Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Presentation transcript:

Overview of this presentation
- International and local public and private entities that have had incidents. Examples of cybersecurity breaches: act now!
- A brief overview of legislation you should be familiar with. Legislation to consider: consequences if you don't!
- Preparing for a cybersecurity breach
- A breach has happened: first steps and considerations
- Sharing information in your industry: strength in numbers
- After the cybersecurity breach: fixing and fighting back
- A cybersecurity breach game-plan: mitigating risk!

Breaches: it happened to them, it will happen to you!
- Estimated annual cost of cybercrime to the global economy: US$400 million (McAfee, June 2014)
- Estimated value of cybercrime in SA: 0.14% of GDP (McAfee, June 2014)
- Sony Corporation PlayStation breach: US$171 million so far, 12% off share price (Booz & Co, 2014)
- Target breach: US$148 million in costs, CEO resignation (Forbes, September 2014)
- South African Police Service website: cost unknown, major reputational damage
- Payment Association of South Africa card hack: cost unknown, major reputational damage

Why bother with cybersecurity... surely it's something for the geeky IT guys to deal with?
- MFM Act
- Companies Act
- POPI Act
- ECT Act
- RIC Act
- King III Report
- South Africa Connect: The National Broadband Policy
- The National Integrated ICT Policy Green Paper
- The White Papers on Transforming Public Service Delivery
- The Minimum Information Standards Policy
- The Minimum Interoperability Standards Policy
- Free and Open Source Software Policy
Organisation leaders: it's no longer just the IT guys' problem, it's your responsibility!

A basic guideline for cybersecurity: condition 7 of POPI (Condition 7: Security safeguards, Part 1)
A responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
- loss of, damage to or unauthorised destruction of personal information; and
- unlawful access to or processing of personal information.

Chapter 3: Conditions for lawful processing of personal information (Condition 7: Security safeguards, Part 2)
A responsible party must take reasonable measures to:
- identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Chapter 3: Conditions for lawful processing of personal information (Condition 7: Security safeguards, Part 3)
Where the responsible party appoints an operator:
- this must be under proper authority and respect confidentiality;
- it must be governed by a contract which enforces confidentiality and security.
Where security breaches occur, the data subject and the Regulator must be notified.

Preparing for a cybersecurity breach
- Categorise data and define access
- Use smart network design
- Protect super-sensitive data
- Audit and test your network
- Be aware of your network and data, and implement protection procedures
- Cybersecurity breach management plans
- Get consents to use of your network
- Have best practice policies and procedures
- Supply chain matters
- Client and customer matters
- Be aware of and evaluate cyber threats
- Be aware of cybersecurity risks of business relations

A breach has happened! First steps and considerations
- Directors, lawyers, IT and PR
- Internal processes and governance after the breach
- Considerations whilst conducting an investigation
- Conduct an extensive internal investigation
- Statutory reporting obligations
- Contractual reporting obligations
- Shareholder / stakeholder reporting obligations
- Should all breaches be investigated? Investigation thresholds and reporting

Sharing information in your industry: strength in numbers
- Why sharing may be good
- Competition law considerations

After the cybersecurity breach: fixing and fighting back
- Effective breach response methods
- Exercising patience may help
- Don't overreact or break the law: liability concerns

Practical tips and recommendations
- Read the legislation. Consider POPI's Condition 7 as a minimum.
- Do your operations warrant information security awareness training for staff?
- Put procedures in place to limit who can access certain information on your organisation's computer system.
- Ensure that laptops and other mobile devices have passwords and similar security, and are preferably encrypted.
- Physical security of the premises where you store sensitive information.
- Put proper contracts in place that compel your service providers to give you assurances that they will comply with some sort of cybersecurity standard.
- Consider whether securing cyber insurance is necessary. Your current "generic" insurance is not likely to provide cover.
- Have a technical and legal information/cyber security gap analysis done... it will make shareholders or the Auditor-General happy!
- Develop a comprehensive strategy, but consider these now.

Any questions?