3 April 2019 Global Cybersecurity Enterprise Risk Management Kelly Harris Prudential Insurance Company of America Stratis Pridgeon Wyndham Destinations

Page 1

3 April 2019

Global Cybersecurity Enterprise Risk Management

Kelly Harris, Prudential Insurance Company of America

Stratis Pridgeon, Wyndham Destinations

Page 2

Speaker

Kelly Harris
Vice President, Corporate Counsel, Privacy & Cybersecurity
Prudential Insurance Company of America

Kelly Harris is Vice President, Corporate Counsel, Privacy & Cybersecurity at Prudential Insurance Company of America, based in Newark, NJ. In her role, Kelly provides specialized legal advice and counsel regarding information security and privacy laws/regulations, data usage and governance, and legal issues related to information protection, cybersecurity, and emerging technologies to all of Prudential’s complex and federated businesses and groups.

Before joining Prudential 2 years ago, Kelly spent 7 years helping to build the Privacy and Information Security programs at Wyndham Worldwide. She started her legal career as an associate with Kirkpatrick & Lockhart (now K&L Gates) and then Gibbons, PC before going in-house to Japanese pharmaceutical companies Daiichi Sankyo and Otsuka.

Page 3

Speaker

Stratis Pridgeon
Group Vice President, Legal
Wyndham Destinations

Stratis Pridgeon serves as Group Vice President, Legal, and Global Privacy Lead for Wyndham Destinations. His responsibilities include advising the company on privacy and data security issues, information technology contracts and licenses, and information management. He previously served in a similar capacity with Wyndham Vacation Ownership.

Prior to joining Wyndham, Stratis was a bank examiner with the State of Florida as well as counsel for multiple Florida regulatory agencies. He has chaired the Privacy Subcommittee of the American Resort Development Association (ARDA) since its inception almost twenty years ago, and has been a frequent speaker at ARDA and other industry conferences on privacy and data security. Stratis is a graduate of The Florida State University and Stetson University College of Law and holds the distinction of Certified Information Privacy Professional/US from the International Association of Privacy Professionals.

Page 4

Global Cyber ERM

Disclaimer

The opinions expressed in this session are solely those of the participants. The opinions are not those of the organizers or sponsors of this conference or the panel participants’ respective companies /firms or any of their officers or directors.

This presentation and its contents do not constitute legal advice. You are encouraged to consult your own counsel regarding the application of any laws or regulations discussed herein to your company, to your client or to your specific circumstances.

The mention of any products or services or their providers or any organizations is not intended to be an endorsement.

Page 5

Global Cyber ERM

“Risk comes from not knowing what you’re doing.”

- Warren Buffett (2014 or earlier)

Page 6

Global Cyber ERM

“Cyber is uncharted territory. It’s going to get worse, not better.”

- Warren Buffett (2018)

Page 7

Global Cyber ERM

• Introduction

• Risk Frameworks and Other Tools

• The 7 C’s of Cyber ERM

• ERM/Cyber ERM Resources

• Questions

Page 8

Introduction

• What is Enterprise Risk Management (or “ERM”)?

• What is Cyber ERM?

• Why do we care about ERM / Cyber ERM?

Page 9

Global Cyber ERM

What is Enterprise Risk Management (or “ERM”)?

One Definition –

“A process, effected by an entity’s board of directors, management or other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”*

*From “Enterprise Risk Management – Integrated Framework - Executive Summary” ©2004 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

Page 10

Global Cyber ERM

What is Cyber ERM?

A key component of an organization’s overall Enterprise Risk Management program that requires new focus due to increases in cyber threats and uses of new technologies

The US Department of Homeland Security highlights the following Key Cyber Risk Management Concepts (“Cyber Risk Management Primer for CEOs” - dhs.gov):

• Incorporate cyber risks into existing risk management
• Begin cyber risk management discussions with your leadership team
• Implement industry standards and best practices
• Evaluate and manage specific cyber risks
• Provide oversight and review
• Develop and test incident response plans
• Coordinate cyber incident response planning across the enterprise
• Maintain awareness of cyber threats

Page 11

Global Cyber ERM

Why do we care about ERM / Cyber ERM?

Compliance with laws (too many to name)
o Sarbanes Oxley (SOX)
o NY DFS Cybersecurity Regulation (“risk-based approach”)
o General Data Protection Regulation (GDPR)
o China Internet Security Law
o California Consumer Privacy Act (CCPA)

Business Disruption
o Impact on customer service
o Loss of value

Consumer impact
o Effect of loss/misuse of personal information

Page 12

Global Cyber ERM

Why do we care about ERM / Cyber ERM?

Threats
o Cyberattacks
o Internal actors
o Deficient products/services
o Litigation

Brand reputation
o Negative publicity
o Competitive disadvantage

Business efficiency
o New technologies (IoT)
o Cloud vs. on-prem
o Balance demands of business leaders and public

Page 13

Global Cyber ERM

Why do we care about ERM / Cyber ERM?

Making the Case: Complexity

• Organizations are incredibly complex: multiple subsidiaries on a global scale, numerous business functions, thousands of employees, service providers, and processes

• Multiple risk owners spread across corporate functions and operating divisions

• Extension of cyber risks to service providers (e.g., cloud) and issues of responsibility/liability

• Constantly evolving nature of cyber risk due to advancements in technology and more sophisticated “bad actors”

Need: A view of cyber risk that flows through the entire organization with cross-functional understanding

Page 14

Global Cyber ERM

Why do we care about ERM / Cyber ERM?

Making the Case: In the Matter of Voya Financial Advisors, Inc. (Overview)

• On September 26, 2018, the SEC issued an Order against Voya Financial Advisors, Inc. (“VFA”), a division of Voya

• The Order related to a 2016 online security breach of the accounts of three independent advisors

• Using social engineering, fraudsters took over the independent advisors’ VFA accounts, leading to the compromise of the personal information of 5,600 people, but no financial loss.

• Voya agreed to pay a fine of $1,000,000.

Page 15

Global Cyber ERM

Why do we care about ERM / Cyber ERM?

Making the Case: In the Matter of Voya Financial Advisors, Inc. (Significance)

The SEC found that VFA violated both the Safeguards Rule and the Identity Theft Red Flags Rule.

Both rules require policies and procedures to keep information safe and to respond to fraud.

VFA had such policies and procedures, but the SEC found that:
o VFA did not regularly update the policies in response to threats
o There were gaps in VFA’s policies (“risks”)
o VFA did not always follow its policies

In the Matter of Voya Financial Advisors Inc., Exchange Act Release No. 84288, Investment Advisers Act Release No. 5048 (Sept. 26, 2018), available at https://www.sec.gov/litigation/admin/2018/34-84288.pdf.

Page 16

Risk Frameworks and Other Tools

• General Enterprise Risk
• Cyber/IT
• Privacy
• Sector-specific Tools (example)

Page 17

Global Cyber ERM

General Enterprise Risk Frameworks

COSO “Enterprise Risk Management – Integrated Framework” (2004)

A “set of principles organized into five interrelated components”:
o Governance and Culture
o Strategy and Objective-Setting
o Performance
o Review and Revision
o Information, Communication, and Reporting*

Supplemented by the “COSO Enterprise Risk Management – Integrating with Strategy and Performance” (2017)

“COSO in the Cyber Age” (Thought Paper)

*From “Enterprise Risk Management – Integrating with Strategy and Performance – Executive Summary” ©2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

Page 18

Global Cyber ERM

Cyber/IT Risk Frameworks

NIST (US National Institute of Standards and Technology) Cybersecurity Framework
o Basics
o Users
o Components

ISO 27001 (Organisation Internationale de Normalisation aka International Organization for Standardization)

PCI Security Standards Council Data Security Standard

Page 19

Global Cyber ERM

Cyber/IT Risk Frameworks

NIST Cybersecurity Framework

Basics

• Voluntary guidance
• Based on existing standards
• Help organizations manage and reduce risks
• Foster risk and cybersecurity communications
• Use is voluntary
• Customize for sectors/organizations to their unique risks
• Version 1.0 issued in February 2014
• Collaboration between industry, academia, and government
• Current Version 1.1 issued April 16, 2018

FROM: https://www.nist.gov/cyberframework/questions-and-answers#framework

Page 20

Global Cyber ERM

Cyber/IT Risk Frameworks

NIST Cybersecurity Framework

Users

• Intended to address “critical infrastructure”; however, other organizations can use
• Can be used by organizations with mature cybersecurity programs
• Raise awareness
• Improve communications
• Share cybersecurity expectations
• Use as a strategic planning tool

FROM: https://www.nist.gov/cyberframework/questions-and-answers#framework

Page 21

Global Cyber ERM

Cyber/IT Risk Frameworks

NIST Cybersecurity Framework

Components

Core
o Functions: Identify, Protect, Detect, Respond, Recover

Profile
o Alignment of standards, guidelines and practices
o Current vs. Target
o Prioritization and self-assessments

Implementation Tiers
o Partial (Tier 1)
o Risk Aware (Tier 2)
o Repeatable (Tier 3)
o Adaptable (Tier 4)

FROM: https://www.nist.gov/cyberframework/questions-and-answers#framework

Page 22

Global Cyber ERM

Cyber/IT Risk Frameworks

NIST Cybersecurity Framework Implementation Tiers

Risk Management Process (RMP)
o Partial (Tier 1): Ad hoc / reactive
o Risk Informed (Tier 2): Risk mgmt. practices approved by mgmt. but not org. wide
o Repeatable (Tier 3): Risk mgmt. practices formally approved and expressed as policy
o Adaptive (Tier 4): Risk mgmt. practices formally approved and expressed as policy

Integrated Risk Management Process (IRMP)
o Partial (Tier 1): Limited awareness
o Risk Informed (Tier 2): Awareness at org level but not managed org-wide
o Repeatable (Tier 3): Consistent methods in place to respond to changes in risk
o Adaptive (Tier 4): Consistent methods in place to respond to changes in risk

External Participation (EP)
o Partial (Tier 1): Lack of understanding or awareness
o Risk Informed (Tier 2): General understanding; collaborates but doesn’t share
o Repeatable (Tier 3): Organization is aware of cyber supply chain risk associated with products/services
o Adaptive (Tier 4): Understands role and contributes to broader understanding of risks

FROM: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Page 23

Global Cyber ERM

Cyber/IT Risk Frameworks

ISO 27001 (Organisation Internationale de Normalisation aka International Organization for Standardization)

ISO (along with IEC, the “International Electrotechnical Commission”) provides a “family of standards” under ISO/IEC 27000 to assist organizations with managing risks related to their information security management systems

ISO 27001 is often referenced in contractual security requirements as documentation of an organization’s security practices

Certification of ISO 27001 compliance is available through ISO and independent auditors.

Documentation available for purchase through ISO. (iso.org)

Page 24

Global Cyber ERM

Cyber/IT Risk Frameworks

PCI Data Security Standard (PCI DSS)

• “Framework for a robust payment card data security process”
• Consists of 12 requirements for securing cardholder data
• Includes a Prioritized Approach for compliance with the PCI DSS
o Roadmap to address risks
o “Quick wins”
o Supports financial and operational planning
o Progress indicators that are objective and measurable
o Helps promote assessor consistency

FROM: https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI-DSS-v3_2_1.pdf

Page 25

Global Cyber ERM

Cyber/IT Risk Frameworks

PCI Data Security Standard (PCI DSS)

Prioritized Approach to PCI DSS

FROM: https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI-DSS-v3_2_1.pdf

Milestone – Goals

1. Remove sensitive authentication data and limit data retention

2. Protect systems and networks, and be prepared to respond to a system breach

3. Secure payment card applications

4. Monitor and control access to your systems

5. Protect stored cardholder data

6. Finalize remaining compliance efforts, and ensure all controls are in place

Page 26

Global Cyber ERM

Privacy Risk Frameworks

NIST (US National Institute of Standards and Technology) Privacy Framework

Status
o Currently under development
o Official Request for Information (RFI) period ended January 14, 2019, but still accepting input

NIST Privacy Framework Working Outline – Components
o Basics
o Core
o Profile
o Implementation Tiers

FROM: www.nist.gov/privacy-framework

Page 27

Global Cyber ERM

Privacy Risk Frameworks

NIST Privacy Framework

Basics
o “…will provide a set of activities to achieve specific privacy outcomes….”
o “…will present key privacy outcomes identified by stakeholders as helpful in managing privacy risk.”

Core (four elements)
o Functions
o Categories
o Subcategories
o Informative References

FROM: www.nist.gov/privacy-framework

Page 28

Global Cyber ERM

Privacy Risk Frameworks

NIST Privacy Framework

Core Functions

Identify: Develop the organizational understanding to manage privacy risk for individuals arising from data processing or their interactions with products, services or systems.

Protect: Develop and implement appropriate data safeguards.

Control: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to meet privacy objectives.

Inform: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding about how data is processed.

Respond: Develop and implement appropriate activities to take actions regarding a privacy breach.

FROM: www.nist.gov/privacy-framework

Page 29

Global Cyber ERM

Privacy Risk Frameworks

NIST Privacy Framework

Profile

Core elements: Functions, Categories, Subcategories

Aligned with: Business requirements, Risk tolerance, Privacy Objectives, Resources

Current Profile: Privacy outcomes currently achieving

Target Profile: Outcomes needed to achieve desired privacy risk management goals

• Gauge resources
• Communicate risk

FROM: www.nist.gov/privacy-framework

Page 30

Global Cyber ERM

Privacy Risk Frameworks

NIST Privacy Framework Implementation Tiers

Tiers
o Partial (Tier 1)
o Risk Informed (Tier 2)
o Repeatable (Tier 3)
o Adaptive (Tier 4)

Dimensions
o Risk Management Process
o Integrated Risk Management Process
o External Participation

FROM: www.nist.gov/privacy-framework

Page 31

Global Cyber ERM

Sector-Specific Tools (example)

HIPAA Security Guidance

HHS Security Risk Assessment (SRA) Tool
• Security Rule requires covered entities and business associates to conduct a risk assessment to ensure compliance with HIPAA’s administrative, physical, and technical safeguards
• Downloadable to local instance
• Best for small to medium organizations

NIST HIPAA Security Toolkit Application
• Intended to help organizations better understand and implement Security Rule requirements
• Assist covered entities and business associates

FROM: www.hhs.gov and www.healthit.gov

Page 32

The 7 C’s of Cyber ERM

Page 33

Global Cyber ERM

The 7 C’s of Cyber ERM: Where do ERM and Cyber meet?

• Multitude of resources on the ERM, cybersecurity, and privacy sides

• All with common themes

• Distilled into seven (7) sometimes overlapping concepts as another way to think about it

• Each with potential effects and suggested processes (not all-inclusive)

Page 34

Global Cyber ERM

The 7 C’s of Cyber ERM

• Culture
• Communication
• Capability
• Consensus
• Clarity
• Correction
• Cover

Page 35

Global Cyber ERM

Culture

Effects
• Increase understanding of “risk appetite” of the organization
• Enhance alignment of risk to business
• Institute or enhance risk governance
• Enrich risk recognition and consideration
• Empower collaboration on risk-based practices across functions

Processes
• Develop cyber risk strategies and objectives
• Obtain and retain C-suite support
• Establish a risk committee or council (could be “cyber risk” or “information risk”)
• Embrace “privacy/security/risk by design”

Page 36

Global Cyber ERM

Communication

Effects
• Improve alignment on risk across organization
• Increase transparency on risk tolerance
• Enhance risk awareness

Processes
• Communicate risk strategies, objectives, practices, and tolerance
• Institute reporting mechanism (employee hotline)
• Emphasize risk mitigation practices (e.g., conduct phishing tests)

Page 37

Global Cyber ERM

Capability

Effects
• Increase efficiencies of resources
• Minimize employee or vendor lapses
• Improve reaction/response time

Processes
• Engage “Risk Champions”
• Recruit certified cybersecurity and compliance talent
• Retain vendors with proven track record
• Engage vendors under attorney-client privilege

Page 38

Global Cyber ERM

Consensus

Effects
• Lessen volatility of economic impact
• Minimize risk of new vulnerabilities
• Reduce “fire drills” for incident response
• Create more efficient use of resources

Processes
• Utilize a recognized Framework
• Obtain agreement on strategy for cross-functional risks (implement risk and policy councils)
• Implement policies and procedures
o Develop an ERM policy with cyber risk and privacy components
o Develop data security policies and standards mapped to industry/regulatory requirements

Page 39

Global Cyber ERM

Clarity

Effects
• Reduce impact of known or unknown vulnerabilities
• Minimize impact of “trusted” sources
• Maximize response on highest impact

Processes
• Conduct data inventory and mapping
• Control and audit access to data (hold managers accountable)
• Categorize and classify systems based on whether critical, customer-facing and similar impact criteria

Page 40

Global Cyber ERM

Correction

Effects
• Decrease likelihood of reoccurrence of incidents
• Increase resiliency in anticipation of future events
• Remediate impacted systems and applications

Processes
• Conduct post-incident debrief
• Review processes for gaps
• Provide additional training for those involved
• Take appropriate personnel or contract action

Page 41

Global Cyber ERM

Cover

Effects
• Mitigate impact of cybersecurity incidents
• Reduce impact of vendor performance deficiencies
• Increase likelihood of economic recovery

Processes
• Prepare appropriate contract language (privacy and data protection, indemnification, insurance)
• Conduct vendor risk assessments
• Purchase cybersecurity coverage

Page 42

ERM / Cyber ERM Resources

Page 43

Global Cyber ERM

ERM Resources

o Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• www.coso.org (“Enterprise Risk Management - Integrated Framework”)
• https://www.coso.org/documents/COSO%20in%20the%20Cyber%20Age_FULL_r11.pdf (“COSO in the Cyber Age”) (Thought Paper)

o Organisation Internationale de Normalisation (International Organization for Standardization) (ISO)
• www.iso.org (ISO 31000 – Risk management)

o NC State University Poole College of Management
• erm.ncsu.edu

o American Society for Healthcare Risk Management
• www.ashrm.org

o The Institute of Risk Management (London)
• www.theirm.org

Page 44

Global Cyber ERM

Cybersecurity Risk Resources

o National Institute of Standards and Technology (NIST) (US)
• www.nist.gov/cyberframework (“Framework for Improving Critical Infrastructure Cybersecurity”)

o ISO
• www.iso.org (ISO/IEC 27000 family – Information security management systems)

o Information Systems and Audit Control Association (ISACA)
• www.isaca.org (“Control Objectives for Information and Related Technology – Framework for IT Governance and Control” (COBIT) and “Risk IT”)

o PCI Security Standards Council
• www.pcisecuritystandards.org (“PCI Data Security Standard” or “PCI DSS”)

o ASIS International
• www.asisonline.org (CSO Roundtable – Enterprise Security Risk Management)

o BSA | The Software Alliance
• bsacybersecurity.bsa.org (Cybersecurity Policy Framework)

Page 45

Global Cyber ERM

Privacy Risk Resources

o NIST Privacy Framework
• www.nist.gov/privacy-framework (“NIST Privacy Framework: An Enterprise Risk Management Tool”)

o International Association of Privacy Professionals
• www.iapp.org

Page 46

Global Cyber ERM

Legal/Regulatory Resources

o Sarbanes Oxley (SOX) (Section 404)

• http://legcounsel.house.gov/Comps/Sarbanes-oxley%20Act%20Of%202002.pdf

o GLBA Safeguards Rule
• https://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=1e9a81d52a0904d70a046d0675d613b0&rgn=div5&view=text&node=16%3A1.0.1.3.38&idno=16

o HIPAA Security Rule
• https://www.hhs.gov/hipaa/for-professionals/security/index.html

o NY DFS Cybersecurity Regulation
• https://www.dfs.ny.gov/industry_guidance/cyber_filings

o Massachusetts Rule: 201 CMR 17: Standards for the protection of personal information of residents of the Commonwealth
• https://www.mass.gov/regulations/201-CMR-17-standards-for-the-protection-of-personal-information-of-residents-of-the

Page 47

Global Cyber ERM

Legal/Regulatory Resources

o General Data Protection Regulation (GDPR)
• https://ec.europa.eu

o China Internet Security Law (English translation)
• https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/

o California Consumer Privacy Act (CCPA)
• https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
• https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB1121

Page 48

Questions

Page 49

Questions + Contacts

Kelly Harris
Vice President, Corporate Counsel, Privacy & Cybersecurity
Prudential Insurance Company of America
[email protected]

Stratis Pridgeon
Group Vice President, Legal
Wyndham Destinations
[email protected]