
Cybersecurity and Credit Risk Management

March 19, 2018

AGENDA

• Why should credit professionals care about cybersecurity?

• Why talk to lawyers about cybersecurity?

• Criminals go to work every day 

• What is cyber diligence?

• What can you do?

• Questions


Why Should Credit Professionals Care About Cyber Incidents?

• Cyber attacks may immediately disrupt business operations and cut off income:

– Stores with POS systems

– Manufacturers with SCADA/ICS systems

– E‐Commerce


Why Should Credit Professionals Care About Cyber Incidents?

• Cyber attacks on others can affect you, e.g.:

– you extended credit, now they can’t pay;

– third party service providers can make you look bad


Why Should Credit Professionals Care About Cyber Incidents?

• Interconnected systems = additional challenges:

– access to your systems (ordering, accounting, tracking)?

– shared systems?

– business by e‐mail?


Why Should Credit Professionals Care About Cyber Incidents?

Because there is a significant economic cost to ignoring cybersecurity 


Why talk to lawyers about cybersecurity?

• Technology and law – 2gether 4ever

• Statutory, regulatory, contractual

• Litigation risk—liability, eDiscovery

• Relationships – regulators and law enforcement

• Cyber insurance

• Privilege protection


A Brief Detour: Privacy

• Privacy and cybersecurity – distinct but related concepts

• The privacy/cybersecurity conundrum


What is Private or Personal Information?

Definition varies, but may include name and:

• Social Security Number

• Driver’s License Number

• Health Information

• Certain Personal Contact Information

• Financial Data (such as Account Numbers)

• Passwords or other Access Information

• Educational Records

• Employment Records

• Consumer Preferences/History

• Geo‐Locating Information


Privacy Pitfalls

Improper use or disclosure of info, even if properly obtained:

• Blabbing at the bar about a client (breach of attorney‐client privilege)

• Bragging about a celebrity patient (breach of doctor‐patient privilege)

• Selling customer lists (potential breach of contract/deceptive practice)

• Marketing to a consumer based on tracking (Big Data)


Privacy Pitfalls

Obligations may extend to information in your “possession, custody or control”:

• What data do you get from your customers?

• Do you repossess/foreclose on collateral comprising/containing data?

• Are you responsible for funding another party’s maintenance of data?


Cybersecurity

• Cybersecurity concerns protection of the Confidentiality, Integrity and Availability of electronic data and systems 

• A cybersecurity breach is typically a situation involving a successful attack on electronic systems and/or content (data), which could include access, destruction, control, manipulation, etc.


CIA Triad


Cybersecurity Pitfalls

Hacks of all shapes and sizes… an infinite and growing library of attacks (a/k/a “exploits”), including:

• Malware (like Ransomware)

• Denial of Service

• Spoofing

• Phishing (and variations like Spear Phishing)

• Social engineering

• Advanced Persistent Threats

• Password Attacks

• Unpatched Systems Vulnerabilities

• SQL Injection


Obligations

• Federal (Sector‐by‐Sector Approach)

• State 

• Self‐Regulating Organizations

• Industry Associations 

• Contractual 

• International


Summary of FTC’s Approach

FTC’s “Reasonableness” Standard

“The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Through its settlements, testimony, and public statements, the Commission has made clear that it does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one‐size‐fits‐all data security program; and the mere fact that a breach occurred does not mean that a company violated the law.”

– FTC’s Statement Marking 50th Data Security Settlement, 1/21/14


New York

NYS Dept. of Financial Services (DFS) Cybersecurity Requirements for Financial Services Companies

• All DFS‐regulated entities are “covered entities” (i.e., banks, insurance companies, money transmitters)

• Covered entities and their vendors/partners must “assess [their] specific risk profile[s] and design a program that addresses its risks in a robust fashion.”

• Broad definition of “non‐public information”

• Cybersecurity is a Board of Directors‐level responsibility

• Written plans, evaluations and compliance certifications are required

• Covered entities must appoint a Chief Information Security Officer (CISO)

• Became effective on March 1, 2017, with phase‐in for compliance with certain provisions beginning August 28, 2017


Contractual Considerations

• Obligations and liabilities are often a contractual matter 

• Three main considerations:

1. Business‐to‐Business

• Vendor agreements to maintain certain standards

• Credit card association agreements

2. Business‐to‐Consumer

• Express written contract (credit cards or loan agreements) or implied contract (posting of a privacy policy or other public statements/representations)

3. Employer‐to‐Employee

• Employment agreement or employee manual/code of conduct


Criminals Go To Work Every Day


Going Beyond The Headlines

We are all too familiar with headline‐grabbing incidents in which massive amounts of personal information are compromised:


Going Beyond The Headlines

These are the tip of the iceberg; the vast majority of cyber‐incidents impacting businesses are never disclosed. They include:

– insider threats activated

– industrial espionage through hacking

– state‐sponsored cyberattacks

– unexplained outages (DoS)

– other unrecognized or undisclosed incidents


What Is Cyber‐Diligence and How Does It Relate To You?

• process for assessing business partner’s cybersecurity risk

• tool for evaluating likelihood of cyber event, but also level of cybersecurity maturity

• guides decision whether to enter business relationship, on what terms


How to Conduct Cyber Diligence 

• Risk assessment methods and reporting

• Information gathering

• Standards and certifications

• Vulnerability assessments

• Penetration testing

• Contractual protections


You’ve Done Your Cyber Diligence, Now What? 

• Negative cyber diligence report need not “kill” relationship 

• Consider conditions to proceeding:

– Remediate issues highlighted

– Update on remediation progress

– Indemnify for losses from cyber

– Obtain cyber insurance


In Conclusion: A Cautionary Tale

Robert and Bethany Millard v. Patricia L. Doran


Lessons Learned: Robert and Bethany Millard v. Patricia L. Doran

• Hackers target all types

• More robust email systems may be more secure

• Simple verification procedures can help

• Employ a healthy dose of skepticism

• Do not ignore security in favor of a closing deadline


Cybersecurity Is Technical, But Comes Down To People


All Organizations Should Plan For Attack: The Question Is Not “If,” It Is “When”


THANK YOU

For More Information:

Erik Weinick  [email protected]

Adam Cohen [email protected] www.thinkbrg.com

Credit Research Foundation  www.crfonline.org
