Compliance and a Culture of Integrity
Data and Privacy
October 29, 2014
www.pwc.com

Cyber security and Privacy . . . a Board level issue
• Increase in the Security and Privacy regulatory mandates in recent years, as well as expected changes in upcoming years
• Emerging technologies and reliance on third parties have created a borderless infrastructure
• Growing demand by business leaders to understand how privacy (“what” data is sensitive to the business) and security (“how” to protect the data deemed sensitive) is integrated
• Increase in threats and vulnerabilities to sensitive data and corporate assets
• Even companies that place great emphasis on securing their business processes can become the victim of cybercrime. Cybercrime can manifest in many ways
• Having a documented, demonstrated and regularly tested program helps in the event of regulator oversight
PwC
Cyber security . . . a strategic imperative
Global Business Ecosystem
Traditional boundaries have shifted
• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.
• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and dispersed throughout the ecosystem, expanding the domain requiring protection.
• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.
[Figure: Pressures and changes which create opportunity and risk]
Motivated Adversaries

Nation State
• Motives: Economic, political, and/or military advantage
• Targets: Trade secrets; Business information; Emerging technologies; Critical infrastructure
• Impact: Loss of competitive advantage; Disruption to critical infrastructure

Organized Crime
• Motives: Immediate financial gain; Collect information for future financial gains
• Targets: Financial / Payment Systems; PII; PCI; PHI
• Impact: Regulatory inquiries and penalties; Lawsuits; Loss of confidence

Hacktivists
• Motives: Influence political and/or social change; Pressure business to change their practices
• Targets: Corporate secrets; Business information; Information of key executives, employees, customers, partners
• Impact: Disruption of business activities; Brand and reputation; Loss of consumer confidence

Insiders
• Motives: Personal advantage, monetary gain; Professional revenge; Patriotism
• Targets: Sales, deals, market strategies; Corporate secrets, IP, R&D; Business operations; Personnel information
• Impact: Trade secret disclosure; Operational disruption; Brand and reputation; National security impact
Current cybersecurity risks and trends
Even companies that place great emphasis on securing their business processes can become the victim of cybercrime.
• Large organizations (those with gross annual revenues of $1 billion or more) detected 44% more incidents compared with last year.
Source: 2014 PwC Global State of Information Security Survey
Current cybersecurity risks and trends
The average number of annual detected incidents has increased, evidencing today’s elevated threat environment. As a result, total financial losses due to incidents have risen, given the cost and complexity of responding to threats.
[Chart: detected incidents and financial losses, 2009–2014]
Source: 2014 PwC Global State of Information Security Survey
Current cybersecurity risks and trends
• Mobile security is an area of continued vulnerability. Mobility has generated a deluge of data, but deployment of mobile security has not kept pace
• Companies are increasingly sharing data with third parties. While services can be outsourced, accountability for security and privacy cannot
• Compromises attributed to third parties with trusted access increase while due diligence weakens:
  • 55% have security baselines for external partners, suppliers, and vendors (60% in 2013)
  • 50% perform risk assessments on third-party vendors (53% in 2013)
• Very few organizations have true visibility into third-party business partners
• Changing relationship between the organization and consumers: multiple channels/consumer touch points (e.g. website/mobile site/app/store) without centralized oversight and “control”
Current cybersecurity risks and trends
• Current and former employees are the most-cited culprits of security incidents, but implementation of key insider-threat safeguards is declining:
  • 56% have privileged user-access tools (65% in 2013)
  • 51% monitor user compliance with security policies (58% in 2013)
  • 51% have an employee security training and awareness program (60% in 2013)
• While less frequent, incidents attributed to nation-states, organized crime, and competitors increased sharply in 2014:
  • 86% jump in incidents by nation-states
  • 64% rise in compromises by competitors
  • 26% increase in incidents by organized crime
Data breaches are costly and on the rise
• Estimated annual losses to business from data and identity theft: $150B**
• Average cost of a compromised record: $188*
• Average cost of a data breach: $5.4M*
• Average cost of post-breach response activities (legal fees, forensics): $1.5M*
• Estimated $3M in lost business per incident*
Each card brand can assess fines for PCI non-compliance. Examples include:
• Visa (pre-breach): $5K-$25K per month
• MasterCard (related to breach): $100K for each PCI violation
Publicized breaches of personal information: [Chart, 2011–2013; values shown: 1,097; 1,631; 1,390]
*Source: Ponemon Institute’s “2013 Annual Study: U.S. Cost of a Data Breach”
**Source: McAfee 2013 Study: “The Economic Impact of Cybercrime and Cyber Espionage”
State Breach Notification Laws
Generally, the laws mandate that if there is:
• unauthorized access to or disclosure of unencrypted personally identifiable information (PII) that
• threatens the security of such PII and
• creates a risk of identity theft
the person that "owns" such PII must notify affected:
• state residents
• state agencies and/or
• consumer protection agencies
Forty-seven US states plus DC, Guam, Puerto Rico and the Virgin Islands have such laws
• Alabama, New Mexico and South Dakota have no law
State Security Breach Laws – a quick comparison

Scope of Personal Information covered
• Key data such as name plus SSN, bank account number, credit card number (Illinois)
• Passwords, PINs and other access codes (Alaska)
• Date of birth, electronic signature (North Dakota)
• Biometric data such as fingerprints, voice print and retinal images (Nebraska, North Carolina)

Trigger for notification obligation
• No notice unless misuse of the data is likely (Colorado)
• Notice if breach creates a substantial risk of ID theft or fraud (Maine)
• Notice if there is reason to know that personal information was acquired (Mass)

Recipient of Notice
• Impacted resident (all states)
• Consumer reporting agencies if > 500 (Minnesota)
• Consumer reporting agencies if > 1000 (Michigan, Nevada)
• Consumer reporting agencies if > 10000 (Georgia)

Content of Notice
• Describe nature of the incident (North Carolina)
• Don’t describe nature of the incident (Mass)

Timing of Notice
• As soon as practicable (Mass)
• Five days (California)
• After a reasonable investigation has been conducted (Arizona)
Typical Data Breach Legal Response
Most incidents are not cyber security or hacking events, for example:
• Lost or stolen employee laptop (encryption will help)
• HR employee accidentally sending spreadsheet to the wrong person
• Vendor accidentally uploading file to the wrong server
Even the small ones take time to address:
• What data was involved?
• Was it encrypted?
• Who accessed it? How trustworthy are they?
• How can it be used by the person who accessed it?
• Is there a likelihood of harm? (some states don’t care)
• Finding the individuals’ names and contact information
• Drafting letters based on state requirements
Typical Data Breach Legal Response
Analysis is needed to determine if notice is required:
• Look at the various state laws
• Look at your customer contracts (for B to B)
• Comply with your privacy notices
Even if notice is not required, it may be appropriate:
• Is there an ethical responsibility to notify?
• If you notify in one state, should you notify in all?
• Could it be a bad PR move not to notify, even if not required?
• But over-notification also has its issues
A robust Incident Response Plan is necessary to enable prompt reaction. Prompt reaction is key to a successful response.
How to monitor for data loss and potential threats
• While organizations have made significant security improvements, they have not kept pace with today’s determined adversaries – many rely on yesterday’s security practices to combat today’s threats
• Even the most advanced blocking techniques are inadequate against motivated and targeted attacks. Reduce reliance on prevention-only capabilities
• Spend less on prevention; invest in detection, response and predictive capabilities
• Assume a state of continuous compromise, necessitating continuous monitoring, response and remediation
• Architect for monitoring at all levels of the IT stack – network, OS, application, content, transactions and user behaviors – and develop a security operations center responsible for continuous monitoring, detection and response
• Choose context-aware network, endpoint and application security solutions that provide prevention, detection, prediction and response capabilities
Evolving perspectives - adapting to the new reality

Scope of the challenge
• Historical IT Security Perspective: Limited to your “four walls” and the extended enterprise
• Today’s Leading Cybersecurity Insight: Spans your interconnected global business ecosystem

Ownership and accountability
• Historical IT Security Perspective: IT led and operated
• Today’s Leading Cybersecurity Insight: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
• Historical IT Security Perspective: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today’s Leading Cybersecurity Insight: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
• Historical IT Security Perspective: One-size-fits-all approach
• Today’s Leading Cybersecurity Insight: Prioritize and protect your “crown jewels”

Defense posture
• Historical IT Security Perspective: Protect the perimeter; respond if attacked
• Today’s Leading Cybersecurity Insight: Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing
• Historical IT Security Perspective: Keep to yourself
• Today’s Leading Cybersecurity Insight: Public/private partnerships; collaboration with industry working groups
Building a Cyber Security & Privacy Program
Common challenges and keys to an effective program

Common challenges
• Creating a robust strategy that accounts for a complex, multi-regulatory & changing environment
• Managing individual concerns and perceptions across differing cultures
• Understanding the information the organization collects & processes
• Managing information across the data lifecycle, within and outside your organization
• Building secure networks and systems
• Standardizing practices across all entities and regions, including all channels
• Coordinating incident response
• Driving policy and controls into business practices and technology
• Adopting privacy values throughout the enterprise
• Ensuring Business Continuity & Disaster Recovery strategies are in place

Keys to an effective program
1. An effective governance structure
2. A strong culture and attitude at all levels
3. An effective risk assessment process
4. A complete, dynamic, current lifecycle data inventory that includes third parties
5. Controls aligned with a selected framework
6. An effective training and awareness program
7. An effective team that ensures compliance with laws and regulations
8. An effective auditing and monitoring function
9. Policies and procedures that are current, communicated, and followed
10. An effective, documented, and tested incident response plan
11. An effective, documented, and tested Business Continuity and Disaster Recovery plan
Cyber Security program components
C-Suite Focus Areas
Secure information is power
• Strategy, Governance & Management: Align with the business
• Security Architecture & Services: Security by design
• Emerging Technologies & Market Trends: Adapt to the future
• Risk & Compliance Management: Manage risk and regulations
• Threat, Intelligence & Vulnerability Management: Address threats & weaknesses
• Incident & Crisis Management: Anticipate & respond to security crises
• Identity & Access Management: Enable secure access
• Data Protection & Privacy: Safeguard critical assets
Taking action: 5 steps toward a strategic cyber program
1. Ensure that your cybersecurity strategy is aligned with business objectives and is strategically funded
2. Identify your most valuable information assets, and prioritize protection of this high-value data
3. Understand your adversaries, including their motives, resources, and methods of attack to help reduce the time from detect to respond
4. Assess cybersecurity of third parties and supply chain partners, and ensure they adhere to your security policies and practices
5. Collaborate with others to increase awareness of cybersecurity threats and response tactics
Contacts

Bonnie L. Yeomans
VP, Assistant General Counsel and Privacy Officer
CA Technologies
(631) 342-2678
bonnie.yeomans@ca.com

Jacqueline T. Wagner
Managing Director – New York Privacy Leader
PwC
(646) 471-5644
jacqueline.t.wagner@us.pwc.com

Ariel Litvin
Director - IT Risk & Security Assurance
PwC
(646) 471-0999
ariel.litvin@us.pwc.com
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer
to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes
only, and should not be used as a substitute for consultation with professional advisors.