Rogers Enterprise Security Solutions

Presentation transcript:

Rogers Enterprise Security Solutions
Bracing for a Breach: Prepare for Cybersecurity Threats with Proper Planning
Stewart Cawthray, CISSP, CISM, CRISC, CEH
General Manager, Enterprise Security, Rogers Communications
May 2, 2017

The Breach… Are you prepared?
It's 3:00pm. Do you know where your data is?
Cyber breaches happen to companies of all sizes, from all industries. No one is immune!
How you handle the breach is what determines how you survive the breach. Are you prepared?
2 Rogers Enterprise Security | Communicating the Breach

Agenda
1. What constitutes a breach?
2. The Law & Breach Notification
3. Cybersecurity Playbook & Incident Response
4. Internal & External Communications
5. Summary & Recommendations

World's Biggest Data Breaches
Selected losses greater than 30,000 records.
Click to view full data visualization: www.informationisbeautiful.net

What Constitutes a Breach
Is every security incident a breach?
• Does a breach only involve data loss? Does it matter what type of data? Quantity of data?
• A textbook definition would be "Any unauthorised disclosure or loss of sensitive information due to an intentional, accidental or malicious act."
• In general, most consider a breach to involve PII (personally identifiable information) or health data.
• But corporate data loss can also be a breach: future plans, M&A information, intellectual property ("the secret sauce"), etc. Anything which could be materially damaging to your business.

Breach Notification Laws
Different laws exist across Canada and globally.
Canada
• No national disclosure law is in force currently. PHIPAA does require disclosure to impacted parties for loss of health information across Canada.
• Digital Privacy Act 2015: the Act included amendments to PIPEDA that will introduce new provisions relating to breaches of security safeguards. These provisions include mandatory breach reporting to the Office of the Privacy Commissioner of Canada (OPC) and to individuals and, in some cases, third parties. Not currently in effect; consultation closed May 31, 2016.
• Alberta is the only province with a provincial disclosure law in effect.
USA
• All but 5 states have mandatory breach notification laws in effect. CSOonline.com has an interactive map showing which states, with links to the actual laws.
• California was first, in 2003.
International
• The EU Data Protection Regulations include requirements for notification in the event of a "Personal Data Breach".

To Tell or Not to Tell…
When do we need to disclose a breach?
Whether you need to disclose that you were breached is dependent on several factors:
Jurisdiction
• Is there a law in the jurisdiction in which you are operating that requires disclosure? Remember this often means where the impacted parties reside, not where your business resides.
Type/Classification of Data
• What kind of data was lost: PII, health records, sensitive corporate data? Most disclosure laws are applicable to PII and health records only.
Brand Reputation
• If the breach were to be discovered, how would the corporate brand be impacted? Getting in front of a bad situation can often cool fires before too much damage is done.
Cyber Insurance Policy
• Many cyber insurance policies require a disclosure to at least the impacted parties before a payout will be approved.
Corporate Citizenship
• In a highly connected business ecosystem, disclosure of a breach which may impact peers, partners, suppliers or customers can help those organizations protect themselves or detect their own breaches.

Are you prepared?
A playbook for cybersecurity incident response is essential for handling a breach. Do you have a playbook? Is it written down? Is it tested?
The National Association of Corporate Directors (NACD) recommends five guiding principles:
1. Understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue.
2. Understand the legal implications of cyber risks as they relate to the company's specific circumstances.
3. Boards should have adequate access to cyber security expertise, and discussions about cyber risk management should be given regular time on the board meeting agenda.
4. Make sure that management establishes an enterprise-wide risk management framework with adequate staffing and budget.
5. The board and management should identify which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
Test your plan regularly and often: weekly within Security and quarterly with the broader company.
The actions you take before an incident are far more impactful than the actions you take during or after one.

Cybersecurity Playbook
Before incident checklist
• Stay current on cybersecurity threats and best practices.
• Prepare the board and executives by establishing a committee and links between the board and C-level executives like the CIO and CISO.
• Identify and know the firm's security posture and risks. Assess systems, assets, data and capabilities.
• Research, design and deploy security technologies appropriate to the assessed risks.
• Develop and deploy detection systems to identify security events as soon as possible.
• Create an incident response plan, including whom to contact and when. Build in contingencies.
• Ensure the response plan covers communications, analysis, mitigation and other critical tasks like legal or customer support.
• Link the incident response plan to recovery and Business Continuity plans.
• Discuss with counsel whether security events should be disclosed and what should be disclosed.
• Obtain liability insurance for directors and officers as well as the corporation.

Cybersecurity Playbook
During incident checklist
• Oversee the incident response. Act as a conduit between incident responders, the company and external stakeholders.
• Understand that news of the incident usually comes to the company from outsiders, such as law enforcement or partner companies. Keeping the event under wraps is likely not possible.
• Work closely with legal counsel and public relations to advise the C-level about how to disclose incident details. Don't disclose details until they are verified.
• Stay in touch with your response team right through the remediation.

Cybersecurity Playbook
After incident checklist
• After the breach has been repaired, assist in damage control to fix the company's infrastructure and reputation.
• Review the incident response and assess how it performed. Determine where to make improvements and praise elements which went well.
• With guidance from legal counsel, determine how to make customers whole if they were impacted by the incident. Monitor churn rate and offer remedies to minimise this churn. Legal counsel will advise if any remedies are required by law.

Internal & External Communication of a Breach
What and who do you tell about a breach?
Who you tell of a breach depends on your playbook. Different levels of incidents will have different disclosure requirements.
• Internal stakeholders: IT, Operations, Executives, department heads and/or employees.
• External stakeholders: Government, shareholders, industry regulators, employees, and/or media.
Have a plan prepared
• Who is on point to speak about the incident? Who will prepare the talking points and brief spokespeople?
• At what cadence will information be released? Who approves the release? Will legal review it prior to release?
• What are your contingencies?
Manage the message
• Focus your initial messages on the steps being taken to investigate the issue.
• Communicate in a clear and direct way; companies shouldn't get overly technical. Provide people with the information they need and what they can do to protect themselves.
• Release of unverified details can cause problems or contradictions down the road if details change.
• The sense of urgency to get information out to customers needs to be overridden by the pragmatic approach of only releasing verified information.
After the breach
• Create a hub where people can get updates.
• Monitor social media (in addition to traditional media) to understand the tone and volume of what company stakeholders and influencers are saying.
• Once the worst of the breach is behind you, it's time to start repairing your company's reputation. This starts with clear, direct communication around the steps your company is taking to ensure a breach doesn't happen again.
Always be mindful that a breach will garner media attention.

Summary & Recommendations
If you remember nothing else from this session, remember this…
• Cyber security incidents will happen to you.
• How prepared you are will determine their impact on your organization.
• Know your legal and risk landscape. It is highly likely that more than one jurisdiction applies.
• Establish a plan with clear communication guidelines and procedures, verified by legal, PR and the company leadership.
• Test your response plan regularly and often: weekly within the security org, quarterly with the broader company.
• Seek help to prepare before an incident if needed.

Thank You.

Your success is our business.