Session 3.4 - Cyber Security Risk

CYBERSECURITY RISK MANAGEMENT
IASA Ohio Chapter Fall Conference
November 21, 2016

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.

WITH YOU TODAY
JUDY SELBY
Managing Director
BDO Consulting
Technology Advisory Services
+1 203 905-6252 | jselby@bdo.com

Page 2
AGENDA
• Today’s Threat Landscape
• Regulatory Requirements
• Understanding Your Risk
• Cybersecurity Risk Management Overview
• Cybersecurity Mitigation
• Conclusion

Page 3
TODAY’S THREAT LANDSCAPE

Page 4
CYBERSECURITY TODAY

BUSINESS E-MAIL COMPROMISE: Between January 2015 and June 2016, there was a 1,300% increase in identified exposed losses, a combined exposed dollar loss of more than $3 billion.

RANSOMWARE: Nearly 80% of organizations [surveyed in the U.S.] have been the victim of a cyber attack during the past 12 months, and nearly 50% have been the victim of a ransomware attack.

INTERNAL THREAT: Internal actors were responsible for 43% of data loss, half of which was intentional and half accidental.

COMPUTER INTRUSIONS: This year, for companies that had data breaches involving fewer than 10,000 records, the average cost of a data breach was $4.9 million; companies with the loss or theft of more than 50,000 records had an average cost of $13.1 million.

Sources:
• Intel Security Report, Grand Theft Data: Data exfiltration study: Actors, tactics, and detection
• 2016 Data Breach Study: United States, Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, June 2016
• FBI Public Service Announcement, June 14, 2016; Alert Number I-061416-PSA
• Understanding the Depth of the Global Ransomware Problem, Osterman Research Survey Report, published August 2016, sponsored by Malwarebytes

Page 5
CYBERSECURITY TODAY
[Figure slide: no extractable text]

Sources:
• Intel Security Report, Grand Theft Data: Data exfiltration study: Actors, tactics, and detection
• Intel Security Report, Dissecting the Top Five Network Attack Methods: A Thief’s Perspective

Page 6
TODAY’S LANDSCAPE: DATA BREACHES BY THE NUMBERS

48%          caused by malicious or criminal attacks
$4 million   average cost of a data breach
29%          increase in total cost of a data breach since 2013
$158         average cost per lost or stolen record
$355         average cost per lost or stolen record in healthcare organizations

Source: 2016 Data Breach Study: Global Analysis, Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, June 2016

Page 7
CYBER INTRUSIONS INCREASING

[Figure: timeline of notable breaches, 2005–2016; the only label that survived extraction is “HackingTeam”]

• Rate of breaches increasing since 2005
• Cross-industry impact: healthcare, retail, insurance, technology, financial services
• Multiple types of breaches/threats
• Hottest breaches – phishing and ransomware

Page 8
CYBER THREATS CANNOT BE ELIMINATED. THEY CAN ONLY BE MITIGATED.

“I always tell [our workers], ‘Don't ever forget that at the end, we’re dealing with a choice that some human made on a keyboard somewhere else in the world … There was a man or woman on the other end of this.’” – Admiral Michael Rogers, Director, NSA and Cyber Command

“The Russians hack our systems all the time, not just government, but also corporate and personal systems. And so do the Chinese and others, including non-state actors. The point is, cyber will continue to be a huge problem for the next Presidential administration, as it has been a challenge for this one.” – Hon. James R. Clapper, Director of National Intelligence

Page 9
ANATOMY OF A HACK
[Figure slide: no extractable text]

Page 10
INSURANCE COMPANY BREACHES
[Figure slide: no extractable text]

Page 11
REGULATORY REQUIREMENTS

Page 12
Sources of regulatory requirements:
• Laws imposing civil or criminal liability for hacking
• Laws requiring implementation of security measures
• Laws requiring notification of security breaches
• Contractual duties re: security and/or breach notification
• Regulator enforcement, consent decrees, and related requirements
• Regulator and industry standards, guidelines, and frameworks

Page 13
PROPOSED NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES REGULATION
[Figure slide: no extractable text]

Page 14
NYDFS ESTABLISHMENT OF A CYBERSECURITY PROGRAM

Regulated financial institutions will establish a cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems that performs five core cybersecurity functions:
• Identification of cyber risks.
• Implementation of policies and procedures to protect against unauthorized access/use or other malicious acts.
• Detection of cybersecurity events.
• Responsiveness to identified cybersecurity events to mitigate any negative events.
• Recovery from cybersecurity events and restoration of normal operations and services.

Page 15
NYDFS ADOPTION OF A CYBERSECURITY POLICY

Regulated financial institutions must adopt a written cybersecurity policy, setting forth policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:
• Information security.
• Data governance and classification.
• Access controls and identity management.
• Business continuity and disaster recovery planning and resources.
• Capacity and performance planning.
• Systems operations and availability concerns.
• Systems and network security.
• Systems and network monitoring.
• Systems and application development and quality assurance.
• Physical security and environmental controls.
• Customer data privacy.
• Vendor and third-party service provider management.
• Risk assessment.
• Incident response.

Page 16
NYDFS CHIEF INFORMATION SECURITY OFFICER (CISO)

Regulated financial institutions shall designate a qualified individual to serve as CISO responsible for overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy. The CISO must report to the board, at least bi-annually, to:
• Assess the confidentiality, integrity and availability of information systems.
• Detail exceptions to cybersecurity policies and procedures.
• Identify cyber risks.
• Assess the effectiveness of the cybersecurity program.
• Propose steps to remediate any inadequacies identified.
• Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.
Page 17
NYDFS THIRD-PARTY SERVICE PROVIDERS

Regulated entities must have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, including the following:
• Identification and risk assessment of third parties with access to such information systems or such nonpublic information.
• Minimum cybersecurity practices required to be met by such third parties.
• Due diligence processes used to evaluate the adequacy of cybersecurity practices of such third parties; and
• Periodic assessment, at least annually, of third parties and the continued adequacy of their cybersecurity practices.

Page 18
NYDFS ADDITIONAL REQUIREMENTS

Each cybersecurity program shall include the following:
• Annual penetration testing and vulnerability assessments.
• Implementation and maintenance of an audit trail system to reconstruct transactions & log access privileges.
• Limitations and periodic reviews of access privileges.
• Written application security procedures, guidelines & standards that are reviewed & updated at least annually.
• Annual risk assessment of the confidentiality, integrity & availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
• Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures.

Page 19
NYDFS ADDITIONAL REQUIREMENTS, CONT.
• Multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access.
• Timely destruction of nonpublic information that is no longer necessary, except where required to be retained by law or regulation.
• Monitoring of authorized users and cybersecurity awareness training for all personnel.
• Encryption of all nonpublic information held or transmitted. For data in transit, this requirement is effective one year from the effective date of the regulation. For data at rest, this requirement is effective five years from the effective date as long as there are compensating controls.
• Written incident response plan to respond to, and recover from, any cybersecurity event.

Page 20
NAIC RAMPS UP CYBERSECURITY EFFORTS
[Figure slide: no extractable text]

Page 21
NAIC MODEL LAW

• Preemption: The revised version is “not to be construed as superseding, altering, or affecting any statute, regulation, order or interpretation of law in this state, except to the extent that such statute, regulation, order or interpretation is inconsistent with the provisions of this act and then only to the extent of the inconsistency.”
• Definition of Consumer: Broad definition includes applicants, policyholders, insureds, beneficiaries, claimants, certificate holders and others whose personal information is in a licensee’s possession, custody or control, even if there is no contractual relationship.

Page 22
NAIC MODEL LAW, CONT.

• Information Security Program: Must be appropriate to the size and complexity of the company.
• NIST Framework: The mandate to adopt the National Institute of Standards and Technology’s (NIST) cybersecurity standards was dropped.
• Encryption: Definition was changed from “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security” to “the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.”
• Board Responsibility: Requirement for the board of directors to approve the written information security program was removed, although the board is still responsible for oversight.

Page 23
NAIC MODEL LAW, CONT.

• Third Party Service Providers: Onerous requirements on third party service provider agreements were dropped. Companies can “contract only with third party service providers that are capable of maintaining appropriate safeguards for personal information.”
• Consumer Rights Before a Data Breach: Removed requirement for consumer notice of the types of personal information collected and stored by the insurance company.
• Notification of Data Breach: Insurance companies must notify insurance commissioners within 72 hours. Insurance commissioners also have the final say regarding the notification to consumers, and must receive a draft of the notice in advance. The definitions of breach and personal information were revised to limit the scope of what constitutes a data breach.

Page 24
NAIC MODEL LAW, CONT.

• Consumer Protection Following a Data Breach: Insurance companies must offer identity theft protection services. Insurance commissioner may “take other action deemed necessary to protect consumers.”
• Private Right of Action: This was eliminated.
• Enforcement Procedure and Penalties: Refers to the enacting state’s administrative procedure act or insurance code applicable to administrative enforcement proceedings for serious violations.

Page 25
UNDERSTANDING YOUR RISK

Page 26
THREAT + VULNERABILITY + CONSEQUENCE = RISK
Page 27
TARGETED DATA

• PII (personally identifiable information)
• PCI (payment card data)
• PHI (protected health information)
• IP (intellectual property)
• MNPI (material nonpublic information)
• Defense, National Security, Critical Infrastructure
• Business Intelligence

Page 28
CYBERSECURITY RISKS
A set of scenarios based on impacts to Assets by potential Threats and their ability to leverage Vulnerabilities.

ASSETS – Processes, Information, and Systems with varying degrees of value to the organization
THREATS – Actors that are motivated to attack or misuse your assets
VULNERABILITIES – Flaws, control weaknesses or exposures of an asset to compromise

Page 29
DIGITAL ASSET VALUATION

Three Principles of Digital Asset Valuation
1. Consider who gets value from the asset
2. Understand the role your digital assets play in creating economic value / generating revenue
3. Look forward – valuing your digital assets requires an outward view (previously invested costs to create the asset are “sunk”)

Understanding the Value of Digital Assets
• Intrinsic – Critical element that allows the digital asset to exist in the first place (e.g. the person, binary data, physical object, legal contract etc.)
• Extrinsic – Opportunities to leverage the digital asset, making it more useful to prospective users
• Sum it up – Metadata defines the extrinsic value of your digital assets, informing their value

Page 30
DATA CLASSIFICATION

A continuous cycle: Identify → Plan → Classify → Act

Identify
• Data assets
• Data custodians

Plan
• Create classification framework
• Develop protection profiles

Classify

Act
• Review and analyze report(s)
• Readjust framework and re-classify data as needed

Page 31
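As an added example (not part of the original slides), the following Python sketch runs the Identify → Plan → Classify → Act loop above over a data inventory and attaches a protection profile to each asset. It assumes a four-level framework (Public / Internal / Confidential / Restricted), hypothetical protection profiles, and illustrative detectors for the categories on the “targeted data” slide: PII via an SSN pattern, PCI via Luhn-checked card numbers, PHI via custodian-declared field names. Categories that cannot be pattern-matched (MNPI, IP) must be declared by the data custodian; the sample inventory is constructed data.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Classification framework, least to most sensitive. A record that mixes
# categories takes the highest level any of its categories maps to.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Hypothetical protection profiles (assumed values, not from the slides).
PROTECTION_PROFILES: Dict[str, Dict[str, object]] = {
    "Public":       {"encrypt_at_rest": False, "mfa_required": False, "retention_days": 3650},
    "Internal":     {"encrypt_at_rest": False, "mfa_required": True,  "retention_days": 1825},
    "Confidential": {"encrypt_at_rest": True,  "mfa_required": True,  "retention_days": 1095},
    "Restricted":   {"encrypt_at_rest": True,  "mfa_required": True,  "retention_days": 365},
}

# Data categories from the "targeted data" slide and the level each one drives.
CATEGORY_LEVEL = {"PII": "Confidential", "IP": "Confidential",
                  "PHI": "Restricted", "PCI": "Restricted", "MNPI": "Restricted"}

# Field-name hints a data custodian would recognise (assumed names).
PII_FIELDS = {"ssn", "social_security_number", "dob", "date_of_birth", "drivers_license"}
PHI_FIELDS = {"mrn", "medical_record_number", "diagnosis", "icd10", "prescription"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces or hyphens.
# A candidate only counts as PCI data if it also passes the Luhn check.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect_categories(record: Dict[str, str], declared: Iterable[str] = ()) -> FrozenSet[str]:
    """Infer data categories from field names and values, plus custodian-declared ones.

    MNPI and IP have no recognisable pattern, so they are taken from `declared` only.
    """
    found = set(declared)
    for name, value in record.items():
        key = name.lower()
        if key in PII_FIELDS or SSN_RE.search(value):
            found.add("PII")
        if key in PHI_FIELDS:
            found.add("PHI")
        for match in PAN_RE.finditer(value):
            digits = re.sub(r"\D", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                found.add("PCI")
    return frozenset(found)


def classify(record: Dict[str, str], declared: Iterable[str] = ()) -> str:
    """Map a record to a classification level. Unlabelled business data defaults to
    Internal; Public is never inferred and has to be an explicit custodian decision."""
    cats = detect_categories(record, declared)
    if not cats:
        return "Internal"
    return max((CATEGORY_LEVEL[c] for c in cats), key=LEVELS.index)


@dataclass(frozen=True)
class ClassifiedAsset:
    asset: str
    custodian: str
    categories: FrozenSet[str]
    level: str
    profile: Dict[str, object]


def classify_inventory(assets: List[dict]) -> List[ClassifiedAsset]:
    """Classify every asset in the inventory and attach its protection profile.
    The returned list is the report the Act step reviews."""
    report = []
    for a in assets:
        declared = a.get("declared", [])
        cats = detect_categories(a["record"], declared)
        level = classify(a["record"], declared)
        report.append(ClassifiedAsset(a["asset"], a["custodian"], cats, level,
                                      PROTECTION_PROFILES[level]))
    return report


# Constructed sample inventory (not real data): one representative record per asset.
SAMPLE_ASSETS = [
    {"asset": "claims_db.policyholders", "custodian": "claims-ops",
     "record": {"name": "A. Sample", "ssn": "123-45-6789", "email": "a.sample@example.com"}},
    {"asset": "billing.payments", "custodian": "finance",
     "record": {"invoice": "INV-1001", "card_number": "4111 1111 1111 1111"}},
    {"asset": "health_claims.encounters", "custodian": "claims-ops",
     "record": {"mrn": "MRN-0042", "diagnosis": "J45.40"}},
    {"asset": "intranet.cafeteria_menu", "custodian": "facilities",
     "record": {"monday": "soup", "tuesday": "salad"}},
    {"asset": "finance.q3_forecast", "custodian": "finance", "declared": ["MNPI"],
     "record": {"eps_estimate": "1.42"}},
]

if __name__ == "__main__":
    for item in classify_inventory(SAMPLE_ASSETS):
        print(f"{item.asset:26} {item.custodian:11} {','.join(sorted(item.categories)) or '-':8} "
              f"{item.level:13} {item.profile}")
```

The Luhn check matters more than it looks: a bare 16-digit regex will flag order numbers and device serials as card data and drown the custodians in false positives, which is exactly what makes classification programs stall at the Act step. The defaults are deliberately conservative (unlabelled data is Internal, never Public), so the only way for data to end up with the weakest profile is a recorded decision by its custodian.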
LIFE CYCLE OF DATA PRIVACY AND PROTECTION

Creation / Collection → Storage → Use → Duration → Disposition (and back to Creation / Collection)

Page 32
MOTIVATIONS AND INCENTIVES
[Figure slide: no extractable text]

Page 33
EMPLOYEE RISKS

Employees as cyber targets:
• Phishing
• Spearphishing / Social Engineering
• Email spoofing and hijacking

• Negligent Employees
• Non-compliant Employees

Page 34
VULNERABILITIES

SOFTWARE PATCHING – Lack of software updates
ACCESS CONTROL – Who has access to your system, and do they really need it?
THIRD PARTY VENDORS – Are your third party vendors secure?
PEOPLE – Internal actors up to no good or being exploited
Page 35
CYBERSECURITY RISK MANAGEMENT OVERVIEW

Page 36
WHAT IS A “CYBERSECURITY RISK MANAGEMENT PROGRAM”?
• An integrated set of policies, processes, technologies and controls that minimize vulnerabilities and protect against threats in order to support:
  • Confidentiality – information kept private and secure
  • Integrity – data not inappropriately modified, deleted or added
  • Availability – systems/information available to those who require them

Page 37
A HOLISTIC APPROACH
[Figure slide: no extractable text]


Page 38
CYBERSECURITY MITIGATION

Page 39
BDO CYBERSECURITY FRAMEWORK

Key Cybersecurity Process Domains:
• Data privacy / protection
• Identity & access management
• Threat & risk intelligence
• Third party / vendor management
• Incident response & planning
• Asset inventories
• Metrics / reporting
• Training / awareness

Lifecycle: IDENTIFY → PROTECT → DETECT → RESPOND → RECOVER, applied to ASSETS, THREATS and VULNERABILITIES to preserve CONFIDENTIALITY, INTEGRITY and AVAILABILITY.

Policy & Governance & Strategy:
• Cybersecurity risk profile management
• Cybersecurity risk management program
• Organization roles and responsibilities (Board of Directors, Executive Management, etc.)
• Investment optimization
• Legal & compliance
• Cyber insurance

Page 40
RECOMMENDED STEPS FOR MITIGATION
• Awareness and training
• Configuration
• Spam filters
• Macro scripts
• E-mail detection
• Software restriction policies
• Anti-virus and malware
• App whitelisting
• Access controls
• Categorize data

Page 41
RECOMMENDED STEPS FOR REMEDIATION
• ISOLATE affected computers
• DO NOT CLEAN OR RE-IMAGE affected computers
• CONTACT LAW ENFORCEMENT and provide relevant logs
• IMPLEMENT Incident Response and BC Plans

Page 42
THREAT INTELLIGENCE

Private Sector Threat Information and Intelligence + Government Classified and Unclassified Intelligence → Cyber Threat Evidence and Intelligence

Page 43
INFORMATION SHARING CHANNELS
[Figure slide: no extractable text]

Page 44
CONCLUSION

Page 45
 Cyber Risk Management Strategy &
Program Design
 Cyber Risk Assessment & Security Testing
 Data Privacy & Protection
 Security Architecture & Transformation
 Incident Response Planning
OUR
 Business Continuity Planning & Disaster
CYBERSECURITY Recovery
SERVICES  Digital Forensics & Cyber Investigations
 Cyber Insurance Claim Preparation &
Coverage Adequacy Evaluation

Page 46
SPEAKER BIO
JUDY SELBY
Managing Director
BDO Consulting
Technology Advisory Services
+1 203 905-6252 | jselby@bdo.com

Judy Selby is a Managing Director in BDO Consulting’s Technology Advisory Services practice, with more than 20 years of experience in insurance and technology. Called “one of the premier voices in legal technology” by Legaltech News, she consults with clients on cyber insurance, cybersecurity, information governance, data privacy and complex insurance matters. She advises clients on best practices for handling information throughout its life cycle, from creation or collection through disposition.

In addition, Judy works with organizations and their counsel to advise on data privacy and cyber insurance issues, having depth of experience in coverage adequacy evaluation, international arbitration and all phases of insurance coverage litigation.

Prior to joining BDO, Judy was a partner at Baker Hostetler, where she was Co-chair of the Information Governance team and founder of the eDiscovery and Technology team. She is the Co-chair of the Claims and Litigation Management (CLM) Alliance Cyber Liability Committee and serves on the Law360 Insurance and Legaltech News editorial boards. Judy has completed courses on the internet of things (IoT), big data, crisis management / business continuity and cybersecurity at the Massachusetts Institute of Technology.

Page 47
About BDO Consulting
BDO Consulting, a division of BDO USA, LLP, provides clients with Financial
Advisory, Business Advisory and Technology Services in the U.S. and around the
world, leveraging BDO’s global network of more than 64,000 professionals.
Having a depth of industry expertise, we provide rapid, strategic guidance in
the most challenging of environments to achieve exceptional client service.

BDO is the brand name for BDO USA, LLP, a U.S. professional services firm
providing assurance, tax, advisory and consulting services to a wide range of
publicly traded and privately held companies. BDO USA, LLP, a Delaware
limited liability partnership, is the U.S. member of BDO International Limited,
a UK company limited by guarantee, and forms part of the international BDO
network of independent member firms. BDO is the brand name for the BDO
network and for each of the BDO Member Firms. For more information please
visit: www.bdo.com.

Material discussed is meant to provide general information and should not be acted on without professional advice tailored to your firm’s individual needs.

© 2016 BDO USA, LLP. All rights reserved.
