Translating Cybersecurity Preparedness
TRANSCRIPT
THE PANEL
> JoAnn Carlton
General Counsel and Corporate Secretary, Bank of America Merchant Services
> Edward J. McAndrew
Assistant United States Attorney, Cybercrime Coordinator, U.S. Attorney’s Office
> Mercedes Tunstall
Partner, Pillsbury Winthrop Shaw Pittman LLP
> Brian Kudowitz
Commercial Product Director, IP/Privacy & Data Security/Tech & Telecom, Bloomberg BNA
THREAT LANDSCAPE: OVERVIEW
> Data breaches
> Enforcement and liability
> Evolving business models and dependencies
RECENT INCIDENTS AND TAKEAWAYS
> VTech
> JPMorgan/E*Trade/Scottrade/Dow Jones
> Sacred Heart
> Anthem
> Chipotle
> Kaspersky and LastPass
> Harvard and other university breaches
THREAT LANDSCAPE: ENFORCEMENT & LIABILITY
> Complex regulatory and law enforcement environment:
DOJ
FTC
HHS
FCC
SEC
State AGs
Non-U.S. regulators
> New and upcoming laws and regulations
> Class action litigation
THREAT LANDSCAPE: BUSINESS DEPENDENCIES
> Increasing dependence on PII as part of business models:
Behavioral advertising
Mobile/Wearables/Internet of Things
E-Health
Ed-Tech
Digital currency and crowd-lending
> Inside threats
> Third-party vendor risk
> IP risk
> Brand value and damage
> Shareholder panic
INTEGRATING CYBERSECURITY INTO THE BUSINESS MODEL
Challenges
• Budget constraints
• Back-office concern v. front-office concern
• Low employee fluency
• Cultural inertia
• Business-scaling dilemma
> Drive change from the top down;
> Build privacy preparedness across the organization;
> Cybersecurity should be proactive, not reactive:
Planning and response are part of one continuous cycle.
CHAMPIONING CYBERSECURITY INTERNALLY
> Make the case to the corporate board by:
Understanding and conveying the threat landscape;
Connecting threats to business growth and viability;
Positioning privacy and security as a business selling point;
Monitoring changes that pose risk.
> Establish open communication across group lines.
> Education and training are essential.
> Advocate for a bottom-up approach to privacy in new products and services development.
PLAN/PREPARE
> Inventory data collection and flows
> Regular risk assessment
> Privacy By Design
> Establish/rehearse incident response plan
> Employee education
> Inside threat detection
> Vendor due diligence
> Engage with law enforcement and regulators
> Consult with legal counsel
> Cybersecurity insurance
> Information sharing: ISACs and ISAOs
> Build a deep and broad bench of expertise
> Invest in security and detection systems
RESPONSE
> Execute incident response plan
> Law enforcement notification
> Collaboration with outside counsel
> Brand-damage control
> Forensic assessment and evidence collection
> Breach notification
> Remediation
> Retrospective incident analysis
PUTTING IT ALL TOGETHER
Board Buy-in
Organizational Adoption and Communication
Proactive Implementation
Preparedness
Response
Lessons Learned