Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Northwestern State University's Fall Continuing Legal Education Conference on November 18, 2020.
Relationship Between International Law and Municipal Law MIR.pdf
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to Manage Cyber Risk
1. Spencer Fane LLP | spencerfane.com 1
CYBERSECURITY IS A TEAM SPORT
Why Teams, Strategies, and Processes are
Essential for Managing Cyber Risk
Shawn E. Tuma
Co-Chair, Data Privacy & Cybersecurity Practice
Spencer Fane LLP
2. Spencer Fane LLP | spencerfane.com 2
You must take the
poll to get credit
for the CLE!
4. Spencer Fane LLP | spencerfane.com 4
Cybersecurity is a legal issue
• Types
– Security
– Privacy
– Unauthorized Access
• International Laws
– GDPR
– Privacy Shield
– China’s Cybersecurity Law
• Federal Laws and Regs
– FTC, SEC, HIPAA
• State Laws
– All 50 States
– Privacy (50) + security (25+)
– CCPA, NYDFS, Colo FinServ
• Industry Groups
– PCI
– FINRA
• Contracts
– 3rd Party Bus. Assoc.
– Privacy / Data Security /
Cybersecurity Addendum
5. Spencer Fane LLP | spencerfane.com 5
Common business objections
1.We have an “IT Guy”
2.We have an “IT Company”
3.We are “compliant”
4.We have cyber insurance
5.We are not a large company (or, “tech” company)
6.Our data is not that valuable
12. Spencer Fane LLP | spencerfane.com 12
Takeaway: Cybersecurity is no longer just an IT issue – it is an
overall business risk issue – indeed, the ONE risk...
13. Spencer Fane LLP | spencerfane.com 13
Since cyber is an overall business risk issue,
who is on the team?
14. Spencer Fane LLP | spencerfane.com 14
Who is on the cyber risk team, and when?
Internal team
• CISO
• IT
• Information Security
• Business
• Risk
• Legal
• Privacy
• CFO
• COO
• HR
• Audit
• Marketing
External team
• Legal
• MSP / MSSP
• Security Firm
• Forensics Firm
• Insurance
• Cyber, etc.
• Broker
• Carrier
• PR Firm
• Notification Vendor
• Law Enforcement
15. Spencer Fane LLP | spencerfane.com 15
Team considerations
Questions to consider
• Do you have a “cyber risk
committee”?
• Who is the “head coach”?
• Who are the “coordinators”?
• i.e., who takes the lead on and “owns”:
• Proactive risk management
• Incident response
• Chain of command
• Have you considered the team
members’ personalities, experience,
and other intangibles vis-à-vis the role
they play?
Planning considerations
• Who is on the field during which
situation?
• Do the players know their role?
• Are the players eligible to play?
• i.e., pre-approval of vendors,
engagements executed
• Can they communicate?
• Understand language
• Logistics for communicating
• How often do they practice?
• Do you play scrimmages?
16. Spencer Fane LLP | spencerfane.com 16
Takeaway: It takes a team of many different stakeholders within and
outside of the organization, working together as a team,
to effectively manage cyber risk.
18. Spencer Fane LLP | spencerfane.com 18
Common cybersecurity best practices
1. Risk assessment.
2. Policies and procedures focused on
cybersecurity.
– Social engineering, password, security
questions.
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention
systems.
16. Managed services provider (MSP) or managed
security services provider (MSSP).
17. Really top-notch battle-tested CISO.
18. Cyber risk insurance.
19. Spencer Fane LLP | spencerfane.com 19
Canary in the coal mine
• What is your role?
• How does your company (or
others) handle:
– P&P + Training
– MFA
– Phishing
– Backups
– IRP & IR Team
– Cyber Insurance
21. Spencer Fane LLP | spencerfane.com 21
How mature is the company’s cyber risk
management program?
• “GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter maintain, a
comprehensive information security program that is reasonably designed to protect the security,
confidentiality, and integrity of personal information collected from or about consumers.” In re GMR
Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
• “We believe disclosures regarding a company’s cybersecurity risk management program and how the board
of directors engages with management on cybersecurity issues allow investors to assess how a board of
directors is discharging its risk oversight responsibility in this increasingly important area.” SEC Statement
and Guidance (Feb. 21, 2018)
• “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity
and availability of the Covered Entity’s Information Systems.” NYDFS Cybersecurity Regulations § 500.02
• “Taking into account the state of the art, the costs of implementation and the nature, scope, context and
purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of
natural persons, the controller and the processor shall implement appropriate technical and organizational
measures to ensure a level of security appropriate to the risk, including …” GDPR, Art. 32
“A business shall implement and maintain
reasonable procedures, including taking any
appropriate corrective action, to protect from
unlawful use or disclosure any sensitive personal
information collected or maintained by the
business in the regular course of business.”
– Ken Paxton
22. Spencer Fane LLP | spencerfane.com 22
What is reasonable
cybersecurity?
Too little – “just
check the box”
Too much –
“boiling the
ocean”
23. Spencer Fane LLP | spencerfane.com 23
Reasonable
cybersecurity is a
process, not a definition
24. Spencer Fane LLP | spencerfane.com 24
Takeaway: Reasonable cybersecurity is a process, not a definition: it
includes understanding your risks, prioritizing your efforts,
and executing your priorities in a systematic manner.
25. Spencer Fane LLP | spencerfane.com 25
Once you have your team in place and understand what
your risks are that you’re trying to manage, what do you do?
26. Spencer Fane LLP | spencerfane.com 26
What do you think?
What do you think is the most glaring thing missing when I look at substantial
incidents and data breaches I have handled over the past 20 years?
1. Lack of hardware, services, gadgets, and gizmos?
2. Lack of support from management?
3. Lack of funding?
4. Lack of talent?
5. Lack of skills and knowledge?
6. Lack of strategy?
29. Spencer Fane LLP | spencerfane.com 29
Strategic leadership and planning
“Strategy without tactics is the slowest route to victory, tactics
without strategy is the noise before defeat.” – Sun Tsu
What does strategy consider?
• Risk analysis – present and future
• Resources – present and future
• Who is on your team?
• For different situations, understand team capabilities – internal and external
• How is your team executing?
• Don’t forget 3rd and Nth party risk!
• Prioritize and execute for evolving threats
• Objectives – what is a “win”?
31. Spencer Fane LLP | spencerfane.com 31
Takeaway: Winning is withstanding the attacks so your company can stay
focused on its primary mission. Winning comes from
preparation, resilience, and continuously learning and adapting.
32. Spencer Fane LLP | spencerfane.com 32
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com
• 20+ Years of Cyber Law Experience
• Practitioner Editor, Bloomberg BNA – Texas
Cybersecurity & Data Privacy Law
• Council Member, Southern Methodist University
Cybersecurity Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Board of Advisors, Cyber Future Foundation
• Cybersecurity & Data Privacy Law Trailblazers, National
Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-20
• Best Lawyers in Dallas 2014-20, D Magazine
• Chair-Elect, Computer & Technology Section, State Bar of
Texas
• Privacy and Data Security Committee of the State Bar of
Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin
County Bar Association
• Information Security Committee of the Section on Science
& Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee &
Infragard (FBI)
• International Association of Privacy Professionals (IAPP)