
Upload: international-forum-group

Post on 21-Feb-2017


TRANSCRIPT

Page 1: PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Tanenbaum, INFORMATION RISK STRATEGY CONSULTING

How To Survive In A Risky Cyber World

2016 IFG Wealth Management Forum Scottsdale, AZ April 2016

Mitch Tanenbaum, www.CyberCecurity.com, Mitch@CyberCecurity.com, 720-891-1663

Page 2

GEEK ALERT!

Page 3

Ransomware

Page 4

Page 5

Page 6

Page 7

What can you do?

1. Backups, backups and more backups
2. Business continuity plan
3. Disaster recovery plan
4. Incident response plan

• Rowlett incident

Test repeatedly!
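The four items on this slide are plans, and the closing line is the operative one: a backup that has never been restored is an assumption, not a control. The script below is an added example (not from the slides or from CyberCecurity) of a restore drill you can schedule: it backs up a directory to a tar archive, restores it into a separate location, and compares a SHA-256 digest of every file, so a missing, extra or silently corrupted file fails the drill. The directory names, file contents and the `tamper` switch are constructed for the demo.

```python
"""Backup restore drill: back up a directory, restore it elsewhere, and verify
that every file round-tripped byte for byte.

Added example; directory names, file contents and the tamper switch are
constructed for the demo and are not from the slides."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a compressed tar backup of source and return the manifest of
    source hashes taken at backup time (store this with the backup)."""
    manifest = file_hashes(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, using the 'data' extraction filter
    where the running Python provides it so the archive cannot write outside
    target."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_restore(manifest: dict[str, str], restored: Path) -> dict:
    """Compare the restored tree against the backup-time manifest and report
    files that are missing, unexpected, or whose content changed."""
    actual = file_hashes(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupted = sorted(p for p in manifest.keys() & actual.keys()
                       if manifest[p] != actual[p])
    return {
        "ok": not (missing or extra or corrupted),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
    }


def run_drill(tamper: bool = False) -> dict:
    """Run the full drill on constructed sample data inside a temp directory.
    With tamper=True one restored file is altered after extraction to show
    that the verification step catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, restored, archive = base / "live", base / "restored", base / "backup.tgz"
        (source / "clients").mkdir(parents=True)
        # Constructed sample files standing in for client records.
        (source / "clients" / "ledger.csv").write_text("id,balance\n1,100\n")
        (source / "notes.txt").write_text("quarterly review\n")

        manifest = make_backup(source, archive)
        restore_backup(archive, restored)
        if tamper:
            # Simulate a restore that came back with altered content.
            (restored / "clients" / "ledger.csv").write_text("id,balance\n1,0\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", run_drill())
    print("tampered restore:", run_drill(tamper=True))
```

In a real drill the restore target should be a different machine from the one that took the backup, and the manifest must be stored alongside the backup so the check still works after the original data is gone; a drill that only confirms the archive opens has not tested recovery.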

Page 8

Law Firms (and financial advisors)

Page 9

Page 10

1500 x the size of the WikiLeaks State Department cable leak

Page 11

And Financial Advisors

Ask your law firms and advisors for a copy of their written cyber security plan

As a law firm or advisor, have a written plan

Same goes for family offices – have a plan, ask for a plan

Page 12

NASDAQ Study

Page 13

1500+ CxOs and Directors

90% of respondents have a medium to high cybersecurity vulnerability

91% of NEDs cannot read a cybersecurity report, preventing them from asking the intelligent questions (executive coaching)

40% don’t feel responsible for the repercussions of a cyber attack.

Page 14

Spear Phishing

Page 15

Targeted emails, often to execs and finance

Drop malware

Ask employees to wire money

Conduct phishing tests

• At one client, they sent 350 emails

• 139 were opened, 35 clicked on the malware

• Including one C-Suite member

Page 16

What Does The FBI Think?

Page 17

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

- Robert S. Mueller III, Director, Federal Bureau of Investigation

RSA Cyber Security Conference, San Francisco, CA, March 1, 2012

Page 18

New York DFS Proposed Regulations

(Post Ben Lawsky)

Page 19

Shared proposal with every state, federal and local regulator in the country

1. 12 written cyber security policies and procedures
2. Third party service provider management
3. Multi factor authentication
4. Chief Information Security Officer

http://mtanenbaum.us/ny-regulator-unveils-proposed-new-cyber-security-regulations/ http://www.dfs.ny.gov/about/letters/pr151109_letter_cyber_security.pdf

Page 20

5. Application security
6. Cyber security personnel and intelligence
7. Annual cyber security audits
8. Notice of cyber security incidents

Page 21

If you are required to comply, it will require outside expertise

Page 22

SEC Risk Alert To Investment Advisors and Broker Dealers

Page 23

Issued Last September

1. Governance – manage the cyber risk process
2. Access rights – who can see what
3. Data Loss Prevention – PII in emails
4. Vendor Management – who do you share data with?
5. Training
6. Incident response plan

Cyber security exam initiative to improve compliance

http://mtanenbaum.us/sec-issues-risk-alert-to-advisors-and-brokers/

Page 24

What To Do

Page 25

Page 26

California – Bellwether for the rest of the country

Page 27

CA AG Kamala Harris released a breach report in February. As part of that, she defined REASONABLE SECURITY PROCEDURES as referred to in CA AB 1950.

Page 28

Implement all CIS 20 controls which are appropriate

Implement multi factor authentication for consumer facing web sites containing sensitive personal information

Consistently use strong encryption on portable devices and maybe desktops

Page 29

AG Harris Says:

The failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security.

Page 30

What Is The CIS 20

Center For Internet Security:

1. Inventory devices
2. Inventory software
3. Secure configurations for user devices
4. Continuous vulnerability assessment
5. Control admin privileges
6. Manage audit logs

Page 31

What Is The CIS 20

7. Email and web protection

8. Malware defenses

9. Control of ports, protocols and services

10. Data recovery capability

11. Secure configuration for network devices

12. Boundary defense

13. Data protection

Page 32

What Is The CIS 20

14. Control access based on need to know

15. Wireless control

16. Account monitoring

17. Security skills assessment and training

18. Application software security

19. Incident response and management

20. Penetration testing and red team exercises

Page 33

What Does The CFPB Say?

Page 34

CFPB entered consent decree with fintech firm Dwolla in February

Specifies what CFPB expects Dwolla to do

$100k fine, 5 years of monitoring

NO BREACH INVOLVED!

Page 35

1. Establish, implement and maintain a comprehensive data security plan
2. Adopt and implement reasonable and appropriate data security policies and procedures
3. Designate a qualified person to be accountable for the data security program
4. Conduct data security risk assessments twice a year
5. Evaluate and adjust the data security program in light of the results

Page 36

6. Conduct regular, mandatory employee security training
7. Develop, update and implement security patches
8. Develop, implement and maintain an appropriate method of customer identity authentication at registration time
9. Develop, implement and maintain reasonable procedure for third party risk (service providers)
10. Obtain an annual data security audit from an independent, qualified, third party, using generally accepted professional procedures and standards

Page 37

The Board must review all submissions

The Board is ultimately responsible for ensuring compliance with the consent order

Page 38

Mobile

Page 39

More and more sensitive data on mobile

Encrypt devices

Restrict what applications are installed

Use encrypted text (WhatsApp, Signal)

Use encrypted email (Absio)

• Both directions

• With clients and internally

Page 40

Mobile Device Management (MDM) software

Use current OS version

• Android Ver 6 – Marshmallow

• iPhone iOS 9

PATCH

Page 41

Cyber Insurance

Page 42

It is not a silver bullet

We are seeing insurance carriers claiming the insured “failed to follow minimum required practices”

You need to verify that coverages and practices are aligned

Page 43

Education

Page 44

Page 45

Page 46

Page 47

To get our free weekly cyber security email newsletter, please send an email to Mitch@CyberCecurity.com and we will add you to the list.