Cybersecurity Risk: How a Data Breach Can Impact a Transaction

Corporate Business Solutions

Transcript of Cybersecurity Risk: How a Data Breach Can Impact a Transaction

Page 1

Page 2: Cybersecurity Risk: How a Data Breach Can Impact a Transaction

John Williamson, CPA, CIA, CISA

Jesus Vega, CISSP

Page 3: Agenda

• Anatomy of a Breach
  • How Breaches Happen
  • Latest Trends
• Financial Impact of Breach
  • The Cost of a Breach
  • Case Study Review
• How It Impacts Your Transaction
  • Industry Profiles
  • Top Risks/Questions You Should Ask
• Q&A session

Page 4: Anatomy of a Breach

Page 5: Verizon Data Breach Investigations Report

Verizon Enterprise Solutions: a division of Verizon Communications that offers cloud services and managed security services.

A report summarizing security incidents and breaches investigated by Verizon or provided by a set of 73 contributors in the security services industry:

• 41,686 incidents
• 2,013 breaches

Page 6: Key Definitions

Incidents vs. Breaches

• An incident is a security event that compromises the integrity, confidentiality, or availability of an information asset.
• A breach is an incident that results in the confirmed disclosure – not just potential exposure – of data to an unauthorized party.

Personal Data

• Personal data are data that allow the identification of a person directly or indirectly. Examples:
  • Name and surname
  • Home address
  • Email address
  • Identification card number
  • Location data
  • Internet Protocol (IP) address
  • Cookie ID
  • Advertising identifier of your phone
  • Medical data

Page 7: How Breaches Happen

Page 8: Who Are the Victims?

Page 9: Latest Trends

Page 10: Financial Impact of a Breach

Page 11: Financial Impact

Primary Cost Drivers:

1. Detection & Escalation Costs
2. Notification Costs
3. Post Breach Costs
4. Lost Business Costs

Page 12: Financial Impact (cost per record, by industry)

Page 13: Financial Impact

Page 14: Impact on Your Transaction

Page 15: Case Study

• Organization acquires a small company to break into a niche market
• The following unexpected surprises occurred:
  • $9,000 monthly colocation cost
  • 75% of the equipment used to host the application was beyond End-Of-Life
  • Company did not meet PCI compliance regulations
    • The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes
    • You’ll hear talk of PCI compliance fines, and those fines can range from $5,000 to $100,000 a month, depending on factors like the size of your business and the length and degree of your non-compliance.

Page 16: Risk in Your Transaction

• Trust but Verify: has a 3rd party performed any type of due diligence?
  • Financial Audit
  • Quality of Earnings
  • Cybersecurity Examination
• Has the organization identified the risky data they hold?
  • Personally Identifiable Information (PII)
  • Payment Card Data (PCI-DSS)
  • Protected Health Information (PHI)
  • Intellectual Property

Page 17: Industry Profile: Healthcare

HIPAA/HITECH

• Know your business associates
• Segmentation and protection of PHI
• Encryption methods (in transit and at rest)
• Privacy practices and notices
• Incident response planning is key

HHS penalty tiers:

Tier 1 (Unaware of violation and exercising reasonable due diligence): $100 to $25,000
Tier 2 (Reasonable cause that the entity knew about or should have known): $1,000 to $100,000
Tier 3 (Willful neglect, but corrected within 30 days of discovery): $10,000 to $250,000
Tier 4 (Willful neglect and made no effort to correct within 30 days of discovery): $50,000 to $1.5M

Page 18: Industry Profile: Retail

Payment Card Industry Data Security Standard (PCI-DSS)

• Does the business process credit cards themselves or do they outsource to a 3rd party processor?
• If they process the cards themselves, focus on:
  • Network segmentation
  • Data classification
  • Cardholder Data Flow
  • Self-Assessment Questionnaires/Reports on Compliance
  • Central logging of events
• If they use a 3rd party processor, focus on:
  • Contractual commitments with vendors
  • Vendor PCI compliance reporting

Page 19: Industry Profile: Technology

• Generally, technology companies will collect, process, and store data on behalf of their customers.
• Focus on the types of data processed (PII, PHI, Cardholder data)
• Privacy commitments
  • Data belonging to California residents
  • Data belonging to EU citizens
  • Data belonging to US citizens (no current legislation, but it's on its way)
• 3rd party risk (SOC reports, contracts, SLAs)
• Independent assessment to determine: Scalability, Security, and Integration

Page 20: The Value of IT Due Diligence

Page 21: Overall Risks/Red Flags

The Top Concerns from Security Professionals:

• No vulnerability scans
• No asset inventory
• No data mapping (a method of understanding the physical and logical location of data)
• Poorly defined/lack of contracts with vendors (no SLAs)
• Poorly designed architecture (which impacts scalability, security, and integration)
• Diversification risk regarding key personnel/no succession planning

Page 22: Questions?