Cybersecurity in the Age of Government Regulation › e › cybermdconference › presentations ›...

Page 1:

CareFirst BlueCross BlueShield is the shared business name of CareFirst of Maryland, Inc. and Group Hospitalization and Medical Services, Inc. which are independent licensees of the Blue Cross and Blue Shield Association. ® Registered trademark of the Blue Cross and Blue Shield Association. ® Registered trademark of CareFirst of Maryland, Inc.

Cybersecurity in the Age of Government Regulation

Compliance versus Security

October 28, 2015

Harry D. Fox, EVP, Technical and Operational Support Services

CareFirst BlueCross BlueShield

Page 2:

Agenda

• Security Landscape

• Increased Demand For Controls And Scrutiny

• Compliant vs Secure

• Cybersecurity Frameworks and Governance

• Key Action Steps

Page 3:

Sobering Thought…

Cybercrime will Cost Businesses Over $2 Trillion by 2019

“New research from market analysts, Juniper Research, suggests that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015.” – Juniper Research, The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation, May 2015

Page 4:

Security Landscape

AV-TEST Institute registers over 390,000 new malicious programs every day.

[Chart: Malware Growth Last 10 Years]

“Many executives are declaring cyber as the risk that will define our generation,” said Dennis Chesley, Global Risk Consulting Leader for PwC. – from Turnaround and Transformation in Cybersecurity, by PwC

Page 5:

Threat Actors are Sophisticated, Well Organized, and Well Funded

Source: Mandiant, APT1: Exposing One of China’s Cyber Espionage Units

Page 6:

Threats Continue to Evolve

• While we can’t ignore the threats of the past, there is growing sophistication
– Social Engineering
– Spear Phishing
– Advanced Malware that changes its signature and profile

• The motives and actors are also changing
– Nation States
– Hacktivism
– Organized Crime

“Cyberspace has become a full-blown war zone as governments across the globe clash for digital supremacy in a new, mostly invisible theater of operations. Once limited to opportunistic criminals, cyber attacks are becoming a key weapon for governments seeking to defend national sovereignty and project national power.” – FireEye, World War C: Understanding Nation-State Motives Behind Today’s Cyber Attacks

Page 7:

Increased Controls and Scrutiny

• Cyberattacks and breaches have left organizations scrambling to find ways to measure and demonstrate due diligence

• Security doesn’t have a “one-size-fits-all” solution, making measuring due diligence challenging

• Compliance can bring sweeping changes to the organization well beyond the traditional scope of Information Security

Page 8:

Greater Legislation on the way…

From SC Magazine, 10/20/2015

Page 9:

Compliance and Security

Compliance ≠ Security

Page 10:

Compliance and Security

Page 11:

Risk-based Compliance Frameworks

Of respondents to a recent PwC study have selected a risk-based cybersecurity framework. ISO 27001 and NIST are the most common.

Adapted from Slide Team’s 0514 risk management framework PowerPoint Presentation

Page 12:

Mapping Frameworks to Controls

Using a risk-based approach, companies should apply relevant compliance frameworks against technical, process, and people controls.

From: Do’s and Don’ts of Risk-based Security Management in a Compliance-driven Culture, by Shahid N. Shah

Page 13:

Multiple Frameworks

• Many enterprises are bound to multiple frameworks and requirements through regulations and contracts

• These controls must be centralized into a common framework

Common Controls Hub from Unified Compliance Framework

Page 14:

Governance Model

A well-defined Governance Model is critical

Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

Page 15:

Challenges and Risks

• Overreach

• Focus on high-profile/low-value controls

• Overly prescriptive

• Over focus on compliance and process

• Laws and expectations aren’t consistent with current societal norms

• Cost of security and compliance could overwhelm small companies

Page 16:

Key Steps

• Adopt a cybersecurity framework and apply it using a Risk Management Framework (RMF).

• Create a well-defined governance model with senior management oversight of decisions, risks, controls, audit/assessment, and management action plans.

• Create an inventory of systems, conduct a risk assessment, and use the RMF to define achievable goals.

• Create a multi-year roadmap for cybersecurity with clearly defined deliverables against which you can measure progress.

• Security threats never stop evolving, so your roadmap must continually evolve to meet those threats, satisfy new obligations, and support changes in business needs.

Page 17:

Harry D. Fox, EVP, Technical and Operational Support Services

CareFirst BlueCross BlueShield
[email protected]

10455 Mill Run Circle
Mail Stop: 01-965

Owings Mills, MD 21117