TRANSCRIPT
Cybersecurity and
Credit Risk Management
March 19, 2018
Agenda
• Why should credit professionals care about cybersecurity?
• Why talk to lawyers about cybersecurity?
• Criminals go to work every day
• What is cyber diligence?
• What can you do?
• Questions
Why Should Credit Professionals Care About Cyber Incidents?
• Cyber attacks may immediately disrupt business ops and cut off income:
– Stores with POS systems
– Manufacturers with SCADA/ICS systems
– E‐Commerce
Why Should Credit Professionals Care About Cyber Incidents?
• Cyber attacks on others can affect you, e.g.:
– you extended credit, now they can’t pay;
– third‐party service providers can make you look bad
Why Should Credit Professionals Care About Cyber Incidents?
• Interconnected systems = additional challenges:
– access to your systems (ordering, accounting, tracking)?
– shared systems?
– business by e‐mail?
Why Should Credit Professionals Care About Cyber Incidents?
Because there is a significant economic cost to ignoring cybersecurity
Why talk to lawyers about cybersecurity?
• Technology and law – 2gether 4ever
• Statutory, regulatory, contractual
• Litigation risk—liability, eDiscovery
• Relationships – regulators and law enforcement
• Cyber insurance
• Privilege protection
A Brief Detour: Privacy
• Privacy – Cybersecurity: distinct but related concepts
• Privacy – Cybersecurity: the conundrum
What is Private or Personal Information?
Definition varies, but may include name and:
• Social Security Number
• Driver’s License Number
• Health Information
• Certain Personal Contact Information
• Financial Data (such as Account Numbers)
• Passwords or other Access Information
• Educational Records
• Employment Records
• Consumer Preferences/History
• Geo‐Locating Information
Privacy Pitfalls
Improper use or disclosure of info, even if properly obtained:
• Blabbing at the bar about a client (breach of attorney‐client privilege)
• Bragging about a celebrity patient (breach of doctor‐patient privilege)
• Selling customer lists (potential breach of contract/deceptive practice)
• Marketing to a consumer based on tracking (Big Data)
Privacy Pitfalls
Obligations may extend to information in your “possession, custody or control”:
• What data do you get from your customers?
• Do you repossess/foreclose on collateral comprising/containing data?
• Are you responsible for funding another party’s maintenance of data?
Cybersecurity
• Cybersecurity concerns protection of the Confidentiality, Integrity and Availability of electronic data and systems
• A cybersecurity breach is typically a situation involving a successful attack on electronic systems and/or content (data), which could include access, destruction, control, manipulation, etc.
CIA Triad
Cybersecurity Pitfalls
Hacks of all shapes and sizes… an infinite and growing library of attacks (a/k/a “exploits”) including:
• Malware (like Ransomware)
• Denial of Service
• Spoofing
• Phishing (and variations like Spear Phishing)
• Social engineering
• Advanced Persistent Threats
• Password Attacks
• Unpatched Systems Vulnerabilities
• SQL Injection
Obligations
• Federal (Sector‐by‐Sector Approach)
• State
• Self‐Regulating Organizations
• Industry Associations
• Contractual
• International
Summary of FTC’s Approach
FTC’s “Reasonableness” Standard
“The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Through its settlements, testimony, and public statements, the Commission has made clear that it does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one‐size‐fits‐all data security program; and the mere fact that a breach occurred does not mean that a company violated the law.”
• FTC’s Statement Marking 50th Data Security Settlement, 1/21/14
New York
NYS Dept. of Financial Services (DFS) Cybersecurity Requirements for Financial Services Companies
• All DFS‐regulated entities are “covered entities” (i.e., banks, insurance companies, money transmitters)
• Covered entities and their vendors/partners must “assess [their] specific risk profile[s] and design a program that addresses its risks in a robust fashion.”
• Broad definition of “non‐public information”
• Cybersecurity is a Board of Directors‐level responsibility
• Written plans, evaluations and compliance certifications are required
• Covered entities must appoint a Chief Information Security Officer (CISO)
• Became effective on March 1, 2017, with phase‐in for compliance with certain provisions beginning August 28, 2017
Contractual Considerations
• Obligations and liabilities are often a contractual matter
• Three main considerations:
1. Business‐to‐Business
• Vendor agreements to maintain certain standards
• Credit card association agreements
2. Business‐to‐Consumer
• Express written contract (credit cards or loan agreements) or implied contract (posting of a privacy policy or other public statements/representations)
3. Employer‐to‐Employee
• Employment agreement or employee manual/code of conduct
Criminals Go To Work Every Day
Going Beyond The Headlines
We are all too familiar with headline‐grabbing incidents in which massive amounts of personal information are compromised:
Going Beyond The Headlines
These are the tip of the iceberg; the vast majority of cyber‐incidents impacting businesses are never disclosed. They include:
– insider threats activated
– industrial espionage through hacking
– state‐sponsored cyberattacks
– unexplained outages (DoS)
– other unrecognized or undisclosed incidents
What Is Cyber‐Diligence and How Does It Relate To You?
• process for assessing business partner’s cybersecurity risk
• tool for evaluating likelihood of cyber event, but also level of cybersecurity maturity
• guides decision whether to enter business relationship, on what terms
How to Conduct Cyber Diligence
• Risk assessment methods and reporting
• Information gathering
• Standards and certifications
• Vulnerability assessments
• Penetration testing
• Contractual protections
You’ve Done Your Cyber Diligence, Now What?
• Negative cyber diligence report need not “kill” relationship
• Consider conditions to proceeding:
– Remediate issues highlighted
– Update on remediation progress
– Indemnify for losses from cyber
– Obtain cyber insurance
In Conclusion: A Cautionary Tale
Robert and Bethany Millard v. Patricia L. Doran
Lessons Learned
Robert and Bethany Millard v. Patricia L. Doran
• Hackers target all types
• More robust email systems may be more secure
• Simple verification procedures can help
• Employ a healthy dose of skepticism
• Do not ignore security in favor of a closing deadline
Cybersecurity Is Technical, But Comes Down To People
All Organizations Should Plan For Attack: The Question Is Not “If,” It Is “When”
THANK YOU
For More Information:
Erik Weinick [email protected]
Adam Cohen [email protected] www.thinkbrg.com
Credit Research Foundation www.crfonline.org