Shawn Tuma delivered this presentation on April 9, 2019, at the Oklahoma State University 4th Annual Cyber Security Conference in Oklahoma City, Oklahoma.
In twenty years of practicing cyber law, Shawn Tuma has seen a multitude of cybersecurity and data breach cases that have helped him understand the real-world risks companies face and the practical things they can do to prioritize their resources and effectively manage cyber risk. In this presentation, he will share his experience on issues such as:
· Why cybersecurity is an overall business risk issue that must be properly managed to comply with laws and regulations
· Why strategic leadership is critical in cybersecurity
· Why teams are critical for cybersecurity and how personalities and psychology can impact that team
· The most likely real-world risks that most companies face
· How to prioritize limited resources to effectively manage the most likely real-world risks
· What is reasonable cybersecurity
· How to develop, implement, and mature a cyber risk management program
· Why cyber insurance is a critical component of the cyber risk management process
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to Manage Cyber Risk
1. Spencer Fane LLP | spencerfane.com
Cybersecurity is a Team Sport:
How to Use Teams, Strategies, and
Processes to Manage Cyber Risk
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP | @spencerfane
spencerfane.com | @shawnetuma
3. Spencer Fane LLP | spencerfane.com
Laws and regulations
• Types
– Security
– Privacy
– Unauthorized Access
• International Laws
– GDPR
– Privacy Shield
– China’s Cybersecurity Law
• Federal Laws and Regs
– FTC, SEC, HIPAA
• State Laws
– All 50 States
– Privacy (50) + security (20+)
– NYDFS, Colo FinServ, CaCPA
• Industry Groups
– PCI
– FINRA
• Contracts
– 3rd Party Bus. Assoc.
– Privacy / Data Security /
Cybersecurity Addendum
4. Spencer Fane LLP | spencerfane.com
Cybersecurity is no longer just an IT issue –
it is an overall business risk issue.
5. Spencer Fane LLP | spencerfane.com
Common objections
1. We are not a large company
2. Our data is not that valuable
3. We have an “IT Guy”
4. We have an “IT Company”
5. We have cyber insurance
11. Spencer Fane LLP | spencerfane.com
Cyber attacks against SMBs
SMB – Small & Medium Size Business (1 – 1,000 employees)
Experienced a cyber attack in the past 12 months
• 61% (2017) to 67% (2018)
Experienced a data breach in the past 12 months
• 54% (2017) to 58% (2018)
Source: Ponemon Institute LLC, 2018 State of Cybersecurity in Small & Medium Size
Businesses Report (Sponsored by Keeper Security, Inc.)
12. Spencer Fane LLP | spencerfane.com
Most Likely Real-World Risks
Most Companies Face
13. Spencer Fane LLP | spencerfane.com
Is it really always the Russians?
• 63% confirmed breaches from weak, default, or
stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily Avoidable Incidents
• 91% in 2015
• 91% in 2016
• 93% in 2017
14. Spencer Fane LLP | spencerfane.com
Cyber attacks against SMBs
Source: Ponemon Institute LLC, 2018 State of Cybersecurity in Small & Medium Size
Businesses Report (Sponsored by Keeper Security, Inc.)
15. Spencer Fane LLP | spencerfane.com
Common cybersecurity best practices
1. Risk assessment.
2. Policies and procedures focused on
cybersecurity.
– Social engineering, password, security
questions
3. Training of all workforce on P&P, then
security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware
detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud,
redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive
data.
13. Adequate logging and retention.
14. Third-party security risk management
program.
15. Firewall, intrusion detection and prevention
systems.
16. Managed services provider (MSP) or
managed security services provider (MSSP).
17. Cyber risk insurance.
16. Spencer Fane LLP | spencerfane.com
Canary in the coal mine
• What is your role?
• How does your company
handle:
– P&P + Training
– MFA
– Phishing
– Backups
– IRP & IR Team
– Cyber Insurance
18. Spencer Fane LLP | spencerfane.com
How mature is the company’s cyber risk
management program?
• “GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and
thereafter maintain, a comprehensive information security program that is reasonably
designed to protect the security, confidentiality, and integrity of personal information
collected from or about consumers.” In re GMR Transcription Svcs, Inc., Consent
Order (Aug. 14, 2014)
• “We believe disclosures regarding a company’s cybersecurity risk management
program and how the board of directors engages with management on cybersecurity
issues allow investors to assess how a board of directors is discharging its risk
oversight responsibility in this increasingly important area.” SEC Statement and
Guidance (Feb. 21, 2018)
• “Each Covered Entity shall maintain a cybersecurity program designed to protect the
confidentiality, integrity and availability of the Covered Entity’s Information Systems.”
NYDFS Cybersecurity Regulations § 500.02
• “Taking into account the state of the art, the costs of implementation and the nature,
scope, context and purposes of processing as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons, the controller and the
processor shall implement appropriate technical and organizational measures to
ensure a level of security appropriate to the risk, including …” GDPR, Art. 32
19. Spencer Fane LLP | spencerfane.com
“A business shall implement and maintain
reasonable procedures, including taking any
appropriate corrective action, to protect from
unlawful use or disclosure any sensitive
personal information collected or maintained
by the business in the regular course of
business.” – Tex. Bus. & Com. Code § 521.052(a), enforced by Texas Attorney General Ken Paxton
20. Spencer Fane LLP | spencerfane.com
What is
reasonable
cybersecurity?
Too little – “just
check the box”
Too much –
“boiling the ocean”
21. Spencer Fane LLP | spencerfane.com
Reasonable cybersecurity is a process,
Not a definition
22. Spencer Fane LLP | spencerfane.com
Prioritizing Limited Resources to Most
Effectively Manage Most Likely Real-
World Risks
23. Spencer Fane LLP | spencerfane.com
Assess cyber risk
“If you know the enemy and know yourself, you need not fear the result
of a hundred battles. If you know yourself but not the enemy, for every
victory gained you will also suffer a defeat. If you know neither the enemy
nor yourself, you will succumb in every battle.” – Sun Tzu
The most essential step?
• How do you protect against what you don’t know?
• How do you protect what you don’t know you have?
• How do you comply with rules you don’t know exist?
• Demonstrates real commitment to protect, not just “check the box
compliance.”
• No two companies are alike, neither are their risks, neither are their risk
tolerances.
24. Spencer Fane LLP | spencerfane.com
What do you think?
What do you think is the most glaring thing missing when I look
at substantial incidents and data breaches I have handled over
the past 20 years?
1. Lack of hardware, services, gadgets, and gizmos?
2. Lack of support from management?
3. Lack of funding?
4. Lack of talent?
5. Lack of skills and knowledge?
6. Lack of strategy?
27. Spencer Fane LLP | spencerfane.com
Strategic leadership and planning
“Strategy without tactics is the slowest route to victory, tactics
without strategy is the noise before defeat.” – Sun Tzu
What does strategy consider?
• Who is your head coach?
• Who is on your team?
– Inside and outside
– Technical, Business, Operations, HR, Marketing, and …yes, even Legal
• Risk analysis
• Resources
• Don’t forget 3rd and Nth party risk!
• Objectives – what is a “win”?
28. Spencer Fane LLP | spencerfane.com
Evaluating risk and prioritization
“You can’t boil the ocean”
Traditional risk equation
Risk = probability x loss
More realistic risk equation – this is a business issue
Risk = probability x loss x cost x time to implement x impact on
resources x benefits to the business x detriments to the business
29. Spencer Fane LLP | spencerfane.com
Your Team – People & Personalities
33. Spencer Fane LLP | spencerfane.com
Psychology and personality
• Psychology: “the scientific study of the human mind and its functions,
especially those affecting behavior in a given context.”
• Personality: “the combination of characteristics or qualities that form
an individual’s distinctive character.”
• How do you tell the difference between an introvert and extrovert IT
guy?
34. Spencer Fane LLP | spencerfane.com
Myers-Briggs Type Indicator (MBTI)
Extraversion (E) Introversion (I)
How people respond to and interact with the world
around them.
• (E) turns outward, social interaction, energized by others
• (I) turns inward, deep meaning, time alone
Sensing (S) Intuition (N)
How people gather information from the world
around them.
• (S) focus on what is learned from the senses, facts
• (N) focus on patterns, impressions, abstractions
Thinking (T) Feeling (F)
How people make decisions based on the information
they gathered from their sensing or intuition
functions.
• (T) focus on facts and objective data
• (F) consider people and emotions more
Judging (J) Perceiving (P)
How people tend to deal with the outside world.
• (J) prefer structure and firm decisions
• (P) more open, flexible, adaptable
35. Spencer Fane LLP | spencerfane.com
Common questions about teams
1. Who should be on the team and what should they know?
2. What are the team members’ responsibilities?
3. Who is responsible for developing the strategy and seeing the
whole playing field?
4. How do team members’ personalities affect their roles and
performance?
5. How should the team be organized?
6. If you have cyber insurance, who is the contact person?
36. Spencer Fane LLP | spencerfane.com
Because There is No Such
Thing as “Secure”
37. Spencer Fane LLP | spencerfane.com
Incident Response Planning & Practicing
Incident Response Checklist
• Determine whether incident justifies escalation
• Begin documentation of decisions and actions
• Engage experienced legal counsel to lead
process, determine privilege vs disclosure tracks
• Notify and convene Incident Response Team
• Notify cyber insurance carrier
• Engage specialized security/forensics to mitigate
continued harm, gather evidence, and investigate
• Assess scope and nature of data compromised
• Preliminarily determine legal obligations
• Determine whether to notify law enforcement
• Begin preparing public relations message
• Engage notification / credit services vendor
• Notify affected business partners
• Investigate whether data has been “breached”
• Determine when notification “clock” started
• Remediate and protect against future breaches
• Confirm notification / remediation obligations
• Determine proper remediation services
• Obtain contact information for notifications
• Prepare notification letters, frequently asked
questions, and call centers
• Plan and time notification “drop”
• Implement public relations strategy
• Administrative reporting (e.g., FTC, HHS, SEC &
AGs)
• Implement Cybersecurity Risk Management
Program
38. Spencer Fane LLP | spencerfane.com
Cyber / Privacy Risk Insurance
Key considerations about cyber insurance:
• If you don’t know you have it, you don’t!
• Does your provider or broker really “get” cyber?
• Is your coverage based on your risk?
• Was security/IT involved in procurement?
• Does your coverage include social engineering?
• Does your coverage include contractual liability?
• Do you have first-party and third-party coverage?
• Do you understand your sub-limits?
• Can you choose your counsel and vendors?
39. Spencer Fane LLP | spencerfane.com
“You don’t drown by falling in the water;
You drown by staying there.” – Edwin Louis Cole
40. Spencer Fane LLP | spencerfane.com
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com
• Board of Directors & General Counsel, Cyber Future
Foundation
• Board, Southern Methodist University Cyber Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Practitioner Editor, Bloomberg BNA – Texas
Cybersecurity & Data Privacy Law
• Cybersecurity & Data Privacy Law Trailblazers,
National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-18
• Best Lawyers in Dallas 2014-18, D Magazine
(Cybersecurity Law)
• Council, Computer & Technology Section, State Bar of
Texas
• Privacy and Data Security Committee of the State Bar of
Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin
County Bar Association
• Information Security Committee of the Section on
Science & Technology Committee of the American Bar
Association
• North Texas Crime Commission, Cybercrime Committee
& Infragard (FBI)
• International Association of Privacy Professionals (IAPP)