeguarding Covered Defense Information Controls
• DFARS 252.204-7009: Limitations on the Use or Disclosure of Third-Party Contractor Information
• DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
• NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems
Compliance:
• System Security Plan (SSP) – the Government (DCMA) reserves the right to request a copy
• Plan of Action & Milestones (POA&Ms) – remediation plans to address approx. 140 NIST 800-171 controls (technical and non-technical controls)
• Audit (currently self-assessment)
Incident Reporting:
• Upon discovery / no later than (NLT) 72 hours to DoD; must also report to the Prime / Higher Tier Subcontractor
• Must preserve and protect images, data, and systems for 90 days
• Must provide DoD additional information, equipment, and forensics upon request
• Must submit malicious software to the Defense Cyber Crime Center (DC3)
Cybersecurity Maturity Model Certification (CMMC)
• Next stage in DoD’s efforts to properly secure the Defense Industrial Base (DIB)
❑ Each RFP will have a minimum CMMC level for award (Level 1 – 5)
❑ All future RFPs will require a CMMC level regardless of handling Controlled Unclassified Information (CUI)
❑ Cybersecurity added to preexisting acquisition criteria (cost, performance, and schedule)
❑ CMMC will be a “Go / No-Go Decision” as part of source selection (RFP Sections L & M)
• Criteria apply to both Prime and Subcontractors (flow down)
• 3rd Party Audit based upon the implementation of actual technical controls, policies, and procedures
• SSP, POA&M, and Self-Assessment as compliance for DFARS 252.204-7012 no longer meet the requirement
• Rating based on sophistication of controls implemented and institutionalization of processes
• Certification implementation approx. June 2020
• Existing work will be up for grabs depending upon which CMMC level is required by the contracting authority
• Teaming and subcontracting will be impacted
• IT Security costs are going to be an allowable charge on contracts moving forward and will be an element of your best value proposals (PENDING)
Cyber Exposure – Protect Your Data
• Do you collect or store data?
  • Personally Identifiable Information (PII)
  • Payment Card Information (PCI)
  • Personal Health Information (PHI)
• Whose data?
  • Employees
  • Clients
Lowering Your Exposure
• Why is this valuable?
  • Fewer cyber losses
  • Safer place to work
  • Lower insurance premiums
• Cyber Security Limitations
  • Not every threat is within your control
  • Nothing can reduce your exposure to zero
THE SOLUTION? Insurance
• Several policies work together
  • Cyber
  • Professional Liability
  • Crime
• Safety net if there is a breach
What Happens If There Is A Breach?
• Required by State and Federal Laws
  • You must know the requirements for each state
  • Notification to affected individuals or entities
  • Notification to Consumer Reporting Agencies
  • Provide Credit Monitoring to affected individuals
  • Other compliance issues
• How it affects your business
  • Investigation of the cause of the breach
  • Remediation
  • Potential lawsuits
Cyber Insurance
Viruses, Malware, Rogue Employees, Denial of Service Attacks, Cyber Extortion
• Responds to First Party Claims
  • Notification
  • Credit Monitoring
  • Public Relations
  • Business Income
• Responds to Third Party Claims
  • Cost for defense
  • Damages
Crime Insurance
Social Engineering/Deception Fraud, Computer Fraud, Funds Transfer Fraud
• Cyber crime is more common
  • Criminals are getting smarter
  • Banks do not always catch this
• Most insurance programs do not cover Social Engineering/Deception Fraud
Professional Liability
Breach of Contract, Professional Error, Omission, Accidental Negligence
• Could you expose a vulnerability in your client’s network?
  • Products
  • Services
  • Advice
• Responds to lawsuits
  • Cost for defense
  • Damages
How Will Insurance Respond?
• Professional Liability, Cyber Liability, and Crime Insurance are not standardized
• Ensure you know how your policy will respond
• Does your coverage apply to your current exposures?
ABOUT US
Government Technology Insurance Company (GovTech)
GovTech is operational in all 50 states and the District of Columbia. Chartered under the Federal Liability Risk Retention Act of 1986, GovTech is the only insurance company in the country that specializes in liability coverage for IT Services and related companies whose primary focus is Federal and State Government contracts.
Government Technology Association (GTA)
GovTech is owned by the non-profit Government Technology Association (GTA) and managed by the GovTech Agency. GTA is headquartered in Bethesda, Maryland, and owned by GTA members, who are the policyholders of GovTech. GTA is comprised of IT companies and contractors whose primary mission is service for Federal and State Governments.
Experience the GovTech Difference
Reliably managed by the industry’s leading insurance professionals and underwriters, GovTech is uniquely prepared to provide its policyholders with IT-specific insurance coverage and notable savings. The GovTech Agency is reinsured by Lloyd’s of London and its largest syndicates. GovTech offers timely service extending beyond the client/carrier relationship, with the advantage of direct savings to each policyholder.
The GovTech Difference
GovTech Services a Single Community
All GovTech policy holders are involved in providing the Federal and State Governments with IT and related services.
GovTech Policyholders Enjoy Premium Savings As Much As 40%
Federal and State IT and related Service Providers have had a long history of below average claims, yet have not been rewarded by the large insurance carriers with premiums that properly reflect the lower level of risk within their community.
Ryan Copenhaver, Partner
Andrew Beardall, COO / General
[email protected] | [email protected] | 301.907.7022
Services: Governance; Risk Management; Regulatory Compliance; Security Auditing; Privacy Assessments; Security Solutions; Cyber Training; Disaster Recovery / COOP; V|CISO Services; 3rd Party Due Diligence
Tier 1 Secure™: The Cyber Security Certification program enables your organization to exceed technical, legal, and regulatory requirements, significantly reducing the impacts and costs of cyber events. The Tier 1 certification process begins with a 1,000-point comprehensive assessment, derived from the latest U.S. and international best practices, to provide a complete cybersecurity program.
Joe Urbaniak, COO / CISO