Cyber risk reporting aicpa framework
1. CHALLENGES IN MANAGING CYBER RISKS
A DEVELOPING FRAMEWORK TO EXPLAIN HOW ORGANIZATIONS
ARE TRYING TO MANAGE CYBERSECURITY RISK
JAMES T DEIOTTE
AUGUST 2017
2. AGENDA – SECTION HEADINGS
1 CURRENT CLIMATE – Losses from cyber-attacks increase
2 CHANGING CONDITIONS – Other changes taking place may have a greater impact beyond costs
3 MOVING BEYOND COSTS – This shift has expanded the stakeholder group
4 RESPONSE OF THE AICPA – Framework for reporting on cyber risk management
5 TECHNOLOGY SOLUTIONS – Creating the cybersecurity ecosystem
4. CYBER RISK EXPANSION IS ON FIRE
• Fuel
  • Complexity and interconnectivity that has caused stakeholder expansion
  • Human nature
• Heat
  • Press and political pressure
  • Regulatory and legislative responses globally
• Oxygen
  • Aggressive nature of hackers
  • Expanding use of new products under IoT
• Prevention
  • Need for improved risk management – a different and holistic approach with a focus on people
  • Need for comprehensive and enabling technologies
5. COMPANIES ARE JUST LEARNING THEY ARE UNDERINSURED
GAP BETWEEN COVERAGE AND DAMAGES WIDENS
• Target Corp announced that its 2013 breach will cost an estimated $230 million; insurance coverage was $90 million
• Home Depot expects $232 million in expenses; insurance coverage was $100 million
• Anthem ran into difficulties in coverage after an attack compromised 70 million records; future insurance coverage requires Anthem to pay the first $25 million in any future attacks
6. VULNERABILITY
• “37.2% of U.S. organizations had a botnet grade of ‘B’ or lower,” meaning these organizations have a higher likelihood of experiencing a publicly disclosed data breach. Source: Global Security Performance: How Do Top Nations Stack Up?
• “Companies with a rating of 400 or lower are five times more likely to have a breach than those with a rating of 700 or more.” Source: BitSight Security Ratings Correlated To Breaches
• “Crypto-style ransomware grew 35 percent in 2015.” Source: Symantec 2016 Internet Security Threat Report
• “Education accounted for 6.6 percent of all reported cybersecurity incidents in 2015.” Source: 2016 Internet Security Threat Report from Symantec
• “99% of computer users are vulnerable to exploit kits (software vulnerabilities).” Source: Heimdal Security
• “59% of employees steal proprietary corporate data when they quit or are fired.” Source: Heimdal Security
• “28% of organizations have experienced an advanced persistent threat attack, and three-quarters have failed to update their third-party vendor contracts to include better protection against APTs.” Source: 2015 Advanced Persistent Threat Awareness Study, as quoted in Trustwave Security Stats
• “63% of businesses don't have a ‘fully mature’ method to track and control sensitive data.” Source: 2014 State of Risk Report, as quoted in Trustwave Security Stats
7. BREACH STATISTICS
• In 2016, there have been 454 data breaches with nearly 12.7 million records exposed. Source: 2016 Identity Theft Resource Center Data Breach Category Summary
• “In 93% of breaches, attackers take minutes or less to compromise systems.” Source: 2016 Data Breach Investigations Report from Verizon
• “Four out of five victims [of a breach] don’t realize they’ve been attacked for a week or longer.” Source: 2016 Data Breach Investigations Report from Verizon
• “In 7% of [breach] cases, the breach goes undiscovered for more than a year.” Source: 2016 Data Breach Investigations Report from Verizon
• “30% of phishing emails are opened. And about 12% of targets go on to click the link or attachment.” Source: 2016 Data Breach Investigations Report from Verizon
• “In 60% of cases, attackers are able to compromise an organization within minutes.” Source: 2015 Data Breach Investigations Report from Verizon
8. COST STATISTICS
• “80% of analyzed breaches had a financial motive.” Source: 2016 Data Breach Investigations Report from Verizon
• “68% of funds lost as a result of a cyber attack were declared unrecoverable.” Source: Heimdal Security
• “Impact from trade secret theft ranges from 1% to as much as 3% of a nation’s GDP – using the World Bank’s GDP estimate of $74.9 trillion in 2003, loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually.” Source: Global State of Information Security Survey 2015 from PwC
• “The U.S. government has spent $100 billion on cybersecurity over the past decade, and has $14 billion budgeted for cybersecurity in 2016.” Source: The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics from Forbes
• “The cyber insurance market—mainly a U.S. market—has grown from $1 billion to $2.5 billion over the past two years, and it is expected to grow dramatically and expand globally over the next five years.” Source: The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics from Forbes. See also: Security Ratings For Cyber Insurance
• “The forecast average loss for a breach of 1,000 records is between $52,000 and $87,000.” Source: 2015 Data Breach Investigations Report from Verizon
9. CYBER INSURANCE COVERAGE ILLUSTRATED
Amounts are in US dollars. "Premium % of revenues" is Premium ÷ Revenues, "Limits % of revenue" is Limits ÷ Revenues, and "Coverage for worst case scenario" is Revenues − Limits, i.e. the illustration treats a loss equal to one year's revenue as the worst case; values in parentheses are shortfalls where the policy limit is below that loss.

Type of company | Sector | Revenues | Limits | Premium | Premium % of revenues | Limits % of revenue | Coverage for worst case scenario
--- | --- | --- | --- | --- | --- | --- | ---
IT CONSULTING & DATA HOSTING PROVIDER | IT | 1,500,000 | 2,000,000 | 3,643 | 0.243% | 133.333% | (500,000)
HEALTHCARE SAAS PROVIDER | HC | 2,000,000 | 2,000,000 | 9,398 | 0.470% | 100.000% | 0
HEALTHCARE IT PROVIDER/CONSULTING/PROJECT MANAGEMENT | HC | 4,500,000 | 5,000,000 | 34,600 | 0.769% | 111.111% | (500,000)
CALL CENTER | Communications | 20,000,000 | 5,000,000 | 19,800 | 0.099% | 25.000% | 15,000,000
FIBER OPTICS COMMUNICATIONS PROVIDER | Communications | 35,000,000 | 10,000,000 | 47,000 | 0.134% | 28.571% | 25,000,000
INDUSTRY: HEALTHCARE | HC | 25,000,000 | 1,000,000 | 12,900 | 0.052% | 4.000% | 24,000,000
INDUSTRY: EDUCATION | ED | 25,000,000 | 1,000,000 | 6,000 | 0.024% | 4.000% | 24,000,000
INDUSTRY: RETAIL | RETAIL | 50,000,000 | 1,000,000 | 26,000 | 0.052% | 2.000% | 49,000,000
INDUSTRY: E-COMMERCE | IT | 50,000,000 | 1,000,000 | 37,000 | 0.074% | 2.000% | 49,000,000
RESTAURANT | MFG | 50,000,000 | 1,000,000 | 10,000 | 0.020% | 2.000% | 49,000,000
HEALTHCARE IT PROVIDER | HC | 1,200,000 | 5,000,000 | 15,900 | 1.325% | 416.667% | (3,800,000)
HEALTHCARE SAAS PROVIDER (STARTUP) | IT | 1,500,000 | 5,000,000 | 30,420 | 2.028% | 333.333% | (3,500,000)
ELECTRONIC HEALTH RECORDS (EHR) PROVIDER | HC | 5,000,000 | 1,000,000 | 8,010 | 0.160% | 20.000% | 4,000,000
E-WASTE COMPANY | MFG | 1,500,000 | 2,000,000 | 3,564 | 0.238% | 133.333% | (500,000)
PSYCHOLOGIST’S OFFICE | HC | 1,000,000 | 1,000,000 | 1,600 | 0.160% | 100.000% | 0
DOCTOR’S OFFICE | HC | 1,700,000 | 1,000,000 | 1,800 | 0.106% | 58.824% | 700,000
SAAS PROVIDER | IT | 3,000,000 | 200,000 | 6,000 | 0.200% | 6.667% | 2,800,000
FAST FOOD | Consumer | 15,000,000 | 1,000,000 | 9,000 | 0.060% | 6.667% | 14,000,000
DATA STORAGE CENTER | IT | 15,000,000 | 20,000,000 | 120,000 | 0.800% | 133.333% | (5,000,000)

Source: https://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/
11. OTHER CHANGES TO TAKE NOTE OF
• Business and relationship models will change
  • Defense industry and auto industry
• Expansion of stakeholder responsibilities by regulatory authorities
• Aggressive changes in penalty regimes
  • European Union
  • South Africa
12. BUSINESS MODEL CHANGES
• Demands will be pushed down into supply chains, impacting entire industries over the next few years
• Accelerated by the introduction and increasing use of products considered part of the Internet of Things (IoT)
• The mobility transformation in the auto industry will accelerate changes for manufacturers, suppliers and service providers (e.g. repair shops)
14. GOVERNANCE IS CHANGING
NY'S DFS REGULATION (500.03) RECENTLY FINALIZED
“The cybersecurity policy shall be reviewed by the covered entity’s board of directors or equivalent governing body, and approved by a senior officer of the covered entity.”
“The cybersecurity policy shall address, at a minimum, the following areas: information security; data governance and classification; access controls and identity management; business continuity and disaster recovery planning and resources; capacity and performance planning; systems operations and availability concerns; systems and network security; systems and network monitoring; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; risk assessment; and incident response.”
15. ARE CHANGES TAKING PLACE FAST ENOUGH?
• If you are in a domain of losses – you will take more risk
• If you are in a domain of gains – you will be more risk averse
16. EU RESPONSE – ATTEMPT TO CHANGE THE PARADIGM
Yet, EU laws related to identity protections provide the following fine regime:
Non-compliance can lead to an administrative fine of up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher! (In some cases the penalty is raised to the greater of €20,000,000 or 4% of global revenues.)
SailPoint Survey Confirms Enterprises have GDPR on their Mind
75 percent recognize the important role identity governance plays within GDPR compliance plans
LONDON, March 7, 2017 – SailPoint, the leader in identity management, surveyed customers and attendees at this week’s Gartner IAM Summit about their plans for meeting compliance requirements associated with the General Data Protection Regulation (GDPR), which goes into effect in 2018. Of approximately 100 survey respondents, 80 percent see GDPR as a priority even if they don’t have a specific plan in place (only 25 percent of respondents have an established plan) to comply with the regulation. Of those who are planning ahead for GDPR, most (75 percent) recognize the important role that identity governance plays in helping them to be GDPR-ready by 2018.
17. ARE OTHER COUNTRIES FOLLOWING THE EU?
• YES – South Africa is leading and has already enacted the Protection of Personal Information legislation (POPI), which has been signed by the President.
• Failure to comply with the Act can impose personal liability on the executive management of public and private sector bodies.
19. APPRECIATING THE CYBER RELATED CHALLENGES
NOW AN AREA OF FOCUS AND SHARED CONCERNS WITH IT
STAKEHOLDERS
• Shareholders
• Board of directors
• Audit committee
• Chief Executive Officer
• Chief Financial Officer
• Chief Risk Officer
• Chief Information Officer (CIO/CTO)
• Human Resources
• PR/Markets
• Capital markets
• Engineering and manufacturing floor
• Business partners
• Others (supply chain relationships)
MANAGE COSTS
• Protect strategic information
• Improve insights through analytics
• Manage stakeholder relationships with greater transparency
• Deliver self-provided information with new tools for savvy users
• Manage disruptions
• Help people use their technology-based tools more safely
• Manage cloud solutions
DELIVER VALUE
• Increase productivity of employees through connectivity and collaboration
• Connect complex supply chains across the world
• Agility
• Aligned with, and an enabler of, the business model
• Control costs (server and communication maintenance)
• Deliver actionable information
• Protection of personal information
PROTECT ENTERPRISE VALUE
20. STAKEHOLDER FOCUS OR AREAS OF CONCERN
SOME OF THE CHANGES - ILLUSTRATED
• Boards – Concern around reputational risk and overall enterprise value
• CEOs – Concerns about protecting their strategies and sensitive information
• Finance teams – Concern around reporting and compliance obligations (Sarbanes-Oxley, etc.)
• HR – Concerns around privacy protections
• Engineers – Concerns around connecting products to suppliers or customers
• Production – Concerns around automation and greater use of robotics
• Financial institutions – Concerns around the use of bots, trading algorithms, and regulatory and market issues
23. HOWEVER, THE INDUSTRY IS MOVING
• The cyber security market is growing
• Global budgets are increasing – but not even close to the increase in losses/insurance
  • In 2013 – $1.5 billion in funding was allocated to 240 cyber security firms
• Combinations and consolidations will continue to evolve
  • Dell/EMC/RSA – spin off
  • Palantir in talks about an IPO
• Initiatives observed like the Mach37 Cybersecurity accelerator (https://www.mach37.com/) and interesting collaborations like Lockheed and GE – opening a center in Israel
24. TECHNOLOGY OFFERS A PROMISING FUTURE
• Simon Crosby, CTO at Bromium, calls machine learning the pipe dream of cybersecurity, arguing that “there’s no silver bullet in security.” What backs up this argument is the fact that in cybersecurity, you’re always up against some of the most devious minds, people who already know very well how machines and machine learning work and how to circumvent their capabilities. Many attacks are carried out through minuscule and inconspicuous steps, often concealed in the guise of legitimate requests and commands.
• https://techcrunch.com/2016/07/01/exploiting-machine-learning-in-cybersecurity/
26. AICPA FRAMEWORK
RELEASED MAY 1, 2017
“The AICPA has developed a framework that will serve as a critical step to enabling a consistent, market-based mechanism for companies worldwide to explain how they’re managing cybersecurity risk,” Coffey explained. “We believe investors, boards, audit committees and business partners will see tremendous value in gaining a better understanding of organizations’ cybersecurity risk management efforts. That information, combined with the CPA’s opinion on the effectiveness of management’s efforts, will increase stakeholders’ confidence in organizations’ due care and diligence in managing cybersecurity risk.”
https://www.aicpa.org/Press/PressReleases/2017/Pages/AICPA-Unveils-Cybersecurity-Risk-Management-Reporting-Framework.aspx
Prevention of security events
• Physical and logical access
  • Authentication
  • Credential management
  • Privileged user management
• Database security
  • Data loss prevention
  • Data destruction
  • Data backup
• Virus detection and prevention
  • Firewalls and perimeter security
  • Secure system configuration
  • Intrusion prevention
• Change management
  • Application changes
  • Patch management
Detection of security events
• Response to events
• Mitigation and recovery