CYBER RISK - bkd.com … · 9/20/2017 2 • Participate in entire webinar • Answer polls when they are provided • If you are viewing this webinar in a group Complete group attendance

CYBER RISK: What Not-for-Profit Management & Boards Need to Know

John Dougherty, IT Director, Unbound, [email protected]

Jan Hertzberg, Director, BKD, [email protected]

September 20, 2017


TO RECEIVE CPE CREDIT

• Participate in entire webinar
• Answer polls when they are provided
• If you are viewing this webinar in a group, complete group attendance form with
  – Title & date of live webinar
  – Your company name
  – Your printed name, signature & email address
  All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar

RAPIDLY EVOLVING CYBERTHREATS – MOTIVATIONAL SHIFTS

[Slide diagram: additive motivation progression line]
Threat actors: hacktivists, nation-states, fraudsters
Motivations: theft, disruption, destruction


TOP CYBERCRIMES

• Business email compromise

• Ransomware

• Corporate account takeover

• Identity theft

• Theft of sensitive data

• Theft of intellectual property

• Denial of service

DATA BREACHES IN THE NEWS

• 2014 – 309,000 university faculty, staff & students
• 2015 – Breach of 10,00 donors' personal info between 2013–2015
• 2016 – Breach of data for 550,000 individuals
• 2017 – Muncie, Indiana-based not-for-profit organization breached, lost all financial & client data


EXAMPLE: BUSINESS EMAIL COMPROMISE

• University admin receives email from “CFO” requesting all employee W2s pursuant to an IRS inquiry
• Needs it today (received in the afternoon)
• Admin puts it all together into one PDF, alphabetized
• Hacker responds, telling her “this is more than I had hoped for”
• Compromised W2 information sold on the underground market
• Numerous employees contacted by real IRS about issues with their returns, or why they submitted two returns

EXAMPLE: RANSOMWARE

• Midsize health care provider sustained two consecutive attacks on EMR system; ransom paid in bitcoin
  – After first attack, hardware/software upgrades were identified but budgetary constraints delayed implementation
  – After second attack, provider performed forensic evaluation to verify breach extent & eradicate malware
• Performed a cybersecurity assessment to identify vulnerabilities


RANSOM LETTER

[Slide image: sample ransom note, not reproduced in the transcript]

WHY ARE NOT-FOR-PROFIT ORGANIZATIONS SO VULNERABLE?

• Given the quantity & variety of Personally Identifiable Information (PII), cyber risk is inherently high
• Spending priority is often given to the organization’s mission rather than to “back-office”
  – Challenging to recruit & retain expensive resources
  – Infrastructure improvements may not be robust
• Heavy reliance on third-party service providers
• Reputational risk is critical


POTENTIAL BREACH IMPACTS

• Negative publicity
• Regulatory sanctions
• Refusal to share personal information
• Damage to brand
• Regulator scrutiny
• Legal liability
• Fines
• Damaged donor relationships
• Damaged employee relationships
• Deceptive or unfair trade charges
• Diversion of resources
• Lost productivity

DARK WEB PRICING

Credit Cards                                   Price (2012–2014)    Current Price
Visa & Mastercard                              $4                   $7
Visa & Mastercard with Track 1 & Track 2 Data  $23 (V); $35 (MC)    $30
Premium American Express                       $28                  $30
Bank Account Credentials                       $15,000 for 500      $15,000 for 500

Email Accounts                                 Price (2012–2014)    Current Price
Popular Email (Gmail, Hotmail, Yahoo)          $100 per 100,000     $100 per 100,000
Corporate Email                                N/A                  $500 per Mailbox
IP Address of Email User                       $90                  $90


WHAT DRIVES COST OF BREACHES?

[Slide chart; source: Ponemon 2016 Cost of Data Breach Study]

INTERESTING STATISTICS

• Timing
  – In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla the most difficult)
  – In 83% of cases, it took weeks or more to discover an incident occurred
• Attackers take easiest route (63% leveraged weak, default or stolen passwords)
• 95% of breaches were made possible by nine patterns including poor IT support processes, employee error & insider/privilege misuse of access


REGULATORY RESPONSE OVER TIME

• 1934 – SEC Act
• 1974 – Family Educational Rights & Privacy Act (FERPA)
• 1996 – HIPAA
• 1999 – Gramm-Leach-Bliley Act
• 2000 – 17 CFR Part 248 (brokers, consumer protection)
• 2001 – Cybersecurity Enhancement Act
• 2003 – California Data Breach Law
• 2006 – Indiana Breach Notification Law
• 2006 – PCI DSS
• 2009 – HITECH
• 2013 – HIPAA (Omnibus)
• 2017 – Executive Order Strengthening the Cybersecurity of Federal Networks & Critical Infrastructure
• 2018 – General Data Protection Regulation (GDPR)

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)

• Covers
  – Health care providers
  – Health care payors
  – Health care clearinghouses
  – Employers who administer their own health plans
• Protected health information (PHI): covered entities may only use or disclose PHI as permitted
• Enforced by
  – HHS Office for Civil Rights
  – State attorneys general
• Introduced: HIPAA (1996), HITECH (2009) & The Omnibus Rule (2013)


PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

• Covers
  – Businesses accepting credit & debit card payments
  – “Card Present” transactions (card swipes)
  – “Card Not Present” transactions (e-commerce)
• Cardholder data
  – Storing, processing & transmitting by “merchants”
• Enforced by
  – Credit card brands
  – “Acquiring Bank” responsible for processing payment transactions
• Introduced
  – PCI Security Standards Council (PCI SSC), consisting of five credit card brands (Visa, Mastercard, Discover, American Express, JCB), created the PCI DSS in 2006; updated on three-year cycle

GRAMM-LEACH-BLILEY ACT (GLBA)

• Covers: financial services organizations including post-secondary educational institutions
• Financial aid records
  – Develop, implement & maintain a written information security program
  – Designate employee responsible for coordinating the security program
  – Identify & assess risks to student information
  – Select appropriate service providers capable of maintaining appropriate safeguards
  – Periodically evaluate & update their security program
• Enforced by: Federal Trade Commission (FTC)
• Introduced: Dear Colleague Letter GEN-15-18 (July 29, 2015)


CYBER RISK OVERSIGHT

WHAT DO BOARDS WANT TO KNOW?


What do we consider our most valuable assets? How does our IT system interact with those assets? Do we believe we can fully protect those assets?

Do we think there is adequate protection in place if someone wanted to get at or damage our corporate “crown jewels”? If not, what would it take to feel comfortable that our assets were protected?

Are we investing enough so our corporate operating & network systems are not easy targets by a determined hacker?

Are we considering cybersecurity aspects of our major business decisions, such as mergers & acquisitions, partnerships, new product launches, etc., in a timely fashion?


FIVE PRINCIPLES OF CYBER RISK OVERSIGHT

1. Organizations need to understand & approach cybersecurity as an enterprisewide risk management issue, not just an IT issue
2. Understand legal implications of cyber risks as they relate to their organization’s specific circumstances
3. Have adequate access to cybersecurity expertise, & discussions about cyber risk management should be given regular & adequate time on the board meeting agenda
4. Set expectation that management will establish an enterprisewide cyber risk management framework with adequate staffing & budget
5. Include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach

ASSESSING YOUR CYBERSECURITY PROGRAM


NIST CYBERSECURITY FRAMEWORK (NIST CSF)

• Background
  – Published February 12, 2014, by the National Institute of Standards & Technology (NIST)
  – Voluntary federal framework (not a set of standards) for critical infrastructure services
  – Provides common language for organizations to assess, communicate & measure improvement in security posture
• Controls
  – High-level controls provide framework of “what” but not “how”
  – Five functions, 22 control categories, 98 key controls derived from industry best practice & standards
  – Contains four maturity tier ratings

NIST CYBERSECURITY FRAMEWORK

Framework Categories (grouped by function)

Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness & Training; Data Security; Information Protection Processes; Maintenance; Protective Technology
Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications


FRAMEWORK BENEFITS

• Comprehensive in scope
• Intuitive
• Risk-based – allows the organization to prioritize remediation activities depending on the organization’s risk appetite & desired cybersecurity control maturity
• Commonly accepted standard – provides basis of consistent assessment in the future

OVERALL APPROACH

Phase 1 – Discovery
• Determine business & compliance requirements for cybersecurity
• Review documentation related to cybersecurity infrastructure, e.g., network diagrams, asset inventory
• Identify systems & data stores containing personally identifiable information (PII), electronic protected health information (ePHI), etc.

Phase 2 – Analysis
• Conduct on-site interviews with key stakeholders to
  – Document processes that identify cyber risk, protect key information assets, detect/respond to threats & recover should a breach occur
  – Evaluate process/control maturity & determine risk

Phase 3 – Remediation Planning
• Identify recommendations & action plans addressing
  – Remediation activities to be completed
  – Type of investment, e.g., resources, hardware/software


CASE STUDY

ABOUT UNBOUND

• International not-for-profit that builds relationships of mutual respect & support to bridge cultural, religious & economic divides
• Sponsorship program connects individual sponsors with a child or elderly person in one of the 19 countries in which Unbound operates. Sponsor support provides education, food, health care & livelihood opportunities for families
• Serves more than 300,000 children, youth & elderly persons in Africa, Asia, Latin America & the Caribbean
• More than 260,000 sponsors throughout all 50 states in the U.S. & 86 other countries
• More than 92 cents of every dollar spent goes toward program support


THE INSIDE STORY

• Why did we do it?
  – Board of directors felt that it was important to have an independent review of cyber risks
  – President/CEO shall not fail to protect intellectual property, information & files from loss, breach or significant damage
• Initial concerns
  – IT staff already very busy with operational activities & concerned about potential time commitment
  – We are already focused on security, won’t this be a duplicate effort?

THE INSIDE STORY

• Next steps
  – Evaluate remediation recommendations in light of current operational requirements to determine if additional staffing, hardware & software is required
• Priorities
  – Cyber risk insurance
  – Vendor risk management program
  – Update policies & procedures
  – Security awareness training


BENEFITS

• Although Unbound was already PCI-compliant, the NIST CSF assessment required the organization to evaluate processes & controls not related to the PCI Cardholder Data Environment (CDE). Determined that documentation & process consistency was missing in some cases
• Reaffirmed that other current processes & controls were working effectively, largely due to past PCI remediation activities
• Board & senior management gained greater knowledge of & insight into cybersecurity activities
• IT gained knowledge of practices by operational groups (HR, Finance) to safeguard information
• Operational groups had greater awareness of cyber issues & were more committed to safeguarding their data

SUMMARY

• Cybersecurity risk has grown substantially for not-for-profit organizations
• Framework-based cybersecurity assessment allows the organization to determine if an effective cybersecurity program is in place
• Remediation activities can be prioritized & scheduled based on level of risk & control maturity


QUESTIONS?

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org


CPE CREDIT

• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]

THANK YOU! FOR MORE INFORMATION

Jan Hertzberg | Director, BKD | [email protected]
John Dougherty | IT Director, Unbound | [email protected]
