Spencer Fane LLP | spencerfane.com
Cybersecurity: Cyber Risk
Management for Banks &
Financial Institutions
Texas Association of Bank Counsel
42nd Annual Convention
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP | @spencerfane
spencerfane.com | @shawnetuma
The Problem for Law Firms
• Cybersecurity and privacy are issues that most
attorneys would prefer to ignore but are uniquely
obligated to address.
• Cybersecurity and privacy impact all lawyers and
law firms alike.
• Clients demanding adequate security (firms are
their third-party risk).
• Law firms are an increasingly popular target.
– Value and sensitivity of data.
– Data for multiple clients.
The Ethics for Law Firms
“A lawyer should preserve the confidences
and secrets of a client.”
• Ethics Opinion 384 (Sept. 1975)
• Canon No. 4, Code of Professional
Responsibility
• Disciplinary Rule (DR) 4-101 (A) and (B)
• New duty of “technical competence” for lawyers
Cybersecurity is no longer just an IT
issue—it is an overall business risk issue.
“Security and IT protect companies’ data;
Legal protects companies from their data.”
Laws & Regulations
Types
• Security
• Privacy
• Unauthorized access
International laws
• GDPR
• Privacy Shield
• China’s Cybersecurity Law
Federal laws and regulations
• FTC, SEC, HIPAA
State laws
• All 50 states
– Privacy + security (some)
• NYDFS (23 NYCRR Part 500), Colorado financial services cybersecurity rules, California Consumer Privacy Act (CCPA)
Industry groups
• PCI
• FINRA
Contracts
• Third-party business associate agreements
• Privacy / data security / cybersecurity addenda
Banks & financial institutions
• GLBA
• Dodd-Frank
• FFIEC (Federal Financial Institutions Examination Council)
Banks & Financial Institutions
2 Themes to Remember
• Cyber law is an expedition
• The “issues” usually aren’t really that new
The Real Threats
• 63% of confirmed breaches involved weak, default, or stolen passwords
• Data is lost far more often (over 100x) than it is stolen
• Phishing is the most common way malware gets installed
Easily Avoidable Incidents
91% in 2015
91% in 2016
93% in 2017
Cybersecurity Best Practices
• Risk assessment
• Policies and procedures focused
on cybersecurity
– Culture
– Social engineering, password, security
questions
• Train workforce on P&P, security
• Phish all workforce
• Multi-factor authentication
• Internal controls / access controls
to restrict unnecessary data risk
• Data retention policy
• Signature-based antivirus and
malware detection
• No outdated or unsupported
software
• Patch management process
• Backups segmented offline, cloud,
redundant
• Incident response plan
• Encrypt sensitive and air-gap
hypersensitive data
• Adequate logging and retention
• Third-party security risk
management program
• Firewall, intrusion detection and
prevention systems
• Managed services provider (MSP)
or managed security services
provider (MSSP)
• Cyber risk insurance
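The "adequate logging and retention" item above only pays off if someone actually reviews the logs for the failure mode the threats slide names: weak, default, or stolen passwords. As an added example that is not part of the presentation, here is a small Python review script over a constructed authentication log (the log format, usernames, addresses and thresholds are all hypothetical) that flags password spraying from one source across many accounts, a successful login from a spraying source, and a success that follows a burst of failures on a single account.

```python
"""Added example (not from the presentation): review an authentication log for the
credential-abuse patterns behind breaches from weak, default, or stolen passwords.
The log format is a constructed, generic one:
    "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines; every user and address is hypothetical.
# One source sprays five accounts and lands on "erin"; another hammers "bob" until it gets in;
# "frank" is a single typo followed by a normal login; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL user=alice src=203.0.113.7
2024-05-01T09:00:02Z FAIL user=bob src=203.0.113.7
2024-05-01T09:00:03Z FAIL user=carol src=203.0.113.7
2024-05-01T09:00:04Z FAIL user=dave src=203.0.113.7
2024-05-01T09:00:05Z FAIL user=erin src=203.0.113.7
2024-05-01T09:00:06Z OK user=erin src=203.0.113.7
2024-05-01T09:10:00Z FAIL user=frank src=198.51.100.9
2024-05-01T09:10:30Z OK user=frank src=198.51.100.9
2024-05-01T11:00:00Z FAIL user=bob src=198.51.100.23
2024-05-01T11:00:10Z FAIL user=bob src=198.51.100.23
2024-05-01T11:00:20Z FAIL user=bob src=198.51.100.23
2024-05-01T11:00:30Z FAIL user=bob src=198.51.100.23
2024-05-01T11:00:40Z OK user=bob src=198.51.100.23
this line is malformed and must be skipped, not crash the review
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_auth_log(text):
    """Parse log lines into events sorted by time. Malformed lines are skipped:
    a review script that dies on one bad record reviews nothing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m.group(2) == "OK",
            "user": m.group(3),
            "src": m.group(4),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_password_spray(events, window=timedelta(minutes=5), min_users=4):
    """Sources that fail against many *distinct* accounts inside one window: the
    signature of trying a few common or default passwords across the user base.
    Returns {source: sorted list of targeted users}. Thresholds are assumptions."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    hits = {}
    for src, fails in fails_by_src.items():
        for i, first in enumerate(fails):  # slide a window starting at each failure
            users = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def find_spray_success(events, spray_hits):
    """Successful logins from a source already identified as spraying: the spray that landed."""
    return [(e["user"], e["src"]) for e in events if e["ok"] and e["src"] in spray_hits]


def find_brute_force_success(events, window=timedelta(minutes=5), min_fails=3):
    """Successful logins preceded by a burst of failures on the same account (any source).
    Returns [(user, source, failures_in_window)]. One or two failures are a typo, not an attack."""
    recent_fails = defaultdict(list)
    hits = []
    for e in events:  # events are time-sorted, so only earlier failures are seen here
        if not e["ok"]:
            recent_fails[e["user"]].append(e["ts"])
            continue
        n = sum(1 for t in recent_fails[e["user"]] if e["ts"] - t <= window)
        if n >= min_fails:
            hits.append((e["user"], e["src"], n))
    return hits


def review(log_text):
    """Run all three checks and return a summary a reviewer (or a ticket) can consume."""
    events = parse_auth_log(log_text)
    spray = find_password_spray(events)
    return {
        "events": len(events),
        "password_spray": spray,
        "spray_success": find_spray_success(events, spray),
        "brute_force_success": find_brute_force_success(events),
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample above the script reports one spraying source (203.0.113.7 against five accounts), one login that source achieved (erin), and one account (bob) taken after four failures in under a minute, while frank's single typo is ignored. Parsing and detection are split deliberately: the same three checks can be pointed at an exported log from any system once a line pattern for it is written, and the window and count thresholds should be tuned against the bank's own normal failure rate before anyone is paged on them.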
Canary in the Coal Mine
• What is your role?
• How does your bank
handle:
– P&P + Training
– MFA
– Phishing
– Backups
– IR Team + IRP
– Cyber Insurance
How mature is your bank’s cyber risk
management program?
“GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter
maintain, a comprehensive information security program that is reasonably designed to protect
the security, confidentiality, and integrity of personal information collected from or about
consumers.” In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
“We believe disclosures regarding a company’s cybersecurity risk management program and
how the board of directors engages with management on cybersecurity issues allow investors
to assess how a board of directors is discharging its risk oversight responsibility in this
increasingly important area.” SEC Statement and Guidance (Feb. 21, 2018)
“Institutions should maintain effective information security programs commensurate with their
operational complexities. Information security programs should have strong board and senior
management support, promote integration of security activities and controls throughout the
institution’s business processes, and establish clear accountability for carrying out security
responsibilities.” FFIEC Examination Handbook (Sept. 2016)
“Each Covered Entity shall maintain a cybersecurity program designed to protect the
confidentiality, integrity and availability of the Covered Entity’s Information Systems.” NYDFS
Cybersecurity Regulations § 500.02
“Taking into account the state of the art, the costs of implementation and the nature, scope,
context and purposes of processing as well as the risk of varying likelihood and severity for the
rights and freedoms of natural persons, the controller and the processor shall implement
appropriate technical and organizational measures to ensure a level of security appropriate to
the risk, including …” GDPR, Art. 32
What is reasonable cybersecurity?
• Too little – “just check the box”
• Too much – “boiling the ocean”
Cyber Risk Management Program Process
• Identify: Assess cyber risk
• Identify & Protect: Strategic planning
• Protect & Detect: Implement strategy & deploy assets
• Protect: Develop, implement & train on P&P
• Protect: Third-party risk
• Protect & Respond: Develop IR plan & tabletop
• Recover & Identify: Reassess, refine & mature
What should your bank’s cyber risk
management program look like?
• Based on a risk assessment [1,2,3,4,5,6]
• Implemented and maintained (i.e., maturing) [1,2,3,6]
• Fully documented in writing for both content and implementation [1,2,3,6]
• Comprehensive [1,2,3,4,5,6]
• Contain administrative, technical, and physical safeguards [1,2,3,6]
• Reasonably designed to protect against risks to network and data [1,2,3,4,5,6]
• Identify and assess internal and external risks [2,6]
• Use defensive infrastructure and policies and procedures to protect network and data [1,2,3,4,5,6]
• Workforce training [2,3,6]
• Detect events [2,6]
• Respond to events to mitigate negative impact [2,6]
• Recover from events to restore normalcy [2,6]
• Regularly review network activity such as audit logs, access reports, incident tracking reports [3,6]
• Assign responsibility for security to an individual [3,5,6]
• Address third-party risk [2,3,5,6]
• Certify compliance by Chair of Board or Senior Officer or Chief Privacy Officer [2]
1. In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
2. NYDFS Cybersecurity Regulations, 23 NYCRR § 500.02
3. HIPAA Security Management Process, 45 C.F.R. § 164.308(a)(1)(ii)
4. SEC Statement and Guidance (Feb. 21, 2018)
5. GDPR, Art. 32
6. FFIEC IT Examination Handbook
A few words about privilege
• Great sales pitch → the magic wand!
• Mature understanding → not so simple!
• Prepare by doing everything possible to ensure the applicability of
privileges but carry out the work as though there will be no privilege.
– Retain experienced cyber counsel to assess cyber risk, develop and lead
cyber risk management program.
– List role in engagement agreement.
– Develop communications protocol at the outset.
• i.e., “if it doesn’t need to be in writing …”
• Counsel must actively lead and stay engaged in the process.
• Counsel should hire, direct, and receive info from consultants.
• If an incident occurs, consider running multiple tracks:
– proactive risk management;
– normal business investigation;
– investigation in anticipation of litigation.
Without a magic wand, how does
cyber legal counsel help?
Cyber Insurance
Key considerations about cyber insurance:
• If you don’t know you have it, you don’t!
• Does your broker really “get” cyber?
• Is your coverage based on your risk?
• Was security/IT involved in procurement?
• Does your coverage include social engineering?
• Does your coverage include contractual liability?
• Do you have first-party and third-party coverage?
• Do you understand your sublimits?
• Can you choose your own counsel and vendors?
Practitioner Editor, Bloomberg BNA – Texas Cybersecurity &
Data Privacy Law
Board of Directors & General Counsel, Cyber Future Foundation
Board of Advisors, North Texas Cyber Forensics Lab
Policy Council, National Technology Security Coalition
Cybersecurity & Data Privacy Law Trailblazers, National Law
Journal
SuperLawyers - Top 100 Lawyers in Dallas (2016)
SuperLawyers (2015-18)
D Magazine - Best Lawyers in Dallas (2014-18)
Officer, Computer & Technology Section, State Bar of Texas
Privacy and Data Security Committee, State Bar of Texas
College of the State Bar of Texas
Board of Directors, Collin County Bench Bar Conference
Past Chair, Civil Litigation Section, Collin County Bar Association
North Texas Crime Commission, Cybercrime Committee
Infragard (FBI)
International Association of Privacy Professionals (IAPP)
Shawn E. Tuma
Spencer Fane LLP
Partner & Co-Chair,
Cybersecurity & Data
Privacy Practice
O 972.324.0317
M 214.726.2808
stuma@spencerfane.com
web: spencerfane.com
blog: shawnetuma.com
@shawnetuma

Más contenido relacionado

La actualidad más candente

How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
SlideTeam
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
SlideTeam
 
Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08
DallasHaselhorst
 

La actualidad más candente (20)

cybersecurity strategy planning in the banking sector
cybersecurity strategy planning in the banking sectorcybersecurity strategy planning in the banking sector
cybersecurity strategy planning in the banking sector
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationPrivacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program Implementation
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating Model
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
cyber security
cyber securitycyber security
cyber security
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Information security governance
Information security governanceInformation security governance
Information security governance
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
 
Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08
 
Cyber Security Maturity Assessment
 Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdf
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards Compliance
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
 
Risk Management Approach to Cyber Security
Risk Management  Approach to Cyber Security Risk Management  Approach to Cyber Security
Risk Management Approach to Cyber Security
 

Similar a Cybersecurity: Cyber Risk Management for Banks & Financial Institutions

IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 

Similar a Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (20)

Cybersecurity: Cyber Risk Management for Lawyers and Clients
Cybersecurity: Cyber Risk Management for Lawyers and ClientsCybersecurity: Cyber Risk Management for Lawyers and Clients
Cybersecurity: Cyber Risk Management for Lawyers and Clients
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should IncludeThe Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should Include
 
Effective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businessesEffective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businesses
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should IncludeThe Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should Include
 
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitThe Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
Real World Cyber Risk. Understand it. Manage it.
Real World Cyber Risk. Understand it. Manage it.Real World Cyber Risk. Understand it. Manage it.
Real World Cyber Risk. Understand it. Manage it.
 
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
 
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
 
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management Framework
 
Overcoming Hidden Risks in a Shared Security Model
Overcoming Hidden Risks in a Shared Security ModelOvercoming Hidden Risks in a Shared Security Model
Overcoming Hidden Risks in a Shared Security Model
 
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Why Your Organization Must Have a Cyber Risk Management Program and How to De...Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
 
Lawyers' Ethical Obligations for Cybersecurity
Lawyers' Ethical Obligations for CybersecurityLawyers' Ethical Obligations for Cybersecurity
Lawyers' Ethical Obligations for Cybersecurity
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
 

Más de Shawn Tuma

Más de Shawn Tuma (20)

Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
 
The Dark Side of Digital Engagement
The Dark Side of Digital EngagementThe Dark Side of Digital Engagement
The Dark Side of Digital Engagement
 
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
Incident Response Planning - Lifecycle of Responding to a Ransomware AttackIncident Response Planning - Lifecycle of Responding to a Ransomware Attack
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
 
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
The Role of Contracts in Privacy, Cybersecurity, and Data BreachThe Role of Contracts in Privacy, Cybersecurity, and Data Breach
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
 
Cyber Hygiene Checklist
Cyber Hygiene ChecklistCyber Hygiene Checklist
Cyber Hygiene Checklist
 
Cyber Incident Response Checklist
Cyber Incident Response ChecklistCyber Incident Response Checklist
Cyber Incident Response Checklist
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport  (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport  (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
 
Something is Phishy: Cyber Scams and How to Avoid Them
Something is Phishy: Cyber Scams and How to Avoid ThemSomething is Phishy: Cyber Scams and How to Avoid Them
Something is Phishy: Cyber Scams and How to Avoid Them
 
Cybersecurity Fundamentals for Legal Professionals (and every other business)
Cybersecurity Fundamentals for Legal Professionals (and every other business)Cybersecurity Fundamentals for Legal Professionals (and every other business)
Cybersecurity Fundamentals for Legal Professionals (and every other business)
 
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
 
Cybersecurity Update
Cybersecurity UpdateCybersecurity Update
Cybersecurity Update
 
"What Could Go Wrong?" - We're Glad You Asked!
"What Could Go Wrong?" - We're Glad You Asked!"What Could Go Wrong?" - We're Glad You Asked!
"What Could Go Wrong?" - We're Glad You Asked!
 
Cybersecurity: How to Protect Your Firm from a Cyber Attack
Cybersecurity: How to Protect Your Firm from a Cyber AttackCybersecurity: How to Protect Your Firm from a Cyber Attack
Cybersecurity: How to Protect Your Firm from a Cyber Attack
 
Recovering from a Cyber Attack
Recovering from a Cyber AttackRecovering from a Cyber Attack
Recovering from a Cyber Attack
 
Contracting for Better Cybersecurity
Contracting for Better CybersecurityContracting for Better Cybersecurity
Contracting for Better Cybersecurity
 
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
 
Cybersecurity Fundamentals for Legal Professionals
Cybersecurity Fundamentals for Legal ProfessionalsCybersecurity Fundamentals for Legal Professionals
Cybersecurity Fundamentals for Legal Professionals
 
The Essentials of Cyber Insurance: A Panel of Industry Experts
The Essentials of Cyber Insurance: A Panel of Industry ExpertsThe Essentials of Cyber Insurance: A Panel of Industry Experts
The Essentials of Cyber Insurance: A Panel of Industry Experts
 

Último

abortion pills in Jeddah Saudi Arabia (+919707899604)cytotec pills in Riyadh
abortion pills in Jeddah Saudi Arabia (+919707899604)cytotec pills in Riyadhabortion pills in Jeddah Saudi Arabia (+919707899604)cytotec pills in Riyadh
abortion pills in Jeddah Saudi Arabia (+919707899604)cytotec pills in Riyadh
samsungultra782445
 
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
hyt3577
 
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdfMASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
Cocity Enterprises
 

Último (20)

abortion pills in Jeddah Saudi Arabia (+919707899604)cytotec pills in Riyadh
abortion pills in Jeddah Saudi Arabia (+919707899604)cytotec pills in Riyadhabortion pills in Jeddah Saudi Arabia (+919707899604)cytotec pills in Riyadh
abortion pills in Jeddah Saudi Arabia (+919707899604)cytotec pills in Riyadh
 
Test bank for advanced assessment interpreting findings and formulating diffe...
Test bank for advanced assessment interpreting findings and formulating diffe...Test bank for advanced assessment interpreting findings and formulating diffe...
Test bank for advanced assessment interpreting findings and formulating diffe...
 
Bhubaneswar🌹Ravi Tailkes ❤CALL GIRLS 9777949614 💟 CALL GIRLS IN bhubaneswar ...
Bhubaneswar🌹Ravi Tailkes  ❤CALL GIRLS 9777949614 💟 CALL GIRLS IN bhubaneswar ...Bhubaneswar🌹Ravi Tailkes  ❤CALL GIRLS 9777949614 💟 CALL GIRLS IN bhubaneswar ...
Bhubaneswar🌹Ravi Tailkes ❤CALL GIRLS 9777949614 💟 CALL GIRLS IN bhubaneswar ...
 
Stock Market Brief Deck (Under Pressure).pdf
Stock Market Brief Deck (Under Pressure).pdfStock Market Brief Deck (Under Pressure).pdf
Stock Market Brief Deck (Under Pressure).pdf
 
Famous No1 Amil Baba Love marriage Astrologer Specialist Expert In Pakistan a...
Famous No1 Amil Baba Love marriage Astrologer Specialist Expert In Pakistan a...Famous No1 Amil Baba Love marriage Astrologer Specialist Expert In Pakistan a...
Famous No1 Amil Baba Love marriage Astrologer Specialist Expert In Pakistan a...
 
NO1 Verified Online Love Vashikaran Specialist Kala Jadu Expert Specialist In...
NO1 Verified Online Love Vashikaran Specialist Kala Jadu Expert Specialist In...NO1 Verified Online Love Vashikaran Specialist Kala Jadu Expert Specialist In...
NO1 Verified Online Love Vashikaran Specialist Kala Jadu Expert Specialist In...
 
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
 
In Sharjah ௵(+971)558539980 *_௵abortion pills now available.
In Sharjah ௵(+971)558539980 *_௵abortion pills now available.In Sharjah ௵(+971)558539980 *_௵abortion pills now available.
In Sharjah ௵(+971)558539980 *_௵abortion pills now available.
 
Q1 2024 Conference Call Presentation vF.pdf
Q1 2024 Conference Call Presentation vF.pdfQ1 2024 Conference Call Presentation vF.pdf
Q1 2024 Conference Call Presentation vF.pdf
 
7 tips trading Deriv Accumulator Options
7 tips trading Deriv Accumulator Options7 tips trading Deriv Accumulator Options
7 tips trading Deriv Accumulator Options
 
logistics industry development power point ppt.pdf
logistics industry development power point ppt.pdflogistics industry development power point ppt.pdf
logistics industry development power point ppt.pdf
 
Mahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Mahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsMahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Mahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
Pension dashboards forum 1 May 2024 (1).pdf
Pension dashboards forum 1 May 2024 (1).pdfPension dashboards forum 1 May 2024 (1).pdf
Pension dashboards forum 1 May 2024 (1).pdf
 
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdfMASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
 
Famous Kala Jadu, Kala ilam specialist in USA and Bangali Amil baba in Saudi ...
Famous Kala Jadu, Kala ilam specialist in USA and Bangali Amil baba in Saudi ...Famous Kala Jadu, Kala ilam specialist in USA and Bangali Amil baba in Saudi ...
Famous Kala Jadu, Kala ilam specialist in USA and Bangali Amil baba in Saudi ...
 
劳伦森大学毕业证
劳伦森大学毕业证劳伦森大学毕业证
劳伦森大学毕业证
 
Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...
Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...
Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...
 
Seeman_Fiintouch_LLP_Newsletter_May-2024.pdf
Seeman_Fiintouch_LLP_Newsletter_May-2024.pdfSeeman_Fiintouch_LLP_Newsletter_May-2024.pdf
Seeman_Fiintouch_LLP_Newsletter_May-2024.pdf
 
Shrambal_Distributors_Newsletter_May-2024.pdf
Shrambal_Distributors_Newsletter_May-2024.pdfShrambal_Distributors_Newsletter_May-2024.pdf
Shrambal_Distributors_Newsletter_May-2024.pdf
 
Technology industry / Finnish economic outlook
Technology industry / Finnish economic outlookTechnology industry / Finnish economic outlook
Technology industry / Finnish economic outlook
 

Cybersecurity: Cyber Risk Management for Banks & Financial Institutions

1. Spencer Fane LLP | spencerfane.com
   Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
   Texas Association of Bank Counsel, 42nd Annual Convention
   Shawn Tuma, Co-Chair, Cybersecurity & Data Privacy
   Spencer Fane LLP | @spencerfane
   spencerfane.com | @shawnetuma

2. The Problem for Law Firms
   • Cybersecurity and privacy are issues that most attorneys would prefer to ignore but are uniquely obligated to address.
   • Cybersecurity and privacy impact all lawyers and law firms alike.
   • Clients demanding adequate security (firms are their third-party risk).
   • Law firms are an increasingly popular target.
     – Value and sensitivity of data.
     – Data for multiple clients.

3. The Ethics for Law Firms
   “A lawyer should preserve the confidences and secrets of a client.”
   • Ethics Opinion 384 (Sept. 1975)
   • Canon No. 4, Code of Professional Responsibility
   • Disciplinary Rule (DR) 4-101 (A) and (B)
   • New duty of “technical competence” for lawyers

4. Cybersecurity is no longer just an IT issue—it is an overall business risk issue.

5. “Security and IT protect companies’ data; Legal protects companies from their data.”
7. Laws & Regulations
   Types
   • Security
   • Privacy
   • Unauthorized Access
   International Laws
   • GDPR
   • Privacy Shield
   • China’s Cybersecurity Law
   Federal Laws and Regs
   • FTC, SEC, HIPAA
   State Laws
   • All 50 States
     – Privacy + security (some)
   • NYDFS, Colo FinServ, CaCPA
   Industry Groups
   • PCI
   • FINRA
   Contracts
   • 3rd Party Bus. Assoc.
   • Privacy / Data Security / Cybersecurity Addendum
   Banks & Financial Institutions
   • GLBA
   • Dodd Frank
   • FFIEC (Federal Financial Institutions Examination Council)

8. Banks & Financial Institutions

9. 2 Themes to Remember
   • Cyber law is an expedition
   • The “issues” usually aren’t really that new

10. The Real Threats
   • 63% confirmed breaches from weak, default, or stolen passwords
   • Data is lost over 100x more than stolen
   • Phishing used most to install malware
   Easily Avoidable Incidents: 91% in 2015, 91% in 2016, 93% in 2017

11. Cybersecurity Best Practices
   • Risk assessment
   • Policies and procedures focused on cybersecurity
     – Culture
     – Social engineering, password, security questions
   • Train workforce on P&P, security
   • Phish all workforce
   • Multi-factor authentication
   • Internal controls / access controls to restrict unnecessary data risk
   • Data retention policy
   • Signature based antivirus and malware detection
   • No outdated or unsupported software
   • Patch management process
   • Backups segmented offline, cloud, redundant
   • Incident response plan
   • Encrypt sensitive and air-gap hypersensitive data
   • Adequate logging and retention
   • Third-party security risk management program
   • Firewall, intrusion detection and prevention systems
   • Managed services provider (MSP) or managed security services provider (MSSP)
   • Cyber risk insurance

12. Canary in the Coal Mine
   • What is your role?
   • How does your bank handle:
     – P&P + Training
     – MFA
     – Phishing
     – Backups
     – IR Team + IRP
     – Cyber Insurance
15. How mature is your bank’s cyber risk management program?
   “GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”
   – In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)

   “We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
   – SEC Statement and Guidance (Feb. 21, 2018)

   “Institutions should maintain effective information security programs commensurate with their operational complexities. Information security programs should have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.”
   – FFIEC Examination Handbook (Sept. 2016)

   “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”
   – NYDFS Cybersecurity Regulations § 500.02

   “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including …”
   – GDPR, Art. 32

16. What is reasonable cybersecurity?
   • Too little – “just check the box”
   • Too much – “boiling the ocean”

17. Cyber Risk Management Program Process
   • Identify: Assess Cyber Risk
   • Identify & Protect: Strategic Planning
   • Protect & Detect: Implement Strategy & Deploy Assets
   • Protect: Develop, Implement & Train on P&P
   • Protect: Third Party Risk
   • Protect & Respond: Develop IR Plan & Tabletop
   • Recover & Identify: Reassess, Refine & Mature

18. What should your bank’s cyber risk management program look like?
   • Based on a risk assessment [1,2,3,4,5,6]
   • Implemented and maintained (i.e., maturing) [1,2,3,6]
   • Fully documented in writing for both content and implementation [1,2,3,6]
   • Comprehensive [1,2,3,4,5,6]
   • Contain administrative, technical, and physical safeguards [1,2,3,6]
   • Reasonably designed to protect against risks to network and data [1,2,3,4,5,6]
   • Identify and assess internal and external risks [2,6]
   • Use defensive infrastructure and policies and procedures to protect network and data [1,2,3,4,5,6]
   • Workforce training [2,3,6]
   • Detect events [2,6]
   • Respond to events to mitigate negative impact [2,6]
   • Recover from events to restore normalcy [2,6]
   • Regularly review network activity such as audit logs, access reports, incident tracking reports [3,6]
   • Assign responsibility for security to an individual [3,5,6]
   • Address third-party risk [2,3,5,6]
   • Certify compliance by Chair of Board or Senior Officer or Chief Privacy Officer [2]
   Sources:
   1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
   2. NYDFS Cybersecurity Regulations Section 500.02
   3. HIPAA Security Management Process, §164.308(a)(1)(ii)
   4. SEC Statement and Guidance on 2/21/18
   5. GDPR Art. 32
   6. FFIEC IT Examination Handbook

19. A few words about privilege
   • Great sales pitch → the magic wand!
   • Mature understanding → not so simple!
   • Prepare by doing everything possible to ensure the applicability of privileges but carry out the work as though there will be no privilege.
     – Retain experienced cyber counsel to assess cyber risk, develop and lead cyber risk management program.
     – List role in engagement agreement.
     – Develop communications protocol at the outset.
       • i.e., “if it doesn’t need to be in writing …”
   • Counsel must actively lead and stay engaged in the process.
   • Counsel should hire, direct, and receive info from consultants.
   • If incident, consider multiple tracks:
     – proactive risk management;
     – normal business investigation;
     – investigation in anticipation of litigation.
   Photo credit: dave_7. Link: https://www.flickr.com/photos/daveseven/1910839183/in/photostream/
21. Without a magic wand, how does cyber legal counsel help?

22. Cyber Insurance
   Key considerations about cyber insurance:
   • If you don’t know you have it, you don’t!
   • Does your broker really “get” cyber?
   • Is your coverage based on your risk?
   • Was security/IT involved in procurement?
   • Does your coverage include social engineering?
   • Does your coverage include contractual liability?
   • Do you have first-party and third-party coverage?
   • Do you understand your sublimits?
   • Can you choose your counsel and vendors?
24. Shawn E. Tuma
   Spencer Fane LLP
   Partner & Co-Chair, Cybersecurity & Data Privacy Practice
   O 972.324.0317 | M 214.726.2808
   stuma@spencerfane.com
   web: spencerfane.com | blog: shawnetuma.com | @shawnetuma
   • Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
   • Board of Directors & General Counsel, Cyber Future Foundation
   • Board of Advisors, North Texas Cyber Forensics Lab
   • Policy Council, National Technology Security Coalition
   • Cybersecurity & Data Privacy Law Trailblazers, National Law Journal
   • SuperLawyers - Top 100 Lawyers in Dallas (2016)
   • SuperLawyers (2015-18)
   • D Magazine - Best Lawyers in Dallas (2014-18)
   • Officer, Computer & Technology Section, State Bar of Texas
   • Privacy and Data Security Committee, State Bar of Texas
   • College of the State Bar of Texas
   • Board of Directors, Collin County Bench Bar Conference
   • Past Chair, Civil Litigation Section, Collin County Bar Association
   • North Texas Crime Commission, Cybercrime Committee
   • Infragard (FBI)
   • International Association of Privacy Professionals (IAPP)