
The Legal Case for Cyber Risk Management Programs and What They Should Include


Spencer Fane LLP Cybersecurity and Data Privacy attorney Shawn Tuma delivered "The Legal Case for Cyber Risk Management Programs and What They Should Include" at the Texas Society of Certified Public Accountants' TSCPA CPE 2018 CPE Expo Conference on November 30, 2018, in Addison, Texas.



  1. Spencer Fane LLP | spencerfane.com
     The Legal Case for Cyber Risk Management Programs and What They Should Include
     TSCPA CPE 2018 CPE Expo Conference
     Shawn Tuma, Co-Chair, Cybersecurity & Data Privacy, Spencer Fane LLP | @spencerfane
     spencerfane.com | @shawnetuma
  2. (no text on this slide)
  3. (no text on this slide)
  4. Cybersecurity is no longer just an IT issue – it is an overall business risk issue.
  5. 2 Critical Risk Issues You Need to Hear From an Attorney
  6. Cyber / Privacy Risk Insurance
     Key considerations about cyber insurance:
     • If you don't know you have it, you don't!
     • Does your provider or broker really "get" cyber?
     • Is your coverage based on your risk?
     • Was security/IT involved in procurement?
     • Does your coverage include social engineering?
     • Does your coverage include contractual liability?
     • Do you have first-party and third-party coverage?
     • Do you understand your sublimits?
     • Can you choose your counsel and vendors?
  7. A few words about privilege
     • Great sales pitch → the magic wand!
     • Mature understanding → not so simple!
     • Prepare by doing everything possible to ensure the applicability of privileges, but carry out the work as though there will be no privilege.
       – Retain experienced cyber counsel to assess cyber risk and to develop and lead the cyber risk management program.
       – List counsel's role in the engagement agreement.
       – Develop a communications protocol at the outset.
         • i.e., "if it doesn't need to be in writing …"
     • Counsel must actively lead and stay engaged in the process.
     • Counsel should hire, direct, and receive information from consultants.
     • If there is an incident, consider multiple tracks:
       – proactive risk management;
       – normal business investigation;
       – investigation in anticipation of litigation.
  8. Cybersecurity for Your Practice
  9. The Problem for CPAs
     • Cybersecurity and privacy are issues that most professionals would prefer to ignore (trust me, I'm a lawyer!).
     • Cybersecurity and privacy impact all CPAs and CPA firms alike.
     • Clients are demanding adequate security from their outside providers (firms are their clients' third-party risk).
     • Professional services firms are an increasingly popular target.
       – Value and sensitivity of data.
       – Data for multiple clients.
  10. The Ethics for CPAs
      Confidential Client Communications. Texas State Board of Public Accountancy Board Rule 501.75:
      "A person in the client practice of public accountancy shall take all reasonable measures to maintain the confidentiality of the client records and shall immediately upon becoming aware of the loss of, or loss of control over, the confidentiality of those records notify the client affected in writing of the date and time of the loss if known. Loss includes a cybersecurity breach or other incident exposing the records to a third party or parties without the client's consent or the loss of the client records or the loss of control over the client records. Persons have a responsibility to maintain a back-up system in order to be able to immediately identify and notify clients of a loss."
  11. Rule 501.75 – Key Points
      • Protect -- shall take all reasonable measures to maintain the confidentiality of the client records.
      • Notify -- shall notify the client in writing immediately upon becoming aware of the loss of, or loss of control over, the confidentiality of those records.
      • Loss -- includes a cybersecurity breach or other incident
        – exposing the records to a third party without the client's consent, or
        – loss of the client records, or
        – loss of control over the client records.
      • Backups -- maintain a back-up system in order to be able to immediately identify and notify clients of a loss.
  12. http://www.tsbpa.state.tx.us/pdffiles/br1708.pdf
  13. Cybersecurity for All
  14. (no text on this slide)
  15. Laws & Regulations
      • Types
        – Security
        – Privacy
        – Unauthorized Access
      • International Laws
        – GDPR
        – Privacy Shield
        – China's Cybersecurity Law
      • Federal Laws and Regs
        – FTC, SEC, HIPAA
      • State Laws
        – All 50 States
        – Privacy (50) + security (20+)
        – NYDFS, Colo FinServ, CaCPA
      • Industry Groups
        – PCI
        – FINRA
      • Contracts
        – 3rd Party Bus. Assoc.
        – Privacy / Data Security / Cybersecurity Addendum
  16. Is it really always the Russians?
      • 63% of confirmed breaches involved weak, default, or stolen passwords
      • Data is lost over 100x more often than it is stolen
      • Phishing is the method used most to install malware
      Easily Avoidable Incidents: 91% in 2015, 91% in 2016, 93% in 2017
  17. 2 Themes to Remember
      • Cyber law is an expedition
      • The "issues" usually aren't really that new
  18. Common Cybersecurity Best Practices
      1. Risk assessment.
      2. Policies and procedures focused on cybersecurity.
         – Social engineering, password, security questions
      3. Training of all workforce on P&P, then security.
      4. Phish all workforce (esp. leadership).
      5. Multi-factor authentication.
      6. Signature-based antivirus and malware detection.
      7. Internal controls / access controls.
      8. No outdated or unsupported software.
      9. Security patch update management policy.
      10. Backups segmented offline, cloud, redundant.
      11. Incident response plan.
      12. Encrypt sensitive and air-gap hypersensitive data.
      13. Adequate logging and retention.
      14. Third-party security risk management program.
      15. Firewall, intrusion detection and prevention systems.
      16. Managed services provider (MSP) or managed security services provider (MSSP).
      17. Cyber risk insurance.
  19. Does the company have reasonable cybersecurity?
      (Repeats the 17 best practices listed on slide 18.)
      In re Target Data Security Breach Litigation (Financial Institutions) (Dec. 2, 2014)
      F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015)
  20. Does the company have adequate internal network controls?
      (Repeats the 17 best practices listed on slide 18.)
      FTC v. LabMD (July 2016 FTC Commission Order)
      SEC Report (October 18, 2018)
  21. Does the company have written policies and procedures focused on cybersecurity?
      (Repeats the 17 best practices listed on slide 18.)
      SEC v. R.T. Jones Capital Equities Mgt., Consent Order (Sept. 22, 2015)
  22. Were the written policies and procedures implemented?
      (Repeats the 17 best practices listed on slide 18.)
      SEC v. Voya Financial Advisors Inc., Consent Order (Sept. 26, 2018)
  23. Does the company have a written cybersecurity incident response plan?
      (Repeats the 17 best practices listed on slide 18.)
      SEC v. R.T. Jones Capital Equities Mgt., Consent Order (Sept. 22, 2015)
  24. Does the company manage third-party cyber risk?
      (Repeats the 17 best practices listed on slide 18.)
      In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
      SEC v. Voya Financial Advisors Inc., Consent Order (Sept. 26, 2018)
  25. (no text on this slide)
  26. How mature is the company's cyber risk management program?
      • "GMR Transcription Services, Inc. . . . shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers." In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
      • "We believe disclosures regarding a company's cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area." SEC Statement and Guidance (Feb. 21, 2018)
      • "Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's Information Systems." NYDFS Cybersecurity Regulations § 500.02
      • "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including …" GDPR, Art. 32
  27. What is reasonable cybersecurity?
      Too little – "just check the box"
      Too much – "boiling the ocean"
  28. Overview: Cyber Risk Management Program
  29. What should the company's cyber risk management program look like?
      • Based on a risk assessment [1,2,3,4,5]
      • Implemented and maintained (i.e., maturing) [1,2,3]
      • Fully documented in writing for both content and implementation [1,2,3]
      • Comprehensive [1,2,3,4,5]
      • Contains administrative, technical, and physical safeguards [1,2,3]
      • Reasonably designed to protect against risks to network and data [1,2,3,4,5]
      • Identifies and assesses internal and external risks [2]
      • Uses defensive infrastructure and policies and procedures to protect network and data [1,2,3,4,5]
      • Workforce training [2,3]
      • Detects events [2]
      • Responds to events to mitigate negative impact [2]
      • Recovers from events to restore normalcy [2]
      • Regularly reviews network activity such as audit logs, access reports, incident tracking reports [3]
      • Assigns responsibility for security to an individual [3,5]
      • Addresses third-party risk [2,3,5]
      • Compliance certified by Chair of Board or Senior Officer or Chief Privacy Officer [2]
      Sources:
      1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
      2. NYDFS Cybersecurity Regulations Section 500.02
      3. HIPAA Security Management Process, §164.308(a)(1)(ii)
      4. SEC Statement and Guidance on 2/21/18
      5. GDPR Art. 32
  30. Cyber Risk Management Program – Identify: Assess Cyber Risk
      "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." – Sun Tzu
      The most essential step?
      • How do you protect against what you don't know?
      • How do you protect what you don't know you have?
      • How do you comply with rules you don't know exist?
      • Demonstrates real commitment to protect, not just "check the box compliance."
      • No two companies are alike; neither are their risks, and neither are their risk tolerances.
  31. Cyber Risk Management Program – Identify: Assess Cyber Risk
      Required by –
      • FTC: "shall contain administrative, technical, and physical safeguards appropriate to …" (GMR)
      • HHS: "The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Risk analysis is the first step in that process." (HHS Guidance on Risk Analysis)
      • SEC: "We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents." (SEC Statement and Guidance 2/21/18)
      • NYDFS: "Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity's Information Systems sufficient to inform the design of the cybersecurity program as required by this Part." (NYDFS § 500.09)
      • GDPR: "Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures …." (GDPR Art. 24 and 32)
  32. Cyber Risk Management Program – Identify: Assess Cyber Risk
      What are we assessing?
      • What information the company has, where it is, who has access to it, and how it moves into, through, and out of the company [2,6]
      • The company's size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it maintains [1]
      • Workforce
      • Industry risks [4]
      • "Nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons" [5]
      • Technological developments and evolving threats [2]
      • Availability and effectiveness of controls [2] and limits on the ability to use controls [4]
      • Documentation of how identified risks will be mitigated or accepted and how the program will address the risks [2]
      • Third-party and nth-party risk [2]
      • Prior incidents and probability of future incidents [4]
      • Availability of insurance coverage for incidents [4]
      • Potential for reputational harm [4]
      • Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents [4]
      • Jurisdiction and existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies [4]
      Sources:
      1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
      2. NYDFS Cybersecurity Regulations Section 500.09
      3. HIPAA Security Management Process, §164.308(a)(1)(ii)
      4. SEC Statement and Guidance on 2/21/18
      5. GDPR Art. 24 and 32
      6. FTC Protecting Personal Information
  33. What laws and regulations is the company subject to?
      (Repeats the Laws & Regulations list from slide 15.)
  34. Cyber Risk Management Program – Identify & Protect: Strategic Planning
      "Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat." – Sun Tzu
      What does strategy consider?
      • Resources
      • Risks & environment
      • Who is your head coach? Who is on your team?
        – Inside and outside
        – Technical – MSP, MSSP, pen testing, forensics
        – Strategic – CISO, outsourced / fractional CISO, legal, CPO
        – Risk transfer – cyber risk insurance
      • Prioritization is critical: "you can't boil the ocean"
        – Evaluating risk = probability x loss x cost x time to implement x impact on resources x benefits / detriments
        – "where do we die first?"
      • Don't forget 3rd- and Nth-party risk
      • Write out your Strategic Plan
  35. Cyber Risk Management Program – Protect & Detect: Implement Strategy & Deploy Assets
      "A good plan violently executed now is better than a perfect plan executed next week." – George Patton
      "Gimme Action! Action! Action not words!" – Def Leppard
      • Execute your Strategic Plan in order of priorities.
      • Make sure to document this process (and all others).
      • Execution will vary wildly, based on the size and complexity of the company and its Strategic Plan.
      • Include redundancy (where appropriate – think Equifax / Apache Struts patch) and verification of execution (example: recent W-2 case with DLP setting).
      • If you have the assets, you must use them and respond appropriately (Target Financial Case).
        – Have appropriate procedures for quickly assessing and responding to anomalies and incidents from Detection within a reasonable time.
  36. Protect: Develop, Implement & Train on Policies & Procedures
      (Repeats the "Easily Avoidable Incidents" statistics from slide 16.)
  37. Cyber Risk Management Program – Protect: Third-Party Risk
      Key points to consider in evaluating third-party risk:
      • Focus on objectives: protecting, responding, and responsibility for data/network.
      • Staff appropriately.
      • Understand the facts of the relationship/transaction.
      • Understand risks by thinking through the worst-case scenario from the outset.
      • Minimize risks: do not risk it if you do not have to.
      • Discuss objectives, facts, risks, and protection with those responsible.
      • Assess the third party's sophistication and commitment.
      • Agree upon appropriate protections.
      • Investigate ability to comply.
      • Obligate compliance, notification (to you), and responsibility.
      • Include in incident response planning.
      • Cyber Insurance: transfer risk where possible.
  38. Cyber Risk Management Program – Protect: Third-Party Risk (into the weeds)
      • Use contracts and contractual rights to minimize third-party risk:
        – Minimize risk, including third-party risk; and
        – Determine the process and responsibility for incidents.
      • This risk can be reduced to two basic things: protecting – wherever and however – and responding to incidents concerning:
        – Networks; and
        – Data.
  39. Cyber Risk Management Program – Protect: Third-Party Risk (into the weeds)
      In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14, 2014). The FTC's Order requires the business to follow 3 steps when working with third-party service providers:
      1. Investigate before hiring data service providers;
      2. Obligate data service providers to adhere to the appropriate level of data security protections; and
      3. Verify that the data service providers are complying with their obligations (contracts).
  40. Cyber Risk Management Program – Protect: Third-Party Risk (into the weeds)
      "It would be helpful for companies to consider the following issues, among others, in evaluating cybersecurity risk factor disclosure: . . . . the aspects of the company's business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks." SEC Statement, February 21, 2018
      In January 2014, the SEC indicated that the new standard of care for companies may require policies in place for:
      1. Prevention, detection, and response to cyber attacks and data breaches,
      2. IT training focused on security, and
      3. Vendor access to company systems and vendor due diligence.
  41. Cyber Risk Management Program – Protect: Third-Party Risk (into the weeds)
      The new NIST Cybersecurity Framework adds "Supply Chain Risk Management (SCRM)" as a "Framework Core" function:
      • Coordinate cybersecurity efforts with IT and OT (operational technology) suppliers and partners;
      • Enact cybersecurity requirements through contracts;
      • Communicate how cybersecurity standards will be verified and validated; and
      • Verify that cybersecurity standards are met.
  42. Cyber Risk Management Program – Protect: Third-Party Risk (into the weeds)
      NYDFS § 500.11 Third-Party Service Provider Security Policy
      "Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers."
      (Abbreviations below: CE = Covered Entity; TPSP = Third Party Service Provider; CP = cybersecurity practices; IS = Information Systems; NPI = Nonpublic Information; P&P = policies and procedures.)
      • P&P should be based on the CE's Risk Assessment and address the following, as applicable:
        – The identification and risk assessment of TPSPs;
        – Minimum CP required of a TPSP to do business with the CE;
        – Due diligence process used to evaluate the adequacy of CP by such TPSP; and
        – Periodic assessment of such TPSP based on the risk they present and the continued adequacy of their CP.
      • P&P shall include relevant guidelines for due diligence and/or contractual protections relating to TPSPs and applicable guidelines addressing:
        – TPSP's P&P for access controls and MFA to IS / NPI;
        – TPSP's P&P for use of encryption in transit and at rest;
        – Notice to be provided to the CE for a Cybersecurity Event; and
        – Reps and warranties addressing the TPSP's cybersecurity P&P.
  43. Cyber Risk Management Program – Protect: Third-Party Risk (into the weeds)
      Third-Party Processing and Risk Under the GDPR
      • The controller, individually or with other controllers (jointly and severally), is responsible to the data subjects. Art. 26
      • The processor only processes on the controller's instructions. Art. 29
      • Using a risk assessment, the controller must implement appropriate technical and organizational safeguards (incl. P&P) to ensure personal data is processed lawfully. Reassessment and maturation is required. Art. 24(1)
      • The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures to satisfy the GDPR. Art. 28
        – Processor must have the controller's written authorization to engage another sub-processor;
        – Processor must have a binding contract with the controller specifying the particulars of processing;
        – Processor must be bound to confidentiality;
        – Processor must demonstrate compliance and agree to audits and inspections; and
        – Nth processors are liable to the upstream processor, which is liable to the controller, which is ultimately liable.
      • Non-regulated controllers and processors can contractually agree to be bound. Art. 42
  44. Cyber Risk Management Program – Respond: Develop IR Plan & Tabletop Testing
      "Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs." SEC v. R.T. Jones
      Preparation is the key to a successful incident response.
      • There is no magic size to an Incident Response Plan, but it must be written.
      • Know who is on your IR team and have them involved.
      • Understand your legal obligations, including contractual ones.
      • Know the difference between an incident and a breach – breach is a legal term.
      • Make sure your legal counsel understands the meaning of "non-reportable incident"!
      • Put yourself in the incident and think through it from there.
  45. Cyber Risk Management Program – Respond: Develop IR Plan & Tabletop Testing
      @shawnetuma shawnetuma.com/publications
  46. Cyber Risk Management Program – Respond: Develop IR Plan & TT Testing
      Incident Response Checklist
      • Determine whether the incident justifies escalation
      • Begin documentation of decisions and actions
      • Engage experienced legal counsel to lead the process and determine privilege vs. disclosure tracks
      • Notify and convene the Incident Response Team
      • Notify the cyber insurance carrier
      • Engage forensics to mitigate continued harm, gather evidence, and investigate
      • Assess the scope and nature of the data compromised
      • Preliminarily determine legal obligations
      • Determine whether to notify law enforcement
      • Begin preparing the public relations message
      • Engage a notification / credit services vendor
      • Notify affected business partners
      • Investigate whether data has been "breached"
      • Determine when the notification "clock" started
      • Remediate and protect against future breaches
      • Confirm notification / remediation obligations
      • Determine proper remediation services
      • Obtain contact information for notifications
      • Prepare notification letters, frequently asked questions, and call centers
      • Plan and time the notification "drop"
      • Implement the public relations strategy
      • Administrative reporting (i.e., FTC, HHS, SEC & AGs)
      • Implement the Cybersecurity Risk Management Program
  47. Cyber Risk Management Program – Recover & Identify: Reassess, Refine & Mature
      "Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing." – Sun Tzu
      • There is no such thing as being "cyber secure." Until we fix human nature, bad people will do bad things, and cyber will be a weapon of choice until something more efficient comes along.
      • Just as hackers will continue to evolve in their objectives and tactics, companies must evolve in how they protect against them.
      • Our goal is to have effective and defensible cybersecurity that is reasonable, that is, tailored to address the unique risks of the company and appropriate based on the company's resources.
  48. "You don't drown by falling in the water; you drown by staying there." – Edwin Louis Cole
  49. Shawn Tuma, Co-Chair, Cybersecurity & Data Privacy, Spencer Fane LLP
      972.324.0317 | stuma@spencerfane.com
      • Board of Directors & General Counsel, Cyber Future Foundation
      • Board of Advisors, SMU Cyber Program
      • Board of Advisors, North Texas Cyber Forensics Lab
      • Policy Council, National Technology Security Coalition
      • Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
      • Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
      • SuperLawyers Top 100 Lawyers in Dallas (2016)
      • SuperLawyers 2015-18
      • Best Lawyers in Dallas 2014-18, D Magazine (Cybersecurity Law)
      • Council, Computer & Technology Section, State Bar of Texas
      • Privacy and Data Security Committee of the State Bar of Texas
      • College of the State Bar of Texas
      • Board of Directors, Collin County Bench Bar Conference
      • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
      • Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
      • North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
      • International Association of Privacy Professionals (IAPP)
