CYBER SECURITY & ITS IMPACT ON FINANCIAL STATEMENTS AUDITS
BOB WAGNER
TUESDAY, NOVEMBER 10, 2015
FLORIDA SCHOOL FINANCE OFFICERS ASSOCIATION CONFERENCE

Presentation transcript:

CORPORATE BOARDS RACE TO SHORE UP CYBERSECURITY Wall Street Journal June 29, 2014

CHINA’S HACKERS ACCUSED OF A SPYING CAMPAIGN Wall Street Journal April 13, 2015

WSJ, 2015

WHO IS THIS GUY?
- CTO for Tupperware Brands, past 14 years
- Previous technology consultant for Ernst & Young
- Developed cyber security program for Tupperware Brands
- SOX & audit compliance experience
- MBA, UCF

WHY SHOULD WE CARE ABOUT CYBER SECURITY?
- Financial impact depends on many factors
  - Target payload compromised (e.g. credit cards or social security numbers)
  - Length of intrusion and theft
  - Intent of hackers
    - Disruption or destruction
    - Political
    - Environmental
    - Anonymous
- Because a CS breach can impact your financial statements

WHY SHOULD WE CARE ABOUT CYBER SECURITY?
- Ransomware
  - Direct dollar impact
  - How much & how often

IMPACT OF THE CYBER SECURITY BREACH
- For some companies, it could be a going out of business situation
- Significant dollar expenditures to remedy situation
- Loss of client confidence
- Legal fees & lawsuits
- Media humiliation
- Employee attrition

WHAT CAN YOU DO TO GET STARTED?
Begin with the basics
- Keep up with software patches
- Close your online doors (within reason)
- Encrypt data when it makes sense
  - Cost
  - Speed
- Consider new password methods
  - Fingerprints
  - Change password policy; 10 vs 5
- Evaluate third-party vendor access
  - Target hit through heating/AC vendor equipment
- ISO family of standards to help secure data
  - Includes people, processes, and IT systems
Source: WSJ

FRAMEWORK FOR IMPROVING CYBER SECURITY
National Institute of Standards and Technology (NIST)
5 Core Functions
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

IMPACT OF A CYBER SECURITY BREACH
Two main areas of CS oversight
- Risk Management
  - Security is not just an IT issue
  - Senior Management needs to drive the effort
  - CS is one element of overall company risk
  - Don’t fret about the technical aspects!
  - Cyber liability insurance
  - Employee security education

IMPACT OF A CYBER SECURITY BREACH
- Response Management or Crisis Management
  - Who wants to talk to the Channel 9 reporter?
  - Who put us in “the Cloud”?
  - Response Team (C-level, legal, IT, HR, PR)
  - Have a documented Response Plan

SUMMARY
- In short, this is a nightmare in your future
- You could spend millions and still not be 100% protected
- This is the new “Cost of doing Business”
- A breach could significantly damage the financial health of any company
- Recommendation is to take steps NOW to show due diligence in this area

AUDIT & BUSINESS RISK OF IT
BOB WAGNER
TUESDAY, NOVEMBER 10, 2015
FLORIDA SCHOOL FINANCE OFFICERS ASSOCIATION CONFERENCE

AUDIT & BUSINESS RISK OF IT
- Our business depends on technology working every day
- Technology is growing more complicated
  - More devices attached
  - “Internet of Everything”
  - Millions of lines of code
- Internal associates and clients are increasingly demanding
  - Access from any place, any time, any device
- This all adds to risk: lots of moving parts
- IT holds the keys to the kingdom
  - Heavily dependent on a strong IT team to keep business going
  - Risk element of IT employee who goes bad
  - Risk of outsourcing

AUDIT & BUSINESS RISK OF IT
- If is down business is down
  - If clients can’t place orders the cash cycle stops
  - If distribution software is slow trucks are backed up at dock
  - If the local server is down
    - We cannot deliver the promised proposal to clients
- So… OUR BUSINESS CAN NEVER BE DOWN!

HOW TO MITIGATE RISK?
- Senior Management involvement and understanding; not just an IT function
  - What level of engagement do they have?
  - This is the red flag you are looking for
- Each company should have an overall risk assessment
  - IT can be one of the larger risks (both business & audit)
- Review IT policies
  - Look for lax policies or no policies
  - Each company should have a risk team that sets policies
- Segregation of duties is huge, but many companies are too small, so…
  - One IT person can cause lots of problems

HOW TO MITIGATE RISK?
- Companies are trying to do too many IT things at the same time
  - The business can’t digest all of it
  - Money is wasted on failed projects
- IT is typically not the stumbling block
  - Even if business folks think they are
- Consideration should be given to forming an IT Steering Committee
  - Made up of mostly business executives & the top IT person
- Look for regular meetings
  - Monthly or quarterly
  - Minutes taken with decisions reached
  - Do they communicate the decisions?
- In short, companies need to ensure the processes are in place to mitigate IT business risk