THE CYBER SECURITY PLAYBOOK FOR EXECUTIVE OFFICERS AND BOARDS December 3, 2015 Panel Members: Spencer Hoole Jennifer Archie Jeff Sanchez Lauri Floresca

Spence Hoole Cyber Panel Presentation 2015 Summit



Difference Between a Data Breach & a Security Incident?

‣ Data breaches are a serious type of security incident that involves the release of personally sensitive, protected and/or confidential data, such as social security numbers, PCI data and personal health records.

‣ There are other types of security incidents, such as impersonation, denial of service and website defacement that don’t involve the theft of sensitive personal data and are very different in the eyes of the law and for purposes of regulatory compliance.

‣ Organizations are not required to report many security incidents, but they are required by law to follow particular procedures in the case of data breaches.


Most Recent Data Breaches

Profile of Current Threat

The Kill Chain is the high-level framework describing the stages advanced threat actors work through in their efforts to compromise a target:

Reconnaissance → Development → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objective

Ponemon Institute 2015 Cost of Data Breach Study


© 2015 Protiviti Inc.CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party.

Summit 2015: Preventing a Data Breach

Jeffrey Sanchez

CORRELATION BETWEEN DIRECTOR INVOLVEMENT AND GOOD SECURITY

[Chart: confidence scores with directors' involvement vs. without directors' involvement for three capabilities: monitor, detect & escalate potential security incident; prevent targeted external attack; prevent breach by a company insider. Values plotted: 8.0, 7.8, 7.7 and 6.5, 6.4, 6.1.]

*Scale: 1–10, where 10 = high confidence and 1 = low confidence

SECURITY STANDARDS

INFORMATION SECURITY STANDARDS: PICK, FOLLOW, MEASURE

NIST CSF
Structure: Functions → Categories → Subcategories → Informative References
Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

SANS Top 20
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Continuous Vulnerability Assessment and Remediation
• Controlled Use of Administrative Privileges
• Maintenance, Monitoring, and Analysis of Audit Logs
• Email and Web Browser Protections
• Malware Defenses
• Limitation and Control of Network Ports, Protocols, and Services
• Data Recovery Capability
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Boundary Defense
• Data Protection
• Controlled Access Based on the Need to Know
• Wireless Access Control
• Account Monitoring and Control
• Security Skills Assessment and Appropriate Training to Fill Gaps
• Application Software Security
• Incident Response and Management
• Penetration Tests and Red Team Exercises

ISO 27000 MODEL
Business Continuity Management System cycle: PLAN → DO → CHECK → ACT

PHISHING

VERIFICATION

IS YOUR SECURITY AS GOOD AS YOU THINK? MOST OF THE TIME IT ISN’T.

Insurance Services | Risk Management | Employee Benefits

An Assurex Global & IBN Partner. CA License 0329598, CO License 448197, OR License 0100167994

Summit 2015: Cyber Insurance

Lauri Floresca

December 3, 2015

www.wsandco.com

The information contained herein is proprietary & confidential and not to be distributed without the consent of Woodruff-Sawyer & Co.

Why you need Cyber Liability Insurance


Components of a Cyber Policy


First-Party v. Third-Party Coverage


What is Typically Not Covered


Cyber/E&O Limit Decision Factors


Models Provide Insight, but Many Variables to Consider


Cyber is a Board-Level Concern

In October 2011, the SEC published guidance for companies that suggested issuers should consider

• the "probability of cyber incidents occurring"

• "the quantitative and qualitative magnitude of those risks"

• that appropriate disclosure may include a "description of relevant insurance coverage."

Significant Data Breaches Can Lead to D&O Issues

Company | Cyber Event | D&O Matter | Status
ChoicePoint | (2005) 500,000 PII exposed via a data warehouser. | (2005) Class Action | (2008) Settled $10M
TJX | (2006-2007) 45M+ customer credit card data and other PII hacked; cost $171M. | (2007) Books & Records; (2007) Derivative Suit (breach of fiduciary duty) | (2010) Settled $595K plaintiffs fee award & therapeutics
Heartland Payment | (2009) 130M cards at payment processor; cost $140M. | (2009) Class Action | (2009) Dismissed
Target | (2013) 70M+ credit/debit cards breach at POS system; estimated cost over $1 billion. | (Jan 2014) Derivative Suit (breach of fiduciary duty) | Pending
Wyndham | (2008-2010) Three breaches; 619,000 customers impacted. | (Feb 2014) Derivative Suit (breach of fiduciary duty) | (Oct 2014) Dismissed
Home Depot | (2014) 56M+ credit/debit cards breach at POS system | (June 2015) Books & Records; (August 2015) Derivative Suit (breach of fiduciary duty) | Pending


© Woodruff-Sawyer & Co., 2014. All rights reserved.

Woodruff-Sawyer & Co., 50 California Street, Floor 12, San Francisco, CA 94111

www.wsandco.com

Insurance Services | Risk Management | Employee Benefits