3. Cybersecurity is a legal issue
• Types
  • Security
  • Privacy
  • Unauthorized Access
• International Laws
  • GDPR
  • Privacy Shield
  • China’s Cybersecurity Law
• Federal Laws and Regs
  • FTC, SEC, HIPAA
• State Laws
  • All 50 States
  • Privacy (50) + security (20+)
  • NYDFS, Colo FinServ, CaCPA
• Industry Groups
  • PCI
  • FINRA
• Contracts
  • 3rd Party Bus. Assoc.
  • Privacy / Data Security / Cybersecurity Addendum
4. Common business objections
1. We have an “IT Guy”
2. We have an “IT Company”
3. We are “compliant”
4. We have cyber insurance
5. We are not a large company (or, “tech” company)
6. Our data is not that valuable
11. Since cyber is an overall business risk issue, who is on the team?
12. Who is on the cyber risk team, and when?
Internal team
• CISO
• IT
• Information Security
• Business
• Risk
• Legal
• Privacy
• CFO
• COO
• HR
• Audit
• Marketing
External team
• Legal
• MSP / MSSP
• Security Firm
• Forensics Firm
• Insurance
  • Cyber, etc.
  • Broker
  • Carrier
• PR Firm
• Notification Vendor
• Law Enforcement
13. Team considerations
Questions to consider
• Do you have a “cyber risk committee”?
• Who is the “head coach”?
• Who are the “coordinators”?
  • i.e., who takes the lead on and “owns”:
    • Proactive risk management
    • Incident response
    • Chain of command
• Have you considered the team members’ personalities, experience, and other intangibles vis-à-vis the role they play?
Planning considerations
• Who is on the field during which situation?
• Do the players know their role?
• Are the players eligible to play?
  • i.e., pre-approval of vendors, engagements executed
• Can they communicate?
  • Understand language
  • Logistics for communicating
• How often do they practice?
• Do you play scrimmages?
14. Takeaway: It takes a team of many different stakeholders within and outside of the organization, working together as a team, to effectively manage cyber risk.
16. Common cybersecurity best practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
   • Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature-based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services provider (MSSP).
17. Really top-notch, battle-tested CISO.
18. Cyber risk insurance.
17. Canary in the coal mine
• What is your role?
• How does your company (or others) handle:
  • P&P + Training
  • MFA
  • Phishing
  • Backups
  • IRP & IR Team
  • Cyber Insurance
19. How mature is the company’s cyber risk management program?
• “GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
• “We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.” SEC Statement and Guidance (Feb. 21, 2018)
• “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” NYDFS Cybersecurity Regulations § 500.02
• “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including …” GDPR, Art. 32
“A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.”
– Ken Paxton
22. Assess cyber risk
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu
The most essential step?
• How do you protect against what you don’t know?
• How do you protect what you don’t know you have?
• How do you comply with rules you don’t know exist?
• No two companies are alike; neither are their risks, nor their risk tolerances.
• Demonstrates real commitment to protect, not just “check the box compliance.”
23. Evaluating risk and prioritization
“You can’t boil the ocean; how do you prioritize?”
Traditional risk equation
Risk = probability × loss
More realistic risk equation – this is a business issue
Risk = probability × loss × cost × time to implement × impact on resources × benefits to the business × detriments to the business
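The slide's point is that ranking by "probability × loss" alone and ranking by the business-aware factors can put the same risks in a different order. The following is an added worked example, not the presenter's own material: the risk register is constructed sample data, and the business-adjusted score (expected loss avoided over a 12-month horizon, plus net business benefit, divided by mitigation cost inflated by resource impact) is an assumed weighting chosen to make the slide's extra factors computable, not a formula taken from the slide.

```python
"""Risk prioritization worked example (added illustration; constructed data).

Ranks a small risk register two ways: by the slide's traditional equation
(probability x loss) and by an assumed business-adjusted score that folds in
mitigation cost, time to implement, resource impact, and business
benefit/detriment. The adjusted weighting is an assumption, not the slide's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float       # annual likelihood of the loss event (0..1)
    loss: float              # expected loss per event, in dollars
    mitigation_cost: float   # one-time cost of the control, in dollars
    time_to_implement: int   # months until the control is effective
    resource_impact: float   # share of team capacity the rollout consumes (0..1)
    business_benefit: float  # side benefit of the control, dollars per year
    business_detriment: float  # friction the control adds, dollars per year


# Constructed sample register (hypothetical figures, not from the slide).
RISK_REGISTER = [
    Risk("Phishing leads to credential theft (control: MFA)",
         0.60, 250_000, 20_000, 2, 0.1, 0, 5_000),
    Risk("Ransomware destroys unsegmented backups (control: offline backups)",
         0.20, 1_000_000, 60_000, 4, 0.3, 10_000, 2_000),
    Risk("Unsupported server OS exploited (control: platform upgrade)",
         0.30, 400_000, 150_000, 9, 0.5, 20_000, 0),
    Risk("Third-party vendor breach (control: vendor risk program)",
         0.15, 2_000_000, 40_000, 6, 0.2, 0, 10_000),
]


def traditional_risk(r: Risk) -> float:
    """Slide's traditional equation: Risk = probability x loss (annual expected loss)."""
    return r.probability * r.loss


def business_adjusted_score(r: Risk, horizon_months: int = 12) -> float:
    """Assumed ranking score using the slide's extra factors (higher = do first).

    Expected loss avoided over the horizon only counts for the months after the
    control is in place; net business benefit is added; the total is divided by
    mitigation cost scaled up by the resource drag of the rollout.
    """
    months_protected = max(horizon_months - r.time_to_implement, 0)
    loss_avoided = traditional_risk(r) * months_protected / horizon_months
    net_benefit = r.business_benefit - r.business_detriment
    denominator = r.mitigation_cost * (1.0 + r.resource_impact)
    return (loss_avoided + net_benefit) / denominator


def prioritize(risks, scorer):
    """Return the register ordered from highest to lowest score under `scorer`."""
    return sorted(risks, key=scorer, reverse=True)


def ranking_names(scorer):
    """Names only, in priority order, for comparing the two rankings."""
    return [r.name for r in prioritize(RISK_REGISTER, scorer)]


if __name__ == "__main__":
    print("Traditional ranking (probability x loss):")
    for r in prioritize(RISK_REGISTER, traditional_risk):
        print(f"  ${traditional_risk(r):>10,.0f}  {r.name}")
    print("Business-adjusted ranking (assumed score):")
    for r in prioritize(RISK_REGISTER, business_adjusted_score):
        print(f"  {business_adjusted_score(r):>10.2f}  {r.name}")
```

With these constructed figures the vendor breach tops the traditional ranking (largest expected loss), but the MFA rollout tops the adjusted ranking because it is cheap, fast, and retires most of its expected loss within the year; the OS upgrade drops to last because it costs the most and is not effective for nine months. Whichever weighting a company adopts, the useful property is that the inputs are written down and can be argued over in the risk committee.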
24. Takeaway: Reasonable cybersecurity is a process, not a definition: it includes understanding your risks, prioritizing your efforts, and executing your priorities in a systematic manner.
25. Once you have your team in place and understand what your risks are that you’re trying to manage, what do you do?
26. What do you think?
What do you think is the most glaring thing missing when I look at substantial incidents and data breaches I have handled over the past 20 years?
1. Lack of hardware, services, gadgets, and gizmos?
2. Lack of support from management?
3. Lack of funding?
4. Lack of talent?
5. Lack of skills and knowledge?
6. Lack of strategy?
29. Strategic leadership and planning
“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.” – Sun Tzu
What does strategy consider?
• Risk analysis – present and future
• Resources – present and future
• Who is on your team?
• For different situations, understand team capabilities – internal and external
• How is your team executing?
• Don’t forget 3rd and Nth party risk!
• Prioritize and execute for evolving threats
• Objectives – what is a “win”?
31. Takeaway: Winning is withstanding the attacks so your company can stay focused on its primary mission. Winning comes from preparation, resilience, and continuously learning and adapting.
32. Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com
• 20+ Years of Cyber Law Experience
• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
• Council Member, Southern Methodist University Cybersecurity Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Board of Advisors, Cyber Future Foundation
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-19
• Best Lawyers in Dallas 2014-19, D Magazine
• Chair-Elect, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
• International Association of Privacy Professionals (IAPP)