©2017 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • 777 East Wisconsin Avenue, Milwaukee, WI 53202 • 414.271.2400
Cybersecurity – A Team Sport: A Case Study of Building an Effective and Resilient Program
Thursday, January 12, 2017

Presenters and moderator:
Tim Riley, CIO, Network Health Inc.
Jennifer Rathburn, Partner, Foley & Lardner LLP
Augustine Doe, VP ERM, Network Health Inc.
Joseph Abrenio, VP, Commercial Services, Delta Risk LLC
Introductions
Agenda
A. Data breach findings that have implications for organizations
B. Game prep—coming together to create a cyber ecosystem
C. Team roster and responsibilities
D. Playbook—executive risk officer
E. Playbook—executive information technology officer
F. Playbook—cyber risk consultant
G. Playbook—cyber attorney
H. Goal line themes
I. Appendices
Data Breach Findings that have Implications for Organizations
A. Hackers and criminal insiders cause the most data breaches
Distribution of Root Cause of Data Breach:
Malicious or criminal attack: 48%
System glitch: 27%
Human error: 25%
Source: Research Report, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute (2016)
Data Breach Findings that have Implications for Organizations (cont.)
B. Based on threat action varieties in breaches over time—phishing and point-of-sale are a big deal!
Threat Action Varieties in Breaches Over Time (chart: breach count by year, 2009 to 2015, one panel per threat action)
Panels: Malware - C2; Hacking - Use of stolen creds; Malware - Export data; Hacking - Use of backdoor or C2; Social - Phishing; Malware - Spyware/Keylogger; Malware - RAM; Hacking - Brute force; Malware - Backdoor
Source: 2016 Verizon Data Breach Investigations Report
Data Breach Findings that have Implications for Organizations (cont.)
C. Where phishing and point-of-sale are root cause of breach—server and user device are assets of choice
Percent of Breaches per Asset Category Over Time (chart: 0% to 50% of breaches by year, 2009 to 2015)
Asset categories: Server; User Device; Person; Media; Kiosk/Terminal; Network
Source: 2016 Verizon Data Breach Investigations Report
Data Breach Findings that have Implications for Organizations (cont.)
D. The cost of data breach varies by industry—regulated industries such as health care and financial services have the most costly data breaches because of fines and the higher than average rate of lost business and customers
Per Capita Data Breach Cost by Industry Classification (US data; average cost = $221/record)
Industry | Per capita cost
Health | $402
Life Science | $301
Financial | $264
Transportation | $247
Energy | $246
Communications | $245
Services | $226
Education | $220
Consumer | $218
Retail | $200
Technology | $196
Industrial | $186
Media | $177
Research | $172
Hospitality | $148
Public | $86
Source: Research Report, 2016 Cost of Data Breach Study: United States, Ponemon Institute (2016)
Data Breach Findings that have Implications for Organizations (cont.)
E. Factors that influence the cost of data breach—certain factors decreased the cost of data breach while others increased it
Impact of 16 Factors on the Per Capita Cost of Data Breach (consolidated view, n=383, measured in US$; chart axis from $(50) to $30 per record)
Factors shown: Third party involvement; Extensive cloud migration; Rush to notify; Lost or stolen devices; Consultants engaged; Provision of ID protection; Insurance protection; Data classification schema; Board-level involvement; CISO appointed; Extensive use of DLP; Participation in threat sharing; BCM involvement; Employee training; Extensive use of encryption; Incident response team
Plotted values (US$ per record): $(20.3), $(15.4), $(14.3), $(5.8), $(5.1), $6.9, $5.9, $7.5, $8.2, $8.6, $9.5, $11.6, $13.3, $15.4, $18.9, $25.8
Source: Research Report, 2016 Cost of Data Breach Study: United States, Ponemon Institute (2016)
Data Breach Findings that have Implications for Organizations (cont.)
F. Inverse relationship between the probability of a data breach and the size of records—the probability of a data breach decreases as the size of records increases
Probability of a Data Breach Involving a Minimum of 10,000 to 100,000 Records (consolidated view, n=383)
Number of breached records | Probability
10,000 | 0.256
20,000 | 0.164
30,000 | 0.111
40,000 | 0.095
50,000 | 0.065
60,000 | 0.050
70,000 | 0.028
80,000 | 0.019
90,000 | 0.015
100,000 | 0.012
Source: Research Report, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute (2016)
Data Breach Findings that have Implications for Organizations (cont.)
G. Time to identify and contain data breaches impacts cost—the longer it takes to identify and contain a data breach, the more it costs the organization
Relationship Between Mean Time to Identify and Total Average Cost (consolidated view, n=383, measured in US$):
MTTI < 100 days: $3.23
MTTI ≥ 100 days: $4.38
Relationship Between Mean Time to Contain and Total Average Cost (consolidated view, n=383, measured in US$):
MTTC < 30 days: $3.18
MTTC ≥ 30 days: $4.35
Source: Research Report, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute (2016)
66% of the Cost of Data Breach Are Indirect Costs
Indirect costs of data breach (consolidated view, n=383, US$ in millions):
Detection and Escalation: $0.79
Notification Costs: $0.59
Post-breach Costs: $1.72
Lost Business: $3.97
Average Indirect Costs: $145/record
Average Direct Costs: $76/record
Indirect costs include: time employees spend on data breach notification effort or investigations of the incident; loss of brand value and reputation; customer churn
Direct costs include: forensic experts; legal fees; identity/credit monitoring services to victims
Source: Research Report, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute (2016)
Game Prep—Coming Together to Create a Cyber Ecosystem
TIE Framework: Technology Solutions, Insurance, and Enterprise-wide Risk Oversight surrounding Cyber Risk
Health Care Industry Risk Heat Map (chart: Probability of Occurrence, low to high, against Financial Impact, low to high, each scaled 3.0, 4.0, 5.0; Cyber Risk plotted in the Very High Risk region)
Risk Legend:
Number | Meaning of Probability | Range of Financial Capacity
4 | High | ≥ $20,000,000 but < $40,000,000
5 | Very High | ≥ $40,000,000
Team Roster and Responsibilities
A. Executive information technology officer (CIO, CTO, etc.) responsible for Technology Solutions
B. Executive risk officer (CRO, VP ERM, etc.) responsible for Insurance and Enterprise-wide Risk Oversight
C. Expert cyber risk consultant (Cyber consultant, VP Sales, etc.) responsible for the effective integration of People, Process, and Technology Solutions
D. Cyber attorney (Partner) responsible for Legal Advice
Playbook—Executive Risk Officer
A. Insurance: Cyber, Fiduciary, & D&O
Cyber aggregate limit and retention

Model for Estimating Aggregate Cyber Liability Limits & Retention
Estimating Cost of Cyber Risk for Healthcare Organization
Exposure basis (number of data type (PCI/PHI/PII, non-card financial) or records): 500,000
Total insurable cyber loss and liabilities ($402(a) per exposure basis): $201,000,000
Potential insurable cyber losses and liabilities (based on probability of 0.256(b)): $51,456,000
Less: robust IT security and cyber response program discount (40%): $20,582,400
Net potential insurable cyber losses and liabilities: $30,873,600
Retained potential insurable cyber losses and liabilities (varies by risk appetite: 5%): $1,543,680
Aggregate limit of cyber insurance that should be purchased (95%): $29,329,920
Notes:
(a) Average cost of data breach for healthcare organization based on Ponemon study is $402
(b) Probability of data breach involving a minimum of 10,000 to 100,000 records is between 0.256 and 0.012 based on Ponemon study
Playbook—Executive Risk Officer (cont.)
Insurance sub-limits
Control Group Definition
Panel law firm and vendors for privacy breach response services
Credit monitoring services
Identity theft prevention and information disposal programs
PCI exclusions
First party computer security coverage endorsement
Fiduciary & D/O
Potential for Ds/Os to be subject to shareholder suits alleging breaches of fiduciary duties in the wake of system breaches—ensure Board provides oversight of cyber program (Palkon ex rel. Wyndham Corp. v. Holmes)

Determining Cyber Insurance Sublimits
Exposure basis (number of data type (PCI/PHI/PII, non-card financial) or records): 500,000
Cost category | US Industry Averages* | Sublimits
Detection and escalation | $0.73 | $365,000
Notification and compliance | $0.59 | $295,000
Post-breach | $1.72 | $860,000
Uninsurable lost business | $3.97 | $1,985,000
Note: * Need to compute your specific industry average as average costs vary by industry
Detection and escalation: forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors
Notification and compliance: IT activities associated with creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs and in-bound communication set-up
Post-breach: help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions
Uninsurable lost business: abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill
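The two worksheets above (aggregate limit and retention, then sublimits) are a fixed chain of multiplications that a risk officer will want to re-run with their own record count, industry cost per record, breach probability and risk appetite. The calculator below is an added example, not code from the presentation or from Foley & Lardner, Network Health or Delta Risk; it reproduces the slides' arithmetic as functions and adds a sensitivity sweep over the Ponemon probability table quoted earlier in the deck. Function, field and dictionary names are this example's own assumptions.

```python
"""Cyber insurance limit calculator built from the slide worksheets.

Added example (not the presentation's code). Reproduces the "Model for
Estimating Aggregate Cyber Liability Limits & Retention" and the
"Determining Cyber Insurance Sublimits" arithmetic as reusable functions.
"""
from dataclasses import dataclass, asdict


@dataclass
class LimitEstimate:
    """Each step of the aggregate-limit worksheet, in US$."""
    total_insurable_loss: float      # records x cost per record
    potential_insurable_loss: float  # x probability of a breach
    program_discount: float          # credit for a robust security program
    net_potential_loss: float        # potential loss less the discount
    retained_loss: float             # share kept on the balance sheet
    aggregate_limit: float           # share transferred to the insurer


def estimate_aggregate_limit(records, cost_per_record, breach_probability,
                             program_discount_rate, retention_rate):
    """Walk the worksheet top to bottom.

    Rates are fractions (0.40 for a 40% discount, 0.05 for 5% retention).
    """
    for name, rate in (("breach_probability", breach_probability),
                       ("program_discount_rate", program_discount_rate),
                       ("retention_rate", retention_rate)):
        if not 0.0 <= rate <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {rate}")
    total = records * cost_per_record
    potential = total * breach_probability
    discount = potential * program_discount_rate
    net = potential - discount
    retained = net * retention_rate
    return LimitEstimate(
        total_insurable_loss=round(total, 2),
        potential_insurable_loss=round(potential, 2),
        program_discount=round(discount, 2),
        net_potential_loss=round(net, 2),
        retained_loss=round(retained, 2),
        aggregate_limit=round(net - retained, 2),
    )


# Breach probability by record count, from the Ponemon table quoted on the
# "Probability of a Data Breach" slide (consolidated view, n=383).
BREACH_PROBABILITY_BY_RECORDS = {
    10_000: 0.256, 20_000: 0.164, 30_000: 0.111, 40_000: 0.095,
    50_000: 0.065, 60_000: 0.050, 70_000: 0.028, 80_000: 0.019,
    90_000: 0.015, 100_000: 0.012,
}


def limit_sensitivity(records, cost_per_record, program_discount_rate,
                      retention_rate, probabilities=BREACH_PROBABILITY_BY_RECORDS):
    """Aggregate limit for each probability in the table.

    Shows how far the purchased limit moves with the probability assumption;
    the slide's worksheet uses the most conservative value, 0.256.
    """
    return {n: estimate_aggregate_limit(records, cost_per_record, p,
                                        program_discount_rate,
                                        retention_rate).aggregate_limit
            for n, p in probabilities.items()}


def estimate_sublimits(records, per_record_averages):
    """Sublimit per cost category: exposure basis x industry average.

    The averages must be the caller's own industry figures, as the slide's
    footnote requires; the values below are the slide's US averages.
    """
    return {category: round(records * average, 2)
            for category, average in per_record_averages.items()}


def insurable_sublimit_total(sublimits, uninsurable=("Uninsurable lost business",)):
    """Sum of the sublimits that can actually be placed with a carrier.

    Lost business appears on the slide's worksheet but is labelled
    uninsurable there, so it is left out of this total.
    """
    return round(sum(v for k, v in sublimits.items() if k not in uninsurable), 2)


# Worked figures from the slides (500,000 records, $402 per record,
# 0.256 probability, 40% program discount, 5% retention).
SLIDE_US_AVERAGES = {
    "Detection and escalation": 0.73,
    "Notification and compliance": 0.59,
    "Post-breach": 1.72,
    "Uninsurable lost business": 3.97,
}

if __name__ == "__main__":
    estimate = estimate_aggregate_limit(500_000, 402, 0.256, 0.40, 0.05)
    for step, value in asdict(estimate).items():
        print(f"{step:28s} ${value:>15,.2f}")
    for n, limit in limit_sensitivity(500_000, 402, 0.40, 0.05).items():
        print(f"probability at {n:>7,} records -> limit ${limit:>15,.2f}")
    sublimits = estimate_sublimits(500_000, SLIDE_US_AVERAGES)
    for category, value in sublimits.items():
        print(f"{category:28s} ${value:>12,.2f}")
    print(f"insurable sublimits total    ${insurable_sublimit_total(sublimits):,.2f}")
```

Running it with the slides' inputs reproduces the worksheet line by line ($201,000,000 down to a $29,329,920 aggregate limit) and the four sublimits; the sensitivity sweep shows that moving the probability assumption from the 10,000-record figure to the 100,000-record figure cuts the indicated limit by more than an order of magnitude, which is why the choice of exposure basis deserves as much board attention as the discount and retention percentages.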
Playbook—Executive Risk Officer (cont.)
B. Enterprise-wide risk oversight
Ensure board-level and enterprise-wide involvement through ERM program
Manage and monitor cyber risk through risk reporting tools
Business Continuity Management Program (BCMP) should include breach response and notification plan (team), IT disaster recovery plan, and continuity plan for each business operation
Risk Tools Creation Cycle (see Appendices for sample tools):
Tool 1: Risk Heat Map
Tool 2: Risk Register
Tool 3: Risk Dashboards
Tool 4: Risk Tolerance Policy
Tool 5: Risk Appetite Statement
Playbook—Executive Information Technology Officer
A. Technology Solutions
1. Executive planning approach—service excellence (diagram)
Diagram elements: Business Opportunities; Disruptive Events; Regulatory; Release Management; TQI; Other Project Resource Competition (Common Requests / Uncommon Requests / Incidents / Projects)
Manage: Schedule; Value ROI; Usability; Risk; Cost; Quality
Systems Continuous Improvement: People; Process; Technology
Playbook—Executive Information Technology Officer (cont.)
2. Understand current state of organization's network infrastructure
Conducted physical and firmware assessment
Conducted comprehensive security reviews and vulnerability assessments using vendors: Coalfire, Delta Risk, and Mandiant
Learned more about IT general controls from Model Audit Rule (MAR) implementation
3. Developed and began to implement solutions to address identified gaps
Redesigned network infrastructure to improve uptime and availability:
1. Equipment covered by 24X7 support, 4-hour response
2. Redundant network equipment in case of equipment failure
3. Updated uninterruptable power
4. Installed climate control
Worked with third-party data center operator to tighten security with Web filtering, configuration of servers and updated McAfee to include current patches
Playbook—Executive Information Technology Officer (cont.)
4. Adopted new framework for administering IT functions and operations
5. Operationalized new IT framework (diagram: Frame, Monitor, Respond, Awareness)
Monitor: Active Eye 24/7 coverage; Managed Security Information and Event Management (SIEM)
Respond: Privacy Incidents; Security Incidents; Business Continuity Plan
Awareness: Training Bulletins; Executive Expectations
Playbook—Executive Information Technology Officer (cont.)
B. Benefits we are experiencing from operationalized framework
1. Robust incident response and team—business continuity
2. Continuous corporate-wide employee awareness of ways to help organization manage and monitor cyber risks
3. Corporate training on how to spot cyber threats, report threat—participate in threat sharing
4. Extensive use of encryption to protect data—lost or stolen devices
5. Provision of ID protection
6. Scaled back on cloud migration to provide control over data unless SOC report indicates robust cloud security
7. Reduced the amount of data in motion through reduction in IT-related third-party involvement
8. Extensive use of DLP and data classification schema
Playbook—Cyber Risk Consultant
A. Technology Solutions
1. Support IT and organization with best-in-class cyber risk management practices and solutions
2. Active network monitoring—Delta Risk Active Eye
3. Integration of organization's employees and business partners into the organization's cyber risk management
4. Lead the development of the organization's cyber risk response program
Playbook—Cyber Attorney
A. Legal Cyber Related Counseling
1. Involve Legal Counsel to Enhance Attorney Client Privilege and Control Communications
2. Cybersecurity and Privacy Program Documentation and Policy Review
3. Board of Director Training
4. Data Breach Preparation and Response
5. Hiring of Outside Security and Other Vendors
6. Government Investigations and Litigation Assistance
7. Vendor Management/Contract Review and Other Transactional Assistance
8. Cyber Insurance Review
Goal Line Themes
A. Ecosystem in which CRO, CIO, cyber attorney and cyber consultant collaboratively manage and monitor risk
B. Ongoing Board, senior management and organization-wide involvement in cyber risk management and monitoring
Appendices
Appendix A—Healthcare Industry Risk Heat Map: Sample
Heat map (chart: Probability of Occurrence, low to high, against Financial Impact, low to high, each scaled 3.0, 4.0, 5.0; Cyber Risk plotted in the Very High Risk region)
Risk Legend:
Number | Meaning of Probability | Range of Financial Capacity
4 | High | ≥ $20,000,000 but < $40,000,000
5 | Very High | ≥ $40,000,000
Appendix B—IT Risk Register: Sample
KEY ASPECTS OF RISK
Risk Name: Data loss/privacy
Description of Risk: Data loss may expose us to privacy breaches which may negatively impact our reputation
Risk Owner(s): Chief Technology Officer (First name, Last name)
Key Drivers of Risk: Vendor security; Employee security practices; Hackers
Probability of Risk: 4 (Moderate to High: 35% to 50% chance of occurring)
Potential Financial Impact of Risk: 3 ($12 million to $20 million)
Potential Operational Impact of Risk: Airlines/operators withdrawing; Decline in the number of flights that land
Key Performance Indicators (KPIs): Number of vendors reviewed for data security compliance by IT per month; Number of unsuccessful hacking attempts per month
Key Risk Indicators (KRIs): Number of hacking threats per month; Number of successful threats per month; Number of employee non-compliance with IT security practices per month
Risk Control/Mitigating Measures: IT Security Policy; Vendor IT security SLAs; Firewalls; Data encryption
Actions Required: Implement IT security management and controls by February XX, 20XX; Implement software that monitors emails real time by March XX, 20XX
Appendix C—Risk Dashboard: Samples
Gauge levels: Acceptable Level; Concern Level; Unacceptable Level

Decreasing RBC
Owner: Head of Finance
Description: Subsidiary results, losses and cost overruns continue to negatively impact our RBC = (TAC / ACL RBC)
Current Value: 460% | Policy Minimum: 400% | Policy Maximum: 530%
Actions Required and Corrective Actions:
• Head of Finance to develop policies and procedures for Finance sign-off on new initiatives that require an investment of over $200,000
• Board and Management to revisit corporate governance of subsidiary operations to provide appropriate oversight and controls
• Head of Finance to develop reports that track intercompany balances and budget variances
Update/Overall Status:
• On July 9, 2014, policies and procedures for Finance sign-off was completed and discussed with New Business Development
• Reports that track intercompany balances expected to be completed by July 10, 2014

Brand-Making and Reputational Risk
Owner: Head of Communications
Description: Experience reputational incidents that tarnish our brand image (Health of brand = Customer Satisfaction (CSAT) score)
Current Value: 99.6% | Policy Minimum: 95% | Policy Maximum: 100%
Actions Required and Corrective Actions:
• Work with Head of HR to refine Employee Expense Reimbursement approval process and Terms of Employment policy
• Continue to monitor brand image real time using Street Smart Research
• Develop and implement transparent communication messaging that conveys to the public how company is managing reputational incidents
Update/Overall Status:
• On June 27, 2014 completed refining expense reimbursement approval process
• Conduct Street Smart Research in July 2015
Appendix D—Risk Tolerance Policy: Sample
Description of Risk | Key Risk/Performance Indicators (KRIs/KPIs) | Minimum Threshold | Maximum Threshold | Risk Owner
Underwriting health insurance in post-ACA market | Quarterly loss ratio | 75% | 90% | Head of Actuary
Data loss and privacy breaches | Total number of successful hacking attempts per month | 35 | 60 | Head of IT
Brand-making and reputational incidents | Customer satisfaction (CSAT) score | 95% | 100% | Head of Communications
Decreasing RBC | Quarterly ratio (%) of TAC / ACL RBC | 400% | 530% | Head of Finance
Comprehensive people strategy | Monthly employee turnover (voluntary) | 10% | 25% | Head of Human Resources
IT unable to support operations | Monthly systems uptime | 200 hours | 350 hours | Head of IT
Inability to accomplish risk-based audit | Total monthly hours available to audit | 600 hours | 750 hours | Head of Audit and/or Risk Management
Regulatory non-compliance | Number of regulatory warnings | 10 | 20 | Head of Legal or Risk Management
Subsidiary cost overruns | Subsidiary budget variance | $200,000 | $400,000 | Head of Finance
Substantial increase in Workers' Compensation reserves | Percentage change in WC reserves | 3% monthly | 8% monthly | Head of Audit and/or Risk Management
Declining investment portfolio | Monthly change in value of portfolio | 3% monthly | 7% monthly | Head of Finance
Decreasing COBRA benefits | Percentage change in COBRA benefits administered | 5% monthly | 8% monthly | Head of Business Unit
Appendix E—Formal Risk Appetite Statement: Sample
Columns: Risk Elements | Our Assertions | Additional Support | Guiding Statement

Guiding Statement: Company XYZ is an insurance company that exists for the benefit of its policyholders. We protect our brand, maintain adequate capital, run sustainable subsidiary and affiliate operations, carry-out core operations and leverage our market share to ensure we return value to our policyholders.

Risk Elements and Our Assertions:
Brand-making and reputation. Brand protection and enhancements: We strive to proactively avoid any situation or action that has the potential to unnecessarily impair our brand and reputation. This involves ensuring our employees, business partners and policyholders are committed to our values and that their actions and behaviors reflect these values. We believe this is what would allow us to take appropriate actions to preserve the strength of our brand and reputation in the areas of corporate compliance, customer privacy, corporate information security, governance and positive public image.
Capital Adequacy. Risk-based capital: We will strive to grow to an RBC level appropriate to the risk of our core operations to ensure our sustainability in our market. (1) Controlled subsidiaries: Controlled subsidiaries are expected to manage their businesses and operations with the best interest of the shareholder and other appropriate stakeholders in mind. This expectation includes analysis and understanding of the risks associated with business initiatives to be undertaken by the controlled subsidiary. Further, controlled subsidiaries should comply with defined agreements (e.g. inter-company agreements, dividend policies, etc.) and governance processes as established with their shareholder. (2) External Portfolio risk: Must contemplate the risk profile of our controlled subsidiaries, the risk profile of our core business and Company XYZ's capital position.
Contribution to Surplus. Income/earnings: In order to remain viable in our market, we target an annual operating margin of 5% across all core operations. Product segments (both core and non-core) are expected to have a positive contribution to RBC.
Network Provider Penetration. Provider reimbursements: We will maintain adequate market share to provide the best value to our policyholders. We target no less than 50% of aggregate California health care providers' private payer revenue.
Operational Risk Parameters. Contract management and bid and proposal review: No projects or bids will be pursued without appropriate review and analysis based on defined governance processes, which should include an assessment of material risks and financial impact.
Human Resources Risk Parameters. Human Capital: We will ensure Company XYZ has identified key talent and leadership to develop new leaders through defined succession plans and development. We will maintain the resources and tools to attract, develop and retain the employees necessary to fulfill our mission.

Additional Support: Vision and Mission Statements; Employee Expenses Reimbursement Policies; Employment Policies; Investment Policy; Intercompany Agreements and Dividend Policies with Subsidiaries; Human Resources Policies

This Formal Risk Appetite Statement is drafted solely for the purpose of providing Company XYZ, its subsidiaries and affiliates guidance on how to manage enterprise-wide risks. No statements made herein bind Company XYZ, its subsidiaries and affiliates to any contemplated contracts or agreements. Company XYZ, its subsidiaries and affiliates reserve the right to change any statements made herein with or without notice to any third parties.