Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder





Eric Wright, CPA, CITP

• Started my career with Schneider Downs in 1983.

• Responsible for all IT audit and system implementations services provided by the firm.

• I have had the fortune of supporting a wide variety of clients in all industries.

• Graduated from Waynesburg College, magna cum laude, with a BS in Mathematics and Computer Science.

• Chair the PICPA IT Assurance Committee.

• Member of the AICPA sub-committee on privacy.



Agenda

• Recent History

• Fun Facts

• Risks facing Financial Institutions

• 10 Questions your Board should be asking

• What can you do


2014: Year of the Mega Breach

• Sony – shut down the company's IT systems for 2 weeks

• Target – 40 million credit cards stolen

• JP Morgan Chase – 83 million customers' data stolen

• eBay – 145 million records compromised

• Home Depot – 56 million credit cards


Ponemon Security Study (2014 Cost of Data Breach Study)

• The average total cost of a data breach increased 15% to $3.5 million

• The average cost paid for each lost or stolen record containing sensitive information increased more than 9%, from $136 to $145


Fun Facts

• 1 in 10 US citizens is subject to identity theft

• If you make more than $70K, you are 2x more likely to be targeted

• In 2013, 13.1 million consumers were victims of identity theft

• 52% of all fraud involved on-line transactions


[Charts: 2009 Breaches by Type and 2013 Breaches by Type. Categories: Stolen Documents, Improper Disposal, Email Disclosure, Unknown, Web-Based Hacks, Stolen Computer, Social Engineering, Hacking. 2013 shares shown on the chart: 3%, 4%, 6%, 12%, 13%, 14%, 16%, 33%; the mapping of share to category is not recoverable from the extracted text.]


The Black Market Value of Data We Process

• Health Care Record – $50

• Credit Card – $2 to $15

• Social Security No. – $5 when packaged with a name

• Name and password to Bank Account – $1,000




[Timeline of regulatory IT guidance, 1998 to 2014:]

• Emerging e-Banking Technologies – 7/15/1998

• Technology Services Supplied by Outside Firms

• Revised e-Banking and (IT) Audit Guidance – 10/21/2004

• Business Continuity Planning Released – 3/19/2008

• Remote Deposit Capture Technology – 1/14/2009


Risks that Financial Institutions Face

• Financial

– Forensics

– Public Relations

– Credit Monitoring

– Penalties and Fines

– Loss of Customers/Revenue

– Lawsuits and Legal Cost

– Drop in Stock Price

• Reputational


Reputational Damage

• Front page news

• Notifying customers, employees, government agencies

• Public outcry

• Loss of customer trust


Question 1

So, What is the Industry Recommending?

• On June 30th, 2015, the FFIEC released its Cybersecurity Assessment Tool

– Helps institutions identify their risks and determine their cyber security maturity

– It is a repeatable and measurable process to keep management informed of their


Cyber Security Assessment Tool

• The tool has two components

– Inherent Risk Profile – fancy name for risk assessment

– Cyber Security Maturity Evaluation

• The adoption of the tool is strictly "voluntary" at this time

• The FFIEC has targeted June of 2016 as the timeline to include in their


Inherent Risk Profile Categories

• Technologies and Connection Types

• Delivery Channels

• Online/Mobile Products and Technology Services


Cyber Security Maturity Domains and Assessment Factors

1. Cyber Risk Management & Oversight

• Governance

• Risk Management

• Resources

• Training and Culture

2. Threat Intelligence & Collaboration

• Intelligence Sourcing

• Monitoring and Analyzing

• Information Sharing

3. Cyber Security Controls

• Preventative Controls

• Detective Controls

• Corrective Controls

4. External Dependency Management

• Connections

• Relationships Management

5. Cyber Incident Management & Resilience


Question 2


Question 3


Where is our data?

• Which Servers and workstations

• Which Databases

• Which Applications
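Answering "which servers, databases and applications hold our sensitive data" is a discovery problem, and a first pass can be automated: pull text out of each candidate store and look for the data types the deck prices on the black market (card numbers, Social Security numbers). The following is an added example written for this page, not code from the presentation or from Schneider Downs. It scans a list of constructed sample records (the locations and values are made up; the card number is the standard 4111... test value) and reports only matches that pass a structural check, so that random digit strings such as order numbers are not counted. Card numbers are validated with the Luhn checksum; SSNs are rejected if the area, group or serial is one the SSA never issues. Findings are masked before they are returned, because a data-inventory report should never itself become a new copy of the sensitive data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample records standing in for rows pulled from a database
# export, a log file or a file share. None of the values are real; the
# card number is the well-known 4111... test value and the SSN is fictitious.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("crm.customers.notes", "Called re: refund, card ending 4111 1111 1111 1111"),
    ("hr.payroll.csv", "J. Doe, SSN 123-45-6789, hired 2013-04-01"),
    ("app.log", "order 1234567890123456 shipped"),          # 16 digits, fails Luhn
    ("wiki/runbook.md", "Ticket 000-12-3456 (area 000 is never issued)"),
    ("export.txt", "nothing sensitive here"),
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS, not embedded in a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that the SSA never assigns: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


@dataclass(frozen=True)
class Finding:
    location: str   # where the data was found (hypothetical store name)
    kind: str       # "payment_card" or "ssn"
    masked: str     # value with all but the last four characters masked


def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(location: str, text: str) -> List[Finding]:
    """Return validated sensitive-data findings for one record."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(location, "payment_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding(location, "ssn", mask(m.group(0))))
    return findings


def scan_records(records: List[Tuple[str, str]]) -> List[Finding]:
    out: List[Finding] = []
    for location, text in records:
        out.extend(scan_text(location, text))
    return out


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per-location counts by data type: the shape of a data-inventory report."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        summary.setdefault(f.location, {}).setdefault(f.kind, 0)
        summary[f.location][f.kind] += 1
    return summary


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.location}: {f.kind} {f.masked}")
    print(summarize(scan_records(SAMPLE_RECORDS)))
```

Run against real stores, the record source would be a database cursor, a file walker or a log reader rather than the inline list, and the run itself should be authorized, logged and executed with read-only credentials, since a scanner that reads every share is exactly the kind of access an attacker wants. Pattern matching still produces false positives (Luhn-valid digit strings that are not cards) and misses data in images, archives and encrypted blobs, so treat the summary as a starting inventory to be confirmed with application and database owners, not as the final answer to Question 3.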


Question 4

• Have we inventoried all of the third party vendors that have access to our systems and have we


Question 5


Annual Security Reviews

• External Vulnerability Scans

• External Penetration Testing


Question 6

• What procedures have we implemented to protect our sensitive information that is stored and


Question 7


Question 8


Cyber Insurance – Do I Need a Policy?

• Evaluate the information that you collect, process and store to determine how marketable this data would be if it fell into the hands of thieves.

• Evaluate your social profile. Are you a target of social activists?


First Party Coverage

• Theft and fraud. Covers destruction or loss of the policyholder's data as the result of a criminal or fraudulent cyber event, including theft and transfer of funds.

• Forensic investigation. Covers the legal, technical or forensic services necessary to assess whether a cyber attack has occurred, to assess the impact of the attack and to stop an attack.

• Business interruption. Covers lost income and related


First Party Coverage (continued)

• Extortion. Provides coverage for the costs associated with the investigation of threats to commit cyber attacks against the policyholder's systems and for payments to extortionists who threaten to obtain and disclose sensitive information.

• Computer data loss and restoration. Covers physical


Third Party Coverage

• Litigation and regulatory. Covers the costs associated with civil lawsuits, judgments, settlements or penalties resulting from a cyber event.

• Regulatory response. Covers the legal, technical or forensic services necessary to assist the policyholder in responding to governmental inquiries relating to a cyber attack, and provides coverage for fines, penalties, investigations or other regulatory actions.

• Notification costs. Covers the costs to notify customers,


Third Party Coverage (continued)

• Crisis management. Covers crisis management and public relations expenses incurred to educate customers concerning a cyber event and the policyholder's response, including the cost of advertising for this purpose.

• Credit monitoring. Covers the costs of credit monitoring, fraud monitoring or other related services to customers or employees affected by a cyber event.

• Media liability. Provides coverage for media liability, including coverage for copyright, trademark or service mark infringement resulting from online publication by the



What is Not Covered by Cyber Insurance?

• Reputational harm

• Loss of future revenue

• Cost to improve internal technology safeguards

• Lost value of intellectual property


Question 9

• Do we have a formal incident response


Question 10


What Actions Should I be Taking?

• Accept that security is an enterprise-wide risk, not just an IT issue. Create awareness from the mailroom to the boardroom.

– Stakeholders include, but are not limited to, the Boardroom, HR, Audit, IT and Legal

• Establish awareness that controls and processes have been specifically designed to prevent

– New hire orientation

– Ongoing awareness and communication


What Actions Should I be Taking?

• Integrate cyber risk strategy into the organization's strategic plan

• Have a team dedicated to managing cyber threats and your incident response plan

• Identify your organization's most critical data assets

• Implement a layered defense

• Assess your cyber security maturity

• Identify vendors used for business functions involving critical data assets

– Make sure you understand their security policies and procedures


Your Role in Combatting Threats

• Be diligent – always assume the worst

• Understand and Follow Policies and

• Report Suspicious Activity

• Avoid Malicious Web Sites

• Don't Click on Suspicious E-mails

• Ask for Identification

• Require Authorization for Access

• Safeguard Social Media Content

• Educate/Inform Customers





Related subjects :