
Spence Hoole Cyber Panel Presentation 2015 Summit


Published in: Business

  1. THE CYBER SECURITY PLAYBOOK FOR EXECUTIVE OFFICERS AND BOARDS. December 3, 2015. Panel Members: Spencer Hoole, Jennifer Archie, Jeff Sanchez, Lauri Floresca
  2. Difference Between a Data Breach & a Security Incident?
     ‣ Data breaches are a serious type of security incident that involves the release of personally sensitive, protected and/or confidential data, such as social security numbers, PCI data and personal health records.
     ‣ There are other types of security incidents, such as impersonation, denial of service and website defacement, that don't involve the theft of sensitive personal data and are very different in the eyes of the law and for purposes of regulatory compliance.
     ‣ Organizations are not required to report many security incidents, but they are required by law to follow particular procedures in the case of data breaches.
  3. Most Recent Data Breaches (image-only slide)
  4. Profile of Current Threat. The Kill Chain is the high-level framework that advanced threat actors employ in their efforts to compromise the target. Phases shown: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objective (the slide also carries the label "Development").
  5. Ponemon Institute 2015 Cost of Data Breach Study (image-only slide)
  6. (image-only slide)
  7. © 2015 Protiviti Inc. CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party. SUMMIT 2015: PREVENTING A DATA BREACH. Jeffrey Sanchez
  8. CORRELATION BETWEEN DIRECTOR INVOLVEMENT AND GOOD SECURITY. Chart: confidence ratings (scale 1-10, 10 = high confidence, 1 = low confidence) with director involvement versus without director involvement for three items: "Monitor, detect & escalate potential security incident", "Prevent targeted external attack" and "Prevent breach by a company insider". Values shown: 8.0, 7.8, 7.7 (with director involvement) and 6.5, 6.4, 6.1 (without).
  9. SECURITY STANDARDS. Information security standards: pick, follow, measure.
     NIST CSF: Functions (Identify, Protect, Detect, Respond, Recover), Categories, Sub-Categories, Informative References.
     SANS Top 20:
       • Inventory of Authorized and Unauthorized Devices
       • Inventory of Authorized and Unauthorized Software
       • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
       • Continuous Vulnerability Assessment and Remediation
       • Controlled Use of Administrative Privileges
       • Maintenance, Monitoring, and Analysis of Audit Logs
       • Email and Web Browser Protections
       • Malware Defenses
       • Limitation and Control of Network Ports, Protocols, and Services
       • Data Recovery Capability
       • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
       • Boundary Defense
       • Data Protection
       • Controlled Access Based on the Need to Know
       • Wireless Access Control
       • Account Monitoring and Control
       • Security Skills Assessment and Appropriate Training to Fill Gaps
       • Application Software Security
       • Incident Response and Management
       • Penetration Tests and Red Team Exercises
     ISO 27000 model: Business Continuity Management System (Plan, Do, Check, Act).
  10. PHISHING (image-only slide)
  11. VERIFICATION. Is your security as good as you think? Most of the time it isn't.
  12. Insurance Services | Risk Management | Employee Benefits. An Assurex Global & IBN Partner. CA License 0329598, CO License 448197, OR License 0100167994. Summit 2015: Cyber Insurance. Lauri Floresca, December 3, 2015
  13. www.wsandco.com | The information contained herein is proprietary & confidential and not to be distributed without the consent of Woodruff-Sawyer & Co. Why you need Cyber Liability Insurance (image-only slide)
  14. Components of a Cyber Policy (image-only slide)
  15. First-Party v. Third-Party Coverage (image-only slide)
  16. What is Typically Not Covered (image-only slide)
  17. Cyber/E&O Limit Decision Factors (image-only slide)
  18. Models Provide Insight, but Many Variables to Consider (image-only slide)
  19. Cyber is a Board-Level Concern. In October 2011, the SEC published guidance for companies that suggested issuers should consider
       • the "probability of cyber incidents occurring"
       • "the quantitative and qualitative magnitude of those risks"
       • that appropriate disclosure may include a "description of relevant insurance coverage."
     Significant Data Breaches Can Lead to D&O Issues (columns: Company | Cyber Event | D&O Matter | Status):
       ChoicePoint | (2005) 500,000 PII exposed via a data warehouser. | (2005) Class Action | (2008) Settled $10M
       TJX | (2006-2007) 45M+ customer credit card data and other PII hacked; cost $171M. | (2007) Books & Records; (2007) Derivative Suit (breach of fiduciary duty) | (2010) Settled $595K plaintiffs fee award & therapeutics
       Heartland Payment | (2009) 130M cards at payment processor; cost $140M. | (2009) Class Action | (2009) Dismissed
       Target | (2013) 70M+ credit/debit cards breach at POS system; estimated cost over $1 billion. | (Jan 2014) Derivative Suit (breach of fiduciary duty) | Pending
       Wyndham | (2008-2010) Three breaches; 619,000 customers impacted. | (Feb 2014) Derivative Suit (breach of fiduciary duty) | (Oct 2014) Dismissed
       Home Depot | (2014) 56M+ credit/debit cards breach at POS system | (June 2015) Books & Records; (August 2015) Derivative Suit (breach of fiduciary duty) | Pending
  20. © Woodruff-Sawyer & Co., 2014. All rights reserved. Woodruff-Sawyer & Co., 50 California Street, Floor 12, San Francisco, CA 94111. www.wsandco.com. Insurance Services | Risk Management | Employee Benefits
