CYBER RISK MANAGEMENT AND BEST PRACTICES
© 2017 All Rights Reserved
Reinhart Boerner Van Deuren s.c.
Heather Fields, JD, CHC, CCEP
(414) 298-8166
Reinhart Boerner Van Deuren s.c.
1000 North Water Street, Suite 1700, Milwaukee, WI 53202
www.reinhartlaw.com
Agenda
• Role of the Board
• Role of the C-Suite
Equifax: What we all want to avoid
Lessons Learned: Prepare, Prepare, Prepare
• Combination of inadequate security risk management and lack of comprehensive and timely response
  ◦ Security issues arose with Equifax's website that offered consumers credit monitoring
    • Tweeted a link to a fake website 13 times
    • Used a less secure content management system than what is industry recommended
  ◦ Response plan initially only offered credit monitoring if consumers waived the right to sue (Equifax has since removed the language)
Cyber Risk Management: Role of the Board
Three Tasks for the Board
1. Have an Informed View and a Vision
2. Train and Educate
3. Ensure Ongoing Reporting to Enable Oversight
Task 1: Have an Informed View and a Vision
Creating an Informed View and Vision
• Evaluate your current data security program
• Decide what your ideal data security program looks like
• Plan for how to get there
Evaluating Your Current Program
Know the following:
• What is your threat/risk profile?
• What controls are in place now?
• Do you have a planned incident response? What does that look like?
• What is your insurance profile?
87%: Number of board members and C-level executives who said they lack confidence in their companies' level of cybersecurity [1]
[1] EY's 19th Global Information Security Survey 2016-17.
"Directors don't need to be technologists to play an effective role in cyber risk oversight — but every board can take the opportunity to improve the effectiveness of their cyber oversight practices." — Peter Gleason, NACD President
Resourcing: Who Can Help?
• Internal resources
  ◦ IT department
  ◦ Chief Information Security Officer or Chief Information Officer
  ◦ Human Resources
  ◦ Board member with IT experience
• External resources
  ◦ Managed Security Service Providers (MSSPs)
  ◦ Penetration testers or forensic consultants
  ◦ Lawyers
  ◦ Cyber Strategy Advisors
  ◦ Industry groups
Develop an Action Plan
• What steps need to be taken?
• Who should be involved?
• What is your timeline?
• Who will ensure the plan stays on track?
Task 2: Train and Educate
Training and Education
• Onboard training should include cybersecurity training
• Board members should receive cybersecurity training annually
• Training should be industry focused and specific to the company
• Training should be both general and specific to board position
The NACD reports only 41% of surveyed boards review cyber risk as a full board
Task 3: Ensure Ongoing Reporting to Enable Oversight
Ensure Ongoing Reporting to Enable Oversight
• Consider dashboards
• Have a special reporting process or framework
• Board involvement in the incident response and action plans
• Periodic reviews of management's assessment of cybersecurity risks
Cyber Risk Management: Role of the C-Suite
Six Cyber Steps for the C-Suite
1. Develop a culture of security
2. Embed cybersecurity into overall enterprise risk management
3. Engage the Human Resources department
4. Evaluate insurance policies periodically
5. Institute contracting and vendor management controls
6. Reassess and test incident response plan on a routine basis
Cyber Security Starts at the Keyboard
• Employees should receive cyber security training upon hire and annually thereafter
• All employees should receive notice when the procedures or policies are updated
• Must have well understood and publicized reporting procedures
• Penetration tests can help train employees on what to watch for
• Regularly talk to employees about cyber security
• Take all employee reports and questions seriously
Embed Cybersecurity into General Risk Management
• Security risk management must be part of existing organizational governance, leadership and operational structures
  ◦ Governance: board, compliance committee, operational committees
  ◦ Leadership: general counsel, CEO, CIO/CTO, CFO, COO, CISO, compliance officer, risk manager
  ◦ Operational Divisions/Departments: finance, billing, purchasing, HR, PR/communications, gov't relations, clinical research, medical staff, CIN/ACO, payroll
• Risk Management should:
  ◦ Define and oversee ongoing cybersecurity risk management
  ◦ Monitor breach and cybersecurity risk trends and measure risk management execution
  ◦ Evaluate effectiveness of cybersecurity breach response and technology risk management
Engage Human Resources
HR can help ensure that:
• Employees are following and implementing security policies
• Every employee receives appropriate security training
• Communication between all departments fosters a culture of cybersecurity
Evaluate Insurance Policies
• Review policies and understand exactly what is covered
• Policies tend to define breach incident differently
• Review the policy with the information security team
• Does it cover external breaches only? Internal?
• What are the exceptions?
• Realize that the norms are being established
Update coverage to reflect new business lines and changes in your IT security profile
Institute Contracting Standards
• Contracting parties should consider seeking additional protections beyond the legal framework requirements
• Security provisions should be based on the parties' business relationship and extent of use and disclosure of data
• Scope of services may merit separate data security agreement (e.g., hosting services)
• Ensure you know what your current contracts require of you
• Evaluate whether any contract provisions shift cyber liability
• BUT, contractual protections do not equate to a vendor management program
Vendor Management
• Identify your organization's full scope of dependencies on third-party service providers or vendors that collect, access, process, disclose, transmit, or host sensitive or confidential data
• Management of contracts involving or affecting sensitive or regulated data should be centralized, risk-based, and involve a multi-disciplinary review process
• Develop formal privacy and data security vendor management processes, such as:
  ◦ Vendor due diligence process
  ◦ Vendor oversight and contract enforcement
  ◦ Maintain vendor contact information and ensure key vendors are represented and included as part of incident response team
Reassess and Test Incident Response Plan
Plan must:
• Be tailored to your risk
• Assign responsibility for investigational response
• Reflect various and current notification requirements
  ◦ State, Federal and International
• Consider intangible costs (customers and reputational harm)
• Be tested
Summary
The Board Should:
• Have an informed view and vision
• Train and educate
• Ensure ongoing reporting to enable oversight
Executives Should:
• Develop a culture of security
• Embed cybersecurity into overall enterprise risk management
• Engage HR
• Evaluate insurance policies
• Institute contracting and vendor management controls
• Reassess and test incident response plan
Questions?
Thank you!