Cyber Security/Cyber Risks Corporate Board (slide deck transcript, 50 pages, posted 24-Jun-2020)

Page 1: Cyber Security/Cyber Risks Corporate Board …...– Cybersecurity $81.6B (2016) • By 2020 $120B to $170B • Most IT spending is still on business growth and management – throwing
Page 2: Cybersecurity Watch

Page 3: Wendy Young Carter, Vice President and Defined Contribution Director, The Segal Group

Page 4: Defined Contribution Plan Responsibility and Risk Management Aspects

Jesse J. Greene, Jr., Member of Board of Directors, Caterpillar; Senior Fellow, Richman Center, Columbia University

Page 5: Cyber Threat Today and Tomorrow

• More sophisticated attackers and criminal intent
• Annual loss estimates $450B globally
  – MSFT CEO estimate of value lost $3T annually
• Reliance on IT tools, systems complexity growing
  – Cloud, analytics
• Rational spending on cybersecurity growing
  – Global IT annual spend $3.5T (2017)
  – Cybersecurity $81.6B (2016)
    • By 2020 $120B to $170B
• Most IT spending is still on business growth and management – throwing money at cyber risk is not the answer

Page 6: How Much Should Be Spent on Cybersecurity?

IBM Ponemon Institute Research Report Survey

• Total cost per data breach = $3.62M

• Total cost per stolen record = $141

Page 7: For DC Plans, Who Is Involved?

• Plan Sponsors

• Administrators

• Fiduciaries/Trustees/Actuaries/Auditors

• Insurers/Consultants

• Plan Participants/Beneficiaries

Page 8: What is at Risk?

• DC Specific:
  • Participant/Beneficiary data – PII, SPI
    – Personally Identifiable Information
    – Sensitive Personal Information
  • Account information, birth dates, heirs, relationships
  • Bank account numbers, wire transfer data, credit card data
  • Social security numbers, bank account information used in payroll, tax data
  • Asset balances, loan balances
  • Permissions to transact

Page 9: How Should Companies Address this Risk?

• Problem is technological and human
• No technology solution available today
  – No way to assure systems are not infected
• Need constant vigilance
• Human behavior creates many exposures
  – Password management
  – What emails/notes to open and what not to
  – Intentional behaviors
• Therefore an informed, coherent, evolving plan and set of actions are required

Page 10: Board’s (Management’s) Responsibility

• Fiduciary to the shareholders
  – Duty of Care – understand the threat and the action plan to deal with it
  – Duty of Candor – explain actions taken to deal with the threat and disclose exposures/events where required
  – Personal liability for failure to act
• Business judgement rule applies if the risk is understood and the action plan is sufficient
  – Certainty is not possible

Page 11: So What Should Boards (and Management) Do?

• Take time to understand
  – What the risks (threats) are
  – What data assets the companies have that are vulnerable
  – Value of each
  – Defense plan for major categories of assets
    • Technological
    • Organizational, operating rules
    • Training
• Organize to sustain oversight
  – Committee assignment – audit, risk, technology
  – Scheduled reviews
• Apply risk management protocols

Page 12: Things to look for

• Discussion of assets, vulnerabilities and defenses
• Plan for testing of defenses by outside firms
  • Report back to Board or committee
  • Rotate testing firm
• Ongoing training program for employees on cyber threats and actions to avoid letting an attacker in
• Company policies and procedures on these points
• Use of internal audit to assure unit compliance
• Risk management team assessment, CRO report
• Response plan if a loss occurs
  – Leader, investigators, staff assignments, decision makers (accounting, finance, legal, business, board)
  – “Table top exercises”

Page 13: Risk Management Approach

• Set priorities based on value at risk and probability of event
  – Cyber threat and actions weighed against other major risks being managed
• So boards need to
  – Know the assets exposed (money and information)
  – Know the value
  – Know the threats/defenses in place for major assets
    • Can range from access monitoring and anomaly monitoring systems with automatic cut-off to simple regular backup, depending on the value
  – Assess appropriateness of plan given risk
• Make Cyber Risk part of the Enterprise Risk Management (ERM) program to assure focus is proportional to risk

Page 14: A Few Key Points

• Malicious/Criminal attacks cause most breaches and are costlier
• Hackers and criminal insiders cause the most data breaches
• Faster data breach detection lowers costs
  – Average 191 days for detection
  – Average 66 days to contain
• Compliance failures and mobile platforms increase security costs per compromised record
• Deployment of security analytics lowers costs

Source: IBM Ponemon Institute Research Report

Page 15: Conclusion

• We can’t eliminate cyber risk or avoid cyber crime attempts

• Our reliance on IT will only increase, so the risk will be ever present

• Technology may eventually reduce the risk, but it won’t eliminate it

• Our goal is to reduce this from a five-alarm fire to a nuisance, over time

Page 16: Information Security Risk Management

David J. Kalat, Director, Berkeley Research Group

Page 17: Third Party InfoSec Risk Management

Framework for Third Party Information Security Risk Management:

1. Due diligence of third parties’ InfoSec policies and compliance

2. Periodic review

3. Cyber insurance

Page 18: Due Diligence

• Many (financial institutions) will already be under regulatory requirements regarding cybersecurity compliance

• Some (consulting, actuarial, etc.) will not

• Many existing agreements silent on cybersecurity

Page 19: Due Diligence: What to look for in Contractual Agreements

• Use of encryption for data in transit/at rest

• Secure data deletion

• Secure access controls and user authentication

• Notification obligations

• Liability for breaches

• Ability to terminate/impose damages in event of breach

Page 20: Periodic Review: The Human Element

• Users are primary point of weakness

• Best technological solutions and controls in place mean nothing if users fail to comply

• Examples:
  – Sony breach
  – Case study: Midwestern Manufacturing Concern
  – The Dyn Attack

Page 21: We Are Our Own Worst Enemies

• In 2016, user error was responsible for more system downtime than malicious activity

• 2016 Cost of Data Breach Study found malicious insiders and employee negligence responsible for 65% of incidents

• 95% of successful attacks originated with a spear phishing email

Page 22: Social Engineering and “Loose Lips”

Page 23: Prudent Digital Behavior

Technological Weaknesses:

• Failure to install critical software patches

• Open ports

• Undetected malware

• Improper DNS configuration

• Misconfigured email SPF

• Improper or missing encryption

Human Weaknesses:

• Poor password choice

• Not changing default passwords

• Reusing passwords

• Sharing passwords

• Writing passwords down

• Clicking on unknown links in email and online

• Installing insecure software
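As an added example (not part of the slides), here is a small defender-side check for the “misconfigured email SPF” weakness listed above: it lints a domain’s SPF TXT record for the settings that let any host send mail as that domain. The `lint_spf` function and the two sample records are constructed for this illustration; the lookup limit of 10 and the deprecation of `ptr` come from RFC 7208.

```python
# Added example, not from the slides: a defender-side lint for an SPF TXT record.
# The sample records below are constructed (example domains, documentation IP range).

# Constructed sample records: the weak setting beside the corrected one
WEAK_SPF = "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 +all"   # anyone may send
FIXED_SPF = "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 -all"  # hard fail for others

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_MODIFIERS = {"redirect"}


def lint_spf(record: str) -> list:
    """Return a list of human-readable findings for one SPF TXT record.

    An empty list means these checks found no weakness. Checks:
      * the record must begin with the 'v=spf1' version tag
      * '+all', '?all' or a bare 'all' lets any host send as the domain
      * a missing 'all' leaves unmatched senders with a neutral result
      * 'ptr' is deprecated and unreliable
      * more than 10 lookup terms makes receivers return permerror
    """
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1, so receivers will ignore it"]

    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        if "=" in t:                      # modifier, e.g. redirect=... or exp=...
            name = t.split("=", 1)[0]
            if name in LOOKUP_MODIFIERS:
                lookups += 1
            continue
        qualifier = "+"                   # RFC default when no qualifier is written
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        mech = t.split(":", 1)[0].split("/", 1)[0]   # strip argument and CIDR length
        if mech == "all":
            all_qualifier = qualifier
            break                         # terms after 'all' are never evaluated
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
        if mech == "ptr":
            findings.append("'ptr' mechanism is deprecated and unreliable; replace it")

    if all_qualifier is None:
        findings.append("no terminal 'all' mechanism; unmatched senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(
            f"'{all_qualifier}all' lets any host send as this domain; use '-all' or '~all'"
        )
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_SPF), ("fixed", FIXED_SPF)):
        print(label, rec)
        for finding in lint_spf(rec) or ["no findings"]:
            print("  -", finding)
```

In practice the record string would come from a DNS TXT query for the domain; the lint logic is the same either way.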

Page 24: Cyber Insurance

• Underwriting challenges
  – Lack of stable long-term actuarial data
  – Unusual risk profile – fires don’t think up new ways to burn down your building
• Components in underwriting:
  – Existing security framework (technical)
  – Security culture (human)
• Cyber Risk Enterprise Security Score (FICO for cyber risk)
  – FICO/Quad Metrics, BitSight, SecurityScorecard, etc.

Page 25: Michael E. Slipsky, Partner, Poyner Spruill

Page 26: Employee Benefit Plan Data Breaches: Lessons Learned and Some Practical Advice

• Understand the data
  – Limit data collection and delete data that is no longer needed
  – Identify data flow
  – Control data flow
• Testing and updating
  – Monitor users (user behavior analytics)
  – Audit compliance

Page 27: Check the Practices of Service Providers and Protect Yourself

• Often the weakest link in a data system is the third party

• Potential fiduciary responsibility

• Vet the service provider before you ever get to the contract

Page 28: Ask Questions

• Does it have a program?

• What is the program?

• Who enforces the program?

• How does it respond to threats and actual breaches?

• How often does it review and rate its systems for security?

• What controls are in place for sensitive data?

Page 29: Contractual Protections/Checklist

Note: TPA forms are generally old and don't reflect cybersecurity concerns – it's not to a TPA's benefit to offer you additional protections, so you have to negotiate.

Data Protection Warranties

• Comply with TPA privacy/security policies (vet the same)

• Comply with applicable law

• Comply with industry standards (ISO 27001)

• Annual audits from nationally recognized independent third party (provide a copy of report)

• Fiduciary responsibility

Page 30: Confidentiality of Data and Use Restrictions

• Use plan participant data solely to provide services

• Keep in USA (require advance approval otherwise; reserve termination right if you don't approve)

• Vetting of subcontractors

Page 31: Breach Response

• Promptly notify plan sponsor/administrator (24 hours – 3 days)

• Duty to mitigate and preserve evidence

• Cooperate to perform an assessment and develop action plan for remediation

• TPA responsible for remediating the breach and using all commercially reasonable efforts to prevent recurrence

• Keep plan sponsor/administrator up-to-date on breach response

Page 32: Liability and Risk Allocation

• Hold the TPA responsible for cybersecurity breach
• TPA may carve out a consequential damages limitation, etc., but it is reasonable to require coverage of:
  • Reasonable investigative and legal costs, actual fines/penalties, compliance and breach reporting costs, credit monitoring
  • Indemnification from participant (and other third party) claims
  • Any cap should be high enough to permit substantial recovery
• Insurance
  • Amount
  • Quality/rating of insurance company
  • Plan sponsor/administrator named as additional insured

Page 33: Termination

• For data breach

• Post-termination data migration

• Destruction of records

Page 34: Owen Davies, Global Managing Director, Pension Transformation Services, Accenture

Page 35: DO YOU REMEMBER?

Copyright © 2017 Accenture All rights reserved.

Page 36: MAY 2017

A series of broad attacks began that spread the latest version of the WanaCrypt0r ransomware. These attacks reportedly impacted systems of public and private organizations worldwide in more than 150 countries.

Source: http://news.softpedia.com/news/global-ransomware-attack-takes-down-british-nhs-company-networks-more-515677.shtml

Page 37: JUNE 2016

A hacker using the name of the National Security Agency takes to the dark web, offering for sale a dataset containing personal details and driver’s license information of more than 290,000 U.S. citizens. The hacker discloses that he obtained the data after breaching the networks of several Louisiana organizations.

Source: http://news.softpedia.com/news/hackerputs-up-for-sale-290-000-us-driver-slicense-records-505161.shtml

Page 38: JUNE 2015

Leaked U.S. government log-in credentials, including data belonging to 705 government staff from 47 U.S. government agencies, are reportedly found on public paste sites. Although it is unclear how many of the credentials were active or how many passwords were current, the credentials were most likely stolen via malware-infected websites.

Source: http://www.scmagazine.com/analysis-of-17-paste-sits-uncovers-login-credentialsfrom-47-govt-agencies/article/422921

Page 39: BEING “SECURE” TODAY DOESN’T NECESSARILY MEAN AN AGENCY IS PROTECTED TOMORROW

Page 40: WHY HAVE AGENCIES THAT ARE SERVING THE PUBLIC BECOME SUCH A DESIRABLE TARGET?

Page 41: HACKERS LIKE:

PERSONALLY IDENTIFIABLE INFORMATION: Cyber criminals are eyeing citizen data, from social security numbers and retirement financials to health and tax information, all of which are valuable on the black market.

EASY TARGETS WITH AGING INFRASTRUCTURE: As governments work to digitize services, many are doing so with an aging infrastructure and funding constraints.

TARGETS WITH SECURITY SKILLS SHORTAGE: Security skills are increasingly in demand by virtually every sector. Public agencies have to compete with private companies to attract new talent.

BUDGET CONSTRAINT: Under-investment in IT consolidation and security initiatives has left state and local governments vulnerable.

Page 42: HACKERS HAVE CHANGED

THREAT SCENARIOS HAVE CHANGED DUE TO NEW CHANNELS SUCH AS E-GOVERNMENT, CLOUD AND MOBILITY

TOP CURRENT THREATS

• DATA THEFT (IDENTITY, TAX)
• FRAUDULENT REFUNDS
• DENIAL OF SERVICE
• RANSOMWARE / MALWARE
• WEB DEFACEMENT
• PHISHING ATTACKS

Page 43: TOP THREATS AND WHAT AGENCIES ARE DOING TO MITIGATE RISKS

(The slide is a two-column table; the pairing of threats to techniques did not survive extraction, so the columns are listed separately.)

CRITICAL THREATS TO PENSION AGENCIES

• DATA THEFT (IDENTITY, TAX)
• FRAUDULENT REFUNDS
• DENIAL OF SERVICE
• RANSOMWARE / MALWARE
• WEB DEFACEMENT
• PHISHING ATTACKS

MITIGATION TECHNIQUES / METHODS

• Security awareness / training, social engineering
• Strong identity and access controls (e.g. single sign-on), data protection and encryption
• Identity proofing / multi-factor authentication
• Infrastructure security / business continuity and disaster recovery
• Application security / business continuity and disaster recovery
• Identity and access management, application security

Page 44:

“When compared to the cybersecurity performance of 17 other major industries, government organizations ranked at the bottom of all major performers, coming in below information services, financial services, transportation and healthcare.”

Source: 2016 Accenture Cybersecurity report

Page 45: WHAT IS THE IMPACT FOR YOUR BENEFICIARIES?

Page 46:

• 82% of US citizens are concerned about cybercrime
• 61% of US citizens are confident in the ability of government to protect the privacy and security of their data
• 36% of US millennials feel their financial and health data used by Social Security or a public retirement agency are secure

Source: Accenture Public Service Citizen Survey, 2017

Page 47: WHERE SHOULD YOU START?

Page 48: REBOOT YOUR APPROACH

1. DEFINE CYBERSECURITY EFFECTIVENESS: Improve alignment of cybersecurity strategies with business imperatives and improve ability to detect and prohibit more advanced attacks.

2. PROTECT FROM THE INSIDE OUT: Prioritize protection of the organization’s key assets and focus on the internal incursions with greatest potential impact.

3. PRESSURE-TEST SECURITY CAPABILITIES: Engage “white-hat” external hackers for attack simulations to establish a realistic assessment of internal capabilities.

Page 49: REBOOTING...

4. MAKE SECURITY EVERYONE’S JOB: 99% of breaches not detected by banks' security teams are found by employees. Prioritize training for all employees.

5. LEAD FROM THE TOP: Chief Information Security Officers should materially engage with enterprise leadership and make the case that cybersecurity is a critical priority in protecting organization value.

6. KEEP INNOVATING: Invest in state-of-the-art programs to outmaneuver adversaries vs. investing more in existing programs.

Page 50: