Spence Hoole Cyber Panel Presentation 2015 Summit


THE CYBER SECURITY PLAYBOOK FOR EXECUTIVE OFFICERS AND BOARDS

December 3, 2015

Panel Members: Spencer Hoole, Jennifer Archie, Jeff Sanchez, Lauri Floresca


Difference Between a Data Breach & a Security Incident?

‣ Data breaches are a serious type of security incident that involves the release of personally sensitive, protected and/or confidential data, such as social security numbers, PCI data and personal health records.

‣ There are other types of security incidents, such as impersonation, denial of service and website defacement that don’t involve the theft of sensitive personal data and are very different in the eyes of the law and for purposes of regulatory compliance.

‣ Organizations are not required to report many security incidents, but they are required by law to follow particular procedures in the case of data breaches.


Most Recent Data Breaches

The Kill Chain is the high-level framework that advanced threat actors employ in their efforts to compromise the target.

Profile of Current Threat


Kill Chain stages (as shown on the slide):

Reconnaissance

Development

Weaponization

Delivery

Exploitation

Installation

Command & Control

Actions on Objective

Ponemon Institute, 2015 Cost of Data Breach Study


© 2015 Protiviti Inc. CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party.

SUMMIT 2015: PREVENTING A DATA BREACH

JEFFREY SANCHEZ


CORRELATION BETWEEN DIRECTOR INVOLVEMENT AND GOOD SECURITY

[Chart: confidence ratings with director involvement vs. without director involvement, in three areas: monitor, detect & escalate potential security incident; prevent targeted external attack; prevent breach by a company insider. Values shown on the slide: 8.0, 7.8, 7.7 and 6.5, 6.4, 6.1. Scale: 1-10, where 10 = high confidence and 1 = low confidence.]


SECURITY STANDARDS

INFORMATION SECURITY STANDARDS

[Diagram labels: Follow, Pick, Measure]

NIST CSF structure: Functions, Categories, Subcategories, Informative References. The five Functions:

IDENTIFY

PROTECT

DETECT

RESPOND

RECOVER

SANS Top 20:

• Inventory of Authorized and Unauthorized Devices

• Inventory of Authorized and Unauthorized Software

• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

• Continuous Vulnerability Assessment and Remediation

• Controlled Use of Administrative Privileges

• Maintenance, Monitoring, and Analysis of Audit Logs

• Email and Web Browser Protections

• Malware Defenses

• Limitation and Control of Network Ports, Protocols, and Services

• Data Recovery Capability

• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

• Boundary Defense

• Data Protection

• Controlled Access Based on the Need to Know

• Wireless Access Control

• Account Monitoring and Control

• Security Skills Assessment and Appropriate Training to Fill Gaps

• Application Software Security

• Incident Response and Management

• Penetration Tests and Red Team Exercises

ISO 27000 MODEL

BUSINESS CONTINUITY MANAGEMENT SYSTEM

PLAN

DO

CHECK

ACT


PHISHING


VERIFICATION


IS YOUR SECURITY AS GOOD AS YOU THINK? MOST OF THE TIME IT ISN’T.

Insurance Services | Risk Management | Employee Benefits

An Assurex Global & IBN Partner. CA License 0329598, CO License 448197, OR License 0100167994

Summit 2015: Cyber Insurance

Lauri Floresca

December 3, 2015

www.wsandco.com

The information contained herein is proprietary & confidential and not to be distributed without the consent of Woodruff-Sawyer & Co.

Why you need Cyber Liability Insurance


Components of a Cyber Policy


First-Party v. Third-Party Coverage


What is Typically Not Covered


Cyber/E&O Limit Decision Factors


Models Provide Insight, but Many Variables to Consider


Cyber is a Board-Level Concern

In October 2011, the SEC published guidance for companies that suggested issuers should consider

• the “probability of cyber incidents occurring”

• “the quantitative and qualitative magnitude of those risks”

• that appropriate disclosure may include a “description of relevant insurance coverage.”

Significant Data Breaches Can Lead to D&O Issues

Company | Cyber Event | D&O Matter | Status
ChoicePoint | (2005) 500,000 PII exposed via a data warehouser. | (2005) Class Action | (2008) Settled $10M
TJX | (2006-2007) 45M+ customer credit card data and other PII hacked; cost $171M. | (2007) Books & Records; (2007) Derivative Suit (breach of fiduciary duty) | (2010) Settled $595K plaintiffs' fee award & therapeutics
Heartland Payment | (2009) 130M cards at payment processor; cost $140M. | (2009) Class Action | (2009) Dismissed
Target | (2013) 70M+ credit/debit cards breach at POS system; estimated cost over $1 billion. | (Jan 2014) Derivative Suit (breach of fiduciary duty) | Pending
Wyndham | (2008-2010) Three breaches; 619,000 customers impacted. | (Feb 2014) Derivative Suit (breach of fiduciary duty) | (Oct 2014) Dismissed
Home Depot | (2014) 56M+ credit/debit cards breach at POS system. | (June 2015) Books & Records; (August 2015) Derivative Suit (breach of fiduciary duty) | Pending

© Woodruff-Sawyer & Co., 2014. All rights reserved.

Woodruff-Sawyer & Co., 50 California Street, Floor 12, San Francisco, CA 94111

www.wsandco.com
