Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Axtell Todd Martin Stinson Leonard Street, LLP

Published byJanel Cox Modified over 6 years ago

Similar presentations

Presentation on theme: "David Axtell Todd Martin Stinson Leonard Street, LLP"— Presentation transcript:

1 David Axtell Todd Martin Stinson Leonard Street, LLP
Cybersecurity Update American Fraternal Alliance Spring Symposium May 23, 2018 David Axtell Todd Martin Stinson Leonard Street, LLP

2 Agenda Developments in Cybersecurity Threats
NY Cybersecurity Law Update NAIC Insurance Data Security Model Law Update Next Steps for Your Cybersecurity Program

3 Developments in Cybersecurity Threats
Record High 1,579 Breaches in 2017* 44.7% Increase Over 2016 Record High Some of Increase Based On Growing Threats Some On Better Reporting Numbers still Significantly Underreported *All Data from Identity Theft Resource Center

4 Breaches Over Time January 1, 2005 – May 17, 2018* 2018 through May 14
Number of Breaches: 8,989 Number of Records Exposed: 1,096,676,098 2018 through May 14 Total Breaches: 441 Records Exposed: 14,958,141 Definition for above: Name + Social Security Number, DL Number, Medical Record or Financial Record (credit/debit included) is potentially at risk (this is fairly consistent with state data breach laws) Roughly ½ involve SS#s, 10-20% involve financial account numbers *All data from Identity Theft Resource Center,

5 Breakdown of 2018 Breaches By Industry
Entity # of Breaches Number of Records Business 190 (43.1%) 9,434,324 (63.1%) Educational 34 (7.7%) 499,728 (3.3%) Military/Government 37 (8.4%) 1,387,535 (9.3%) Health/Medical 125 (28.3%) 1,963,261 (13.1%) Banking/Credit/Financial 55 (12.5%) 1,673,293 (11.2%)

6 A Few Common Types of Social Engineering Intrusions
Phishing – tricking victims into sharing sensitive information Spear-Phishing – tricking a victim into thinking the information request is coming from a specific person the victim knows (CEO, CFO, etc.) Pretexting – intruder builds trust over time with victim, often through a form of spear-phishing

7 Some Statistics 64% of Americans willing to pay a ransom if victim to rasomware; Average demand = $1,077/victim; WannaCry and Petya notable Organizations with employees had a malware rate of 1 out of every 202 s (1/273 for smaller organizations) 1/2,644 s were phishing Approximately 50 million malware variants 300% increase in ransomeware since ( After an attack, 52% aren’t making security changes and only 38% expect to increase their IT budget ( Source: unless otherwise noted

8 Developments in Cybersecurity Law

9 Applicable Laws GLB HIPAA State Laws GDPR (EU)?

10 New Environment for Cybersecurity Regulation
Broader focus than just privacy and security Three Key Elements Privacy/ Security Integrity Access

11 New York Cybersecurity Regulation
Applies To Individuals and Entities Licensed to Do Business in NY (would include fraternals and fraternal agents if licensed in NY) Covered entities required to maintain cybersecurity program designed to protect information systems: Confidentiality Integrity Availability

12 New York Cybersecurity Regulation
Cybersecurity Program based on Risk Assessment Identify and assess internal and external risks Use defensive infrastructure and implementation of policies and procedures to protect Detect cybersecurity events Respond to identified or detected cybersecurity events Recover from cybersecurity event Reporting to Superintendent

13 New York Cybersecurity Regulation
Other requirements Written policies and procedures Chief information security officer Penetration testing and vulnerability assessments Audit trail Access privileges Application security Risk assessment Qualified personnel Third party compliance Multi-factor authentication Data retention/ disposal Testing/ monitoring Encryption Written incident response plan

14 New York Cybersecurity Regulation
Cybersecurity Program based on Risk Assessment Identify and assess internal and external risks Use defensive infrastructure and implementation of policies and procedures to protect Detect cybersecurity events Respond to identified or detected cybersecurity events Recover from Cybersecurity Event Reporting

15 New York Cybersecurity Regulation
Key Dates: August 28, covered entities required to comply Feb. 15, first certification March 1, 2018 – 1 year transitional period ends – additional requirements apply March 1, 2019 – 2 year transitional period ends – full compliance required

16 NAIC Cybersecurity Model Law
Similar to NY Regulation Applies to individual or organization required to be licensed under the insurance laws of the state Required to develop information security program in compliance with requirements Protect security and confidentiality Protect against threats to security or integrity Protect against unauthorized access or use and minimize harm to consumer Define schedule for retention and destruction

17 NAIC Cybersecurity Model Law
Risk assessment Risk management Board oversight Service provider oversight Program adjustments Incident response plan Commissioner certification

18 NAIC Cybersecurity Model Law
Security Incident Response Investigation Reporting To the commissioner To consumers

19 NAIC Cybersecurity Model Law
Differences From NY Law: Narrower Focus (only insurance entities) Definition of protected information to include business information Drafter’s notes say that compliance with NY regulations should be deemed compliance with NAIC Model (but may or may not be implemented in a particular state) Introduced In: Rhode Island South Carolina Other states expected to introduce very soon.

20 Key Elements of Effective Cybersecurity Program
Governance oversight Broad scope – including service providers Risk assessment and monitoring Incident response planning Reporting & compliance Insurance

21 Vendor/Internal Audits and Testing
Oldest Audit – SAS 70, replaced by SSAE 16, 2011 (with System Organization Controls “SOC”) SOC 1 – Report on controls regarding financial reporting SOC 2 – report on IT systems security, availability, integrity, confidentiality, privacy SOC 3 – Like SOC 2, but really just for marketing SSAE 16 replaced by SSAE 18 (2017) Adds third party vendor management component Implement formal yearly risk assessments None of the above is the same as penetration testing and other code/network security quality reviews

22 Specialty Indemnification – Defining Breach
"Data Breach” shall mean an incident in which personally identifiable information or PHI regarding customers, employees, job applicants, or other individuals or Company’s Confidential Information has been potentially viewed, acquired, stolen, copied, or used by an individual or entity who is without authority to do so, or exceeds their authority in doing so, or is rendered inaccessible or inoperative due to malicious activity or code, such as, without limitation, through ransomeware. 22

23 Specialty Indemnification – Defining Remedy
"Losses" for purposes of indemnification for a Data Breach shall additionally include any and all costs and fees (including but not limited to attorney and vendor fees) associated with identifying the root cause of a Data Breach, remediating the Data Breach, identifying lost data or data that was accessed without or by exceeding authority, identifying victims, notifying victims and providing call center support for victims, public relations efforts to mitigate damage to good will, all fines, all amounts paid in ransom, and victim identity theft and credit monitoring and other commercially standard and reasonable courses of action. 23

24 Insurance – What to Look For
Vendor choice Coverage at least for: Forensic Investigation Breach notification, call center, credit monitoring Litigation defense, investigations, fines, settlements Ransome Attorneys PR firms Limits and deductibles Less likely covered/will be paid out: Internal losses of time Good Will losses/lost business Security hardening

25 Todd Martin David Axtell

Download ppt "David Axtell Todd Martin Stinson Leonard Street, LLP"

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.

Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.
Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial.

Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A Centennial.
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.

RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.

Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.

Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.
2015 ANNUAL TRAINING By: Denise Goff

2015 ANNUAL TRAINING By: Denise Goff
FTC RED FLAG RULE As many as nine million Americans have their identities stolen each year. Identity thieves may drain their accounts, damage their credit,

FTC RED FLAG RULE As many as nine million Americans have their identities stolen each year. Identity thieves may drain their accounts, damage their credit,
AUGUST 25, 2015 Cyber Insurance:

AUGUST 25, 2015 Cyber Insurance:
IDENTITY THEFT. RHONDA L. ANDERSON, RHIA, PRESIDENT ANDERSON HEALTH INFORMATION SYSTEMS, INC.

IDENTITY THEFT. RHONDA L. ANDERSON, RHIA, PRESIDENT ANDERSON HEALTH INFORMATION SYSTEMS, INC.
Supervision of Information Security and Technology Risk Barbara Yelcich, Federal Reserve Bank of New York Presentation to the World Bank September 10,

Supervision of Information Security and Technology Risk Barbara Yelcich, Federal Reserve Bank of New York Presentation to the World Bank September 10,

Similar presentations

Ads by Google