Cybersecurity – A Team Sport · 1/12/2017

Date post: 08-Jun-2020
©2017 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • 777 East Wisconsin Avenue, Milwaukee, WI 53202 • 414.271.2400

Transcript

Page 1: Cybersecurity – A Team Sport: A Case Study of Building an Effective and Resilient Program

Thursday, January 12, 2017

Page 2: Introductions

Presenters / Moderator:

Tim Riley, CIO, Network Health Inc.

Jennifer Rathburn, Partner, Foley & Lardner LLP

Augustine Doe, VP ERM, Network Health Inc.

Joseph Abrenio, VP, Commercial Services, Delta Risk LLC

Page 3: Agenda

A. Data breach findings that have implications for organizations
B. Game prep—coming together to create a cyber ecosystem
C. Team roster and responsibilities
D. Playbook—executive risk officer
E. Playbook—executive information technology officer
F. Playbook—cyber risk consultant
G. Playbook—cyber attorney
H. Goal line themes
I. Appendices

Page 4: Data Breach Findings that have Implications for Organizations

A. Hackers and criminal insiders cause the most data breaches

Distribution of Root Cause of Data Breach:

Malicious or criminal attack    48%
System glitch                   27%
Human error                     25%

Source: Research Report, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute (2016)

Page 5: Data Breach Findings that have Implications for Organizations (cont.)

B. Based on threat action varieties in breaches over time—phishing and point-of-sale are a big deal!

[Figure: Threat Action Varieties in Breaches Over Time. Breach count by year, 2009–2015, one panel per threat action: Malware - C2; Hacking - Use of stolen creds; Malware - Export data; Hacking - Use of backdoor or C2; Social - Phishing; Malware - Spyware/Keylogger; Malware - RAM; Hacking - Brute force; Malware - Backdoor.]

Source: 2016 Verizon Data Breach Investigations Report

Page 6: Data Breach Findings that have Implications for Organizations (cont.)

C. Where phishing and point-of-sale are root cause of breach—server and user device are assets of choice

[Figure: Percent of Breaches per Asset Category Over Time, 2009–2015 (0% to 50%), for the asset categories Server, User Device, Person, Media, Kiosk/Terminal and Network.]

Source: 2016 Verizon Data Breach Investigations Report

Page 7: Data Breach Findings that have Implications for Organizations (cont.)

D. The cost of data breach varies by industry—regulated industries such as health care and financial services have the most costly data breaches because of fines and the higher than average rate of lost business and customers

Per Capita Data Breach Cost by Industry Classification (US data; average cost = $221/record)

Industry*        Per capita cost
Public           $86
Hospitality      $148
Research         $172
Media            $177
Industrial       $186
Technology       $196
Retail           $200
Consumer         $218
Education        $220
Services         $226
Communications   $245
Energy           $246
Transportation   $247
Financial        $264
Life Science     $301
Health           $402

*Per capita cost by industry

Source: Research Report, 2016 Cost of Data Breach Study: United States, Ponemon Institute (2016)

Page 8: Data Breach Findings that have Implications for Organizations (cont.)

E. Factors that influence the cost of data breach—certain factors decreased the cost of data breach while others increased it

[Figure: Impact of 16 Factors on the Per Capita Cost of Data Breach, consolidated view (n=383), measured in US$. Factors shown: Third party involvement; Extensive cloud migration; Rush to notify; Lost or stolen devices; Consultants engaged; Provision of ID protection; Insurance protection; Data classification schema; Board-level involvement; CISO appointed; Extensive use of DLP; Participation in threat sharing; BCM involvement; Employee training; Extensive use of encryption; Incident response team.]

Source: Research Report, 2016 Cost of Data Breach Study: United States, Ponemon Institute (2016)

Page 9: Data Breach Findings that have Implications for Organizations (cont.)

F. Inverse relationship between the probability of a data breach and the size of records—the probability of a data breach decreases as the size of records increases

Probability of a Data Breach Involving a Minimum of 10,000 to 100,000 Records (consolidated view, n=383)

Number of breached records   Probability
10,000                       0.256
20,000                       0.164
30,000                       0.111
40,000                       0.095
50,000                       0.065
60,000                       0.050
70,000                       0.028
80,000                       0.019
90,000                       0.015
100,000                      0.012

Source: Research Report, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute (2016)

Page 10: Data Breach Findings that have Implications for Organizations (cont.)

G. Time to identify and contain data breaches impacts cost—the longer it takes to identify and contain a data breach, the more it costs the organization

Relationship Between Mean Time to Identify and Total Average Cost (consolidated view, n=383, US$ millions)

MTTI < 100 days   $3.23
MTTI ≥ 100 days   $4.38

Relationship Between Mean Time to Contain and Total Average Cost (consolidated view, n=383, US$ millions)

MTTC < 30 days    $3.18
MTTC ≥ 30 days    $4.35

Source: Research Report, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute (2016)

Page 11: 66% of the Cost of Data Breach Are Indirect Costs

Indirect costs of data breach costs in US$ (in millions), consolidated view (n=383)

Detection and Escalation   $0.79
Notification Costs         $0.59
Post-breach Costs          $1.72
Lost Business              $3.97

Average Indirect Costs: $145/record
Average Direct Costs: $76/record

Indirect Costs Include:
• Time employees spend on data breach notification effort or investigations of the incident
• Loss of brand value and reputation
• Customer churn

Direct Costs Include:
• Forensic Experts
• Legal Fees
• Identity/Credit monitoring services to victims

Source: Research Report, 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute (2016)

Page 12: Game Prep—Coming Together to Create a Cyber Ecosystem

TIE Framework: Cyber Risk at the center, surrounded by Technology Solutions, Insurance and Enterprise-wide Risk Oversight.

[Figure: Health Care Industry Risk Heat Map. Axes: Financial Impact (3.0, 4.0, 5.0) and Probability of Occurrence (Low to High); Cyber Risk is plotted, with the legend entry Very High Risk.]

Risk Legend:

Number   Meaning of Probability   Range of Financial Capacity
4        High                     ≥ $20,000,000 but < $40,000,000
5        Very High                ≥ $40,000,000

Page 13: Team Roster and Responsibilities

A. Executive information technology officer (CIO, CTO, etc.) responsible for Technology Solutions

B. Executive risk officer (CRO, VP ERM, etc.) responsible for Insurance and Enterprise-wide Risk Oversight

C. Expert cyber risk consultant (Cyber consultant, VP Sales, etc.) responsible for the effective integration of People, Process, and Technology Solutions

D. Cyber attorney (Partner) responsible for Legal Advice

Page 14: Playbook—Executive Risk Officer

A. Insurance: Cyber, Fiduciary, & D&O

Cyber aggregate limit and retention

Model for Estimating Aggregate Cyber Liability Limits & Retention: Estimating Cost of Cyber Risk for Healthcare Organization

Exposure basis: Number of data type (PCI/PHI/PII, non-card financial) or records: 500,000
Total insurable cyber loss and liabilities ($402 (a) per exposure basis): $201,000,000
Potential insurable cyber losses and liabilities (based on probability of 0.256 (b)): $51,456,000
Less: Robust IT security and cyber response program discount (40%): $20,582,400
Net potential insurable cyber losses and liabilities: $30,873,600
Retained potential insurable cyber losses and liabilities (varies by risk appetite: 5%): $1,543,680
Aggregate limit of cyber insurance that should be purchased (95%): $29,329,920

Notes:
(a) Average cost of data breach for healthcare organization based on Ponemon study is $402
(b) Probability of data breach involving a minimum of 10,000 to 100,000 records is between 0.256 and 0.012 based on Ponemon study

Page 15: Playbook—Executive Risk Officer (cont.)

Insurance sub-limits:
Control Group Definition
Panel law firm and vendors for privacy breach response services
Credit monitoring services
Identity theft prevention and information disposal programs
PCI exclusions
First party computer security coverage endorsement

Fiduciary & D/O: Potential for Ds/Os to be subject to shareholder suits alleging breaches of fiduciary duties in the wake of system breaches—ensure Board provides oversight of cyber program (Palkon ex rel. Wyndham Corp. v. Holmes)

Determining Cyber Insurance Sublimits

Exposure basis: Number of data type (PCI/PHI/PII, non-card financial) or records: 500,000

Cost category                 US Industry Averages*   Sublimits
Detection and escalation      $0.73                   $365,000
Notification and compliance   $0.59                   $295,000
Post-breach                   $1.72                   $860,000
Uninsurable lost business     $3.97                   $1,985,000

Note: * Need to compute your specific industry average as average costs vary by industry

Detection and escalation: forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors

Notification and compliance: IT activities associated with creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs and in-bound communication set-up

Post-breach: help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions

Uninsurable lost business: abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill
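Added worked example, not from the slide deck: the aggregate limit model on the preceding Executive Risk Officer slide and the sublimit table above, carried through in exact decimal arithmetic and extended to the low end of the probability range (0.012) that note (b) gives. The category keys, the helper names and the low-probability scenario are my own; every figure comes from the slides.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, Iterable, List, Tuple, Union

Number = Union[str, int, float, Decimal]
CENTS = Decimal("0.01")


def _d(value: Number) -> Decimal:
    """Convert via str() so 0.256 stays 0.256 rather than a binary float approximation."""
    return Decimal(str(value))


def money(value: Decimal) -> Decimal:
    """Round to whole cents, half-up, the way an underwriting spreadsheet would."""
    return value.quantize(CENTS, rounding=ROUND_HALF_UP)


def aggregate_limit_model(
    records: int,                # exposure basis: number of PCI/PHI/PII records
    cost_per_record: Number,     # per-record breach cost ($402 for health care on the slide)
    breach_probability: Number,  # Ponemon probability for the record count (0.256 on the slide)
    program_discount: Number,    # credit for a robust security and response program (40%)
    retention_share: Number,     # share retained according to risk appetite (5%)
) -> Dict[str, Decimal]:
    """Carry the slide's line items through: exposure -> expected loss -> net -> retained/limit."""
    total_insurable = money(_d(records) * _d(cost_per_record))
    potential = money(total_insurable * _d(breach_probability))
    discount = money(potential * _d(program_discount))
    net = money(potential - discount)
    retained = money(net * _d(retention_share))
    limit_to_purchase = money(net - retained)  # equals net x (1 - retention share): the slide's 95%
    return {
        "total_insurable": total_insurable,
        "potential": potential,
        "discount": discount,
        "net": net,
        "retained": retained,
        "limit_to_purchase": limit_to_purchase,
    }


# US industry averages per record from the sublimit slide; the key names are constructed here.
INDUSTRY_AVERAGES: Dict[str, Decimal] = {
    "detection_and_escalation": Decimal("0.73"),
    "notification_and_compliance": Decimal("0.59"),
    "post_breach": Decimal("1.72"),
    "uninsurable_lost_business": Decimal("3.97"),
}


def sublimits(records: int, per_record: Dict[str, Decimal] = INDUSTRY_AVERAGES) -> Dict[str, Decimal]:
    """Sublimit per cost category = exposure basis x per-record industry average."""
    return {name: money(_d(records) * cost) for name, cost in per_record.items()}


def limit_across_probabilities(
    records: int,
    cost_per_record: Number,
    probabilities: Iterable[Number],
    program_discount: Number,
    retention_share: Number,
) -> List[Tuple[Decimal, Decimal]]:
    """Limit to purchase at each probability; note (b) gives 0.256 down to 0.012 as the range."""
    return [
        (_d(p), aggregate_limit_model(records, cost_per_record, p,
                                      program_discount, retention_share)["limit_to_purchase"])
        for p in probabilities
    ]


if __name__ == "__main__":
    # Reproduce the health care slide: 500,000 records at $402, p = 0.256, 40% discount, 5% retained.
    for item, value in aggregate_limit_model(500_000, "402", "0.256", "0.40", "0.05").items():
        print(f"{item:<20} ${value:>15,}")
    for name, value in sublimits(500_000).items():
        print(f"{name:<28} ${value:>13,}")
    for prob, limit in limit_across_probabilities(500_000, "402", ["0.256", "0.012"], "0.40", "0.05"):
        print(f"p={prob}: aggregate limit ${limit:,}")
```

At p = 0.012 (the 100,000-record end of the curve) the same exposure yields a limit of $1,374,840, which is why the retention and limit figures should be re-run whenever the record count or the control program changes.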

Page 16: Playbook—Executive Risk Officer (cont.)

B. Enterprise-wide risk oversight
Ensure board-level and enterprise-wide involvement through ERM program
Manage and monitor cyber risk through risk reporting tools
Business Continuity Management Program (BCMP) should include breach response and notification plan (team), IT disaster recovery plan, and continuity plan for each business operation

Risk Tools Creation Cycle (see Appendices for sample tools):
TOOL 1: Risk Heat Map
TOOL 2: Risk Register
TOOL 3: Risk Dashboards
TOOL 4: Risk Tolerance Policy
TOOL 5: Risk Appetite Statement

Page 17: Playbook—Executive Information Technology Officer

A. Technology Solutions

1. Executive planning approach—service excellence

[Diagram] Business Opportunities; Disruptive Events; Regulatory; Release Management; TQI; Other Project Resource Competition (Common Requests / Uncommon Requests / Incidents / Projects)

Manage:
• Schedule
• Value ROI
• Usability
• Risk
• Cost
• Quality

Systems Continuous Improvement:
• People
• Process
• Technology

Page 18: Playbook—Executive Information Technology Officer (cont.)

2. Understand current state of organization's network infrastructure
Conducted physical and firmware assessment
Conducted comprehensive security reviews and vulnerability assessments using vendors: Coalfire, Delta Risk, and Mandiant
Learned more about IT general controls from Model Audit Rule (MAR) implementation

3. Developed and began to implement solutions to address identified gaps
Redesigned network infrastructure to improve uptime and availability:
1. Equipment covered by 24X7 support, 4-hour response
2. Redundant network equipment in case of equipment failure
3. Updated uninterruptable power
4. Installed climate control
Worked with third-party data center operator to tighten security with Web filtering, configuration of servers and updated McAfee to include current patches

Page 19: Playbook—Executive Information Technology Officer (cont.)

4. Adopted new framework for administering IT functions and operations

5. Operationalized new IT framework (Frame, Monitor, Respond, Awareness):

Monitor: Active Eye 24/7 coverage; Managed Security Information and Event Management (SIEM)
Respond: Privacy Incidents; Security Incidents; Business Continuity Plan
Awareness: Training Bulletins; Executive Expectations

Page 20: Playbook—Executive Information Technology Officer (cont.)

B. Benefits we are experiencing from operationalized framework

1. Robust incident response and team—business continuity
2. Continuous corporate-wide employee awareness of ways to help organization manage and monitor cyber risks
3. Corporate training on how to spot cyber threats, report threat—participate in threat sharing
4. Extensive use of encryption to protect data—lost or stolen devices
5. Provision of ID protection
6. Scaled-back on cloud migration to provide control over data unless SOC report indicates robust cloud security
7. Reduced data in motion through reduction in IT-related third-party involvement
8. Extensive use of DLP and data classification schema

Page 21: Playbook—Cyber Risk Consultant

A. Technology Solutions

1. Support IT and organization with best-in-class cyber risk management practices and solutions
2. Active network monitoring—Delta Risk Active Eye
3. Integration of organization's employees and business partners into the organization's cyber risk management
4. Lead the development of the organization's cyber risk response program

Page 22: Playbook—Cyber Attorney

A. Legal Cyber Related Counseling

1. Involve Legal Counsel to Enhance Attorney Client Privilege and Control Communications
2. Cybersecurity and Privacy Program Documentation and Policy Review
3. Board of Director Training
4. Data Breach Preparation and Response
5. Hiring of Outside Security and Other Vendors
6. Government Investigations and Litigation Assistance
7. Vendor Management/Contract Review and Other Transactional Assistance
8. Cyber Insurance Review

Page 23: Goal Line Themes

A. Ecosystem in which CRO, CIO, cyber attorney and cyber consultant collaboratively manage and monitor risk

B. Ongoing Board, senior management and organization-wide involvement in cyber risk management and monitoring

Page 24: Appendices

Page 25: Appendix A—Healthcare Industry Risk Heat Map: Sample

Continued on next page

[Figure: sample heat map, the same Health Care Industry Risk Heat Map shown on Page 12. Axes: Financial Impact (3.0, 4.0, 5.0) and Probability of Occurrence (Low to High); Cyber Risk is plotted, with the legend entry Very High Risk.]

Risk Legend:

Number   Meaning of Probability   Range of Financial Capacity
4        High                     ≥ $20,000,000 but < $40,000,000
5        Very High                ≥ $40,000,000

Page 26: Appendix B—IT Risk Register: Sample

KEY ASPECTS OF RISK

Risk Name: Data loss/privacy
Description of Risk: Data loss may expose us to privacy breaches which may negatively impact our reputation
Risk Owner(s): Chief Technology Officer (First name, Last name)
Key Drivers of Risk: Vendor security; Employee security practices; Hackers
Probability of Risk: 4 (Moderate to High: 35% to 50% chance of occurring)
Potential Financial Impact of Risk: 3 ($12 million to $20 million)
Potential Operational Impact of Risk: Airlines/operators withdrawing; Decline in the number of flights that land
Key Performance Indicators (KPIs): Number of vendors reviewed for data security compliance by IT per month; Number of unsuccessful hacking attempts per month
Key Risk Indicators (KRIs): Number of hacking threats per month; Number of successful threats per month; Number of employee non-compliance with IT security practices per month
Risk Control/Mitigating Measures: IT Security Policy; Vendor IT security SLAs; Firewalls; Data encryption
Actions Required: Implement IT security management and controls by February XX, 20XX; Implement software that monitors emails real time by March XX, 20XX

Page 27: Appendix C—Risk Dashboard: Samples

Each dashboard gauge shows an Acceptable Level, a Concern Level and an Unacceptable Level, with the current value against the policy minimum and policy maximum.

Risk: Decreasing RBC (OWNER: Head of Finance)
Description: Subsidiary results, losses and cost overruns continue to negatively impact our RBC = (TAC / ACL RBC)
Current Value 460%; Policy Minimum 400%; Policy Maximum 530%
Actions Required and Corrective Actions:
• Head of Finance to develop policies and procedures for Finance sign-off on new initiatives that require an investment of over $200,000
• Board and Management to revisit corporate governance of subsidiary operations to provide appropriate oversight and controls
• Head of Finance to develop reports that track intercompany balances and budget variances
Update Overall Status:
• On July 9, 2014, policies and procedures for Finance sign-off were completed and discussed with New Business Development
• Reports that track intercompany balances expected to be completed by July 10, 2014

Risk: Brand-Making and Reputational Risk (OWNER: Head of Communications)
Description: Experience reputational incidents that tarnish our brand image (Health of brand = Customer Satisfaction (CSAT) score)
Current Value 99.6%; Policy Minimum 95%; Policy Maximum 100%
Actions Required and Corrective Actions:
• Work with Head of HR to refine Employee Expense Reimbursement approval process and Terms of Employment policy
• Continue to monitor brand image real time using Street Smart Research
• Develop and implement transparent communication messaging that conveys to the public how company is managing reputational incidents
Update Overall Status:
• On June 27, 2014 completed refining expense reimbursement approval process
• Conduct Street Smart Research in July 2015

Page 28: Appendix D—Risk Tolerance Policy: Sample

Description of Risk | Key Risk/Performance Indicators (KRIs/KPIs) | Minimum Threshold | Maximum Threshold | Risk Owner
Underwriting health insurance in post-ACA market | Quarterly loss ratio | 75% | 90% | Head of Actuary
Data loss and privacy breaches | Total number of successful hacking attempts per month | 35 | 60 | Head of IT
Brand-making and reputational incidents | Customer satisfaction (CSAT) score | 95% | 100% | Head of Communications
Decreasing RBC | Quarterly ratio (%) of TAC / ACL RBC | 530% | 400% | Head of Finance
Comprehensive people strategy | Monthly employee turnover (voluntary) | 10% | 25% | Head of Human Resources
IT unable to support operations | Monthly systems uptime | 200 hours | 350 hours | Head of IT
Inability to accomplish risk-based audit | Total monthly hours available to audit | 600 hours | 750 hours | Head of Audit and/or Risk Management
Regulatory non-compliance | Number of regulatory warnings | 10 | 20 | Head of Legal or Risk Management
Subsidiary cost overruns | Subsidiary budget variance | $200,000 | $400,000 | Head of Finance
Substantial increase in Workers' Compensation reserves | Percentage change in WC reserves | 3% monthly | 8% monthly | Head of Audit and/or Risk Management
Declining investment portfolio | Monthly change in value of portfolio | 3% monthly | 7% monthly | Head of Finance
Decreasing COBRA benefits | Percentage change in COBRA benefits administered | 5% monthly | 8% monthly | Head of Business Unit

Page 29: Appendix E—Formal Risk Appetite Statement: Sample

Columns: Risk Elements | Our Assertions | Additional Support | Guiding Statement

Risk Elements: Brand-making and reputation; Contribution to Surplus; Network Provider Penetration; Operational Risk Parameters; Human Resources Risk Parameters; Capital Adequacy

Guiding Statement:

This Formal Risk Appetite Statement is drafted solely for the purpose of providing Company XYZ, its subsidiaries and affiliates guidance on how to manage enterprise-wide risks. No statements made herein bind Company XYZ, its subsidiaries and affiliates to any contemplated contracts or agreements. Company XYZ, its subsidiaries and affiliates reserve the right to change any statements made herein with or without notice to any third parties.

Company XYZ is an insurance company that exists for the benefit of its policyholders. We protect our brand, maintain adequate capital, run sustainable subsidiary and affiliate operations, carry-out core operations and leverage our market share to ensure we return value to our policyholders.

Our Assertions:

Brand protection and enhancements: We strive to proactively avoid any situation or action that has the potential to unnecessarily impair our brand and reputation. This involves ensuring our employees, business partners and policyholders are committed to our values and that their actions and behaviors reflect these values. We believe this is what would allow us to take appropriate actions to preserve the strength of our brand and reputation in the areas of corporate compliance, customer privacy, corporate information security, governance and positive public image.

Risk-based capital: We will strive to grow to an RBC level appropriate to the risk of our core operations to ensure our sustainability in our market.
(1) Controlled subsidiaries: Controlled subsidiaries are expected to manage their businesses and operations with the best interest of the shareholder and other appropriate stakeholders in mind. This expectation includes analysis and understanding of the risks associated with business initiatives to be undertaken by the controlled subsidiary. Further, controlled subsidiaries should comply with defined agreements (e.g. inter-company agreements, dividend policies, etc.) and governance processes as established with their shareholder.
(2) External Portfolio risk: Must contemplate the risk profile of our controlled subsidiaries, the risk profile of our core business and Company XYZ's capital position.

Income/earnings: In order to remain viable in our market, we target an annual operating margin of 5% across all core operations. Product segments (both core and non-core) are expected to have a positive contribution to RBC.

Provider reimbursements: We will maintain adequate market share to provide the best value to our policyholders. We target no less than 50% of aggregate California health care providers' private payer revenue.

Contract management and bid and proposal review: No projects or bids will be pursued without appropriate review and analysis based on defined governance processes, which should include an assessment of material risks and financial impact.

Human Capital: We will ensure Company XYZ has identified key talent and leadership to develop new leaders through defined succession plans and development. We will maintain the resources and tools to attract, develop and retain the employees necessary to fulfill our mission.

Additional Support: Vision and Mission Statements; Employee Expenses Reimbursement Policies; Employment Policies; Investment Policy; Intercompany Agreements and Dividend Policies with Subsidiaries; Human Resources Policies

