
Hot Topics in the Financial Industry: Cybersecurity



Presentation on theme: "Hot Topics in the Financial Industry: Cybersecurity"— Presentation transcript:

1 Hot Topics in the Financial Industry: Cybersecurity
Panelists:
- Douglas W. Henkin, Partner, Baker Botts L.L.P.
- Maneesha Mithal, Associate Director, U.S. Federal Trade Commission, Division of Privacy and Identity Protection
- David M. Ross, Assistant General Counsel, MetLife

2 Cybersecurity Background
Cybersecurity is the ability to maintain control over information technology systems so that there is (i) no unintended access to or interference with those systems and (ii) no unintended exfiltration of data from those systems.

3 Significance and Types of Cybersecurity Issues
Hacking and data breaches are increasing, as are the methods hackers use. Always assume someone smarter than you is attacking, or trying to attack, your systems.
- Intentional malfeasance
- Cyberwarfare (i.e., kinetic attacks)
- Criminal activity (theft of data or IP, ransomware)
- Fun (joyriding kids who learn hacking from the Internet)
- Accidents
- Rogue employees/ex-employees

4 What Data Is at Risk?
- Customer information (i.e., account-related information)
- Employee information
- Vendor information
- Intellectual property
- Other confidential information

5 What Systems Are at Risk?
- Customer-facing systems
- HR systems
- Third-party provided systems
- Finance systems
- Large-scale process control/industrial systems

6 State of the Law: US Federal Law
- Existing statutes (HIPAA, G-L-B, FTC Act)
- Executive Order (February 9, 2016) establishing the Commission on Enhancing National Cybersecurity within the Department of Commerce to “make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices …”

7 State of the Law: US State Law (mostly focuses on PII and breach notification)
- State privacy laws and insurance laws
- Contract law
- Case law
- Self-regulatory approaches (i.e., Payment Card Industry)

8 State of the Law: Rest of the World
- EU model: focuses on data transfer restrictions
- Changing EU model:
  - Privacy Shield
  - New Data Protection Regulation (GDPR)
  - New cyber statute
- Other rest-of-world concerns (i.e., how to integrate systems that need to communicate across jurisdictions)

9 MINIMIZING RISK: BEST PRACTICES
Corporate Governance
- Have regular discussions of data privacy, integrity, and security at board meetings, led by the GC, CIO, CTO, or other responsible party.
- If you don’t already, consider having a Chief Information Security Officer, whose only job is to address these sorts of issues and make sure the company is doing as much as it possibly can to avoid breaches.
- Consider delegating responsibility for these issues to a board committee as well.
- Periodically test the company’s systems and standards, pay attention to what the tests reveal, and document what’s done to fix any identified issues (or why they don’t need to be fixed). At least some of the testing should be done by outside entities that specialize in penetration testing.
- Establish a team, with counsel involved, to function as a response team to investigate and respond to any incursion or breach.

10 IT Security Policies and Procedures
- Frameworks (NIST, COBIT, etc.)
- Training and evaluation policies (including, when necessary, restricting access for employees who don’t complete training or learn what’s taught)
- Travel policies (i.e., restrictions on what devices can be taken to certain countries and how devices can be used when the traveler returns)
- Risk-based and technology-based approaches compared

11 Information Sharing
Government/Private Sector
- February 2016 Executive Order establishing the cybersecurity commission
- InfraGard (
- DHS
Private Sector/Private Sector
- Industry-specific information sharing and analysis groups (i.e., FS-ISAC —

12 Playbook
Create the Program
- Create governance structure
- Identify assets to be protected
- Conduct risk assessment
- Identify and select controls
- Test and implement controls
- Use technology to enhance controls, where appropriate
- Implement incident response program
- Build Business Continuity/Disaster Recovery (BC/DR) program
- Integrate physical security
- Create metrics to measure program effectiveness
Train and Test
- Training and awareness
- Require contractors and vendors to implement adequate security
- Periodically test incident response and BC/DR
- Periodically test controls
- Periodically review the ESP and make necessary adjustments
- Use metrics to measure effectiveness
Actively Monitor
- Actively monitor and adapt security controls and practices
- Use metrics to measure effectiveness

13 Exercises
Testing your systems and training must be consistent and documented.
- Tabletop exercises
- System and employee testing
- Reporting and follow-up to address issues

14 Contracts: Scrub Your Most Important Contracts
- Do your agreements with your customers have strong and enforceable venue, choice of law, and limitation of liability provisions?
- Do your agreements with your business counterparties contain the best indemnification and allocation of risks and responsibilities? Do they establish best practices as between you and your counterparties?
- Do you audit your vendors’ and counterparties’ compliance with your contracts and best practices, and document those audits? For example, a breach at one of your vendors could enable a hacker to get information needed to attack your systems, or even attack your systems through that vendor’s systems.

15 Insurance
- Consider discussing with your company’s insurance broker and counsel whether your existing insurance (including commercial crime policies) covers cyber risks; don’t assume a CGL policy covers cyber risks.
- Cyber-specific coverage is available: more than 50 underwriters in the US and London insure risks like these, and it’s important to have a broker who understands the markets and what is available.
- This type of insurance can be written to cover not only third-party liability claims, but also first-party losses (such as business interruption and extortion threats) as well as the often large (and unanticipated) crisis management fees and expenses.
- All else being equal, the more you follow best practices, the less cyber-specific insurance will cost.

16 Questions?

