The Changing Face of Cyber Security Risk and Regulation (PowerPoint presentation transcript)


SLIDE 1

The Changing Face of Cyber Security Risk and Regulation

Thursday, March 23, 2017 Time: 2pm – 3pm

For your convenience, you may download today’s presentation, Index of Topics, and Glossary of Key Terms from the Resource List widget in the lower right section of your console before the event begins. A Housekeeping video will play before today’s presenters begin. If listening with computer speakers, please follow along with the audio. If listening by phone, please follow along with the instructional slides. If you experience any issues with slide advancement, press F5 on a PC or Cmd+R on a Mac.

SLIDE 2

Welcome and Housekeeping

  • Welcome
  • Chris Mason – Producer, e-Learning Committee
  • Housekeeping Video
  • Conference Video
SLIDE 3

Session Overview

Cyber security is at the forefront of everyone’s minds. With more digital and so-called “Insurtech” initiatives comes more pressure to keep customers’ information safe. The magnitude and likelihood of data breaches involving insurance companies have led to significant regulatory inquiries and reputational damage. Governmental bodies have been creating regulations to crack down on these breaches and ensure that companies have cyber security programs in place.

  • Welcome our Moderator and Panelists:

– Jerry Ravi – Moderator (Internal Audit and Risk Consultant)
  • Partner, EisnerAmper LLP
  • IASA Metro NY/NJ Chapter President

– Venkat Rao – Panel Member (Global Regulatory / Compliance Consultant)
  • Director, EisnerAmper LLP

– Jack Hewitt – Panel Member (Regulatory / Legal Expert)
  • Partner, Pastore & Dailey LLC
SLIDE 4

Session Objectives

  • Identify the six key aspects of the cybersecurity threat and regulatory landscape.
  • Recognize the key components of the newly adopted New York State Department of Financial Services (NYS DFS) cybersecurity regulations.
  • Recognize how insurers have implemented risk-based cyber security programs and solutions designed to properly manage and monitor cybersecurity threats and to address the NYS DFS regulations.

SLIDE 5

Overview of Topics (in order from top down, left to right columns; listed here in presentation order)

1. Always on your mind
2. The Data Model is Changing
3. Emerging Preventative Technologies
4. Adjusting at a Slow Rate
5. Rising Costs of Insecurity
6. 12 Common Reasons for Data Breaches
7. Two Factors Account for Most Theft and Loss
8. Evolution of Cybersecurity Regulation
9. What is the Main Regulatory Framework
10. Framework for Improving Cybersecurity
11. Sample NIST Risk Assessment – Heat Map
12. Key SEC Enforcement Cases
13. Key FINRA Enforcement Case
14. Key Areas of Focus for Insurers and Financial Institutions
15. NYDFS Cyber Security Rules and Regulations
16. Summary of NYS DFS Rules
17. Cybersecurity Definitions – Non-public Information – 500.01(g)
18. New York State Information Security Breach and Notification Act
19. Cybersecurity Program – Sect. 500.02
20. Cybersecurity Policy – Sect. 500.03
21. Information Security Program
22. Cybersecurity Sources
23. Chief Information Security Officer (CISO) – Sect. 500.04
24. Governance Policy
25. Risk Assessment – 500.09
26. Access Policy
27. Data Loss Protection Policy
28. Third Party Service Providers – Vendors – Sect. 500.11
29. Training – 500.14
30. Incident Response Plans – 500.16
31. Notices – 500.17
32. Exemptions
33. Key Takeaways
34. Key Insurance Industry Themes
35. Perform a Continuous Assessment
36. Preventative Measures

SLIDE 6

Today’s Speakers

Jerry Ravi, Partner, EisnerAmper LLP

Jerry Ravi is a Partner in the Consulting Services Group. Jerry has over 15 years of business advisory and audit experience, with a unique ability to bring clarity and forward movement to the decision-making process. Combining advisory, facilitation and coaching, his work results in positive and sustainable business growth and risk management programs. Jerry helps clients translate complex challenges and regulatory requirements into sound strategies, providing the catalyst for change and the capacity to take action. Jerry partners with management, audit executives and board members to effectively manage and monitor risks facing their organizations. Through the role of internal auditor, compliance and enterprise risk specialist, he provides value-added assurance and consulting services. Jerry’s credo is to protect value and enhance outcomes and performance through practical and cost-effective solutions, including the coordination and utilization of people, process and technology. Jerry’s primary focus has been on managing Enterprise Risk Management (ERM) and internal audit and compliance engagements, which entails assisting and educating clients in designing an enterprise-wide risk management program. This includes deploying risk-based internal audit plans to enhance governance processes and monitor ongoing compliance with key controls in key risk areas. Jerry serves clients in a variety of highly regulated industries, maintaining a focus on the financial services sector where he helps companies address financial, operational, technology and regulatory risk and assists with operational excellence to overcome market and regulatory challenges.

SLIDE 7

Today’s Speakers

Venkat Rao, Director, EisnerAmper LLP

Venkat Rao is a Director with EisnerAmper’s Global Compliance and Regulatory Solutions. He has nearly 15 years of experience working with hedge funds, private equity funds, commodity pool operators, registered investment advisors, broker-dealers, investment banks, and insurance companies. Venkat provides value added solutions to enhance compliance programs, such as creating compliance manuals and anti-money laundering (“AML”) procedures, performing mock regulatory examinations, and conducting risk assessments and annual reviews. He has conducted AML risk assessments pursuant to requirements under the Bank Secrecy Act, and tested compliance with a firm’s AML program to identify deficiencies. Venkat also advises clients on the latest regulatory developments from the SEC and CFTC.

Venkat has worked extensively with various members of large and small organizations in addressing regulatory needs, including cybersecurity matters. He has overseen compliance departments, including AML compliance programs, and created, developed and tested policies and procedures in advance of and preparation for regulatory exams. Prior to joining the firm, Venkat was a Chief Compliance Officer for broker-dealers and investment advisors of hedge funds and private equity funds. Venkat headed the examination program for registered investment advisors and broker-dealers for a global professional services firm. In addition, he served as a risk and regulatory consultant in a Big Four accounting firm’s Advisory Services Practice, and advised many financial institutions of various sizes.

SLIDE 8

Today’s Speakers

John R. (“Jack”) Hewitt, Partner, Pastore & Dailey LLC

John R. ("Jack") Hewitt is a securities lawyer and focuses his practice on securities litigation and regulatory advice and counsel to broker-dealers, investment banks and investment advisers. His work involves virtually every aspect of the federal and state securities laws, including equity, fixed income and derivatives trading, net capital, short-selling, suitability, record retention, insider trading, cybersecurity and registration issues. Cybersecurity is a major part of Mr. Hewitt’s practice, and he is a recognized national authority in this field. Among other things, he advises firms on their development of information security programs, guides them through cyber incidents and represents them in any resultant regulatory inquiry. Mr. Hewitt regularly conducts cybersecurity audits for broker-dealers and investment advisers, and was the SEC-appointed independent outside consultant in the first major SEC cybersecurity enforcement action, In the Matter of LPL Financial Corp., Respondent, Admin. Proc. File No. 3-13181 (2008).

Mr. Hewitt has written extensively on the regulation of electronic technology in the securities markets, including a series of articles for the New York Law Journal, and has chaired and spoken at numerous seminars on it. Mr. Hewitt is the author of Cybersecurity in the Federal Securities Markets, a Bloomberg BNA treatise, and is the editor and author of Securities Practice & Electronic Technology, an ALM publication. He is also the author of the Record Keeping and Advertising chapters of the PLI Broker-Dealer Regulation treatise.

Mr. Hewitt is currently the Co-Chair of the American Bar Association, Business Section Subcommittee on Cybersecurity. He is a recipient of the Compliance Reporter Compliance Person of the Year award for his work in electronic technology regulation, was a participant in the Securities and Exchange Commission’s roundtable discussions on internet issues and is listed on the International Who’s Who of e-Commerce lawyers.

SLIDE 9

Always on your mind?

  • It’s an evolving threat
  • Digital initiatives, greater connectivity, greater risk
  • Balancing cybersecurity with profitability

AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE

SLIDE 10

THE DATA MODEL IS CHANGING…

SLIDE 11

Emerging Preventative Technologies

There are a number of emerging technologies being introduced into commercial markets and the insurance industry; some are restructuring many industries:

– Blockchain Technology
– Mobile Micro-insurance
– Wearables
– Smart Contracts
– Commercial Drone Usage

According to a study produced by Accenture, only 0.2% of annual premiums were spent by insurance companies on digital initiatives.

SLIDE 12

Adjusting at a Slow Rate

  • The level of investment and projects regarding blockchain is relatively low in the insurance industry, at 3% participation
  • 75% of the world’s leading financial institutions have partnered seeking to create a ledger system based on blockchain technology
  • 87% of insurance respondents say we have entered an era marked by an exponential rate of change

SLIDE 13

Rising Costs of Insecurity

Source: 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute

  • The average consolidated total cost of a data breach is $4 million.
  • The cost incurred for each lost or stolen record containing sensitive and confidential information increased from a consolidated average of $154 to $158.
  • In addition to cost data, the likelihood of a material data breach involving 10,000 lost or stolen records in the next 24 months is estimated to be 26 percent.

SLIDE 14

12 Common Reasons for Data Breaches

According to the new Ponemon Institute study, “Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations,” 76 percent of organizations experienced the loss or theft of data last year.

1. Loss or theft of data is up sharply
2. Insider negligence is the number one internal threat
3. Ransomware and phishing attacks are a growing threat
4. Employees’ jobs require them to access more proprietary data
5. Companies need to track employees’ access to confidential data
6. Progress in combating these threats is not being encouraged

SLIDE 15

12 Common Reasons (continued)

7. Many organizations have no searchable records of file system activity
8. Companies are slow to detect unauthorized file access
9. End users are not deleting files, thus exacerbating vulnerability
10. Moving to the cloud is happening much more slowly than expected
11. Two troubling factors account for most data theft and loss (to be discussed)
12. Too many companies aren’t taking security seriously enough

The study looks into the most common and detrimental factors behind those incidents, and briefly touches upon ways in which these harmful data breaches could be avoided, treated, or serve as lessons to be learned from.

SLIDE 16

Two Factors Account for Most Theft and Loss

The continuing increase in data loss and theft is due in large part to two troubling factors:

– Compromises of insider accounts, exacerbated by far wider employee and third-party access to sensitive information than is necessary.
– Failure to monitor: access and activity around email and file systems, where most confidential and sensitive data moves and lives, is not monitored thoroughly.

SLIDE 17

REGULATORY LANDSCAPE

Venkat Rao Director, EisnerAmper LLP

SLIDE 18

Evolution of Cybersecurity Regulation

Regulators initially addressed cybersecurity through risk alerts, guidance and examinations. More recently, regulators have issued formal cybersecurity rules for financial services firms.

Timeline:

  • 2000–2013: Passage of GLB (Gramm-Leach-Bliley), enactment and enforcement of Regulation S-P.
  • April 2014: SEC issues its first Risk Alert announcing a cybersecurity initiative for broker-dealers and investment advisers.
  • February 2015: FINRA issues its report on cybersecurity practices.
  • April 2015: NAIC adopts cybersecurity principles.
  • August 2015: NFA adopts compliance rules around information security systems.
  • September 2015: SEC issues a Risk Alert identifying areas of examination focus related to cybersecurity.
  • 2016: FinCEN issues FAQs related to cyber-SARs.
  • March 2017: NYS DFS new cybersecurity rules for covered financial institutions take effect.

Key Themes From Cybersecurity Regulatory Initiatives

Governance and Risk Assessments
  • Regulators expect firms to perform risk assessments to understand the cyber threats to their organization, and to involve the board and senior management in cyber risk discussions.

Safeguard Customer Data
  • SEC registrants are required to follow Regulation S-P, which mandates protection of customer data.

Breach Reporting
  • In the event of a cyber breach, many states require reporting of breaches to state regulators. With many public incidents, firms may also be required to notify customers if their information has been compromised.

Periodic Testing
  • Penetration and vulnerability tests are examples of probing the effectiveness of a firm’s information security system. To meet key regulatory requirements, firms are expected to periodically conduct such tests, either internally or through third parties.

Potential AML Implications
  • Certain incidents that involve cyber crimes may trigger SAR filing requirements. Financial institutions will be expected to include cyber-related information and identifiers when filing such SARs.

Training
  • Employee conduct (intentional or unintentional) tends to expose firms to cyber threats. Training and tabletop exercises can mitigate this threat.

SLIDE 19

What is the main regulatory framework?

  • The National Institute of Standards and Technology (NIST) provides a cybersecurity framework adopted by much of the financial services industry and the Securities and Exchange Commission (“SEC”). The NIST Framework consists of 3 parts:

– Framework Core – a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
– Framework Implementation Tiers – the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive).
– Framework Profile – the outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories.

SLIDE 20

Framework for Improving Cybersecurity

SLIDE 21

Sample NIST Risk Assessment – Heat Map

  • Create a short and longer term action plan based on overall risk score.

Heat map (count of assessed items by Impact score and Likelihood score; blank = none):

Impact score \ Likelihood score    High   Medium   Low
High                                  2        2
Medium                                4       17     9
Low                                   2       25    37

Overall risk score by Function (count):

Function          High   Medium   Low
IDENTIFY (ID)        2        9    13
PROTECT (PR)         3        4    28
DETECT (DE)          1            17
RESPOND (RS)                  2    13
RECOVER (RC)         2        4
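The heat map above is produced by scoring each assessed NIST Framework subcategory on impact and likelihood, combining the two into an overall risk score, and rolling the scores up to the five Framework functions. The following is an added example (not code from the presentation) that builds those two tables and the prioritized action plan from a list of findings. The slide shows only the resulting counts, so the 3x3 scoring rule in `overall_risk`, the remediation horizons in `TERM`, and the sample findings are assumptions made here for illustration.

```python
"""Risk heat map and per-function rollup for a NIST CSF-style assessment.

Added example, not from the presentation. The slide shows only the
resulting counts; the 3x3 scoring rule below and the sample findings
are assumptions made here for illustration.
"""
from typing import Dict, Iterable, List, Tuple

LEVELS = ("High", "Medium", "Low")
RANK = {"High": 3, "Medium": 2, "Low": 1}

# NIST CSF v1.0 function identifiers, in Framework order.
FUNCTIONS = {"ID": "IDENTIFY", "PR": "PROTECT", "DE": "DETECT",
             "RS": "RESPOND", "RC": "RECOVER"}

# Assumed remediation horizon per overall risk score (not from the slide).
TERM = {"High": "short term", "Medium": "longer term", "Low": "monitor"}

Finding = Tuple[str, str, str]  # (CSF subcategory, impact, likelihood)


def overall_risk(impact: str, likelihood: str) -> str:
    """Combine impact and likelihood with an assumed 3x3 matrix.

    High   for H/H, H/M, M/H   (rank sum >= 5)
    Medium for H/L, M/M, L/H   (rank sum == 4)
    Low    for the remaining cells
    """
    total = RANK[impact] + RANK[likelihood]
    if total >= 5:
        return "High"
    if total == 4:
        return "Medium"
    return "Low"


def heat_map(findings: Iterable[Finding]) -> Dict[str, Dict[str, int]]:
    """Count findings per cell; rows are impact, columns are likelihood."""
    grid = {i: {lk: 0 for lk in LEVELS} for i in LEVELS}
    for _, impact, likelihood in findings:
        grid[impact][likelihood] += 1
    return grid


def counts_by_function(findings: Iterable[Finding]) -> Dict[str, Dict[str, int]]:
    """Roll overall scores up to the five CSF functions (the slide's second table)."""
    rollup = {name: {lv: 0 for lv in LEVELS} for name in FUNCTIONS.values()}
    for subcat, impact, likelihood in findings:
        function = FUNCTIONS[subcat.split(".")[0]]
        rollup[function][overall_risk(impact, likelihood)] += 1
    return rollup


def action_plan(findings: Iterable[Finding]) -> List[Tuple[str, str, str]]:
    """Order findings for remediation: highest overall score first, then
    highest impact, then highest likelihood. Returns (subcategory, score, term)."""
    scored = [(s, overall_risk(i, lk), i, lk) for s, i, lk in findings]
    scored.sort(key=lambda f: (-RANK[f[1]], -RANK[f[2]], -RANK[f[3]], f[0]))
    return [(s, score, TERM[score]) for s, score, _, _ in scored]


def render_heat_map(grid: Dict[str, Dict[str, int]]) -> str:
    """Plain-text heat map in the layout of the slide (blank for zero)."""
    lines = ["Impact \\ Likelihood  " + "  ".join(f"{lk:>6}" for lk in LEVELS)]
    for impact in LEVELS:
        cells = "  ".join(f"{grid[impact][lk] or '':>6}" for lk in LEVELS)
        lines.append(f"{impact:<20} {cells}")
    return "\n".join(lines)


# Constructed sample assessment (ten subcategories), not the slide's data.
SAMPLE_FINDINGS: List[Finding] = [
    ("ID.AM-1", "High", "Medium"),    # no authoritative asset inventory
    ("ID.RA-1", "Medium", "High"),    # vulnerabilities not tracked
    ("PR.AC-4", "High", "High"),      # least privilege not enforced
    ("PR.DS-1", "High", "Low"),       # laptop disks not encrypted
    ("PR.AT-1", "Medium", "Medium"),  # awareness training out of date
    ("PR.IP-12", "Medium", "High"),   # no vulnerability management plan
    ("DE.CM-1", "Medium", "Low"),     # network monitoring gaps
    ("DE.AE-3", "Low", "High"),       # event data not correlated
    ("RS.RP-1", "Low", "Medium"),     # response plan never exercised
    ("RC.RP-1", "Low", "Low"),        # recovery plan exists, untested
]

if __name__ == "__main__":
    print(render_heat_map(heat_map(SAMPLE_FINDINGS)))
    for function, counts in counts_by_function(SAMPLE_FINDINGS).items():
        print(f"{function:<9} {counts}")
    for subcat, score, term in action_plan(SAMPLE_FINDINGS):
        print(f"{subcat:<9} {score:<7} {term}")
```

Running the file prints the heat map, the per-function counts and the ordered action plan for the constructed findings; feeding it a full set of scored subcategories would reproduce the two tables on the slide for that assessment. The scoring matrix is the common "three-by-three" rule; if a firm uses a different combination (for example, treating any High impact as High risk), only `overall_risk` changes.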

SLIDE 22

Key SEC Enforcement Cases

R.T. Jones: In September 2015, the St. Louis-based investment adviser settled charges with the SEC that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (“PII”) of approximately 100,000 individuals, including thousands of the firm’s clients. According to the SEC’s order*:

  • The firm stored sensitive PII of clients and others on its third-party-hosted web server for nearly 4 years;
  • During this time, the firm’s web server was attacked by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft;
  • The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents;
  • After R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and determine its scope; and
  • Shortly after the incident, R.T. Jones provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.

KEY TAKEAWAY: Policies and procedures must be reasonably designed and effectively implemented to protect customer data, and effective remediation measures must be in place in the event of a breach. Based on the foregoing facts, the SEC found that the firm violated Rule 30(a) of Regulation S-P (the “Safeguards Rule”) for failing to adopt written policies and procedures to safeguard customer data.

* In the Matter of R.T. Jones Capital Equities Management, Inc., SEC Investment Advisers Act Release No. 4204, September 22, 2015.

SLIDE 23

Key SEC Enforcement Cases (cont’d)

Morgan Stanley: In June 2016, Morgan Stanley Smith Barney LLC agreed to pay a $1 million penalty to settle charges related to its failures to protect customer information, some of which was hacked and offered for sale online. According to the SEC’s order*:

  • Morgan Stanley’s policies and procedures were not reasonably designed to protect customer records and information; two (2) internal web portals allowed its employees to access customers’ confidential account information;
  • For these portals, Morgan Stanley did not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on each employee’s legitimate business need;
  • Morgan Stanley also did not audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of the portals;
  • Consequently, a former employee downloaded and transferred confidential data to his personal server at home between 2011 and 2014; and
  • A likely third-party hack of the employee’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities.

KEY TAKEAWAY: Firms must review policies and procedures around authorization of employee access to confidential customer data, and periodically review and test such authorization. Based on the foregoing facts, the SEC found that the firm violated Rule 30(a) of Regulation S-P (the “Safeguards Rule”) for failing to adopt written policies and procedures to safeguard customer data.

* In the Matter of Morgan Stanley Smith Barney LLC, SEC Exchange Act Release No. 78021, June 8, 2016.

SLIDE 24

Key FINRA Enforcement Case

Sterne Agee & Leach, Inc.: In May 2015, the Alabama-based self-clearing broker-dealer was censured and fined $225,000 for failing to protect confidential information and maintain adequate written compliance and supervisory procedures. According to the FINRA action*:

  • The personal and confidential information of more than 350,000 customers was placed at risk when “an Information Technology employee inadvertently left an unencrypted laptop in a restroom and it was lost”;
  • FINRA cited Regulatory Notice 05-49, which provides guidance regarding safeguarding confidential customer information, including “whether the member's existing policies and procedures adequately address the technology currently in use,” and “whether the member has taken appropriate technological precautions to protect customer information”;
  • The firm purchased encryption software, but failed to fully implement the encryption solution because it did not allocate sufficient funds; and
  • Sterne Agee failed to adopt written supervisory procedures to ensure the security of sensitive customer information.

KEY TAKEAWAY: Firms must fully implement policies and procedures to safeguard customer data, and not delay allocation of funding for such critical resources. Based on the foregoing facts, FINRA found that the firm violated Rule 30(a) of Regulation S-P, NASD Conduct Rule 3010, and FINRA Rule 2010 for failing to adopt adequate written policies and procedures to safeguard customer data.

* Sterne Agee & Leach, Inc., FINRA Letter of Acceptance, Waiver and Consent No. 2014041619501, May 22, 2015.

SLIDE 25

Key Areas of Focus for Insurers and Financial Institutions

It is imperative to develop policies and procedures for all focus areas, including:

Governance and Risk Assessment
  • Evaluate cybersecurity risks and the level of communication about them

Access Rights and Controls
  • How firms control onsite and offsite access to systems and data

Data Loss Prevention
  • How firms monitor outbound communication and data transfers

Vendor Management
  • What level of due diligence firms conduct on a vendor

Employee Training
  • How firms train employees and third party vendors

Incident Response
  • Whether firms have established proper protocols

SLIDE 26

NYDFS CYBER SECURITY RULES AND REGULATIONS

Jack Hewitt Partner, Pastore & Dailey LLC

SLIDE 27

Summary of NYS DFS Rules

Information security is at the forefront of everyone’s minds. Breaches across multiple industries involving major corporations have caused NYS DFS to update its cyber security regulations. The new regulation includes:

  • A risk assessment that allows organizations to evaluate and categorize risks and threats, and to determine how to mitigate those risks.
  • Designating a Chief Information Security Officer (CISO) for overseeing and implementing the cyber security program.
  • Conducting annual penetration tests based on relevant risks.
  • Maintaining systems that are able to reconstruct material financial transactions, and retaining those records for a minimum of five years.
  • Designing policies and procedures for management of third party service providers based on the risk assessment of the covered entity.

SLIDE 28

Cybersecurity Definitions – Non-public Information – 500.01(g)

Business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity.
SLIDE 29

Cybersecurity Definitions – Non-public Information – 500.01(g)

Any information which because of name, number, personal mark, or other identifier can be used to identify an individual, combined with:
(i) social security number;
(ii) driver’s license number or non-driver identification card number;
(iii) account number, credit or debit card number;
(iv) any security code, access code or password permitting access to a financial account; or
(v) biometric records.

SLIDE 30

New York State Information Security Breach and Notification Act

Rule 500.01(g) is very similar to the definition of Personally Identifiable Information in the New York State Information Security Breach and Notification Act: https://ag.ny.gov/internet/data-breach

SLIDE 31

Cybersecurity Program – Sect. 500.02

Shall be designed to:
1) Identify and assess internal and external cybersecurity risks;
2) Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
3) Detect Cybersecurity Events;
4) Respond to identified or detected Cybersecurity Events to mitigate any negative effects;
5) Recover from Cybersecurity Events and restore normal operations and services; and
6) Fulfill applicable regulatory reporting obligations.

SLIDE 32

Cybersecurity Policy – Sect. 500.03

Covered Entities are required to implement and maintain a written policy that addresses the following:
1) Information security;
2) Data governance and classification;
3) Asset inventory and device management (Risk Assessment – 500.09);
4) Access controls and identity management (Access Privileges – 500.07);
5) Business continuity and disaster recovery planning and resources;
6) Systems operations and availability concerns;

SLIDE 33

Cybersecurity Policy – Sect. 500.03 (continued)

7) Systems and network security;
8) Systems and network monitoring;
9) Systems and application development and quality assurance;
10) Physical security and environmental controls;
11) Customer data privacy;
12) Vendor and Third Party Service Provider (TPSP) management (Third Party Service Provider Security Policy – 500.11);
13) Risk assessment (Risk Assessment – 500.09); and
14) Incident response (Incident Response Plan – 500.16).

SLIDE 34

Information Security Program

A properly structured ISP should address the following cybersecurity requirements:

  • Governance
  • Risk Assessment
  • Access Rights and Control
  • Data Loss Prevention
  • Vendor Management
  • Training
  • Incident Response

SLIDE 35

Cybersecurity Sources

  • NIST – Framework for Improving Critical Infrastructure Cybersecurity (Vers. 1.0, 2014)
  • FINRA Report on Cybersecurity Practices (February 2015)
  • SEC National Exam Program Risk Alert, 2015 Cybersecurity Examination Initiative, Vol. IV, Issue 8 (Sept. 15, 2015)
  • Cybersecurity in the Federal Securities Markets, 383 Securities Practice Portfolio Series (BNA) (2016)

SLIDE 36

Chief Information Security Officer (CISO) – Sect. 500.04

A qualified individual responsible for developing, overseeing and implementing the Governance Policy. A Covered Entity may use a Third Party Service Provider to address this obligation but retains responsibility.

Must file an Annual Report with the Board on the cybersecurity status of the firm.
SLIDE 37

Governance Policy

FINRA Cybersecurity Practices Report:

  • Development of an internal cybersecurity governance framework appropriate to the organization’s size and business.
  • Originating at and directed by the Board and senior management.
  • It should specify the departments and firm officers responsible for cybersecurity-related matters, their roles and responsibilities and their position within the firm’s organization.
  • Regular CISO briefings of the Board and senior management.

SLIDE 38

Risk Assessment – 500.09

Initial and periodic risk assessment of information systems to allow for design, implementation and revision of the ISP. The NIST Framework provides that a risk assessment should:

  • identify and document asset vulnerabilities;
  • review threat and vulnerability information from information sharing forums and sources;
  • identify and document internal and external threats;
  • identify potential business impacts and likelihoods;
  • use threats, vulnerabilities, likelihoods and impacts to determine risk; and
  • identify and prioritize risk responses.
SLIDE 39

Access Policy

  • Pre-employment Procedure
  • Employee Access Procedure
    – Principle of Least Privilege
    – Separation of Duties
  • Access Modification and Revocation
  • Access Lists, Monitoring and Annual Recertification
  • Password Policy
  • Employee Termination Procedure (24hrs)
  • Employee Security Training
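Several items in the access policy above translate directly into checks that can be run against an access list: separation of duties, revocation within 24 hours of termination, annual recertification, and an access list reconciled against HR (the Morgan Stanley case earlier in the deck turned on exactly this kind of review not being done). The following is an added example, not code from the presentation: an access review in Python that flags each condition. The HR roster, access list, conflicting role pairs and review timestamp are constructed for illustration; the 24-hour window and the annual interval come from the slide.

```python
"""Access-policy checks over a user access list.

Added example, not from the presentation. It implements the checks the
Access Policy slide implies: revocation within 24 hours of termination,
separation of duties, annual recertification, and detection of accounts
with no corresponding employee. The roster, access list, conflicting
role pairs and review date are constructed here for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

REVOCATION_WINDOW = timedelta(hours=24)   # slide: termination procedure (24hrs)
RECERT_INTERVAL = timedelta(days=365)     # slide: annual recertification

# Assumed role pairs that one person must never hold together.
CONFLICTING_ROLES = [
    frozenset({"payments_initiator", "payments_approver"}),
    frozenset({"developer", "prod_deployer"}),
]

# Constructed HR roster: user -> termination time, or None if still employed.
HR_ROSTER: Dict[str, Optional[datetime]] = {
    "alice": None,
    "bob": datetime(2017, 3, 20, 9, 0),
    "carol": datetime(2017, 3, 22, 17, 0),
}

# Constructed access list: user -> (active roles, last recertification).
ACCESS_LIST: Dict[str, Tuple[frozenset, datetime]] = {
    "alice": (frozenset({"payments_initiator", "payments_approver"}), datetime(2016, 1, 10)),
    "bob": (frozenset({"developer"}), datetime(2016, 9, 1)),
    "carol": (frozenset({"prod_deployer"}), datetime(2017, 1, 5)),
    "dave": (frozenset({"developer"}), datetime(2016, 12, 1)),  # no HR record
}

REVIEW_TIME = datetime(2017, 3, 23, 14, 0)  # constructed review timestamp


def stale_terminations(roster, access, now) -> List[str]:
    """Users still holding access more than REVOCATION_WINDOW after termination."""
    return sorted(
        user for user, (roles, _) in access.items()
        if roles and roster.get(user) is not None
        and now - roster[user] > REVOCATION_WINDOW
    )


def sod_violations(access) -> List[Tuple[str, frozenset]]:
    """Users whose roles contain a conflicting pair (separation of duties)."""
    found = []
    for user, (roles, _) in sorted(access.items()):
        for pair in CONFLICTING_ROLES:
            if pair <= roles:
                found.append((user, pair))
    return found


def recert_overdue(access, now) -> List[str]:
    """Users whose access has not been recertified within RECERT_INTERVAL."""
    return sorted(user for user, (_, last) in access.items()
                  if now - last > RECERT_INTERVAL)


def orphan_accounts(roster, access) -> List[str]:
    """Accounts on the access list with no record in the HR roster."""
    return sorted(set(access) - set(roster))


def access_review(roster, access, now) -> List[str]:
    """Run all checks and return one finding per line, most urgent first."""
    findings = []
    for user in stale_terminations(roster, access, now):
        findings.append(f"REVOKE      {user}: terminated {roster[user]:%Y-%m-%d %H:%M}, access still active")
    for user in orphan_accounts(roster, access):
        findings.append(f"INVESTIGATE {user}: account has no HR record")
    for user, pair in sod_violations(access):
        findings.append(f"SOD         {user}: holds conflicting roles {sorted(pair)}")
    for user in recert_overdue(access, now):
        findings.append(f"RECERT      {user}: last recertified {access[user][1]:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    for line in access_review(HR_ROSTER, ACCESS_LIST, REVIEW_TIME):
        print(line)
```

On the constructed data, bob (terminated three days earlier, still active) is flagged for revocation, carol (terminated 21 hours earlier) is still inside the window, dave has no HR record, alice holds both halves of a payments workflow and has not been recertified in over a year. In practice the roster and access list would be exported from the HR system and the directory or application authorization module; the comparison logic stays the same.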
SLIDE 40

Data Loss Protection Policy

Protect a firm's confidential and sensitive data through a defense-in-depth strategy, i.e. the layering of multiple independent security controls strategically throughout its information technology systems:

  • Firewalls, including next-generation firewalls
  • Intrusion Detection Systems
  • Intrusion Prevention Systems
  • Monitoring and Auditing Devices
  • Encryption
SLIDE 41

Third Party Service Providers – Vendors – Sect. 500.11

Each Covered Entity shall implement written TPSP policies and procedures based on its Risk Assessment, which shall address:

  • the identification and risk assessment of TPSPs;
  • minimum cybersecurity practices required to be met;
  • due diligence processes; and
  • periodic assessment.

See also: FINRA Cybersecurity Study – Vendor Management Section

SLIDE 42

Training – 500.14

Covered entities should provide for regular cybersecurity awareness training for all personnel that is updated to reflect its current risks. The FINRA Cybersecurity Practices Report lists the following as key topics for a firm's training program:

  • Recognizing Risks
  • Social Engineering Schemes and Phishing
  • Handling Confidential Information
  • Password Protection
  • Escalation Policies
  • Physical Security
  • Mobile Security
  • Application Security
  • Emerging Technology Issues
  • Software Vulnerabilities
SLIDE 43

Incident Response Plans – 500.16

Designed to promptly respond to, and recover from, any Cybersecurity Event. Incident response plans should address: (1) the internal processes for responding to a Cybersecurity Event; (2) definitive goals; (3) clear roles, responsibilities and levels of decision-making authority; (4) external and internal communications and information sharing; (5) remediation of any identified ISP weaknesses; (6) documentation and reporting of Cybersecurity Events and related incident response activities; and (7) evaluation and revision of the incident response plan following a Cybersecurity Event.

SLIDE 44

Notices – 500.17

Event Notification

  • Notify the superintendent as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either:
    – a Cybersecurity Event of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
    – a Cybersecurity Event that has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

Annual Statement

  • Commencing February 15, 2018, covered entities are required to annually prepare and submit to the superintendent a Certification of Compliance with the NYS DFS Cybersecurity Regulation.
  • Where areas, systems or processes requiring material improvement, updating or redesign have been identified, document them together with the planned remedial efforts.

SLIDE 45

Exemptions

  • Exemptions include those with:

– Fewer than 10 employees including any independent contractors.
– Less than $5,000,000 in gross annual revenue in each of the last three fiscal years.
– Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.

  • An entity that qualifies for an exemption must file a “Notice of Exemption.” In the event that an entity, as of its most recent fiscal year-end, ceases to qualify for an exemption, it shall have 180 days from such fiscal year-end to comply with applicable requirements.

SLIDE 46

KEY TAKEAWAYS

  • Enhance Cyber Awareness
  • Be Proactive (Defense / Offense)
  • Identify & Monitor Risks
  • Enhance Your Business
  • Protect Your Brand

SLIDE 47

Key Insurance Industry Themes

Information Security and Risk Needs to be a Top Priority

  • Carriers must be cognizant and vigilant of the risk to their entire infrastructure
  • New services, market opportunities, and creative mobility solutions are creating challenges to stay ahead
  • Damage to insurer’s reputation was biggest concern among executives, employees, and customers

You Never Know Which Next Big Idea Will Stick (EMERGING TECHNOLOGIES)

  • Insurance technology startups are increasing at a rapid rate, but an estimated 9 out of 10 will fail
  • Companies that will prosper are very likely to include some that transform the industry
  • Opportunities for investing, partnering, or learning lessons from these companies should be considered in strategic planning initiatives

SLIDE 48

Perform a Continuous Risk Assessment

Cyber Security Risk Assessment

SLIDE 49

Preventative Measures

  • There are a number of ways in which loss or theft of data can be prevented and avoided:

– Look beyond IT security when assessing your company's data breach risks
– Establish a comprehensive data loss protection plan
– Educate employees about appropriate handling and protection of sensitive data
– Conduct a periodic risk assessment
– Provide training and technical support to mobile workers
– Don’t rely on encryption as your only method of defense
– Keep current with security software updates or patches
– Hold vendors and partners to the same standards

SLIDE 50

CLOSING REMARKS

SLIDE 51

CONTACT INFORMATION

Jerry Ravi
Partner, Consulting Services Group
EisnerAmper LLP
(732) 770-3519
jerry.ravi@eisneramper.com

Venkat Rao
Director, Global Compliance & Regulatory Solutions
EisnerAmper LLP
(347) 735-4761
venkat.rao@eisneramper.com

John R. (“JACK”) Hewitt
Partner
Pastore & Dailey LLC
(646) 549-9551
JHewitt@psdlaw.net

IASA Metro NY/NJ CHAPTER

SLIDE 52

Upcoming Webinars

  • See the e-learning landing page at www.iasa.org/e-learning for more information. (All times are 2:00pm EDT/EST unless otherwise noted)
  • May 2 – 2017 NAIC Spring Meeting Review
  • May 9 – Economic Outlook 2017
  • Today’s presentation will be archived on the IASA website at www.iasa.org/e-learning and will be available tomorrow afternoon.
  • Archived webinars:

– February 21: The War for Talent: How to Engage and Retain
– January 24: The Life Insurance Industry: A Solution Provider Overview
– January 12: 2016 NAIC Fall Meeting Review

  • IASA’s 5th Edition Life/Accident/Health Textbook is now available in both eBook and Print! Visit www.iasa.org/publications for details!

SLIDE 53

Thank you for joining us!

Thank you for joining us! We are interested in your thoughts about this presentation and topics you may want to see covered in the future.

REMEMBER: Please use the SURVEY and TEST widgets to complete your “Survey” and “Request for CPE” to validate your requirements for CPE credit and then print your certificate using the CERTIFICATION widget at the bottom of your console before exiting today’s event. All three widgets are required to meet your requirements for CPE. Again, we appreciate your attention as we evolve the process to meet your educational needs.

The console will remain open for 30 minutes following the event to allow time to complete these requirements. You will also be able to complete these requirements within 24 hours if additional time is needed to complete your survey, test or print your certificate.

If you have difficulty viewing the archived presentation, or would like further information about this and future topics to be covered, please contact:

Tricia Stillman
AVP – Membership and Marketing – IASA
tstillman@iasa.org
984-244-7039