This document summarizes the key points from a cybersecurity workshop presented by E. Andrew Keeney. The workshop covered the value of electronically stored data, common cybersecurity threats like hackers and rogue employees, best practices for prevention and response, and insurance options. Major data breaches are occurring almost weekly, costing companies hundreds of thousands of dollars on average. While many organizations remain complacent about cybersecurity, the consequences of a breach include loss of goodwill, reputation damage, and regulatory fines. The workshop emphasized employee training, strong access controls, encryption, insurance, and having an incident response plan to mitigate risks.
E. Andrew Keeney, Esq.
Kaufman & Canoles, P.C.
150 West Main Street, Suite 2100
Norfolk, VA 23510
(757) 624-3153
eakeeney@kaufcan.com
http://www.kaufmanandcanoles.com/movies/credit-unions.html
Overview and Agenda
• Value
  – What electronically stored data has value to thieves?
  – Why is cybersecurity critically important to credit unions?
• Breaches
  – External vs. internal threats
  – Hackers / employee error / rogue employee
Overview and Agenda – continued
• Responses
• Prevention
• Insurance
• Laws and regulations
• Key takeaways / best practices
Data Security
Data & cybersecurity: the practice of protecting data and systems from unauthorized access and use.
Data breach: a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual who is not authorized to do so.
Why only a general awareness?
• Complacency still seems to be the norm.
  – There is a view that cybersecurity measures do not add to the bottom line; rather, they are a cost.
  – Management-level individuals often lack knowledge of the actual, current risks.
  – Even the risks that are known are frequently misunderstood.
  – The belief abounds that “it won’t happen to our business.”
“We’re in a day when a person can commit about 15,000 bank robberies sitting in their basement.”
– Robert Anderson, Executive Assistant Director of the FBI’s Criminal Cyber Response and Services Branch
“You’re going to be hacked.”
– Joseph Demarest, Assistant Director of the FBI’s Criminal Cyber Response and Services Branch
Categories of Business Organizations
• Those that will suffer a breach.
• Those that have suffered a breach.
• Those that will suffer a breach again.
• No business organization is spared.
[Chart] Source: CUNA Mutual Group and NetDiligence, 2013 Cyber Liability & Data Breach Insurance Claims
Busy Year 2013
• 617 documented breaches
  – Average costs of these 317 breaches:
    • $5 per customer notification, multiplied by millions of customers
    • $30 per card cancellation and related credit monitoring, per customer
    • $2,000 per hour in forensic examination and data security analysis costs
    • $500,000 per breach in legal expenses
    • $1 million per breach in corporate settlement costs
    • $1 million per breach in regulatory fines or related expenses
https://www.privacyrights.org/data-breach
2014
• The Identity Theft Resource Center reports that between 2005 (when record keeping commenced) and October 14, 2014 there were 4,854 recorded breaches exposing 669,680,671 records.
• Major data breaches are reported almost weekly
  – JP Morgan Chase; Target; Home Depot; eBay; Michaels; Neiman Marcus; Citibank; Sony, etc.
Data Breach Basics (cont’d)
• If large-scale breaches are regularly reported, then the number of smaller-scale breaches that go unreported must necessarily be larger still.
• The average cost to a company that suffers a breach is now approximately $200.00 per compromised record.
14. 14
Data Breach
Basics (cont’d)
• Average cost of lost laptop containing
personally identifiable information now has
approached $50,000, with only 2%
representing the actual cost of the device.
• Forensic experts hired to identify, contain,
and respond to data breaches easily cost
six figures within the first two weeks of
engagement.
15. 15
Target Breach Expenses
(does not include legal expenses)
• Severance for the CEO alone amounted to 15.9 million
dollars
• Regulatory fines of 1 billion dollars – paid to the
government for negligence
• Fraudulent credit card charges – a whopping 2.2
billion dollars
– To be refunded by the company for losses from
those 40 million card accounts
– The retail chain suffered 440 million dollars in
revenue losses in 2014 so far as a result of
lowered consumer confidence following the hacks
16. 16
Vulnerability of So-Called
“Secure” Systems
• Viruses, spyware, worms, or Trojans
• Malware, including zero-day malware
• Web-based attacks
• Employee actions (both negligent and
intentional)
• Phishing
17. 17
Simple Data Loss
• Lost or stolen devices
– Smartphones with weak or no password protection
– Laptops with weak or no password protection
– Flash drives or other portable memory devices
• Improper disposal of documents
• Improper disposal of computers and other
devices
• Improper disposal of system components
• Palm Springs Federal Credit Union
18. 18
Financial Sector Threats
• The number of incidents and the level of
sophistication have increased dramatically in
recent years, prompting the FBI’s Cyber Division
to take a larger, more active role.
• Account Takeovers
– Exploitation of online financial and market
systems, such as Automated Clearing House
systems, payment card transactions, and market
trades.
19. 19
Threats (cont’d)
– Compromise typically is accomplished by
accessing an authorized user’s weak account
credentials.
• Third-Party Payment Processor Breaches
– Bad actors target these companies’ systems,
because the volume of personally identifiable
information and payment card information is
massive, and because such information has
immediate value on the black market.
20. 20
Threats (cont’d)
• Payment Card Skimming and Point of Sale
Schemes
– Steal card data to sell or to create fake payment cards
– Obsolete operating systems on ATMs and POS
machines are easily compromised
21. 21
Threats (cont’d)
• Mobile Banking Exploitation
– Increased risks
– Malware starting to show up
• Man-in-the-middle attacks using special malware sent
via text message
• More prevalent on Android devices
– Apple’s mobile payment system
22. 22
Threats (cont’d)
• Insider Access
– Direct access to confidential information, data, and
other insider information.
• Supply Chain Infiltration/Vendor Management
– Bad actors can gain physical and technical access
to a credit union by compromising trusted suppliers
of technical, computer, and security equipment,
software, and hardware.
23. 23
Consequences of Inaction
• Loss of goodwill
• Reputation risk
• Transactional costs associated with loss
mitigation
• Forensic expert fees
• Civil liability exposure
• Exposure to fines
and other penalties
24. 24
FFIEC Cybersecurity
Assessment
• Inherent risk
– Connection types
– Technologies used
• Preparedness
– Risk management and oversight
– Collaboration and controls
– Incident management
25. 25
FS-ISAC
• Financial Services Information Sharing and
Analysis Center
• Launched in 1999 as the global go-to
resource for cyber threat intelligence sharing
• www.fsisac.com
26. 26
Consumers
• “Breach fatigue”
• Complacency
• Breaches are not likely to change shopping habits
• Credit unions should educate members and
encourage them to monitor their accounts
28. 28
Risk Assessment/Prevention
• Preventive measures, including:
– Identify foreseeable threats
– Assess the likelihood and danger of potential threats
– Assess the sufficiency of policies and procedures
– Dispose of information properly
29. 29
Loss Prevention
• Employee Awareness Training
• Patch Management
• Encryption
• Periodic Testing of Computer Security
30. 30
Loss Prevention (cont’d)
• Strengthen Account Credentials
– Pass-phrases, rather than passwords
– Combine various character types
• Limit and restrict administrative access
• Cybersecurity and Data Protection Policies
and Procedures
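The two credential slides above state the policy (pass-phrases rather than passwords, a mix of character types) without showing how a credit union would actually enforce it at enrollment or password change. The following is an added example, not code from the workshop or from Kaufman & Canoles: a small policy checker that applies the slide's rules, screens against a deny list of common passwords, and computes a conservative strength estimate under two attacker models. The deny list, the 7776-word dictionary size (a diceware-style list), the 14-character minimum, the 50-bit floor and the sample credentials are all constructed assumptions for illustration.

```python
import math
import re
import string

# Constructed stand-in for a breached/common-password feed (assumption: a real
# deployment would load a large offline list rather than these six entries).
COMMON_PASSWORDS = {"password", "password1", "123456", "letmein", "qwerty", "welcome1"}

# Alphabet size contributed by each character class (assumed symbol set of 33).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def character_classes(secret):
    """Return the set of character classes present in the credential."""
    classes = set()
    for ch in secret:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def estimate_bits(secret, dictionary_size=7776):
    """Conservative strength estimate in bits.

    Two attacker models are evaluated and the weaker (lower) result is returned:
      * exhaustive search over the character classes actually used
        (length * log2(alphabet size))
      * word-list search, if the credential looks like a phrase of three or more
        dictionary words (words * log2(dictionary_size), assuming a 7776-word list)
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(secret))
    brute_force = len(secret) * math.log2(alphabet)
    words = re.findall(r"[A-Za-z]{3,}", secret)
    if len(words) >= 3:
        phrase = len(words) * math.log2(dictionary_size)
        return min(brute_force, phrase)
    return brute_force


def check_policy(secret, username="", min_length=14, min_classes=2, min_bits=50):
    """Return a list of failed checks; an empty list means the credential is acceptable."""
    failures = []
    if len(secret) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if len(character_classes(secret)) < min_classes:
        failures.append(f"uses fewer than {min_classes} character types")
    if secret.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password deny list")
    if username and username.lower() in secret.lower():
        failures.append("contains the user name")
    if re.search(r"(.)\1{3,}", secret):
        failures.append("contains a character repeated four or more times")
    if estimate_bits(secret) < min_bits:
        failures.append(f"estimated strength below {min_bits} bits")
    return failures


if __name__ == "__main__":
    # Constructed sample credentials; none of these are real secrets.
    samples = [
        ("Tr0ub4d&3", ""),                    # short but "complex"
        ("meadow-copper-violin-harbor", ""),  # four-word pass-phrase
        ("Password1", ""),                    # on the deny list
        ("jsmith-loves-summer-2015", "jsmith"),  # phrase built around the user name
    ]
    for secret, user in samples:
        print(f"{secret!r}: {estimate_bits(secret):.1f} bits, "
              f"failures={check_policy(secret, username=user)}")
```

The short complex password fails only on length, while the lower-case pass-phrase passes because its word count carries the strength; the phrase built around the user name fails because the word-list model, not the brute-force model, decides its score. Keeping the weaker of the two estimates is the deliberate design choice: a checker that reports only the brute-force figure would rate predictable phrases as strong.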
31. 31
Breach Response
• Assess incident
• Notify NCUA or state supervisory authority
• Notify law enforcement
– File Suspicious Activity Report (“SAR”), if
applicable
• Preservation of records and evidence
• Member notification
• 12 C.F.R. Parts 748 and 1016
32. 32
Breach Response (cont’d)
• Cybersecurity and Data Breach Response
Plan
• Upon notice of a potential data compromise,
immediately contact a law firm with
cybersecurity expertise.
• Permit law firm to coordinate retention of
forensic experts.
33. 33
State Regulation
• Only 3 states do not currently have a law
requiring notification of security breaches
• Minnesota and Washington have statutes that
require a merchant to reimburse a financial
institution for reissuance of cards under
certain circumstances
• A NJ bill introduced this year requires
reimbursement of costs incurred by financial
institutions
34. 34
Connecticut Consumer
Security Breach Notification
Any person who conducts business in this state, and who, in the ordinary course of
such person’s business, owns, licenses or maintains computerized data that
includes personal information, shall provide notice of any breach of security
following the discovery of the breach to any resident of this state whose personal
information was, or is reasonably believed to have been, accessed by an
unauthorized person through such breach of security. Such notice shall be made
without unreasonable delay, subject to the provisions of subsection (d) of this
section and the completion of an investigation by such person to determine the
nature and scope of the incident, to identify the individuals affected, or to restore
the reasonable integrity of the data system. Such notification shall not be required
if, after an appropriate investigation and consultation with relevant federal, state
and local agencies responsible for law enforcement, the person reasonably
determines that the breach will not likely result in harm to the individuals whose
personal information has been acquired and accessed.
35. 35
Connecticut Consumer
Security Breach Notification
Any person that maintains such person’s own security breach procedures as part of an
information security policy for the treatment of personal information and otherwise
complies with the timing requirements of this section, shall be deemed to be in compliance
with the security breach notification requirements of this section, provided such person
notifies, as applicable, residents of this state, owners and licensees in accordance with
such person’s policies in the event of a breach of security and in the case of notice to a
resident, such person also notifies the Attorney General not later than the time when
notice is provided to the resident. Any person that maintains such a security breach
procedure pursuant to the rules, regulations, procedures or guidelines established by the
primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in
compliance with the security breach notification requirements of this section, provided (1)
such person notifies, as applicable, such residents of this state, owners, and licensees
required to be notified under and in accordance with the policies or the rules, regulations,
procedures or guidelines established by the primary or functional regulator in the event of
a breach of security, and (2) if notice is given to a resident of this state in accordance with
subdivision (1) of this subsection regarding a breach of security, such person also notifies
the Attorney General not later than the time when notice is provided to the resident.
36. 36
Federal Regulation
• Tax Identity Theft Awareness Week:
www.mycreditunion.gov/protect/Pages/taxidtheft.aspx
• Prevent Identity Theft:
www.mycreditunion.gov/protect/Pages/Prevent-Identity-Theft.aspx
• Frauds and Scams:
www.mycreditunion.gov/protect/fraud/Pages/default.aspx
• Cybersecurity Awareness: www.ffiec.gov/cybersecurity.htm
• NCUA Consumer Report: Frauds, Scams and Cyberthreats -
Part I: http://youtu.be/3Zlfy7_97Vc
• NCUA Consumer Report: Frauds, Scams and Cyberthreats -
Part II: http://youtu.be/5XfyfRgxsLE
38. 38
Insurance
“The vast majority of credit unions in the U.S.
don’t have adequate insurance coverage in the
event of another online data breach.”
-Credit Union Journal, November 10, 2014
39. 39
What Can You Do?
• Is your data security adequate?
• What does your insurance cover?
• What insurance is available for credit unions
that may experience data breach exposure?
40. 40
Cyber Insurance
• Approximately 50 companies in the U.S. offer
cybersecurity insurance
• $2 billion is expected to be spent in the
United States in 2014 on cyber insurance
– 67% increase from 2013
– In 2010 cyber insurance premiums totaled
$600,000
• Notifying affected customers of a credit card
breach can cost up to $500,000
41. 41
Cyber Insurance – continued
• $166,000
– average cost of a breach to credit unions
– according to CUNA Mutual
• CUNA Mutual’s cybersecurity policy includes
access to:
– Resources to help credit unions manage risks
– Insurance protection
– Breach recovery services
42. 42
• Employee Awareness Training
• Patch Management
• Encryption
• Periodic Testing of Computer Security
• Policies and Procedures
• Proactive and quick response
• Review current insurance coverage
43. 43
E. Andrew Keeney, Esq.
Kaufman & Canoles, P.C.
150 West Main Street, Suite 2100
Norfolk, VA 23510
(757) 624-3153
eakeeney@kaufcan.com
http://www.kaufmanandcanoles.com/movies/credit-unions.html