Enterprise Risk Management Symposium, Salt Lake City, Panel Presentation with Jason Sabin of DigiCert, Doron Rotman of KPMG and Ben Holt of Stoel Rives
Reveal an Escalating Problem

There is greater focus… but still poor results.

• 55% of Audit Committees think more agenda time should be devoted to cybersecurity
• 88% of Boards say that their strategic risk register includes a cybersecurity risk category

TOP CONCERNS FOR AUDIT COMMITTEES
1. Gov., Processes, Controls and Risk
2. Management
3. IT Risk and Emerging Technologies
4. Uncertainty
5. Information Privacy/Security/Cyber

• Average number of exposed or compromised records in a US data breach: 29,087
• Reported losses by US companies from unauthorized use of computers by employees in 2014: $40 billion (US)
• Average cost of an organizational data breach: $6.53 million (US)

Sources: "Is Governance Keeping Pace?" (KPMG); 2015 Data Breach Industry Forecast (Experian); 2015 Cost of a Data Breach Study: Global Analysis (IBM – Ponemon Institute); U.S. Dept. of Health and Human Services; FTSE 350 Cyber Governance Health Check (HM Government, U.K.); 2015 Global Audit Committee Survey (KPMG's Audit Committee Institute)
Privacy has Become a Conversation in Every Boardroom

• … stolen records. - December 2013, Leading Financial Services Firm
• 6-month intrusion results in 1.16 million stolen credit and debit cards. - September 2014, Leading Retailer
• Breach cost banks and credit unions over $200 million. - December 2013, Leading Retailer
• Data breach results in 56 million stolen payment card details and 53 million email addresses. - September 2014, Leading Home Improvement Retailer
• Breach thought to impact between 69 – 80 million customer records. - January 2015, Leading Health Insurance Provider
• Data breach compromised 21.5 million employee and non-employee Social Security numbers and other highly sensitive records. - June 2015, US Government
• Data breach suspected to impact 36 million accounts and 9 million individual credit card transactions from more than 50 countries. - July 2015, Online Dating Site
Industry Types of Valuable Data
Identification and prioritization of sensitive data in each industry

Consumer Products & Retail
• Credit Information & Transactions
• Marketing Information & Campaigns
• Pricing & Margin Information
• Operational & Logistics Information

Energy & Natural Resources
• Geolocation Research Information
• Formulas & Research Information
• Industrial Control Information (SCADA, Oil Distribution Systems)
• Contracts

Healthcare & Life Sciences
• Electronic Health Information
• Patient Information (Financial)
• Formulas & Research Information
• Healthcare Delivery Systems
• Claims Information
• Medical Device Data
• Clinical Trial Data

Financial Services
• Financial/Investment Models
• Account Information
• Operational Monitoring Information (Transaction Volume, Shifts, Fraud Alerts)
• Sensitive Strategic Information (IPO Information, Research Materials, Pre-release Analyst Reports)

Industrial Manufacturing
• Manufacturing Techniques
• Quality Control Systems
• New Technology Deployments
• Supply Chain Information & Logistics

Telecom/Technology & Media
• Intellectual Property
• Customer Payment Data
• Innovations
• Call Logs
• Source Code
• Cookies
• IP Addresses

Cross Industry
• Customer & Employee Personal Data
• Financial Reporting Data
• Strategic Access (Mergers, Pricing, Strategies)
• Regulated Data
• Strategic Risk Information
• IT infrastructure configuration data
Data Category

A critical organizational need is to identify what data is sensitive and critical to each stakeholder in the information lifecycle. This categorization of data helps drive a risk-based agenda and meaningful investment.

• Corporate: Intellectual Property, Research, Development, Merger, Acquisitions, Divestiture, Trade Secrets
• Customer: Patient, Benefits, Financial, Health
• Employee: Human Resources, Payroll, Health, Benefits, Performance Reviews
• Third Party: Commercial Agreements, Rate Cards, Hosted Data, Managed Data
• Attorney-Client: Lawsuit, Arbitration, Privileged Communications
BUILDING A COMPREHENSIVE PRIVACY CAPABILITY

IMPLEMENTATION
• HUMAN FACTORS
• OPERATIONS
• TECHNOLOGY
• PLANNING & CONTROL
• INFORMATION RISK MANAGEMENT

PRIVACY AND SECURITY FOUNDATIONS
• LEADERSHIP & GOVERNANCE
• LEGAL & COMPLIANCE
• … and Supply Chain management
• Internet of Things
• Changing regulatory requirements
• Mobile
• Consumer trust and brand protection
• Big Data
• Data localization
▪ … the organization experienced an accidental or unauthorized access and/or release of data?
▪ Is the organization subject to regulatory requirements for data privacy, security, and business continuity?
▪ How effectively can the organization detect and respond to a suspected, discovered, and/or reported data breach?
▪ Are the organization's security capabilities aligned with the delivery of business objectives, and do they support its governance structure?
▪ Has the board of directors, executive management or audit committee assessed the organization's ability to detect, respond to and recover from a data security event?
▪ How well does the organization's current operating model support responses to changes in economic conditions, regulatory reform, and increased risk management measures?
Data Gatherer

Data Focus
• Data Mapping (What data do I have?)
• Data Culling (What data do I want?)
• Data Risk Management (What data am I willing to risk?)
• Data Protection (How do I lock which data?)

Partner Focus
• Data Service Mapping (Who holds my data?)
• Servicer Risk (What is my downside?)
• Mitigating Legal Risk (What does my contract say?)

International Focus
• Where is my data stored?
• Where is my data gathered?
• What are the rules? (EU, HIPAA, GLB, PCI, Data Breach)
Data Subject

Bring Your Own Device (BYOD)
• Jailbreaking
• Password/PIN
• Discoverable – no right to privacy
• Seizeable – border seizures

Sharing Apps
• Location tracking
• What can I share?

Surprise! Policies
• Kids
• Repair
• Upgrading
• SLA and high-risk data
• What is the exchange? - Free vs. Paid
• What type of data is collected by the vendor?
• Narrow the rules: focus on what I need to keep private
• Review your policies - not "set and forget"
• What rules do I play by? (EU, HIPAA, GLB, PCI, data breach)
• Encrypt! (data at rest, data in transit, backups, device)
• Leaving and deletion
• Risk allocation
• … are larger and more impactful than ever
• Privacy starts and ends with sensitive information
• Privacy is a business issue and not just an IT issue
• Privacy triggers are growing and stem from common business and organizational themes