CYBER RISK MANAGEMENT AND BEST PRACTICES


Page 1: CYBER RISK MANAGEMENT AND BEST PRACTICES

© 2017 All Rights Reserved

Reinhart Boerner Van Deuren s.c.

CYBER RISK MANAGEMENT AND BEST PRACTICES

Heather Fields, JD, CHC, CCEP

(414) 298-8166

[email protected]

Reinhart Boerner Van Deuren s.c.

1000 North Water Street, Suite 1700, Milwaukee, WI 53202

www.reinhartlaw.com


Agenda

• Role of the Board

• Role of the C-Suite


Equifax: What we all want to avoid

Lessons Learned: Prepare, Prepare, Prepare

• Combination of inadequate security risk management and lack of a comprehensive and timely response

  ◦ Security issues arose with Equifax's website that offered consumers credit monitoring

    • Tweeted a link to a fake website 13 times

    • Used a less secure content management system than what is industry recommended

  ◦ Response plan: initially only offered credit monitoring if consumers waived the right to sue (Equifax has since removed the language)

Cyber Risk Management: Role of the Board

Three Tasks for the Board

1. Have an Informed View and a Vision

2. Train and Educate

3. Ensure Ongoing Reporting to Enable Oversight

Task 1: Have an Informed View and a Vision

Creating an Informed View and Vision

1. Evaluate your current data security program

2. Decide what your ideal data security program looks like

3. Plan for how to get there

Evaluating Your Current Program

Know the following:

• What is your threat/risk profile?

• What controls are in place now?

• Do you have a planned incident response? What does that look like?

• What is your insurance profile?

87%¹ of board members and C-level executives surveyed said they lack confidence in their companies' level of cybersecurity.

¹ EY's 19th Global Information Security Survey 2016-17.

“Directors don’t need to be technologists to play an effective role in cyber risk oversight — but every board can take the opportunity to improve the effectiveness of their cyber oversight practices.” — Peter Gleason, NACD President

Resourcing: Who Can Help?

• Internal resources

  ◦ IT department

  ◦ Chief Information Security Officer or Chief Information Officer

  ◦ Human Resources

  ◦ Board member with IT experience

• External resources

  ◦ Managed Security Service Providers (MSSPs)

  ◦ Penetration testers or forensic consultants

  ◦ Lawyers

  ◦ Cyber strategy advisors

  ◦ Industry groups

Develop an Action Plan

• What steps need to be taken?

• Who should be involved?

• What is your timeline?

• Who will ensure the plan stays on track?

Task 2: Train and Educate

Training and Education

• Onboarding training should include cybersecurity training

• Board members should receive cybersecurity training annually

• Training should be industry focused and specific to the company

• Training should be both general and specific to the board position

The NACD reports that only 41% of surveyed boards review cyber risk as a full board.

Task 3: Ensure Ongoing Reporting to Enable Oversight

Ensure Ongoing Reporting to Enable Oversight

• Consider dashboards

• Have a special reporting process or framework

• Board involvement in the incident response and action plans

• Periodic reviews of management's assessment of cybersecurity risks

Cyber Risk Management: Role of the C-Suite

Six Cyber Steps for the C-Suite

1. Develop a culture of security

2. Embed cybersecurity into overall enterprise risk management

3. Engage the Human Resources department

4. Evaluate insurance policies periodically

5. Institute contracting and vendor management controls

6. Reassess and test the incident response plan on a routine basis

Cyber Security Starts at the Keyboard

• Employees should receive cyber security training upon hire and annually thereafter

• All employees should receive notice when the procedures or policies are updated

• Must have well understood and publicized reporting procedures

• Penetration tests can help train employees on what to watch for

• Regularly talk to employees about cyber security

• Take all employee reports and questions seriously

Embed Cybersecurity into General Risk Management

• Security risk management must be part of existing organizational governance, leadership and operational structures

  ◦ Governance: board, compliance committee, operational committees

  ◦ Leadership: general counsel, CEO, CIO/CTO, CFO, COO, CISO, compliance officer, risk manager

  ◦ Operational divisions/departments: finance, billing, purchasing, HR, PR/communications, gov't relations, clinical research, medical staff, CIN/ACO, payroll

• Risk Management should:

  ◦ Define and oversee ongoing cybersecurity risk management

  ◦ Monitor breach and cybersecurity risk trends and measure risk management execution

  ◦ Evaluate effectiveness of cybersecurity breach response and technology risk management

Engage Human Resources

HR can help ensure that:

• Employees are following and implementing security policies

• Every employee receives appropriate security training

• Communication between all departments fosters a culture of cybersecurity

Evaluate Insurance Policies

• Review policies and understand exactly what is covered

• Policies tend to define a breach incident differently

• Review the policy with the information security team

• Does it cover external breaches only? Internal?

• What are the exceptions?

• Realize that the norms are still being established

Update coverage to reflect new business lines and changes in your IT security profile.

Institute Contracting Standards

• Contracting parties should consider seeking additional protections beyond the legal framework requirements

• Security provisions should be based on the parties' business relationship and the extent of use and disclosure of data

• Scope of services may merit a separate data security agreement (e.g., hosting services)

• Ensure you know what your current contracts require of you

• Evaluate whether any contract provisions shift cyber liability

• BUT, contractual protections do not equate to a vendor management program

Vendor Management

• Identify your organization's full scope of dependencies on third-party service providers or vendors that collect, access, process, disclose, transmit, or host sensitive or confidential data

• Management of contracts involving or affecting sensitive or regulated data should be centralized, risk-based, and involve a multi-disciplinary review process

• Develop formal privacy and data security vendor management processes, such as:

  ◦ Vendor due diligence process

  ◦ Vendor oversight and contract enforcement

  ◦ Maintain vendor contact information and ensure key vendors are represented and included as part of the incident response team

Reassess and Test Incident Response Plan

Plan must:

• Be tailored to your risk

• Assign responsibility for investigational response

• Reflect various and current notification requirements

  ◦ State, Federal and International

• Consider intangible costs (customers and reputational harm)

• Be tested

Summary

The Board should:

• Have an informed view and vision

• Train and educate

• Ensure ongoing reporting to enable oversight

Executives should:

• Develop a culture of security

• Embed cybersecurity into overall enterprise risk management

• Engage HR

• Evaluate insurance policies

• Institute contracting and vendor management controls

• Reassess and test the incident response plan

Questions?

Thank you!