Critical Issues in Cybersecurity: Are you prepared and in compliance?
July 27, 2017
Robert Barbarowicz, Scott Lyon, JillAllison Opell

1 What Types of Information do We Collect?
PII v. PHI v. NPI v. sensitive/confidential information
- Information specific to an individual: Social Security number, account numbers, name, address, specific financial information
- Catch-all: information that is not publicly available

2 Now That You Have It, Protect It!
- GLBA Safeguards Rule: if you are going to accept responsibility for having someone's personal information, then protect it.

New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR 500.01 et seq.

3 NYDFS Takes the Lead
- 3/2/16: NAIC proposes the Insurance Data Security Model Law (version 2 released 8/17/16)
- 9/28/16: NYDFS proposes its own cybersecurity regulation for all DFS-regulated entities: financial institutions, insurance companies (domestic and admitted) and insurance producers
- 12/28/16: NYDFS releases a revised cybersecurity proposal
- 2/16/17: final regulation published in the New York State Register, to take effect 3/1/17
- March 2017 NAIC meeting in Denver: NYDFS proposes that other states use its cybersecurity regulation as a model for their own legislation

4 Covered Entity, 500.01(c)
"Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law."
- Financial institutions
- Insurance carriers
- Insurance brokers and agents
- Captive insurance
- Surplus line carriers

5 Deadlines
March 1, 2017: effective date of the regulation
August 28, 2017 (180 days):
- Implement and maintain a cybersecurity program and policy: 500.02 and 500.03
- Limit user access privileges as part of the program: 500.07
- Utilize qualified cybersecurity personnel*: 500.10
- Notify the Superintendent of Cybersecurity Events (no later than 72 hours after determining one has occurred): 500.17(a)
- File a Notice of Exemption with the Superintendent: 500.19(e)
- Designate a Chief Information Security Officer (CISO)*: 500.04
- Establish a written incident response plan*: 500.16
* May NOT apply to Covered Entities that qualify for a Limited Exemption under 500.19

6 Deadlines (continued)
February 15, 2018: submit the first annual certification of compliance to the Superintendent: 500.17(b)
March 1, 2018 (one year):
- Conduct periodic risk assessment: 500.09
- CISO to provide an annual report to the board or governing body*: 500.04(b)
- Conduct annual penetration testing and bi-annual vulnerability assessments*: 500.05(a)(1) and 500.05(a)(2)
- Multi-factor authentication where the risk assessment calls for it, and for external access to internal networks unless the CISO approves reasonably equivalent controls*: 500.12
- Regular cybersecurity awareness training for all personnel*: 500.14(b)
* May NOT apply to Covered Entities that qualify for a Limited Exemption under 500.19

7 Deadlines (continued)
September 1, 2018 (18 months):
- Establish policies and procedures for data retention and disposal: 500.13
- Establish audit trails*: 500.06
- Establish procedures, guidelines and standards for secure development of in-house applications*: 500.08
- Monitor the activity of authorized users*: 500.14(a)(1)
- Encrypt Nonpublic Information both in transit over external networks and at rest, or apply CISO-approved compensating controls where encryption is infeasible*: 500.15
* May NOT apply to Covered Entities that qualify for a Limited Exemption under 500.19

8 Exemptions (500.19)
Covered Entities are exempt from some requirements if they:
- Fall under the size thresholds (at the time: fewer than 10 employees including independent contractors, less than $5 million in gross annual revenue from New York operations in each of the last three fiscal years, or less than $10 million in year-end total assets): 500.19(a)
- Are an employee, agent, representative or designee of a Covered Entity and are covered by that entity's cybersecurity program: 500.19(b)
- Do not directly or indirectly operate, maintain, utilize or control any Information Systems AND do not directly or indirectly control, own, access, generate, receive or possess Nonpublic Information: 500.19(c)
Exempt entities are still required to file a Notice of Exemption: 500.19(e)

Cybersecurity Programs: What Do You Need?

9 Who Do You Call?
- Regulatory compliance issue
- Attorney-client privilege / work product
- Due diligence v. post-breach investigation
- Breaches: ignorance (willful or otherwise) is not an excuse
- FTC enforcement actions: an act or practice is unfair if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition" (15 U.S.C. 45(n))

10 Cybersecurity Policy
Goal: protection of Information Systems and NPI/PII, based on the Risk Assessment
- Risk Assessment Policy (the foundation)
- Data governance and classification (NPI/PII)
- Incident Response Plan
- Third Party Service Provider Security Policy
- Asset inventory and device management (what do you have?)
- Access controls and identity management (principle of least privilege, restrictions)
- Business Continuity and Disaster Recovery Policy
- Customer data privacy policy
- System availability plan (ransomware, DDoS)
- Physical security (controls are not all administrative or technical)

11 Risk Assessment Policy
Written policies and procedures for satisfying the objectives: 500.09(b)
Objectives:
- Identify assets
- Identify threats/risks against assets
- Prioritize threats
- Mitigate threats

12 Risk Assessment Policy (continued)
Identify assets:
- Company information and data
- Hardware and software (servers and endpoints)
- Organization's reputation and branding
- Personnel
Identify threats/risks against assets:
- System compromised from inside
- System compromised from outside
- Data unavailable: ransomware, hardware failure
Analyze impact

13 Risk Assessment Policy (continued)
Prioritize threats:
- Ransomware: healthcare and other service providers
- Data exfiltration: confidential information (Ashley Madison)
Mitigation techniques:
- Ransomware: robust backup strategy
- DDoS: clustered servers, load balancers
- Insider threat: access control lists, principle of least privilege, DLP solutions
- Outside threat: firewalls, IDS, IPS, encryption
Residual risk: insurance = transferring risk
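The four objectives on slides 11 to 13 (identify, analyze, prioritize, mitigate, then decide what residual risk to carry or transfer) are easier to run as a written policy when they produce a risk register. The following is an added example, not part of the deck: it scores each asset/threat pair on a 1-5 likelihood and impact scale, applies the mitigations the slides name, and flags anything still above an assumed risk appetite as a candidate for transfer through insurance. The scales, control effectiveness values, assets and threats are constructed assumptions, not figures from the presentation.

```python
"""Risk register for the assessment steps above: identify assets and threats,
score them, prioritize, apply mitigations, and decide what residual risk to
accept or transfer. Added example, not part of the deck; the 1-5 scales,
control effectiveness values, assets and threats are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # fraction of risk removed, 0.0-1.0 (assumed value)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    @property
    def inherent(self) -> int:
        """Risk before controls: likelihood x impact on a 5x5 matrix."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        """Risk after controls. Controls are modelled as independent, so each
        one removes its share of whatever risk the previous controls left."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent * remaining, 2)


def prioritize(risks):
    """Highest inherent risk first; ties broken by impact (stable for equal keys)."""
    return sorted(risks, key=lambda r: (r.inherent, r.impact), reverse=True)


def treatment(risk, appetite):
    """accept: within appetite with no controls needed;
    mitigated: controls bring it within appetite;
    transfer: still above appetite, so insure it or add controls."""
    if risk.inherent <= appetite:
        return "accept"
    if risk.residual <= appetite:
        return "mitigated"
    return "transfer"


def build_register():
    # Constructed register mirroring the threats and mitigations on the slides.
    backups = Control("3-2-1 backups with tested restores", 0.7)
    edr = Control("endpoint detection and response / IPS", 0.4)
    lb = Control("clustered servers behind load balancers", 0.6)
    acl = Control("access control lists + least privilege", 0.5)
    dlp = Control("data loss prevention", 0.4)
    fw = Control("firewalls + IDS", 0.5)
    enc = Control("encryption at rest and in transit", 0.5)
    return [
        Risk("customer/patient data", "ransomware", 4, 5, [backups, edr]),
        Risk("public web service", "DDoS", 3, 3, [lb]),
        Risk("NPI/PII", "insider exfiltration", 2, 5, [acl, dlp]),
        Risk("NPI/PII", "external intrusion", 4, 5, [fw, enc]),
        Risk("file server", "hardware failure", 3, 2, [backups]),
    ]


def report(risks, appetite=4.0):
    """One row per risk, in priority order, with the treatment decision."""
    rows = []
    for r in prioritize(risks):
        rows.append((r.threat, r.inherent, r.residual, treatment(r, appetite)))
    return rows


if __name__ == "__main__":
    for threat, inh, res, decision in report(build_register()):
        print(f"{threat:<22} inherent={inh:>2} residual={res:>4} -> {decision}")
```

With the assumed scores, ransomware and external intrusion tie for top priority at an inherent 20; backups plus endpoint detection bring ransomware under the appetite, while external intrusion stays at 5.0 and is the one item the register would hand to the insurance broker or send back for more controls. The point of the exercise is the audit trail: every "transfer" decision is a documented choice, which is what the risk assessment policy under 500.09 has to show.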

14 Data Governance and Classification Policy
- Types of private/sensitive/confidential information: financial, healthcare, NPI/PII
- Groups/classes: role-based, not individual (e.g. HR, Accounting)
- Sensitivity levels: from Top Secret down to Unclassified
- Principle of least privilege
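Slide 14's classification scheme and slide 7's requirements to limit access privileges (500.07), keep audit trails (500.06) and monitor authorized users (500.14(a)(1)) fit together in one mechanism: entitlements granted to roles, a classification ladder that a role may read at or below, and an append-only log of every decision that a monitor can review. The following is an added example, not the deck's own code or a regulator's template. The classification ladder, roles, record categories, users and the denial threshold are constructed assumptions.

```python
"""Role-based access to classified records with an audit trail and a simple
monitor over that trail. Added example, not the deck's own code or a
regulator's template. The classification ladder, roles, records and users
below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Classification ladder, low to high. A role reads at or below its clearance.
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass(frozen=True)
class Record:
    ident: str
    category: str  # "financial", "phi" or "pii"
    level: str     # one of LEVELS


@dataclass(frozen=True)
class Role:
    name: str
    clearance: str          # highest level the role may read
    categories: frozenset   # data categories the role has a business need for


# Entitlements are granted to roles, never to individual users.
ROLES = {
    "hr": Role("hr", "restricted", frozenset({"pii", "phi"})),
    "accounting": Role("accounting", "confidential", frozenset({"financial"})),
    "helpdesk": Role("helpdesk", "internal", frozenset({"pii"})),
}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    role: str
    record: str
    allowed: bool
    reason: str


class AccessControl:
    def __init__(self):
        self.audit_log = []  # append-only list of AuditEvent

    def can_read(self, role, rec):
        """Both checks must pass: category (need to know) and level (no read up)."""
        if rec.category not in role.categories:
            return False, f"category {rec.category} not granted to role {role.name}"
        if LEVELS.index(rec.level) > LEVELS.index(role.clearance):
            return False, f"level {rec.level} exceeds clearance {role.clearance}"
        return True, "ok"

    def read(self, user, role_name, rec, now=None):
        """Authorize a read and record the decision, allowed or not."""
        role = ROLES[role_name]
        allowed, reason = self.can_read(role, rec)
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_log.append(AuditEvent(ts, user, role_name, rec.ident, allowed, reason))
        return allowed


def repeated_denials(events, threshold=3):
    """Users denied at least `threshold` times: review candidates for the
    'monitor authorized users' requirement. The threshold is an assumed value."""
    counts = {}
    for e in events:
        if not e.allowed:
            counts[e.user] = counts.get(e.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    ac = AccessControl()
    phi = Record("pt-0001", "phi", "restricted")
    ledger = Record("gl-2017", "financial", "confidential")
    ac.read("alice", "hr", phi)           # allowed: category and level both fit
    ac.read("bob", "accounting", ledger)  # allowed
    for _ in range(3):
        ac.read("bob", "accounting", phi)  # denied: accounting has no need for PHI
    for e in ac.audit_log:
        print(e)
    print("review:", repeated_denials(ac.audit_log))
```

Two design choices carry the compliance weight. Denied attempts are logged with the same care as allowed ones, because the denials are what a monitor (or an examiner) reads to spot an authorized user probing data outside their role. And the decision names a role rather than a person, so revoking access is a change to one mapping rather than a hunt through per-user grants.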

15 Incident Response Plan
Develop policies and procedures for responding to potential breaches: 500.16
- Incident v. breach v. Cybersecurity Event
- Internal processes for responding (e.g. a flow chart)
- Roles, responsibilities and levels of decision-making authority
- Coordinating communications: law enforcement, forensics, HR, PR
- External and internal communications and information sharing
- Plan for remediation of identified weaknesses
- Documentation and reporting (forensics, chain of custody)
- Evaluation and revision (lessons learned)

16 Third Party Service Provider Security Policy
Develop policies and procedures for Third Party Service Providers (TPSPs): 500.11
Based on the Risk Assessment:
- Risk assessment of each TPSP
- Minimum cybersecurity standards (ISO, contract addendum)
- Access controls
- Encryption
- Notification requirements
- Due diligence processes (auditing)
- Periodic assessment based on risk and adequacy

17 Disaster Recovery Plan
Based on the Risk Assessment (fire, flood, earthquake)
- Business Impact Assessment (BIA): identify critical systems; prioritize by recovery time objective
- Identify preventative controls (e.g. backup data centers)
- Develop recovery strategies (e.g. emergency office sharing)
- Develop an IT contingency plan (e.g. remote login)
- Backup strategy: 3-2-1 (three copies, on two media types, one off-site)

18 Training and Testing Program
- Training: educate employees; communicate business risks and consequences
- Tabletop simulations: executive fire drills; help identify single points of failure (SPOF); drive policy revisions
- Penetration testing: periodic checkup

Recent Cases

19 P.F. Chang's Pt. 1: The Class Action
Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016)
- June 2014: breach notification; number of consumers, number of restaurants and length of breach all unknown at the time
- June 2014: plaintiffs file suit
- Aug. 2014: clarification: 33 restaurants, more than 60,000 customers
- Dec. 2014: district court dismisses the claims for lack of out-of-pocket losses or actual damages
- April 2016: 7th Cir. reverses: fraudulent transactions and the time, money and effort spent on monitoring were sufficient injuries to confer standing

20 P.F. Chang's Pt. 2: The Insurance
P.F. Chang's China Bistro, Inc. v. Fed. Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016)
- Chubb paid claims (about $1.7M) for third-party breach investigation and counsel, breach notifications and the class action litigation
- 2015: MasterCard issued a $1.9M PCI DSS assessment to Bank of America Merchant Services (BAMS); P.F. Chang's was liable for the assessment under its processing contract with BAMS
- Chubb refused the claim; P.F. Chang's sued
- May 2016: Arizona district court holds that the Chubb cyber policy does not cover the PCI DSS assessments owed under the BAMS processing contract

21 FTC v. Wyndham
F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)
- Between 2008 and 2010 Wyndham was breached three times
- Exposed 619,000 payment card numbers
- Resulted in more than $10.6M in fraud loss
- 2012: FTC files a complaint in federal district court, alleging that weak security is an unfair and deceptive trade practice under Section 5
- April 2014: New Jersey district court denies the motion to dismiss

22 Aug. 2015: 3rd Cir. affirms in FTC v. Wyndham
"Wyndham was not entitled to know with ascertainable certainty the FTC's interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute... As a necessary consequence, Wyndham is only entitled to notice of the meaning of the statute and not to the agency's interpretation of the statute."
- Dec. 2015: stipulated order (PCI DSS?)
- But see the LifeLock consent order ($100M)

23 FTC v. LabMD
In the Matter of LabMD, Inc., 2016-2 Trade Cas. (CCH) ¶ 79,708 (F.T.C. July 28, 2016)
- Feb. 2008: a file containing about 9,300 patient records found on the LimeWire peer-to-peer network
- Oct. 2012: Sacramento PD finds LabMD records in the possession of identity thieves
- Aug. 2013: FTC files an administrative complaint for unfair acts or practices

24 FTC v. LabMD (continued)
Nov. 2015: ALJ dismisses the complaint (post hoc analysis): "the absence of any evidence that any consumer has suffered harm as a result of [LabMD]'s alleged unreasonable data security, even after the passage of many years, undermines the persuasiveness of [the FTC]'s claim that such harm is nevertheless likely to occur." (no harm, no foul)
July 2016: FTC reverses the ALJ: "When evaluating a practice, we judge the likelihood that the practice will cause harm at the time the practice occurred, not on the basis of actual future outcomes. This is particularly true in the data security context. Section 5 very clearly has a prophylactic purpose and authorizes the Commission to take preemptive action. We need not wait for consumers to suffer known harm at the hands of identity thieves."

25 Consequences of Breach
- Damages
- Costs of breach: notification costs, monitoring costs, legal costs
- Regulatory fines and penalties (state and federal, including the FTC)
- Insurance regulation: loss of license
- Privilege: make sure your preparation and response does not turn into the evidence against you
- Have a plan!

Questions?

Thank You!
Robert Barbarowicz, rbarbarowicz@mrllp.com
Scott Lyon, slyon@mrllp.com
JillAllison Opell, jaopell@mrllp.com