Cybersecurity & Data Privacy Attorney Shawn Tuma presented this session to The American Institute of Architects' Large Firm Round Table on March 15, 2018. For more of Shawn Tuma's presentations please visit: https://shawnetuma.com/presentations/
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitShawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at Misti's InfoSec World during the Privacy & Risk Summit on March 22, 2018, in Orlando, Florida.
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...Shawn Tuma
was delivered as a webinar to the State Bar of Texas Women and the Law Section on February 15, 2018, by Shawn Tuma, Cybersecurity & Data Privacy Attorney at Scheef & Stone.
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessSirius
The EU Global Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) represent a landmark change in the global data protection space. While they originate in different countries and apply to different organizations, their primary message is the same:
Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.
With deadlines looming, is your organization ready?
The time to act is now. Read more to learn:
--Key mandates and minimum requirements for compliance
--Why a comprehensive data-centric security strategy is invaluable to all data protection and data privacy efforts
--How you can gauge your organization’s incident response capabilities
--How to extend your focus beyond the organization’s figurative four walls to ensure requirements are met throughout your supply chain
The first New York requirements deadline has arrived. With the next deadline of mandates only 6 months away, you don't want to fall behind and leave your organization at risk for potential penalties and fines.
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
Information Security
1.Why the need to think about it?
2.What exactly are we talking about?
3.How do we go about doing something about it?
4.Is there a one-size-fits-all framework?
Why Your Organization Must Have a Cyber Risk Management Program and How to De...Shawn Tuma
Presentation to the Association of Continuity Professionals, North Texas Chapter, by Cybersecurity & Data Privacy Attorney Shawn Tuma, on October 19, 2017. For more information visit www.businesscyberrisk.com
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by:
(1) Providing an overview of the legal and regulatory framework;
(2) Examining the most likely real-world risks; and
(3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds).
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them) at the Southwest Association of Bank Counsel 42nd Annual Convention on September 20, 2018 (formerly, Texas Association of Bank Counsel).
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitShawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at Misti's InfoSec World during the Privacy & Risk Summit on March 22, 2018, in Orlando, Florida.
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...Shawn Tuma
was delivered as a webinar to the State Bar of Texas Women and the Law Section on February 15, 2018, by Shawn Tuma, Cybersecurity & Data Privacy Attorney at Scheef & Stone.
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessSirius
The EU Global Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) represent a landmark change in the global data protection space. While they originate in different countries and apply to different organizations, their primary message is the same:
Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.
With deadlines looming, is your organization ready?
The time to act is now. Read more to learn:
--Key mandates and minimum requirements for compliance
--Why a comprehensive data-centric security strategy is invaluable to all data protection and data privacy efforts
--How you can gauge your organization’s incident response capabilities
--How to extend your focus beyond the organization’s figurative four walls to ensure requirements are met throughout your supply chain
The first New York requirements deadline has arrived. With the next deadline of mandates only 6 months away, you don't want to fall behind and leave your organization at risk for potential penalties and fines.
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
Information Security
1.Why the need to think about it?
2.What exactly are we talking about?
3.How do we go about doing something about it?
4.Is there a one-size-fits-all framework?
Why Your Organization Must Have a Cyber Risk Management Program and How to De...Shawn Tuma
Presentation to the Association of Continuity Professionals, North Texas Chapter, by Cybersecurity & Data Privacy Attorney Shawn Tuma, on October 19, 2017. For more information visit www.businesscyberrisk.com
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by:
(1) Providing an overview of the legal and regulatory framework;
(2) Examining the most likely real-world risks; and
(3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds).
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them) at the Southwest Association of Bank Counsel 42nd Annual Convention on September 20, 2018 (formerly, Texas Association of Bank Counsel).
One of the core Meaningful use measures requires providers to perform a security audit to ensure the protection of patient information. Learn more about what a security audit should entail, as well as potential risks and how configuration options within the SuccessEHS solution can be used to protect patient data.
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, and early detection and prevention of events. See a live demonstration that will showcase how to operationalize those resources so that your organization can reap the maximum benefit.
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...Shawn Tuma
Shawn Tuma, a professional "breach guide" (aka, breach quarterback, coach, privacy counsel, etc), is an attorney who has practiced in cyber law since 1999. His day job as Co-Chair of Spencer Fane LLP's Data Privacy and Cybersecurity Practice is leading companies through the cyber incident response and recovery process. In this presentation, he provides a virtual tabletop exercise explaining the lifecycle of responding to a typical ransomware attack through a detailed timeline.
The audio for this presentation, in podcast form, is here: https://www.secureworldexpo.com/resources/podcast-ransomware-attack-lifecycle
With more than 50,000 new malware created every day organisations can no longer afford to risk the financial and reputational impacts of a security or data breach, which can be too much for a business to recover from. Because of this, IT managers face increasing scrutiny and pressure from CEOs, managing directors and boards to prove that they are keeping the organisation secure.
The changing threat landscape means organisations need to be vigilant and smarter about security. While businesses still face threats from infected devices and malware, attackers have also moved beyond that. For example, there is an increasing number of targeted email attacks with cyber criminals spending time to monitor communications so they can imitate emails that are so sophisticated that even relatively savvy users will open them.
This webinar will explore the building blocks required to ensure you have the roadmap required to best protection against cyber attacks. We will provide you with a high level view of the following topics:
· Audit and discovery – What are your weaknesses and are you compliant?
· Education – Do your employees know when not to open that attachment?
· Policy – Do you have the right policies for your industry?
· Technology – Where to start and what has changed?
The Cloud is both compelling and alluring, offering benefits that entice many organizations into rapid adoption. But caution should be taken. Leveraging cloud technologies can offer tremendous opportunities, with the caveat of potentially introducing new security problems and business risks. Presented are strategic recommendations for cloud adoption to a community of application and infrastructure developers.
Talk that Prof. Mustaque Ahamad from GaTech gave at Global Cybersecurity Leaders Program http://www.cisoacademy.com/gclp2-prof-mustaque-ahamad-april-2015/
Presentation to the Texas Bar CLE program on Contract Drafting, Review and Negotiation on December 5, 2017 in Austin, Texas, by Cybersecurity & Data Privacy Attorney Shawn Tuma, on October 19, 2017. For more information visit www.businesscyberrisk.com
Cyber risk isn't new, but the stakes grow higher every day. An incident is no longer likely to be an isolated event, but a sustained and persistent campaign. There is no single solution that will offer protection from an attack, but a Cyber Resilience strategy can provide a multi-layered approach that encompasses people, processes and technology. Pete's presentation talks about eliminating the gap between IT and the business to present a united front against threats. This is a paradigm shift that uses security intelligence to guide decisions and support agility.
Effective cybersecurity for small and midsize businessesShawn Tuma
This presentation was delivered at the Center for American & International Law's Second Annual Cybersecurity & Data Privacy Law Conference on April 13, 2018, by Shawn Tuma, Cybersecurity & Data Privacy Attorney at Scheef & Stone.
One of the core Meaningful use measures requires providers to perform a security audit to ensure the protection of patient information. Learn more about what a security audit should entail, as well as potential risks and how configuration options within the SuccessEHS solution can be used to protect patient data.
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, and early detection and prevention of events. See a live demonstration that will showcase how to operationalize those resources so that your organization can reap the maximum benefit.
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...Shawn Tuma
Shawn Tuma, a professional "breach guide" (aka, breach quarterback, coach, privacy counsel, etc), is an attorney who has practiced in cyber law since 1999. His day job as Co-Chair of Spencer Fane LLP's Data Privacy and Cybersecurity Practice is leading companies through the cyber incident response and recovery process. In this presentation, he provides a virtual tabletop exercise explaining the lifecycle of responding to a typical ransomware attack through a detailed timeline.
The audio for this presentation, in podcast form, is here: https://www.secureworldexpo.com/resources/podcast-ransomware-attack-lifecycle
With more than 50,000 new malware created every day organisations can no longer afford to risk the financial and reputational impacts of a security or data breach, which can be too much for a business to recover from. Because of this, IT managers face increasing scrutiny and pressure from CEOs, managing directors and boards to prove that they are keeping the organisation secure.
The changing threat landscape means organisations need to be vigilant and smarter about security. While businesses still face threats from infected devices and malware, attackers have also moved beyond that. For example, there is an increasing number of targeted email attacks with cyber criminals spending time to monitor communications so they can imitate emails that are so sophisticated that even relatively savvy users will open them.
This webinar will explore the building blocks required to ensure you have the roadmap required to best protection against cyber attacks. We will provide you with a high level view of the following topics:
· Audit and discovery – What are your weaknesses and are you compliant?
· Education – Do your employees know when not to open that attachment?
· Policy – Do you have the right policies for your industry?
· Technology – Where to start and what has changed?
The Cloud is both compelling and alluring, offering benefits that entice many organizations into rapid adoption. But caution should be taken. Leveraging cloud technologies can offer tremendous opportunities, with the caveat of potentially introducing new security problems and business risks. Presented are strategic recommendations for cloud adoption to a community of application and infrastructure developers.
Talk that Prof. Mustaque Ahamad from GaTech gave at Global Cybersecurity Leaders Program http://www.cisoacademy.com/gclp2-prof-mustaque-ahamad-april-2015/
Presentation to the Texas Bar CLE program on Contract Drafting, Review and Negotiation on December 5, 2017 in Austin, Texas, by Cybersecurity & Data Privacy Attorney Shawn Tuma, on October 19, 2017. For more information visit www.businesscyberrisk.com
Cyber risk isn't new, but the stakes grow higher every day. An incident is no longer likely to be an isolated event, but a sustained and persistent campaign. There is no single solution that will offer protection from an attack, but a Cyber Resilience strategy can provide a multi-layered approach that encompasses people, processes and technology. Pete's presentation talks about eliminating the gap between IT and the business to present a united front against threats. This is a paradigm shift that uses security intelligence to guide decisions and support agility.
Effective cybersecurity for small and midsize businessesShawn Tuma
This presentation was delivered at the Center for American & International Law's Second Annual Cybersecurity & Data Privacy Law Conference on April 13, 2018, by Shawn Tuma, Cybersecurity & Data Privacy Attorney at Scheef & Stone.
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)Shawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma presents the lunch keynote on the Legal Case for Cybersecurity at SecureWorld-Dallas in 2017.
Here is a link directly to the YouTube video of this presentation: https://youtu.be/3ZeJ86Ebas0
Risk management is one of the main concepts that have been used by most of the organisations to protect their assets and data. One such example would be INSURANCE. Most of the insurance like Life, Health, and Auto etc have been formulated to help people protect their assets against losses. Risk management has also extended its roots to physical devices, such as locks and doors to protect homes and automobiles, password protected vaults to protect money and jewels, police, fire, security to protect against other physical risks. Dr. C. Umarani | Shriniketh D "Risk Management" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd37916.pdf Paper URL : https://www.ijtsrd.com/computer-science/computer-security/37916/risk-management/dr-c-umarani
Cyber-attacks are an alarming threat to all types of businesses & organizations.The risk of a cyber-attack is not just a risk to your company but also to your privacy.Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.
Cyber-attacks are an alarming threat to all types of businesses & organizations.The risk of a cyber-attack is not just a risk to your company but also to your privacy.Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory RealmShawn Tuma
The #CyberAvengers' Paul Ferrillo (a/k/a Director Fury) and Shawn Tuma (a/k/a Hulk) presented at the Practical Cybersecurity Risk Management Strategies program of the New Jersey State Bar Association (NJSBA) Cybersecurity Institute on November 17, 2017. In this presentation, Fury and Hulk focused the core #CyberAvengers message of the real-life cybersecurity issues facing most companies -- the basics of good cyber hygiene -- and explained how artificial intelligence and machine learning will help companies do a better job at getting these right, along with how and why AI/ML play a critical role in the future of cybersecurity.
Cybersecurity: Cyber Risk Management for Lawyers and ClientsShawn Tuma
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled "Cybersecurity: Cyber Risk Management for Lawyers and Clients" at the Texas Bar CLE's 16th Annual Advanced Business Law Course on November 8, 2018.
Running Head SECURITY AWARENESSSecurity Awareness .docxtoltonkendal
Running Head: SECURITY AWARENESS
Security Awareness 2
Final Project Security Awareness
Terri Y. Hudson
Southern New Hampshire University – IT 552
December 20, 2016
Agency-wide security awareness Program Proposal
Introduction
For the organization to comply with the current PCT DSS requirement version 12,6, a security awareness program must be in place. The CISCO of the organization has an immediate requirement of creating an agency-wide security awareness program. As a means of implementing security awareness program the organization has conducted a security gap analysis which is one of the component of security awareness program which showed the 10 security findings. As one of the means of conducting the program, I will submit awareness program proposal.
Objective
This SOW (Statement of Work) is being done on behalf of the senior information officer. He has requested for the creation of an agency-wide security awareness program by handing over the security gap analysis which was done prior to this process. Hence the major aim of this document is to set a security awareness program which shows ten major key security findings. The document will also include a risk assessment of the current security awareness practices, processes and practices. By having this document, the organization will be able to have a well-organized maintenance plan. It is also important in maintaining and establishing an information-security awareness program (United States, 2000).
Background
The mission of the organization is to provide efficient IT services with the best security program in place with an aim of protecting organizations assets.
1. Technical infrastructure
The organization is engaged in short-term effort aiming at modernizing its information-processing infrastructure. These efforts have incorporated software enhancements, installation of firewalls and high end network systems for an improved communication. The senior information officer is the one who is responsible top oversee modernization effort. He has of late completed conducting a security awareness program and deployment of the organization’s LAN (Local area Network). The hardware being used is of CISCO products.
2. Computing Environment
The organization’s desktop computers are of Windows 2007/ 98 and 95. The servers are of Pentium with over 1 GB RAM. The current NOS (Network operating system) are window based.
3. Security Posture of the Organization
The organization has a basic network structure with only one router which acts as a firewall. It has several working stations and switches to this working stations. In addition the organization has installed Kasperky’s antivirus in of their desktop machines with a motive of reducing external threats. The data server is highly secured with Kaspersky’s antivirus. The organization physical sec ...
Cyber Security presentation for the GS-GMIS in Columbia, SC on 7-19-2018, 125 people present, discussion at an Executive level to help Project Managers better understand Cyber Security and recent updates and guidance to help you plan for your company
Ensuring cyber resilience presents different risk points and many challenges. Not all organizations possess the internal capabilities and expertise necessary to strategize, execute, and safeguard their attack surface. By identifying vulnerabilities, deploying tools, and educating users, cybersecurity services can make the digital environment safer for all.
Our Cyber Resilience FasTrak provides three flexible options for personalized
protection. Select the service that is right for your organization:
- Improve cyber defenses with a Security Health Check
- Uncover hidden threats with AI powered Threat Hunting Service
- Don’t be scared, be prepared with Incident Response Simulation
Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...cyberprosocial
In today’s time, where businesses heavily depend on technology for their daily operations, the danger of cyberattacks is a big concern. Companies need to have a solid plan in place to manage the risks associated with cybersecurity. This means taking the necessary steps to protect sensitive data and systems from bad guys who want to cause harm. In this article, we’ll explain why cybersecurity risk management is so important and share some practical strategies to help you keep your digital assets safe. So, let’s dive in and explore how you can protect your business from cyber threats!
Similar to The Legal Case for Cyber Risk Management Programs and What They Should Include (20)
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, was a guest lecturer on this topic at Southern Methodist University Digital Branding Class on October 27, 2020.
Incident Response Planning - Lifecycle of Responding to a Ransomware AttackShawn Tuma
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, was a guest lecturer on this topic at Columbia University for the Executive Masters of Technology Management Program on November 21, 2020.
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Shawn Tuma
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Northwestern State University's Fall Continuing Legal Education Conference on November 18, 2020.
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...Shawn Tuma
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Dallas Baptist University Reimagine Technology Conference course in Dallas, Texas on November 18, 2020.
The Role of Contracts in Privacy, Cybersecurity, and Data BreachShawn Tuma
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Texas Bar CLE's Making and Breaking Iron-Clad Contracts course in Austin, Texas on March 6, 2020.
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Shawn Tuma
Shawn Tuma delivered this presentation on April 9, 2019, at the Oklahoma State University 4th Annual Cyber Security Conference in Oklahoma City, Oklahoma.
In twenty years of practicing cyber law, Shawn Tuma has seen a multitude of cybersecurity and data breach cases that have helped him understand the real-world risks companies face and the practical things they can do to prioritize their resources and effectively manage cyber risk. In this presentation, he will share his experience on issues such as:
· Why cybersecurity is an overall business risk issue that must be properly managed to comply with laws and regulations
· Why strategic leadership is critical in cybersecurity
· Why teams are critical for cybersecurity and how to personalities and psychology can impact that team
· The most likely real-world risks that most companies face
· How to prioritize limited resources to effectively manage the most likely real-world risks
· What is reasonable cybersecurity
· How to develop, implement, and mature a cyber risk management program
· Why cyber insurance is a critical component of the cyber risk management process
Real World Cyber Risk. Understand it. Manage it.Shawn Tuma
Renaissance Executive Forums 2019 CEO Summit presentation by Shawn E. Tuma, Co-Chair, Data Privacy & Cybersecurity Group, Spencer Fane, LLP
March 7, 2019
Dallas, Texas
The Legal Case for Cyber Risk Management Programs and What They Should IncludeShawn Tuma
Spencer Fane LLP Cybersecurity and Data Privacy attorney Shawn Tuma delivered "The Legal Case for Cyber Risk Management Programs and What They Should Include" at the Texas Society of Certified Public Accountants' TSCPA CPE 2018 CPE Expo Conference on November 30, 2018, in Addison, Texas.
As an attorney serving as a guide for companies that have data breaches, I regularly advise clients through the data breach incident response process. Here is a checklist that I developed to give them a roadmap for how this process works, on a single page. While this is not an exhaustive list, these are the items that most often need to be performed in the cases in which I guide clients through the incident response and remediation process. Of course, there will be exceptions, additions, and omissions — take this for what it is, a starting point. Another important point to remember is that this is just a checklist, it is not a cybersecurity incident response plan. Fore more information see https://shawnetuma.com/incident-response-checklist/
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Shawn Tuma
Cybersecurity is a Team Sport: Why strategic leadership and an understanding of roles, personalities, and psychology is important for building and managing effective cybersecurity teams.
This presentation was a discussion of issues such as:
* Who should be on the team and what should they know?
* How should the team be organized?
* Who is responsible for developing the strategy and seeing the whole playing field?
* What are the team members responsibilities?
* How do team members personalities affect their roles and performance?
* Is there a role for lawyers if the "privilege" "magic wand" turns out to be more fairy-tale than reality?
The presentation was delivered by cybersecurity and data privacy attorney Shawn Tuma, Co-Chair of the Cybersecurity and Data Privacy Practice Group of Spencer Fane LLP, on October 10, 2018, at SecureWorld - Dallas.
Something is Phishy: Cyber Scams and How to Avoid ThemShawn Tuma
Reginald A. Hirsch and Shawn E. Tuma presented this talk at the Annual Meeting of the State Bar of Texas for the Law Practice Management Section of the State Bar of Texas. The date of the talk was June 22, 2018, and the location was Houston, Texas.
Cybersecurity Fundamentals for Legal Professionals (and every other business)Shawn Tuma
Cybersecurity & Data Privacy attorney Shawn Tuma delivered this presentation to the Mid-Year Meeting of the State Bar of Oklahoma's Intellectual Property Law Section on June 2, 2018. For more information visit www.shawnetuma.com
"What Could Go Wrong?" - We're Glad You Asked!Shawn Tuma
Dallas cybersecurity and data privacy attorney Shawn Tuma delivered this presentation on social media law to Social Media Breakfast on February 22, 2018.
Cybersecurity: How to Protect Your Firm from a Cyber AttackShawn Tuma
Cybersecurity: How to Protect Your Firm from a Cyber Attack was delivered on February 7, 2018, at the Texas Bar CLE Cybersecurity Workshop course by Shawn Tuma, Cybersecurity & Data Privacy Attorney at Scheef & Stone.
Recovering from a Cyber Attack was delivered on February 7, 2018, at the Texas Bar CLE Cybersecurity Workshop course by Todd Hindman, Global Director, Data Breach Response Services of ID Experts Corp. and Shawn Tuma, Cybersecurity & Data Privacy Attorney at Scheef & Stone.
Introducing New Government Regulation on Toll Road.pdfAHRP Law Firm
For nearly two decades, Government Regulation Number 15 of 2005 on Toll Roads ("GR No. 15/2005") has served as the cornerstone of toll road legislation. However, with the emergence of various new developments and legal requirements, the Government has enacted Government Regulation Number 23 of 2024 on Toll Roads to replace GR No. 15/2005. This new regulation introduces several provisions impacting toll business entities and toll road users. Find out more out insights about this topic in our Legal Brief publication.
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptxanvithaav
These slides helps the student of international law to understand what is the nature of international law? and how international law was originated and developed?.
The slides was well structured along with the highlighted points for better understanding .
ALL EYES ON RAFAH BUT WHY Explain more.pdf46adnanshahzad
All eyes on Rafah: But why?. The Rafah border crossing, a crucial point between Egypt and the Gaza Strip, often finds itself at the center of global attention. As we explore the significance of Rafah, we’ll uncover why all eyes are on Rafah and the complexities surrounding this pivotal region.
INTRODUCTION
What makes Rafah so significant that it captures global attention? The phrase ‘All eyes are on Rafah’ resonates not just with those in the region but with people worldwide who recognize its strategic, humanitarian, and political importance. In this guide, we will delve into the factors that make Rafah a focal point for international interest, examining its historical context, humanitarian challenges, and political dimensions.
Car Accident Injury Do I Have a Case....Knowyourright
Every year, thousands of Minnesotans are injured in car accidents. These injuries can be severe – even life-changing. Under Minnesota law, you can pursue compensation through a personal injury lawsuit.
Responsibilities of the office bearers while registering multi-state cooperat...Finlaw Consultancy Pvt Ltd
Introduction-
The process of register multi-state cooperative society in India is governed by the Multi-State Co-operative Societies Act, 2002. This process requires the office bearers to undertake several crucial responsibilities to ensure compliance with legal and regulatory frameworks. The key office bearers typically include the President, Secretary, and Treasurer, along with other elected members of the managing committee. Their responsibilities encompass administrative, legal, and financial duties essential for the successful registration and operation of the society.
How to Obtain Permanent Residency in the NetherlandsBridgeWest.eu
You can rely on our assistance if you are ready to apply for permanent residency. Find out more at: https://immigration-netherlands.com/obtain-a-permanent-residence-permit-in-the-netherlands/.
WINDING UP of COMPANY, Modes of DissolutionKHURRAMWALI
Winding up, also known as liquidation, refers to the legal and financial process of dissolving a company. It involves ceasing operations, selling assets, settling debts, and ultimately removing the company from the official business registry.
Here's a breakdown of the key aspects of winding up:
Reasons for Winding Up:
Insolvency: This is the most common reason, where the company cannot pay its debts. Creditors may initiate a compulsory winding up to recover their dues.
Voluntary Closure: The owners may decide to close the company due to reasons like reaching business goals, facing losses, or merging with another company.
Deadlock: If shareholders or directors cannot agree on how to run the company, a court may order a winding up.
Types of Winding Up:
Voluntary Winding Up: This is initiated by the company's shareholders through a resolution passed by a majority vote. There are two main types:
Members' Voluntary Winding Up: The company is solvent (has enough assets to pay off its debts) and shareholders will receive any remaining assets after debts are settled.
Creditors' Voluntary Winding Up: The company is insolvent and creditors will be prioritized in receiving payment from the sale of assets.
Compulsory Winding Up: This is initiated by a court order, typically at the request of creditors, government agencies, or even by the company itself if it's insolvent.
Process of Winding Up:
Appointment of Liquidator: A qualified professional is appointed to oversee the winding-up process. They are responsible for selling assets, paying off debts, and distributing any remaining funds.
Cease Trading: The company stops its regular business operations.
Notification of Creditors: Creditors are informed about the winding up and invited to submit their claims.
Sale of Assets: The company's assets are sold to generate cash to pay off creditors.
Payment of Debts: Creditors are paid according to a set order of priority, with secured creditors receiving payment before unsecured creditors.
Distribution to Shareholders: If there are any remaining funds after all debts are settled, they are distributed to shareholders according to their ownership stake.
Dissolution: Once all claims are settled and distributions made, the company is officially dissolved and removed from the business register.
Impact of Winding Up:
Employees: Employees will likely lose their jobs during the winding-up process.
Creditors: Creditors may not recover their debts in full, especially if the company is insolvent.
Shareholders: Shareholders may not receive any payout if the company's debts exceed its assets.
Winding up is a complex legal and financial process that can have significant consequences for all parties involved. It's important to seek professional legal and financial advice when considering winding up a company.
A "File Trademark" is a legal term referring to the registration of a unique symbol, logo, or name used to identify and distinguish products or services. This process provides legal protection, granting exclusive rights to the trademark owner, and helps prevent unauthorized use by competitors.
Visit Now: https://www.tumblr.com/trademark-quick/751620857551634432/ensure-legal-protection-file-your-trademark-with?source=share
In 2020, the Ministry of Home Affairs established a committee led by Prof. (Dr.) Ranbir Singh, former Vice Chancellor of National Law University (NLU), Delhi. This committee was tasked with reviewing the three codes of criminal law. The primary objective of the committee was to propose comprehensive reforms to the country’s criminal laws in a manner that is both principled and effective.
The committee’s focus was on ensuring the safety and security of individuals, communities, and the nation as a whole. Throughout its deliberations, the committee aimed to uphold constitutional values such as justice, dignity, and the intrinsic value of each individual. Their goal was to recommend amendments to the criminal laws that align with these values and priorities.
Subsequently, in February, the committee successfully submitted its recommendations regarding amendments to the criminal law. These recommendations are intended to serve as a foundation for enhancing the current legal framework, promoting safety and security, and upholding the constitutional principles of justice, dignity, and the inherent worth of every individual.
ASHWINI KUMAR UPADHYAY v/s Union of India.pptxshweeta209
transfer of the P.I.L filed by lawyer Ashwini Kumar Upadhyay in Delhi High Court to Supreme Court.
on the issue of UNIFORM MARRIAGE AGE of men and women.
The Legal Case for Cyber Risk Management Programs and What They Should Include
1. Shawn E. Tuma
Cybersecurity & Data Privacy Attorney
Scheef & Stone, LLP
Shawn.Tuma@solidcounsel.com
(214) 472-2135
@shawnetuma
The Legal Case for Cyber Risk
Management Programs and What
They Should Include
2.
3. Cybersecurity is no longer just an IT issue—
it is an overall business risk issue.
4. Security and IT protect companies’ data;
Legal protects companies from their data.
5. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Common
Cybersecurity
Best Practices
6. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Does your
company have
reasonable
cybersecurity?
In re Target Data Security Breach
Litigation, (Financial Institutions)
(Dec. 2, 2014)
F.T.C. v. Wyndham Worldwide Corp.,
799 F.3d 236 (3rd Cir. Aug. 24, 2015)
7. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Does your
company have
adequate
internal network
controls?
FTC v. LabMD, (July 2016 FTC
Commission Order)
8. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Does your
company have
written policies
and procedures
focused on
cybersecurity?
SEC v. R.T. Jones Capital Equities
Mgt., Consent Order (Sept. 22, 2015)
9. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Does your
company have a
written
cybersecurity
incident
response plan?
SEC v. R.T. Jones Capital Equities
Mgt., Consent Order (Sept. 22, 2015)
10. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Does your
company
manage third-
party cyber risk?
In re GMR Transcription Svcs, Inc.,
Consent Order (August 14, 2014)
11. “GMR Transcription Services, Inc. . . . Shall . . . establish and
implement, and thereafter maintain, a comprehensive information
security program that is reasonably designed to protect the security,
confidentiality, and integrity of personal information collected from
or about consumers.” In re GMR Transcription Svcs, Inc., Consent
Order (Aug. 14, 2014)
“We believe disclosures regarding a company’s cybersecurity risk
management program and how the board of directors engages with
management on cybersecurity issues allow investors to assess how a
board of directors is discharging its risk oversight responsibility in
this increasingly important area.” SEC Statement and Guidance (Feb.
21, 2018)
“Each Covered Entity shall maintain a cybersecurity program
designed to protect the confidentiality, integrity and availability of
the Covered Entity’s Information Systems.” NYDFS Cybersecurity
Regulations § 500.02
“Taking into account the state of the art, the costs of
implementation and the nature, scope, context and purposes of
processing as well as the risk of varying likelihood and severity for
the rights and freedoms of natural persons, the controller and the
processor shall implement appropriate technical and organizational
measures to ensure a level of security appropriate to the risk,
including …” GDPR, Art. 32
How mature is
your company’s
cyber risk
management
program?
12. Why have an attorney lead your cyber risk management program?
Our role as attorneys is to provide legal advice regarding the legal, regulatory
compliance, and overall defensibility of the company’s current cyber risk and
cybersecurity defense posture and then lead the company in developing,
implementing, testing, and maturing a comprehensive cyber risk
management program.
• In providing this legal advice, we will engage the services of other
professionals – consulting experts – to assist us in evaluating the current
status and moving towards a more defensible posture.
• Our work may be treated as attorney-client privileged and work-product.
• But, both attorney-client privilege and work-product are very uncertain
in this environment and are certainly no guarantees.
• Communicate as though there will be no privilege.
13. Too little –
“just check the
box”
Too much –
“boiling the
ocean”
What is reasonable
cybersecurity?
15. What should your company’s cyber risk management program look like?
• Based on a risk assessment1,2,3,4,5
• Implemented and maintained (i.e.,
maturing)1,2,3
• Fully documented in writing for both content
and implementation1,2,3
• Comprehensive1,2,3,4,5
• Contain administrative, technical, and physical
safeguards1,2,3
• Reasonably designed to protect against risks to
network and data1,2,3,4,5
• Identify and assess internal and external risks2
• Use defensive infrastructure and policies and
procedures to protect network and data1,2,3,4,5
• Workforce training2,3
• Detect events2
• Respond to events to mitigate negative impact2
• Recover from events to restore normalcy2
• Regularly review network activity such as audit
logs, access reports, incident tracking reports3
• Assign responsibility for security to an
individual3,5
• Address third-party risk2,3,5
• Certify compliance by Chair of Board or Senior
Officer or Chief Privacy Officer2
1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
2. NYDFS Cybersecurity Regulations Section 500.02
3. HIPAA Security Management Process, §164.308(a)(1)(ii)
4. SEC Statement and Guidance on 2/21/18
5. GDPR Art. 32
16. The most essential step?
• How do you protect against what you don’t know?
• How do you protect what you don’t know you have?
• How do you comply with rules you don’t know exist?
• Demonstrates real commitment to protect, not just
“check the box compliance.”
• No two companies are alike, neither are their risks,
neither are their risk tolerances.
Cyber Risk
Management
Program
Identify:
Assess Cyber Risk
“If you know the enemy and know yourself, you need
not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained you
will also suffer a defeat. If you know neither the enemy
nor yourself, you will succumb in every battle.” –Sun Tzu
17. Required by -
• FTC: “shall contain administrative, technical, and physical
safeguards appropriate to …” (GMR)
• HHS: “The Security Rule requires entities to evaluate risks and
vulnerabilities in their environments and to implement reasonable
and appropriate security measures to protect against reasonably
anticipated threats or hazards to the security or integrity of ePHI.
Risk analysis is the first step in that process.” (HHS Guidance on
Risk Analysis)
• SEC: “We expect companies to provide disclosure that is tailored
to their particular cybersecurity risks and incidents.” (SEC
Statement and Guidance 2/21/18)
• NYDFS: “Each Covered Entity shall conduct a periodic Risk
Assessment of the Covered Entity’s Information Systems sufficient
to inform the design of the cybersecurity program as required by
this Part. (NYDFS § 500:09)
• GDPR: “Taking into account the nature, scope, context and
purposes of processing as well as the risks of varying likelihood
and severity for the rights and freedoms of natural persons, the
controller shall implement appropriate technical and
organizational measures ….” (GDPR Art. 24 and 32)
Cyber Risk
Management
Program
Identify:
Assess Cyber Risk
18. Cyber Risk Management Program – Identify: Assess Cyber Risk
What are we assessing?
• What information it has, where is it, who has access to
it, how it moves into, through, and out of the
company2,6
• The company’s size and complexity, the nature and
scope of its activities, and the sensitivity of the
personal information it maintains1
• Workforce
• Industry risks4
• “Nature, scope, context and purposes of processing as
well as the risks of varying likelihood and severity for
the rights and freedoms of natural persons”5
• Technological developments and evolving threats2
• Availability and effectiveness of controls2 and limits on
ability to use controls4
• Documentation of how identified risks will be mitigated
or accepted and how the program will address the
risks2
• Third-party and nth-party risk2
• Prior incidents and probability of future incidents4
• Availability of insurance coverage for incidents4
• Potential for reputational harm4
• litigation, regulatory investigation, and remediation
costs associated with cybersecurity incidents4
• Jurisdiction and existing or pending laws and
regulations that may affect the requirements to which
companies are subject relating to cybersecurity and the
associated costs to companies4
1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
2. NYDFS Cybersecurity Regulations Section 500.09
3. HIPAA Security Management Process, §164.308(a)(1)(ii)
4. SEC Statement and Guidance on 2/21/18
5. GDPR Art. 24 and 32
6. FTC Protecting Personal Information
19. What laws and regulations are the company subject to?
• Types
• Security
• Privacy
• Unauthorized Access
• International Laws
• Privacy Shield
• GDPR
• Federal Laws & Regs.
• HIPAA, GLBA, FERPA
• FTC, SEC, FCC, HHS
• State Laws
• 48 states (AL & SD)
• NYDFS & Colorado FinServ
• Industry Groups
• PCI, FINRA
• Contracts
• 3rd Party Bus. Assoc.
• Data Security Addendum
20. What does strategy consider?
• Resources
• Risks & environment
• Who is your general? Who is on your team?
• Inside and outside
• Technical – MSP, MSSP, pen testing, forensics
• Strategic – CISO, outsource / fractional CISO, legal, CPO
• Risk transfer – cyber risk insurance
• Prioritization is critical: “you can’t boil the ocean”
• Evaluating risk = probability x loss x cost x time to implement x
impact on resources x benefits / detriments
• “where do we die first?”
• Don’t forget 3rd and Nth party risk
• Write out your Strategic Plan
Cyber Risk
Management
Program
Identify & Protect:
Strategic Planning
“Strategy without tactics is the slowest route to victory,
tactics without strategy is the noise before defeat.”
−Sun Tsu
21. “Gimme Action! Action! Action not words!” –Def Leppard
• Execute your Strategic Plan in order of priorities.
• Make sure to document this process (and all others).
• Execution will vary wildly, based on size and complexity
of company and Strategic Plan.
• Include redundancy (where appropriate – think Equifax
/ Apache Struts patch) and verification of execution
(example: recent W-2 case with DLP setting).
• If you have the assets, you must use them and respond
appropriately (Target Financial Case).
• Have appropriate procedures for quickly assessing
and responding to anomalies and incidents from
Detection in reasonable time.
Cyber Risk
Management
Program
Protect & Detect:
Implement Strategy &
Deploy Assets
“A good plan violently executed now is better than a
perfect plan executed next week.” –George Patton
22. Protect: Develop, Implement & Train on Policies & Procedures
• 63% confirmed breaches from weak,
default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily Avoidable Incidents
91% in 2015
91% in 2016
93% in 2017
23. Key points to consider in evaluating third-party risk.
• Focus on objectives: protecting, responding,
responsibility of data/network.
• Staff appropriately.
• Understand facts of relationship/transaction.
• Understand risks by thinking worst case scenario from
outset.
• Minimalize risks: do not risk it if you do not have to.
• Discuss objectives, facts, risks, protection with those
responsible.
• Assess third party’s sophistication and commitment.
• Agree upon appropriate protections.
• Investigate ability to comply.
• Obligate compliance, notification (to you), responsibility.
• Include in incident response planning.
• Cyber Insurance: transfer risk where possible.
Cyber Risk
Management
Program
Protect:
Third-Party Risk
24. Use contracts and contractual rights to minimize
third-party risk:
• Minimize risk, including third-party risk; and
• Determine the process and responsibility for
incidents.
This risk can be reduced to two basic things:
protecting – wherever and however – and
responding to incidents concerning:
• Networks; and
• Data.
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
25. In re GMR Transcription Svcs., Inc., Consent Order (Aug.
14, 2014). FTC’s Order requires business to follow 3 steps
when working with third-party service providers:
1. Investigate before hiring data service providers;
2. Obligate data service providers to adhere to the
appropriate level of data security protections;
and
3. Verify that the data service providers are
complying with obligations (contracts).
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
26. “It would be helpful for companies to consider the following
issues, among others, in evaluating cybersecurity risk factor
disclosure: . . . . the aspects of the company’s business and
operations that give rise to material cybersecurity risks and the
potential costs and consequences of such risks, including
industry-specific risks and third-party supplier and service
provider risks.” SEC Statement, February 21, 2018
In January 2014, SEC indicates that the new standard of care for
companies may require policies in place for:
1. Prevention, detection, and response to cyber attacks
and data breaches,
2. IT training focused on security, and
3. Vendor access to company systems and vendor due
diligence.
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
27. New NIST Cybersecurity Framework adds “Supply Chain
Risk Management (SCRM)” as a “Framework Core”
function:
• Coordinate cybersecurity efforts with suppliers of IT
and OT (operational technology) partners;
• Enact cybersecurity requirements through contracts;
• Communicate how cybersecurity standards will be
verified and validated; and
• Verify cybersecurity standards are met.
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
28. NYDFS § 500.11 Third-Party Service Provider Security Policy
“Each Covered Entity shall implement written policies and
procedures designed to ensure the security of Information Systems
and Nonpublic Information that are accessible to, or held by, Third
Party Service Providers.”
• P&P should be based on CE’s Risk Assessment and address the following,
as applicable:
• The identification and risk assessment of TPSPs;
• Minimum CP required by TPSP to do business with CE;
• Due diligence process used to evaluate the adequacy of CP by
such TPSP; and
• Periodic assessment of such TPSP based on risk they present and
continued adequacy of their CP.
• P&P shall include relevant guidelines for due diligence and/or contractual
protections relating to TPSP and applicable guidelines addressing:
• TPSP’s P&P for access controls and MFA to IS / NPI;
• TPSP’s P&P for use of encryption in transit and at rest;
• Notice to be provided to CE for Cybersecurity Event; and
• Reps and warranties addressing TPSP’s cybersecurity P&P.
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
29. Third-Party Processing and Risk Under the GDPR
• Controller, individually or with other controllers (jointly and severally), is
responsible to the data subjects. Art. 26
• Processor only process on controller’s instructions. Art. 29
• Using a risk assessment, the controller must implement appropriate
technical and organizational safeguards (incl. P&P) to ensure personal
data is processed lawfully. Reassessment and maturation is required. Art.
24(1)
• Controller shall use only processors providing sufficient guarantees to
implement appropriate technical and organizational measures to satisfy
GDPR. Art. 28
• Processor must have controller’s written authorization to engage
another sub-processor;
• Processor must have binding contract with controller specifying
particulars of processing;
• Processor must be bound to confidentiality;
• Processor must demonstrate compliance and agree to audits and
inspections; and
• Nth processors liable to upstream processor, which is liable to the
controller, which is ultimately liable.
• Non-regulated controllers and processors can contractually agree to be
bound. Art. 42
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
30. Preparation is the key to a successful incident
response.
• There is no magic size to an Incident Response Plan but it
must be written.
• Know who is on your IR team and have them involved.
• Understand your legal obligations, including contractual.
• Know the difference between an incident and a breach –
breach is a legal term.
• Make sure your legal counsel understands the meaning of
“non-reportable incident”!
• Put yourself in the incident and think through it from
there.
Cyber Risk
Management
Program
Respond:
Develop IR Plan &
Tabletop Testing
"Firms must adopt written policies to protect their
clients’ private information and they need to anticipate
potential cybersecurity events and have clear
procedures in place rather than waiting to react once a
breach occurs.” SEC v. R.T. Jones
32. Cyber Risk Management Program – Respond: Develop IR Plan & TT Testing
Incident Response Checklist
• Determine whether incident justifies escalation
• Begin documentation of decisions and actions
• Engage experienced legal counsel to lead process,
determine privilege vs disclosure tracks
• Notify and convene Incident Response Team
• Notify cyber insurance carrier
• Engage forensics to mitigate continued harm, gather
evidence, and investigate
• Assess scope and nature of data compromised
• Preliminarily determine legal obligations
• Determine whether to notify law enforcement
• Begin preparing public relations message
• Engage notification / credit services vendor
• Notify affected business partners
• Investigate whether data has been “breached”
• Determine when notification “clock” started
• Remediate and protect against future breaches
• Confirm notification / remediation obligations
• Determine proper remediation services
• Obtain contact information for notifications
• Prepare notification letters, frequently asked questions,
and call centers
• Plan and time notification “drop”
• Implement public relations strategy
• Administrative reporting (i.e., FTC, HHS, SEC & AGs)
• Implement Cybersecurity Risk Management Program
33. • There is no such thing as being “cyber secure.” Until
we fix human nature, bad people will do bad things
and cyber will be a weapon of choice until something
more efficient comes along.
• Just as hackers will continue to evolve in their
objectives and tactics, companies must evolve in how
they protect against them.
• Our goal is to have effective and defensible
cybersecurity that is reasonable—that is, that is
tailored to address the unique risks of the company
and appropriate based on the company’s resources.
Cyber Risk
Management
Program
Recover & Identify:
Reassess, Refine &
Mature
“Water shapes its course according to the nature of the
ground over which it flows; the soldier works out his
victory in relation to the foe whom he is facing.”
−Sun Tsu
34. “You don’t drown by
falling in the water;
You drown by staying
there.” – Edwin Louis Cole
35. • Board of Directors & General Counsel, Cyber Future Foundation
• Board of Advisors, NorthTexas Cyber Forensics Lab
• PolicyCouncil, NationalTechnology Security Coalition
• CybersecurityTask Force, IntelligentTransportationSociety of America
• Practitioner Editor, Bloomberg BNA –Texas Cybersecurity & Data Privacy Law
• Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016)
• SuperLawyersTop 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-17
• Best Lawyers in Dallas 2014-17, D Magazine (Cybersecurity Law)
• Council,Computer &Technology Section, State Bar ofTexas
• Privacy and Data Security Committee of the State Bar ofTexas
• College of the State Bar ofTexas
• Board of Directors, CollinCounty Bench Bar Conference
• Past Chair,Civil Litigation &Appellate Section, CollinCounty Bar Association
• Information Security Committee of the Section on Science &Technology
Committee of the American BarAssociation
• NorthTexas Crime Commission,Cybercrime Committee & Infragard (FBI)
• InternationalAssociation of Privacy Professionals (IAPP)
ShawnTuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com