Cybersecurity & Data Privacy Attorney Shawn Tuma presented this session to The American Institute of Architects' Large Firm Round Table on March 15, 2018. For more of Shawn Tuma's presentations please visit: https://shawnetuma.com/presentations/
Comparison of GenAI benchmarking models for legal use cases
The Legal Case for Cyber Risk Management Programs and What They Should Include
1. Shawn E. Tuma
Cybersecurity & Data Privacy Attorney
Scheef & Stone, LLP
Shawn.Tuma@solidcounsel.com
(214) 472-2135
@shawnetuma
The Legal Case for Cyber Risk
Management Programs and What
They Should Include
2.
3. Cybersecurity is no longer just an IT issue—
it is an overall business risk issue.
4. Security and IT protect companies’ data;
Legal protects companies from their data.
5. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Common
Cybersecurity
Best Practices
6. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Does your
company have
reasonable
cybersecurity?
In re Target Data Security Breach
Litigation, (Financial Institutions)
(Dec. 2, 2014)
F.T.C. v. Wyndham Worldwide Corp.,
799 F.3d 236 (3rd Cir. Aug. 24, 2015)
7. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Does your
company have
adequate
internal network
controls?
FTC v. LabMD, (July 2016 FTC
Commission Order)
8. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Does your
company have
written policies
and procedures
focused on
cybersecurity?
SEC v. R.T. Jones Capital Equities
Mgt., Consent Order (Sept. 22, 2015)
9. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Does your
company have a
written
cybersecurity
incident
response plan?
SEC v. R.T. Jones Capital Equities
Mgt., Consent Order (Sept. 22, 2015)
10. 1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services
provider (MSSP).
17. Cyber risk insurance.
Does your
company
manage third-
party cyber risk?
In re GMR Transcription Svcs, Inc.,
Consent Order (August 14, 2014)
11. “GMR Transcription Services, Inc. . . . Shall . . . establish and
implement, and thereafter maintain, a comprehensive information
security program that is reasonably designed to protect the security,
confidentiality, and integrity of personal information collected from
or about consumers.” In re GMR Transcription Svcs, Inc., Consent
Order (Aug. 14, 2014)
“We believe disclosures regarding a company’s cybersecurity risk
management program and how the board of directors engages with
management on cybersecurity issues allow investors to assess how a
board of directors is discharging its risk oversight responsibility in
this increasingly important area.” SEC Statement and Guidance (Feb.
21, 2018)
“Each Covered Entity shall maintain a cybersecurity program
designed to protect the confidentiality, integrity and availability of
the Covered Entity’s Information Systems.” NYDFS Cybersecurity
Regulations § 500.02
“Taking into account the state of the art, the costs of
implementation and the nature, scope, context and purposes of
processing as well as the risk of varying likelihood and severity for
the rights and freedoms of natural persons, the controller and the
processor shall implement appropriate technical and organizational
measures to ensure a level of security appropriate to the risk,
including …” GDPR, Art. 32
How mature is
your company’s
cyber risk
management
program?
12. Why have an attorney lead your cyber risk management program?
Our role as attorneys is to provide legal advice regarding the legal, regulatory
compliance, and overall defensibility of the company’s current cyber risk and
cybersecurity defense posture and then lead the company in developing,
implementing, testing, and maturing a comprehensive cyber risk
management program.
• In providing this legal advice, we will engage the services of other
professionals – consulting experts – to assist us in evaluating the current
status and moving towards a more defensible posture.
• Our work may be treated as attorney-client privileged and work-product.
• But, both attorney-client privilege and work-product are very uncertain
in this environment and are certainly no guarantees.
• Communicate as though there will be no privilege.
13. Too little –
“just check the
box”
Too much –
“boiling the
ocean”
What is reasonable
cybersecurity?
15. What should your company’s cyber risk management program look like?
• Based on a risk assessment1,2,3,4,5
• Implemented and maintained (i.e.,
maturing)1,2,3
• Fully documented in writing for both content
and implementation1,2,3
• Comprehensive1,2,3,4,5
• Contain administrative, technical, and physical
safeguards1,2,3
• Reasonably designed to protect against risks to
network and data1,2,3,4,5
• Identify and assess internal and external risks2
• Use defensive infrastructure and policies and
procedures to protect network and data1,2,3,4,5
• Workforce training2,3
• Detect events2
• Respond to events to mitigate negative impact2
• Recover from events to restore normalcy2
• Regularly review network activity such as audit
logs, access reports, incident tracking reports3
• Assign responsibility for security to an
individual3,5
• Address third-party risk2,3,5
• Certify compliance by Chair of Board or Senior
Officer or Chief Privacy Officer2
1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
2. NYDFS Cybersecurity Regulations Section 500.02
3. HIPAA Security Management Process, §164.308(a)(1)(ii)
4. SEC Statement and Guidance on 2/21/18
5. GDPR Art. 32
16. The most essential step?
• How do you protect against what you don’t know?
• How do you protect what you don’t know you have?
• How do you comply with rules you don’t know exist?
• Demonstrates real commitment to protect, not just
“check the box compliance.”
• No two companies are alike, neither are their risks,
neither are their risk tolerances.
Cyber Risk
Management
Program
Identify:
Assess Cyber Risk
“If you know the enemy and know yourself, you need
not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained you
will also suffer a defeat. If you know neither the enemy
nor yourself, you will succumb in every battle.” –Sun Tzu
17. Required by -
• FTC: “shall contain administrative, technical, and physical
safeguards appropriate to …” (GMR)
• HHS: “The Security Rule requires entities to evaluate risks and
vulnerabilities in their environments and to implement reasonable
and appropriate security measures to protect against reasonably
anticipated threats or hazards to the security or integrity of ePHI.
Risk analysis is the first step in that process.” (HHS Guidance on
Risk Analysis)
• SEC: “We expect companies to provide disclosure that is tailored
to their particular cybersecurity risks and incidents.” (SEC
Statement and Guidance 2/21/18)
• NYDFS: “Each Covered Entity shall conduct a periodic Risk
Assessment of the Covered Entity’s Information Systems sufficient
to inform the design of the cybersecurity program as required by
this Part. (NYDFS § 500:09)
• GDPR: “Taking into account the nature, scope, context and
purposes of processing as well as the risks of varying likelihood
and severity for the rights and freedoms of natural persons, the
controller shall implement appropriate technical and
organizational measures ….” (GDPR Art. 24 and 32)
Cyber Risk
Management
Program
Identify:
Assess Cyber Risk
18. Cyber Risk Management Program – Identify: Assess Cyber Risk
What are we assessing?
• What information it has, where is it, who has access to
it, how it moves into, through, and out of the
company2,6
• The company’s size and complexity, the nature and
scope of its activities, and the sensitivity of the
personal information it maintains1
• Workforce
• Industry risks4
• “Nature, scope, context and purposes of processing as
well as the risks of varying likelihood and severity for
the rights and freedoms of natural persons”5
• Technological developments and evolving threats2
• Availability and effectiveness of controls2 and limits on
ability to use controls4
• Documentation of how identified risks will be mitigated
or accepted and how the program will address the
risks2
• Third-party and nth-party risk2
• Prior incidents and probability of future incidents4
• Availability of insurance coverage for incidents4
• Potential for reputational harm4
• litigation, regulatory investigation, and remediation
costs associated with cybersecurity incidents4
• Jurisdiction and existing or pending laws and
regulations that may affect the requirements to which
companies are subject relating to cybersecurity and the
associated costs to companies4
1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
2. NYDFS Cybersecurity Regulations Section 500.09
3. HIPAA Security Management Process, §164.308(a)(1)(ii)
4. SEC Statement and Guidance on 2/21/18
5. GDPR Art. 24 and 32
6. FTC Protecting Personal Information
19. What laws and regulations are the company subject to?
• Types
• Security
• Privacy
• Unauthorized Access
• International Laws
• Privacy Shield
• GDPR
• Federal Laws & Regs.
• HIPAA, GLBA, FERPA
• FTC, SEC, FCC, HHS
• State Laws
• 48 states (AL & SD)
• NYDFS & Colorado FinServ
• Industry Groups
• PCI, FINRA
• Contracts
• 3rd Party Bus. Assoc.
• Data Security Addendum
20. What does strategy consider?
• Resources
• Risks & environment
• Who is your general? Who is on your team?
• Inside and outside
• Technical – MSP, MSSP, pen testing, forensics
• Strategic – CISO, outsource / fractional CISO, legal, CPO
• Risk transfer – cyber risk insurance
• Prioritization is critical: “you can’t boil the ocean”
• Evaluating risk = probability x loss x cost x time to implement x
impact on resources x benefits / detriments
• “where do we die first?”
• Don’t forget 3rd and Nth party risk
• Write out your Strategic Plan
Cyber Risk
Management
Program
Identify & Protect:
Strategic Planning
“Strategy without tactics is the slowest route to victory,
tactics without strategy is the noise before defeat.”
−Sun Tsu
21. “Gimme Action! Action! Action not words!” –Def Leppard
• Execute your Strategic Plan in order of priorities.
• Make sure to document this process (and all others).
• Execution will vary wildly, based on size and complexity
of company and Strategic Plan.
• Include redundancy (where appropriate – think Equifax
/ Apache Struts patch) and verification of execution
(example: recent W-2 case with DLP setting).
• If you have the assets, you must use them and respond
appropriately (Target Financial Case).
• Have appropriate procedures for quickly assessing
and responding to anomalies and incidents from
Detection in reasonable time.
Cyber Risk
Management
Program
Protect & Detect:
Implement Strategy &
Deploy Assets
“A good plan violently executed now is better than a
perfect plan executed next week.” –George Patton
22. Protect: Develop, Implement & Train on Policies & Procedures
• 63% confirmed breaches from weak,
default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily Avoidable Incidents
91% in 2015
91% in 2016
93% in 2017
23. Key points to consider in evaluating third-party risk.
• Focus on objectives: protecting, responding,
responsibility of data/network.
• Staff appropriately.
• Understand facts of relationship/transaction.
• Understand risks by thinking worst case scenario from
outset.
• Minimalize risks: do not risk it if you do not have to.
• Discuss objectives, facts, risks, protection with those
responsible.
• Assess third party’s sophistication and commitment.
• Agree upon appropriate protections.
• Investigate ability to comply.
• Obligate compliance, notification (to you), responsibility.
• Include in incident response planning.
• Cyber Insurance: transfer risk where possible.
Cyber Risk
Management
Program
Protect:
Third-Party Risk
24. Use contracts and contractual rights to minimize
third-party risk:
• Minimize risk, including third-party risk; and
• Determine the process and responsibility for
incidents.
This risk can be reduced to two basic things:
protecting – wherever and however – and
responding to incidents concerning:
• Networks; and
• Data.
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
25. In re GMR Transcription Svcs., Inc., Consent Order (Aug.
14, 2014). FTC’s Order requires business to follow 3 steps
when working with third-party service providers:
1. Investigate before hiring data service providers;
2. Obligate data service providers to adhere to the
appropriate level of data security protections;
and
3. Verify that the data service providers are
complying with obligations (contracts).
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
26. “It would be helpful for companies to consider the following
issues, among others, in evaluating cybersecurity risk factor
disclosure: . . . . the aspects of the company’s business and
operations that give rise to material cybersecurity risks and the
potential costs and consequences of such risks, including
industry-specific risks and third-party supplier and service
provider risks.” SEC Statement, February 21, 2018
In January 2014, SEC indicates that the new standard of care for
companies may require policies in place for:
1. Prevention, detection, and response to cyber attacks
and data breaches,
2. IT training focused on security, and
3. Vendor access to company systems and vendor due
diligence.
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
27. New NIST Cybersecurity Framework adds “Supply Chain
Risk Management (SCRM)” as a “Framework Core”
function:
• Coordinate cybersecurity efforts with suppliers of IT
and OT (operational technology) partners;
• Enact cybersecurity requirements through contracts;
• Communicate how cybersecurity standards will be
verified and validated; and
• Verify cybersecurity standards are met.
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
28. NYDFS § 500.11 Third-Party Service Provider Security Policy
“Each Covered Entity shall implement written policies and
procedures designed to ensure the security of Information Systems
and Nonpublic Information that are accessible to, or held by, Third
Party Service Providers.”
• P&P should be based on CE’s Risk Assessment and address the following,
as applicable:
• The identification and risk assessment of TPSPs;
• Minimum CP required by TPSP to do business with CE;
• Due diligence process used to evaluate the adequacy of CP by
such TPSP; and
• Periodic assessment of such TPSP based on risk they present and
continued adequacy of their CP.
• P&P shall include relevant guidelines for due diligence and/or contractual
protections relating to TPSP and applicable guidelines addressing:
• TPSP’s P&P for access controls and MFA to IS / NPI;
• TPSP’s P&P for use of encryption in transit and at rest;
• Notice to be provided to CE for Cybersecurity Event; and
• Reps and warranties addressing TPSP’s cybersecurity P&P.
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
29. Third-Party Processing and Risk Under the GDPR
• Controller, individually or with other controllers (jointly and severally), is
responsible to the data subjects. Art. 26
• Processor only process on controller’s instructions. Art. 29
• Using a risk assessment, the controller must implement appropriate
technical and organizational safeguards (incl. P&P) to ensure personal
data is processed lawfully. Reassessment and maturation is required. Art.
24(1)
• Controller shall use only processors providing sufficient guarantees to
implement appropriate technical and organizational measures to satisfy
GDPR. Art. 28
• Processor must have controller’s written authorization to engage
another sub-processor;
• Processor must have binding contract with controller specifying
particulars of processing;
• Processor must be bound to confidentiality;
• Processor must demonstrate compliance and agree to audits and
inspections; and
• Nth processors liable to upstream processor, which is liable to the
controller, which is ultimately liable.
• Non-regulated controllers and processors can contractually agree to be
bound. Art. 42
Cyber Risk
Management
Program
Protect:
Third-Party Risk
(into the weeds)
30. Preparation is the key to a successful incident
response.
• There is no magic size to an Incident Response Plan but it
must be written.
• Know who is on your IR team and have them involved.
• Understand your legal obligations, including contractual.
• Know the difference between an incident and a breach –
breach is a legal term.
• Make sure your legal counsel understands the meaning of
“non-reportable incident”!
• Put yourself in the incident and think through it from
there.
Cyber Risk
Management
Program
Respond:
Develop IR Plan &
Tabletop Testing
"Firms must adopt written policies to protect their
clients’ private information and they need to anticipate
potential cybersecurity events and have clear
procedures in place rather than waiting to react once a
breach occurs.” SEC v. R.T. Jones
32. Cyber Risk Management Program – Respond: Develop IR Plan & TT Testing
Incident Response Checklist
• Determine whether incident justifies escalation
• Begin documentation of decisions and actions
• Engage experienced legal counsel to lead process,
determine privilege vs disclosure tracks
• Notify and convene Incident Response Team
• Notify cyber insurance carrier
• Engage forensics to mitigate continued harm, gather
evidence, and investigate
• Assess scope and nature of data compromised
• Preliminarily determine legal obligations
• Determine whether to notify law enforcement
• Begin preparing public relations message
• Engage notification / credit services vendor
• Notify affected business partners
• Investigate whether data has been “breached”
• Determine when notification “clock” started
• Remediate and protect against future breaches
• Confirm notification / remediation obligations
• Determine proper remediation services
• Obtain contact information for notifications
• Prepare notification letters, frequently asked questions,
and call centers
• Plan and time notification “drop”
• Implement public relations strategy
• Administrative reporting (i.e., FTC, HHS, SEC & AGs)
• Implement Cybersecurity Risk Management Program
33. • There is no such thing as being “cyber secure.” Until
we fix human nature, bad people will do bad things
and cyber will be a weapon of choice until something
more efficient comes along.
• Just as hackers will continue to evolve in their
objectives and tactics, companies must evolve in how
they protect against them.
• Our goal is to have effective and defensible
cybersecurity that is reasonable—that is, that is
tailored to address the unique risks of the company
and appropriate based on the company’s resources.
Cyber Risk
Management
Program
Recover & Identify:
Reassess, Refine &
Mature
“Water shapes its course according to the nature of the
ground over which it flows; the soldier works out his
victory in relation to the foe whom he is facing.”
−Sun Tsu
34. “You don’t drown by
falling in the water;
You drown by staying
there.” – Edwin Louis Cole
35. • Board of Directors & General Counsel, Cyber Future Foundation
• Board of Advisors, NorthTexas Cyber Forensics Lab
• PolicyCouncil, NationalTechnology Security Coalition
• CybersecurityTask Force, IntelligentTransportationSociety of America
• Practitioner Editor, Bloomberg BNA –Texas Cybersecurity & Data Privacy Law
• Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016)
• SuperLawyersTop 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-17
• Best Lawyers in Dallas 2014-17, D Magazine (Cybersecurity Law)
• Council,Computer &Technology Section, State Bar ofTexas
• Privacy and Data Security Committee of the State Bar ofTexas
• College of the State Bar ofTexas
• Board of Directors, CollinCounty Bench Bar Conference
• Past Chair,Civil Litigation &Appellate Section, CollinCounty Bar Association
• Information Security Committee of the Section on Science &Technology
Committee of the American BarAssociation
• NorthTexas Crime Commission,Cybercrime Committee & Infragard (FBI)
• InternationalAssociation of Privacy Professionals (IAPP)
ShawnTuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com