CYBER RISK

What Not-for-Profit Management & Boards Need to Know

September 20, 2017

John Dougherty, IT Director, Unbound, johnd@unbound.org
Jan Hertzberg, Director, BKD, jhertzberg@bkd.com

TO RECEIVE CPE CREDIT

  • Participate in entire webinar
  • Answer polls when they are provided
  • If you are viewing this webinar in a group
    • Complete group attendance form with
      • Title & date of live webinar
      • Your company name
      • Your printed name, signature & email address
    • All group attendance sheets must be submitted to training@bkd.com within 24 hours of live webinar
    • Answer polls when they are provided
  • If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar

RAPIDLY EVOLVING CYBERTHREATS – MOTIVATIONAL SHIFTS

[Figure: additive motivation progression line. Actors: hacktivists, nation-states, fraudsters. Motivations: theft, disruption, destruction]

TOP CYBERCRIMES

  • Business email compromise
  • Ransomware
  • Corporate account takeover
  • Identity theft
  • Theft of sensitive data
  • Theft of intellectual property
  • Denial of service


DATA BREACHES IN THE NEWS


  • 2014 – 309,000 university faculty, staff & students
  • 2015 – Breach of 10,00 donors’ personal info between 2013–2015
  • 2016 – Breach of data for 550,000 individuals
  • 2017 – Muncie, Indiana-based not-for-profit organization breached, lost all financial & client data

EXAMPLE: BUSINESS EMAIL COMPROMISE

  • University admin receives email from “CFO” requesting all employee W2s pursuant to an IRS inquiry
  • Needs it today (received in the afternoon)
  • Admin puts it all together into one PDF, alphabetized
  • Hacker responds, telling her “this is more than I had hoped for”
  • Compromised W2 information sold on the underground market
  • Numerous employees contacted by real IRS about issues with their returns, or why they submitted two returns

EXAMPLE: RANSOMWARE

  • Midsize health care provider sustained two consecutive attacks on EMR system; ransom paid in bitcoin
  • After first attack, hardware/software upgrades were identified but budgetary constraints delayed implementation
  • After second attack, provider performed forensic evaluation to verify breach extent & eradicate malware
  • Performed a cybersecurity assessment to identify vulnerabilities

RANSOM LETTER

[Figure: image of the ransom letter; not reproduced in text]

WHY ARE NOT-FOR-PROFIT ORGANIZATIONS SO VULNERABLE?

  • Given the quantity & variety of Personally Identifiable Information (PII), cyber risk is inherently high
  • Spending priority is often given to the organization’s mission rather than to “back-office”
  • Challenging to recruit & retain expensive resources
  • Infrastructure improvements may not be robust
  • Heavy reliance on third-party service providers
  • Reputational risk is critical

POTENTIAL BREACH IMPACTS

  • Negative publicity
  • Regulatory sanctions
  • Refusal to share personal information
  • Damage to brand
  • Regulator scrutiny
  • Legal liability
  • Fines
  • Damaged donor relationships
  • Damaged employee relationships
  • Deceptive or unfair trade charges
  • Diversion of resources
  • Lost productivity

DARK WEB PRICING

Credit Cards                                     Price (2012–2014)      Current Price
Visa & Mastercard                                $4                     $7
Visa & Mastercard with Track 1 & Track 2 Data    $23 (V); $35 (MC)      $30
Premium American Express                         $28                    $30
Bank Account Credentials                         $15,000 for 500        $15,000 for 500

Email Accounts                                   Price (2012–2014)      Current Price
Popular Email (Gmail, Hotmail, Yahoo)            $100 per 100,000       $100 per 100,000
Corporate Email                                  N/A                    $500 per Mailbox
IP Address of Email User                         $90                    $90

WHAT DRIVES COST OF BREACHES?

[Figure: chart from the Ponemon 2016 Cost of Data Breach Study; not reproduced in text]

INTERESTING STATISTICS

  • Timing
    • In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla the most difficult)
    • In 83% of cases, it took weeks or more to discover an incident occurred
  • Attackers take easiest route (63% leveraged weak, default or stolen passwords)
  • 95% of breaches were made possible by nine patterns including poor IT support processes, employee error & insider/privilege misuse of access

REGULATORY RESPONSE OVER TIME

  • 1934 – SEC Act
  • 1974 – Family Educational Rights & Privacy Act (FERPA)
  • 1996 – HIPAA
  • 1999 – Gramm-Leach-Bliley Act
  • 2000 – CFR17 Part 248 Brokers Consumer Protection
  • 2001 – Cybersecurity Enhancement Act
  • 2003 – California Data Breach Law
  • 2006 – PCI DSS
  • 2006 – Indiana Breach Notification Law
  • 2009 – HITECH
  • 2013 – HIPAA (Omnibus)
  • 2017 – Executive Order Strengthening the Cybersecurity of Federal Networks & Critical Infrastructure
  • 2018 – General Data Protection Regulation (GDPR)

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)

  • Covers
    • Health care providers
    • Health care payors
    • Health care clearinghouses
    • Employers who administer their own health plans
  • Protected health information (PHI)
    • Covered entities may only use or disclose PHI as permitted
  • Enforced by
    • HHS Office for Civil Rights
    • State attorneys general
  • Introduced
    • HIPAA (1996), HITECH (2009) & The Omnibus Rule (2013)

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

  • Covers
    • Businesses accepting credit & debit card payments
      • “Card Present” transactions (card swipes)
      • “Card Not Present” transactions (e-commerce)
    • Cardholder data
      • Storing, processing & transmitting by “merchants”
  • Enforced by
    • Credit card brands
    • “Acquiring Bank” responsible for processing payment transactions
  • Introduced
    • PCI Security Standards Council (PCI SSC), consisting of five credit card brands (Visa, Mastercard, Discover, American Express, JCB), created the PCI DSS in 2006; updated on three-year cycle

GRAMM-LEACH-BLILEY ACT (GLBA)

  • Covers
    • Financial services organizations including post-secondary educational institutions
    • Financial aid records
  • Develop, implement & maintain a written information security program
  • Designate employee responsible for coordinating the security program
  • Identify & assess risks to student information
  • Select appropriate service providers capable of maintaining appropriate safeguards
  • Periodically evaluate & update their security program
  • Enforced by
    • Federal Trade Commission (FTC)
  • Introduced
    • Dear Colleague Letter GEN-15-18 (July 29, 2015)

CYBER RISK OVERSIGHT

WHAT DO BOARDS WANT TO KNOW?

  • What do we consider our most valuable assets?
  • How does our IT system interact with those assets?
  • Do we believe we can fully protect those assets?
  • Do we think there is adequate protection in place if someone wanted to get at or damage our corporate “crown jewels”?
  • If not, what would it take to feel comfortable that our assets were protected?
  • Are we investing enough so our corporate operating & network systems are not easy targets for a determined hacker?
  • Are we considering cybersecurity aspects of our major business decisions, such as mergers & acquisitions, partnerships, new product launches, etc., in a timely fashion?

FIVE PRINCIPLES OF CYBER RISK OVERSIGHT

1. Organizations need to understand & approach cybersecurity as an enterprisewide risk management issue, not just an IT issue
2. Understand legal implications of cyber risks as they relate to their organization’s specific circumstances
3. Have adequate access to cybersecurity expertise, & discussions about cyber risk management should be given regular & adequate time on the board meeting agenda
4. Set expectation that management will establish an enterprisewide cyber risk management framework with adequate staffing & budget
5. Include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach

ASSESSING YOUR CYBERSECURITY PROGRAM


NIST CYBERSECURITY FRAMEWORK (NIST CSF)

  • Background
    • Published February 12, 2014, by the National Institute of Standards & Technology (NIST)
    • Voluntary federal framework (not a set of standards) for critical infrastructure services
    • Provides common language for organizations to assess, communicate & measure improvement in security posture
  • Controls
    • High-level controls provide framework of “what” but not “how”
    • Five functions, 22 control categories, 98 key controls derived from industry best practice & standards
    • Contains four maturity tier ratings

NIST CYBERSECURITY FRAMEWORK

Framework Categories (grouped by the five functions)

  • Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
  • Protect: Access Control; Awareness & Training; Data Security; Information Protection Processes; Maintenance; Protective Technology
  • Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes
  • Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
  • Recover: Recovery Planning; Improvements; Communications

FRAMEWORK BENEFITS

  • Comprehensive in scope
  • Intuitive
  • Risk-based – allows the organization to prioritize remediation activities depending on the organization’s risk appetite & cybersecurity control maturity desired
  • Commonly accepted standard – provides basis of consistent assessment in the future

OVERALL APPROACH

Phase 1 – Discovery

  • Determine business & compliance requirements for cybersecurity
  • Review documentation related to cybersecurity infrastructure, e.g., network diagrams, asset inventory
  • Identify systems & data stores containing personally identifiable information (PII), electronic protected health information (ePHI), etc.

Phase 2 – Analysis

  • Conduct on-site interviews with key stakeholders to
    • Document processes that identify cyber risk, protect key information assets, detect/respond to threats & recover should a breach occur
    • Evaluate process/control maturity & determine risk

Phase 3 – Remediation Planning

  • Identify recommendations & action plans addressing remediation activities to be completed
  • Identify type of investment, e.g., resources, hardware/software

CASE STUDY

ABOUT UNBOUND

  • International not-for-profit that builds relationships of mutual respect & support to bridge cultural, religious & economic divides
  • Sponsorship program connects individual sponsors with a child or elderly person in one of the 19 countries in which Unbound operates. Sponsor support provides education, food, health care & livelihood opportunities for families
  • Serves more than 300,000 children, youth & elderly persons in Africa, Asia, Latin America & the Caribbean
  • More than 260,000 sponsors throughout all 50 states in the U.S. & 86 other countries
  • More than 92 cents of every dollar spent is going toward program support

THE INSIDE STORY

  • Why did we do it?
    • Board of directors felt that it was important to have an independent review of cyber risks
    • President/CEO shall not fail to protect intellectual property, information & files from loss, breach or significant damage
  • Initial concerns
    • IT staff already very busy with operational activities & concerned about potential time commitment
    • We are already focused on security, won’t this be a duplicate effort?
  • Next steps
    • Evaluate remediation recommendations in light of current operational requirements to determine if additional staffing, hardware & software is required
  • Priorities
    • Cyber risk insurance
    • Vendor risk management program
    • Update policies & procedures
    • Security awareness training

BENEFITS

  • Although Unbound was already PCI-compliant, the NIST CSF assessment required the organization to evaluate processes & controls not related to the PCI Cardholder Data Environment (CDE). Determined that documentation & process consistency was missing in some cases
  • Reaffirmed that other current processes & controls were working effectively, largely due to past PCI remediation activities
  • Board & senior management gained greater knowledge of & insight into cybersecurity activities
  • IT gained knowledge of practices by operational groups (HR, Finance) to safeguard information
  • Operational groups had greater awareness of cyber issues & were more committed to safeguarding their data

SUMMARY

  • Cybersecurity risk has grown substantially for not-for-profit organizations
  • Framework-based cybersecurity assessment allows the organization to determine if an effective cybersecurity program is in place
  • Remediation activities can be prioritized & scheduled based on level of risk & control maturity

QUESTIONS?

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered.

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

CPE CREDIT

  • CPE credit may be awarded upon verification of participant attendance
  • For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at training@bkd.com

THANK YOU!

FOR MORE INFORMATION

Jan Hertzberg | Director, BKD | jhertzberg@bkd.com
John Dougherty | IT Director, Unbound | johnd@unbound.org