Data Protection and Cybersecurity: Addressing the Risks and Costs 5 September 2019


Page 1: Data Protection and Cybersecurity: Addressing the Risks ... Power P… · $3.92M average cost of a data breach for small- and mid-sized companies (all sizes businesses is $8.19M average

Data Protection and Cybersecurity: Addressing the Risks and Costs

5 September 2019

Page 3:

What does this mean for small businesses?

$3.92M average cost of a data breach for small- and mid-sized companies (the average across businesses of all sizes is $8.19M, excluding mega breaches, in the U.S.)

90% of small businesses do not have data protection measures in place for company or customer information

71% of ransomware attacks targeted small businesses with an average cost of $116,000

66% of small to medium-sized businesses do not believe they are vulnerable to cyber attacks – yet, 67% of SMBs experienced a cyberattack in the last year

60% of small businesses go out of business within 6 months of a data breach

Likelihood of experiencing a data breach is growing: 29.6% and increasing each year

Why do hackers target small- and medium-sized businesses?
• Less mature IT processes and procedures (GRC)
• Less secure data architecture
• Limited ability to detect when a breach occurs
• Very limited data breach response capabilities or procedures

This briefing is proprietary information and shall not be released without the express permission of Tier 1

Page 4:

Most common cyber events and potential losses

Cyber-Fraud, e.g., an illegitimate financial transfer is made as a result of social engineering
Potential losses: Financial; Incident response costs; Directors' and Officers' liability

Cyber-Extortion, e.g., ransomware that impedes access to data or a network until a ransom is paid
Potential losses: Financial; Business interruption; Incident response costs; Reputational damage; Directors' and Officers' liability; Data and software loss

Data Breach, e.g., unauthorized disclosure of third party personally identifiable information, violation of data privacy requirements, or proprietary / controlled information
Potential losses: Incident response costs; Breach of privacy compensation; Defense cost; Fines and penalties; Reputational damage; Directors' and Officers' liability; Data and software loss


Page 5:

Who are the Actors?

Criminal Organizations & Hackers / Script Kiddies

Criminal groups are promising salaries averaging the equivalent of $360,000 per year to hackers, with bonuses

Targeting high-worth individuals, such as company executives, financial investors, lawyers and doctors with extortion scams

Utilize social engineering, malware, wireless / IoT attack vectors

Insider Threat: $513,290 average cost per incident

$283,281 average cost for negligence

Doubles to $648,845 for credential theft

53% of companies reported remediation costs of $100,000+ and 12% reported remediation costs of over $1M in addition to initial financial losses


Hacktivists
Cyber attacks are designed to punish or make a point
• Exposing corporate / CEO practices
• Exposing corporate / CEO political support
• Legal exposure
• Pressure shareholders
• Doxing of corporate officers

Exposure of corporate data & information
• Business Clients (e.g. Federal Contracts)
• Proprietary data
• Controlled Unclassified Data


Advanced Persistent Threats
Achieve and maintain ongoing access to the targeted network

Theft of intellectual property, classified, controlled unclassified information

Defense program intelligence collection

Utilize social engineering, malware, wireless / IoT attack vectors

Page 6:

What is the threat?

External Threat Categories – mostly out of your control
• Social Engineering
• Malware
• Regulation / Litigation
• Wireless / Mobile Tech
• Cloud / IoT
• Industrial Espionage
• Cryptojacking

Internal Threat Categories – within your control with proper risk management
• Governance
• Security Controls
• Training
• Outsourced Contracts
• Networks / Architecture
• Business Planning
• Personal Device Use


Page 7:

Tier 1 Secure™ Cybersecurity Model:

Legal Requirements

Information Technology

Business Requirements

Cybersecurity must be tailored to business goals, objectives, and strategy

Business Requirements

Any effort to design and implement an effective security strategy must be built on a foundation of legal and regulatory requirements

Information Technology

You can only transfer the financial impact of a cyber event; the legal responsibility for consequences can almost never be transferred

Legal Requirements

Business Systems

Corporate Law

Cyber Law

Integrated Governance (Executive Team)


Tier 1 Secure™
• Develop & implement a risk-based cybersecurity program
• Integrate Governance, Risk Management, & Compliance
• Tailor security to business goals, objectives, & strategy
• Security controls aligned to the laws & regulations specific to your services
• Establish Business Continuity and Disaster Recovery Plans
• Cyber Insurance to mitigate the cost of a cyber event

Page 8:

What is your data protection and privacy posture?

(graphic source – Cyberisk)

Page 9:

Government Contracting Regulatory Compliance:

Requirements:
• FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
• DFARS 252.204-7008: Compliance with Safeguarding Covered Defense Information Controls
• DFARS 252.204-7009: Limitations on the Use or Disclosure of Third-Party Contractor Information
• DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
• NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems

Compliance:

System Security Plan (SSP)
• Government (DCMA) reserves the right to request a copy

Plan of Action & Milestones (POA&Ms)
• Remediation Plans to address approx. 140 NIST 800-171 controls (technical and non-technical controls)

Audit (currently self-assessment)

Incident Reporting
• Upon discovery / no later than (NLT) 72 hours to DoD, and must report to Prime / Higher Tier Subcontractor
• Must preserve and protect images, data, and system for 90 days
• Must provide DoD additional information, equipment, forensics upon request
• Must submit malicious software to Defense Cyber Crime Center (DC3)


Page 10:

Government Contracting Regulatory Compliance:

Cybersecurity Maturity Model Certification (CMMC)
• Next stage in DoD’s efforts to properly secure the Defense Industrial Base (DIB)
  ❑ Each RFP will have a minimum CMMC level for award (Level 1 – 5)
  ❑ All future RFPs will require a CMMC level regardless of handling Controlled Unclassified Information (CUI)
  ❑ Cybersecurity added to preexisting acquisition criteria (cost, performance, and schedule)
  ❑ CMMC will be a “Go / No-Go Decision” as part of source selection (RFP Section L&M)
• Criteria applies to both Prime and Subcontractors (flow down)
• 3rd Party Audit based upon the implementation of actual technical controls, policies, procedures
• SSP, POA&M, and Self-Assessment as compliance for DFARS 252.204-7012 no longer meet the requirement
• Rating based on sophistication of controls implemented and institutionalization of processes
• Certification Implementation approx. June 2020
• Existing work will be up for grabs depending upon which CMMC level is required by the contracting authority
• Teaming and subcontracting will be impacted
• IT Security costs are going to be an allowable charge on contracts moving forward and will be an element of your best value proposals (PENDING)

Page 11:

Cyber Exposure – Protect Your Data

• Do you collect or store data?
  • Personally Identifiable Information (PII)
  • Payment Card Information (PCI)
  • Personal Health Information (PHI)

• Whose Data?
  • Employees
  • Clients

Page 12:

Lowering Your Exposure

• Why is this valuable?
  • Fewer cyber losses
  • Safer place to work
  • Lower Insurance Premiums

• Cyber Security Limitations
  • Not every threat is within your control
  • Nothing can reduce your exposure to zero

THE SOLUTION?

Page 13:

Insurance

• Several policies work together
  • Cyber
  • Professional Liability
  • Crime

• Safety net if there is a breach

SAFETY

Page 14:

What Happens If There Is A Breach?

• Required by State and Federal Laws
  • You must know the requirements for each state
  • Notification to affected individuals or entities
  • Notification to Consumer Reporting Agencies
  • Provide Credit Monitoring to affected individuals
  • Other Compliance Issues

• How it affects your business
  • Investigation of the cause of breach
  • Remediation
  • Potential lawsuits

Page 15:

Cyber Insurance

Viruses, Malware, Rogue Employees, Denial of Service Attacks, Cyber Extortion

• Responds to First Party Claims
  • Notification
  • Credit Monitoring
  • Public Relations
  • Business Income

• Responds to Third Party Claims
  • Cost for defense
  • Damages

Page 16:

Crime Insurance

Social Engineering/Deception Fraud, Computer Fraud, Funds Transfer Fraud

• Cyber crime is more common
  • Criminals are getting smarter
  • Banks do not always catch this

• Most insurance programs do not cover Social Engineering/Deception Fraud

Page 17:

Professional Liability

Breach of Contract, Professional Error, Omission, Accidental Negligence

• Could you expose a vulnerability in your client’s network?
  • Products
  • Services
  • Advice

• Responds to lawsuits
  • Cost for defense
  • Damages

Page 18:

How Will Insurance Respond

• Professional Liability, Cyber Liability, Crime Insurance are not standardized

• Ensure you know how your policy will respond

• Does your coverage apply to your current exposures?

Page 19:

ABOUT US

Government Technology Insurance Company (GovTech)
GovTech is operational in all 50 states and the District of Columbia. Chartered under the Federal Liability Risk Retention Act of 1986. GovTech is the only insurance company in the country that specializes in liability coverage for IT Services and related companies whose primary focus is Federal and State Government contracts.

Government Technology Association (GTA)
GovTech is owned by the non-profit Government Technology Association (GTA) and managed by the GovTech Agency. GTA is headquartered in Bethesda, Maryland, and owned by GTA members who are the policyholders of GovTech. GTA is comprised of IT companies and contractors whose primary mission is service for Federal and State Governments.

Experience the GovTech Difference
Reliably managed by the industry’s leading insurance professionals and underwriters, GovTech is uniquely prepared to provide its policyholders with IT-specific insurance coverage and notable savings. The GovTech Agency is reinsured by Lloyd’s of London and its largest syndicates. GovTech offers timely service extending beyond the client/carrier relationship with the advantage of direct savings to each policyholder.

Page 20:

The GovTech Difference

GovTech Services a Single Community

All GovTech policy holders are involved in providing the Federal and State Governments with IT and related services.

GovTech Policyholders Enjoy Premium Savings As Much As 40%

Federal and State IT and related Service Providers have had a long history of below average claims, yet have not been rewarded by the large insurance carriers with premiums that properly reflect the lower level of risk within their community.

Ryan Copenhaver, Partner Andrew Beardall, COO / General [email protected] [email protected] 301.907.7022

Page 21:


• Governance
• Risk Management
• Regulatory Compliance
• Security Auditing
• Privacy Assessments
• Security Solutions
• Cyber Training
• Disaster Recovery / COOP
• V|CISO Services
• 3rd Party Due Diligence

Tier 1 Secure™: Cyber Security Certification program enables your organization to exceed technical, legal, and regulatory requirements that significantly reduce the impacts and costs of cyber events. The Tier 1 certification process begins with a 1,000-point comprehensive assessment, derived from the latest U.S. and International best practices to provide a complete cybersecurity program.

Joe Urbaniak
COO / CISO

[email protected]