
SEC Cybersecurity Guidance… Critical Disclosure Considerations

Rick Dakin CEO & Chief Security Strategist

June 26, 2012


Agenda

Introduction
SEC Cyber Risk Guidance Overview
SEC Cyber Risk Disclosure Issues
Considerations for Calculating Impact of Cyber Incidents
Risk Management Integration with SEC Disclosure Processes
Recent FBI Enforcement & FTC Wyndham Lawsuit – Initial Lessons

About Coalfire


Leading independent provider of IT Governance, Risk and Compliance (IT-GRC) services

• Deep expertise in Healthcare (HIPAA), Retail (PCI), Banking (GLBA), Utilities (NERC) and Cloud

• Over [120] employees and contractors across [7] offices: Denver, Seattle, New York, Dallas, Los Angeles, San Francisco and Washington, D.C.

• Full suite of IT GRC solutions: compliance audit, risk and vulnerability assessment, application security, penetration testing and forensic analysis

• Served over [1,500] clients to date, including Oracle, Epic, IBM, Ford, Nordstrom, EchoStar, Microsoft, Intuit, Overstock, Savvis

Why Additional SEC Guidance?

• The SEC already requires material risk disclosure … even for data risk

• The new disclosure guidance requires registrants to identify cyber incidents and risks that make an investment in the company “risky.”

• Cyber spies and criminals steal what is estimated to be tens of billions of dollars worth of data from U.S. companies each year. Yet experts say few companies report these losses to shareholders. – (See General Alexander)

• Calculating the costs of cyber theft, whether for criminal or espionage purposes, is difficult. The Ponemon Institute has found the average cost of a breach to be between $5 million and $8 million. But larger incidents like Lockheed Martin, Heartland, Sony and others have much broader impact.

• Undisclosed data risks … prior to breach:
  o RSA – 8-K anticipates no material impact or future consequences …. Really?!?!
  o Sony
  o SAIC – TRICARE
  o Heartland Payments – (going from a good to GREAT security program!)

• An ineffective security program is not a defense for “not knowing or suspecting” a cyber incident

SEC Disclosure Guidance

1. Disclose actual or suspected data breach
  o Data breach with material impact
  o See “Management Discussion & Analysis”
  o Financial statement impact

2. Disclose material risk of an incident – Risk Factors
  o Inherent risk due to the nature of the business environment … to include outsourced functions
  o Likelihood of past incidents predicting future events
  o Regulatory requirements and potential penalties
  o Risk mitigation oversight
  o Avoid “boiler plate” descriptions of general risk factors that apply to all/most other registrants – the SEC requires specific cyber risks relating to the registrant
  o Summary of relevant insurance coverage

Business Description
  o Inherent risk – material impact on clients, partners and industry
  o Competitive position
  o Viability of current or future products

Legal Proceedings
  o Identification of ongoing or potential litigation with material impact
  o Description of impact or relief being requested

Financial Statement Disclosure
  o Remediation, investigation and recovery costs
  o Security program enhancements
  o Litigation costs and fines
  o Reputation damage or impairment of future earnings

Disclosure Controls and Procedures
  o Impact on future reporting for the registrant

Management Discussion & Analysis

Integrate cyber risk into an enterprise risk management program

More than a firewall

Business and IT involvement to select JUSTIFIED controls

Monitor control effectiveness to guide program adjustments

Establish controls to identify future risks … potential data breach

Management Discussion – The Bigger Picture

With more advanced cyber threats, more distributed business support systems and a reduced tolerance for system failure, data risk management has moved from the data center to the board room.

How will organization governance identify and respond to new risks?

• Privacy is only part of the problem … critical infrastructure is coming under attack

• The FBI is shifting its mission to focus on cyber crime

• DHS has launched a new cyber division that would get new authority under the Comprehensive Cybersecurity Bill proposed in 2012

• Protecting a company requires more active participation in the cyber security community (e.g., an ISAC)

SEC Disclosure Guidance – Issues

Culture and Cost
“It’s very unlikely companies are going to belly up to the bar and run around and start reporting this all of sudden,” said Jody Westby, chief executive of Global Cyber Risk, a consulting firm. The ROI of cyber risk is still not fully understood.

Volume of Data Breach Events
But Larry Ponemon, chairman of the Ponemon Institute, a research group in Traverse City, Mich., said reporting on potential risk is almost meaningless because virtually every firm is at risk and “almost every major organization” has suffered a breach. He predicted that companies still will provide only minimal disclosure.

Lack of Understanding of Where the Toxic Data Is Located
One of the easiest risk management questions a CEO could ask a CIO is, “please give me a list of our most sensitive data and a brief map on where all that data is located on our critical systems or with our 3rd parties.” For auditors, this is a typical scope question, but for executives it is a “Bet the Business” question.

Lack of Corporate Oversight for Information Security
Many organizations do not effectively link security EVENT monitoring to INCIDENT REPORTING. As a result of limited transparency, more senior executives are SURPRISED by incidents.

Cyber Risk Exposure – Types of Data

ePHI – Patient Data (HIPAA/HITECH)
Credit card data (PCI DSS)
Non-public Personal Financial Data (GLBA and FTC)
Personally Identifiable Information (PII)
Payroll data
Tax data
Credit report and background checks
Access to critical infrastructure systems
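The “where is our toxic data” question above is usually answered by a discovery pass over file shares, exports, logs and third-party locations. The following is an added example, not code from the original presentation or from Coalfire: it scans a set of constructed sample files (the paths and contents are invented for illustration), looks for two of the data types listed above (payment card numbers validated with the Luhn check so that random digit strings are not reported, and U.S. SSN-shaped values), and builds the kind of per-data-class location map an executive would ask for. Real deployments would walk actual file systems and storage APIs; the in-memory dictionary stands in for that.

```python
"""Sensitive-data discovery: build a map of which locations hold which
regulated data classes. Added example; sample files below are constructed."""
import re
from collections import defaultdict

# Constructed sample "files" (hypothetical paths and contents, not real data).
SAMPLE_FILES = {
    "/srv/reservations/export_2012-06.csv": (
        "guest,card\n"
        "J. Smith,4111111111111111\n"   # well-known Luhn-valid test PAN
        "A. Jones,4111111111111112\n"   # fails Luhn: reported as nothing
    ),
    "/home/payroll/2011_w2.txt": "SSN 123-45-6789 wages 52000\n",
    "/var/log/app.log": "order 20120626-0001 total 119.00\n",   # no sensitive data
    "s3://partner-bucket/feed.json": '{"pan": "5500 0000 0000 0004"}\n',  # 3rd-party location
}

# 13-19 digits, optionally separated by spaces or hyphens (as PANs appear in exports).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN shape with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits (PCI DSS display rule) for the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(text: str):
    """Return (data_class, masked_sample) tuples found in one file's contents."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("credit card data (PCI DSS)", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("PII (SSN)", "***-**-" + m.group()[-4:]))
    return findings


def build_data_map(files: dict) -> dict:
    """Map each data class to the locations (and masked samples) where it was found."""
    data_map = defaultdict(list)
    for path, text in files.items():
        for data_class, sample in classify(text):
            data_map[data_class].append((path, sample))
    return dict(data_map)


if __name__ == "__main__":
    for data_class, hits in build_data_map(SAMPLE_FILES).items():
        print(data_class)
        for path, sample in hits:
            print("   ", path, sample)
```

The Luhn check is what separates a usable inventory from noise: order numbers and timestamps in the log file are digit runs too, but they fail either the length or the checksum test and are not reported. Locations outside the company's own systems (the partner bucket here) show up in the same map, which is the “with our 3rd parties” half of the question.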

SEC Impact Considerations

Material Impact Calculation

Investigation and Remediation Costs
Enhanced Security Program Costs
Lost Revenues
Litigation and Regulatory Fines
Reputation Damage
Cyber Liability Insurance

SEC, Cyber Liability Insurance & 3 Myths

Myth #1 – “I use the online reservation system offered by my franchise. They’ll cover me if their system is hacked and my guests’ information is compromised.”

Myth #2 – “If a hotel guest’s credit card information is stolen at the property level, my payment card processing company will cover me under their policy.”

Myth #3 – “Cyber liability coverage is a waste of money.”

Source: Hotel “Cyber Liability Myths Exposed,” by Brad Durbin, Petra Risk Solutions

The Path Forward – Risk Management Program

NIST SP 800-30 is an industry “best practice” and is referenced by the HIPAA Security Rule.

1. Scope the Analysis
2. Inventory and Characterize Systems
3. Threat and Vulnerability Assessment
4. Identify Security Controls/Safeguards
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Risk Remediation
9. Results Documentation (Report)

Repeat periodically.

Risks to Consider for Retail Environments

Changing Environment
• Mobile payments
• Cloud services
• New regulatory oversight

Changing Controls
• Post firewall and AV era
• New security technology (white listing, cloud log sharing, identity management systems, enhanced incident response plans, and data loss prevention tools)
• Cybersecurity is shifting from prevention to agile response … are your controls changing, as well? …. Shucks, we have to change our risk assessment and audit procedures.

Enhanced Threats
• Current threat analysis – available from the intelligence community and ISACs
• New threat vectors change control selection … go beyond PCI DSS test procedures

The Insider Threat
• Several fraud investigations resulted in employee theft and not system breach

Other Federal/State Government Enforcement Actions on Data Breach, Privacy and Security

FBI – Federal Bureau of Investigation – Increasing pace of privacy and security enforcement actions

FTC – Federal Trade Commission – Increasing number of lawsuits and settlements relating to consumer privacy and security

States – Massachusetts, California, Texas and almost all 50 states have recently enacted and are increasingly enforcing data breach, privacy, and security laws, with money fines and other penalties for companies failing to conform to state data breach, privacy and security laws and regulations.

FBI – Privacy and Security Enforcement

The FBI announced in June that a 2-year undercover operation called “Operation Card Shop” had come to fruition.

Busting two dozen people in 13 countries for fraud involving computer crime was described by the Bureau as “the largest coordinated international law enforcement action in history directed at ‘carding' crimes—offenses in which the internet is used to traffic in and exploit the stolen credit card, bank account, and other personal identification information of hundreds of thousands of victims globally.”

The operation involved a fake website called CarderProfit.com created by the FBI and described as a “veritable eBay for thieves.” Criminals used the site to buy and sell stolen credit card information without knowing they were being watched. Federal officials say this elaborate sting prevented potential losses of more than $200 million.

Other FBI cyber crime-fighting successes in June include the arrest of a Pennsylvania man on charges of hacking into a variety of companies and government agencies and selling stolen access credentials. There were guilty pleas in one high-profile case as two members of the LulzSec hacking collective, Ryan Cleary and Jake Davis, pled guilty to various cyber crimes in a UK court, and in another headline-grabbing case a serious recommended punishment was filed concerning a man from Jacksonville, Fla., who hacked into celebrity email accounts. Perhaps the fear of five years in jail and paying a six-figure restitution will help deter folks from invading other people's digital space.

FTC Enforcement Escalation over 10 yrs (1)

10 years ago, the FTC alleged that Microsoft made false security and privacy promises pertaining to Microsoft's Passport Single Sign-In, Passport Wallet, and Kids Passport. The case was settled by Microsoft agreeing to implement and maintain a comprehensive information security program. In addition, Microsoft agreed to have its security program “certified as meeting or exceeding the standards in the consent order by an independent professional every two years.”

Since then, the FTC has taken seriously the words uttered by Chairman Timothy J. Muris when he announced the 2002 settlement with the world's largest software company:

“Good security is fundamental to protecting consumer privacy. Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It's not only good business, it's the law. Even absent known security breaches, we will not wait to act.”

In the decade since then, a wide range of companies have been hit with FTC privacy settlements, including social network giant Facebook, search giant Google, pharmacy giant CVS Caremark, and media giant Disney. These settlements subject the company to decades of scrutiny that amounts to probation, during which any additional violations carry accelerated penalties. In some cases, there are multi-million dollar fines as well, like $5 million for CVS and $3 million for Disney.

FTC Enforcement Escalation Over 10 yrs (2)

FTC issued its largest fine in a privacy-related case in 2006 against data broker ChoicePoint Inc. for compromises of financial records of more than 163,000 consumers. ChoicePoint agreed to pay $10 million in civil penalties and $5 million in consumer redress in a settlement.

In 2011, FTC signed consent decrees with Google Inc. , Facebook Inc., and Twitter Inc. over privacy violations, requiring the companies to adopt comprehensive privacy programs and submit to audits. Social-networking company MySpace Inc. settled similar allegations with the agency last month.

In June 2012, the FTC settled a complaint against Spokeo, a Pasadena, California-based search engine, for selling personal information in violation of the law. Spokeo agreed to pay $800,000. Spokeo’s business model has been described as “spookeo” because it revolves around collecting personal information about individuals from various sources, including social networks, and merging the data to build dossiers that include name, address, age, email address, hobbies, photos, ethnicity, religion, and participation on social networking sites.

FTC – Protecting Consumer Privacy

The FTC released its final report on April 2, 2012: “Protecting Consumer Privacy in an Era of Rapid Change,” addressing privacy issues associated with new and emerging technologies and business models (“Report”).

The FTC Report articulates a privacy framework of best practices (“Framework”) for businesses to follow in developing and implementing privacy and security practices relating to the collection and use of consumer data. While not legally binding, the Framework is an indication of how the FTC will use its enforcement and regulatory authority, including its authority to challenge unfair or deceptive practices, under Section 5 of the FTC Act. As such, companies should pay close attention to the Framework in order to mitigate any FTC enforcement actions.


“FTC Sues Wyndham Over Breaches Linked to $10m In Fraud,” by Paul Roberts, June 26, 2012, 2:18PM

UPDATE: The U.S. Federal Trade Commission has fined Wyndham Hotels for a string of data breaches that resulted in information on hundreds of thousands of customers being lost to cyber criminals. An FTC complaint, filed on June 26, 2012, asks for "permanent injunctive relief" against Wyndham for failing to maintain what the FTC calls "reasonable security" necessary to keep intruders from compromising the network of the hotel chain. Wyndham's failure to protect its IT network laid the groundwork for a series of three data breaches in which cyber criminals based in Russia stole financial information later used to generate $10.6 million in fraudulent purchases. A Phoenix, Arizona, data center used by Wyndham was the source of the breach, the FTC said.

Alleged Violations of the FTC Act in the FTC Lawsuit:

1. DECEPTION: Wyndham represented that they had “implemented reasonable and appropriate measures to protect personal information against unauthorized access.” They failed to take such actions. The statements they made about security were false or misleading and constitute a violation of the Act under deceptive acts or practices.

2. UNFAIRNESS: Wyndham “failed to employ reasonable and appropriate measures to protect personal information against unauthorized access.” This failure has caused substantial injury to consumers and “is not outweighed by countervailing benefits to consumers or competition.”

Wyndham and SEC Disclosure Guidance

Even though hackers broke into computers at hotel giant Wyndham three times in two years and stole credit card information belonging to over half a million customers, Wyndham did not report the break-ins in corporate filings, even with the new SEC cyber risk disclosure guidance.

Wyndham didn't mention the break-ins in its 2011 annual report or prior securities filings, according to an Associated Press review of the records. Wyndham's 2011 annual report said the "hospitality industry is under increasing attack by cyber-criminals in the U.S. and other jurisdictions in which we operate" and noted that it was involved in "claims relating to information security and data privacy." Wyndham spent $13 million more on security improvements and expects to spend as much as $100 million in 2012 to guard against "the increasingly aggressive global threat.”

Wyndham said in an emailed statement to the Associated Press that it "fully complied with SEC regulations in regards to the disclosure of material events." In the statement, Wyndham said the incidents were "previously reported,” in reference to notices to consumers that were published on the company's website. The company also said the FTC's claims were without merit.

The Penalty

$1.5 million FTC lawsuit

$10 million in fraud claims reimbursement

Legal and remediation costs

Higher IT audit and compliance reporting costs

Reputation and/or brand damage

Failure to comply with SEC Cyber Risk Guidance?

What does this mean for Franchisors?

"If the allegations are true, this is a damning indictment of Wyndham's security, and its commitment to customer privacy and safety," says Neal O'Farrell, executive director of The Identity Theft Council, a grassroots ID theft protection agency. "I've seen small businesses with better security."

O'Farrell says the weak links are likely Wyndham's franchised locations, "where poor security standards can create easy opportunities for intruders." He adds: "Those weak links become a back door to the corporate networks and sensitive information."

Bruce Schaeffer, President of Franchise Valuations Ltd., observes that personal data breaches among franchise chains are more frequent than commonly thought due to inadequate security measures. "I have more toes on my right foot than there are franchisors that I know of that do any, much less regular, penetration testing of their networks and have information security policies and procedures in place — and written in their operating manuals," says attorney Schaeffer.

"Regular application layer vulnerability testing is required for all Internet facing applications in addition to code reviews before they go live," cautions Henry Chan of Franchise Technology Risk Management. "The other risk to point out is that most franchisors outsource all of their technology development," observes Chan.

Summary

Establish an enterprise IT risk management program

Apply known risk factors to go beyond baseline compliance and industry standard risk disclosure

Report cyber security risks in a more comprehensive manner

Confirm that your Incident Response Program is current and includes adequate disclosure and update processes

Questions

Contact Info

Rick Dakin CEO & Chief Security Strategist

[email protected]

877.224.8077 ext. 7001