Critical Issues in Cybersecurity:

Size: px

Start display at page:

Download "Critical Issues in Cybersecurity:"

Brianna Boone
5 years ago
Views:

1 Critical Issues in Cybersecurity: Are you prepared and in compliance? July 27, 2017 Robert Barbarowicz Scott Lyon JillAllison Opell

2 1 What Types of Information do We Collect? PII v. PHI v. NPI v. sensitive/confidential information Information specific to individual Social Security Number Account numbers Name Address Specific financial information Catch-all Information not publicly available

3 2 Now That You Have It, Protect It! GLBA Safeguards Rule: If you are going to accept responsibility for having someone s personal information, then protect it

4 New York Department of Financial Services (NYDFS) Cybersecurity Regulation 23 NYCRR et. seq.

5 3 NYDFS Takes the Lead 3/2/16 NAIC proposes Insurance Data Security Model Law (version 2 8/17/16) 9/28/16 NYDFS proposes its own cybersecurity regulations for all DFS-regulated entities, financial institutions, insurance companies (domestic and admitted) and insurance producers. 12/28/16 NYDFS releases revised cybersecurity proposal 2/16/17 NYDFS regulations posted to New York State Register, to take effect on 3/1/17 March 2017 NAIC meeting in Denver NYDFS proposes that other states should use its cybersecurity regulations as a model for their own legislation

6 4 Covered Entity (c) Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. Financial institutions Insurance carriers Insurance brokers and agents Captive insurance Surplus line carriers

7 5 Deadlines March 1, 2017 effective date of regulation August 28, days Implement & maintain program and policy & Limit user access privileges as part of program Utilize qualified cybersecurity personnel Notify Superintendent of cybersecurity events File Notice of Exemption with Superintendent (e) Designate Chief Information Security Officer [CISO]* Establish a written incident response plan* * May NOT apply to Covered Entities that qualify for a Limited Exemption

8 6 February 15, 2018 Deadlines Submit annual certification of compliance to Superintendent March 1, 2018 one year Conduct periodic risk assessment CISO to provide annual report to board or governing body of agency* (b) Conduct annual penetration testing and bi-annual vulnerability assessments* (a)(1) & (a)(2) Multi-factor authentication if needed* Regular cybersecurity awareness training for all personnel * May NOT apply to Covered Entities that qualify for a Limited Exemption

9 7 Deadlines September 1, months Establish policies and procedures for data retention & disposal Establish audit trails* Establish procedures, guidelines and standards for development of in-house developed applications* Monitor authorized users* (a)(1) Encryption of data both in transit over external networks and at rest* * May NOT apply to Covered Entities that qualify for a Limited Exemption

10 8 Exemptions Covered Entities exempt from some requirements if they Have less than the specified number of NY employees, gross annual revenue from NY operations, or year-end total assets (a) Are an employee, agent, representative or designee of a Covered Entity (b) Do not directly or indirectly operate, maintain, utilize or control any Information Systems AND Do not directly or indirectly control, own, access, generate, receive or possess Nonpublic Information (c) Required to file a Notice of Exemption

11 Cybersecurity Programs: What Do You Need?

12 9 Who Do You Call? Regulatory compliance issue Attorney client privilege/work product Due diligence v. Post-breach investigation Breaches Ignorance (willful or otherwise) is not an excuse FTC enforcement actions - [An unfair act or practice] causes or is likely to cause substantial injury - 15 USC 45(n)

13 10 Cybersecurity Policy Goal: Protection of Information Security Systems & NPI/PII, based on Risk Assessment Risk Assessment Policy (the foundation) Data governance and classification (NPI/PII) Incident Response Plan Third Party Service Provider Security Policy Asset inventory and device management (what do you have) Access controls and identity management (PLP, restrictions) Business Continuity and Disaster Recovery Policy Customer Data Privacy policy System availability plan (Ransomware, DDoS) Physical security (not all administrative or technical)

11 Risk Assessment Policy Written policies and procedures for satisfying objectives - 500.

14 11 Risk Assessment Policy Written policies and procedures for satisfying objectives (b) Objectives Identify assets Identify threats/risks against assets Prioritize threats Mitigate threats

12 Risk Assessment Policy Identify assets Company information and data Hardware and software (servers and endpoints) Organization s reputation and branding

15 12 Risk Assessment Policy Identify assets Company information and data Hardware and software (servers and endpoints) Organization s reputation and branding Personnel Identify threats/risks against assets System hacked from inside System hacked from outside Data Unavailable Ransomware Hardware failure Analyze impact

16 13 Risk Assessment Policy Prioritize threats Ransomware healthcare and other service providers Data exfiltration confidential information (Ashley Madison) Mitigation techniques Ransomware robust backup strategy DDoS clustered servers, load balancers Insider threat Access Control Lists, Principle of Least Privilege, DLP solutions Outside threat Firewalls, IDS, IPS, encryption Residual Risk insurance = transferring risk

Healthcare NPI/PII Groups/Classes Role-based, not individual

17 14 Data Governance and Classification Policy Types of private/sensitive/ confidential information Financial Healthcare NPI/PII Groups/Classes Role-based, not individual HR, Accounting Sensitivity Top Secret Unclassified Principle of Least Privilege

18 15 Incident Response Plan Develop policies and procedures for responding to potential breaches Incident v. Breach v. Cybersecurity Event Internal processes for responding (ex: flow-chart) Roles, responsibilities and levels of decision-making authority Coordinating communications - Law Enforc, Forensics, HR, PR External and internal communications and information sharing Plan for remediation of identified weaknesses Documentation and reporting (forensics, chain of custody) Evaluation and revision (Lessons Learned)

16 Third Party Service Provider Security Policy Develop policies and procedures for Third Party Service Providers (TPSP) - 500.

19 16 Third Party Service Provider Security Policy Develop policies and procedures for Third Party Service Providers (TPSP) Based on the Risk Assessment Risk assessment of TPSP Minimum cybersecurity standards (ISO, addendum) Access controls Encryption Notification requirements Due diligence processes (auditing) Periodic assessment based on risk and adequacy

17 Disaster Recovery Plan Based on Risk Assessment (fire, flood, earthquake) Business Impact Assessment (BIA) Identify critical systems Prioritize recovery time objective Identify

20 17 Disaster Recovery Plan Based on Risk Assessment (fire, flood, earthquake) Business Impact Assessment (BIA) Identify critical systems Prioritize recovery time objective Identify preventative controls Ex: backup data centers Develop recovery strategies Ex: emergency office sharing Develop IT contingency plan Ex: remote login Backup strategy 3/2/1 (copies, media, offsite)

Tabletop Simulations executive fire drills Helps

21 18 Training and Testing Program Training educate employees Communicate business risks and consequences Tabletop Simulations executive fire drills Helps identify SPOF Policy revisions Penetration Testing periodic checkup

22 Recent Cases

23 19 PF Chang s Pt. 1 The Class Action Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) June 2014 breach notification # of consumers -??? # of restaurants -??? Length of breach -??? June 2014 Plaintiffs filed suit Aug Clarification 33 restaurants, >60k customers Dec District court dismissed claims for lack of out-ofpocket losses or actual damages April th Cir. Reversed fraudulent transactions and time, money and effort spent monitoring were sufficient injuries to confer standing

24 20 PF Chang s Pt. 2 The Insurance P.F. Chang's China Bistro, Inc. v. Fed. Ins. Co., 2016 WL (D. Ariz. May 31, 2016) Chubb paid claims ($1.7M) for Third party breach investigation and counsel Breach notifications Class action litigation 2015 MasterCard issued $1.9M PCI DSS assessment to BofA Merchant Services (BAMS) PF Chang s liable for assessment based on processing contract with BAMS Chubb refused claim; PF Chang s sued May 2016 Arizona district court held that Chubb cyber policy does not cover PCI DSS assessments under the BAMS processing contract

25 21 FTC v. Wyndham F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) Between 2008 and 2010 Wyndham was breached 3 times Exposed 619,000 payment card numbers Resulted in more than $10.6M fraud loss 2012 FTC files administrative complaint, alleging that weak security = unfair and deceptive trade practice April 2014 NJ district court denies motion to dismiss

26 22 Aug rd Cir. Affirms FTC v. Wyndham Wyndham was not entitled to know with ascertainable certainty the FTC s interpretation of what cybersecurity practices are required by 45(a). Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute... As a necessary consequence, Wyndham is only entitled to notice of the meaning of the statute and not to the agency s interpretation of the statute. Dec Stipulated Order PCI-DSS? But see LifeLock Consent Order ($100M)

27 23 FTC v. LabMD In the Matter of Labmd, Inc., Trade Cas. (CCH) (MSNET July 28, 2016) Feb patient records found on LimeWire Oct Sacramento PD found records in possession of identity thieves Aug FTC files administrative complaint for unfair acts or practices

28 24 FTC v. LabMD Nov ALJ Post-Hoc Analysis the absence of any evidence that any consumer has suffered harm as a result of [LabMD] s alleged unreasonable data security, even after the passage of many years, undermines the persuasiveness of [the FTC] s claim that such harm is nevertheless likely to occur. (no harm, no foul) July 2016 FTC Reverses ALJ "When evaluating a practice, we judge the likelihood that the practice will cause harm at the time the practice occurred, not on the basis of actual future outcomes. This is particularly true in the data security context. Section 5 very clearly has a prophylactic purpose and authorizes the Commission to take preemptive action. We need not wait for consumers to suffer known harm at the hands of identity thieves.

29 25 Consequences of Breach Damages Costs of breach Notification costs Monitoring costs Legal costs FTC fines and penalties (state and federal) Insurance: loss of license Privilege: Make sure your preparation and response does not turn into the evidence against you Have a plan!

30 Questions?

31 Thank You! Robert Barbarowicz Scott Lyon JillAllison Opell

CYBER LIABILITY: TRENDS AND DEVELOPMENTS: WHERE WE ARE AND WHERE WE ARE GOING

CYBER LIABILITY: TRENDS AND DEVELOPMENTS: WHERE WE ARE AND WHERE WE ARE GOING 2015 Verizon Data Breach Report 79,790 security incidents 2,122 confirmed data breaches Top industries affected: Public, Information,