Compliance and a Culture of Integrity
Data and Privacy
October 29, 2014
www.pwc.com
PwC
Cyber security and Privacy . . . a Board level issue
• Increase in the Security and Privacy regulatory mandates in recent years, as well as expected changes in upcoming years
• Emerging technologies and reliance on third parties have created a borderless infrastructure
• Growing demand by business leaders to understand how privacy (“what” data is sensitive to the business) and security (“how” to protect the data deemed sensitive) are integrated
• Increase in threats and vulnerabilities to sensitive data and corporate assets
• Even companies that place great emphasis on securing their business processes can become the victim of cybercrime. Cybercrime can manifest in many ways
• Having a documented, demonstrated and regularly tested program helps in the event of regulator oversight
Cyber security . . . a strategic imperative
Global Business Ecosystem: pressures and changes which create opportunity and risk
Traditional boundaries have shifted
• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.
• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and disbursed throughout the ecosystem, expanding the domain requiring protection.
• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.
Motivated Adversaries
Nation State
• Motives: Economic, political, and/or military advantage
• Targets: Trade secrets; Business information; Emerging technologies; Critical infrastructure
• Impact: Loss of competitive advantage; Disruption to critical infrastructure
Organized Crime
• Motives: Immediate financial gain; Collect information for future financial gains
• Targets: Financial / Payment Systems; PII; PCI; PHI
• Impact: Regulatory inquiries and penalties; Lawsuits; Loss of confidence
Insiders
• Motives: Personal advantage, monetary gain; Professional revenge; Patriotism
• Targets: Sales, deals, market strategies; Corporate secrets, IP, R&D; Business operations; Personnel information
• Impact: Trade secret disclosure; Operational disruption; Brand and reputation; National security impact
Hacktivists
• Motives: Influence political and/or social change; Pressure business to change their practices
• Targets: Corporate secrets; Business information; Information of key executives, employees, customers, partners
• Impact: Disruption of business activities; Brand and reputation; Loss of consumer confidence
Current cybersecurity risks and trends
Even companies that place great emphasis on securing their business processes can become the victim of cybercrime.
• Large organizations (those with gross annual revenues of $1 billion or more) detected 44% more incidents compared with last year.
[Chart: average number of detected incidents per year, 2009 to 2014]
The average number of annual detected incidents has increased, evidencing today’s elevated threat environment. As a result, total financial losses due to incidents have risen, given the cost and complexity of responding to threats.
Source: 2014 PwC Global State of Information Security Survey
• Mobile security is an area of continued vulnerability. Mobility has generated a deluge of data, but deployment of mobile security has not kept pace
• Companies are increasingly sharing data with third parties. While services can be outsourced, accountability for security and privacy cannot
• Compromises attributed to third parties with trusted access increase while due diligence weakens:
  • Very few organizations have true visibility into third party business partners
  • 55% have security baselines for external partners, suppliers, and vendors (60% in 2013)
  • 50% perform risk assessments on third-party vendors (53% in 2013)
• Changing relationship between the organization and consumers: multiple channels/consumer touch points (e.g. website/mobile site/app/store) without centralized oversight and “control”
• Current and former employees are the most-cited culprits of security incidents, but implementation of key insider-threat safeguards is declining:
  • 56% have privileged user-access tools (65% in 2013)
  • 51% monitor user compliance with security policies (58% in 2013)
  • 51% have an employee security training and awareness program (60% in 2013)
• While less frequent, incidents attributed to nation-states, organized crime, and competitors increased sharply in 2014:
  • 86% jump in incidents by nation-states
  • 64% rise in compromises by competitors
  • 26% increase in incidents by organized crime
Data breaches are costly and on the rise
• Average cost of a compromised record: $188*
• Average cost of a data breach: $5.4M*
• Estimates at $3M in lost business per incident*
• Average cost of post-breach response activities (legal fees, forensics): $1.5M*
• Estimated annual losses to business from data and identity theft: $150B**
• Publicized breaches of personal information: 1,097 (2011); 1,631 (2012); 1,390 (2013)
• Each card brand can assess fines for PCI non-compliance. Examples include:
  • Visa (pre-breach): $5K-$25K per month
  • MasterCard (related to breach): $100K for each PCI violation
*Source: Ponemon Institute’s “2013 Annual Study: U.S. Cost of a Data Breach”
**Source: McAfee 2013 Study: “The Economic Impact of Cybercrime and Cyber Espionage”
State Breach Notification Laws
Generally, the laws mandate that if there is:
• unauthorized access to or disclosure of unencrypted personally identifiable information (PII) that
• threatens the security of such PII and
• creates a risk of identity theft
the person that "owns" such PII must notify affected:
• state residents
• state agencies and/or
• consumer protection agencies
Forty-seven US states plus DC, Guam, Puerto Rico and the Virgin Islands have breach notification laws
• Alabama, New Mexico and South Dakota have no law
State Security Breach Laws – a quick comparison
Scope of Personal Information covered
Key data such as name plus SSN, bank account number, credit card number (Illinois)
Passwords, PINs and other access codes (Alaska)
Date of birth, electronic signature (North Dakota)
Biometric data such as fingerprints, voice print and retinal images (Nebraska, North Carolina)
Trigger for notification obligation
No notice unless misuse of the data is likely (Colorado)
Notice if breach creates a substantial risk of ID theft or fraud (Maine)
Notice if there is reason to know that personal information was acquired (Massachusetts)
Recipient of Notice
Impacted resident (all states)
Consumer reporting agencies if > 500 (Minnesota)
Consumer reporting agencies if > 1000 (Michigan, Nevada)
Consumer reporting agencies if > 10000 (Georgia)
Content of Notice
Describe nature of the incident (North Carolina)
Don’t describe nature of the incident (Massachusetts)
Timing of Notice
As soon as practicable (Massachusetts)
Five days (California)
After a reasonable investigation has been conducted (Arizona)
Typical Data Breach Legal Response
Most incidents are not cyber security or hacking events, for example:
• Lost or stolen employee laptop (encryption will help)
• HR employee accidentally sending spreadsheet to the wrong person
• Vendor accidentally uploading file to the wrong server
Even the small ones take time to address:
• What data was involved?
• Was it encrypted?
• Who accessed it? How trustworthy are they?
• How can it be used by the person who accessed it?
• Is there a likelihood of harm? (some states don’t care)
• Finding the individuals’ names and contact information
• Drafting letters based on state requirements
Need to do analysis to determine if notice is required:
• Look at the various state laws
• Look at your customer contracts (for B2B)
• Comply with your privacy notices
Even if notice is not required, it may be appropriate:
• Is there an ethical responsibility to notify?
• If you notify in one state, should you notify in all?
• Could it be a bad PR move not to notify, even if not required?
• But over-notification also has its issues
A robust Incident Response Plan is necessary to enable prompt reaction, and prompt reaction is key to a successful response.
How to monitor for data loss and potential threats
• While organizations have made significant security improvements, they have not kept pace with today’s determined adversaries – many rely on yesterday’s security practices to combat today’s threats
• Even the most advanced blocking techniques are inadequate against motivated and targeted attacks. Reduce reliance on prevention-only capabilities
• Spend less on prevention; invest in detection, response and predictive capabilities
• Assume a state of continuous compromise, necessitating continuous monitoring, response and remediation
• Architect for monitoring at all levels of the IT stack – network, OS, application, content, transactions and user behaviors – and develop a security operations center responsible for continuous monitoring, detection and response
• Choose context-aware network, endpoint and application security solutions that provide prevention, detection, prediction and response capabilities
Evolving perspectives - adapting to the new reality
Historical IT Security Perspectives vs. Today’s Leading Cybersecurity Insights
• Scope of the challenge
  • Historical: Limited to your “four walls” and the extended enterprise
  • Today: Spans your interconnected global business ecosystem
• Ownership and accountability
  • Historical: IT led and operated
  • Today: Business-aligned and owned; CEO and board accountable
• Adversaries’ characteristics
  • Historical: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
  • Today: Organized, funded and targeted; motivated by economic, monetary and political gain
• Information asset protection
  • Historical: One-size-fits-all approach
  • Today: Prioritize and protect your “crown jewels”
• Defense posture
  • Historical: Protect the perimeter; respond if attacked
  • Today: Plan, monitor, and rapidly respond when attacked
• Security intelligence and information sharing
  • Historical: Keep to yourself
  • Today: Public/private partnerships; collaboration with industry working groups
Building a Cyber Security & Privacy Program
Common challenges and keys to an effective program
Common challenges:
• Creating a robust strategy that accounts for a complex, multi-regulatory & changing environment
• Managing individual concerns and perceptions across differing cultures
• Understanding the information the organization collects & processes
• Managing information across the data lifecycle, within and outside your organization
• Building secure networks and systems
• Standardizing practices across all entities and regions, including all channels
• Coordinating incident response
• Driving policy and controls into business practices and technology
• Adopting privacy values throughout the enterprise
• Ensuring Business Continuity & Disaster Recovery strategies are in place
Keys to an effective program:
1. An effective governance structure
2. A strong culture and attitude at all levels
3. An effective risk assessment process
4. A complete, dynamic, current lifecycle data inventory that includes third parties
5. Controls aligned with a selected framework
6. An effective training and awareness program
7. An effective team that ensures compliance with laws and regulations
8. An effective auditing and monitoring function
9. Policies and procedures that are current, communicated, and followed
10. An effective, documented, and tested incident response plan
11. An effective, documented, and tested Business Continuity and Disaster Recovery plan
Cyber Security program components
C-Suite Focus Areas: Secure information is power
• Align with the business: Strategy, Governance & Management
• Security by design: Security Architecture & Services
• Address threats & weaknesses: Threat, Intelligence & Vulnerability Management
• Enable secure access: Identity & Access Management
• Adapt to the future: Emerging Technologies & Market Trends
• Manage risk and regulations: Risk & Compliance Management
• Anticipate & respond to security crises: Incident & Crisis Management
• Safeguard critical assets: Data Protection & Privacy
Taking action: 5 steps toward a strategic cyber program
1. Ensure that your cybersecurity strategy is aligned with business objectives and is strategically funded
2. Identify your most valuable information assets, and prioritize protection of this high-value data
3. Understand your adversaries, including their motives, resources, and methods of attack, to help reduce the time from detect to respond
4. Assess cybersecurity of third parties and supply chain partners, and ensure they adhere to your security policies and practices
5. Collaborate with others to increase awareness of cybersecurity threats and response tactics
Contacts
Bonnie L. Yeomans, VP, Assistant General Counsel and Privacy Officer, CA Technologies, (631) [email protected]
Ariel Litvin, Director - IT Risk & Security Assurance, PwC, (646) [email protected]
Jacqueline T Wagner, Managing Director – New York Privacy Leader, PwC, (646) [email protected]
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.