Cyber Security 101: What Your Agency Needs to Know
1. PROPRIETARY & CONFIDENTIAL March 4, 2010 Affect Strategies
CYBER SECURITY 101:
What Your Agency Needs to Know
PR Council Genome Series
May 4, 2017
2. PRESENTERS
Sandra Fathi, President, Affect
PR Council Board Member
sfathi@affect.com
@sandrafathi
Simon Russell, Managing Partner, BeCyberSure
simonr@becybersure.com
Vince L. Martinez
Partner, K&L Gates LLP
Vince.martinez@klgates.com
3. AGENDA
I. Cyber Security 101: What you need to know about cyber security and threats in an agency environment
II. Legal Ramifications: Cyber security and the law, the agency’s responsibilities and liabilities
III. Crisis Communications: When it happens to you, a plan of action
4. DEFENDING ENTERPRISE INTEGRITY
Making InfoSec Part of the Culture
Simon Russell, Managing Partner, BeCyberSure North America
5. Defending Enterprise Integrity
What is “Cyber Security”?
• The process of applying security measures to ensure confidentiality, integrity, and availability of data
• Essentially, protection against Cyber Risk
What is “Cyber Risk”?
• “Cyber Risk” means any risk of financial loss, disruption or damage to the reputation of an individual or organization from some sort of failure of their information technology systems
10. EXCUSES FOR NOT ADDRESSING CYBER
Defending Enterprise Integrity
I’M TOO SMALL
• Usually easier target
NOTHING WORTH STEALING
• All data has value or you could be a stepping stone
MY TYPE OF BUSINESS IS NOT A TARGET
• Every organization is of interest to the criminal – they do not discriminate
I DON’T HANDLE MONEY
• Not the point - there are other assets to steal
I OUTSOURCE IT, PAYMENTS, ETC
• You are still responsible - the responsibility is not outsourced
SOMEONE ELSE WILL PAY IF SOMETHING GOES WRONG (e.g. banks, insurance)
• Not any more!
17. Basic Incident Response Steps
• Recognize the occurrence of an incident.
• Notify and assemble the incident response team to begin the investigation.
• The internal team can include IT, Security, HR, Counsel, Compliance,
business heads and IR.
• The external team can include outside counsel, technological consultancies
and crisis management / public relations firms.
• Identify and fix (or contain) the technological issue.
• Determine any legal obligations and comply.
• Determine if any public reporting obligations exist.
• Communicate with the public as appropriate.
• Eradicate remnants of the security incident and recover business operations.
18. Data Breach Notification Requirements
• The primary consideration is the exposure of personally identifiable
information (PII).
• All states except AL and SD require companies to notify affected
individuals when their PII has been compromised.
• There are variances in notification laws and the types of data considered PII.
• Most states require notice as soon as reasonably possible; a few require
notice within 30 to 45 days of discovery.
• Certain federal laws, such as HIPAA and GLBA, require companies to
notify affected individuals.
• Certain federal regulators, including the FTC and FCC, are active within
their jurisdictions.
• Breach notification can also be a function of contract, which should be
known before an incident occurs.
19. Notifying Law Enforcement
• Relevant federal law enforcement agencies include the FBI
and the Secret Service.
• The Department of Justice has issued guidance for interacting with
federal law enforcement authorities in the wake of a cybersecurity event.
• https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/04/30/04272015reporting-cyber-incidents-final.pdf
• State Attorneys General may also be required to be notified.
• It is a best practice to have pre-established contacts with law
enforcement before an event.
• Remember that law enforcement has different goals than you when
responding to a cybersecurity event, and the logistics and possible issues
surrounding law enforcement involvement should be understood beforehand.
20. Public Company Reporting Obligations
• The SEC’s Division of Corporation Finance offered guidance in 2011.
• https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
• The guidance gives context to materiality in several parts of periodic reports.
• Some incidents may be described generally in quarterly and annual filings.
• Filing a Form 8-K is most appropriate for events of immediate material
consequence to investors.
• The SEC has not yet brought an enforcement action for inadequate
cybersecurity disclosure, but has frequently indicated its interest in doing so.
21. Recent Regulatory Developments
• The New York Department of Financial Services recently implemented
regulations for certain financial institutions:
• http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
• Affects both businesses registered under the New York Banking, Insurance
and Financial Services Laws, as well as certain third parties that service those
businesses.
• Contains specific technological measures required of covered entities.
• The Colorado Division of Securities recently proposed enhanced
cybersecurity measures for broker-dealers and investment advisers:
• https://drive.google.com/file/d/0BymCt_FLs-RGUWl5c3lDUVlzeDg/view
• Specifies what measures firms should consider in order to have “written
procedures reasonably designed to ensure cybersecurity.”
• Takeaway: More regulators are beginning to list specific measures required.
22. Consequences of a Cyber Incident
• Major damage to the company’s operations, customer loyalty, reputation
and financial results.
• Litigation, settlement, repair and remediation costs in recent
cases have reached into the tens of millions of dollars, including:
• Example: Target - breach related costs approaching $180 million per latest Form 10-K.
• Shareholder derivative actions, including against directors
• Customer class actions
• Litigation with (former) business partners
• Regulatory investigations, actions and remediation oversight
• Example: FTC v. Wyndham Worldwide Corp.
• Inadequate or misleading data security protections can be
charged as unfair and deceptive trade practices.
• Activist investor campaigns
23. Roles for Outside Counsel
• Extend attorney-client privilege to response advice.
• Extend work product protection to investigative documentation.
• Hire other third parties as agents of the legal engagement.
• Establish contact with law enforcement.
• Identify likely regulators and applicable standards and guidance.
• Identify legal and contractual obligations to notify or report.
• Ensure legal accuracy of public statements.
26. WHAT’S THE SCENARIO
• Scenario #1: A reporter tweets that they’ve broken a story about your data
breach – you were unaware that the press was aware.
• Scenario #2: IT department detects a breach and informs the PR department
that it has been mitigated.
• Scenario #3: The FBI calls to tell you that they are investigating your data
breach.
• Scenario #4: The IT department reports a breach to PR, but has no idea how
large it is or what the total impact will be.
• Scenario #5: A hacker threatens to release your client’s data if you don’t pay $100,000 in Bitcoin.
You need a plan and you needed it yesterday.
27. THE THREAT IS REAL
• The Element of Surprise: breaches are often leaked to the media before full
investigations are complete
• Under Pressure: Customers, media, employees etc. demand information
• The Gift that Keeps on Giving: Data breach incidents tend to have more than
one news cycle
• Social Media Wildfire: False information spreads quickly on sites like Twitter,
Facebook and LinkedIn
If you are prepared for data breach response, you have a better chance of
controlling your message and preserving your reputation.
29. PHASE 1: READINESS
PREVENTATIVE MEDICINE
Anticipating a Crisis
1. Crisis Mapping (SWOT Analysis)
2. Policies and Procedures (Prevention)
3. Crisis Monitoring
4. Crisis Communications Plan
5. Crisis Action Plan
6. Crisis Standard Communications Template
30. THREAT MAPPING
RISK ASSESSMENT
Internal
• Employees
• Facilities
• Vendors/Suppliers
• Distributors/Resellers
• Product
External
• Acts of Nature
• Market
• Legal Restrictions/Law
• Customers
• Advocacy Groups
Anticipating & Understanding Threats to a Business
People, Products, Facilities, Environment, Information
31. INFORMATION THREATS
What’s in your files?
1. HR – Name, Address, Social Security
2. Payroll – Name, Address, Social Security & Bank Account
3. Customer – Name, Address, Credit Card & Bank Account
4. Vendor – Name, Address, Credit Card & Bank Account
5. Other – Medical Records, Demographic Information, Email, File Servers, etc.
32. CRISIS COMMUNICATIONS
ANTICIPATING THREATS
Create a chart of the potential informational threats to your business, with a column for each department (HR, Sales, Marketing, Finance), and rank the threats in order from high risk to low risk.
33. CRISIS TOOLKIT
RESPONSE RESOURCES
1. Develop materials:
• Messages/FAQ
• Prepared statements
• Press release template
• Customer letters
2. Train employees
• Awareness
• Anticipation
• Organizational Preparation
3. Prepare channels:
• Hotline
• Dark site
• Social Media
4. Data Breach/Customer Assistance Resources
• Microsite/Landing Page FAQ
• Identity Theft Remediation Services
• Force Password/Account Information Change
• Special Customer Advocate/Team
34. IMMEDIATE ACTION
BEST PRACTICES
Preparing a Response
1. Don’t delay
2. Acknowledge situation
3. Acknowledge impact and ‘victims’
4. Commit to investigate
5. Commit to sharing information and cooperation with relevant parties
6. Share corrective action plan if available
7. Respond in the format in which the crisis was received**
35. RESPONSE OUTLINE
CRITICAL INFORMATION
Prepare a Template Crisis Response:
1. What happened?
2. What do we know about it?
3. Who/what was impacted?
4. How do we feel about it? (How should we feel?)
5. What are we going to do about it?
6. When are we going to do it?
7. When/how will we communicate next?
36. CUSTOMER COMMUNICATION
Notice of Data Breach
1. Introduction: Why are we contacting you?
2. What happened?
3. What information was compromised?
4. What are we doing to remedy the situation?
5. What can you do to prevent/mitigate further risk?
6. Where can you find more information?
38. PHASE 3: REASSURANCE
DOSE OF MEDICINE
Who to Reassure? How to Reassure?
1. Develop full response plan
2. Put plan into action: Immediate remedy
3. Communicate results of plan and impact
4. Reaffirm commitment to correction
5. Demonstrate results of program
39. PHASE 4: RECOVERY
LONG-TERM TREATMENT PLAN
Rebuilding reputation, trust and customer loyalty
Implementing preventative measures for long-term crisis mitigation and/or prevention
1. Review need for operational, regulatory, environmental and employee
changes
2. Develop long-term plan including policies and prevention tactics
3. Reassess crisis plan
4. Regain customer/public trust
40. 10 KEY TAKEAWAYS: CRISIS COMMUNICATIONS FOR DATA BREACHES
1. Implement Policies to Address Potential Vulnerabilities
2. Establish a Regular Review Cycle for Information Security
3. Establish Inter-Departmental Cooperation
4. Establish a Framework for Response
5. Build a Data Breach Crisis Toolkit
41. 10 KEY TAKEAWAYS: CRISIS COMMUNICATIONS FOR DATA BREACHES (continued)
6. Know Where & How to Respond
7. Prepare Your Employees in Advance
8. Establish Assistance Services for those Impacted
9. Know the Law Regarding Reporting in All Regions of Operations
10. Be Honest, Be Transparent