THE CYBER SECURITY PLAYBOOK FOR EXECUTIVE OFFICERS AND BOARDS
December 3, 2015
Panel Members: Spencer Hoole, Jennifer Archie, Jeff Sanchez, Lauri Floresca
Difference Between a Data Breach & a Security Incident?
‣ Data breaches are a serious type of security incident that involves the release of personally sensitive, protected and/or confidential data, such as social security numbers, PCI data and personal health records.
‣ There are other types of security incidents, such as impersonation, denial of service and website defacement that don’t involve the theft of sensitive personal data and are very different in the eyes of the law and for purposes of regulatory compliance.
‣ Organizations are not required to report many security incidents, but they are required by law to follow particular procedures in the case of data breaches.
Most Recent Data Breaches
Profile of Current Threat
The Kill Chain is the high-level framework describing the sequence of stages an advanced threat actor moves through in order to compromise a target:
Reconnaissance, Development, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objective.
Source: Ponemon Institute, 2015 Cost of Data Breach Study
© 2015 Protiviti Inc.CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party.
SUMMIT 2015: PREVENTING A DATA BREACH
Jeffrey Sanchez
CORRELATION BETWEEN DIRECTOR INVOLVEMENT AND GOOD SECURITY

Confidence in the organization's ability to:              With director involvement   Without director involvement
Monitor, detect & escalate a potential security incident   8.0                         6.5
Prevent a targeted external attack                          7.8                         6.4
Prevent a breach by a company insider                       7.7                         6.1

Scale: 1 to 10, where 10 = high confidence and 1 = low confidence.
SECURITY STANDARDS

Information security standards: Pick. Follow. Measure.

NIST Cybersecurity Framework (CSF)
Structure: Functions, Categories, Subcategories, Informative References
Core functions: Identify, Protect, Detect, Respond, Recover

SANS Top 20 Critical Security Controls
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Continuous Vulnerability Assessment and Remediation
• Controlled Use of Administrative Privileges
• Maintenance, Monitoring, and Analysis of Audit Logs
• Email and Web Browser Protections
• Malware Defenses
• Limitation and Control of Network Ports, Protocols, and Services
• Data Recovery Capability
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Boundary Defense
• Data Protection
• Controlled Access Based on the Need to Know
• Wireless Access Control
• Account Monitoring and Control
• Security Skills Assessment and Appropriate Training to Fill Gaps
• Application Software Security
• Incident Response and Management
• Penetration Tests and Red Team Exercises

ISO 27000 Model
Business Continuity Management System run as a Plan, Do, Check, Act cycle.
PHISHING
VERIFICATION
Is your security as good as you think? Most of the time it isn't.
Insurance Services | Risk Management | Employee Benefits
An Assurex Global & IBN Partner. CA License 0329598, CO License 448197, OR License 0100167994

Summit 2015: Cyber Insurance
Lauri Floresca
December 3, 2015
www.wsandco.com
The information contained herein is proprietary & confidential and not to be distributed without the consent of Woodruff-Sawyer & Co.
Why you need Cyber Liability Insurance
Components of a Cyber Policy
First-Party v. Third-Party Coverage
What is Typically Not Covered
Cyber/E&O Limit Decision Factors
Models Provide Insight, but Many Variables to Consider
Cyber is a Board-Level Concern
In October 2011, the SEC published guidance for companies that suggested issuers should consider
• the "probability of cyber incidents occurring"
• "the quantitative and qualitative magnitude of those risks"
• that appropriate disclosure may include a "description of relevant insurance coverage."

Significant Data Breaches Can Lead to D&O Issues

Company | Cyber Event | D&O Matter | Status
ChoicePoint | (2005) 500,000 PII exposed via a data warehouser. | (2005) Class Action | (2008) Settled $10M
TJX | (2006-2007) 45M+ customer credit card data and other PII hacked; cost $171M. | (2007) Books & Records; (2007) Derivative Suit (breach of fiduciary duty) | (2010) Settled: $595K plaintiffs' fee award & therapeutics
Heartland Payment | (2009) 130M cards at payment processor; cost $140M. | (2009) Class Action | (2009) Dismissed
Target | (2013) 70M+ credit/debit cards breached at POS system; estimated cost over $1 billion. | (Jan 2014) Derivative Suit (breach of fiduciary duty) | Pending
Wyndham | (2008-2010) Three breaches; 619,000 customers impacted. | (Feb 2014) Derivative Suit (breach of fiduciary duty) | (Oct 2014) Dismissed
Home Depot | (2014) 56M+ credit/debit cards breached at POS system. | (June 2015) Books & Records; (August 2015) Derivative Suit (breach of fiduciary duty) | Pending
© Woodruff-Sawyer & Co., 2014. All rights reserved.
Woodruff-Sawyer & Co., 50 California Street, Floor 12, San Francisco, CA 94111
www.wsandco.com