Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Legal Case for Cyber Risk Management Programs and What They Should Include

704 views

Published on

Cybersecurity & Data Privacy Attorney Shawn Tuma presented this session to The American Institute of Architects' Large Firm Round Table on March 15, 2018. For more of Shawn Tuma's presentations please visit: https://shawnetuma.com/presentations/

Published in: Law
  • Be the first to comment

  • Be the first to like this

The Legal Case for Cyber Risk Management Programs and What They Should Include

  1. 1. Shawn E. Tuma Cybersecurity & Data Privacy Attorney Scheef & Stone, LLP Shawn.Tuma@solidcounsel.com (214) 472-2135 @shawnetuma The Legal Case for Cyber Risk Management Programs and What They Should Include
  2. 2. Cybersecurity is no longer just an IT issue— it is an overall business risk issue.
  3. 3. Security and IT protect companies’ data; Legal protects companies from their data.
  4. 4. 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce on P&P, then security. 4. Phish all workforce (esp. leadership). 5. Multi-factor authentication. 6. Signature based antivirus and malware detection. 7. Internal controls / access controls. 8. No outdated or unsupported software. 9. Security patch updates management policy. 10. Backups segmented offline, cloud, redundant. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk management program. 15. Firewall, intrusion detection and prevention systems. 16. Managed services provider (MSP) or managed security services provider (MSSP). 17. Cyber risk insurance. Common Cybersecurity Best Practices
  5. 5. 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce on P&P, then security. 4. Phish all workforce (esp. leadership). 5. Multi-factor authentication. 6. Signature based antivirus and malware detection. 7. Internal controls / access controls. 8. No outdated or unsupported software. 9. Security patch updates management policy. 10. Backups segmented offline, cloud, redundant. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk management program. 15. Firewall, intrusion detection and prevention systems. 16. Managed services provider (MSP) or managed security services provider (MSSP). 17. Cyber risk insurance. Does your company have reasonable cybersecurity? In re Target Data Security Breach Litigation, (Financial Institutions) (Dec. 2, 2014) F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015)
  6. 6. 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce on P&P, then security. 4. Phish all workforce (esp. leadership). 5. Multi-factor authentication. 6. Signature based antivirus and malware detection. 7. Internal controls / access controls. 8. No outdated or unsupported software. 9. Security patch updates management policy. 10. Backups segmented offline, cloud, redundant. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk management program. 15. Firewall, intrusion detection and prevention systems. 16. Managed services provider (MSP) or managed security services provider (MSSP). 17. Cyber risk insurance. Does your company have adequate internal network controls? FTC v. LabMD, (July 2016 FTC Commission Order)
  7. 7. 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce on P&P, then security. 4. Phish all workforce (esp. leadership). 5. Multi-factor authentication. 6. Signature based antivirus and malware detection. 7. Internal controls / access controls. 8. No outdated or unsupported software. 9. Security patch updates management policy. 10. Backups segmented offline, cloud, redundant. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk management program. 15. Firewall, intrusion detection and prevention systems. 16. Managed services provider (MSP) or managed security services provider (MSSP). 17. Cyber risk insurance. Does your company have written policies and procedures focused on cybersecurity? SEC v. R.T. Jones Capital Equities Mgt., Consent Order (Sept. 22, 2015)
  8. 8. 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce on P&P, then security. 4. Phish all workforce (esp. leadership). 5. Multi-factor authentication. 6. Signature based antivirus and malware detection. 7. Internal controls / access controls. 8. No outdated or unsupported software. 9. Security patch updates management policy. 10. Backups segmented offline, cloud, redundant. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk management program. 15. Firewall, intrusion detection and prevention systems. 16. Managed services provider (MSP) or managed security services provider (MSSP). 17. Cyber risk insurance. Does your company have a written cybersecurity incident response plan? SEC v. R.T. Jones Capital Equities Mgt., Consent Order (Sept. 22, 2015)
  9. 9. 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce on P&P, then security. 4. Phish all workforce (esp. leadership). 5. Multi-factor authentication. 6. Signature based antivirus and malware detection. 7. Internal controls / access controls. 8. No outdated or unsupported software. 9. Security patch updates management policy. 10. Backups segmented offline, cloud, redundant. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk management program. 15. Firewall, intrusion detection and prevention systems. 16. Managed services provider (MSP) or managed security services provider (MSSP). 17. Cyber risk insurance. Does your company manage third- party cyber risk? In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
  10. 10. “GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014) “We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.” SEC Statement and Guidance (Feb. 21, 2018) “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” NYDFS Cybersecurity Regulations § 500.02 “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including …” GDPR, Art. 32 How mature is your company’s cyber risk management program?
  11. 11. Why have an attorney lead your cyber risk management program? Our role as attorneys is to provide legal advice regarding the legal, regulatory compliance, and overall defensibility of the company’s current cyber risk and cybersecurity defense posture and then lead the company in developing, implementing, testing, and maturing a comprehensive cyber risk management program. • In providing this legal advice, we will engage the services of other professionals – consulting experts – to assist us in evaluating the current status and moving towards a more defensible posture. • Our work may be treated as attorney-client privileged and work-product. • But, both attorney-client privilege and work-product are very uncertain in this environment and are certainly no guarantees. • Communicate as though there will be no privilege.
  12. 12. Too little – “just check the box” Too much – “boiling the ocean” What is reasonable cybersecurity?
  13. 13. Identify: Assess Cyber Risk Identify & Protect: Strategic Planning Protect & Detect: Implement Strategy & Deploy Assets Protect: Develop, Implement & Train on P&P, 3rd Pty Risk Respond: Develop IR Plan & Tabletop Recover & Identify: Reassess, Refine & Mature Overview: Cyber Risk Management Program
  14. 14. What should your company’s cyber risk management program look like? • Based on a risk assessment1,2,3,4,5 • Implemented and maintained (i.e., maturing)1,2,3 • Fully documented in writing for both content and implementation1,2,3 • Comprehensive1,2,3,4,5 • Contain administrative, technical, and physical safeguards1,2,3 • Reasonably designed to protect against risks to network and data1,2,3,4,5 • Identify and assess internal and external risks2 • Use defensive infrastructure and policies and procedures to protect network and data1,2,3,4,5 • Workforce training2,3 • Detect events2 • Respond to events to mitigate negative impact2 • Recover from events to restore normalcy2 • Regularly review network activity such as audit logs, access reports, incident tracking reports3 • Assign responsibility for security to an individual3,5 • Address third-party risk2,3,5 • Certify compliance by Chair of Board or Senior Officer or Chief Privacy Officer2 1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014) 2. NYDFS Cybersecurity Regulations Section 500.02 3. HIPAA Security Management Process, §164.308(a)(1)(ii) 4. SEC Statement and Guidance on 2/21/18 5. GDPR Art. 32
  15. 15. The most essential step? • How do you protect against what you don’t know? • How do you protect what you don’t know you have? • How do you comply with rules you don’t know exist? • Demonstrates real commitment to protect, not just “check the box compliance.” • No two companies are alike, neither are their risks, neither are their risk tolerances. Cyber Risk Management Program Identify: Assess Cyber Risk “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” –Sun Tzu
  16. 16. Required by - • FTC: “shall contain administrative, technical, and physical safeguards appropriate to …” (GMR) • HHS: “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Risk analysis is the first step in that process.” (HHS Guidance on Risk Analysis) • SEC: “We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents.” (SEC Statement and Guidance 2/21/18) • NYDFS: “Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. (NYDFS § 500:09) • GDPR: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures ….” (GDPR Art. 24 and 32) Cyber Risk Management Program Identify: Assess Cyber Risk
  17. 17. Cyber Risk Management Program – Identify: Assess Cyber Risk What are we assessing? • What information it has, where is it, who has access to it, how it moves into, through, and out of the company2,6 • The company’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it maintains1 • Workforce • Industry risks4 • “Nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons”5 • Technological developments and evolving threats2 • Availability and effectiveness of controls2 and limits on ability to use controls4 • Documentation of how identified risks will be mitigated or accepted and how the program will address the risks2 • Third-party and nth-party risk2 • Prior incidents and probability of future incidents4 • Availability of insurance coverage for incidents4 • Potential for reputational harm4 • litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents4 • Jurisdiction and existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies4 1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014) 2. NYDFS Cybersecurity Regulations Section 500.09 3. HIPAA Security Management Process, §164.308(a)(1)(ii) 4. SEC Statement and Guidance on 2/21/18 5. GDPR Art. 24 and 32 6. FTC Protecting Personal Information
  18. 18. What laws and regulations are the company subject to? • Types • Security • Privacy • Unauthorized Access • International Laws • Privacy Shield • GDPR • Federal Laws & Regs. • HIPAA, GLBA, FERPA • FTC, SEC, FCC, HHS • State Laws • 48 states (AL & SD) • NYDFS & Colorado FinServ • Industry Groups • PCI, FINRA • Contracts • 3rd Party Bus. Assoc. • Data Security Addendum
  19. 19. What does strategy consider? • Resources • Risks & environment • Who is your general? Who is on your team? • Inside and outside • Technical – MSP, MSSP, pen testing, forensics • Strategic – CISO, outsource / fractional CISO, legal, CPO • Risk transfer – cyber risk insurance • Prioritization is critical: “you can’t boil the ocean” • Evaluating risk = probability x loss x cost x time to implement x impact on resources x benefits / detriments • “where do we die first?” • Don’t forget 3rd and Nth party risk • Write out your Strategic Plan Cyber Risk Management Program Identify & Protect: Strategic Planning “Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.” −Sun Tsu
  20. 20. “Gimme Action! Action! Action not words!” –Def Leppard • Execute your Strategic Plan in order of priorities. • Make sure to document this process (and all others). • Execution will vary wildly, based on size and complexity of company and Strategic Plan. • Include redundancy (where appropriate – think Equifax / Apache Struts patch) and verification of execution (example: recent W-2 case with DLP setting). • If you have the assets, you must use them and respond appropriately (Target Financial Case). • Have appropriate procedures for quickly assessing and responding to anomalies and incidents from Detection in reasonable time. Cyber Risk Management Program Protect & Detect: Implement Strategy & Deploy Assets “A good plan violently executed now is better than a perfect plan executed next week.” –George Patton
  21. 21. Protect: Develop, Implement & Train on Policies & Procedures • 63% confirmed breaches from weak, default, or stolen passwords • Data is lost over 100x more than stolen • Phishing used most to install malware Easily Avoidable Incidents 91% in 2015 91% in 2016 93% in 2017
  22. 22. Key points to consider in evaluating third-party risk. • Focus on objectives: protecting, responding, responsibility of data/network. • Staff appropriately. • Understand facts of relationship/transaction. • Understand risks by thinking worst case scenario from outset. • Minimalize risks: do not risk it if you do not have to. • Discuss objectives, facts, risks, protection with those responsible. • Assess third party’s sophistication and commitment. • Agree upon appropriate protections. • Investigate ability to comply. • Obligate compliance, notification (to you), responsibility. • Include in incident response planning. • Cyber Insurance: transfer risk where possible. Cyber Risk Management Program Protect: Third-Party Risk
  23. 23. Use contracts and contractual rights to minimize third-party risk: • Minimize risk, including third-party risk; and • Determine the process and responsibility for incidents. This risk can be reduced to two basic things: protecting – wherever and however – and responding to incidents concerning: • Networks; and • Data. Cyber Risk Management Program Protect: Third-Party Risk (into the weeds)
  24. 24. In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14, 2014). FTC’s Order requires business to follow 3 steps when working with third-party service providers: 1. Investigate before hiring data service providers; 2. Obligate data service providers to adhere to the appropriate level of data security protections; and 3. Verify that the data service providers are complying with obligations (contracts). Cyber Risk Management Program Protect: Third-Party Risk (into the weeds)
  25. 25. “It would be helpful for companies to consider the following issues, among others, in evaluating cybersecurity risk factor disclosure: . . . . the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks.” SEC Statement, February 21, 2018 In January 2014, SEC indicates that the new standard of care for companies may require policies in place for: 1. Prevention, detection, and response to cyber attacks and data breaches, 2. IT training focused on security, and 3. Vendor access to company systems and vendor due diligence. Cyber Risk Management Program Protect: Third-Party Risk (into the weeds)
  26. 26. New NIST Cybersecurity Framework adds “Supply Chain Risk Management (SCRM)” as a “Framework Core” function: • Coordinate cybersecurity efforts with suppliers of IT and OT (operational technology) partners; • Enact cybersecurity requirements through contracts; • Communicate how cybersecurity standards will be verified and validated; and • Verify cybersecurity standards are met. Cyber Risk Management Program Protect: Third-Party Risk (into the weeds)
  27. 27. NYDFS § 500.11 Third-Party Service Provider Security Policy “Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.” • P&P should be based on CE’s Risk Assessment and address the following, as applicable: • The identification and risk assessment of TPSPs; • Minimum CP required by TPSP to do business with CE; • Due diligence process used to evaluate the adequacy of CP by such TPSP; and • Periodic assessment of such TPSP based on risk they present and continued adequacy of their CP. • P&P shall include relevant guidelines for due diligence and/or contractual protections relating to TPSP and applicable guidelines addressing: • TPSP’s P&P for access controls and MFA to IS / NPI; • TPSP’s P&P for use of encryption in transit and at rest; • Notice to be provided to CE for Cybersecurity Event; and • Reps and warranties addressing TPSP’s cybersecurity P&P. Cyber Risk Management Program Protect: Third-Party Risk (into the weeds)
  28. 28. Third-Party Processing and Risk Under the GDPR • Controller, individually or with other controllers (jointly and severally), is responsible to the data subjects. Art. 26 • Processor only process on controller’s instructions. Art. 29 • Using a risk assessment, the controller must implement appropriate technical and organizational safeguards (incl. P&P) to ensure personal data is processed lawfully. Reassessment and maturation is required. Art. 24(1) • Controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures to satisfy GDPR. Art. 28 • Processor must have controller’s written authorization to engage another sub-processor; • Processor must have binding contract with controller specifying particulars of processing; • Processor must be bound to confidentiality; • Processor must demonstrate compliance and agree to audits and inspections; and • Nth processors liable to upstream processor, which is liable to the controller, which is ultimately liable. • Non-regulated controllers and processors can contractually agree to be bound. Art. 42 Cyber Risk Management Program Protect: Third-Party Risk (into the weeds)
  29. 29. Preparation is the key to a successful incident response. • There is no magic size to an Incident Response Plan but it must be written. • Know who is on your IR team and have them involved. • Understand your legal obligations, including contractual. • Know the difference between an incident and a breach – breach is a legal term. • Make sure your legal counsel understands the meaning of “non-reportable incident”! • Put yourself in the incident and think through it from there. Cyber Risk Management Program Respond: Develop IR Plan & Tabletop Testing "Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” SEC v. R.T. Jones
  30. 30. Cyber Risk Management Program Respond: Develop IR Plan & Tabletop Testing @shawnetuma shawnetuma.com/publications
  31. 31. Cyber Risk Management Program – Respond: Develop IR Plan & TT Testing Incident Response Checklist • Determine whether incident justifies escalation • Begin documentation of decisions and actions • Engage experienced legal counsel to lead process, determine privilege vs disclosure tracks • Notify and convene Incident Response Team • Notify cyber insurance carrier • Engage forensics to mitigate continued harm, gather evidence, and investigate • Assess scope and nature of data compromised • Preliminarily determine legal obligations • Determine whether to notify law enforcement • Begin preparing public relations message • Engage notification / credit services vendor • Notify affected business partners • Investigate whether data has been “breached” • Determine when notification “clock” started • Remediate and protect against future breaches • Confirm notification / remediation obligations • Determine proper remediation services • Obtain contact information for notifications • Prepare notification letters, frequently asked questions, and call centers • Plan and time notification “drop” • Implement public relations strategy • Administrative reporting (i.e., FTC, HHS, SEC & AGs) • Implement Cybersecurity Risk Management Program
  32. 32. • There is no such thing as being “cyber secure.” Until we fix human nature, bad people will do bad things and cyber will be a weapon of choice until something more efficient comes along. • Just as hackers will continue to evolve in their objectives and tactics, companies must evolve in how they protect against them. • Our goal is to have effective and defensible cybersecurity that is reasonable—that is, that is tailored to address the unique risks of the company and appropriate based on the company’s resources. Cyber Risk Management Program Recover & Identify: Reassess, Refine & Mature “Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing.” −Sun Tsu
  33. 33. “You don’t drown by falling in the water; You drown by staying there.” – Edwin Louis Cole
  34. 34. • Board of Directors & General Counsel, Cyber Future Foundation • Board of Advisors, NorthTexas Cyber Forensics Lab • PolicyCouncil, NationalTechnology Security Coalition • CybersecurityTask Force, IntelligentTransportationSociety of America • Practitioner Editor, Bloomberg BNA –Texas Cybersecurity & Data Privacy Law • Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016) • SuperLawyersTop 100 Lawyers in Dallas (2016) • SuperLawyers 2015-17 • Best Lawyers in Dallas 2014-17, D Magazine (Cybersecurity Law) • Council,Computer &Technology Section, State Bar ofTexas • Privacy and Data Security Committee of the State Bar ofTexas • College of the State Bar ofTexas • Board of Directors, CollinCounty Bench Bar Conference • Past Chair,Civil Litigation &Appellate Section, CollinCounty Bar Association • Information Security Committee of the Section on Science &Technology Committee of the American BarAssociation • NorthTexas Crime Commission,Cybercrime Committee & Infragard (FBI) • InternationalAssociation of Privacy Professionals (IAPP) ShawnTuma Cybersecurity Partner Scheef & Stone, L.L.P. 214.472.2135 shawn.tuma@solidcounsel.com @shawnetuma blog: www.shawnetuma.com web: www.solidcounsel.com

×