CYBERSECURITY
James Goepel
CEO and General Counsel
Fathom Cyber, LLC
Recent Legislative and Regulatory Reactions

Data Privacy:
• EU’s General Data Protection Regulation (“GDPR”)
• Canada’s PIPEDA
• California’s AB 375 (“CCPA”)
• Every state’s unique data breach notification laws

Cybersecurity:
• California AB 327
• Colorado HB 18-1128
• Connecticut cybersecurity action plan
• New York State Department of Financial Services Rule 500
• SEC Cybersecurity Guidance
• USA National Cybersecurity Strategy
• Chile’s National
General:
• California Consumer Privacy Act
• General Data Protection Regulation
• Massachusetts Cybersecurity Law
• Securities and Exchange Commission

Industry-specific:
• South Carolina and Ohio recently adopted modified versions of the NAIC model cybersecurity law, which is based on New York State’s 23 NYCRR 500.
• Lost corporate intellectual property
• Lost partner intellectual property
• Disclosure of pending deals
Ultimate goal: Defensibility

Demonstrate to regulators, shareholders, and a jury that you were doing the right thing.

This requires not merely a written plan, but a plan that is well architected and that addresses the appropriate topics.
This Includes Required Legal Duties
How do you prove your plan is comprehensive and reasonable?
Cybersecurity is more than just Technology Implementation
What best practice should

1. General strategic frameworks (e.g., NIST CSF)
2. Industry-specific frameworks (e.g., HITRUST for healthcare) and requirements (e.g., Payment Card Industry)
3. Operational/implementation best practices (e.g., CIS Top 20 Controls)
The Federal Government Uses NIST CSF

It is hard to argue that the NIST CSF isn’t appropriate for your organization. The harder argument is why you didn’t use it.
“But my organization’s executives think technology is confusing. They will never get involved!”
They don’t
Seriously? Jail time?

The SEC’s recent cybersecurity guidance casts as suspect any trades made while there are unreported cybersecurity/privacy issues. Acting improperly can have significant consequences, including jail.

NAIC model law, 23 NYCRR 500, and other regulations require senior management to attest to their involvement in cybersecurity.
We can make it easier for the executives

• Integrate cybersecurity and data privacy into the organization’s risk management processes.
• Position IT issues from a business perspective (e.g., customer impact, business delivery/operations impact, employee safety, etc.).
• Use industry standards for consistency.
• Standardize the way information is presented (e.g., scores of 1-10, 1-100, etc.).
• Hold special, executives-only education sessions.
Topics for today:
• Walk-through of how Facebook’s privacy policy has changed over the past 5 years
• GRU modifications to BadRabbit to work against ICS targets
“The 25 amp P-channel MOSFET on the analog to digital conversion board is shorting out, causing a feedback loop.”
Focus on:
Example Business Risks/Impacts
Bottom-line Impacts

• The average cost of a lost or stolen record in the U.S. is $258.[1]
• The average data breach costs U.S. companies $7.91 million.[1]
• 60% of small- and mid-size companies are out of business within 6 months of a data breach.[2]

1. Ponemon Institute, 2018 Cost of a Data Breach Study: Global Overview, Ponemon Institute and IBM Security, https://www.ibm.com/security/data-breach.
2. Testimony of Dr. Jane LeClair, Chief Operating Officer, National Cybersecurity Institute at Excelsior College, before the U.S. House of Representatives Committee on Small Business (Apr. 22, 2015), available at http://docs.house.gov/meetings/SM/SM00/20150422/103276/HHRG-114-SM00-20150422-SD003-U4.pdf. Although Dr. LeClair does not provide a citation for this statistic, it appears to come from a 2012 study by the National Cyber Security Alliance, which found that 60 percent of small firms go out of business within six months of a data breach. National Cyber Security Alliance, America’s Small Businesses Must Take Online Security More Seriously (Oct. 2012), available at www.staysafeonline.org/stay-safe-online/resources/small-business-online-security-infographic.
Five no/low-cost ways to reduce bottom-line impact

01. Create an incident response team: $14[1]
02. Extensively use encryption: $13.1[1]
03. Increase employee awareness: $9.3[1]
04. Participate in threat sharing: $8.7[1]
05. Board-level involvement: $6.5[1]
Why don’t CISOs last longer?

• They are actively recruited away.
• They get frustrated with management and leave.
• Their employer is breached and they are blamed.
Demonstrates that you not only had a plan, but were acting on it
Defensible cybersecurity requires prioritization

• Use industry standards (e.g., NIST Cybersecurity Framework and Center for Internet Security Top 20 Controls) to create policies and procedures.
• Document everything: executive-level actions, day-to-day cyber hygiene tasks, and everything in between.
• Enforce the rules.
Mitchell Martin Technology Division