DEFENSIBLE CYBERSECURITY

James Goepel
CEO and General Counsel
Fathom Cyber, LLC

© 2019 Fathom Cyber


Latest News

• Marriott Breach – 500,000,000 records, including 5,250,000 unencrypted passport numbers and another 20,300,000 encrypted passport numbers
• Collection 1 – more than 1 billion unique E-mail addresses and passwords have been released, purportedly from multiple breaches and services, including 2,000 databases
Recent Legislative and Regulatory Reactions

Data Privacy
• EU’s General Data Protection Regulation (“GDPR”)
• Canada’s PIPEDA
• California’s AB 375 (“CCPA”)
• Every state’s unique data breach notification laws

Cybersecurity
• California AB 327
• Colorado HB 18-1128
• Connecticut cybersecurity action plan
• New York State Department of Financial Services Rule 500
• SEC Cybersecurity Guidance
• USA National Cybersecurity Strategy
• Chile’s National
Legal Obligations are Constantly Evolving

General
• California Consumer Privacy Act
• General Data Protection Regulation
• Massachusetts Cybersecurity Law
• Securities and Exchange Commission

Industry-specific
• South Carolina and Ohio recently adopted modified versions of NAIC model cybersecurity law, which is based on New York State’s 23 NYCRR 500.
Consistent Vagueness

Typically Focused on Protecting Consumers and PII
Cybersecurity Incidents can Impact more than Personal Information

• LOST CORPORATE INTELLECTUAL PROPERTY
• LOST PARTNER INTELLECTUAL PROPERTY
• DISCLOSURE OF PENDING DEALS
Ultimate goal: Defensibility

Demonstrate to regulators, shareholders, and a jury that you were doing the right thing.

This requires not merely a written plan, but a plan that is well architected and that addresses the appropriate topics.
This Includes Required Legal Duties

Duty to disclose
* This typically focuses on privacy violations.
* Exceptions: Securities and Exchange Commission, New York State Department of Financial Services.

Duty to attest
* This doesn’t happen often (so far).
* Typically only in specific, consumer risk industries (e.g., banking, insurance, healthcare).

Duty to protect
* Frequently vague (“reasonable cybersecurity plan”, “comprehensive cybersecurity plan”, etc.).
* Occasionally a few technology requirements/recommendations.
How do you prove your plan is comprehensive and reasonable?

Use industry standards and best practices.
Cybersecurity is more than just Technology Implementation
What best practice should you use?

1. General strategic frameworks (e.g., NIST CSF)
2. Industry-specific frameworks (e.g., HITRUST for healthcare) and requirements (e.g., Payment Card Industry (“PCI”) for those processing payment card data)
3. Operational/implementation best practices (e.g., CIS Top 20 Controls)
The Federal Government Uses NIST CSF

It is hard to argue that the NIST CSF isn’t appropriate for your organization. The harder argument is why you didn’t use it.
“But my organization’s executives think technology is confusing. They will never get involved!”
They don’t have a choice.

• The SEC’s recent cybersecurity guidance casts as suspect any trades made while there are unreported cybersecurity/privacy issues. Acting improperly can have significant consequences, including jail.
• NAIC model law, 23 NYCRR 500, and other regulations require senior management to attest to their involvement in cybersecurity.
• Proxy firms are pushing for removal of board members who resist (see, e.g., Target and Equifax).
• Investors know that 60% of small and medium businesses are out of business within 6 months of a data breach, and that incidents can have long-lasting impacts on the bottom-lines of large companies for many years. They are no longer tolerating executive inaction.
• Boards are removing executive staff for not protecting the company (including Yahoo!’s General Counsel).
Seriously? Jail time?

Recent SEC guidance says that cybersecurity and data privacy issues can have material impacts on share price, and withholding such information could be seen as defrauding investors.
• Fraud can rise to the level of criminal activity and is punishable by jail time.

The SEC’s guidance also suggests that insider trades conducted after an incident occurs but before it is publicly reported are suspect as insider trades.
• Insider trading can result in criminal charges and is punishable by up to 20 years in prison.
We can make it easier for the executives

• Integrate cybersecurity and data privacy into the organization’s risk management processes.
• Position IT issues from a business perspective (e.g., customer impact, business delivery/operations impact, employee safety, etc.).
• Use industry standards for consistency.
• Standardize the way information is presented (e.g., scores of 1-10, 1-100, etc.).
• Hold special, executives-only education sessions.
Topics for today:

• Walk-through of how Facebook’s privacy policy has changed over the past 5 years
• GRU modifications to BadRabbit to work against ICS targets
• New key sharing techniques in WPA3
• How to grab session keys to capture PII from Google+
“The 25 amp P-channel MOSFET on the analog to digital conversion board is shorting out, causing a feedback loop.”

“One of the transistors in the stereo system is shot. The part is $0.50, and it’s about an hour for me to fix it.”

“The check engine light is on because the car sensed that there was trouble in an electronic switch. If the switch fails, the car may stall on the highway. The total repair cost will be $230.”
Focus on:

• BUSINESS RISK
• COST/RESOURCES
• TIME
• ALTERNATIVES
Example Business Risks/Impacts

• LOST SHAREHOLDER VALUE
• LOST COMPETITIVE ADVANTAGES
• LOST INTELLECTUAL PROPERTY INVESTMENTS
• LOST CUSTOMER CONFIDENCE/REPUTATION
• MASSIVE FINES
• BUSINESS INTERRUPTION
• EXECUTIVES CAN GO TO JAIL
Bottom-line Impacts

• The average cost of a lost or stolen record in the U.S. is $258. [1]
• The average data breach costs U.S. companies $7.91 million. [1]
• 60% of small- and mid-size companies are out of business within 6 months of a data breach. [2]

1. Ponemon Institute, 2018 Cost of a Data Breach Study: Global Overview, Ponemon Institute, IBM Security, https://www.ibm.com/security/data-breach.
2. Testimony of Dr. Jane LeClair, Chief Operating Officer, National Cybersecurity Institute at Excelsior College, before the U.S. House of Representatives Committee on Small Business (Apr. 22, 2015), available at http://docs.house.gov/meetings/SM/SM00/20150422/103276/HHRG-114-SM00-20150422-SD003-U4.pdf. Although Dr. LeClair does not provide a citation for this statistic, it appears to come from a 2012 study by the National Cyber Security Alliance, which found that 60 percent of small firms go out of business within six months of a data breach. National Cyber Security Alliance, America’s Small Businesses Must Take Online Security More Seriously (Oct. 2012), available at www.staysafeonline.org/stay-safe-online/resources/small-business-online-security-infographic.
Five no/low-cost ways to reduce bottom-line impact

01 Create an incident response team - $14 [1]
02 Extensively use encryption - $13.1 [1]
03 Increase employee awareness - $9.3 [1]
04 Participate in threat sharing - $8.7 [1]
05 Board-level involvement - $6.5 [1]

$52.20 per record: a 20% savings
Average CISO Tenure is 18-24 months
Why don’t CISOs last longer?

• THEY ARE ACTIVELY RECRUITED AWAY
• THEY GET FRUSTRATED WITH MANAGEMENT AND LEAVE
• THEIR EMPLOYER IS BREACHED AND THEY ARE BLAMED
Adding Governance and Oversight

• Demonstrates that you not only had a plan, but were acting on it
• Documents decisions made
• May show flawed thinking, but helps refute negligence
Cybersecurity and data privacy are business issues, and the planning team needs to include more than just technology people

• Human Resources
• Legal
• Accounting
• Information Technology
• Internal Audit
• Engineering/Development
Defensible cybersecurity requires prioritization of privacy and security.

• Use industry standards (e.g., NIST Cybersecurity Framework and Center for Internet Security Top 20 Controls) to create policies and procedures.
• Document everything. Executive-level actions, day-to-day cyber hygiene tasks, and everything in between.
• Enforce the rules.
• Make cybersecurity and data privacy part of the organization’s culture (e.g., privacy by design and security by design).
• Management/executives need to be actively involved in cybersecurity and data privacy planning and decisions, not simply passively receiving data.
Mitchell Martin Technology Division

• Mitchell Martin, Inc. (MMI) is a leader in Talent Acquisition Solutions, providing information technology staffing, healthcare staffing and payroll solutions nationwide
• We operate a specialized niche practice in cybersecurity with a focused pipeline of top candidates
• Founded in 1984, we now serve clients in 34 states across eight regional offices
• US Office Locations in NY, NJ, PA, NC, TX, IL, FL, GA and offshore locations in India and the Philippines
• Consistently ranked in the Top 100 Largest Staffing Firms in U.S. by Staffing Industry Analysts

Corporate Headquarters
307 West 38th Street
Suite 1305
New York, NY 10018
Phone: 212-943-1404
Fax: 646-355-0229