Hot Topics in Dealing with Banking Cyber Security: Live Webcast
DESCRIPTION
In a two hour live webcast, a panel of thought leaders and practitioners assembled by The Knowledge Group will discuss the significant and latest issues with respect to Hot Topics in Dealing with Banking Cyber Security. Key topics include: Digital Crime; Threat Overload; Case Studies; Heightened Regulatory Oversight; Threat Detection; Cyber-Attack Triage; Recent regulatory issues and updates.
To view the webcast go to this link: http://youtu.be/Igr7zAcKndE
To learn more about the webcast please visit our website: http://theknowledgegroup.org
TRANSCRIPT
Speaker Firms and Organization:
United States Department of Homeland Security
Carlos P. Kizzee, Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience
Thank you for logging into today’s event. Please note we are in standby mode. All microphones will be muted until the event starts. We will be back with speaker instructions at 11:55am. Any questions? Please email: [email protected]
Group Registration Policy
Please note ALL participants must be registered or they will not be able to access the event. If you have more than one person from your company attending, you must fill out the group registration form. We reserve the right to disconnect any unauthorized users from this event and to deny violators admission to future events.
To obtain a group registration please send a note to [email protected] or call 646.202.9344.
Presented By:
June 19, 2014
Partner Firms:
Kane Russell Coleman & Logan PC: Kenneth Johnston, Shareholder
BAE Systems: Paul Henninger, Global Product Director
Bryan Cave LLP: Maria Z. Vathis, Of Counsel
United States Department of Homeland Security
Follow us on Twitter, that’s @Know_Group, to receive updates for this event as well as other news and pertinent info.
If you experience any technical difficulties during today’s WebEx session, please contact our Technical Support at 866-779-3239.
You may ask a question at any time throughout the presentation today via the chat window on the lower right hand side of your screen. Questions will be aggregated and addressed during the Q&A segment.
Please note, this call is being recorded for playback purposes.
If anyone was unable to log in to the online webcast and needs to download a copy of the PowerPoint presentation for today’s event, please send an email to: [email protected]. If you’re already logged in to the online webcast, we will post a link to download the files shortly.
If you are listening on a laptop, you may need to use headphones, as some laptop speakers are not sufficiently amplified to hear the presentations. If you do not have headphones and cannot hear the webcast, send an email to
and we will send you the dial-in phone number.
About an hour or so after the event, you'll be sent a survey via email asking you for your feedback on your experience with this event today. It's designed to take less than two minutes to complete, and it helps us to understand how to wisely invest your time in future events. Your feedback is greatly appreciated. If you are applying for continuing education credit, completion of the surveys is mandatory as per your state boards and bars. 6 secret words (3 for each credit hour) will be given throughout the presentation. We will ask you to fill these words into the survey as proof of your attendance. Please stay tuned for the secret word.
Speakers, I will be giving out the secret words at randomly selected times. I may have to break into your presentation briefly to read the secret word. Pardon the interruption.
Welcome to the Knowledge Group Unlimited Subscription Programs. We have two options available for you:
FREE UNLIMITED: This program is free of charge with no further costs or obligations. It includes:
• Unlimited access to over 15,000 pages of course material from all Knowledge Group Webcasts. Subscribers to this program can download any slides, white papers, or supplemental material covered during all live webcasts.
• 50% discount for purchase of all live webcasts and downloaded recordings.
PAID UNLIMITED: Our most comprehensive and cost-effective plan, for a one-time fee:
• Access to all LIVE Webcasts (normally $199 to $349 for each event without a subscription), including Bring-a-Friend: invite a client or associate outside your firm to attend for FREE. Sign up for as many webcasts as you wish.
• Access to all Recorded/Archived Events & Course Material, including 1,500+ hours of audio material (normally $299 for each event without a subscription).
• Free CLE/CPE/CE Processing (normally $49 per course without a subscription).
• Access to over 15,000 pages of course material from Knowledge Group Webcasts.
• Ability to invite a guest of your choice to attend any live webcast free of charge (exclusive benefit only available for PAID UNLIMITED subscribers).
• 6 Month Subscription is $299 with no additional fees. Other options are available.
Special Offer: Sign up today and add 2 of your colleagues to your plan for free. Check the “Triple Play” box on the sign-up sheet contained in the link below.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
Knowledge Group UNLIMITED PAID Subscription Programs Pricing
Individual Subscription Fees (2 options):
• Semi-Annual: $299 one-time fee for a 6 month subscription with unlimited access to all webcasts, recordings, and materials.
• Annual: $499 one-time fee for a 12 month unlimited subscription with unlimited access to all webcasts, recordings, and materials.
Group plans are available. See the registration form for details.
Best ways to sign up:
1. Fill out the sign up form attached to the post conference survey email.
2. Sign up online by clicking the link contained in the post conference survey email.
3. Click the link below or the one we just posted in the chat window to the right. https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
Discounts: Enroll today and you will be eligible for the “Triple Play” program and 3% off if you pay by credit card. Also we will waive the $49 CLE/CPE processing fee for today’s conference. See the form attached to the post conference survey email for details.
Questions: Send an email to: [email protected] with “Unlimited” in the subject.
Partner Firms:
BAE Systems Applied Intelligence delivers solutions which help clients to protect and enhance their critical assets in the intelligence age. Its intelligent protection solutions combine large-scale data exploitation, ‘intelligence-grade’ security and complex services and solutions integration. The company operates in four key domains of expertise: cyber security, financial crime, communications intelligence and digital transformation. Leading enterprises and government departments use the solutions to protect and enhance physical infrastructure, mission-critical systems, valuable intellectual property, corporate information, reputation and customer relationships, competitive advantage and financial success. For more information, please visit www.baesystems.com/ai.
United States Department of Homeland Security
Partner Firms:
Kane Russell Coleman & Logan PC is a full service law firm with offices in Dallas and Houston. Formed in 1992 with five lawyers, today KRCL has more than 80 attorneys. The firm provides professional services for clients ranging from Fortune 500 companies to medium-sized public and private companies to entrepreneurs. KRCL handles transactional, litigation and bankruptcy matters throughout the U.S. and China.
Brief Speaker Bios:
Carlos P. Kizzee
Carlos P. Kizzee is the Deputy Director of the Department of Homeland Security’s Stakeholder Engagement and Cyber Infrastructure Resilience Division within the U.S. Department of Homeland Security’s Office of Cyber Security and Communications. Mr. Kizzee has extensive experience in advising and conducting operational coordination, information sharing, and collaboration among government and private sector. In his position as Deputy Director, he oversees four branches of public-private cyber engagement encompassing Cyber Education and Outreach Awareness, Federal and State Government Engagement, Industry Cyber Engagement, and Critical Infrastructure Stakeholder Risk Assessments and Mitigations.
Paul Henninger
Paul has worked with a wide range of public sector, global financial and commercial institutions to manage the fraud, compliance and security risks that have evolved rapidly over the last 10 years. He specializes in practical, innovative approaches to building and using technology to solve the real challenges faced by these organizations who are dealing with systematic attacks on their customers, data assets, and infrastructure. Paul specializes in digital crime and financial crime threats and is a frequent media and analyst commentator on digital criminality, security, technology and risk management. He advises financial institutions and government agencies around the world.
► For more information about the speakers, you can visit: http://theknowledgegroup.org/event_name/hot-topics-in-dealing-with-banking-cyber-security-live-webcast/
Kenneth Johnston
Kenneth Johnston, a shareholder of Kane Russell Coleman & Logan PC, focuses his practice on class-action and general commercial litigation with an emphasis on financial services, insolvency and creditor rights. He routinely represents financial institutions in a variety of matters including data breach issues, general bank operations, insolvency, material defensive litigation, and credit risk management. Kenneth was recently named as one of the Best Lawyers in Dallas in Banking and Finance by D Magazine and has been ranked as one of the top banking attorneys in Texas by Super Lawyers magazine since 2006.
Maria Z. Vathis
Maria Z. Vathis has a broad range of experience defending corporate clients in complex business litigation matters, insurance coverage, and class actions involving alleged violations of federal statutes, including the Telephone Consumer Protection Act. Ms. Vathis has represented financial institutions, loan servicers, investment firms, law firms, brokers, attorneys and other professionals. She handles matters nationwide in federal and state courts. Her practice also includes monitoring litigation for international insurers, advising on risk management, evaluating existing insurance coverage, drafting insurance policy language and analyzing insurance coverage under professional liability, cyber and first-party property insurance policies.
In a two hour live webcast, a panel of thought leaders and practitioners assembled by The Knowledge Group will discuss the significant and latest issues with respect to Hot Topics in Dealing with Banking Cyber Security.
Key topics include:
• Digital Crime
• Threat Overload
• Case Studies
• Heightened Regulatory Oversight
• Threat Detection
• Cyber-Attack Triage
• Recent regulatory issues and updates
Featured Speakers:
Paul Henninger, Global Product Director, BAE Systems Applied Intelligence
Kenneth Johnston, Shareholder, Kane Russell Coleman & Logan PC
Maria Z. Vathis, Of Counsel, Bryan Cave LLP
Carlos P. Kizzee, Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience, United States Department of Homeland Security
Introduction
Paul has worked with a wide range of public sector, global financial and commercial institutions to manage the fraud, compliance and security risks that have evolved rapidly over the last 10 years. He specializes in practical, innovative approaches to building and using technology to solve the real challenges faced by these organizations who are dealing with systematic attacks on their customers, data assets, and infrastructure. Paul specializes in digital crime and financial crime threats and is a frequent media and analyst commentator on digital criminality, security, technology and risk management. He advises financial institutions and government agencies around the world.
Paul Henninger, Global Product Director, BAE Systems Applied Intelligence
Digital Crime Threats and Responses
Simple Digital Crime
Once installed
1) Configuration-driven – attacks different banks in different ways
2) Enables tailored attacks which are aware of withdrawal limits and other factors
3) Can perform internal transfers and external payments
4) Downloadable mule IBAN – evade IBAN blacklists
5) Hijacks one-time tokens
6) Delay customer recognition of fraud – fake balance screens
The New Digital Crime
Fraud Challenge / Cyber Challenge / Comms Challenge

Definition
  Fraud: fraud attacks are attacks against a business process.
  Cyber: cyber attacks are against information technology infrastructure.
  Comms: comms attacks are unauthorized or illegal use of communications technology.

Method
  Fraud: criminals seek to create or manipulate transactions.
  Cyber: criminals seek to steal data or control/disrupt systems.
  Comms: criminals seek to use or manipulate comms systems to plan or facilitate crime.

Threat Actor Goal
  Fraud: financial gain.
  Cyber: information theft; political / economic espionage; denial of service / sabotage.
  Comms: facilitate crime; promote ideology; national security advantage.
Common Defences
Fraud Defences / Cyber Defences / Comms Defences

Risk management and security can be enhanced by combining cyber, fraud and comms intelligence and correlating sources of threats to enable better detection and faster, more efficient investigation.

Intel. sharing: shared intelligence on the threat (fraud, cyber and comms alike)
X-function enrichment: augmentation with other risk sources (fraud, cyber and comms alike)
Operations: integrated investigation tools (fraud, cyber and comms alike)
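The cross-function enrichment the slide describes, and the "automated integration of intelligence data; device reputation" item on the Organizational Impact slide that follows, can be shown concretely. The example below is added here and is not code from the webcast or from BAE Systems: one payment record is augmented with risk sources owned by three different teams (a mule-account list from fraud, device reputation from cyber, recent SIM or mobile-number changes from comms) and scored once. The field names, weights, thresholds and every record are constructed for the illustration; the IBAN-like strings are placeholders, not real account numbers.

```python
"""Cross-function enrichment of a payment with fraud, cyber and comms intelligence.

Added illustration of the 'Common Defences' and 'Organizational Impact' slides.
Every record, field name, weight and threshold here is constructed for the
example and is not a real bank's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class Payment:
    txn_id: str
    account: str
    amount: float
    beneficiary_iban: str
    device_id: str
    ts: datetime


@dataclass
class Intel:
    mule_ibans: Set[str]               # fraud team: known mule accounts (a static blacklist)
    infected_devices: Set[str]         # cyber team: devices seen beaconing to banking-trojan C2
    sim_changes: Dict[str, datetime]   # comms team: account -> when its mobile number/SIM changed
    daily_limits: Dict[str, float]     # fraud team: per-account transfer limit


# Assumed weights: a blacklist hit or an infected device is strong on its own;
# the weaker signals only matter when several of them coincide.
WEIGHTS = {
    "mule_iban": 5,          # beneficiary is a known mule account
    "infected_device": 4,    # payment initiated from a compromised endpoint
    "recent_sim_change": 2,  # SMS one-time tokens may now be reaching the attacker
    "near_limit": 2,         # amount tuned to sit just under the limit (limit-aware malware)
    "new_beneficiary": 1,    # this account has never paid this IBAN before
}
HOLD_AT, MONITOR_AT = 5, 2


def enrich(p: Payment, intel: Intel, history: List[Payment]) -> dict:
    """Attach every signal the three teams can contribute, then score the payment once."""
    signals = set()
    if p.beneficiary_iban in intel.mule_ibans:
        signals.add("mule_iban")
    if p.device_id in intel.infected_devices:
        signals.add("infected_device")
    changed = intel.sim_changes.get(p.account)
    if changed is not None and timedelta(0) <= p.ts - changed <= timedelta(days=2):
        signals.add("recent_sim_change")
    limit = intel.daily_limits.get(p.account)
    if limit is not None and 0.9 * limit <= p.amount <= limit:
        signals.add("near_limit")
    if not any(h.account == p.account and h.beneficiary_iban == p.beneficiary_iban
               for h in history):
        signals.add("new_beneficiary")
    score = sum(WEIGHTS[s] for s in signals)
    action = "hold" if score >= HOLD_AT else "monitor" if score >= MONITOR_AT else "allow"
    return {"txn_id": p.txn_id, "signals": sorted(signals), "score": score, "action": action}


def run_demo() -> Dict[str, dict]:
    """Score four constructed payments; returns txn_id -> enrichment result."""
    t0 = datetime(2014, 6, 19, 10, 0)
    intel = Intel(
        mule_ibans={"XX00MULE0001"},                       # constructed, not real IBANs
        infected_devices={"dev-7f3a"},
        sim_changes={"A-100": t0 - timedelta(days=1)},
        daily_limits={"A-100": 5000.0, "A-200": 5000.0},
    )
    history = [Payment("H1", "A-200", 80.0, "XX00OLD0009", "dev-clean", t0 - timedelta(days=18))]
    payments = [
        # routine: known beneficiary, clean device, no comms change
        Payment("T1", "A-200", 120.0, "XX00OLD0009", "dev-clean", t0),
        # caught by the blacklist alone
        Payment("T2", "A-200", 300.0, "XX00MULE0001", "dev-clean", t0),
        # fresh mule IBAN (evades the blacklist), infected device, SIM changed
        # yesterday, amount just under the limit: only the correlation catches it
        Payment("T3", "A-100", 4900.0, "XX00FRESH0002", "dev-7f3a", t0 + timedelta(minutes=30)),
        # clean device, but a new beneficiary right after a SIM change: worth a look
        Payment("T4", "A-100", 50.0, "XX00FRESH0003", "dev-clean", t0 + timedelta(hours=1)),
    ]
    return {p.txn_id: enrich(p, intel, history) for p in payments}


if __name__ == "__main__":
    for result in run_demo().values():
        print(result)
```

The point of T3 is the one the "Once installed" slide makes: a trojan that downloads a fresh mule IBAN defeats the fraud team's blacklist, so that payment only surfaces because the cyber team's device reputation and the comms team's SIM-change record are scored together with the transaction.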
Potential Impact – More Than Theft Of Funds
Organizational Impact of Digital Crime
Detection level: automated integration of intelligence data; device reputation; endpoint hardening; detection systems integration
Investigation level: information sharing; incident logging; multi-skilled operations teams
Organisation level: org structure changes; risk management framework
Case Study: Retail Bank
Network penetration and surveillance
• Identify high value customer targets, profile their behaviour and formulate attack plan
• Surveillance: identify security procedures & protocols by attacking email accounts of staff who work in fraud, risk & security
• Attack the existing control systems, e.g. change or remove limits on debit cards or for international funds transfer
• Exfiltration of account data to enable account compromise
Account compromise
• Quietly compromise accounts; set up mules to receive transactions from compromised accounts
• Massive DDoS attack on website and phone systems as a distraction
Cash out
• Rapid movement of funds from target accounts to mule accounts
• Mule accounts move money offshore to multiple locations
• Funds withdrawn as cash at ATMs in multiple offshore locations
• Crypto/ransomware left as a threat to stop any legal pursuit; theft of sensitive data; blackmail of senior staff
Case Study: Insurance
Network penetration and surveillance
• Identify high value customer targets: long standing customers with no claims, high value vehicles, property
• Surveillance: identify security procedures & protocols by attacking email accounts of staff who work in fraud, risk & security
• Attack the existing control systems, e.g. change or remove limits on payouts
• Exfiltration of policy holder data for account takeover
Account compromise
Cash out
• Claim against high value policies
• Funnel money through mule accounts to offshore locations and extract as ATM withdrawals
• Crypto/ransomware left as a threat to stop any legal pursuit; theft of sensitive data; blackmail of senior staff
• Massive DDoS attack on website and phone systems as a distraction
Introduction
Carlos P. Kizzee is the Deputy Director of the Department of Homeland Security’s Stakeholder Engagement and Cyber Infrastructure Resilience Division within the U.S. Department of Homeland Security’s Office of Cyber Security and Communications. Mr. Kizzee has extensive experience in advising and conducting operational coordination, information sharing, and collaboration among government and private sector. In his position as Deputy Director, he oversees four branches of public-private cyber engagement encompassing Cyber Education and Outreach Awareness, Federal and State Government Engagement, Industry Cyber Engagement, and Critical Infrastructure Stakeholder Risk Assessments and Mitigations.
Mr. Kizzee also serves as the Program Manager of a Joint Program Office implementing key operational information sharing and information sharing support program activities associated with Public-Private Threat Information Sharing, Enhanced Cyber Security Services for Critical Infrastructure, and Implementing Trusted and Secure Automation among public-private cyber data sharing. A graduate of the United States Naval Academy, Mr. Kizzee has a Bachelor of Science degree in Mathematics, a Juris Doctor degree from the Georgetown University Law Center, and a Master of Laws from the Judge Advocate General’s School of the Army at the University of Virginia’s School of Law. In addition to being a retired Marine Corps Judge Advocate, Mr. Kizzee is a career Federal civil servant with over ten years of Federal service.
Carlos P. Kizzee, Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience, United States Department of Homeland Security
What is a “Best Case” Information Sharing Scenario?
The appropriate recipient timely receives actionable information of sufficient relevancy and in the most optimal and manageable form and quantity of ingest required to inform their necessary decision or action; with no resulting harm to the source, the recipient, or any reasonably foreseeable third party as a result of the transaction.
Character of Data
• Relevant to Recipient interests: no “noise”; no redundancy
• Actionable by Recipient: informs/defines decision/action of value to the Recipient (including additional analysis)
• Timely transmitted to Recipient: Recipient decision/action can be taken in time to be of maximum value to the Recipient
• Trustworthy: data and/or Source is of suitable credibility for decision/action
Nature of Impacts
• Recipient’s capture of data causes no harm to Source
Nature of Transaction
• Transmission and capture involves minimal resource and delay (automated)
Common Barriers to “Best Case” Information Sharing
The appropriate recipient timely receives actionable information of sufficient relevancy and in the most optimal and manageable form and quantity of ingest required to inform their necessary decision or action; with no resulting harm to the source, the recipient, or any reasonably foreseeable third party as a result of the transaction.
Data Insufficiency
• Insufficient data to inform decision/action
• Lack of awareness or appreciation of relevance of data
Poor data flow mapping
• Right data goes to the wrong Recipient
• Wrong data goes to the right Recipient
Trust
• Fear of harm chills Source sharing
• Recipient actions cause Source or others harm
“Threat Overload”
Threat Overload
Threat information timely shared in a volume that frustrates or impedes the Recipient’s ability to successfully ingest, parse, and inform their necessary decision or action.
1. Too much data
2. Too much relevant data
Too much shared data
• “One-size” threat data does not “fit-all” of a non-uniform Recipient base
• Segmentation of recipients by their data requirements
• Map generated data against the relevant segmented requirements of recipients:
  • “I outsource all of my IT.”
  • “I conduct basic system administration of my network.”
  • “I research, analyze, and develop mitigations for threats to my enterprise infrastructure.”
  • “I develop and provide services and products to mitigate threats to networks and systems.”
• Data flow follows the map of generated data to the relevant recipient
• “Information Sharing” defined by recipient requirements segmentation and data flow mapping.
Too much relevant shared data
• A good problem to have is still a problem
• Enhance the quality of analysis: tools; tradecraft and skills
• Enhance capacity: analytical collaboration; tailored analytics; trust, credibility, and scoring of data and source; standard, structured data sharing profiles to enable auto ingest and parsing
• “Information Sharing” made scalable and sustainable by partnership, process, and coordination.
Threat Overload
• So what should I do differently?
• “Information Sharing” isn’t just sharing information, it is a data flow: defined by recipient requirements segmentation and data flow mapping, and made scalable and sustainable by partnership, processes, and coordination in the data flow.
Governance matters:
• What data is required?
• To whom?
• For what purpose(s)?
• Under what conditions?
• What uses will cause harm and are not permitted?
Information sharing arrangements and marriage?
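The Threat Overload slides above describe a data flow rather than a feed: segment recipients by what they can act on, map generated data onto those segments, score data and source for trust, de-duplicate, and attach the conditions under which a recipient may use an item. The example below is added here to make that flow concrete; it is not code from the webcast or from DHS. The four segments are the four self-descriptions on the "Too much shared data" slide turned into requirement profiles; the indicator fields, scoring rule, thresholds and every sample record are constructed for the illustration (the addresses are RFC 5737 documentation IPs).

```python
"""Recipient-segmented routing of shared threat data.

Added illustration of the 'Threat Overload' slides. Segment profiles, field
names, thresholds and all sample records are constructed for this example and
are not from any real sharing programme.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Indicator:
    kind: str                       # "ip", "domain", "hash" or "report"
    value: str
    source: str
    credibility: float              # trust in the source, 0..1
    confidence: float               # the source's confidence in this item, 0..1
    first_seen: datetime
    allowed_segments: Optional[Set[str]] = None   # sharing condition; None = unrestricted


@dataclass
class Segment:
    name: str
    kinds: Set[str]                 # what this recipient can ingest and act on
    min_score: float                # anything weaker is noise to them
    max_items: int                  # manageable quantity per delivery


@dataclass
class Scored:
    kind: str
    value: str
    sources: List[str]
    score: float
    allowed_segments: Optional[Set[str]]


def dedupe_and_score(items: List[Indicator], now: datetime,
                     max_age: timedelta = timedelta(days=30)) -> List[Scored]:
    """Drop stale items, merge duplicates across sources, score, sort strongest first."""
    merged: Dict[Tuple[str, str], Scored] = {}
    for it in items:
        if now - it.first_seen > max_age:
            continue                                   # not timely: would only add noise
        key = (it.kind, it.value.lower())
        score = round(it.credibility * it.confidence, 3)
        cur = merged.get(key)
        if cur is None:
            merged[key] = Scored(it.kind, it.value, [it.source], score, it.allowed_segments)
            continue
        if it.source not in cur.sources:
            cur.sources.append(it.source)              # corroboration is kept, the copy is not
        cur.score = max(cur.score, score)
        if it.allowed_segments is not None:            # the stricter condition wins on merge
            cur.allowed_segments = (it.allowed_segments if cur.allowed_segments is None
                                    else cur.allowed_segments & it.allowed_segments)
    return sorted(merged.values(), key=lambda s: s.score, reverse=True)


def route(scored: List[Scored], segments: List[Segment]) -> Dict[str, List[str]]:
    """Map each scored item to the segments whose requirements it meets, top-scored first."""
    out: Dict[str, List[str]] = {seg.name: [] for seg in segments}
    for seg in segments:
        for s in scored:
            if len(out[seg.name]) >= seg.max_items:
                break                                  # list is sorted, the rest is weaker
            if s.kind not in seg.kinds or s.score < seg.min_score:
                continue
            if s.allowed_segments is not None and seg.name not in s.allowed_segments:
                continue                               # use by this recipient is not permitted
            out[seg.name].append(s.value)
    return out


NOW = datetime(2014, 6, 19, 12, 0)
SAMPLE = [   # constructed records
    Indicator("ip", "198.51.100.7", "isac", 0.9, 0.9, NOW - timedelta(days=1)),
    Indicator("ip", "198.51.100.7", "open-feed", 0.5, 0.6, NOW - timedelta(days=2)),  # duplicate
    Indicator("domain", "login-evil.example.net", "isac", 0.9, 0.8, NOW - timedelta(days=3)),
    Indicator("hash", "deadbeef" * 4, "open-feed", 0.5, 0.5, NOW - timedelta(days=5)),
    Indicator("report", "config-driven trojan swaps mule IBANs via C2", "gov-cert", 0.95, 0.7,
              NOW - timedelta(days=4)),
    Indicator("ip", "203.0.113.9", "open-feed", 0.5, 0.9, NOW - timedelta(days=60)),   # stale
    Indicator("ip", "203.0.113.22", "open-feed", 0.5, 0.9, NOW - timedelta(hours=6)),
    Indicator("ip", "192.0.2.44", "law-enforcement", 1.0, 0.9, NOW - timedelta(days=1),
              allowed_segments={"analyst"}),           # wider release would harm the source
]
SEGMENTS = [   # the slide's four self-descriptions, as requirement profiles
    Segment("outsourced-it", {"ip", "domain"}, 0.7, 1),             # "I outsource all of my IT"
    Segment("sysadmin", {"ip", "domain", "hash"}, 0.4, 50),         # basic administration
    Segment("analyst", {"ip", "domain", "hash", "report"}, 0.2, 50),
    Segment("vendor", {"ip", "domain", "hash", "report"}, 0.0, 50),
]


def run_demo() -> dict:
    scored = dedupe_and_score(SAMPLE, NOW)
    return {"scored": scored, "routed": route(scored, SEGMENTS)}


if __name__ == "__main__":
    for seg, values in run_demo()["routed"].items():
        print(seg, values)
```

Note what the governance questions on the slide do here: the law-enforcement indicator has the highest score of all, yet only the analyst segment receives it, because the condition attached by the source says so; and the outsourced-IT recipient gets a single block-ready item rather than the whole feed.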
Introduction
Kenneth Johnston, a shareholder of Kane Russell Coleman & Logan PC, focuses his practice on class-action and general commercial litigation with an emphasis on financial services, insolvency and creditor rights. He routinely represents financial institutions in a variety of matters including data breach issues, general bank operations, insolvency, material defensive litigation, and credit risk management. Kenneth was recently named as one of the Best Lawyers in Dallas in Banking and Finance by D Magazine and has been ranked as one of the top banking attorneys in Texas by Super Lawyers magazine since 2006.
Kenneth Johnston, Shareholder, Kane Russell Coleman & Logan PC
The Feds are Watching
• OCC’s Semiannual Risk Perspective
• Cyber attacks are more frequent and more sophisticated
• Increasingly targeting smaller institutions
• Leads banks to implement new technologies, rely on third-party providers
• May adversely affect bank’s ability to identify and control risks
• Agencies have provided guidance focusing on corporate governance tools
The Feds are Watching
• FFIEC’s recent webinar: High Level Goals
• Set the tone and build a security culture
• Identify, measure, mitigate, and monitor risks
• Develop risk management processes scaled to risks and complexity of institution
• Align cybersecurity strategy with business strategy
• Create a governance process that ensures ongoing awareness and accountability
• Timely report cyber-vulnerabilities to senior management
• FFIEC will announce vulnerability and risk-mitigation assessments in late 2014
The Feds are Watching
• Federal Reserve guidance: managing outsourcing risk
• Outsourcing of processing, information technology services, and operational activities creates risk
• Carefully evaluate what information to provide to vendor: consider financial information, customer information, and CSI
• Ensure vendor compliance with privacy laws and regulations
The Feds are Watching
• Securities and Exchange Commission guidance
• 2011: SEC guidance requires disclosure of material information regarding cybersecurity risks
• SEC’s Recent Roundtable
• Cybersecurity is SEC’s “number one global threat”
• SEC says it must play a role, but the nature of that role is still emerging
The Feds are Watching
• Other Government actors:
• The White House 2013 Executive Order on cybersecurity encourages policy coordination and information sharing among federal agencies
• FBI says that resources devoted to cyber threats will soon eclipse resources devoted to terrorism
• FDIC statement: banks must be aware of threats and use government-sponsored resources
Detecting the Threats
• We will continue to see cyber threats and material data breaches.
Detecting the threats
• What will those threats look like in the financial services arena?
• An event that puts an individual’s name plus social security number, financial record, or debit card at risk—whether in digital or paper format
• An event that puts a company and its deposits at risk—wire fraud
• Data breaches may occur from malicious criminal attacks, system glitches, or human error
• Breaches may include atypical catastrophic or mega data breaches running into the millions of records—e.g., TJ MAXX or Target
• A breach may be more typical, ranging from as few as a single compromised record to 100,000 compromised records
Detecting the threats
• Who initiates cyber threats?
Detecting the threats
• Examples of threats
• Wrongdoers attack larger banks through Distributed Denial of Service (DDoS):
o These attacks interrupt the ability to do business
o Some allege that Iran took an active role in a recent DDoS attack
• Both large and small banks experience phishing and malware attacks targeting consumers
o Criminals install malware on a victim’s computer to access passwords and other critical information
o They drain deposit accounts
• Corporate accounts provide lucrative opportunities for phishing and malware attacks
o Deposits typically exceed consumer accounts
o Not so much a bank security issue as a customer security issue
o Criminals issue unauthorized wires (not uncommon to see six-figure problems)
• Hacktivists unlawfully access systems to make an example or to prove points
Detecting the threats
• Understand the evolution of the threat environment—either follow the technology or hunt the hunter
• 1950s and 60s saw an increase in paper check fraud that continues today (more reliance on machines)
• ATM Machines (increased access points)
• Internet Banking (increased access points and outsourcing)
• Mobile Banking (continuing to increase access points and tapping into the unbanked market)
• Mobile Payment Systems (uncharted territory)
Cyber-Attack Triage: Process Is Key
This is a fine metaphor, but it’s not the right way to think about cyber attacks.
Fixing leaks is losing the battle.
Cyber-Attack Triage: Process Is Key
• The First 24 Hours Checklist
Panicking won’t get you anywhere once you’ve discovered a data breach. Accept that it’s happened and immediately contact your legal counsel for guidance on initiating these 10 critical steps:
1. Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin, i.e. when someone on the response team is alerted to the breach.
2. Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.
3. Secure the premises around the area where the data breach occurred to help preserve evidence.
4. Stop additional data loss. Take affected machines offline but do not turn them off or start probing into the computer until your forensics team arrives.
5. Document everything known thus far about the breach: who discovered it, who reported it, to whom it was reported, who else knows about it, what type of breach occurred, what was stolen, how it was stolen, what systems are affected, what devices are missing, etc.
Cyber-Attack Triage: Process Is Key
• The First 24 Hours Checklist (continued)
6. Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.
7. Review protocols regarding disseminating information about the breach for everyone involved in this early stage.
8. Assess priorities and risks based on what you know about the breach.
9. Bring in your forensics firm to begin an in-depth investigation.
10. Notify law enforcement, if needed, after consulting with legal counsel and upper management.
Cyber-Attack Triage: Process Is Key
• Notification: When and how should you notify?
• Certain state laws and federal regulations shrink the timeline to 30 or 45 days.
• Some states mandate specific content for you to include in customer notification letters. This can include toll-free numbers and addresses for the three major credit bureaus, the FTC and a state’s attorney general.
• Contact with law enforcement is important. Notification may be delayed if law enforcement believes it would interfere with an ongoing investigation.
• Multiple state laws may apply to one data breach.
• If some affected individuals live in a state that mandates notification and others live in a state that doesn’t, you may need to notify everyone.
• Some recipients will think the notification letter itself is a scam.
Cyber-Attack Triage: Process Is Key
What does the financial institution’s in-house legal team need to do before a breach occurs?
• Establish relationships with any necessary external counsel now – not after the breach.
• Review and stay up to date on state and federal laws governing data breaches in the financial institutions sector.
• Direct the creation of a concrete, written, and fully vetted response policy.
Then, when a breach occurs, counsel can quickly determine whether it is necessary to notify affected individuals, the media, law enforcement, government agencies and other third parties, such as card holder issuers.
Introduction
Maria Z. Vathis has a broad range of experience defending corporate clients in complex business litigation matters, insurance coverage, and class actions involving alleged violations of federal statutes, including the Telephone Consumer Protection Act.
Ms. Vathis has represented financial institutions, loan servicers, investment firms, law firms, brokers, attorneys and other professionals. She handles matters nationwide in federal and state courts. Her practice also includes monitoring litigation for international insurers, advising on risk management, evaluating existing insurance coverage, drafting insurance policy language and analyzing insurance coverage under professional liability, cyber and first-party property insurance policies.
Phone: (312) 602-5127
Email: [email protected]
Maria Z. Vathis, Of Counsel, Bryan Cave LLP
Trends in Privacy & Security Class Actions
Shifting attack vectors, scanning for vulnerabilities and leveraging zero-day exploits: these terms describe the plaintiffs' class action bar just as easily as they do hackers. This quarter's analysis of the types of complaints filed by the plaintiffs' bar, and the ways in which those complaints have been structured, shows an increase in class action filings and an ongoing evolution by the plaintiffs' bar to identify the "right" strategy for obtaining damages or leveraging settlement value.
The following are key findings concerning data-related complaints filed by the plaintiffs’ bar over the most recently reported quarter (2014 – Q1):
• A total of 178 data-related class action complaints were filed.
• Despite overwhelming media attention on payment card related data security breaches, the majority of complaints (77%) involve data privacy (collection, use and sharing) as opposed to data security (safeguarding and breach) (23%). As a result, while data security litigation is on the rise compared to the previous quarter, it remains a minority of overall litigation.
* Source: Shahin Rothermel and David Zetoony, “Shifting Trends: Privacy & Security Class Action Litigation,” Bryan Cave Data Privacy & Security Bulletin, June 2014.
Additional Litigation Statistics
• Complaints against Target accounted for more than 50% of all data security-related filings.
• Telemarketing remained the most common primary legal theory alleged (64%).
• The U.S. District Court for the Central District of California (25%) replaced the Northern District of Illinois (15%) as the most popular federal forum for filing.
• In terms of industry sectors, retail (21%), debt collection (16%), financial services (7%), and marketing (7%) received the largest number of complaints.
• 96% of complaints filed in federal courts in the first quarter alleged putative national classes.
• Consumers’ mobile phone numbers were the leading type of data at issue (44%), followed by credit and debit card information (18%) and fax numbers (17%).
• Over 100 plaintiffs' firms were involved in data-related litigation. The vast majority of firms filed fewer than four complaints.
Bryan Cave Data Breach Hotline
Hackers don't stop working at 5:00... and neither do we. Data breaches can and do occur at any time, day or night. When a security breach occurs, preventing liability often means analyzing facts, identifying legal obligations, and taking steps to prevent or mitigate harm within the first minutes and hours of becoming aware of a breach.
That's why an attorney from our global Bryan Cave Data Privacy and Security Practice is on-call for clients whenever and wherever a breach occurs: 24 hours a day, 7 days a week.
CLE PROCESSING
The Knowledge Group offers complete CLE processing solutions for your webcasts and land events. This comprehensive service includes everything you need to offer CLE credit at your conference:
• Complete end-to-end CLE credit solutions
• Setting up your marketing collateral properly
• Completing and filing all of the applications to the state bar
• Guidance on how to structure content to meet course material requirements for the state bars
• Sign-up forms to be used to check and confirm attendance at your event
• Issuing official Certificates of Attendance for credit to attendees
Obtaining CLE credit varies from state to state and the rules can be complex. The Knowledge Group will help you navigate the complexities via complete, cost-effective CLE solutions for your conferences. Most CLE processing plans are just $499 plus filing fees and postage.
To learn more email us at [email protected] or CALL 646-202-9344
PRIVATE LABEL PROGRAM & INTERNAL TRAINING
The Knowledge Group provides complete private label webcasts and in-house training solutions. Developing and executing webcasts can be a huge logistical nightmare. There are a lot of moving parts, and developing a program that is executed smoothly and cost-effectively can prove to be a significant challenge for companies that do not produce events on a regular basis. Live events require a high level of proficiency to execute well. Our producers will plan and develop your webcast for you, and our webcast technicians will execute your live event with expert precision. We have produced over 1000 live webcasts. Put our vast expertise to work for you. Let us develop a professional webcast for your firm that will impress all your clients and internal stakeholders.
Private Label Programs Include:
• Complete Project Management
• Topic Development
• Recruitment of Speakers (or you can use your own)
• Marketing Material Design
• PR Campaign
• Marketing Campaign
• Event Webpage Design
• Slides: Design and Content Development
• Speaker Coordination: Arranging & Executing Calls, Coordinating Slides & Content
• Attendee Registration
• Complete LIVE Event Management for Speakers and Attendees, including:
o Technical Support
o Event Moderator
o Running the Live Event (All Aspects)
o Multiple Technical Back-ups & Redundancies to Ensure a Perfect Live Event
o Webcast Recording (MP3 Audio & MP4 Video)
o Post Webcast Performance Survey
• CLE and CPE Processing
Private Label Programs start at just $999.
RESEARCH & BUSINESS PROCESS OUTSOURCING
The Knowledge Group specializes in highly focused and intelligent market and topic research. Outsource your research projects and business processes to our team of experts. Normally we can run programs for less than 50% of what it would cost you to do it in-house. Here are some ideal uses for our services:
Market Research and Production
o List Research (Prospects, Clients, Market Evaluation, Sales Lists, Surveys)
o Design of Electronic Marketing Collateral
o Executing Online Marketing Campaigns (Direct Email, PR Campaigns)
o Website Design
o Social Media
Analysis & Research
o Research Companies & Produce Reports
o Research for Cases
o Specialized Research Projects
eSales (Electronic Inside Sales – Email and Online)
o Sales Leads Development
o eSales Campaigns
Inside sales people will prospect for leads, contact them and coordinate with your sales team to follow up. Our inside eSales reps specialize in developing leads for big-ticket, enterprise-level products and services.
o Electronic Database Building – a comprehensive service which includes development of sales leads, contacting clients, scoring leads, adding notes and transferring the entire data set to you for your internal sales reps.
eCustomer Service (Electronic Inside Sales – Email and Online)
o Real-Time Customer Service for Your Clients: Online Chat, Email
o Follow-Up Customer Service: Responds to emails, Conducts Research, Replies Back to Your Customer
Please note these are just a few ways our experts can help with your Business Process Outsourcing needs. If you have a project not specifically listed above, please contact us to see if we can help.
► You may ask a question at any time throughout the presentation today. Simply click on the question mark icon located on the floating tool bar on the bottom right side of your screen. Type your question in the box that appears and click send.
► Questions will be answered in the order they are received.
Q&A:
Paul Henninger, Global Product Director, BAE Systems Applied Intelligence, [email protected]
Kenneth Johnston, Shareholder, Kane Russell Coleman & Logan PC, [email protected]
Maria Z. Vathis, Of Counsel, Bryan Cave LLP, [email protected]
Carlos P. Kizzee, Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience, United States Department of Homeland Security, [email protected]
Welcome to the Knowledge Group Unlimited Subscription Programs. We have two options available for you:
FREE UNLIMITED: This program is free of charge with no further costs or obligations. It includes:
• Unlimited access to over 15,000 pages of course material from all Knowledge Group webcasts. Subscribers to this program can download any slides, white papers, or supplemental material covered during all live webcasts.
• 50% discount on purchase of all live webcasts and downloaded recordings.
PAID UNLIMITED: Our most comprehensive and cost-effective plan, for a one-time fee:
• Access to all LIVE webcasts (normally $199 to $349 for each event without a subscription), including Bring-a-Friend: invite a client or associate outside your firm to attend for FREE. Sign up for as many webcasts as you wish.
• Access to all recorded/archived events and course material, including 1,500+ hours of audio material (normally $299 for each event without a subscription).
• Free CLE/CPE/CE processing (normally $49 per course without a subscription).
• Access to over 15,000 pages of course material from Knowledge Group webcasts.
• Ability to invite a guest of your choice to attend any live webcast free of charge (exclusive benefit only available for PAID UNLIMITED subscribers).
A 6-month subscription is $299 with no additional fees. Other options are available. Special offer: sign up today and add 2 of your colleagues to your plan for free. Check the "Triple Play" box on the sign-up sheet contained in the link below.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
Knowledge Group UNLIMITED PAID Subscription Programs Pricing
Individual Subscription Fees (2 options):
• Semi-Annual: $299 one-time fee for a 6-month subscription with unlimited access to all webcasts, recordings, and materials.
• Annual: $499 one-time fee for a 12-month unlimited subscription with unlimited access to all webcasts, recordings, and materials.
Group plans are available. See the registration form for details.
Best ways to sign up:
1. Fill out the sign-up form attached to the post-conference survey email.
2. Sign up online by clicking the link contained in the post-conference survey email.
3. Click the link below or the one we just posted in the chat window to the right. https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
Discounts: Enroll today and you will be eligible for the “Triple Play” program and 3% off if you pay by credit card. Also we will waive the $49 CLE/CPE processing fee for today’s conference. See the form attached to the post conference survey email for details.
Questions: Send an email to: [email protected] with “Unlimited” in the subject.
ABOUT THE KNOWLEDGE GROUP, LLC.
The Knowledge Group, LLC is an organization that produces live webcasts which examine regulatory changes and their impacts across a variety of industries. "We bring together the world's leading authorities and industry participants through informative two-hour webcasts to study the impact of changing regulations."
Disclaimer:
The Knowledge Group, LLC is producing this event for information purposes only. We do not intend to provide or offer business advice. The contents of this event are based upon the opinions of our speakers. The Knowledge Congress does not warrant their accuracy and completeness. The statements made by them are based on their independent opinions and do not necessarily reflect The Knowledge Congress' views. In no event shall The Knowledge Congress be liable to any person or business entity for any special, direct, indirect, punitive, incidental or consequential damages as a result of any information gathered from this webcast.
Certain images and/or photos on this page are the copyrighted property of 123RF Limited, their Contributors or Licensed Partners and are being used with permission under license. These images and/or photos may not be copied or downloaded without permission from 123RF Limited