cybersecurity session sponsor - cacm ppt.… · theft of target’s third party hvac ... on...

Cybersecurity

copy 2017 CACM Law Seminar

Session Sponsor

2017 CACM Law Seminar 1

Cybersecurityfor Management Businesses and

Independently-Managed Associations

ModeratorCecilia Brennan Esq

PanelistsRobb Etnyre CAMEx CCAM

Aneacute Agostini CIC CRMMeredith Bennett

Welcome


Panelists

Aneacute Agostini CEO CID Insurance Programs Inc

Robb Etnyre General Manager

(On-site) Tahoe Donner

Meredith Bennett Second VP National Tech and Cyber Practice Leader USLI

Moderator Cecilia N Brennan Esq

AGENDA

I Legal Basics

II Network Security and Privacy BreachesExposures

III Real-Life Application ndash On-site Managerrsquos Perspective

IV Prevention and Take-Aways Liability and Risk Transfer

V Q amp A

VI Additional Resources

VII Close

I

Legal Basics


bull If you store collect manage andor protect

consumer data you MUST KEEP IT SAFE

bull A series of overlapping federal and state laws

govern cybersecurity and data privacy in the

United States

o Primarily enforced by the Federal Trade

Commission Department of Health and Human

Services and statesrsquo Attorneys General

Federal Statutes and Efforts on Cybersecurity

ndash Highlights

Cybersecurity Act of 2015

Cybersecurity Enhancement Act of 2014

National Cybersecurity Protection Act of 2014

Federal Information Security Modernization Act of 2014

Cybersecurity Workforce Assessment Act

Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government

Memorandum on Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements

National Institute of Standards and Technologyrsquos (NIST) Cybersecurity Framework

Federal Statutes and Regulations on Data

Privacy - Highlights

Federal Trade Commission Act

Financial Services Modernization Act

Health Insurance Portability and Accountability Act (HIPAA)

Fair Credit Reporting Act

Fair and Accurate Credit Transactions Act

Electronic Communications Privacy Act

Various FCC Regulations and Rules


State-Based Data Breach Statutes

47 states and Washington DC have data breach laws

Exceptions are Alabama New Mexico and South Dakota

Applicable state breach law depends on state of domicile of the consumer not the location of the affected business

Encryption is a safe harbor

Massachusetts now requires the posting of reports of breaches online

Californiarsquos Key Breach Statute

California Civil Code Section 1798 et seq

Codified July 1 2003 (amended effective 112017)

Requires notification of any California resident whose

unencrypted personal information was or is reasonably

believed to have been breached

Effective January 1 2017 - requires notification of any

California resident whose encrypted information that was

breached (along with identifying encryption keys or

credentials)

II

Network Security and Privacy

Breaches


Audience Poll Q 1

What is your top concern about

cybersecurity

Social Engineering An Illustration

(Mr Robot)


Key Sources of Cyber Breaches amp

Extortion Hackers (social engineering)

VirusMalware

Staff Error

Rogue Employee

LostStolen Mobile Devices

Business Banking Services

Business online banking regulations

Business banking crime does happen

Association Financials vs Bank

Statements

Electronic Vendor Services

Third-party vendor cyber exposures

Theft of Targetrsquos third party HVAC vendorrsquos credentials

Management CompanyCommunity Association vendor services Types of services assessment payment services

electronic check signing services data storage providers payroll services etc


Vendor Services Management Company

v Community Association

Who should be the responsible

party

Who has access to what data

What is your contractual agreement

with these vendors

Website amp Email Security

Compromised or infected websites-malware attacks

Distributed Denial of Service (DDoS) attacks

Ransomware attacks

Proprietary information extortion attacks

(Websites with links to service providers)

Cloud-Based Information Storage

One large data storage source providing technology services

Who is responsible if you are part of a large-scale cyber breach

Encryption of data stored and strong vendor agreements


III

Real-life Application

On-site Managerrsquos Perspective

Business Online Banking

Policy on Internal vs External Fund

Transfer

Best Practice Two Token Verification for

External Fund TransferFrom Jeff Bonzon [mailtoverizon10mbme]Sent Tuesday October 04 2016 925 AMTo Michael SalmonSubject Re available

I need you to take care of a transfer

Thank youJeff Bonzon

Private Information of Members

and Employees

Phishing email to Director of Human Resources ldquofromrdquo

board president requesting a copy of all 2015 company W-2s

Company HRPayroll database assigning employee ID numbers based on last 4-6 numbers of Social Security Number

Company holiday party invite list private information on one Excel file

Point of Sale system (POS) has many users with no internal system for forensic examination of system user activity Any POS employee can access membership database


Site content security breach - Malware introduced (WordPress exploit)

Creates false content on website and Malware is detected by internet search engines like GoogleAssociation website is blocked by Google Chrome Search Engine Even after Malware is removed the World Wide Web page restoration process with search engine can take days to validate company website authenticity

Management Company or

Association Websites

IV

Best Practices and Take-Aways

Liability amp Risk

TransferPrevention

Audience Poll Q 2

Do you have any experience with

employee-related issues - vulnerability

with current and ex-employees

disgruntled employees etc


Source NetDiligence 2014 Claims Study

Prevention and Response Plans

REMEMBER

People should be the biggest defense not

the biggest security vulnerability

There are 3 different ways that staff can

harm a business

IntentionalMalicious Acts

Negligence

Accidental Acts



How can you prevent against the ldquoroguerdquo employee

Background Checks Do they include a credit check

Limiting Access Donrsquot give employees access to files or information if they donrsquot need it

Negligence

Training

Encryption

Security

Accidental Acts

Human error ndash itrsquos going to happen


Audience Poll Q 3

Are you and your employees regularly

trained on cybersecurity defense

Audience Poll Q 4

Do you have an incident response

plan in the event of a breach

What If You Have a Breach

Incident response plan

Location

Updated

Testedcommunicated with all involved

Insurance

Claims Examiner Breach Coach


Company-Wide Sample Policies

Q amp A

Additional Resources

Commission on Enhancing National Cybersecurity

httpswwwwhitehousegovthe-press-

office20160209executive-order-commission-

enhancing-national-cybersecurity

Federal Trade Commission

httpswwwftcgovsystemfilesdocumentsplain-

languagepdf0205-startwithsecuritypdf


Additional Resources Contrsquod

Department of Homeland Security

httpswwwdhsgovxlibraryassetsprivacydhs-privacy-

safeguardingsensitivepiihandbook-march2012pdf

California Office of Attorney General

httpsoagcagovsitesallfilesagwebpdfsdbr2016-

data-breach-reportpdf


Federal State and Local Chambers of Commerce

httpadvocacycalchambercomwp-

contentuploadspolicyCybersecurityReportpdf

Other CompaniesOrganizations

httpswwwexperiancomassetsdata-

breachbrochuresresponse-guidepdf

httpsiapporgresourcesarticlesecurity-breach-

response-plan-toolkit

Thank You

Cover

Cybersecurity PPt


Cybersecurityfor Management Businesses and

Independently-Managed Associations

ModeratorCecilia Brennan Esq

PanelistsRobb Etnyre CAMEx CCAM

Aneacute Agostini CIC CRMMeredith Bennett

Welcome


Panelists






AGENDA

I Legal Basics




V Q amp A


VII Close

I

Legal Basics






United States





ndash Highlights


































credentials)

II


Breaches


Audience Poll Q 1


cybersecurity


(Mr Robot)




VirusMalware

Staff Error

Rogue Employee






Statements










party



with these vendors




Ransomware attacks








III





Transfer






and Employees











IV


Liability amp Risk

TransferPrevention

Audience Poll Q 2








REMEMBER




harm a business


Negligence

Accidental Acts






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt


Panelists






AGENDA

I Legal Basics




V Q amp A


VII Close

I

Legal Basics






United States





ndash Highlights


































credentials)

II


Breaches


Audience Poll Q 1


cybersecurity


(Mr Robot)




VirusMalware

Staff Error

Rogue Employee






Statements










party



with these vendors




Ransomware attacks








III





Transfer






and Employees











IV


Liability amp Risk

TransferPrevention

Audience Poll Q 2








REMEMBER




harm a business


Negligence

Accidental Acts






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt






United States





ndash Highlights


































credentials)

II


Breaches


Audience Poll Q 1


cybersecurity


(Mr Robot)




VirusMalware

Staff Error

Rogue Employee






Statements










party



with these vendors




Ransomware attacks








III





Transfer






and Employees











IV


Liability amp Risk

TransferPrevention

Audience Poll Q 2








REMEMBER




harm a business


Negligence

Accidental Acts






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt

















credentials)

II


Breaches


Audience Poll Q 1


cybersecurity


(Mr Robot)




VirusMalware

Staff Error

Rogue Employee






Statements










party



with these vendors




Ransomware attacks








III





Transfer






and Employees











IV


Liability amp Risk

TransferPrevention

Audience Poll Q 2








REMEMBER




harm a business


Negligence

Accidental Acts






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt


Audience Poll Q 1


cybersecurity


(Mr Robot)




VirusMalware

Staff Error

Rogue Employee






Statements










party



with these vendors




Ransomware attacks








III





Transfer






and Employees











IV


Liability amp Risk

TransferPrevention

Audience Poll Q 2








REMEMBER




harm a business


Negligence

Accidental Acts






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt




VirusMalware

Staff Error

Rogue Employee






Statements










party



with these vendors




Ransomware attacks








III





Transfer






and Employees











IV


Liability amp Risk

TransferPrevention

Audience Poll Q 2








REMEMBER




harm a business


Negligence

Accidental Acts






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt





party



with these vendors




Ransomware attacks








III





Transfer






and Employees











IV


Liability amp Risk

TransferPrevention

Audience Poll Q 2








REMEMBER




harm a business


Negligence

Accidental Acts






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt


III





Transfer






and Employees











IV


Liability amp Risk

TransferPrevention

Audience Poll Q 2








REMEMBER




harm a business


Negligence

Accidental Acts






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt






IV


Liability amp Risk

TransferPrevention

Audience Poll Q 2








REMEMBER




harm a business


Negligence

Accidental Acts






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt




REMEMBER




harm a business


Negligence

Accidental Acts






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt






Negligence

Training

Encryption

Security

Accidental Acts



Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt


Audience Poll Q 3



Audience Poll Q 4





Location

Updated


Insurance




Q amp A


























Thank You

Cover

Cybersecurity PPt



Q amp A


























Thank You

Cover

Cybersecurity PPt


















Thank You

Cover

Cybersecurity PPt

cybersecurity session sponsor - cacm ppt.… · theft of target’s third party hvac ... on...

Documents