Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Cybersecurity NYDFS Cyber Security Rule + More March 24, 2017


Cybersecurity: NYDFS Cyber Security Rule + More

March 24, 2017

Learning objectives

1. Developments in cybersecurity disclosure and assurance requirements
2. Reduce the FUD: advanced threats in today's business context
3. Tried and true fundamentals to protect against advanced threats

Cybersecurity is a hot topic

83% of organizations rated cyberattacks as a top three threat.

3 out of 4 organizations have experienced at least one security incident in the past year; 60% of those incidents were serious.

Source: CompTIA's 2016 International Trends in Cybersecurity

Many organizations are now wondering:

> How do we protect ourselves from a data breach?
> Is our organization prepared to identify and respond to a data breach?
> Are we doing enough to mitigate cybersecurity risks?

What is happening?

> For many companies, business value resides in their data and network systems.
> A sophisticated community of "hacktivists", cyber criminals and organized crime syndicates wants to cause competitive harm and financial loss by exploiting technical and social vulnerabilities of information assets.
> This combination leads to a high likelihood of data breaches.

"It is not a matter of if, but when ..." – countless leaders and security professionals

Regulatory response over time

1934 SEC Act
1974 Privacy Act
1996 HIPAA
1998 EU Safe Harbor
2000 17 CFR Part 248, brokers consumer protection
2001 Cybersecurity Enhancement Act
2006 Wisconsin Data Breach Law
2006 PCI DSS
2009 HITECH
2010 Massachusetts Privacy Law
NERC CIP
2012 FINRA
2013 Executive Order on Cybersecurity
2013 FFIEC social media guidance
2014 SEC OCIE Cybersecurity Guidance
2015 SEC Investment Manager Cyber Guidance
2015 FINRA & SEC survey results
2015 FFIEC Cybersecurity Assessment Tool
2015 FTC Start with Security
2016 NAIC Data Security Model Law
2016 NY DFS 23 NYCRR Part 500 Cybersecurity Rule
2017 SWIFT Mandatory Cybersecurity Controls

Developing disclosure and assurance requirements

New York Department of Financial Services: 23 NYCRR Part 500 (Financial Services Law)

Section  Description
500.02   Cybersecurity Program
500.03   Cybersecurity Policy
500.04   Chief Information Security Officer
500.05   Penetration Testing and Vulnerability Assessments
500.06   Audit Trail
500.07   Access Privileges
500.08   Application Security
500.09   Risk Assessment
500.10   Cybersecurity Personnel and Intelligence
500.11   Third Party Information Security Policy
500.12   Multi-Factor Authentication
500.13   Limitations on Data Retention
500.14   Training and Monitoring
500.15   Encryption of Nonpublic Information
500.16   Incident Response Plan
500.17   Notices to Superintendent

Compliance timeline

What's in effect now?

Changes from proposed to final regulation: effective March 1, 2017

Section: 500.01 Definitions
Key changes: Addition of a definition of third party service provider. Change in the definition of nonpublic information.
Key considerations: While the definition of nonpublic information has narrowed, entities need to clearly understand all definitions when they evaluate compliance with the law.

Section: 500.02 Cybersecurity Program
Key changes: Ability to leverage the cybersecurity program of an affiliate, so long as that program covers the entity and all information / documentation is available to the superintendent upon request.
Key considerations: While it may be advantageous to leverage the cybersecurity program of an affiliate, entities must make sure all provisions are applicable and still make adjustments as appropriate for their specific environment and risks.

Section: 500.03 Cybersecurity Policy
Key changes: Inclusion of the concept that the policy is based on the cybersecurity risk assessment. Addition of "asset inventory and device management" as a required covered area and removal of "capacity and performance planning."
Key considerations: An effective cybersecurity policy addresses the key risks that an entity faces. As such, the foundation of the policy should be the entity's risk assessment.

Section: 500.07 Access Privileges
Key changes: Removal of the words "solely to those individuals who require such access to such systems in order to perform their responsibilities" as they relate to user access, in favor of the less prescriptive "shall limit user access privileges."
Key considerations: While this appears to be a relaxed requirement, entities will still need controls in place to manage every user's access to key systems, based on the specific needs of the user's role within the organization (that is, least privilege).

Changes from proposed to final regulation: effective March 1, 2017 (cont.)

Section: 500.10 Cybersecurity Personnel and Intelligence
Key changes: Training for cybersecurity personnel changed from "required" to "must provide for." Language has been added allowing a third party to be used as cybersecurity personnel; previously, it was written that resources had to be "employed."
Key considerations: It can be challenging for many organizations to maintain the requisite cyber knowledge to keep up with the constantly changing landscape. Entities should seriously consider looking to outside third party providers to complement their in-house talent.

Section: 500.16 Incident Response Plan
Key changes: Nominal verbiage changes, no material impact.
Key considerations: Incident response plans are a critical piece of an effective cybersecurity program. Similar to business continuity and disaster recovery plans, incident response plans should be tested often to ensure the entity's ability to execute the plan.

Section: 500.17 Notices to Superintendent
Key changes: Addition of a notification requirement: beyond events that must be reported to a governmental or regulatory body, cybersecurity events which "have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity" are also reportable. The Jan. 15 certification filing deadline for each year has been moved to Feb. 15.
Key considerations: In order for entities to certify their compliance, all the considerations in this law need to be addressed, tested and monitored on an ongoing basis. Governance of the cybersecurity program will be a critical component of ensuring ongoing compliance.

Transition period: effective March 1, 2018

Section: 500.04(b) Chief Information Security Officer (CISO)
Key changes: New verbiage indicating the CISO may be employed by an affiliate, and authorization to utilize a third party in addition to an employee of the covered entity. The reporting requirement to the Board of Directors (BOD) or governing body changed from bi-annual to annual. Reporting on the confidentiality provision of the program has been restricted to confidentiality of nonpublic information from all information systems, and a materiality consideration has been added to reporting on risks.
Key considerations: Even though the provision allows flexibility in who can serve in the CISO role, the covered entity remains fully responsible for compliance. Consistency in annual reporting will be critical to ensure the BOD or governing body can understand changes in the risk environment.

Section: 500.05 Penetration Testing and Vulnerability Assessments
Key changes: Penetration testing was originally required annually and vulnerability assessment quarterly. This has been softened to annual penetration testing and bi-annual vulnerability assessments, based on the risk assessment.
Key considerations: Ongoing management of the vulnerabilities identified in the assessments will be the largest challenge of meeting the spirit of this requirement.

Transition period: effective March 1, 2018 (cont.)

Section: 500.09 Risk Assessment
Key changes: Changed the annual requirement to periodic. The risk assessment went from being a component of the cybersecurity program to its foundation. It is now the basis for the cybersecurity program, the cybersecurity policy, penetration testing and vulnerability assessments, audit trails, third party service provider security policies, multi-factor authentication and encryption.
Key considerations: Many of the law's other requirements start with the entity's risk assessment. As the foundation of the cybersecurity program, entities should not underestimate the level of effort required to perform an appropriate assessment.

Section: 500.12 Multi-Factor Authentication (MFA)
Key changes: Addition of a risk-based approach for MFA. Flexibility for increased reliance on effective internal controls. The required use of MFA for database servers has been removed. The required use of MFA for accessing systems or data from an external network has been narrowed to required use for accessing internal networks from external networks, unless the CISO has approved the use of "reasonably equivalent" or more secure controls.
Key considerations: While MFA is now specifically required only for access to internal networks from external networks (and even there a CISO-approved equivalent control may substitute), entities should consider implementing MFA for key systems to strengthen their security posture.

Section: 500.14(b) Training and Monitoring
Key changes: The required regular cybersecurity training has been changed such that the entity must provide for regular cybersecurity training based on its risk assessment.
Key considerations: Regular training of staff, IT personnel and executives remains paramount to maintaining an effective cybersecurity program.

Transition period: effective Sept. 1, 2018

Section: 500.06 Audit Trail
Key changes: "Reconstruct all records" became "to the extent applicable based on risk." Addition of the word "material" relating to financial transactions. Elimination of requirements relating to forensic reconstruction, specifically over data logging, protection from tampering, logging of physical access to hardware and logging of system events. Reduction of the six year retention period to five.
Key considerations: While the regulation now bases the requirement on the entity's risk assessment, 500.06(a)(2) still requires entities to maintain audit trails that enable effective detection of and response to cybersecurity events. This will continue to be a challenge for many organizations.

Section: 500.08 Application Security
Key changes: "Evaluating and assessing all externally developed applications" changed to "evaluating or assessing externally developed applications" (changed "and" to "or" and removed "all"). Changed the annual review requirement to periodic.
Key considerations: The requirement will still be challenging for many entities. Secure in-house development is a critical control for ensuring system security. For third party developed applications, it will be important for entities to obtain assurance from their vendors that security testing has been performed.

Section: 500.13 Limitations on Data Retention
Key changes: Timely destruction of data has been changed to periodic destruction. Adherence to applicable laws and regulations still applies.
Key considerations: Many organizations will struggle with this requirement, as the proliferation of data across distributed networks and systems makes it challenging to prove secure destruction of all of the data.

Transition period: effective Sept. 1, 2018 (cont.)

Section: 500.14(a) Training and Monitoring
Key changes: Entities must implement procedures and controls to monitor authorized and unauthorized access to nonpublic information.
Key considerations: Monitoring of access to nonpublic data will still be challenging, and entities will need to consider implementing systems to ensure compliance with this requirement.

Section: 500.15 Encryption of Nonpublic Information
Key changes: "Encryption of all data" has been softened to "shall implement controls, including encryption." The word "all" has been removed and the requirement is now based on the entity's risk assessment. The expiration of reliance on compensating controls after one year (data in transit) and five years (data at rest) has been removed; reliance is now indefinite, hinging on the CISO's review and approval of the compensating controls at least annually.
Key considerations: While the law does not require encryption where it is deemed infeasible, organizations still need to evaluate feasibility and develop / implement compensating controls to protect the data they cannot encrypt. While this may sound easier said than done, it will be important for entities to document their assessment and not simply jump to the conclusion that compensating controls are the most appropriate solution given their systems, architectures and the data being processed.
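As an added example (not code from the Baker Tilly deck), the Python below shows one audit-trail design that addresses two of the considerations above at once: the 500.06 point that audit trails must still support detection and response and should resist tampering, and the 500.14(a) point that access to nonpublic information must be monitored. Each record is HMAC-chained to the one before it, so an edit, deletion or reorder is detectable, and the same records are scanned for reads a role is not permitted to make and for unusually bulky reads of nonpublic information. The record fields, the HMAC key, the role-to-data-class policy and the sample events are all constructed for the example.

```python
"""One audit trail serving two requirements: records are HMAC-chained so
tampering or deletion is detectable (500.06), and the same records are
scanned for unauthorized and unusual access to nonpublic information (500.14(a)).

Added example, not code from the deck. The record fields, the HMAC key,
the role-to-data-class policy and the sample events are all constructed.
"""
import hashlib
import hmac
import json
from typing import Optional

AUDIT_KEY = b"demo-key-hold-this-in-an-hsm"     # assumed; never keep it beside the log
GENESIS = b"\x00" * 32

# Assumed policy: the data classes each role may read. "npi" = nonpublic information.
ALLOWED = {
    "teller":  {"public", "account"},
    "analyst": {"public", "account", "npi"},
    "admin":   {"public"},
}


class AuditTrail:
    """Append-only list of records; each record's tag covers the previous tag,
    so any edit, deletion or reorder breaks every tag from that point on."""

    def __init__(self, key: bytes = AUDIT_KEY):
        self._key = key
        self._prev = GENESIS
        self.entries = []

    def _tag(self, fields: dict, prev: bytes) -> str:
        body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev + body, hashlib.sha256).hexdigest()

    def append(self, **fields) -> dict:
        tag = self._tag(fields, self._prev)
        record = dict(fields, tag=tag)
        self.entries.append(record)
        self._prev = bytes.fromhex(tag)
        return record

    def verify(self) -> Optional[int]:
        """Index of the first record whose tag does not check out, else None."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            fields = {k: v for k, v in rec.items() if k != "tag"}
            if not hmac.compare_digest(self._tag(fields, prev), rec["tag"]):
                return i
            prev = bytes.fromhex(rec["tag"])
        return None


def unauthorized_access(entries, allowed=ALLOWED) -> list:
    """Reads of a data class that the actor's role is not permitted to see."""
    return [r for r in entries
            if r.get("action") == "read"
            and r.get("data_class") not in allowed.get(r.get("role"), set())]


def bulk_npi_reads(entries, threshold: int = 3) -> dict:
    """Users whose NPI reads reach the threshold: authorized, but worth review."""
    counts = {}
    for r in entries:
        if r.get("action") == "read" and r.get("data_class") == "npi":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample events (timestamps and identifiers are made up).
SAMPLE_EVENTS = [
    dict(ts="2017-03-24T09:01:00Z", user="jdoe", role="teller",  action="read",  data_class="account", obj="acct:1001"),
    dict(ts="2017-03-24T09:02:10Z", user="jdoe", role="teller",  action="read",  data_class="npi",     obj="ssn:1001"),
    dict(ts="2017-03-24T09:05:00Z", user="rroe", role="analyst", action="read",  data_class="npi",     obj="ssn:2002"),
    dict(ts="2017-03-24T09:05:30Z", user="rroe", role="analyst", action="read",  data_class="npi",     obj="ssn:2003"),
    dict(ts="2017-03-24T09:06:00Z", user="rroe", role="analyst", action="read",  data_class="npi",     obj="ssn:2004"),
    dict(ts="2017-03-24T10:00:00Z", user="svc",  role="admin",   action="write", data_class="npi",     obj="ssn:2002"),
]


def build_sample_trail() -> AuditTrail:
    trail = AuditTrail()
    for ev in SAMPLE_EVENTS:
        trail.append(**ev)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify() is None)
    print("unauthorized:", [r["obj"] for r in unauthorized_access(trail.entries)])
    print("bulk NPI readers:", bulk_npi_reads(trail.entries))
    trail.entries[1]["data_class"] = "account"     # an insider rewrites the record
    print("after tamper, first bad record:", trail.verify())
```

The point of running both checks over the same trail: once the teller's unauthorized NPI read is rewritten to look like an account read, the access monitor alone reports nothing, but the chain verification names the exact record that was altered. The HMAC key belongs on the log collector (or in an HSM), not on the systems that emit the records; a key that lives beside the log lets an attacker re-tag whatever they change.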

Transition period: effective March 1, 2019

Section: 500.11 Third Party Service Provider Security Policy
Key changes: Reduction of the annual requirement to periodic, based on the risk assessment. Removal of the word "prompt" from the notification requirement relating to cybersecurity events at / with third parties. Allowance of reliance on the policy of an affiliate which is also a covered entity. Introduction of the words "to the extent applicable."
Key considerations: This will be a challenge for many organizations, which is reflected in the two year transitional period. To ensure success, the development of a formal vendor management program may be required to demonstrate compliance.

NY DFS Section 500.03: Cybersecurity policy

Each covered entity shall implement and maintain a written cybersecurity policy setting forth the covered entity's policies and procedures for the protection of its information systems and nonpublic information stored on those information systems. The cybersecurity policy shall address, at a minimum, the following areas:

Information security
Data governance and classification
Asset inventory and device management (added in the final regulation, see 500.03 above)
Access controls and identity management
Business continuity and disaster recovery planning and resources
Systems operations and availability concerns
Systems and network security
Systems and network monitoring
Systems and application development and quality assurance
Physical security and environmental controls
Customer data privacy
Vendor and third-party service provider management
Risk assessment
Incident response

Cybersecurity attestation examination engagement

> Current ASEC (Assurance Services Executive Committee) project to develop an approach for CPA firms to perform attest engagements related to cybersecurity
> Two primary objectives of the engagement:
o Provide a broad range of users information about the entity's cybersecurity risk management program that may be useful in their decision making
o Address the needs of external users (investors, analysts, vendors and business partners) who need information to help in evaluating management's process for managing cyber risks
> Broader than SOC 2: covers all aspects of an entity's cybersecurity risk management program
> Likely to be a general use report

SOC trends: AICPA ASEC cybersecurity

> Key premises
o Acknowledges the fundamental reality of cybersecurity: an entity that operates in cyberspace is likely to experience one or more security events or breaches at some point in time, regardless of the effectiveness of the entity's cybersecurity controls
o This acknowledgment is essential to dispel potential misconceptions that an unqualified practitioner's opinion in the proposed cybersecurity examination engagement report implies that the entity's controls would prevent all security events from occurring within the organization
o Instead, when such events occur, an effective cybersecurity risk management program focuses on the controls the entity has designed, implemented and operated to detect, respond to, mitigate and recover from those events on a timely basis

SOC trends: SSAE 18

> SSAE 18
o Released April 2016 and effective May 2017
o Supersedes Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
> Highlights
o Clarity on IPE (Information Provided by Entity)
o Monitoring the effectiveness of controls at subservice organizations, including mapping of controls to address their complementary user entity controls (CUECs)
o Requires identification of material 4th parties (AT-C.320.A9)

NAIC Cybersecurity Task Force

> The mission of the Cybersecurity (EX) Task Force is to consider issues concerning cybersecurity as they pertain to the role of state insurance regulators.
> Adopted a cybersecurity principles document (12 principles)
> Insurance Data Security Model Law

NAIC 12 principles guidance: company

• Principle 2: Confidential and/or personally identifiable consumer information collected, stored or transferred should be appropriately safeguarded
• Principle 7: Planning for incident response by insurers and other regulated entities is an essential component of an effective cybersecurity program
• Principle 8: Insurers should take steps to ensure that third parties and service providers have controls in place to protect data
• Principle 9: Cybersecurity risks should be incorporated into ERM processes; cybersecurity must include all facets of an organization
• Principle 10: IT internal audit findings should be reported to the board of directors (or a committee thereof)
• Principle 11: Insurers should engage in an information-sharing and analysis organization (ISAO) to stay informed of emerging threats
• Principle 12: Provide periodic and timely training (inclusive of an assessment) regarding security and cybersecurity threat awareness and protection

NAIC 12 principles guidance: regulators

• Principle 1: Insurance regulators have a responsibility to ensure customer data is secure, and should mandate that insurers have systems in place to alert consumers in a timely manner of a breach
• Principle 3: State insurance departments and the NAIC are also responsible for ensuring consumer information sent to the NAIC / departments is secure
• Principle 4: Guidance must be flexible, scalable, practical and consistent with nationally recognized efforts (e.g., NIST)
• Principle 5: Guidance should include a minimum set of standards, but be risk-based and consider the resources of an individual insurer
• Principle 6: State regulators should provide regulatory oversight, which would include cybersecurity considerations in financial and market conduct exams

NAIC Insurance Data Security Model Law

> Key components
o Information security program
o Risk assessment
o Risk management
o Oversight by board of directors
o Oversight of third parties
o Notification of data breach

Reduce the FUD: threats explained, simple and foundational solutions

Phishing

Source: Verizon 2016 Data Breach Investigations Report

Definition: A form of social engineering in which a message, typically an email, with a malicious link or attachment is sent to a victim with the intent of tricking the recipient into opening the attachment or following the link.

Phishing is a means to install persistent malware, or the email leads to a phony site to capture user input such as credentials.

Actions to take now:
> Email filtering
> Awareness training (simulated phishing)
> Network segmentation
> Strong authentication
> Monitoring of outbound traffic
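As an added example (not code from the deck), here is the kind of header heuristic an email filter applies to the "email filtering" action above: it flags a sender domain that imitates the corporate one (typo-squat or homoglyph), an executive's display name on a message from outside the company (the whaling case), a Reply-To that routes answers somewhere else, and pressure or credential wording in the body. The corporate domain, the executive names, the homoglyph table and both sample messages are constructed for the example; a real gateway would add SPF/DKIM/DMARC results and attachment analysis, which this block does not cover.

```python
"""Header heuristics of the kind an email filter applies to catch phishing
and whaling before a user sees the message.

Added example, not code from the Baker Tilly deck. The corporate domain,
the executive names, the homoglyph table and both sample messages below
are constructed for the example.
"""
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example-bank.com"                 # assumed corporate domain
EXEC_NAMES = {"pat morgan", "lee chen"}          # assumed whaling targets (display names)
PRESSURE_WORDS = ("urgent", "wire", "gift card", "password")

# Substitutions attackers use to build lookalike domains (assumed, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit away from the corporate domain is a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def is_lookalike(domain: str, corp: str = CORP_DOMAIN) -> bool:
    """True when the domain is not the corporate one but resembles it."""
    if domain.lower() == corp:
        return False
    folded = fold_homoglyphs(domain)
    return folded == corp or levenshtein(folded, corp) <= 1


def analyze(raw: str) -> list:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    if is_lookalike(domain):
        findings.append("lookalike sender domain: " + domain)
    # Whaling: an executive's name on a message that did not come from our domain.
    if name.strip().lower() in EXEC_NAMES and domain != CORP_DOMAIN:
        findings.append("executive display name on external sender: " + addr)
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append("Reply-To routes answers elsewhere: " + reply)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure/credential wording: " + ", ".join(hits))
    return findings


# Constructed sample messages: a whaling attempt and a normal internal note.
PHISH = """\
From: Pat Morgan <pat.morgan@examp1e-bank.com>
Reply-To: pat.morgan@mail-relay.example.net
To: treasury@example-bank.com
Subject: Quick favor
Content-Type: text/plain; charset=us-ascii

Need an urgent wire sent before noon. Call me after.
"""

LEGIT = """\
From: Lee Chen <lee.chen@example-bank.com>
To: treasury@example-bank.com
Subject: Lunch
Content-Type: text/plain; charset=us-ascii

Lunch at noon?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw) or "clean")
```

Each finding on its own is weak evidence (a partner domain one edit away from yours is a false positive waiting to happen), which is why a gateway scores several of them together and why the awareness training on the same slide matters for whatever still gets through.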

Web application attacks

Source: Verizon 2016 Data Breach Investigations Report

Definition: Any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms.

95% of confirmed web app breaches were financially motivated.

Actions to take now:
> Patch, especially CMS platforms and third party plug-ins
> Validate inputs
> Strong authentication
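As an added example (not code from the deck), the following Python puts the "validate inputs" and "strong authentication" actions above side by side with the weakness they address: a login check that thwarts its own authentication because user input is spliced into the SQL text, beside a hardened version that allowlists the username, binds the parameter, stores a salted PBKDF2 hash and compares it in constant time. The in-memory SQLite schema, the single user record and the username policy are constructed for the example.

```python
"""A login check that an injected username or password can thwart, beside
the hardened version (parameterized query, allowlisted input, salted hash,
constant-time compare).

Added example, not code from the deck. The in-memory SQLite schema, the
single user record and the username policy are constructed.
"""
import hashlib
import hmac
import os
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")   # assumed allowlist policy
PBKDF2_ROUNDS = 100_000


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed data: user 'alice' in a legacy plaintext table (what the
    vulnerable login queries) and in a salted-hash table (what the hardened
    login queries)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE legacy_users (username TEXT, password TEXT)")
    con.execute("INSERT INTO legacy_users VALUES ('alice', 'correct horse')")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    con.execute("INSERT INTO users VALUES (?, ?, ?)",
                ("alice", salt, hash_pw("correct horse", salt)))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: both inputs are spliced into the SQL text and
    the password decision is made by the database, so whoever controls the
    inputs controls the query. "alice' --" comments out the password clause;
    "' OR '1'='1" as the password makes the WHERE clause true for every row."""
    query = ("SELECT username FROM legacy_users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(query).fetchone() is not None


def login_hardened(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Allowlist the username, bind the parameter, compare a salted PBKDF2 hash
    in constant time, and take the same time whether or not the user exists."""
    if not USERNAME_RE.match(username):
        return False
    row = con.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                      (username,)).fetchone()
    if row is None:
        hash_pw(password, b"\x00" * 16)     # burn a hash: no timing oracle for usernames
        return False
    salt, stored = row
    return hmac.compare_digest(hash_pw(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    for user, pw in (("alice", "correct horse"), ("alice' --", "x"), ("nobody", "' OR '1'='1")):
        print(repr(user), repr(pw),
              "vulnerable:", login_vulnerable(db, user, pw),
              "hardened:", login_hardened(db, user, pw))
```

The parameter binding is what closes the injection; the allowlist is defense in depth that also keeps junk out of logs and downstream queries, and moving the password comparison out of SQL means the database never holds a usable secret even if the query is read back by an attacker.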

Vulnerabilities

Source: Verizon 2016 Data Breach Investigations Report

Insights: Older vulnerabilities are still heavily targeted; a methodical patch approach that emphasizes consistency and coverage is more important than expedient patching.

Cyber-espionage features external threat actors infiltrating victim networks seeking sensitive internal data and trade secrets.

Actions to take now:
> Patch applications (browsers)
> Whitelist executables
> Back-ups

Social Engineering In Depth

Bruce Schneier: "Amateurs hack systems, professionals hack people."

Social Engineering

• Social engineering is the attempt by an attacker to trick prospective victims into performing actions that will benefit the attacker.
• Social engineering preys upon four qualities of human nature:
o Our tendency to trust people and familiar things
o Our desire to be helpful to other people
o Our fear of getting into trouble
o Our carelessness

Image: "Maquette Trojan Horse", a gift from Brad Pitt to the Turkish town Canakkale, used in the movie "Troy" (Source: Wikipedia)

Social Engineering Used To Facilitate A Data Breach

> Social engineering is increasingly used as a tactic in the commission of a larger cyber attack leading up to a data breach.

Figure: points in the cyber attack chain where social engineering (SE) tactics may be employed.

Social Engineering Attacks and Techniques

> Pretexting: tactics include impersonation, coercion, sympathy and playing to the victim's ego
> Phishing, smishing (by SMS), vishing (by voice) and whaling
> Whaling: spear phishing for the BIG fish
> Watering-hole attack
> Dropped USB stick
> Attacking when it is least expected
> Harvesting publicly available information

Best Practice Recommendations To Address The Social Engineering Threat

1. Use technology and tools to limit the exposure to social engineering attacks.
2. Train employees to recognize and correctly respond to phishing attempts that tools do not catch.
3. Have an incident response plan in place to discover, contain, eradicate and recover from the damage caused by a successful phishing email attack.

Subcontractors and vendors

Trends (source: Verizon 2016 Data Breach Investigations Report)

According to the Soha Systems Survey on Third Party Risk, 63% of all data breaches can be attributed to a third party vendor.

NIST SP 800-171 (DFARS)

Ransomware: emerging threat

According to FBI statistics, $209 million in ransomware payments were extorted from businesses and institutions during the first three months of 2016, a pace of $1 billion per year if it continues.

> 50% of employees open phishing emails
> 100 different types of ransomware
> 23% of recently surveyed companies hit

Ransomware lifecycle

Continuous protection across network, systems and people, with ongoing communication throughout.

Attack (entry points): email, web browsing, free downloads
Contain: unplug (isolate) devices; research and identify the strain; scope infected systems; shrink the attack footprint
Remediate, options include: pay; decrypt (where a known decryptor exists for the strain); restore data from back-ups

Key actions

> Know your "crown jewels"
> Implement security awareness and training
> Collaborate with IT and security staff on response
> Lines of communication and decision authority
> Post-recovery verification of systems and data

Page 44 (slide 43)

Tried and true security measures

Page 45 (slide 44)

Interesting statistics

> More than 90 percent of breaches were avoidable through simple or intermediate controls:

o Eliminate unnecessary data

o Patching of systems

o Actually look at your logs

> Companies go back to the basics once breached:

o 53 percent training and awareness

o 49 percent additional manual controls

o 52 percent expand use of encryption

o 19 percent security certification or audit
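The last control on that list, actually looking at your logs, is where a ransomware outbreak is visible minutes before the ransom note: one account writing or renaming far more files than a person does. The following is an added example, not part of the deck, that parses a constructed file-server audit format and raises one alert per (host, user) whenever 20 or more distinct files are written or renamed inside a 60-second sliding window. The log format, the host and user names and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed key=value audit format; map your real source (Windows event 4663,
# Samba full_audit, a NAS file-access log) onto the same five fields.
LINE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path="(?P<path>[^"]*)"$'
)


def parse(line):
    """Return a dict for a well-formed line, None for anything else (never raise on junk)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bursts(lines, window_s=60, threshold=20, ops=("WRITE", "RENAME")):
    """Sliding window per (host, user): alert once when >= threshold distinct files
    are written or renamed within window_s seconds. Lines must be time-ordered per key."""
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in ops:
            continue
        key = (ev["host"], ev["user"])
        q = windows[key]
        q.append((ev["ts"], ev["path"]))
        cutoff = ev["ts"] - timedelta(seconds=window_s)
        while q and q[0][0] < cutoff:  # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)  # one alert per offender, not one per subsequent line
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "first": q[0][0], "last": ev["ts"], "files": len(distinct)})
    return alerts


def sample_log():
    """Constructed audit lines: a normal editing session, then a 40-second encryption burst."""
    lines = [f'2017-03-24T09:0{i}:00Z host=fs01 user=asmith op=WRITE path="hr/doc{i}.docx"'
             for i in range(5)]
    lines += [f'2017-03-24T09:10:{i:02d}Z host=fs01 user=jdoe op=RENAME path="hr/file{i}.xlsx.locked"'
              for i in range(40)]
    lines.append('2017-03-24T09:11:00Z host=fs01 user=jdoe op=WRITE path="hr/README_DECRYPT.txt"')
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for a in detect_bursts(sample_log()):
        print(f"ALERT {a['host']} {a['user']}: {a['files']} files "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}")
```

Tune the threshold and window on a week of your own audit data, allowlist the backup and antivirus service accounts that legitimately touch thousands of files, and wire the alert to the containment step (disable the account, isolate the host) rather than to a mailbox that is read the next morning.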

Page 46 (slide 45)

Lessons learned from Anthem

> Better and more frequent employee security awareness training

> Multi-factor authentication

> Encrypted data at rest

> Response speed and process

o Incident response plan and testing

Source: NAIC CyberSecurity Taskforce meeting with Anthem CIO, 3/29/15.

Page 47 (slide 46)

A robust cybersecurity program is critical

CYBERSECURITY PROGRAM (six components)

GOVERNANCE AND POLICIES

• Governance practices

• Policies and procedures

• Change management

• Performance measurement

• Enterprise risk management

• Business continuity management

TRAINING & COMMUNICATION

• Communication with industry groups

• Awareness training

• Cross-area training (IT security, audit, engineering)

• Skill building: security, security testing, audit

INCIDENT RESPONSE MANAGEMENT

• Response plan and team

• Crisis management

• Investigation team

• Collaboration with: component manufacturers, service providers, incident response teams, law enforcement

CYBER RISK ASSESSMENT

• Cybersecurity risk assessments

• Enterprise risk management linkage

• Red team technical assessments

• Standards compliance/readiness assessments

CYBERSECURITY COUNTERMEASURES

• Access management

• Network/infrastructure security

• Change controls

• Physical security

• Backup

• Real-time monitoring

• Threat intelligence

• Encryption

• Secure development

• Third-party control

• Personnel security

• Antimalware tools

• Component certification

• Vulnerability assessment

MONITORING

• Controls assessment

• Performance metrics

• Systems monitoring

• Compliance/certification

• External audit

• External reporting

• Internal audit

• Audit committee

Page 48 (slide 47)

Five principles boards should consider

I. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

II. Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.

III. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.

IV. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

V. Board-management discussion of cyber-risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

Page 49 (slide 48)

Keys to Executive Cyber Risk Oversight

Page 50 (slide 49)

Thank you

Chris Tait, Principal, Risk Services

MBA, CISA, CFSA, CCSK, CCSFP

[email protected]

414.777.5515