Deconstructing the
Cost of a Data Breach
Agenda



• Introductions

• Deconstructing the cost of a data breach:
  • Data breaches can involve many types of data.
  • Data breaches can involve many types of costs.
  • The costs of a data breach can range from zero to more
    than $170 million.

• Q&A


                             Page 2
Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems
  • Security / compliance entrepreneur
  • Security industry analyst

• Patrick Florer, Co-Founder & CTO, Risk Centric Security
  • Fellow of and Chief Research Analyst at the Ponemon Institute.
  • 32 years of IT experience, including roles in IT operations,
    development, and systems analysis
  • 17 years in parallel working in medical outcomes research,
    analysis, and the creation of evidence-based guidelines for medical
    treatment




                                  Page 3
Co3 Automates Breach Management

PREPARE: Improve Organizational Readiness
•   Assign response team
•   Describe environment
•   Simulate events and incidents
•   Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
•   Track events
•   Scope regulatory requirements
•   See $ exposure
•   Send notice to team
•   Generate Impact Assessments

REPORT: Document Results and Track Performance
•   Document incident results
•   Track historical performance
•   Demonstrate organizational preparedness
•   Generate audit/compliance reports

MANAGE: Easily Generate Detailed Incident Response Plans
•   Escalate to complete IR plan
•   Oversee the complete plan
•   Assign tasks: who/what/when
•   Notify regulators and clients
•   Monitor progress to completion




                                      Page 4
About Risk Centric Security

• Risk Centric Security offers state of the art SaaS tools and training that
  empower Information Security Professionals to perform credible,
  defensible, and reproducible risk and decision analyses, and to
  articulate the results and relevance of these analyses in language that
  business counterparts will understand.

• Risk Centric Security was founded by two Information Technology and
  Information Security veterans who have more than forty years of
  combined experience providing solutions to complex problems for
  smaller companies as well as for companies in the Fortune 1000.


Risk Centric Security, Inc.
www.riskcentricsecurity.com

Authorized reseller of ModelRisk from Vose Software



                                                      Page 5
What is a data breach?

 Data Breach:

 • A data breach is an incident in which sensitive, protected or confidential data
   has potentially been viewed, stolen or used by an individual unauthorized to
   do so. Data breaches may involve personal health information (PHI),
   personally identifiable information (PII), trade secrets or intellectual property.

 • The law is evolving – basically a breach is an unauthorized use of a computer
   system.

 • Many prosecutions take place under provisions of the Computer Fraud and
   Abuse Act (CFAA).

 • Data breaches can also happen by accident or error.


                                         Page 6
What is a data breach?

Data Breach:

• Is the concept of a breach too narrow to describe many
  types of events?

• Do we need different words and concepts?

   • A single event at a single point in time?

   • What about an attack that exfiltrates data over a long
     period of time?



                              Page 7
What kinds of data might be exposed?



 • Operational Data
 • Intellectual Property
 • Financial Information
 • Personally Identifiable Information (PII)
 • Protected Health Information (PHI)




                          Page 8
What kinds of data might be exposed?


Personally Identifiable Information (PII):
• The U.S. government used the term "personally identifiable" in 2007 in a
  memorandum from the Executive Office of the President, Office of
  Management and Budget (OMB), and that usage now appears in US
  standards such as the NIST Guide to Protecting the Confidentiality of
  Personally Identifiable Information (SP 800-122). The OMB
  memorandum defines PII as follows:

  • Information which can be used to distinguish or trace an individual's
    identity, such as their name, social security number, biometric records,
    etc. alone, or when combined with other personal or identifying
    information which is linked or linkable to a specific individual, such as
    date and place of birth, mother’s maiden name, etc.


                                     Page 9
What data aren’t PII?


• Data that identify a person that are not considered
  protected:
 • Name
 • Address
 • Phone number
 • Email address – things are changing with regard to e-mail
   addresses
 • Facebook name
 • Twitter handle


                            Page 10
Is it PII or not?

 Personally Identifiable Information (PII):
 • According to the OMB, it is not always the case that PII is "sensitive",
   and context may be taken into account in deciding whether certain PII
   is or is not sensitive.

 • Geo-location data?

 • Was the Epsilon breach a “breach”?

 • Have there been other “non-breach” breaches?

 • Given the powerful correlations that can be made, are these definitions
   too narrow?



                                   Page 11
What kinds of data might be exposed?


Protected Health Information (PHI):

  Protected health information (PHI), under the US Health
  Insurance Portability and Accountability Act (HIPAA), is
  any information about health status, provision of health
  care, or payment for health care that can be linked to a
  specific individual. This is interpreted rather broadly and
  includes any part of a patient’s medical record or payment
  history.




                            Page 12
POLL
What costs are we going to discuss?


 • Direct and Indirect Costs?

 • Primary and Secondary Costs?

 • Costs that we should be able to discover and/or
   estimate.


 • Costs that might be difficult to discover and/or
   estimate.

                          Page 14
What costs are we going to discuss?


Costs that we should be able to discover and/or
estimate:
 •   Lost productivity
 •   Incident response and forensics costs
 •   Costs of replacing lost or damaged hardware, software, or information
 •   Public relations costs
 •   Legal costs
 •   Costs of sending letters to notify customers and business partners
 •   Costs of providing credit monitoring
 •   Fines from governmental action (HIPAA/HITECH, FTC, State
     Attorneys General, etc.)


                                    Page 15
What costs are we going to discuss?


Costs that we should be able to discover and/or
estimate:
 • Fines and indemnifications imposed by contracts with business
   partners

 • Contractual fines and penalties resulting from PCI DSS related
   incidents - either data loss or compliance failure

 • Judgments and legal settlements - customers, business partners,
   shareholders

 • Additional compliance and audit costs related to legal settlements (20
   years of additional reporting, for example)


                                   Page 16
What costs are we going to discuss?


Costs that might be difficult to discover and/or
estimate:
 • Loss of competitive advantage
 • Loss of shareholder value
 • Reputation loss
 • Opportunity and Sales losses from customers and
   business partners who went elsewhere
 • Value of intellectual property




                           Page 17
Whose costs are we going to discuss?

 • Breached entity?
 • Shareholders?
 • Citizens / the public at large?
 • Card brands?
 • Issuing banks?
 • Customers?
 • Business partners?
 • Consumers?
 • Taxpayers (law enforcement costs)?



                           Page 18
How do we measure and estimate costs?

 • Fixed / Overall Costs

  Per record costs

 • Direct/Primary

 • Indirect/Secondary

 • Variable costs that scale with magnitude of breach



                             Page 19
Sources of Data

How do we know about data breaches?
 •   Victim notifications
 •   News media
 •   Securities and Exchange Commission (SEC) filings
 •   Department of Justice (DOJ) indictments
 •   HIPAA/HITECH Office of Civil Rights (OCR) actions
 •   FTC actions
 •   Press releases
Disclosure laws
 • HIPAA/HITECH
 • State breach laws
 • New SEC Guidance re “material” impact


                                   Page 20
Sources of Data

Research projects:
 • Datalossdb.org (www.datalossdb.org)
 • Identity Theft Resource Center (www.idtheftcenter.org)
 • Office of Inadequate Security (www.databreaches.net)


Published reports:
 •   Cisco
 •   Mandiant
 •   Ponemon Institute
 •   Sophos
 •   Symantec
 •   Verizon Business DBIR
 •   X-Force (IBM)

                                  Page 21
Sources of Data


Non-public sources:
 • Forensics Investigators
 • Card Brands
 • Payment Processors
 • Subscription services
 • Data sharing consortia – Information Sharing and Analysis
   Centers (ISACs)
 • Government Intelligence agencies
 • Word of mouth and anecdotal evidence


                            Page 22
Some Estimates of Cost

Ponemon Institute 2011 Cost of Data Breach Study:
 United States
 • 49 Companies surveyed – multiple people per company.
 • Breach sizes ranged from 5K – 100K exposed records.
 • Participants estimated the minimum and maximum
   amounts for a number of costs, from which the mid-point
   value was selected.
 • According to some legal experts, Ponemon Institute
   numbers are the “gold” standard in the Federal Courts.
 • The raw data are published in the report appendix.


                            Page 23
POLL
Some Estimates of Cost: Ponemon Institute


In the 2011 report:

 • Overall weighted average per record = $194 (down from
   $214 in 2010)

 • Overall average total = $5.5 M (down from $7.2M in 2011)




                            Page 25
Some Estimates of Cost: Ponemon Institute




                       Page 26
Some Estimates of Cost: Ponemon Institute




                       Page 27
Some Estimates of Cost: Larger Breaches


DSW Shoes (2005):

 • 1.4 million records / $6.5M – $9.5M (press releases)

 • Cost per record = $4.64 – $6.79




                             Page 28
Some Estimates of Cost: Larger Breaches


TJX (Dec, 2007):

 • 90 million records / $171M – $191M (SEC filings)

 • Accelerated CapEx = $250M (rumored)

 • Cost per record = $1.90 – $2.12




                            Page 29
Some Estimates of Cost: Larger Breaches


Heartland Payment Systems (Dec, 2009):

 • 130 million records / $114M – $117M, after $31.2M recovery
   from insurance (SEC filings)

 • Cost per record = ~$0.90




                              Page 30
Some Estimates of Cost: Larger Breaches


Sony (Mar, 2011):

 • 100 million records / $171M (Sony press release)

 • Cost per record = $1.71




                             Page 31
Some Estimates of Cost: Larger Breaches


Global Payments (June, 2011):

 • 1.5 - 7 million records / $84.4M in 2012, $55 - $65M in
   2013 (SEC filings)

 • Up to $30M recovered through insurance (SEC filings)

 • Total cost estimated to be $110M - $120M

 • Cost per record = $15.71 - $80


                             Page 32
Some Estimates of Cost: Larger Breaches

South Carolina Department of Revenue (October, 2012), as of 11/08/2012:

 • 3.8M individual tax returns exposed – up from 3.6M
 • 657,000 business returns exposed
 • Two pronged attack – phish and malware
 • Data were not encrypted – Governor of SC stated it was
   best practice not to encrypt
 • Outside forensics and legal have been retained
 • Total cost estimated to be $12M - $18M
 • Cost per record = $3 – $5

                            Page 33
Some Estimates of Cost: Correlations


• Measured on a per record basis, the cost per
  record declines as the size of the breach increases

• Measured on a total cost basis, the total cost
  increases as the number of exposed records
  increases

• Both of these correlations are weak



                          Page 34
Some Estimates of Cost: Ponemon Correlations




                       Page 35
Some Estimates of Cost: Ponemon Correlations




                       Page 36
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 37
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 38
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 39
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 40
Some Estimates of Cost: Ponemon + Other Data
Correlations




                       Page 41
Some Estimates of Cost: Ponemon + Other Data
Correlations
         Normal Copula Correlation: Variable 1 = records, Variable 2 = Total Cost




                                        Page 42
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 43
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 44
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 45
Some Estimates of Cost: Ponemon + Other Data
Correlations




                       Page 46
Are There Patterns in the Data?
Log10 Frequency of Exposed Records




                      Page 47
Are there Patterns in the Data? Beta4 Distribution with Uncertainty




                         Page 48
Are there Patterns in the Data? Beta4 Quantile-
Quantile (Q-Q) Plot




                         Page 49
Are there Patterns in the Data? Levy Distribution – a
very poor fit




                         Page 50
Are There Patterns in the Data? Future Research


Model breach cost by size of breach, using a
 scale that is logarithmic (mostly):

   • <5K records
   • 5K – 100K records
   • 100K – 1M records
   • 1M – 10M records
   • 10M – 100M records
   • >100M records



                          Page 51
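To make the per-record arithmetic on the cost slides and the log-scale size bins proposed under Future Research concrete, here is an added Python example (not part of the original deck) that takes the six large-breach figures as the slides report them, derives each breach's per-record cost range, assigns it to the deck's size bins, and computes Spearman rank correlations of breach size against total and per-record cost. The bin boundaries (lower bound inclusive, upper exclusive) and the use of range midpoints for the correlations are assumptions of this example.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Breach-size bins from the "Future Research" slide. Lower bound inclusive,
# upper bound exclusive is an assumption (the slide gives only the labels),
# so a breach of exactly 100M records lands in the top bin.
SIZE_BINS: List[Tuple[float, str]] = [
    (5_000, "<5K"),
    (100_000, "5K-100K"),
    (1_000_000, "100K-1M"),
    (10_000_000, "1M-10M"),
    (100_000_000, "10M-100M"),
    (math.inf, "100M+"),
]

def size_bucket(records: float) -> str:
    """Map a record count onto the deck's (mostly) logarithmic scale."""
    for upper, label in SIZE_BINS:
        if records < upper:
            return label
    raise ValueError("record count must be a finite number")

@dataclass
class Breach:
    name: str
    records_lo: float  # exposed records; lo == hi when one figure was reported
    records_hi: float
    cost_lo: float     # reported total cost in USD; lo == hi for a point value
    cost_hi: float

    def records_mid(self) -> float:
        return (self.records_lo + self.records_hi) / 2
    def cost_mid(self) -> float:
        return (self.cost_lo + self.cost_hi) / 2
    def per_record_range(self) -> Tuple[float, float]:
        """Widest per-record cost consistent with both reported ranges."""
        return (self.cost_lo / self.records_hi, self.cost_hi / self.records_lo)

# The six large breaches with the figures the slides give (costs in USD).
BREACHES: List[Breach] = [
    Breach("DSW Shoes (2005)", 1.4e6, 1.4e6, 6.5e6, 9.5e6),
    Breach("TJX (2007)", 90e6, 90e6, 171e6, 191e6),
    Breach("Heartland (2009)", 130e6, 130e6, 114e6, 117e6),
    Breach("Sony (2011)", 100e6, 100e6, 171e6, 171e6),
    Breach("Global Payments (2011)", 1.5e6, 7e6, 110e6, 120e6),
    Breach("SC Dept. of Revenue (2012)", 3.8e6, 3.8e6, 12e6, 18e6),
]

def _ranks(values: Sequence[float]) -> List[float]:
    """Rank values 1..n ascending, giving tied values their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1  # positions are 0-based, ranks 1-based
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks

def _pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)

def spearman(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Spearman rank correlation: Pearson correlation of the two rank vectors."""
    return _pearson(_ranks(xs), _ranks(ys))

def correlations(breaches: Sequence[Breach]) -> Dict[str, float]:
    """Rank correlation of breach size with total and with per-record cost,
    using range midpoints (an assumption) where the deck reports a range."""
    size = [b.records_mid() for b in breaches]
    total = [b.cost_mid() for b in breaches]
    per_record = [b.cost_mid() / b.records_mid() for b in breaches]
    return {
        "records_vs_total_cost": spearman(size, total),
        "records_vs_per_record_cost": spearman(size, per_record),
    }

def group_by_bucket(breaches: Sequence[Breach]) -> Dict[str, List[str]]:
    """Breach names falling in each size bin, keyed by the bin label."""
    groups: Dict[str, List[str]] = {}
    for b in breaches:
        groups.setdefault(size_bucket(b.records_mid()), []).append(b.name)
    return groups

if __name__ == "__main__":
    print({b.name: b.per_record_range() for b in BREACHES})
    print(correlations(BREACHES))
```

With only six points the coefficients say little on their own; the deck's verdict that both correlations are weak rests on the fuller Ponemon and other data shown in the charts.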
Wrap-up


• We have covered many topics today. To
  summarize:

 • Breaches can involve many types of data:

   • To date, most reported breaches deal with PII, PHI, and
     credit card data.
   • For many of these breaches, the number of records
     exposed is not reported, often because the number is
     unknown.
   • Intellectual property breaches are seldom reported,
     possibly because they are so difficult to detect.

                            Page 52
Wrap-up



 • Breaches involve many types of costs:

  • In the largest credit card breaches, the majority of costs
    are due to settlements with the card brands.
  • A PHI breach may result in fines that seem
    disproportionate to the number of records exposed.
  • Per-record metrics are appropriate for some types of
    breaches (PII, PHI, CCard), but not others (IP).
  • Brand damage and loss of stock value are difficult to
    measure, and, in some cases, do not appear to exist.


                             Page 53
Wrap-up

• The costs of a data breach can range from nothing to over
  $170 million.

 • Breaches that are never detected cost nothing – nothing
   that can be measured, at least.
 • Per the numbers from the 2011 Ponemon Institute Cost of
   Breach study, there is a wide variation in total breach cost:
   from $500K to over $20 million.
 • For breaches that expose more than 1 million records, the
   reported costs per record vary greatly, ranging from as
   little as $0.90 (HPS) per record to as much as $80 per
   record (GP).

                              Page 54
Wrap-up

• There may be patterns in the data that can help us predict
  the cost of a breach, should it happen to us:

 • The numbers of records exposed in reported breaches
   appear to follow a lognormal distribution.
 • Although the correlations are not strong, total costs
   increase and per-record costs decrease as the number of
   exposed records increases.
 • As breach size increases, some costs appear to scale
   more than others: forensics = less, notifications = more,
   credit monitoring = more, fines & judgments = more,
   customer loss = unknown

                              Page 55
QUESTIONS

“Co3 Systems makes the process of planning for a nightmare scenario as
painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”
GARTNER

“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE

One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

Patrick Florer
Co-Founder & CTO
Risk Centric Security, Inc.
214-828-1172
patrick@riskcentricsecurity.com
www.riskcentricsecurity.com
APPENDIX
What kinds of data might be exposed?


Operational Data:
 • Unpublished phone numbers
 • Private email addresses
 • HR data about employees
 • Passwords and login credentials
 • Certificates
 • Encryption keys
 • Tokenization data
 • Network and infrastructure data


                            Page 59
What kinds of data might be exposed?


Intellectual Property:
 • Company confidential information
 • Financial information
 • Merger, acquisition, divestiture, marketing, and other plans
 • Product designs, plans, formulas, recipes




                             Page 60
What kinds of data might be exposed?


Financial information:
 • Credit / debit card data
 • Bank account and transit routing data
 • Financial trading account data
 • ACH credentials and data




                             Page 61
What is PII in the European Union?


Personally Identifiable Information (PII):

• A term similar to PII, "personal data" is defined in EU directive 95/46/EC, for the
  purposes of the directive:

      Article 2a: 'personal data' shall mean any information relating to an identified
      or identifiable natural person ('data subject'); an identifiable person is one who
      can be identified, directly or indirectly, in particular by reference to an
      identification number or to one or more factors specific to his physical,
      physiological, mental, economic, cultural or social identity;




from wikipedia.com


                                          Page 62
What is Protected Health Information (PHI)?

• PHI that is linked based on the following list of 18 identifiers
  must be treated with special care according to HIPAA:
 • Names
 • All geographical subdivisions smaller than a State, including street address,
   city, county, precinct, zip code, and their equivalent geocodes, except for the
   initial three digits of a zip code, if according to the current publicly available
   data from the Bureau of the Census: (1) The geographic unit formed by
   combining all zip codes with the same three initial digits contains more than
   20,000 people; and (2) The initial three digits of a zip code for all such
   geographic units containing 20,000 or fewer people is changed to 000
 • Dates (other than year) for dates directly related to an individual, including
   birth date, admission date, discharge date, date of death; and all ages over 89
   and all elements of dates (including year) indicative of such age, except that
   such ages and elements may be aggregated into a single category of age 90
   or older
 • Phone numbers

                                        Page 63
What is Protected Health Information (PHI)?

    Protected Health Information (PHI):
 •   Fax numbers
 •   Electronic mail addresses
 •   Social Security numbers
 •   Medical record numbers
 •   Health plan beneficiary numbers
 •   Account numbers
 •   Certificate/license numbers
 •   Vehicle identifiers and serial numbers, including license plate numbers;
 •   Device identifiers and serial numbers;
 •   Web Uniform Resource Locators (URLs)
 •   Internet Protocol (IP) address numbers
 •   Biometric identifiers, including finger, retinal and voice prints
 •   Full face photographic images and any comparable images
 •   Any other unique identifying number, characteristic, or code (note this does not
     mean the unique code assigned by the investigator to code the data)

                                           Page 64
How do we estimate costs – Intellectual Property


How to value?
 • Fair Market Value
 • Cost to Create
 • Historical Value


Methodologies:
 •   Cost Approach: Reproduction or Replacement
 •   Market Approach
 •   Income Approach
 •   Relief from Royalty Approach
 •   Technology Factor



                                 Page 65

[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...AIIM International
 
Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...Edge Pereira
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyResilient Systems
 
2011 hildebrandt institute cio forum data privacy and security presentation...
2011 hildebrandt institute cio forum   data privacy and security presentation...2011 hildebrandt institute cio forum   data privacy and security presentation...
2011 hildebrandt institute cio forum data privacy and security presentation...David Cunningham
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteGlobus
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response PlanNext Dimension Inc.
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Lawley Insurance
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a bytelgcdcpas
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...Financial Poise
 

Similar to Co3 rsc r5 (20)

3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
 
Data Breach Response is a Team Sport
Data Breach Response is a Team SportData Breach Response is a Team Sport
Data Breach Response is a Team Sport
 
74 x9019 bea legal slides short form ged12.12.16
74 x9019 bea legal slides short form ged12.12.1674 x9019 bea legal slides short form ged12.12.16
74 x9019 bea legal slides short form ged12.12.16
 
Protecting Client Data 11.09.11
Protecting Client Data 11.09.11Protecting Client Data 11.09.11
Protecting Client Data 11.09.11
 
Data Breach In The Hospitality Industry
Data Breach In The Hospitality IndustryData Breach In The Hospitality Industry
Data Breach In The Hospitality Industry
 
Shaping the Future of Trusted Digital Identity
Shaping the Future of Trusted Digital IdentityShaping the Future of Trusted Digital Identity
Shaping the Future of Trusted Digital Identity
 
Identifying Your Agency's Vulnerabilities
Identifying Your Agency's Vulnerabilities Identifying Your Agency's Vulnerabilities
Identifying Your Agency's Vulnerabilities
 
David doughty presentation 181119
David doughty presentation 181119David doughty presentation 181119
David doughty presentation 181119
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
 
Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The Ugly
 
2011 hildebrandt institute cio forum data privacy and security presentation...
2011 hildebrandt institute cio forum   data privacy and security presentation...2011 hildebrandt institute cio forum   data privacy and security presentation...
2011 hildebrandt institute cio forum data privacy and security presentation...
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest Keynote
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response Plan
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a byte
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
 

Recently uploaded

(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607dollysharma2066
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Pereraictsugar
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...ictsugar
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis UsageNeil Kimberley
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxMarkAnthonyAurellano
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadAyesha Khan
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 

Recently uploaded (20)

(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 

Co3 rsc r5

5. About Risk Centric Security
• Risk Centric Security offers state-of-the-art SaaS tools and training that empower information security professionals to perform credible, defensible, and reproducible risk and decision analyses, and to articulate the results and relevance of these analyses in language that business counterparts will understand.
• Risk Centric Security was founded by two information technology and information security veterans who have more than forty years of combined experience providing solutions to complex problems for smaller companies as well as for companies in the Fortune 1000.
Risk Centric Security, Inc., www.riskcentricsecurity.com
Authorized reseller of ModelRisk from Vose Software

6. What is a data breach?
• A data breach is an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so. Data breaches may involve protected health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property.
• The law is evolving; basically, a breach is an unauthorized use of a computer system.
• Many prosecutions take place under provisions of the Computer Fraud and Abuse Act (CFAA).
• Data breaches can also happen by accident or error.

7. What is a data breach?
• Is the concept of a breach too narrow to describe many types of events?
• Do we need different words and concepts?
  - A single event at a single point in time?
  - What about an attack that exfiltrates data over a long period of time?
8. What kinds of data might be exposed?
• Operational data
• Intellectual property
• Financial information
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)

9. What kinds of data might be exposed? Personally Identifiable Information (PII)
• The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in U.S. standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows:
• "Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."

10. What data aren't PII?
• Data that identify a person but are not considered protected:
  • Name
  • Address
  • Phone number
  • Email address (things are changing with regard to e-mail addresses)
  • Facebook name
  • Twitter handle

11. Is it PII or not? Personally Identifiable Information (PII)
• According to the OMB, PII is not always "sensitive"; context may be taken into account in deciding whether certain PII is or is not sensitive.
• Geo-location data?
• Was the Epsilon breach a "breach"?
• Have there been other "non-breach" breaches?
• Given the powerful correlations that can be made, are these definitions too narrow?

12. What kinds of data might be exposed? Protected Health Information (PHI)
• Protected health information (PHI), under the U.S. Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.
13. POLL

14. What costs are we going to discuss?
• Direct and indirect costs?
• Primary and secondary costs?
• Costs that we should be able to discover and/or estimate.
• Costs that might be difficult to discover and/or estimate.

15. What costs are we going to discuss?
Costs that we should be able to discover and/or estimate:
• Lost productivity
• Incident response and forensics costs
• Costs of replacing lost or damaged hardware, software, or information
• Public relations costs
• Legal costs
• Costs of sending letters to notify customers and business partners
• Costs of providing credit monitoring
• Fines from governmental action (HIPAA/HITECH, FTC, state attorneys general, etc.)

16. What costs are we going to discuss?
Costs that we should be able to discover and/or estimate (continued):
• Fines and indemnifications imposed by contracts with business partners
• Contractual fines and penalties resulting from PCI DSS related incidents, either data loss or compliance failure
• Judgments and legal settlements: customers, business partners, shareholders
• Additional compliance and audit costs related to legal settlements (20 years of additional reporting, for example)

17. What costs are we going to discuss?
Costs that might be difficult to discover and/or estimate:
• Loss of competitive advantage
• Loss of shareholder value
• Reputation loss
• Opportunity and sales losses from customers and business partners who went elsewhere
• Value of intellectual property

18. Whose costs are we going to discuss?
• Breached entity?
• Shareholders?
• Citizens / the public at large?
• Card brands?
• Issuing banks?
• Customers?
• Business partners?
• Consumers?
• Taxpayers (law enforcement costs)?
19. How do we measure and estimate costs?
• Fixed / overall costs
• Per-record costs
• Direct / primary
• Indirect / secondary
• Variable costs that scale with the magnitude of the breach

20. Sources of Data
How do we know about data breaches?
• Victim notifications
• News media
• Securities and Exchange Commission (SEC) filings
• Department of Justice (DOJ) indictments
• HIPAA/HITECH Office for Civil Rights (OCR) actions
• FTC actions
• Press releases
Disclosure laws:
• HIPAA/HITECH
• State breach laws
• New SEC guidance regarding "material" impact

21. Sources of Data
Research projects:
• Datalossdb.org (www.datalossdb.org)
• Identity Theft Resource Center (www.idtheftcenter.org)
• Office of Inadequate Security (www.databreaches.net)
Published reports:
• Cisco
• Mandiant
• Ponemon Institute
• Sophos
• Symantec
• Verizon Business DBIR
• X-Force (IBM)

22. Sources of Data
Non-public sources:
• Forensics investigators
• Card brands
• Payment processors
• Subscription services
• Data sharing consortia: Information Sharing and Analysis Centers (ISACs)
• Government intelligence agencies
• Word of mouth and anecdotal evidence
23. Some Estimates of Cost
Ponemon Institute 2011 Cost of Data Breach Study: United States
• 49 companies surveyed, multiple people per company.
• Breach sizes ranged from 5K to 100K exposed records.
• Participants estimated the minimum and maximum amounts for a number of costs, from which the mid-point value was selected.
• According to some legal experts, Ponemon Institute numbers are the "gold standard" in the federal courts.
• The raw data are published in the report appendix.

24. POLL

25. Some Estimates of Cost: Ponemon Institute
In the 2011 report:
• Overall weighted average per record = $194 (down from $214 in 2010)
• Overall average total = $5.5M (down from $7.2M in 2010)

26–27. Some Estimates of Cost: Ponemon Institute (chart slides; no text captured)
28. Some Estimates of Cost: Larger Breaches
DSW Shoes (2005):
• 1.4 million records / $6.5M – $9.5M (press releases)
• Cost per record = $4.64 – $6.79

29. Some Estimates of Cost: Larger Breaches
TJX (Dec, 2007):
• 90 million records / $171M – $191M (SEC filings)
• Accelerated CapEx = $250M (rumored)
• Cost per record = $1.90 – $2.12

30. Some Estimates of Cost: Larger Breaches
Heartland Payment Systems (Dec, 2009):
• 130 million records / $114M – $117M, after $31.2M recovery from insurance (SEC filings)
• Cost per record = ~$0.90

31. Some Estimates of Cost: Larger Breaches
Sony (Mar, 2011):
• 100 million records / $171M (Sony press release)
• Cost per record = $1.71

32. Some Estimates of Cost: Larger Breaches
Global Payments (June, 2011):
• 1.5 – 7 million records / $84.4M in 2012, $55M – $65M in 2013 (SEC filings)
• Up to $30M recovered through insurance (SEC filings)
• Total cost estimated to be $110M – $120M
• Cost per record = $15.71 – $80

33. Some Estimates of Cost: Larger Breaches
South Carolina Department of Revenue (October 2012), as of 11/08/2012:
• 3.8M individual tax returns exposed, up from 3.6M
• 657,000 business returns exposed
• Two-pronged attack: phish and malware
• Data were not encrypted; the Governor of SC stated it was best practice not to encrypt
• Outside forensics and legal have been retained
• Total cost estimated to be $12M – $18M
• Cost per record = $3 – $5

34. Some Estimates of Cost: Correlations
• Measured on a per-record basis, the cost per record declines as the size of the breach increases.
• Measured on a total-cost basis, the total cost increases as the number of exposed records increases.
• Both of these correlations are weak.
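A worked version of the per-record arithmetic on slides 28 to 33 and of the two correlations claimed on slide 34, added here as an example; it is not code from the deck or from Co3 Systems or Risk Centric Security. The six data points are transcribed from the slides, with each cost range and the Global Payments record-count range replaced by its arithmetic midpoint (that choice is an assumption). Fitting log10(total cost) against log10(records) gives a slope between 0 and 1, which is exactly the pattern the slide describes: total cost rises with breach size, but more slowly than linearly, so cost per record falls. With only six breaches the fit comes out tighter than the weak correlation the deck reports on its fuller Ponemon-plus-other dataset; the method is the point, not the coefficients.

```python
import math

# Constructed table transcribed from slides 28-33.
# (name, records exposed, total cost in USD). Ranges are replaced by their
# arithmetic midpoints, which is an assumption made for this example.
BREACHES = [
    ("DSW Shoes (2005)",             1_400_000,   8_000_000),  # $6.5M - $9.5M
    ("TJX (2007)",                  90_000_000, 181_000_000),  # $171M - $191M
    ("Heartland (2009)",           130_000_000, 115_500_000),  # $114M - $117M, net of insurance
    ("Sony (2011)",                100_000_000, 171_000_000),
    ("Global Payments (2012)",       4_250_000, 115_000_000),  # 1.5M - 7M records, $110M - $120M
    ("SC Dept. of Revenue (2012)",   3_800_000,  15_000_000),  # $12M - $18M
]


def per_record_cost(records, total_cost):
    """Cost per exposed record, the metric used on slides 28-33."""
    return total_cost / records


def _pearson(xs, ys):
    """Pearson correlation coefficient, written out so the example needs no numpy."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def loglog_fit(breaches=BREACHES):
    """Least-squares fit of log10(total cost) = a + b * log10(records).

    Returns (a, b, r_total, r_per_record):
      b             slope; 0 < b < 1 means total cost grows with breach size
                    but sub-linearly, so cost per record falls as size grows
      r_total       correlation of log10(records) with log10(total cost)
      r_per_record  correlation of log10(records) with log10(cost per record)
    """
    xs = [math.log10(r) for _, r, _ in breaches]
    ys = [math.log10(c) for _, _, c in breaches]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    b = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
         / sum((x - mx) ** 2 for x in xs))
    a = my - b * mx
    # log10(cost per record) = log10(total cost) - log10(records)
    per_rec = [y - x for x, y in zip(xs, ys)]
    return a, b, _pearson(xs, ys), _pearson(xs, per_rec)


def estimate_total_cost(records, breaches=BREACHES):
    """Point estimate of total cost for a breach of `records` records, read off
    the fitted line. With six points and the weak correlations slide 34 warns
    about, treat this as an order-of-magnitude figure, not a forecast."""
    a, b, _, _ = loglog_fit(breaches)
    return 10 ** (a + b * math.log10(records))


if __name__ == "__main__":
    for name, records, cost in BREACHES:
        print(f"{name:28s} {records:>12,d} records  ${cost / 1e6:6.1f}M  "
              f"${per_record_cost(records, cost):6.2f}/record")
    a, b, r_total, r_per_record = loglog_fit()
    print(f"\nlog10(cost) = {a:.2f} + {b:.2f} * log10(records)")
    print(f"r(records, total cost) = {r_total:+.2f}; "
          f"r(records, cost per record) = {r_per_record:+.2f}")
    print(f"Estimate for a 10M-record breach: ${estimate_total_cost(10_000_000) / 1e6:.0f}M")
```

Because cost per record is total cost divided by records, its log-log slope is simply b minus 1; any slope below 1 for total cost therefore forces the negative per-record correlation the slide reports, and the two bullets on slide 34 are one fact seen from two sides rather than two independent findings.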
35–36. Some Estimates of Cost: Ponemon Correlations (chart slides; no text captured)

37–46. Some Estimates of Cost: Ponemon + Other Data Correlations (chart slides; slide 42 caption: Normal copula correlation, variable 1 = records, variable 2 = total cost)
47. Are There Patterns in the Data? Log10 frequency of exposed records (chart)

48. Are There Patterns in the Data? Beta4 distribution with uncertainty (chart)

49. Are There Patterns in the Data? Beta4 quantile-quantile (Q-Q) plot (chart)

50. Are There Patterns in the Data? Levy distribution, a very poor fit (chart)

51. Are There Patterns in the Data? Future Research
Model breach cost by size of breach, using a scale that is (mostly) logarithmic:
• <5K records
• 5K – 100K records
• 100K – 1M records
• 1M – 10M records
• 10M – 100M records
• >100M records
52. Wrap-up
We have covered many topics today. To summarize:
• Breaches can involve many types of data:
  • To date, most reported breaches deal with PII, PHI, and credit card data.
  • For many of these breaches, the number of records exposed is not reported, often because the number is unknown.
  • Intellectual property breaches are seldom reported, possibly because they are so difficult to detect.

53. Wrap-up
• Breaches involve many types of costs:
  • In the largest credit card breaches, the majority of costs are due to settlements with the card brands.
  • A PHI breach may result in fines that seem disproportionate to the number of records exposed.
  • Per-record metrics are appropriate for some types of breaches (PII, PHI, credit card), but not others (IP).
  • Brand damage and loss of stock value are difficult to measure and, in some cases, do not appear to exist.

54. Wrap-up
• The costs of a data breach can range from nothing to over $170 million.
• Breaches that are never detected cost nothing, or at least nothing that can be measured.
• Per the numbers from the 2011 Ponemon Institute Cost of Data Breach study, there is wide variation in total breach cost: from $500K to over $20 million.
• For breaches that expose more than 1 million records, the reported costs per record vary greatly, from as little as $0.90 (Heartland Payment Systems) to as much as $80 (Global Payments).

55. Wrap-up
• There may be patterns in the data that can help us predict the cost of a breach, should it happen to us:
  • The numbers of records exposed in reported breaches appear to follow a lognormal distribution.
  • Although the correlations are not strong, total costs increase and per-record costs decrease as the number of exposed records increases.
  • As breach size increases, some costs appear to scale more than others: forensics scales less; notifications, credit monitoring, and fines and judgments scale more; customer loss is unknown.

57. Closing slide
"Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice." PC Magazine, Editors' Choice
"Co3…defines what software packages for privacy look like." Gartner
"Platform is comprehensive, user friendly, and very well designed." Ponemon Institute
Co3 Systems: One Alewife Center, Suite 450, Cambridge, MA 02140; phone 617.206.3900; www.co3sys.com
Patrick Florer, Co-Founder & CTO, Risk Centric Security, Inc.; 214-828-1172; patrick@riskcentricsecurity.com; www.riskcentricsecurity.com
• 59. What kinds of data might be exposed?
  Operational Data:
  • Unpublished phone numbers
  • Private email addresses
  • HR data about employees
  • Passwords and login credentials
  • Certificates
  • Encryption keys
  • Tokenization data
  • Network and infrastructure data
  Page 59
• 60. What kinds of data might be exposed?
  Intellectual Property:
  • Company confidential information
  • Financial information
  • Merger, acquisition, divestiture, marketing, and other plans
  • Product designs, plans, formulas, recipes
  Page 60
• 61. What kinds of data might be exposed?
  Financial information:
  • Credit / debit card data
  • Bank account and transit routing data
  • Financial trading account data
  • ACH credentials and data
  Page 61
• 62. What is PII in the European Union?
  Personally Identifiable Information (PII):
  • A term similar to PII, "personal data" is defined in EU directive 95/46/EC, for the purposes of the directive:
    Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
    (from wikipedia.com)
  Page 62
• 63. What is Protected Health Information (PHI)?
  • PHI that is linked based on the following list of 18 identifiers must be treated with special care according to HIPAA:
    • Names
    • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census:
      (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
      (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
    • Dates (other than year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
    • Phone numbers
  Page 63
• 64. What is Protected Health Information (PHI)?
  Protected Health Information (PHI):
    • Fax numbers
    • Electronic mail addresses
    • Social Security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Device identifiers and serial numbers
    • Web Uniform Resource Locators (URLs)
    • Internet Protocol (IP) address numbers
    • Biometric identifiers, including finger, retinal and voice prints
    • Full face photographic images and any comparable images
    • Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
  Page 64
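The 18-identifier list on slides 63 and 64 is what a de-identification step has to enforce before a record stops counting as PHI. The Python below is an added example, not code from the slides, HIPAA or any vendor: it applies the three rules the slides spell out in detail (ZIP truncated to three digits, with 000 for prefixes covering 20,000 or fewer people; dates reduced to year; ages over 89 aggregated into a 90-or-older bucket) and strips the remaining direct identifiers by field name. The `LOW_POPULATION_ZIP3` set, the field-name mapping and the sample record are constructed for illustration; a real implementation takes the prefix list from current Census data and the field mapping from its own schema.

```python
"""Safe Harbor style de-identification for the HIPAA identifier list.

Added example, not from the original slides. The ZIP prefix table, the
field-name mapping and the sample record are constructed test data.
"""
import re
from datetime import date

# Constructed: 3-digit ZIP prefixes whose combined population is taken to be
# 20,000 or fewer. Illustrative only; the authoritative list comes from Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203", "556", "692",
                       "790", "821", "823", "878", "879", "884", "893"}

# Constructed field names for identifiers that are removed outright: names,
# phone/fax, e-mail, SSN, MRN, plan/account/license numbers, vehicle and device
# ids, URLs, IP addresses, biometrics, photos, other unique codes.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo", "other_unique_code",
}


def safe_harbor_zip(zip_code):
    """Keep only the first three digits; collapse low-population prefixes to 000."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def safe_harbor_age(birth_date, as_of):
    """Age in whole years; everyone over 89 goes into the aggregated '90+' bucket."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else age


def deidentify(record, as_of):
    """Return a copy of `record` with the listed identifiers removed or reduced."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # removed outright
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "birth_date":
            age = safe_harbor_age(value, as_of)
            out["age"] = age
            # Year alone would reveal an age over 89, so drop it for that bucket.
            out["birth_year"] = None if age == "90+" else value.year
        elif isinstance(value, date):
            out[key + "_year"] = value.year           # admission, discharge, death: year only
        else:
            out[key] = value                          # clinical content is kept
    return out


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "phone": "555-0100",
    "zip": "02140-1234",
    "birth_date": date(1930, 5, 2),
    "admission_date": date(2012, 3, 14),
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, as_of=date(2012, 12, 31)))
```

Running the block on the sample record leaves only `zip3`, `age`, `birth_year`, `admission_date_year` and the diagnosis code; the point for breach costing is that a store holding only such output falls outside the PHI fine exposure discussed on slide 53, whereas a single retained field from the list puts the whole record back in scope.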
• 65. How do we estimate costs – Intellectual Property
  How to value?
  • Fair Market Value
  • Cost to Create
  • Historical Value
  Methodologies:
  • Cost Approach: Reproduction or Replacement
  • Market Approach
  • Income Approach
  • Relief from Royalty Approach
  • Technology Factor
  Page 65