Belton Zeigler speaks on cybersecurity at the SC Municipal Association's Risk Managers conference in November 2017. The discussion centered around the changing cyber threat landscape as it applies to smaller, data-dependent organizations.

1. womblebonddickinson.com
Cyber Security: An Update for
Risk Managers
Prepared for the Municipal Association of
South Carolina
SCMIT/SCIRF Risk Managers Association

2. 1. Scope of the Problem.
2. Traditional Targets (Personal and Credit Card Data) vs. New
Targets (Ransomware)
3. Business Email Compromise
4. Vendor Issues in Cyber –Outsourcing and the Cloud
5. Preparation/Planning/Insurance
Overview
p2

3. • Hiscox estimated that the global cost of cyber crime in
2016 was on the order of $450 billion (0.6% global gdp).
• Ransomware is the growing edge of cybercrime—tripling
in 2016-2017. 60% of malware is now ransomware.
• Business Email Compromise scams have netted $5
billion globally as of June 2016 --40,000 attempts were
reported to FBI in 2016
• Equifax -143 million credit records.
Scope of Problem
p3

4. Eight Key Questions For the Leadership Team
1. Has a competent cyber security consultant audited your cyber security
preparedness?
2. Have you identified the data protection statutes that apply?
3. Do you have a breach response plan?
4. Have you trained your leadership team and governing board on your
breach response plan?
5. Do you have breach response insurance?
6. Have you identified the IT experts who can respond immediately to
manage a breach response?
7. Have you documented your preparations so you can show the public you
have been diligent and responsible in managing these risks?
8. Do you have a law firm that can advise you under attorney client
privilege?

5. Historically:
• Big targets (Target, Home Depo, Banks, Hotels) leading to
lots of small paydays
• Value achieved through resale of Credit Card/PII data
through a complex criminal network.
Targets are shifting towards:
• Specifically targeted medium sized data-dependent
companies (including local governments).
• Value achieved by ransoming access to data systems
Cybercriminals: Shifting Economic Targets
p5

6. • Off-the-shelf malware available on the dark web for app.
$3,500, breached through HVAC vendor’s link.
• The Target card dumps were marketed on the Russian
language cybercrime forum Lampeduza under this logo:
• The card dumps were searchable by zip code, gang friendly.
• The initial price was app. $25-100 per card, money back
guarantee of current validity.
2013: The Target Breach
p6

7. p7

8. • Ransomware encrypted all records on February 5, 2016.
• Hospital operated without access to patient records or email
for app. 10 days.
• Paid $17,000 for key.
Presbyterian Hospital Beverly Hills
p8

9. NotPetya –June 2017
p9
1. Russian Wiper-ware that targeted
Ukrainian interests.
2. Spread through international
commerce.
3. First week losses exceeded $1 billion –
Maersk; Merck; FedEx, DLA Piper;
others.

10. • .
Law Enforcement

11. • A 2,370% increase in identified
exposed losses in 2016 (FBI).
• Redirecting remittances to
foreign suppliers.
• Real-estate transactions
increasingly targeted.
• Fraudulent payment requests.
• Responses:
• Limit personal data
• Train personnel
• Confirm all transactions
Business Email Compromise

12. The Vendor Problem
p12
http://enterprise-content.akamai.com/2016-it-
survey-enterprise-application-access
http://en.softeck.co/tprisk2016
http://www.ponemon.org/library/data-risk-in-the-
third-party-ecosystem
https://securityintelligence.com/media/2016-cost-
data-breach-study/

13. Examples

14. • Regular security training
• Let risks drive budgets
• Create a role for outside experts
• Document
• Insurance
How to Protect Your
Mayor/Council/Executive Leadership

15. Breach Response
The press and public will judge you on competency of
breach response.
• The level of preparedness will determine the reputational
and political damage from a breach.
• Insurance can be key to effective response.

16. Best Practice: Organize Data Breach Teams In
Advance
1. Assign people to team by roles
2. Should include a 3-person strike force
Strike force works 24/7 on the incident until
maximum understanding is reached
3. Should include a broader “incident response team”
All major stakeholders have a seat
Meets daily or more often at first
Meets less as control is established

17. Train Governing Body/Public Facing
Leadership
• Aggressive press attention likely.
• The intuitive response is to say too much too soon.
• Facts emerge slowly.
• It can take weeks to determine extent of damage and to
restore safely.
• Initial/intuitive/political responses are almost always wrong.

18. NIST Cybersecurity Framework
“The [NIST] Framework provides
organizations with a risk-based
compilation of guidelines that can help
them identify, implement, and improve
cybersecurity practices.”
August 31, 2016
https://www.ftc.gov/news-events/blogs/business-
blog/2016/08/nist-cybersecurity-framework-
ftc?utm_source=govdelivery

19. Procurement Resources
• Vendor security rating services:
https://www.bitsighttech.com/
https://securityscorecard.com/company/
http://www.riskrecon.com/
• Vendor security questionnaires:
https://www.vendorsecurityalliance.org/
https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
• Security certification: ISO/IEC 27001:2013
http://www.iso27001security.com/html/27001.html
• Reports: SOC-2
https://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC2
Report.aspx

21. Cloud
• Amazon Web Services Whitepapers:
https://aws.amazon.com/whitepapers/overview-of-security-processes/
• Cloud Security Alliance
https://cloudsecurityalliance.org/

22. womblebonddickinson.com
Cyber Security: An Update for
Risk Managers
Conclusion and Questions