![Page 1: RIMS ERM CONFERENCE 2016 · RIMS RISK FORUM MIDDLE EAST 2016 December 13-14, 2016 Dubai, UAE RIMS 2017 ANNUAL CONFERENCE & EXHIBTION April 23-26, 2017 Philadelphia, PA, USA RIMS NEXTGEN](https://reader034.vdocument.in/reader034/viewer/2022052518/5f0beb4c7e708231d432dd78/html5/thumbnails/1.jpg)
RIMS ERM
CONFERENCE 2016
Enterprise Best Practices in the Cyber World
Drew Graham, Partner, Hall Booth Smith, P.C.
Patrick Powell, Attorney, Hall Booth Smith, P.C.
Rich Magrath, Regional Director Western US, Lloyd's
Grace Crickette, Interim AVP Business Operations, SFSU
HEALTH & SAFETY
• For your safety and security, it is required
that you wear your RIMS name badge to
all functions.
• Be safe! Locate your nearest exit(s), fire
equipment, etc.
• If you see something suspicious, say
something.
STAY CONNECTED
• Twitter: Follow @RIMSorg and tweet with
#RIMSERMCONF
• Facebook: “like” us at facebook.com/RIMSorg
• Instagram: Follow us @RIMSorg and tag photos with
#RIMSERMCONF
• LinkedIn: connect with your presenters and join the official
RIMS group, comprising 55,000+ global members
• You’re challenged to meet at least 3 new people in this
room today to grow your professional network.
DON’T FORGET THE ATTENDEE
SURVEY!
• Download the mobile app to take the
attendee survey, as well as download
speaker handouts.
• Search for “RIMS Events” on your mobile
device.
CONTINUING EDUCATION
CREDITS
• This session qualifies for education
credits.
• Be sure to record this session on your
tracking sheet.
• To sign up, please visit the registration
area in the Great Room Foyer.
– US $49 for RIMS members; $99 for non-members.
BECOME A RIMS MEMBER
• Join RIMS today – add value to your
organization and build lasting relationships
with a global network of risk professionals.
• Attendees are eligible for a US $100
discount off new Organizational or
Associate membership. Visit the
registration area in the Great Room Foyer
for details.
MARK YOUR CALENDAR!
RIMS RISK FORUM MIDDLE EAST 2016
December 13-14, 2016
Dubai, UAE
RIMS 2017 ANNUAL CONFERENCE &
EXHIBITION
April 23-26, 2017
Philadelphia, PA, USA
RIMS NEXTGEN SUMMIT 2017
June 5-6, 2017
Austin, TX, USA
RIMS CYBER RISK FORUM 2017
September 7-8, 2017
Las Vegas, NV, USA
RIMS RISK FORUM AUSTRALASIA 2017
August 21-22, 2017
Sydney, Australia
RIMS ERM CONFERENCE 2017
November 6-7, 2017
Los Angeles, CA, USA
THANK YOU TO OUR PLATINUM SPONSORS!
RIMS ERM
Best Practices in the Cyber World
This Presentation has been Hacked!
Using Strategic Scenarios to Understand Cyber Risk
Program Team
Moderator: Drew Graham, Partner, Hall Booth Smith, P.C.
Patrick Powell, Attorney, Hall Booth Smith, P.C.
Rich Magrath, Regional Director, Western US, Lloyd’s of London
Grace Crickette, Associate Vice President of Business Operations, San Francisco State University
From: Flyaway Sam <[email protected]>
To: You <[email protected]>
Cc:
Subject: Unexplained customer complaints

Today our call center received phone calls from eight new customers of the Traveltime online booking program. The callers said that after booking trips last week, they experienced unexplained withdrawals from their checking accounts. Do you think someone could have gotten into the credit card and bank account data stored on our server? I have tried to reach the IT Security Team, but got their voice mail. I hate to leave this hanging over the weekend, but am not sure what else to do. Please advise.

Flyaway Sam | Vice President Customer Service
O: 1 (510) 396-1213 | M: 1 (209) 988-8216
[email protected]
Activate Incident Command
Scenario A
The IT manager confirms an outsider intrusion. System logs confirm:
Data gathered online from customers includes email, name, and zip code
Unauthorized access to servers, including one containing databases with HR and employee data
Credit and debit card numbers for 10,000 customers have been accessed, but the card numbers were encrypted
You thought, whew…this is not so bad, but then….
Scenario A
System logs show that:
The last user to access the credit card numbers database had a company-issued username, password, and decryption key, all assigned to a member of your sales staff
Immediately following the user’s access, information was copied to a file which cannot now be located on your system
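The log pattern in Scenario A is detectable before the file goes missing: one account uses the cardholder-data decryption key and, minutes later, exports a large number of rows, and that account belongs to a role that has no business holding the key in the first place. The following is an added example, not part of the RIMS deck or any real Traveltime system; the audit-log format, field names, role-to-key entitlement table, row threshold and time window are all constructed assumptions for illustration.

```python
"""Detection sketch for the Scenario A pattern (added example, not from the deck).

Two checks run over a constructed audit log:
  1. least privilege: a role that is not entitled to the cardholder decryption
     key used it anyway;
  2. correlation: a key use is followed, inside a short window, by a bulk export.
Log format, role table and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp user role action object rows
SAMPLE_LOG = """\
2016-11-18T17:02:11Z sales_jdoe sales LOGIN auth 0
2016-11-18T17:03:40Z sales_jdoe sales KEY_USE carddata_dek 0
2016-11-18T17:04:02Z sales_jdoe sales DB_READ cards.customer_card 10000
2016-11-18T17:05:15Z sales_jdoe sales FILE_EXPORT /tmp/export_1118.csv 10000
2016-11-18T09:15:00Z dba_rlee dba KEY_USE carddata_dek 0
2016-11-18T09:15:30Z dba_rlee dba DB_READ cards.customer_card 25
2016-11-18T12:00:00Z hr_mkim hr DB_READ hr.employee 300
"""

# Constructed entitlement table: which roles may use which data-encryption key.
ALLOWED_KEY_ROLES = {"carddata_dek": {"dba", "payments"}}
EXPORT_THRESHOLD = 1000          # rows; anything at or above this is "bulk"
WINDOW = timedelta(minutes=15)   # key use -> export correlation window


def parse_log(text):
    """Parse the space-separated constructed log into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, obj, rows = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "role": role, "action": action,
                       "object": obj, "rows": int(rows)})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (user, alert_type, object) tuples for the two Scenario A checks."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for e in evs:
            if e["action"] != "KEY_USE":
                continue
            # Check 1: is this role entitled to the key at all?
            if e["role"] not in ALLOWED_KEY_ROLES.get(e["object"], set()):
                alerts.append((user, "key_use_outside_role", e["object"]))
            # Check 2: key use followed by a bulk export within the window.
            for later in evs:
                if (later["action"] == "FILE_EXPORT"
                        and e["ts"] <= later["ts"] <= e["ts"] + WINDOW
                        and later["rows"] >= EXPORT_THRESHOLD):
                    alerts.append((user, "key_use_then_bulk_export", later["object"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the DBA's key use raises nothing (entitled role, no export), while the sales account trips both checks. The point the scenario makes is visible in the code: encrypting the card numbers only helps if the decryption key is not issued to the same low-privilege account that can read and export the table.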
Scenario A Key Takeaways
Planning and preparedness are critical given the high levels of uncertainty, stress, and risk when the incident occurs.
Know in advance what laws apply to the data that you keep as the “rules” change depending on the type of information.
Limiting access to information is critical to minimizing risk and keeping the access management process streamlined.
Scenario A Key Takeaways
When an employee’s job duties change or they leave the company, there should be a review of what they have access to, and their privileges should be removed. The same goes for contractors/vendors that have our data.
Know who will be providing notice to the counterparties and have a generic letter drafted in advance to avoid scrambling during the compromise or breach.
Act promptly to identify potentially responsive insurance, to notify brokers and insurers, to select vendors or have insurers do so (depending on policy language), etc.
Scenario B
Review of the system logs shows an independent breach and unauthorized access to the source code of the underlying software Traveltime uses for its monitoring services. The following statement is posted on a blog:
WE HAVE JUST HACKED INTO TRAVELTIME AND TAKEN THEIR SOURCE CODE. WE WILL PUBLISH THEIR SOURCE CODE IF TRAVELTIME DOES NOT AGREE TO STOP SUPPORTING THE ANTI-AMERICAN FOUNDATION.
– THE PROTESTOR
Scenario B Key Takeaways
Yes, you should call law enforcement anytime there is a threat made against your organization.
It is critical to preserve evidence in the case of a breach or even a potential breach. Not doing so can complicate insurance coverage and card brand investigation, create difficulties with law enforcement, and weaken your ability to prove that you did the right things and/or that the incident did not rise to the level that would require notification.
Look at not only your cyber policy, but also your executive insurance and fidelity policies. Many Special Crime policies may contain names of companies to utilize in the event of extortion.
Scenario C
Immediately after receiving an email from Mr. Flyaway, you start investigating but cannot find any IT intrusions or problems.
Then, a few days later, the local police captain calls to say that hundreds of customer files, invoices and billing statements with credit card numbers and some medical data have been found at the dump. Codes on the paperwork indicate the records came from a Traveltime local office.
Scenario C Key Takeaways
Don’t forget that good old fashioned paper can result in a data breach. You need to minimize the retention of data whether electronic or on paper.
Ensure that any policies maintained take into account dumpster diving. Cyber risk is not the only risk; rather, consider information security as a whole.
Scenario D1
You learn that a copy of the accessed database was given electronically to your auditing firm, who is engaged to audit your Accounting and Information Security Practices:
An auditing firm employee stored this database on his laptop, to work on it while he traveled
Two weeks ago, the laptop was stolen from his car at a rest stop
Your auditing firm had not notified you before now, because they were conducting their own investigation
Scenario D2
Into the cloud……
Independent of the current situation, you receive a call from CLOUD INC., Traveltime’s third-party cloud service provider that hosts your data in its cloud.
They inform you that their server was hacked; they are unable to confirm if your data was accessed.
Detecting intrusion in a cloud computing environment is difficult.
Scenario D1&2 Key Takeaways
You want to ensure that you have contract language for your vendors that protects you from their errors and that they have insurance coverage for a data breach. The vendor’s insurance should cover the indemnity obligations owed to you.
Discuss the need to monitor compliance with contract terms and conditions, and methods for doing so.
Just because you outsource a system and it is in the cloud does not mean that you are not responsible for the breach; in fact, you are. It is the owner of the data, not the vendor, who is responsible for ensuring appropriate notification and for any penalties. If you have the right contract language, you may be able to get the vendor to take responsibility for responding to the breach and to reimburse you for costs, including penalties.
Scenario D1&2 Key Takeaways
Even if you are not responsible for damages as a result of a breach, what reputational harm has this done? How do you account for a loss in market cap, client satisfaction, or shareholder comfort?
Consider insurance issues relating to such damages.
Know how best to respond to the public about a breach of a cloud through a vendor.
Conduct an on-site review of the vendor, even one providing cloud computing, to know what risks you see. You can tell much about an organization by being on-site annually to do an audit.
Where to learn more
http://www.microsoft.com/atwork/security/
http://www.insurancejournal.tv/videos/8466/
http://privacyguidance.com/myblog.html The Privacy Professor Blog
http://www.ponemon.org/ Ponemon Institute
Q&A
RIMS ERM
CONFERENCE 2016
Thank You For Coming!