DEFENSIBLE
CYBERSECURITY
James Goepel
CEO and General Counsel
Fathom Cyber, LLC
© 2019 Fathom Cyber
2
Latest News
Marriott Breach – 500,000,000 records, including 5,250,000 unencrypted passport numbers and another 20,300,000 encrypted passport numbers
Collection 1 – more than 1 billion unique E-mail addresses and passwords have been released, purportedly from multiple breaches and services, including 2,000 databases
3
Recent Legislative and Regulatory Reactions
Data Privacy
• EU’s General Data Protection Regulation (“GDPR”)
• Canada’s PIPEDA
• California’s AB 375 (“CCPA”)
• Every state’s unique data breach notification laws
Cybersecurity
• California AB 327
• Colorado HB 18-1128
• Connecticut cybersecurity action plan
• New York State Department of Financial Services Rule 500
• SEC Cybersecurity Guidance
• USA National Cybersecurity Strategy
• Chile’s National Cybersecurity Policy
4
General
California Consumer Privacy Act
General Data Protection Regulation
Massachusetts Cybersecurity Law
Securities and Exchange Commission
Industry-specific
South Carolina and Ohio recently adopted modified versions of the NAIC model cybersecurity law, which is based on New York State’s 23 NYCRR 500.
Legal Obligations are Constantly Evolving
5
Consistent Vagueness
Typically Focused on Protecting Consumers and PII
6
LOST CORPORATE INTELLECTUAL PROPERTY
LOST PARTNER INTELLECTUAL PROPERTY
DISCLOSURE OF PENDING DEALS
Cybersecurity Incidents can Impact more than Personal Information
7
Ultimate goal: Defensibility
This requires not merely a written plan, but a plan that is well architected and that addresses the appropriate topics.
Demonstrate to regulators, shareholders, and a jury that you were doing the right thing.
8
This Includes Required Legal Duties
Duty to disclose
* This typically focuses on privacy violations
* Exceptions: Securities and Exchange Commission, New York State Department of Financial Services
Duty to attest
* This doesn’t happen often (so far).
* Typically only in specific, consumer risk industries (e.g., banking, insurance, healthcare).
Duty to protect
* Frequently vague (“reasonable cybersecurity plan”, “comprehensive cybersecurity plan”, etc.)
* Occasionally a few technology requirements/recommendations
9
How do you prove your plan is comprehensive and reasonable?
Use industry standards and best practices.
10
Cybersecurity is more than just Technology Implementation
11
What best practice should you use?
1. General strategic frameworks (e.g., NIST CSF)
2. Industry-specific frameworks (e.g., HITRUST for healthcare) and requirements (e.g., Payment Card Industry (“PCI”) for those processing payment card data)
3. Operational/implementation best practices (e.g., CIS Top 20 Controls)
12
The Federal Government Uses NIST CSF
It is hard to argue that the NIST CSF isn’t appropriate for your organization. The harder argument is why you didn’t use it.
13
“But my organization’s executives think technology is confusing. They will never get involved!”
14
They don’t have a choice.
• The SEC’s recent cybersecurity guidance casts as suspect any trades made while there are unreported cybersecurity/privacy issues. Acting improperly can have significant consequences, including jail.
• NAIC model law, 23 NYCRR 500, and other regulations require senior management to attest to their involvement in cybersecurity.
• Proxy firms are pushing for removal of board members who resist (see, e.g., Target and Equifax).
• Investors know that 60% of small and medium businesses are out of business within 6 months of a data breach, and that incidents can have long-lasting impacts on the bottom lines of large companies for many years. They are no longer tolerating executive inaction.
• Boards are removing executive staff for not protecting the company (including Yahoo!’s General Counsel).
15
• Fraud can rise to the level of criminal activity and is punishable by jail time. Recent SEC guidance says that cybersecurity and data privacy issues can have material impacts on share price, and withholding such information could be seen as defrauding investors.
• Insider trading can result in criminal charges and is punishable by up to 20 years in prison. The SEC’s guidance also suggests that insider trades conducted after an incident occurs but before it is publicly reported are suspect as insider trades.
Seriously? Jail time?
16
We can make it easier for the executives
• Integrate cybersecurity and data privacy into the organization’s risk management processes.
• Position IT issues from a business perspective (e.g., customer impact, business delivery/operations impact, employee safety, etc.).
• Use industry standards for consistency.
• Standardize the way information is presented (e.g., scores of 1-10, 1-100, etc.).
• Hold special, executives-only education sessions.
17
Topics for today:
Walk-through of how Facebook’s privacy policy has changed over the past 5 years
GRU modifications to BadRabbit to work against ICS targets
New key sharing techniques in WPA3
How to grab session keys to capture PII from Google+
18
“One of the transistors in the stereo system is shot. The part is $0.50, and it’s about an hour for me to fix it.”
“The check engine light is on because the car sensed that there was trouble in an electronic switch. If the switch fails, the car may stall on the highway. The total repair cost will be $230.”
“The 25 amp P-channel MOSFET on the analog to digital conversion board is shorting out, causing a feedback loop.”
19
Focus on: BUSINESS RISK, COST/RESOURCES, TIME, ALTERNATIVES
20
Example Business Risks/Impacts
LOST SHAREHOLDER VALUE
LOST COMPETITIVE ADVANTAGES
LOST INTELLECTUAL PROPERTY INVESTMENTS
LOST CUSTOMER CONFIDENCE/REPUTATION
MASSIVE FINES
BUSINESS INTERRUPTION
EXECUTIVES CAN GO TO JAIL
21
Bottom-line Impacts
The average cost of a lost or stolen record in the U.S. is $258. [1]
The average data breach costs U.S. companies $7.91 million. [1]
60% of small- and mid-size companies are out of business within 6 months of a data breach. [2]
1. Ponemon Institute, 2018 Cost of a Data Breach Study: Global Overview, Ponemon Institute and IBM Security, https://www.ibm.com/security/data-breach.
2. Testimony of Dr. Jane LeClair, Chief Operating Officer, National Cybersecurity Institute at Excelsior College, before the U.S. House of Representatives Committee on Small Business (Apr. 22, 2015), available at http://docs.house.gov/meetings/SM/SM00/20150422/103276/HHRG-114-SM00-20150422-SD003-U4.pdf. Although Dr. LeClair does not provide a citation for this statistic, it appears to come from a 2012 study by the National Cyber Security Alliance, which found that 60 percent of small firms go out of business within six months of a data breach. National Cyber Security Alliance, America’s Small Businesses Must Take Online Security More Seriously (Oct. 2012), available at www.staysafeonline.org/stay-safe-online/resources/small-business-online-security-infographic.
22
Five no/low-cost ways to reduce bottom-line impact
01 Create an incident response team - $14 [1]
02 Extensively use encryption - $13.1 [1]
03 Increase employee awareness - $9.3 [1]
04 Participate in threat sharing - $8.7 [1]
05 Board-level involvement - $6.5 [1]
$52.20 per record: a 20% savings
23
Average CISO Tenure is 18-24 months
24
Why don’t CISOs last longer?
THEY ARE ACTIVELY RECRUITED AWAY
THEY GET FRUSTRATED WITH MANAGEMENT AND LEAVE
THEIR EMPLOYER IS BREACHED AND THEY ARE BLAMED
25
Demonstrates that you not only had a plan, but were acting on it
Documents decisions made
May show flawed thinking, but helps refute negligence
Adding Governance and Oversight
26
Cybersecurity and data privacy are business issues, and the planning team needs to include more than just technology people:
Human Resources, Legal, Accounting, Information Technology, Internal Audit, Engineering/Development
27
Defensible cybersecurity requires prioritization of privacy and security.
• Use industry standards (e.g., NIST Cybersecurity Framework and Center for Internet Security Top 20 Controls) to create policies and procedures.
• Document everything: executive-level actions, day-to-day cyber hygiene tasks, and everything in between.
• Enforce the rules.
• Make cybersecurity and data privacy part of the organization’s culture (e.g., privacy by design and security by design).
• Management/executives need to be actively involved in cybersecurity and data privacy planning and decisions, not simply passively receiving data.
28
• Mitchell Martin, Inc. (MMI) is a leader in Talent Acquisition Solutions, providing information technology staffing, healthcare staffing and payroll solutions nationwide
• We operate a specialized niche practice in cybersecurity with a focused pipeline of top candidates
• Founded in 1984, we now serve clients in 34 states across eight regional offices
• US Office Locations in NY, NJ, PA, NC, TX, IL, FL, GA and offshore locations in India and the Philippines
• Consistently ranked in the Top 100 Largest Staffing Firms in U.S. by Staffing Industry Analysts
Mitchell Martin Technology Division
Corporate Headquarters
307 West 38th Street
Suite 1305
New York, NY 10018
Phone: 212-943-1404
Fax: 646-355-0229
