The document discusses preparing for and responding to cybersecurity incidents and data breaches. It provides an overview of Breach Education Alliance, an integrated team approach for responding to breaches. It then discusses best practices for security investigations, including establishing goals and understanding common causes of incidents. Potential mistakes in investigations and security are outlined. The document emphasizes training employees, understanding your environment and business risks, and having the proper resources in place before, during and after a security incident.
This presentation examines the extent to which cyber-insurance can be a useful tool for managing the risks and harms caused by massive cyber-attacks, viewed from a national rather than an enterprise standpoint.
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson... (Don Grauel)
Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.
Cyber crime is growing rapidly, and cyber liability insurance is presented as the safest way for companies to be held harmless. Customers expect their information to be kept secure, and the loss of that information could cost a company loyal customers and lead to financial crisis.
Where security and privacy meet: partnering tips for CSOs and privacy/complian... (Compliancy Group)
This webinar identifies challenges in both the privacy and security offices, explains why the two must work together, and identifies mutual goals, both within their departments and in the context of the rest of the business. It includes solutions and suggestions for working together, along with case studies and examples showing common mistakes as well as success stories of privacy and IT offices working together.
Panelists:
Gant Redmon, General Counsel and VP of Business Development, Co3 Systems
This document discusses cyber risks and cyber liability insurance. It summarizes that many major companies have experienced data breaches in recent years. It outlines common cyber risks like computer intrusions, loss of physical devices, and social media issues. It recommends basic loss control techniques and identifies what cyber liability insurance can cover, such as first and third party losses from network security breaches, privacy breaches, and internet media liability. Coverage limits start at $100,000 with premiums as low as $250.
Cybersecurity has escalated to a major board-level concern and corporate governance issue. Boards of directors now play an important oversight role in ensuring organizations have adequate cybersecurity measures, response plans, and roadmaps to address growing threats. Management is responsible for executing specific security steps, while the board provides advisory and monitoring functions. These include assessing security readiness, stress testing response plans, conducting independent reviews, and establishing long-term strategies. With continued board guidance, organizations can better mitigate risks and adapt to changing cyber threats.
The document discusses how cybersecurity risks have become a major topic of discussion at high levels of organizations due to a combination of forces over the past decade. Sophisticated attackers now outpace security controls, and data breach disclosure laws have led to extensive media coverage of cyber attacks. This has increased pressure on boards of directors to oversee cybersecurity risks. Several case studies of large companies that suffered data breaches like Sony, Target, and TJX are presented to show how cyber attacks can significantly impact businesses but typically do not cause their downfall.
This document discusses the importance of having a cyber liability insurance policy and developing policies to manage cyber risks for a business. It notes that as technology becomes more important, cyber liability insurance will also grow in importance. It provides examples of exposures that could be covered by a cyber policy, such as data breaches, business interruptions, intellectual property issues, and system failures. The document also provides suggestions for developing policies around security roles, privacy, internet usage, social media, and reputation risks. It stresses analyzing your specific risks and working with an expert to ensure you have the proper insurance coverage.
Cyber liability insurance provides protection against the risks associated with data breaches and loss of personally identifiable information. As property owners and managers collect large amounts of private data on residents, employees, and applicants, the costs of a cyber attack or data breach can be substantial. Cyber liability policies cover expenses like notification of affected individuals, credit monitoring, lawsuits, investigations, and loss of business resulting from attacks. While prevention is important through security measures and policies, the growing threat of cyber crime means companies should evaluate cyber liability insurance as part of their risk management strategy.
Gowlings - November 12, 2014
In an increasingly digital world, all businesses face challenges in managing and protecting sensitive and confidential information. In this presentation Gowlings and Marsh Canada Limited addressed best practices for responding to a cyber breach, and what types of insurance may be available to respond to such a loss. Topics included:
• Trends, and the evolution of cyber insurance/products
• The D&O connection, cyber is a strategic business risk
• Risk Management Strategies
• Best Practices in Breach Response.
Cyber insurance provides coverage for losses from cyber incidents and security breaches. It helps manage cyber risks through risk sharing. However, the cyber insurance market is still immature with global losses from cyber incidents exceeding the total cyber insurance market. Key challenges include asymmetric information between insurers and clients, interdependent and correlated cyber risks, and limited reinsurance capacity due to lack of claims data and potential for simultaneous global attacks.
Are cybersecurity concerns keeping you up at night? Join Paige Boshell and Amy Leopard who lead our Privacy and Information Security Team for a discussion on developing and updating your cybersecurity plan, incorporating industry standards and regulatory guidance from the Financial Institution and Healthcare industries.
Higher education institutions experience more data breaches than any other industry. The document discusses privacy and security laws and regulations that apply to higher education such as FERPA, GLB, and state privacy laws. It provides recommendations for developing a comprehensive privacy program including inventorying information assets, assessing risks, reviewing policies, training employees, and monitoring compliance.
“Cyber Liability & Cyber Insurance” - A discussion on best practices around Prevention, Detection, and Response!
Sponsored by Datto and Webster Bank
Series brought to you by the Connecticut Technology Council.
____________
TOPIC FOCUS:
1. Evolution and acceptance of Cybersecurity insurance
a. Understanding risk & effect on businesses
i. Used to be major brands, now widespread.
ii. Risk recognized, business leaders looking to minimize risk
b. Describing changes in cybersecurity insurance
How coverages have evolved - not just for biggest companies
i. Insurers are working with (tech) companies to get it right
ii. Where is it going from here? Trends, specialty insurance
2. Describe insurance types/specifics and how they perform when needed
a. Not all policies are the same
b. What to look for
c. How they vary by type of business (Healthcare vs. Retail vs. Software Co.)
d. What gaps still remain (What can't get covered?)
3. How to minimize cost, get most value for your company
a. Some protections on your current policies
b. Gating elements - What the insurance companies want to see - how that might help costs
4. Best practices generally
Managing and insuring cyber risk - coverage of insurance policies (IISPEastMids)
This document provides an overview of typical cyber insurance policy coverage, including available first party losses coverage for breach costs, business interruption, hacker damage, and cyber extortion. It also discusses third party liability coverage for privacy claims, investigations, and media liability. Common pitfalls are outlined, such as precautions against loss, employee dishonesty exclusions, issues with third party suppliers, and jurisdictional limits. The summary emphasizes that cyber policies can vary and understanding the specific risks to your business and the details of coverage is important, advising the reader to seek advice when purchasing a policy.
HIPAA Security Trends and Future Expectations (PYA, P.C.)
PYA Principal Barry Mathis, a former CIO, CTO, senior IT audit manager, and IT risk management consultant, presented at the TSCPA Health Care Conference. His presentation, "HIPAA Security Trends and Future Expectations", focuses on:
- Current HIPAA enforcement activities and future developments.
- Case studies that highlight the changing HIPAA landscape.
- Cyber threats that impact covered entities and business associates.
4 Steps to Financial Data Security Compliance: Technologies to Help Your Finan... (SafeNet)
This document discusses 4 steps that financial service organizations can take to achieve compliance with data security regulations:
1) Secure data in motion by encrypting network traffic over WANs using high-speed encryption.
2) Protect data at rest by encrypting data on devices using disk and file encryption.
3) Control access using strong authentication solutions.
4) Protect encryption keys using hardware security modules, so the keys themselves cannot be extracted or tampered with.
Implementing encryption technologies across these four areas provides comprehensive protection of data assets and facilitates secure access, helping organizations comply with various data security laws.
1. Regulatory agencies are required to follow a defined rulemaking process when creating new regulations. This includes publishing proposed regulations for public comment and allowing time for feedback before finalizing rules.
2. Many companies do not properly protect customer data, with over half admitting to data breaches. However, customers believe they have a right to control their personal information. This disconnect has eroded trust between organizations and consumers.
3. Regulators are increasingly focused on enforcing data breach notification laws and requiring organizations to take reasonable security measures to prevent breaches. Non-compliance can result in penalties, while implementing best practices helps build a "culture of caring" and regulatory confidence.
This document discusses privacy and security risks in the digital age and strategies for managing those risks. It outlines increasing regulation at the federal, state, and international levels related to data breaches and privacy. This has led organizations to undertake multiple, siloed compliance efforts. The document proposes a unified approach to information security compliance that addresses all legal requirements and uses popular standards. It also discusses how risk transfer through insurance can help organizations manage security and privacy risks.
Cyber risk represents both risk and opportunity for insurance companies. While cyberattacks can result in multi-billion dollar losses, there is growing demand from companies for cyber insurance coverage. Actuaries can help develop sustainable cyber insurance products by analyzing available breach data, determining appropriate policy terms, and encouraging policyholders to strengthen cybersecurity. Offering generous policy limits alongside strict security requirements and high deductibles allows insurers to expand in this area while properly managing risk. The increasing need for cyber coverage represents a chance for actuaries to add value and for insurers to generate new revenue streams.
HIPAA Security Audits in 2012 - What to Expect. Are You Ready? (Redspin, Inc.)
Within the 2009 American Recovery and Reinvestment Act (ARRA) was a legislative gem, the HITECH Act. HITECH provided a much needed “shot in the arm” (no pun intended) for the vanguard of healthcare technology advocates (including industry leaders, academics, economists, politicians, and concerned citizens), who had been promoting the necessity of modernizing the U.S. healthcare system for years.
Pinpointing the source and scope of data theft is often hard to quantify, especially since your largest internal threat may actually be one of your most loyal employees. This presentation presents the findings of the first-ever global insider threat study that catalogs common practices used by leading organizations across numerous verticals. This presentation will define the insider threat, quantify the prevalence of the problem, and uncover controls that have proven most effective at minimizing the risk of insider threats.
Managed Security For A Not So Secure World Wp090991 (Erik Ginalick)
This white paper discusses the need for managed security services given the growing threat landscape and constrained IT budgets. It notes that good security requires continual monitoring and adaptation to new threats. Compliance with regulations is also difficult given shrinking resources. Outsourcing security to an expert provider allows organizations to focus on core operations while gaining access to skilled professionals, comprehensive solutions, and expertise in managing security risks. The white paper concludes that a managed security strategy can help reduce costs and ensure compliance while allowing IT staff to focus on business needs.
This document discusses cybersecurity risks and challenges for banks. It notes that banks hold sensitive financial and customer data, making them attractive targets for sophisticated cyber attacks seeking monetary rewards. The document outlines key cybersecurity issues banks face such as regulatory compliance pressures, consumerization trends, emerging attack types like APTs, and the sophistication of threats. It provides examples of past attacks on banks and discusses security challenges from e-banking, mobile banking, outsourcing, and PSD2 regulations. The document advocates for strategies like threat intelligence, compliance with standards like PCI DSS and ISO 27001, and information security maturity to help banks mitigate cybersecurity risks.
Cyber Liability - Insurance Risk Management and Preparation (Eric Reehl)
See how Adaptive Solutions is delivering leading cyber risk management solutions through its strategic alliance with Willis Towers Watson and Darklight Technologies.
Basics of insurance coverage and evolving issues surrounding cyber, data breaches, and a big picture overview of how it impacts businesses and the lawyers advising them.
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age (Perficient, Inc.)
The document discusses consumer privacy laws and IT's responsibility in managing privacy risks. It outlines challenges in complying with various privacy regulations and standards. It emphasizes the need for an integrated privacy management framework and promoting an organizational culture of privacy compliance.
This document discusses protecting businesses from identity theft and fraud, which is described as the greatest threat of the 21st century. It notes that identity theft directly impacts businesses through their customers and employees. Businesses must comply with various federal and state regulations regarding privacy and security of personal and financial information. The document outlines how identity theft can occur and have devastating consequences for businesses through lost customers, damaged reputation, stolen money, and high costs of recovery. It recommends businesses take administrative, technical, and policy measures to protect against threats and comply with relevant laws.
The document discusses risk management in companies. It provides questions for senior executives and IT executives about risks to the business from data security, regulatory compliance, and technological issues. It also summarizes statistics about the high costs of data breaches for companies and discusses how outsourcing some risk management functions can help companies focus on compliance in today's complex regulatory environment.
Before the Breach: Using threat intelligence to stop attackers in their tracks (Mark Fullbright)
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
This document summarizes a seminar on cybersecurity insurance. It discusses the presenters and provides examples of data breach headlines. It then explains the threats to data, including internal and external threats. The document outlines the immediate expenses of a data breach such as notification, call centers, credit monitoring, legal expenses, and forensics. Finally, it discusses the typical costs of a data breach, which can range from hundreds of thousands to millions of dollars depending on the size and type of breach.
Responding to a Company-Wide PII Data BreachCBIZ, Inc.
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...Casey Ellis
This document summarizes key topics from a presentation on cybersecurity issues and legal considerations, including:
1) Cyberattacks pose a significant and growing threat, with annual global costs of cybercrime estimated to rise from $3 trillion currently to $6 trillion by 2021. Data breaches continue to mount in size and frequency.
2) Responding to cyber incidents involves substantial costs beyond direct remediation, including brand impact, lost revenue, legal claims, and government fines. Companies are often under-resourced to address cybersecurity issues fully.
3) Bug bounty programs and security researchers can help companies identify vulnerabilities, but legal risks remain around disclosure of vulnerabilities to regulators or the public. Careful management
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselCasey Ellis
This document summarizes a presentation on cybersecurity legal issues for companies. It discusses the growing costs and impacts of cyberattacks like data breaches and ransomware. Bug bounty programs that hire security researchers are presented as a way for companies to find vulnerabilities, but they may also increase legal obligations to notify breaches. The role of legal counsel in addressing these issues is examined, including maintaining technical competence. Elements of effective cybersecurity programs and incident response planning are outlined to help mitigate risks and consequences.
Hacking the Human - How Secure Is Your Organization?CBIZ, Inc.
This presentation covers:
Social Engineering
Targets, Costs, Frequency
Real Life Examples
Mitigating Risks
Internal Programs
Data Security & Privacy Liability
Cyber Liability
Cyber Insurance
Financial Impact
Key Coverage Components
Checklist for Assessing your Level of Cyber Risk
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to:
https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2020/
This document analyzes data from the Privacy Rights Clearinghouse database on data breach incidents reported from 2005 to 2015. Some key findings include:
- Hacking or malware were behind 25% of breaches, while insider leaks accounted for 12% and unintended disclosures 17.4%.
- Payment card data breaches increased substantially after 2010 likely due to malware targeting point-of-sale systems.
- The healthcare sector experienced the most breaches followed by government and retail. Personally identifiable information and financial data were the most commonly stolen records.
- While credit card and bank account information is frequently dumped online, accounts for services like Uber, PayPal and poker saw increased dumping.
- Organizations must strengthen
The Science and Art of Cyber Incident Response (with Case Studies)Kroll
In this joint presentation for the ISSA-LA Summit X in Los Angeles, Jennifer Rathburn, a cybersecurity and data privacy law expert at Foley & Lardner LLP and William Dixon, Associate Managing Director in Kroll's Cyber Risk practice, highlight three incident response scenarios and tips on breach preparation and response.
To learn more, contact Jennifer or William at:
Jennifer Rathburn, Foley & Lardner LLP
jrathburn@foley.com; 414-297-5864
William Dixon, Kroll, a Division of Duff & Phelps
william.dixon@kroll.com; 213-247-3973
Secrets to managing your Duty of Care in an ever- changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with its strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
Network Security and Privacy Liability - Four Reasons Why You need This Cove...CBIZ, Inc.
This document discusses the need for corporate information protection and cyber liability insurance. It outlines four reasons why businesses need this coverage: 1) Increasingly stringent laws and regulations, 2) Advances in technology, 3) Risks associated with global outsourcing, and 4) User error. Statistically, attackers are often able to compromise organizations within minutes, and most theft or loss of sensitive data occurs within the victim's work area. Cyber liability insurance provides coverage for legal liability, defense costs, expense reimbursement, and helps businesses assess privacy programs and risks.
The document analyzes data breach records from 2005-2015 to examine trends by industry. It finds that healthcare, education, government, retail, and finance were most commonly affected, accounting for over 80% of breaches. Personal information was the most frequently stolen record type, compromised through various methods like device loss, insider leaks, and hacking. The analysis also looks specifically at breach trends in the healthcare industry, where loss of portable devices like laptops was a primary source of compromises.
74 x9019 bea legal slides short form ged12.12.16Glenn E. Davis
Complex cybersecurity issues like data breaches, ransomware attacks, and evolving threats from sophisticated hackers are an ongoing challenge for all industries. The healthcare industry in particular saw over 100 million patient records compromised in 2015. While estimating costs of data breaches is difficult, the average reported cost is around $6.5 million per breach or $217 per compromised record. Proper preparation, compliance, security practices, incident response planning, and legal risk management are needed to deal with these ongoing threats.
This document provides guidance on minimizing business risks related to data security. It discusses identifying important business information, threats from outside and inside the organization, assessing risks based on likelihood and impact, and mitigation strategies like technology safeguards, policies, processes, employee training, and physical security measures. The document emphasizes that leadership must be aware of risks and implement adequate safeguards to protect the organization.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
Business Law Training: Market Turmoil in D&O Insurance and Is Your Company Pr...Quarles & Brady
This lively discussion focused on the market turmoil in the current public and private D&O markets. Additionally, the professionals explained the scope of cyber insurance for traditional exposures, operational risk and regulatory compliance.
2. Breach Education Alliance:
Integrated Team Approach With Complementary Resources
Your organization sits at the center, supported by:
Legal
Insurance
Reputation Management
Security
IT Network
4. Goals of a Successful Investigation
Did an incident occur?
Scope of incident
Cause of incident
Assess damages
Activate BC/DR?
Consider further actions
5. Not all Malicious
Security incidents by cause (as presented): Accidents 90%, Internal malicious attackers 6%, External malicious attackers 4%
Malicious attacks are less than 10% of all security incidents
Of the malicious attackers, 50%-60% are internal
6. Goals of a successful Investigation
Did an incident occur?
• Lack of baseline
• Lack of corporate policies
• False positives
Scope of the investigation
• Does it affect Confidentiality, Integrity, Availability?
• Is disclosure required?
• Will 3rd parties aid in the investigation?
7. Goals of a successful Investigation
Determine Cause
• Was the cause internal or external?
• Did a person cause it?
• Was it malicious?
Assess Damage
• How does the incident affect business operations?
• Will the investigation affect operations?
• Will business operations impede the investigation / destroy evidence?
8. Goals of a successful Investigation
Activate BC/DR
• Did the incident inhibit/cease operations?
• Has the integrity of data been compromised?
• Has your TCB (trusted computing base) been compromised?
Further Actions
• Take legal action
• Report incident to 3rd party
• File an insurance claim
• Learn from the incident and plan
10. Lack of knowledge of Environment
The most common mistake.
How can you identify malicious activity if you don't know what legitimate activity looks like?
Inventory software, devices and other assets.
Software updates often fix security problems, so apply updates as soon as they become available.
11. Use strong Passwords or Password Phrases
Example pattern: a multi-word phrase such as "Mary had a little lamb".
The space bar is a valid character!
Easy to remember, no need to write them down, and unique to everyone.
Caveat: a phrase that is itself famous (nursery rhymes, song lyrics, quotations) is already in password-cracking wordlists; choose words that are meaningful only to you, and never reuse a passphrase across accounts.
12. Train your employees …
They need to be aware of Phishing and email traps, links, downloads.
Security Awareness training is critical.
13. Understand your business…
Key areas:
• Where are you vulnerable? What IP does your company have?
• What threats should you be aware of?
• What impact would these threats have on your business?
• What does potential regulatory compliance require of you?
• Establish risk thresholds or tolerance levels. Will you mitigate, accept or insure (transfer) those risks?
15. Complex Issues – Here to Stay
CyberGroup: cybersecurity/data breach/privacy™
16. Complex Issues — Here to Stay
Sophisticated threats, evolving technology, Internet of Things
64% increase in information security incidents, 2015 vs 2014
Healthcare: a frequently attacked industry
Ransomware attacks
100 million healthcare records compromised in 2015 (credit card, email, SSN, employment, medical history data)
High price on the black market ("dark internet")
Cyber thieves use the data to launch spear phishing attacks, commit fraud, steal medical identities
But no industry is immune:
Manufacturing (automotive, chemical, corporate IP networks)
Financial services (consumer banking, mobile apps)
Government (IRS and HHS breaches)
Transportation (freight, shipping, air)
Retail/wholesale
19. Costs
Assessing/predicting costs of data breaches is difficult: there is a lack of quality data.
High interest among firms at risk, insurance carriers, researchers, and social planners.
Based on recent survey data, the average cost of a data breach is around $6.5 million (or $217 per record; Ponemon 2015).
Averages may be misleading: the statistical mean pegs the loss for a data breach (or cyber event) at almost $6 million, but the median loss is only $170K.
Similarly skewed values arise for phishing and security incidents.
Privacy violations, however, account for a much larger median loss of $1.3 million.
20. Statistics Do Not Account For:
Business interruption
Reputational loss
Customer retention/loss
Cost of allocation of resources/time
Responding to private litigation / potential class actions
Responding to federal and state regulatory bodies
21. Four Types Of Threats
Data breaches (unauthorized disclosure of personal information)
Security incidents (malicious attacks directed at a company)
Privacy violations (alleged violation of consumer privacy)
Phishing/skimming incidents (individual financial crimes)
Statistically, of all cyber incidents, data breaches are by far the most common, dwarfing the rates of all other cyber events.
22. Who Does This Stuff to Us?
Next attacker: someone you thought you could trust
Competitors
Outside criminal element (foreign and domestic), bored teenager
State sponsored activity
Human error
Mixed motives: financial gain, inflicting physical damage, stealing intellectual property, spreading political protest
23. Dealing With Threats
There is no 100%
Compliance ≠ Security
Prioritize business objectives within risk tolerance
Management of contractual relationships/terms
Proactive security plan with technology and policy
Coordinated and tested incident response plan
Prepare response to the inevitable attack
Understand the threat landscape
Access the right resources and skills
Promote a culture of security awareness
Train
Avoid careless mistakes
Protect key IP and business assets
24. Legal Management Issues
Effective privacy notices
Industry specific regulations (federal, state)
Assessment of legal duties / disclosure
Determination of key areas for cyber insurance
Contractual matters: indemnification, limitation of liability, risk transfer, representations & warranties
Acquisitions: due diligence
25. Legal Ramifications
Private litigation
Suppliers, commercial customers
Consumers, individuals, class actions
Government investigations
State laws / attorney general actions
Federal laws / FTC and industry specific regulations
Privacy actions
Criminal violations
Of approximately 1,700 legal actions pending in federal courts, over 50% are private civil actions and 17% are criminal actions.
26. Real Life Lessons From The FTC
LabMD, a clinical laboratory, experienced data breaches that compromised the personal and medical information of approximately 9,300 consumers. The FTC's decision, relying on extensive expert testimony, found that from 2005 to 2010 LabMD failed to:
maintain file integrity monitoring;
provide intrusion detection;
monitor digital traffic across its firewalls;
delete consumer data that was no longer needed;
provide security training to employees;
implement a strong password policy (a number of employees used the same password, "labmd");
update its software to deal with known vulnerabilities;
control administrative rights on employee laptops, allowing employees to download any software, business related or not;
prevent use of peer-to-peer file sharing software (LimeWire), which enabled the download of a file containing 1,718 pages of confidential information on approximately 9,300 consumers.
27. Lessons From LabMD
The FTC has made it clear that any industry in possession of sensitive consumer data (such as names, addresses, dates of birth, Social Security numbers, and insurance information) will be required to maintain reasonable data security practices.
Enforcement actions may result even if there has been no identifiable harm to the subjects of such data.
The FTC is going to assert its authority expansively and stay in the cyber cop business.
In a data breach case, no actual harm is necessary.
Employers must train their employees on infosec.
Companies must establish reasonable protocols commensurate with their risk profile to try to protect against cyber intrusions.
(This deck is dated December 2016. In June 2018 the Eleventh Circuit vacated the FTC's LabMD order as too vague to enforce, without deciding whether LabMD's security practices were unfair; the expectation of reasonable security practices described above still drives FTC enforcement.)
28. Role Of Management And Board
Duty to maintain, grow, and protect the assets of the company
Public company risks:
Failure to maintain adequate controls
Failure to disclose
Failure to investigate and make informed judgments
Shareholder actions and derivative claims
Government focus on individual liability
Indemnification issues
29. What You Need in Place Before, During & After
Before:
Management commitment
Clear lines of communication
Set infosec as an organizational priority
Specialized knowledge
Business compliance and continuity plans
Policies and procedures for data protection
Statutory compliance by industry/profession/location
Employee training / response teams
When the information security/cyber problem happens (and it will):
24/7 responsiveness with resources
Ability to contain harm / calm management of the crisis
Guidance on legal duties / notification / reputation management
Dealing with government bodies
Positioning/shaping facts with future litigation in mind
Avoid exorbitant costs / potential liabilities
30. THINK IN THREE PHASES
Before a problem arises:
• Legal
• Insurance
• IT/Network
• PR
• Forensic testing
Responding to a breach:
• Legal
• PR
• Insurance
• Forensic investigation
Post breach:
• Legal
• PR
• IT/Network
31. Questions / Contact Information:
Glenn E. Davis
Lead Partner
HBCyberGroup
www.HeplerBroom.com
glenn.davis@heplerbroom.com
Direct: 314.480.4154 | Mobile: 314.550.5122
33. Why Prepare?
"The big guys (Target, Schnucks) have been hacked. My company is small. I do not have to worry."
You are wrong!!
34. IT Infrastructure
Includes all components
Not just limited to desktops or laptops
Includes mobile devices as well
Servers: on-site, off-site or in the cloud
E-mail records, and the files attached to those messages
Internal IT infrastructure: servers, routers, copiers
35. How To Prepare: Pre-Event
Define the current environment
Decide what type(s) of attack to prepare for
Conduct what-if scenarios
Decide what the risk factors are for each scenario
Attack shortcomings on a priority basis
Test systems to make sure they work as designed
Update on a regular basis
Make sure the environment has an "owner"
36. Define Current Environment
Firewall configuration
Antivirus in place, business grade
Software security updates installed
Backups in place and functional
Disaster recovery plan in place and verified
Redundant systems: connectivity
Redundant systems: storage
Servers containing PHI: are they encrypted/monitored?
Includes desktops, laptops, mobile devices
37. What Attacks To Consider
Business dependent
Internal employee attacks
Phishing attacks
CryptoLocker and other ransomware
Unpatched software
DDoS
Malware
Botnets
Hacktivists, and the list goes on…
38. Conducting What If Scenarios
The technical team needs to do this
Hire ethical hackers
Look at the system architecture for responses
Learn from other breaches
Learn from industry groups
Penetration testing at some frequency
Test restored backup files
Conduct disaster recovery simulations
39. Scenario Risk Factors
What is the probability of a specific attack?
What data, information, IP would be lost?
What is the cost to recreate the lost information?
Small and medium sized companies DO get hacked!
Are there employees, current or former, with agendas?
How aware are employees of the risks?
What company functions are the most critical?
40. Setting Organizational Priority
Importance of potential breach area: H, M, or L
Probability of potential breach: H, M, or L
Allowable time delay for recovery: Short, Medium, or Longer
Number of people impacted: H, M, or L
Number of company functions impacted: H, M, or L
Ability of company to generate revenue: H, M, or L
Safety (all types) of the client: Critical, Medium, or Low
Build a matrix of all factors, rate each 1-5, 5 being high or critical
Address the items with the highest total first
Implement fixes accordingly
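A worked version of the matrix above, as an added example that is not part of the presentation: each candidate breach area is rated on the slide's seven factors, the slide's H/M/L, Short/Medium/Longer and Critical/Medium/Low labels are mapped onto its 1-5 scale, the ratings are totaled, and the backlog is sorted highest-first. The factor keys, the label mapping, the optional per-factor weights, and the four sample breach areas with their ratings are assumptions made for illustration.

```python
"""Priority matrix from the "Setting Organizational Priority" slide.

Each candidate breach area is rated on the seven factors the slide lists
(1-5, 5 = high or critical), the ratings are totaled, and the backlog is
worked from the highest score down.

Added example, not code from the presentation. The factor keys, the mapping
from the slide's H/M/L-style labels onto 1-5, and the sample breach areas and
their ratings are assumptions made for illustration.
"""
from dataclasses import dataclass

# The slide's seven factors, in its order; comments give the slide's labels.
FACTORS = (
    "importance",          # importance of the potential breach area: H/M/L
    "probability",         # probability of a breach: H/M/L
    "recovery_urgency",    # allowable recovery delay: Short/Medium/Longer (Short = 5)
    "people_impacted",     # number of people impacted: H/M/L
    "functions_impacted",  # number of company functions impacted: H/M/L
    "revenue_impact",      # effect on ability to generate revenue: H/M/L
    "client_safety",       # safety of the client: Critical/Medium/Low
)

# Assumed mapping of the qualitative labels onto the slide's 1-5 scale.
LABEL_TO_RATING = {
    "L": 1, "LOW": 1, "LONGER": 1,
    "M": 3, "MEDIUM": 3,
    "H": 5, "HIGH": 5, "SHORT": 5, "CRITICAL": 5,
}


def to_rating(value):
    """Accept an int 1-5 or one of the slide's labels; reject anything else."""
    if isinstance(value, str):
        key = value.strip().upper()
        if key not in LABEL_TO_RATING:
            raise ValueError(f"unknown rating label {value!r}")
        return LABEL_TO_RATING[key]
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"rating must be an integer from 1 to 5, got {value!r}")
    return value


@dataclass
class RiskArea:
    name: str
    ratings: dict  # factor name -> int 1-5 or label string

    def normalized(self):
        """All seven factors as ints; a missing factor is an error, not a zero."""
        missing = [f for f in FACTORS if f not in self.ratings]
        if missing:
            raise ValueError(f"{self.name}: unrated factors {missing}")
        return {f: to_rating(self.ratings[f]) for f in FACTORS}

    def score(self, weights=None):
        """Total of the ratings; optional per-factor weights (default 1 each)."""
        w = dict.fromkeys(FACTORS, 1)
        w.update(weights or {})
        r = self.normalized()
        return sum(w[f] * r[f] for f in FACTORS)


def prioritize(areas, weights=None):
    """Return (name, score) pairs, highest score first.

    Ties break on client safety and then probability, so a safety-critical
    item is never worked after an equally scored item that only costs money.
    """
    def sort_key(area):
        r = area.normalized()
        return (area.score(weights), r["client_safety"], r["probability"])

    return [(a.name, a.score(weights))
            for a in sorted(areas, key=sort_key, reverse=True)]


# Constructed sample backlog; the ratings are illustrative, not survey data.
SAMPLE_AREAS = [
    RiskArea("Lost unencrypted laptop holding PHI", dict(
        importance="H", probability=4, recovery_urgency="Medium",
        people_impacted="H", functions_impacted=2, revenue_impact=2,
        client_safety="Critical")),
    RiskArea("Phishing of finance staff", dict(
        importance=4, probability=5, recovery_urgency=3,
        people_impacted=2, functions_impacted=3, revenue_impact=4,
        client_safety=2)),
    RiskArea("Unpatched internet-facing web server", dict(
        importance=4, probability=4, recovery_urgency=4,
        people_impacted=3, functions_impacted=4, revenue_impact=4,
        client_safety=3)),
    RiskArea("DDoS against customer portal", dict(
        importance=3, probability="M", recovery_urgency="Short",
        people_impacted=4, functions_impacted=3, revenue_impact="H",
        client_safety="Low")),
]

if __name__ == "__main__":
    for rank, (name, score) in enumerate(prioritize(SAMPLE_AREAS), start=1):
        print(f"{rank}. {score:2d}  {name}")
```

Ties are broken on client safety and then probability rather than left to list order, and the weights argument lets a regulated business raise one factor (client safety here) without re-rating every area. A missing or out-of-range rating is rejected instead of being scored as zero, which would quietly push an unassessed area to the bottom of the list.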
41. Test Fixes for Verification
Verify the fix has been fully implemented
Design a test scenario
The testing party should NOT be the one who implemented the fix!
Verify the desired result
If successful, retest at some frequency
If unsuccessful, address the failure, repair, retest
42. Follow up Is Critical
Set a schedule for retesting based on criticality
Make sure this process has an owner
Make sure the owner has authority and support
Include this as part of the strategic plan
Address as part of internal SWOT analysis
Be sure to consider legal, insurance, and messaging issues as these items are addressed
45. What Can Cyber Insurance Cover?
Insurable assets:
Personally identifiable information and/or protected health information of employees or consumers
Corporate confidential information
Data breach response costs, including the following:
Notification mailings & call center
Credit monitoring
Credit correction
IT forensics
Public relations
Defense costs and civil fines from a privacy regulatory action
Defense costs and damages from civil litigation
46. What Can Cyber Insurance Cover?
Corporate information technology network:
Addresses the loss of income as a consequence of network downtime. Certain insurers will also extend coverage to downtime of vendors on whom a policyholder is reliant. This is commonly known as "contingent business interruption."
Costs to restore compromised data
Reimbursement for costs associated with an extortion threat
Operational technology:
A few insurers have begun to extend coverage beyond the information technology network to also include operational technology such as industrial control systems.
47. What Can Cyber Insurance Cover?
Reputation and Brand:
Insuring reputational risk from some form of cyber event remains out of scope for the majority of insurers. At the time of writing, the London market has begun to innovate to address the financial loss after adverse media publicity. However, capacity remains constrained at $100,000,000 at best.
Physical Assets:
Cyber security is no longer just about risks to information assets. A cyber attack can now cause property damage that also could lead to financial loss from business interruption, as well as liability from bodily injury or pollution, for example.
An assumption that coverage should rest within a property or terrorism policy may not be accurate. Exclusionary language has begun to emerge and is expected to accelerate across the marketplace as losses occur. Dedicated products also have started to appear.
48. Insuring Agreements Available in Insurance
Network Security Liability
Claim expenses and damages arising from network and non-network security breaches
Multimedia Liability
Claim expenses and damages arising from personal injury torts and intellectual property infringement (except patent infringement)
Claim expenses and damages arising from electronic publishing (website) and other dissemination of matter
Privacy Liability
Claim expenses and damages emanating from a violation of a privacy law or regulation
Common law invasion of privacy or infringement of privacy rights
Privacy Regulatory Proceedings + Fines
Claim expenses in connection with a regulatory inquiry, investigation or proceeding
Privacy regulation civil fines and consumer redress fund
PCI DSS fines and assessments
Technology E&O/Miscellaneous E&O
Claim expenses and damages emanating from a wrongful act in the performance of or failure to perform technology services or other professional services
Claim expenses and damages emanating from your technology products' failure to perform or serve the purpose intended
Data Breach Expense Reimbursement
Expense reimbursement for third-party reasonable and necessary costs including:
Public relations costs
Legal and forensics expenses
Credit protection, mailing and tracking, call center, etc.
Addresses three scenarios: mandatory, contractual and voluntary
Cyber Extortion
Reasonable and necessary expenses and any funds paid in connection with an extortion attempt
Network Business Interruption + Data Restoration and Reputation Harm
Loss of net income and extra expense
49. What Does Cyber Insurance Not Cover?
Intellectual property assets
Theft of one's own corporate intellectual property (IP) still remains uninsurable today, as insurers struggle to understand its intrinsic loss value once compromised.
Cyber Attack Exclusion Clause
Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive.
51. The Risk of Risks:
Reputation Risk Resiliency
Managing the message!
52. A strong reputation enables your business to meet its goals
The intangibles can comprise more than 60% of a company's value
Public perception impacts profitability, book value, sales
A strong reputation can result in strong stock price growth
Investors use reputation in purchase decisions
A strong reputation can be a competitive differentiator
53. Reputation risk underlies all risks
The Economist Intelligence Unit survey: "Reputational risk… the most significant threat to a business." Reputation is prized, vulnerable, and a source of competitive advantage.
Standard & Poor's: added reputation risk to its enterprise risk management assessment.
World Economic Forum: 25% of a company's market value is directly attributable to reputation.
Zurich: 70% of consumers avoid buying a product if they don't like the company behind it, and are 350% more likely to purchase products from companies they like and trust.
54. Reputation is owned by stakeholders
Reputation = judgments and perceptions of others
‒ Customers
‒ Suppliers
‒ Investors
‒ JV partners
‒ Agents
‒ Distributors
‒ Advocacy groups
‒ Regulators
‒ Policymakers
‒ General public
55. Organizational challenge to managing reputation risk
Reputation literacy is not on the risk agenda.
Risk literacy is not on the reputation agenda.
56. A resilient organization manages all types of risk
Operational resiliency: the ability to manage risks and function/adapt throughout the lifecycle of operational disruptions.
Reputation resiliency: the ability to maintain good stakeholder perceptions and supportive behavior at all times.
57. Protecting reputation against risk makes good business sense
"Overall, costs associated with remediating a reputational event can be two to seven times higher than costs related to the operational failure that caused the reputation damage in the first place."
The cost of remediation of reputation risk far exceeds the cost of the initial failure.
RIMS 2016 (Risk & Insurance)
58. Why we're here: Compliance Week identified top risks to reputation (Aug. 26, 2016)
Type of risk / How it impacts reputation:
Culture risk: upset employee criticizes the company publicly, revealing weaknesses in the culture.
Cyber risk: cybercriminal finds a vulnerability, enters systems, publicly demands ransom.
Third party risk: supplier doesn't follow policy and inadvertently releases personal medical information.
59. Data breaches come in all sizes
Breaches are up, ransomware is up, complaints are up.
HHS said 113 million records were compromised in 2015, 8X those breached in 2014.
Healthcare has the highest cost per breached record of any industry, $402:
80 million patient records breached at Anthem
400 unencrypted patient records on an iPhone stolen from Catholic Health Services in Philadelphia
Even small breaches are expensive: the Catholic Health Services breach resulted in a $650K regulatory fine.
60. True cost of a healthcare breach: $700/compromised record (Ponemon Institute 2016)
Clinical: fraudulent claims processed; inaccurate diagnosis; bad data in research
Operational: cost of new hires; cost of training; cost of reorganization
Legal/regulatory: OCR fines; state fines; loss of accreditation; cost of lawsuits
Financial: remediation; communication; insurance impact; changing vendors; business distraction
Reputational: loss of patients (average 7%); loss of current/new customers; loss of partners; loss of staff; negative press; see all other costs above.
63. Prioritize the risks that are likely and have high impact
[Scatter plot: each risk is plotted by Likelihood of Happening (0-10, vertical axis) against Severity of Impact (0-10, horizontal axis). Risks plotted (labels as they appear, some truncated): Ability to attract &…; Advisors give faulty projections; Cont'd pressure from small employers on cost; Data breach/data…; Don't deliver on promises; Don't develop exec. leadership; Economic environment; Ext. belief we can be replaced…; Ext. political environment; Federal govt involved in healthcare; Financial integrity…; Investment…; Legislative/regulatory issues; Pension fund collapses; Products impacted by ACA; Societal/cultural issues; Outdated technology; Thought of as for-profit; Top leaders leave.]
64. Blind spots about reputation risk and data breaches
Thinking you can wait until an event unfolds to determine how to handle it.
"It's only a worry for the IT department."
"Everyone knows data breaches happen and that they aren't our fault."
"We give a lot of money to the community. They know we're a good company."
"Our budget is focused on hardening our network. We don't need to invest in crisis planning."
65. How to protect your reputation for the inevitable data breach
A data breach will happen; if you plan ahead you will react more quickly and it will cost you less.
Invest in a strong cybersecurity program now to protect your reputation later. You don't want to be the organization that says publicly, "We didn't know."
A strong reputation for preparedness may result in better relationships with regulators.
Reputation is about how you make decisions when no one is looking. It's not just about PR, philanthropy or advertising.
Reputation resiliency happens when you invest as much effort in managing it before, during and after events, just as you do for other key assets.
66. Questions / Contact Information:
Linda Locke
Standing Partnership
Building, protecting and restoring reputations
www.StandingPartnership.com
LLocke@StandingPartnership.com
@Reputationista
Direct: 314.435.3428
67. Reputational risk a top concern for boards
It keeps your boards up at night
‒ 63% of directors see reputational risk as a top concern, and concerns are growing
‒ Primary concerns cover product quality, liability, customer satisfaction
‒ Secondary concerns: integrity, fraud, ethics
‒ Three-fourths of directors seek broad-based risk assessment, and they want to know more
Source: Third Annual Board of Directors Survey 2012 - Concerns About Risks Confronting Boards, EisnerAmper
68. Examine what your firm has disclosed as its reputation risks in its 10-K filings
JPMorgan Chase: attract staff; regulatory compliance; confidential information; investor confidence
Strayer Education, Inc.: license to operate (participation in federal and state programs); data breach
Facebook: loss of revenue; ability to grow; unfavorable media coverage; technical performance; user metric accuracy
Kellogg: product quality and availability; food safety
Kraft Heinz: product recalls
Magellan: business practices; data breach
Monsanto: degree of public understanding