Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at Misti's InfoSec World during the Privacy & Risk Summit on March 22, 2018, in Orlando, Florida.
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
1. THE LEGAL CASE FOR CYBER
RISK MANAGEMENT
Shawn E. Tuma
Cybersecurity & Data Privacy Attorney
@shawnetuma
2.
3. Cybersecurity is no longer just an IT issue—
it is an overall business risk issue.
4. Security and IT protect companies’ data;
Legal protects companies from their data.
5. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature-based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Written incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security
services provider (MSSP).
17. Cyber risk insurance.
COMMON
CYBERSECURITY BEST
PRACTICES
6.
DOES YOUR COMPANY
HAVE REASONABLE
CYBERSECURITY?
In re Target Data Security Breach
Litigation, (Financial Institutions)
(Dec. 2, 2014)
F.T.C. v. Wyndham Worldwide Corp.,
799 F.3d 236 (3rd Cir. Aug. 24, 2015)
7.
DOES YOUR COMPANY
HAVE ADEQUATE
INTERNAL NETWORK
CONTROLS?
FTC v. LabMD, (July 2016 FTC
Commission Order)
8.
DOES YOUR COMPANY
HAVE WRITTEN POLICIES
AND PROCEDURES
FOCUSED ON
CYBERSECURITY?
SEC v. R.T. Jones Capital Equities Mgt.,
Consent Order (Sept. 22, 2015)
9.
DOES YOUR COMPANY
HAVE A WRITTEN
CYBERSECURITY
INCIDENT RESPONSE
PLAN?
SEC v. R.T. Jones Capital Equities Mgt.,
Consent Order (Sept. 22, 2015)
10.
DOES YOUR COMPANY
MANAGE THIRD PARTY
CYBER RISK?
In re GMR Transcription Svcs, Inc.,
Consent Order (August 14, 2014)
11. “GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and
thereafter maintain, a comprehensive information security program that is
reasonably designed to protect the security, confidentiality, and integrity of
personal information collected from or about consumers.” In re GMR
Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
“We believe disclosures regarding a company’s cybersecurity risk
management program and how the board of directors engages with
management on cybersecurity issues allow investors to assess how a board
of directors is discharging its risk oversight responsibility in this increasingly
important area.” SEC Statement and Guidance (Feb. 21, 2018)
“Each Covered Entity shall maintain a cybersecurity program designed to
protect the confidentiality, integrity and availability of the Covered Entity’s
Information Systems.” NYDFS Cybersecurity Regulations § 500.02
“Taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing as well as the risk of
varying likelihood and severity for the rights and freedoms of natural persons,
the controller and the processor shall implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk,
including …” GDPR, Art. 32
HOW MATURE IS YOUR
COMPANY’S CYBER
RISK MANAGEMENT
PROGRAM?
12. Our role as attorneys is to provide legal advice regarding the legal,
regulatory compliance, and overall defensibility of the company’s
current cyber risk and cybersecurity defense posture and then lead
the company in developing, implementing, testing, and maturing a
comprehensive cyber risk management program.
• In providing this legal advice, we will engage the services of
other professionals – consulting experts – to assist us in
evaluating the current status and moving towards a more
defensible posture.
• Our work may be treated as attorney-client privileged and work-
product.
• But, both attorney-client privilege and work-product are very
uncertain in this environment and are certainly no guarantees.
• Communicate as though there will be no privilege.
WHY HAVE AN ATTORNEY LEAD YOUR RISK MANAGEMENT PROGRAM?
13. Too little –
“just buy the
forms”
Too much –
“boiling the
ocean”
What is
reasonable
cybersecurity?
15. • Based on a risk assessment [1,2,3,4,5]
• Implemented and maintained (i.e., maturing) [1,2,3]
• Fully documented in writing for both content and implementation [1,2,3]
• Comprehensive [1,2,3,4,5]
• Contain administrative, technical, and physical safeguards [1,2,3]
• Reasonably designed to protect against risks to network and data [1,2,3,4,5]
• Identify and assess internal and external risks [2]
• Use defensive infrastructure and policies and procedures to protect network and data [1,2,3,4,5]
• Workforce training [2,3]
• Detect events [2]
• Respond to events to mitigate negative impact [2]
• Recover from events to restore normalcy [2]
• Regularly review network activity such as audit logs, access reports, incident tracking reports [3]
• Assign responsibility for security to an individual [3,5]
• Address third-party risk [2,3,5]
• Certify compliance by Chair of Board or Senior Officer or Chief Privacy Officer [2]
WHAT SHOULD YOUR
COMPANY’S CYBER
RISK MANAGEMENT
PROGRAM LOOK LIKE?
1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
2. NYDFS Cybersecurity Regulations Section 500.02
3. HIPAA Security Management Process, §164.308(a)(1)(ii)
4. SEC Statement and Guidance on 2/21/18
5. GDPR Art. 32
Cyber risk management program requirements:
16. The most essential step?
• How do you protect against what you don’t know?
• How do you protect what you don’t know you have?
• How do you comply with rules you don’t know exist?
• Demonstrates real commitment to protect, not just
“check the box compliance.”
• No two companies are alike, neither are their risks,
neither are their risk tolerances.
CYBER RISK
MANAGEMENT
PROGRAM
Identify:
Assess Cyber Risk
“If you know the enemy and know yourself, you need
not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained
you will also suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in
every battle.” –Sun Tzu
17. Required by -
• FTC: “shall contain administrative, technical, and physical safeguards
appropriate to …” (GMR)
• HHS: “The Security Rule requires entities to evaluate risks and
vulnerabilities in their environments and to implement reasonable and
appropriate security measures to protect against reasonably
anticipated threats or hazards to the security or integrity of ePHI. Risk
analysis is the first step in that process.” (HHS Guidance on Risk
Analysis)
• SEC: “We expect companies to provide disclosure that is tailored to
their particular cybersecurity risks and incidents.” (SEC Statement and
Guidance 2/21/18)
• NYDFS: “Each Covered Entity shall conduct a periodic Risk
Assessment of the Covered Entity’s Information Systems sufficient to
inform the design of the cybersecurity program as required by this
Part.” (NYDFS § 500.09)
• GDPR: “Taking into account the nature, scope, context and purposes
of processing as well as the risks of varying likelihood and severity for
the rights and freedoms of natural persons, the controller shall
implement appropriate technical and organizational measures ….”
(GDPR Art. 24 and 32)
CYBER RISK
MANAGEMENT
PROGRAM
Identify:
Assess Cyber Risk
18. • What information it has, where is it, who has access to it, how it moves into, through, and out of the company [2,6]
• The company’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it maintains [1]
• Workforce
• Industry risks [4]
• “Nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons” [5]
• Technological developments and evolving threats [2]
• Availability and effectiveness of controls [2] and limits on ability to use controls [4]
• Documentation of how identified risks will be mitigated or accepted and how the program will address the risks [2]
• Third-party and nth-party risk [2]
• Prior incidents and probability of future incidents [4]
• Availability of insurance coverage for incidents [4]
• Potential for reputational harm [4]
• Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents [4]
• Jurisdiction and existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies [4]
CYBER RISK
MANAGEMENT
PROGRAM
Identify:
Assess Cyber Risk
1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
2. NYDFS Cybersecurity Regulations Section 500.09
3. HIPAA Security Management Process, §164.308(a)(1)(ii)
4. SEC Statement and Guidance on 2/21/18
5. GDPR Art. 24 and 32
6. FTC Protecting Personal Information
What are we assessing?
19. • Types
• Security
• Privacy
• Unauthorized Access
• International Laws
• Privacy Shield
• GDPR
• Federal Laws & Regs.
• HIPAA, GLBA, FERPA
• FTC, SEC, FCC, HHS
• State Laws
• 48 states (all except AL & SD)
• NYDFS & Colorado FinServ
• Industry Groups
• PCI, FINRA
• Contracts
• 3rd Party Bus. Assoc.
• Data Security Addendum
WHAT LAWS AND REGULATIONS ARE THE COMPANY SUBJECT TO?
20. • What does strategy consider?
• Who is your general?
• Who is on your team?
• Inside and outside
• Technical – MSP, MSSP, pen testing, forensics
• Strategic – CISO, outsource / fractional CISO, legal, CPO
• Risk transfer – cyber risk insurance
• Prioritization is critical: “you can’t boil the ocean”
• Evaluating risk = probability x loss x cost x time to
implement x impact on resources x benefits / detriments
• “where do we die first?”
• Don’t forget 3rd and Nth party risk
• Write out your Strategic Plan
CYBER RISK
MANAGEMENT
PROGRAM
Identify & Protect:
Strategic Planning
“Strategy without tactics is the slowest route to
victory, tactics without strategy is the noise before
defeat.” −Sun Tzu
21. “Gimme Action! Action! Action not words!” –Def Leppard
• Execute your Strategic Plan in order of priorities.
• Make sure to document this process (and all others).
• Execution will vary wildly, based on size and
complexity of company and Strategic Plan.
• Include redundancy (where appropriate – think Equifax
/ Apache Struts patch) and verification of execution
(example: recent W-2 case with DLP setting).
• If you have the assets, you must use them and
respond appropriately (Target Financial Case).
• Have appropriate procedures for quickly assessing
and responding to anomalies and incidents from
Detection in reasonable time.
CYBER RISK
MANAGEMENT
PROGRAM
Protect & Detect:
Implement Strategy &
Deploy Assets
“A good plan violently executed now is better than a
perfect plan executed next week.” –George Patton
22. CYBER RISK
MANAGEMENT
PROGRAM
Protect:
Develop, Implement & Train on
Policies & Procedures
• 63% confirmed breaches from weak, default,
or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily Avoidable Incidents
91% in 2015
91% in 2016
93% in 2017
23. Key points to consider in evaluating third-party risk.
• Focus on objectives: protecting, responding, responsibility
of data/network.
• Staff appropriately.
• Understand facts of relationship/transaction.
• Understand risks by thinking worst case scenario from
outset.
• Minimize risks: do not risk it if you do not have to.
• Discuss objectives, facts, risks, protection with those
responsible.
• Assess third party’s sophistication and commitment.
• Agree upon appropriate protections.
• Investigate ability to comply.
• Obligate compliance, notification (to you), responsibility.
• Include in incident response planning.
• Cyber Insurance: transfer risk where possible.
CYBER RISK
MANAGEMENT
PROGRAM
Protect:
Third Party Risk
24. Use contracts and contractual rights to minimize third-party
risk:
• Minimize risk, including third-party risk; and
• Determine the process and responsibility for incidents.
This risk can be reduced to two basic things: protecting –
wherever and however – and responding to incidents
concerning:
• Networks; and
• Data.
CYBER RISK
MANAGEMENT
PROGRAM
Protect:
Third Party Risk
(into the weeds)
25. In re GMR Transcription Svcs., Inc., Consent Order (Aug.
14, 2014). FTC’s Order requires business to follow 3 steps
when working with third party service providers:
1. Investigate before hiring data service providers;
2. Obligate data service providers to adhere to the
appropriate level of data security protections; and
3. Verify that the data service providers are complying
with obligations (contracts).
CYBER RISK
MANAGEMENT
PROGRAM
Protect:
Third Party Risk
(into the weeds)
26. “It would be helpful for companies to consider the following
issues, among others, in evaluating cybersecurity risk factor
disclosure: . . . . the aspects of the company’s business and
operations that give rise to material cybersecurity risks and the
potential costs and consequences of such risks, including
industry-specific risks and third-party supplier and service
provider risks.” SEC Statement, February 21, 2018
In January 2014, SEC indicates that the new standard of care for
companies may require policies in place for:
1. Prevention, detection, and response to cyber attacks and
data breaches,
2. IT training focused on security, and
3. Vendor access to company systems and vendor due
diligence.
CYBER RISK
MANAGEMENT
PROGRAM
Protect:
Third Party Risk
(into the weeds)
27. New NIST Cybersecurity Framework adds “Supply Chain
Risk Management (SCRM)” as a “Framework Core”
function:
• Coordinate cybersecurity efforts with suppliers of IT and
OT (operational technology) partners;
• Enact cybersecurity requirements through contracts;
• Communicate how cybersecurity standards will be
verified and validated; and
• Verify cybersecurity standards are met.
CYBER RISK
MANAGEMENT
PROGRAM
Protect:
Third Party Risk
(into the weeds)
28. NYDFS § 500.11 Third-Party Service Provider Security Policy
“Each Covered Entity shall implement written policies and procedures
designed to ensure the security of Information Systems and Nonpublic
Information that are accessible to, or held by, Third Party Service
Providers.”
• P&P should be based on CE’s Risk Assessment and address the following,
as applicable:
• The identification and risk assessment of TPSPs;
• Minimum CP required by TPSP to do business with CE;
• Due diligence process used to evaluate the adequacy of CP by such
TPSP; and
• Periodic assessment of such TPSP based on risk they present and
continued adequacy of their CP.
• P&P shall include relevant guidelines for due diligence and/or contractual
protections relating to TPSP and applicable guidelines addressing:
• TPSP’s P&P for access controls and MFA to IS / NPI;
• TPSP’s P&P for use of encryption in transit and at rest;
• Notice to be provided to CE for Cybersecurity Event; and
• Reps and warranties addressing TPSP’s cybersecurity P&P.
CYBER RISK
MANAGEMENT
PROGRAM
Protect:
Third Party Risk
(into the weeds)
29. Third-Party Processing and Risk Under the GDPR
• Controller, individually or with other controllers (jointly and severally), is
responsible to the data subjects. Art. 26
• Processor may only process on the controller’s instructions. Art. 29
• Using a risk assessment, the controller must implement appropriate technical
and organizational safeguards (incl. P&P) to ensure personal data is
processed lawfully. Reassessment and maturation are required. Art. 24(1)
• Controller shall use only processors providing sufficient guarantees to
implement appropriate technical and organizational measures to satisfy
GDPR. Art. 28
• Processor must have controller’s written authorization to engage another
sub-processor;
• Processor must have binding contract with controller specifying particulars
of processing;
• Processor must be bound to confidentiality;
• Processor must demonstrate compliance and agree to audits and
inspections; and
• Nth processors liable to upstream processor, which is liable to the
controller, which is ultimately liable.
• Non-regulated controllers and processors can contractually agree to be
bound. Art. 42
CYBER RISK
MANAGEMENT
PROGRAM
Protect:
Third Party Risk
(into the weeds)
30. Preparation is the key to a successful incident response.
• There is no magic size to an Incident Response Plan but it
must be written.
• Know who is on your IR team and have them involved.
• Understand your legal obligations, including contractual.
• Know the difference between an incident and a breach –
breach is a legal term.
• Make sure your legal counsel understands the meaning of
“non-reportable incident”!
• Put yourself in the incident and think through it from there.
CYBER RISK
MANAGEMENT
PROGRAM
Respond:
Develop IR Plan & Tabletop
Testing
“Firms must adopt written policies to protect their
clients’ private information and they need to
anticipate potential cybersecurity events and have
clear procedures in place rather than waiting to react
once a breach occurs.” SEC v. R.T. Jones
32. CYBER RISK
MANAGEMENT
PROGRAM
Respond:
Develop IR Plan & Tabletop
Testing
Incident Response Checklist
• Determine whether incident justifies
escalation
• Begin documentation of decisions and
actions
• Engage experienced legal counsel to
lead process, determine privilege vs
disclosure tracks
• Notify and convene Incident Response
Team
• Notify cyber insurance carrier
• Engage forensics to mitigate continued
harm, gather evidence, and investigate
• Assess scope and nature of data
compromised
• Preliminarily determine legal
obligations
• Determine whether to notify law
enforcement
• Begin preparing public relations
message
• Engage notification / credit services
vendor
• Notify affected business partners
• Investigate whether data has been
“breached”
• Determine when notification “clock”
started
• Remediate and protect against future
breaches
• Confirm notification / remediation
obligations
• Determine proper remediation services
• Obtain contact information for
notifications
• Prepare notification letters, frequently
asked questions, and call centers
• Plan and time notification “drop”
• Implement public relations strategy
• Administrative reporting (i.e., SEC)
• Implement Cybersecurity Risk
Management Program
33. • There is no such thing as being “cyber secure.” Until
we fix human nature, bad people will do bad things
and cyber will be a weapon of choice until something
more efficient comes along.
• Just as hackers will continue to evolve in their
objectives and tactics, companies must evolve in how
they protect against them.
• Our goal is to have effective and defensible
cybersecurity that is reasonable—that is, that is
tailored to address the unique risks of the company
and appropriate based on the company’s resources.
CYBER RISK
MANAGEMENT
PROGRAM
Recover & Identify:
Reassess, Refine & Mature
“Water shapes its course according to the nature of
the ground over which it flows; the soldier works out
his victory in relation to the foe whom he is facing.”
−Sun Tzu
34. “You don’t drown by
falling in the water;
You drown by staying
there.” – Edwin Louis Cole
35. Shawn E. Tuma
Cybersecurity & Data Privacy Attorney
@shawnetuma
THANK YOU
PLEASE FILL OUT YOUR EVALUATIONS!