CYBER RISK What Not-for-Profit Management & Boards Need to Know - PDF document

9/20/2017 CYBER RISK What Not-for-Profit Management & Boards Need to Know September 20, 2017 Jan Hertzberg John Dougherty Director, BKD IT Director, Unbound jhertzberg@bkd.com johnd@unbound.org 1

9/20/2017 TO RECEIVE CPE CREDIT • Participate in entire webinar • Answer polls when they are provided • If you are viewing this webinar in a group  Complete group attendance form with • Title & date of live webinar • Your company name • Your printed name, signature & email address  All group attendance sheets must be submitted to training@bkd.com within 24 hours of live webinar  Answer polls when they are provided • If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar RAPIDLY EVOLVING CYBERTHREATS – MOTIVATIONAL SHIFTS FRAUDSTERS HACKTIVISTS NATION-STATES THEFT DISRUPTION DESTRUCTION ADDITIVE MOTIVATION PROGRESSION LINE 4 2

9/20/2017 TOP CYBERCRIMES • Business email compromise • Ransomware • Corporate account takeover • Identity theft • Theft of sensitive data • Theft of intellectual property • Denial of service 5 DATA BREACHES IN THE NEWS 2016 2017 Muncie, Indiana-based not-for-profit organization breached, lost all financial & client data Breach of data for 550,000 individuals 2015 2014 Breach of 10,00 donors personal info between 2013–2015 309,000 university faculty, staff & students 6 3

9/20/2017 EXAMPLE: BUSINESS EMAIL COMPROMISE • University admin receives email from “CFO” requesting all employee W2s pursuant to an IRS inquiry • Needs it today (received in the afternoon) • Admin puts it all together into one PDF, alphabetized • Hacker responds, telling her “this is more than I had hoped for” • Compromised W2 information sold on the underground market • Numerous employees contacted by real IRS about issues with their returns, or why they submitted two returns 7 EXAMPLE: RANSOMWARE • Midsize health care provider sustained two consecutive attacks on EMR system; ransom paid in bitcoin  After first attack, hardware/software upgrades were identified but budgetary constraints delayed implementation  After second attack, provider performed forensic evaluation to verify breach extent & eradicate malware • Performed a cybersecurity assessment to identify vulnerabilities 8 4

9/20/2017 RANSOM LETTER 9 WHY ARE NOT-FOR-PROFIT ORGANIZATIONS SO VULNERABLE? • Given the quantity & variety of Personal Identifiable Information (PII), cyber risk is inherently high • Spending priority is often given to the organization’s mission rather than to “back-office”  Challenging to recruit & retain expensive resources  Infrastructure improvements may not be robust • Heavy reliance on third-party service providers • Reputational risk is critical 10 5

9/20/2017 POTENTIAL BREACH IMPACTS Regulator Deceptive or scrutiny unfair trade charges ! Regulatory Damage sanctions to brand Damaged employee Negative relationships publicity Fines Refusal Diversion of to share personal resources Legal information liability Damaged donor Lost productivity relationships 11 DARK WEB PRICING Credit Cards Price (2012–2014) Current Price Visa & Mastercard $4 $7 Visa & Mastercard with Track 1 & $23 (V); $35 (MC) $30 Track 2 Data Premium American Express $28 $30 Bank Account Credentials $15,000 for 500 $15,000 for 500 Email Accounts Price (2012–2014) Current Price Popular Email (Gmail, Hotmail, $100 per 100,000 $100 per 100,000 Yahoo) Corporate Email N/A $500 per Mailbox IP Address of Email User $90 $90 12 6

9/20/2017 WHAT DRIVES COST OF BREACHES? 13 Ponemon 2016 Cost of Data Breach Study INTERESTING STATISTICS • Timing  In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla the most difficult)  In 83% of cases, it took weeks or more to discover an incident occurred  Attackers take easiest route (63% leveraged weak, default or stolen passwords)  95% of breaches were made possible by nine patterns including poor IT support processes, employee error & insider/privilege misuse of access 14 7

9/20/2017 REGULATORY RESPONSE OVER TIME 2006 Indiana 2000 2017 Breach 1996 2003 CFR17 Part Executive Order Notification HIPAA California 248 Strengthening the Law 1934 Data Breach Brokers Cybersecurity of SEC Act Law Consumer Federal Networks & Protection Critical Infrastructure 1974 1999 2001 2018 Family 2013 Gramm- Cybersecurity 2009 General Data Educational HIPAA Leach-Bliley 2006 HITECH Enhancement Rights & Privacy Protection Regulation (Omnibus) Act PCI DSS Act Act (GDPR) (FERPA ) 15 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) • Covers  Health care providers  Health care payors  Health care clearinghouses  Employers who administer their own health plans • Protected health information (PHI)  Covered entities may only use or disclose PHI as permitted • Enforced by HHS Office for Civil Rights  State attorneys general • Introduced  HIPAA (1996), HITECH (2009) & The Omnibus Rule (2013) 16 8

9/20/2017 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) • Covers  Businesses accepting credit & debit card payments  “Card Present” transactions (card swipes)  “Card Not Present” transactions (e-commerce) • Cardholder data  Storing, processing & transmitting by “merchants” • Enforced by  Credit card brands  “Acquiring Bank” responsible for processing payment transactions • Introduced  PCI Security Standards Council (PCI SSC), consisting of five credit card brands (Visa, Mastercard, Discover, American Express, JCB), created the PCI DSS in 2006; updated on three-year cycle 17 GRAMM-LEACH-BLILEY ACT (GLBA) • Covers  Financial services organizations including post-secondary educational institutions • Financial aid records  Develop, implement & maintain a written information security program  Designate employee responsible for coordinating the security program  Identify & assess risks to student information  Select appropriate services providers capable of maintaining appropriate safeguards  Periodically evaluate & update their security program • Enforced by  Federal Trade Commission (FTC) • Introduced  Dear Colleague Letter GEN-15-18 (July 29, 2015) 18 9

9/20/2017 CYBER RISK OVERSIGHT WHAT DO BOARDS WANT TO KNOW? What do we consider our most valuable assets? How does our IT system interact with those assets? Do we believe we can fully protect those assets? Do we think there is adequate protection in place if someone wanted to get at or damage our corporate “crown jewels”? If not, what would it take to feel comfortable that our assets were protected? Are we investing enough so our corporate operating & network systems are not easy targets by a determined hacker? Are we considering cybersecurity aspects of our major business decisions, such as mergers & acquisitions, partnerships, new product launches, etc., in a timely fashion? 20 10

9/20/2017 FIVE PRINCIPLES OF CYBER RISK OVERSIGHT 1 Organizations need to understand & approach cybersecurity as enterprisewide risk management issue, not just IT issue 21 FIVE PRINCIPLES OF CYBER RISK OVERSIGHT 2 Understand legal implications of cyber risks as they relate to their organization’s specific circumstances 22 11

9/20/2017 FIVE PRINCIPLES OF CYBER RISK OVERSIGHT 3 Have adequate access to cybersecurity expertise, & discussions about cyber risk management should be given regular & adequate time on the board meeting agenda 23 FIVE PRINCIPLES OF CYBER RISK OVERSIGHT 4 Set expectation management will establish an enterprisewide cyber risk management framework with adequate staffing & budget 24 12

9/20/2017 FIVE PRINCIPLES OF CYBER RISK OVERSIGHT 5 Include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach 25 ASSESSING YOUR CYBERSECURITY PROGRAM 13

9/20/2017 NIST CYBERSECURITY FRAMEWORK (NIST CSF) • Background  Published February 12, 2014, by the National Institute of Standards & Technology (NIST)  Voluntary federal framework (not a set of standards) for critical infrastructure services  Provides common language for organizations to assess, communicate & measure improvement security posture • Controls  High-level controls provide framework of “what” but not “how”  Five functions, 22 control categories, 98 key controls derived from industry best practice & standards  Contains four maturity tier ratings 27 NIST CYBERSECURITY FRAMEWORK Asset Management Business Environment Governance Recovery Planning Risk Assessment Improvements Risk Management Communications Strategy Framework Access Control Categories Awareness & Training Data Security Information Protection Processes Communications Maintenance Analysis Protective Mitigation Technology Anomalies & Events Improvements Security Continuous Monitoring Response Planning 24 28 Detection Processes 14