Presentation on theme: "#IASACFO."— Presentation transcript:

1 #IASACFO

2 Lessons from the Trenches: What Boards and Management Need to Know about Cybersecurity
Moderator: Shawn R. Grotte, CPA, Partner, BKD LLP

3 THE 2018 CHIEF FINANCIAL OFFICER ROUNDTABLE
Session Presenters
- Shawn R. Grotte, CPA, Partner, BKD LLP
- Devin Shirley, CISSP, GISP, Chief Information Security Officer, Arkansas Blue Cross and Blue Shield
- Philip Sherrill, CPA, CIA, CHIE, Vice-President and Chief Audit Executive, Arkansas Blue Cross and Blue Shield

4 NAIC Insurance Data Security Model Law adopted October 24th, 2017
“…to establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees…”

Comprehensive Written Information Security Program
- Considers the size and complexity of the organization
- Considers the nature and scope of activities
- Considers the sensitivity of information the organization governs

Objectives of an Information Security Program
- Protect the security and confidentiality of sensitive information
- Protect against any threats or hazards
- Protect against unauthorized access or use; minimize the risk of harm
- Process for retention and destruction of sensitive information

5 NAIC Insurance Data Security Model Law adopted October 24th, 2017

Risk Assessment
- Identify reasonably foreseeable internal and external threats
- Assess the likelihood and potential impact of those threats
- Assess the sufficiency of policies and procedures
- Assess the effectiveness of key controls (no less than annually)

Program Adjustments
- Monitor, evaluate and adjust, as appropriate, to relevant changes in:
  - Technology and Information System infrastructure
  - Sensitivity of information
  - Internal or external threats
  - Changing business arrangements, i.e. M&A, partnerships, outsourcing, etc.

6 NAIC Insurance Data Security Model Law adopted October 24th, 2017

Board Governance Structure
- The Board or an appropriate committee of the Board shall require management to:
  - Develop, implement and maintain an Information Security Program
  - Report on the overall status of the program and compliance with the Model Law
  - Report on material matters related to the program

Oversight of Third-Party Service Providers
- Demonstrate due diligence in the selection of third-party service providers
- Require appropriate administrative, technical and physical measures

7 NAIC Insurance Data Security Model Law adopted October 24th, 2017

Risk Management and Controls
- Appropriate security measures, based on assessed risk
- Integration in an organization’s Enterprise Risk Management process
- Awareness of emerging threats and vulnerabilities
- Cybersecurity awareness training

Incident Response Plan
- Written Incident Response Plan designed to:
  - Define the internal process for responding to an event
  - Define roles, responsibilities and decision-making authority
  - Define internal and external information sharing
  - Define requirements for remediation

8 NAIC Insurance Data Security Model Law adopted October 24th, 2017

Annual Certification
- Submitted to the Commissioner in writing by February 15th certifying compliance

Notification (Licensee, Third-Party, Reinsurers)
- Notify the Commissioner as promptly as possible but in no event later than 72 hours from a determination that an event has occurred
- The Licensee reasonably believes that the information involved is of 250 or more consumers residing in the State and either:
  - An event requires notice to be provided to any government, regulatory or supervisory body
  - There is reasonable likelihood of material harm impacting a consumer in the State or a material part of the normal operations of the Licensee
