Cyber-security briefing focused on the problem, solutions, and required actions. A starting point for understanding across the organization.

1. Cyber-Security: Problem > Solutions >Actions

2. Agenda
• Problem
• Hacker Economy
• Legal and Regulatory Environment
• Business Impact
• Solutions
• Cyber Strategies
• Strengths / Weaknesses
• Actions
• Risk Analysis
• Priorities
• Roadmap and Action Plan

3. Problem
$445 Billion Global Cost in 2015*
Confidential3
* McAfee, Net Losses: Estimating the Global Cost of Cybercrime

4. Recent Global Data Losses
In 2015
• 85% increase in companies
choosing not to report the
number of records lost
• 43% of all attacks targeted at
small businesses with less than
250 employees
• Over 1,000,000 daily web
attacks against people
• 55% increase in spear-phishing
campaigns targeting employees
• 35% increase in ransomware
4
2015 total reported exposed identities jumped 23% to 429 million
www.informationisbeautiful.net

5. 5
Ransomware is on the Rise
38% of organizations have been targeted by cyber-extortion
2016 Internet Security Threat Report

6. Cybercrime is Big Business, with product developers,
distributors, brokers, individuals, and gangs all trying to
monetize your sensitive information.
• Product Developers
Exploit Tools, Zero Day
Researchers, Malware Writers
• Distributors & Brokers
As a Service Providers,
Marketplace Owners, Tool
Vendors, Hosted System Providers
• Individuals and Gangs
Utilize widely available tools and
resources to research and target
companies and individuals
Credit Cards: $1 to $30
Payment Accounts: $20 - $300
Health Care Records: $10 to $50
Identities, & Accounts: $1 to $100s
Crypto Ransom: $15,000+
Intellectual Property: $MM to $BB
Confidential6
Source: McAfee The Hidden Data Economy

7. Inside the mind of a hacker: It’s a business and time is
money. Most are looking for targets of opportunity -
increasingly small and medium size businesses
Percent of Surveyed Hackers who Agree or Strongly Agree Percent
Hackers go after the easiest targets first 72%
Automated hacking tools make it easier to execute attacks 68%
Hacker tools are highly effective for exploiting targeted organizations 64%
Attacks are deterred by an increase of 40 hours to conduct an attack 60%
Time & resources to execute successful attacks have decreased 56%
Most hackers can be defeated with common sense controls 47%
Confidential7
Source: Flipping the Economics of Attacks Ponemon Institute, 2016

8. Direct legal, forensic, notification, and PR costs of a
breach can be substantial. Many of the highest claims
have been in small and medium size businesses.
Based on a 2015 insurance claim
study by NetDiligence:
• The average cost for Crisis Services
was $499,710
• The average cost for legal defense was
$434,354.
• The average cost for legal settlement
was $880,839.
• 46% of claims were for organizations
under $300M. 71% for organizations
under $2B
• There was insider involvement in 32%
of the claims submitted.
Confidential8
$0
$2,000,000
$4,000,000
$6,000,000
$8,000,000
$10,000,000
$12,000,000
$14,000,000
$16,000,000
-
20,000,000
40,000,000
60,000,000
80,000,000
100,000,000
120,000,000
Under $50M $50M to
$300M
$300M to
$2B
$2B to $10B $10B+
totalInsuredCosts
RecordsExposed
Insurance Payouts
Max in Study Sample
Records Exposed Total Insured Costs 2015 NetDiligence® Cyber Claims Study

9. Damage to a company’s brand is estimated to cost 7.5 times more than the direct
costs of recovering from an attack.
Confidential9
7.5X
Kaspersky: CYBERCRIMINALS: UNMASKING THE VILLAIN

10. CEOs and Boards Top Concerns
10
• 61% ranked cybersecurity/IT as a
top concern to their board
• 67% indicated their boards
engaged internal or external
auditors to monitor or address
cybersecurity risk
Eisner Amper: Concerns About Risks Confronting Boards

11. The Growing Involvement of Boards
“To me, it’s about teaching the Board that security is not some
hairy monster out there hiding in the dark. Instead, it’s a risk
that can be managed as an economic decision,”
Stuart Berman of Steelcase
• 45% of Boards participate in the
overall security strategy
• 24% increase in security spending
was attributed to Boards
participation in cybersecurity
budget discussions
• Board level involvement and the
purchase of insurance can reduce
the cost of a data breach.
• National Association for Corporate
Directors (NACD) guidelines advise
that Boards should view cyber-risks
from an enterprise- wide standpoint
11
PWC: The Global State of Information Security® Survey 2016

12. The Legal and Regulatory environment is evolving, with
new case law and a complex array of federal and state
agencies battling over jurisdiction.
• Federal Law
• Federal Trade Commission Act
• Gramm-Leach-Bliley Act
• Fair Credit Reporting Act
• Children's Online Privacy
Protection Act
• Sarbanes-Oxley (SOX)
• HIPPA/HITECH
• State Law
• Consumer Protection Acts
• Data Breach Notification Statutes
Confidential12
Organizations must seek legal
guidance to:
• Assess their internal cyber-
security positon and risks
• Understand their third-party
obligations and risks
• Have a breach response plan
• Manage, in confidence,
communications with all affected
parties

13. Solutions
An evolving set of tactics
Confidential13

14. Basic: The Walled City
• Initial defensive strategy
• Focus on keeping intruders at
bay with:
• Firewalls
• Passwords
• Virus Protection
• Once in, may have unlimited
access
Confidential14

15. Stronger: Moat and Castle
• Next Generation Strategy
• Focus on layers of protection
with:
• Defense in depth
• Vulnerability scanning and
patching
• Segregated networks
• Limited use of administrative
passwords
• Once in, more difficult to exploit
Confidential15

16. Advanced: The Shopping Mall
• Evolving strategy
• Focus on watching and taking
action on bad actors while
limiting usefulness of exploits
• Monitoring
• Encryption
• Honey Pots
• Big data use profiles and alerts
• Quickly find and stop intrusions
Confidential16

17. Goal: Two Men and a Bear
• Economic and Due Care strategy
• Exceed industry and regulatory
standards:
• Focus on implementing
sufficient security controls to
make it too costly for
criminals to exploit
• Criminals move on to the
next target
• Minimize legal and regulatory
exposure
Confidential17

18. Actions
Addressing Cyber Risk
Confidential18

19. Actions
Confidential19
• Conduct a cyber-security assessment
• Establish a cyber roadmap and action planAssess
• Based on identified risks and priorities,
implement people, process and technology
initiatives
Implement
• Have a breach response plan in place
• Have the extended team contracted for and
ready to go
Be Ready

20. Assessment provides clear measurements of key
issues for your particular environment
Threat Assessment
Understand what could truly
harm the organization
• Identify key threats and risks
specific to the organization &
its industry
Technology Environment
Understand the current
technology environment
• Systems
• Networks
• Information Stores
• Partner/Supplier/Customer
Integration
Organizational Environment
Understand the current
organizational environment
• People
• Skills
• Capabilities
• Resources
• Cyber Awareness
Control Environment
Assess current cyber security
capabilities & controls
• Regulatory Requirements
• Control Framework
• Control Activities (Policies,
Procedures, Technology,
Management)
• Actual use and
implementation
• Resilience Strategy &
Capability
Recommendations
Executive Summary
• Overall vulnerabilities
• What’s working
• What could be improved
• Control areas to focus on
• Implementation Roadmap
• Assessment Summary by Key
Control Area
Confidential20
Interviews, Data Gathering, & Direct Observations Action Plans

21. Confidential21
Probability of Occurrence High ++++Low +
High ++++
Low +
Potential
Impact
Theft / Loss
of Patient
PHI & PII
SAMPLE THREAT MATRIX
Loss of
Funds
Loss of
System
Resources
Theft / Loss
of Provider
PII
Theft / Loss
of Employee
PII
Loss of
Confidential
Management
Information
Impact and probability of occurrence are relative and judgmentally
based on potential financial/reputational loss, the value of information
to external parties and current trends in cyber-security exploits.
Theft of
Donor
Information

22. Example Recommended
Cyber Strategies
• Improve cyber-security culture
• Reduce data and system exposures
• Make it too expensive for attackers
• Increase ability to detect
compromise
• Improve 3rd party security &
contractual obligations
• Practice crisis response plan
• Provide for long-term sustainability
Confidential22

23. Resilience Planning – Preparing for the
inevitable
Current
Environment
Key Threats
Information
Supply Chain
Security Controls
& Organization
Response
Plans
Organizational
Responsibilities
Breach Response
Checklist
Communication
Strategies
Monitoring &
Tracking Solutions
Response
Team
Legal
Forensics
Insurance
Public Relations
Surge Capabilities
Legal
Requirements
Compliance &
Regulatory
Notification
Contractual
Financial
Exposure
Cyber Insurance
Contractual
Obligations
Contractual
Support / Risk
Sharing
Confidential23

24. Conclusions
Exercising Due Care
Confidential24

25. Conclusions
• Cybersecurity is a Business Problem that
affects the entire organization and not just IT
• The risk cannot be ignored
• There is no one size that fits all. Every
organization is unique.
• Cyber assessments and breach response
should be performed under attorney client
privilege.
• The right partners can reduce complexity and
cost
• The time to start an assessment is now
Confidential25

26. Contact Information
Joe Nathans
Partner
Technology Services
NextLevel
1420 Fifth Ave.
Suite 2200
Seattle, WA 98101
Mobile: 425.931.8102
Joe.nathans@nlbev.com
www.nlbev.com
Chuck Gottschalk
CEO & Founder
NextLevel
1420 Fifth Ave.
Suite 2200
Seattle, WA 98101
Mobile: 206.420.1222
Ofiice: 206.915.1839
Chuck.Gottschalk@nlbev.com
www.nlbev.com
26 Confidential