Presentation delivered by Mitch Tanenbaum, Principal, INFORMATION RISK STRATEGY CONSULTING at the IFG Wealth Management Forum Spring 2016 held in Scottsdale AZ.
PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Tanenbaum, INFORMATION RISK STRATEGY CONSULTING
1. How To Survive In A Risky CyberWorld
2016 IFG Wealth Management Forum
Scottsdale, AZ
April 2016
Mitch Tanenbaum
www.CyberCecurity.com
Mitch@CyberCecurity.com
720-891-1663
7. What can you do?
1. Backups, backups and more backups
2. Business continuity plan
3. Disaster recovery plan
4. Incident response plan
• Rowlett incident
Test repeatedly!
10. 1500 x the size of the WikiLeaks State Department cable leak
11. And Financial Advisors
Ask your law firms and advisors for a copy of their written cyber security plan
As a law firm or advisor, have a written plan
Same goes for family offices – have a plan, ask for a plan
13. 1500+ CxOs and Directors
90% of respondents have a medium to high cybersecurity vulnerability
91% of NEDs cannot read a cybersecurity report, preventing them from asking the intelligent questions (executive coaching)
40% don’t feel responsible for the repercussions of a cyber attack.
15. Targeted Emails – often to execs and finance
Drop malware
Asks employees to wire money
Conduct phishing tests
• At one client, they sent 350 emails: 139 were opened, 35 clicked on the malware, including one C-Suite member
17. “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
- Robert S. Mueller III, Director, Federal Bureau of Investigation
RSA Cyber Security Conference, San Francisco, CA, March 1, 2012
19. Shared proposal with every state, federal and local regulator in the country
1. 12 written cyber security policies and procedures
2. Third party service provider management
3. Multi factor authentication
4. Chief Information Security Officer
http://mtanenbaum.us/ny-regulator-unveils-proposed-new-cyber-security-regulations/
http://www.dfs.ny.gov/about/letters/pr151109_letter_cyber_security.pdf
21. If you are required to comply, it will require outside expertise
http://mtanenbaum.us/ny-regulator-unveils-proposed-new-cyber-security-regulations/
http://www.dfs.ny.gov/about/letters/pr151109_letter_cyber_security.pdf
23. Issued Last September
1. Governance – manage the cyber risk process
2. Access rights – who can see what
3. Data Loss Prevention – PII in emails
4. Vendor Management – who do you share data with?
5. Training
6. Incident response plan
Cyber security exam initiative to improve compliance
http://mtanenbaum.us/sec-issues-risk-alert-to-advisors-and-brokers/
27. CA AG Kamala Harris released a breach report in February
As part of that, she defined REASONABLE SECURITY PROCEDURES as referred to in CA AB 1950
28. Implement all CIS 20 controls which are appropriate
Implement multi factor authentication for consumer facing web sites containing sensitive personal information
Consistently use strong encryption on portable devices and maybe desktops
29. AG Harris Says:
The failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security.
30. What Is The CIS 20
Center For Internet Security:
1. Inventory devices
2. Inventory software
3. Secure configurations for user devices
4. Continuous vulnerability assessment
5. Control admin privileges
6. Manage audit logs
7. Email and web protection
8. Malware defenses
9. Control of ports, protocols and services
10. Data recovery capability
11. Secure configuration for network devices
12. Boundary defense
13. Data protection
14. Control access based on need to know
15. Wireless control
16. Account monitoring
17. Security skills assessment and training
18. Application software security
19. Incident response and management
20. Penetration testing and red team exercises
34. CFPB entered consent decree with fintech firm Dwolla in February
Specifies what CFPB expects Dwolla to do
$100k fine, 5 years of monitoring
NO BREACH INVOLVED!
35. 1. Establish, implement and maintain a comprehensive data security plan
2. Adopt and implement reasonable and appropriate data security policies and procedures
3. Designate a qualified person to be accountable for the data security program
4. Conduct data security risk assessments twice a year
5. Evaluate and adjust the data security program in light of the results
36. 6. Conduct regular, mandatory employee security training
7. Develop, update and implement security patches
8. Develop, implement and maintain an appropriate method of customer identity authentication at registration time.
9. Develop, implement and maintain reasonable procedures for third party risk (service providers).
10. Obtain an annual data security audit from an independent, qualified third party, using generally accepted professional procedures and standards
37. The Board must review all submissions
The Board is ultimately responsible for ensuring compliance with the consent order
39. More and more sensitive data on mobile
Encrypt devices
Restrict what applications are installed
Use encrypted text (WhatsApp, Signal)
Use encrypted email (Absio)
• Both directions
• With clients and internally
40. Mobile Device Management (MDM) software
Use current OS version
• Android Ver 6 – Marshmallow
• iPhone iOS 9
PATCH
42. It is not a silver bullet
We are seeing insurance carriers claiming the insured “failed to follow minimum required practices”
You need to verify that coverages and practices are aligned