3rd party risk: practical considerations for privacy & security due diligence


Upload: co3-systems

Posted on 18-Nov-2014


Page 1: 3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence

3rd Party Risk – Pt. 1: Practical Considerations for Privacy & Security Due Diligence


Page 2

Agenda

• Introductions

• 3rd Party Risk Due Diligence Best Practices
  • Questionnaires
  • On-Site Reviews

• Q&A


Page 3

Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems
  • Security / compliance entrepreneur
  • Security industry analyst

• Deb Hampson, AVP & Assistant General Counsel, The Hartford
  • Head of Corporate Privacy Office since 2006
  • Previously head of The Hartford Life's Corporate Compliance Unit and the Group Benefits Legal Team
  • Specialties: privacy law, insurance law, corporate compliance, social media legal and compliance issues.


Page 4

Co3 Automates Breach Management

PREPARE

Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

REPORT

Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports

ASSESS

Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments

MANAGE

Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion


Page 5

About The Hartford

Personal Lines

Small Commercial

Middle Market

Group Benefits

Specialty

Retirement

Individual Life

Mutual Funds

Annuities


Page 6

Data Breaches and 3rd Party Leaks

Malicious Cyber-Attacks

Lost/Stolen Assets

3rd Party Leaks

Internal/ Employee

Actions

Global Consumer Electronics Firm:

Hackers stole customer data, including credit card information

100 million records

Community-Based Healthcare Plan:

Laptops with patient data stolen by former employee

208,000 records

Multi-Channel Marketing Service:

Digital marketing agency exposes customer data of dozens of clients

Millions of records

Government Agency:

Employee sent CD-ROM with personal data on registered advisors

139,000 records

The multitude of breach regulations doesn’t care how the data was lost. You are subject to the same requirements.

Page 7

3rd Party Risk: Practical Considerations


Page 8

3rd Party Privacy & Security Due Diligence

• Questionnaire
• On-Site Visits
• Certifications
• Annual Audits

Page 9

POLL: Do You Have A 3rd Party Questionnaire?


Page 10

Who Receives a Questionnaire?

• Every vendor that handles customer data, employee data or company confidential data receives a questionnaire.

• The questionnaire is developed using:
  • International standards:
    • ISO/IEC 27001 Information Management Systems
    • ISO/IEC 27002 Code of Practice for Information Security Management
    • the BITS Financial Institution Shared Asset Program, and
    • internal Privacy and Information Protection Policies
  • Internal Privacy and Information Protection policies based on regulatory requirements.


Page 11

What Areas Does the Questionnaire Address?

Overview of services being provided

Privacy and Security Policies

Organizational Structure

Personnel Security

Environmental Security

Operations Management

Network Management

Information Handling

Access Control

Compliance

Business Continuity and Disaster Recovery

Page 12

POLL

Do You Conduct On-Site Reviews For 3rd Parties?


Page 13

Who gets an On-Site Visit?

Risk-Based Approach For Vendors Who:

• Provide incomplete questionnaire responses
• Provide unsatisfactory questionnaire responses
• Handle contracts over a specified dollar amount
• Handle information that is sensitive or confidential
• Are located in a foreign country


Page 14

Components Of An On-Site Review Process

• Meetings with vendor senior management: address key privacy and security policies and procedures to ensure senior management buy-in
• Interviews with key personnel: allow assessors to obtain more specific information on the vendor’s controls
• Comprehensive document review: verify the existence of key security documents
• Physical security inspection: verify that key physical security and environmental controls are in place
• Policy/Statement of Work verification: verify that security requirements detailed in the Statement of Work are implemented.


Page 15

Top Questions

1. Do comprehensive information security policies exist that all employees must read and accept?

2. Are all employees and contractors with access to Company data required to take information security awareness training?

3. Are there processes in place that ensure access to Company data is authorized and granted in the most restrictive manner possible and limited to those having a business need for such authorization?

4. Is access to Company data contingent on a thorough criminal background history investigation performed using an accredited personnel investigation agency?

5. Are physical security measures in place to control physical access to systems or output that contain Company data?


Page 16

Top Questions (cont.)

6. Is all access to Company data logged and reviewed on a regular basis?

7. Is there a Security Incident Response Plan in place that contains procedures to be followed in the event of any actual, suspected, or threatened security breach, including unauthorized use, access, disclosure, theft, manipulation, or reproduction of Company data?

8. Will the vendor submit to an annual Security Risk Assessment review based on ISO 27001, conducted by the Company (or its agent)?

9. Is there commercially reasonable and effective network intrusion prevention or detection, firewalls and anti-virus protection in place and functioning properly?

10. Are operating systems and applications associated with the Company appropriately patched after knowledge of any security vulnerabilities?

11. Are all sensitive or confidential data sent over public networks encrypted with at least 256-bit encryption?


Page 17

Considerations For Foreign Service Providers

Scope of Services and Sensitivity of Data
• Are the services contemplated to be performed temporarily or on an ongoing basis?
• Do the services involve the handling, storage or transmission of sensitive data?
• Can the Company execute an exit strategy if services are disrupted?

Geographic, Cultural, Social and Political Factors
• How far away is the vendor?
• What language barriers exist?
• How often does the Company plan to review or audit the vendor?
• Do on-site reviews need to be done?
• What social or political factors are reasonably likely to affect the provider?
• Can the Company monitor these factors?

Business Continuity and Disaster Recovery
• Does the vendor have a Business Continuity Plan?
• Does the vendor have experience executing the plan?

Local Laws Regulating Privacy and Data Security


Page 18

Considerations For Foreign Service Providers (cont.)

Local Laws Regulating Privacy and Data Security
• Are there local laws that impose requirements on the vendor with regard to data?
• How do the local laws apply to the Company?

Legal/Compliance Risk
• What contractual provisions are required to ensure proper resolution of disputes?
• If local laws create requirements, are they consistent with the provisions the Company applies to its US-based service providers?
• What is the process under local laws for responding to access requests by individuals, subpoenas or other requests for disclosure from governmental agencies?

Security Controls
• Can the vendor reasonably be expected to satisfy stricter or rapidly evolving standards for data security?
• Is the vendor transferring data to other locations or countries?


Page 19

How About When You Receive A Questionnaire?

• What do you do when there are too many questions to answer?

• How do you ensure consistent responses?

• How do you respond to yes/no questions?

• How do you manage the volume?

• Whose Privacy and Security Policies and Procedures do you follow?

Page 20

QUESTIONS


Page 21

Next Webinar

• Canadian Breach Regulations
• Next Thursday, 10/25 @ 1 PM
• Invites with more info and registration information in the next day or two

Page 22

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

Deb Hampson

Assistant VP & Assistant GC

[email protected]

www.thehartford.com