Recap: NIST and OHIO Safe Harbor

9/23/2020

Building Your Cybersecurity Response & Recovery

Dan Banick, Chief Information Security Officer, Warwick Communications

Chad Mowery, Shareholder, Roetzel & Andress

Joseph Ruscak, Shareholder, Roetzel & Andress

Recap: NIST and OHIO Safe Harbor


What is the Safe Harbor?

• Safe Harbor provides entities that fulfill the requirements with an affirmative defense to “any cause of action sounding in tort . . . that alleges that the failure to implement reasonable information security controls results in a data breach.”

• Safe Harbor applies both to actions brought in Ohio State Courts and to actions brought under Ohio law.

• Safe Harbor can apply to either “personal information,” “restricted information,” or both.

How to Establish Affirmative Defense

• The qualifying organization must “create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection” of personal information or personal information and restricted information

• The qualifying organization must demonstrate that the written cybersecurity framework “reasonably conforms to an industry recognized cybersecurity framework.”


How to Establish Affirmative Defense

• The qualifying organization’s program must be designed to:

1) Protect the security and confidentiality of the information;

2) Protect against any anticipated threats or hazards to the security or integrity of the information; and

3) Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

• The law specifically identifies frameworks, including the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (“NIST”), as options for accomplishing these aims.

NIST Cybersecurity for Manufacturing

https://www.nist.gov/news-events/news/2018/05/mep-centers-aid-manufacturers-cybersecurity


Key Areas to Strengthen

Key Areas to Strengthen: IDENTIFY

Identifying Risks Outside of Your Current Corporate IT Infrastructure

• Identifying “Data Partners”

• Monitoring Incorporation of New Technology

• Investigating IT Systems that are Part of Any Corporate Acquisition


Key Areas to Strengthen: IDENTIFY

Different Types of “Data Partners”

• Partners that have direct access to your systems

• Partners to which you send data, especially employee or customer data

• Partners that help you administer your IT systems

Steps to Identify Issues with “Data Partners”

• Require clear language on which entity owns the data at issue

• Perform due diligence on the partner’s cybersecurity protocols and applicable insurance

• Demand contract provisions that require notice of any data breach to the company and not just the affected individuals

• Request to see record retention schedules for the data in question or require certain deletion schedules


New Technology Can Significantly Change Cybersecurity Planning

• The increase in remote working has changed a number of basic assumptions in cybersecurity planning

• New technology can be requested, introduced, or pushed through areas of the company other than the IT Department or IT vendor

• Often, new infrastructure is pursued before consulting the people in charge of cybersecurity issues

How to Identify and Address Issues Created by New Technology

• Make the cybersecurity team part of the process before bids for new technology go out

• Monitor employee use of new applications or technologies

• Hold regular meetings between the cybersecurity team and the IT Department or IT vendor to discuss upcoming initiatives and blue-sky planning, including the decommissioning of older systems


Purchases Can Cause You to Inherit Legacy Cybersecurity Problems

• Large-scale acquisitions often include IT infrastructure

• In the vast majority of deals, the purchasing company receives the IT infrastructure “as is”

• The disclosures in such deals usually only discuss past cybersecurity incidents and make no representations about the current state of the systems being acquired

Identify Issues in Business Deals Involving Acquisition of IT Assets

• Consider an IT audit as part of your due diligence

• Conduct an insurance audit as part of your due diligence

• Pursue contract provisions that allocate between the parties the costs of any later-discovered cybersecurity issues


Key Areas to Strengthen: DETECT

Detecting Threats Inside & Outside Your Organization

PRO TIP - Evaluate all connections entering your organization.


Key Areas to Strengthen: DETECT

Detecting Threats Inside & Outside Your Organization

PRO TIP – Detect threats from the Internet and Darkweb.

• Your Technology and Facilities

• Internet and Cloud Services

• The Darkweb

Key Areas to Strengthen: DETECT

Detecting Threats Inside & Outside Your Organization

Internal
• Enterprise Detection & Response
• Vendor Risk Management
• Internal Vulnerability Detection

Internet / Cloud
• External Vulnerability Detection
• Email / Cloud Embedded Security
• Intrusion Detection Services

Darkweb
• Account Compromise Detection
• Cyber Threat Intelligence
• ‘White Hat’ Hacking Services

PRO TIP - Consider these advanced security tools and services.


The Target Breach

PRO TIP – An HVAC provider was the source of the breach!

Key Areas to Strengthen: RESPOND / RECOVER

• Breach Occurs – complete shutdown

• What do you do?

• Does your company have a detailed plan to respond to a cyber incident?

• What are your first actions?

• How does the new normal affect this?

  • i.e. can you get a hold of key people working remotely?


Key Areas to Strengthen: RESPOND / RECOVER

Security Protocols

• Do you have protocols for cash control/disbursements?

• Key personnel working remotely

  • Or a blend of office/home

• Hackers prefer your guard down

• Do your key protocols change?

  • Reinforce diligence

• What to do with multiple devices coming back

  • NSFW? Company devices may be loaded with Netflix…or worse

Key Areas to Strengthen: RESPOND / RECOVER

Data Breach Response Plan Based Upon Definition of “Data Breach”

• The plan should specifically state that not all cyber incidents are data breaches

• One person or group of people should be officially given the power to declare a data breach

  • One person for the entire organization

  • Group of people divided by area or system

• The person or people with declaration power should be given the ability to consult with necessary cyber experts in order to determine whether or not a breach has occurred.


Assembling the Team

• Clear team leader

  • Can be the person who declared the breach or another

  • Can delegate certain responsibilities, but needs to control key decisions

• Cybersecurity forensics specialists

  • Need an assessment of internal capabilities while drafting the plan

  • Have relationships with any necessary outside vendors already established

Assembling the Team

• Representatives of affected business unit

  • Provide information about the data in question

  • Aid in development of the business aspect of the response

• Legal counsel

  • Provide legal advice on reporting requirements

  • Outside legal counsel can be necessary to preserve privilege

• Public relations specialists

  • Need to handle communications with the public as well as business partners

  • Outside vendors may be needed to handle large notification drives

• Representative from Corporate Risk

  • Provide any necessary notification to insurers

  • Develop plans for abatement of costs associated with the response


Assembling the Team

• Representative from Human Resources

  • Disciplinary action related to the breach

  • Development of future training

• Representative from Corporate Auditing

  • Prepare reports for internal audits of systems

  • Work with any necessary outside auditors on issues related to the breach

• Information Governance Specialist

  • Provide information about data affected

  • Identify other sources of similar data or areas with similar concerns

Key Provisions

• Provision creating an employee duty to report potential cyber incidents

  • Duty is important to insurers

  • Creates expectation on employees

  • Allows for disciplinary action

• Provision for creating and maintaining key records about the response

  • Duty should be assigned

  • Records are increasingly important for regulators


Key Provisions

• Provision assigning responsibility for notification of law enforcement or a regulatory body

  • Questions exist as to when it is best to contact law enforcement

  • Need a key point person to resolve doubt and set key timelines

• Provision creating a feedback loop

  • “Lessons learned” are very important to both insurers and regulators

  • “Lessons learned” should be incorporated into training

  • “Lessons learned” should be updated even if another breach does not occur

Often Missing Provisions

• Data Breach Response Plan should…

  • Address both personally sensitive information and confidential and proprietary business information

  • Have a method of team communication outside of the email system

  • Include a provision requiring it to be updated periodically or when new systems come on-line

  • Contain a clear method or methods of distribution to employees and potentially a clear definition of which employees will receive copies

  • Be tested


Cybersecurity: A Parallel to Manufacturing

Final Thoughts & Question and Answer Session

Parallel Cycles: Manufacturing & Security


Parallel Cycles: Manufacturing & Security

The Parallels:

• Cybersecurity operates in continuous repeating cycles

• Manufacturing operates in continuous repeating cycles

• The strongest programs and products have developed over time and been incrementally improved

• The cybersecurity and manufacturing industries are constantly evolving – leverage the contributions of your partners, vendors, customers, and even competitors through professional organizations to stay ahead of the curve.

Q&A

Dan Banick, Chief Information Security Officer, Warwick Communications

Chad Mowery, Shareholder, Roetzel & Andress

Joseph Ruscak, Shareholder, Roetzel & Andress