
Upload: information-coalition

Post on 22-Jan-2018


Page 1: Rick Borden, Chief Privacy Officer, White & Williams LLP - #InfoGov17 - Cybersecurity & Privacy Regulations Now Require Information Governance

Richard M. Borden


The Cybersecurity Backdrop

•  Cyber crime costs $400 billion annually – Lloyd’s
•  Global cyber insurance uptake growing 21% annually
•  $2.5 billion in written cyber premiums in 2016
•  Rating agencies now addressing cyber-maturity in credit ratings
•  Cybersecurity is the dominant risk for CEOs
    •  70% view it as a major threat
    •  $3 trillion in market value destroyed in 2015
    •  “Top 5” risk likelihood – 2017 World Economic Forum
•  Most companies remain unprepared:
    •  Only 58% of companies have the resources to comply with security regulations
    •  1.5 million InfoSec job shortage by 2019
    •  Only 21% of companies at the “mature” stage
    •  Only 1/3 of corporations have a data breach response plan


New York 23 NYCRR 500 - The Significance

•  Billed as a “first-in-the-nation” regulation concerning cybersecurity
•  Arguably the most stringent broadly applicable cyber regulation in existence
•  Goes beyond other data privacy and cybersecurity regulations, including the Gramm-Leach-Bliley Act
•  Covers information and systems that do not include, store, process or maintain PII
•  Requires new compliance processes and is built around the Risk Assessment
•  Likely modification and expansion of existing protocols to meet regulatory requirements
•  C-Suite must personally certify compliance with the Regulation on an annual basis


The Main Requirement – 500.02

•  Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.
•  The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform the following core cybersecurity functions:
    •  identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems
    •  use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts
    •  detect Cybersecurity Events
    •  respond to identified or detected Cybersecurity Events to mitigate any negative effects
    •  recover from Cybersecurity Events and restore normal operations and services
    •  fulfill applicable regulatory reporting obligations


The Main Requirement – 500.02 (cont.)

•  Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.


The Main Requirement – 500.02 (cont.)

•  Nonpublic Information shall mean all electronic information that is not Publicly Available Information and is:
    •  business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity
    •  any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) driver’s license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records
    •  any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual


Information Governance Implications

•  What systems are considered “Information Systems” that must be protected under 500.02?
•  What is “Nonpublic Information” that is not Personal Data/Personally Identifiable Information?
•  The Regulation requires new types of system and data classification.
•  It is critical to know which systems house, process and access Nonpublic Information.
•  Written Data Governance Policies and Procedures are required to be part of the Cybersecurity Policy, which must be approved by Senior Officer(s). 500.03(b)
•  The Risk Assessment, which is the basis of the Cybersecurity Program and the related Policies and Procedures, requires written criteria for assessment of the Program, including the adequacy of controls. 500.09
•  There are requirements to dispose of Nonpublic Information. 500.13
•  Systems must be maintained that “are designed to reconstruct material financial transactions sufficient to support normal operations and obligations….” 500.06


Annual Compliance Certification

•  The Regulation requires a Covered Entity to submit to DFS a written Certification of Compliance by February 15, 2018
•  The written statement would require the signature of the Chairperson of the Board of Directors of the entity or named Senior Officer(s) (i.e. CEO or committee) certifying that such person has reviewed documents, reports, certifications and opinions of such officers, employees, representatives and outside vendors
•  Similar to a Sarbanes-Oxley 404 certification


EU General Data Protection Regulation (GDPR)

•  The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.
•  The GDPR not only applies to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
•  Organizations can be fined up to 4% of annual global turnover or €20 million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning “clouds” will not be exempt from GDPR enforcement.
