Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance

Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally-identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.


Data Security Alarms Should Be Sounding for Oil and Gas

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

Oil and gas industry executives don’t need to see a new Wikileaks story about secret CIA hacking tools or hear more about the electronic penetration of presidential campaigns to understand the seriousness of a potential digital hack to their operations.

But it’s a large step from knowing a risk exists to being ready for it. Achieving confidence in the ability to manage such risk can involve substantial new investments and operational adjustments, even for an industry accustomed to meeting regulatory, operational and market challenges.

Protiviti’s recently released 2017 Security and Privacy Survey indicates that oil and gas companies are facing their cybersecurity challenges in ways similar to other industries. The survey’s main findings include:

  • Nearly one in five companies cannot confidently identify or locate their “crown jewels,” or most valuable data assets, because they lack an effective enterprisewide data classification scheme and policies.
  • How well companies manage their vendors’ security practices marks a notable difference between top security performers and the rest.
  • Companies with a high level of board engagement in information security issues rate considerably higher than those without such involvement in nearly all facets of information security best practices. These companies also report a higher level of confidence in their ability to prevent an opportunistic data breach.

These findings largely correspond to what we have seen among our own energy clients. One difference we have noticed, however, is that energy companies tend to have little to no formal documentation on testing of security incident response plans, compared to other industries. This could mean that energy executives have not substantiated a basis for the same level of breach-prevention preparedness as some other industries. I would argue that as a critical infrastructure, they should.

Although Protiviti energy clients indicate they are committed to security, we see about the same 38-percent level of compliance with implementation of the five core information security policies identified in the Protiviti survey: acceptable use, records retention/destruction, data encryption, information security, and social media policies.

In addition, energy companies, specifically those in exploration and production (E&P), have been hesitant to invest in tools to identify where their “crown jewels” are stored, apparently on the basis that many do not feel their company is much at risk because it does not retain much sensitive data. However, many common processes at E&P companies (e.g., escheat and royalty owner payments) do involve sensitive information protected by state privacy laws (e.g., individual tax ID numbers are actually Social Security numbers). Further, company confidential information, such as reservoir data, land acquisition data, and merger and acquisition activity, would be considered data that requires identification and protection. Very commonly, even where these processes are mostly manual, this information is digitized (e.g., scanned documents) or entered into a system. If the company does not know what data exists and where, it will have a difficult time protecting it.

Energy executives and boards would be wise to ask themselves some worst case scenario questions and know the answers now rather than having to discover them under fire later:

  • If our data assets were compromised, could they be reconstructed, and how long would it take?
  • If field operations were disrupted by an attack on the operational control system, how much revenue would be lost per week? Per month?
  • If competitors or counter-parties were able to learn confidential details of our strategies and plans, where would our company be most vulnerable?

The bottom line is that what you don’t know, such as where your critical data is, can, and eventually will, hurt you. With all issues of cybersecurity, it’s only a matter of time.

Alyssa Brister and Luis Castillo from Protiviti’s Technology Consulting practice contributed to this post.

Cybercrime, Brand Damage Among Top Risks for Technology, Media and Communications Companies, Executives Say

By Gordon Tucker, Protiviti Managing Director
Technology, Media and Communications Industry Leader

If improving brand protection isn’t a top-line agenda item in the cybersecurity discussions happening at the highest levels in your organization, it needs to be. In today’s era of lightning-quick social media sharing, brand protection has become even more important — and far more challenging — for technology, media and communications (TMC) companies. Two factors play a role:

  • Expanding use of social media and mobile applications by customers and employees: It is all too easy for outsiders to acquire and misrepresent personal and proprietary information.
  • The relentless tide of cyberthreats: The Identity Theft Resource Center (ITRC) reports that the number of U.S. data breaches reached an all-time high in 2016. Several leading TMC companies were among the businesses hit with high-profile, far-reaching, costly and reputation-damaging breaches last year.

In the face of these realities, including growing public disclosures of data leaks and breaches, many TMC companies are beginning to re-evaluate how they interact with other organizations and how they safeguard against breaches. Most C-level executives in this industry group also now realize that they themselves could be targets for hackers and other malicious actors seeking to gain access to personal records and other sensitive data.

There is no doubt that TMC executives, in general, are thinking a lot more about brand protection these days. In the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative, TMC executives ranked the following risks among the top five for their industry group in 2017:

  • Social media, mobile applications and other internet-based applications may significantly impact our brand, customer relationships, regulatory compliance processes and/or how we do business, and
  • Our organization may not be sufficiently prepared to manage cyberthreats that have the potential to significantly disrupt core operations and/or damage our brand.

On the cyber-risk front, it is important for TMC companies to recognize that the customer and financial data they handle are not the only targets for hackers. An organization’s intellectual property (IP) can be even more valuable to some threat actors, including nation states. The loss or theft of IP not only could undermine a company’s ability to compete but damage its brand and reputation in unanticipated ways.

Without question, loss or theft of any type of high-value data can have lasting, negative effects on an organization from both operational and brand perspectives. Everything negative that happens to a company and becomes public can damage its brand – and cyber breaches and loss of IP are some of the fastest ways for this damage to occur. Given these considerations, management and the board must work together to manage the brand and make brand protection one of the company’s top priorities.

To engage in effective dialogue on this topic, a recent issue of Protiviti’s Board Perspectives: Risk Oversight offers some guidance: Executives should take the lead in deciding what type of interaction they would like from the board and define how they want to involve the board in the brand protection process. And if the executives haven’t done this yet, then the board should waste no time in asking for their input.

PCI DSS 3.2 – What You Need to Know


By Jeff Sanchez, Managing Director, IT Security and Privacy

and

Scott Laliberte, Managing Director, IT Consulting

We’ve been getting a lot of inquiries from clients on the new payment card industry (PCI) compliance standard issued by the PCI Security Standards Council in April. The new data security standards (DSS) release, dubbed PCI DSS Version 3.2, contains some major changes from the previous version.

The changes are explained pretty clearly in our May 9 Flash Report, but we recently had the opportunity for a more interactive discussion and to answer questions via a webinar we held on August 18. In a future post, we will follow up with some of the questions we did not have a chance to address. Here, we’d like to focus on the upcoming changes.

Some of the upcoming changes may require a significant effort to achieve. This affects all entities transacting business by credit, debit or cash cards and could result in many organizations being out of compliance for an extended period of time.

The biggest changes affecting all organizations (effective Feb. 1, 2018) are as follows:

  • Multifactor authentication will be required for administrative access to any system within, or connected to, the cardholder data environment (CDE), even when connecting from within the corporate network. That means that, in addition to a password, anyone seeking to access the system must present some other form of identification, such as a fingerprint or optical scan. This requirement already applies to users, administrators and third parties accessing the system remotely. Note: Companies currently using multifactor authentication as a compensating control for technical noncompliance will no longer be able to list this as a compensating control after it becomes a requirement.
  • File integrity monitoring (FIM), or some kind of change-detection solution, will be required for all in-scope systems, which includes all systems connected to – not just those within – the CDE. Many organizations do not currently have FIM technology on point-of-sale terminals or administrative workstations.
  • Change management is an area of increasing concern for the Security Standards Council. PCI 3.2 requires organizations to carefully document all changes to in-scope systems, plus any controls that might be affected by each change, and prove that the controls have been tested post-implementation and that corrective action was taken, if needed, to restore an effective control environment.

Service providers face even greater scrutiny under the new standards.

  • Security controls monitoring needs to be able to detect failures, and the provider must have supporting processes that document how to fix control failures, as well as processes for documentation, determining root causes and getting security systems back into operation.
  • Executive management responsibility is another hot-button issue. PCI 3.2 requires service providers to assign a member of executive management to be responsible for protecting the CDE. This executive will oversee testing and sign an attestation of compliance.
  • Operational reviews must be conducted quarterly. Service providers are required to perform quarterly reviews of operational processes, including, but not limited to, daily logs, firewall rules, configuration standards, security alerts and change management procedures.
  • Penetration testing on segmentation controls will have to be conducted at least every six months under PCI 3.2, versus annually in 3.1. The scope of penetration testing needs to be coordinated to ensure that the CDE remains secure, even in the event of a total administrative takeover of a segmented system.
  • Service providers are also now required to provide auditors with a documented description of cryptographic architecture used in the CDE. This must include all algorithms, protocols and keys used for the protection of cardholder data, including key strength and expiration date.

PCI version 3.2 is available for use now and becomes the only valid standard when version 3.1 is retired on Oct. 31, 2016. However, many of the new requirements in 3.2 do not become effective until Feb. 1, 2018. As we said in the webinar, we strongly recommend that organizations work with a Qualified Security Assessor now to ensure compliance and avoid unpleasant surprises under deadline pressure.

More on Cybersecurity – President Obama Issues Executive Order to Sanction Cyberattackers

As a follow-up to our recent posts related to cybersecurity and cyberthreats, President Obama issued an Executive Order this week authorizing sanctions against cyberattackers operating outside the United States. You can read the Executive Order here. Reuters also published an informative overview of the Executive Order.

As noted in Reuters’ article and other sources, the Executive Order has received some positive response, but concerns are raised, as well. How exactly will a cyberattack be attributed with certainty to an individual or group? How will the administration handle cyberattackers who are deemed to be state-sponsored, particularly by nations with which the United States conducts trade? Will such sanctions be effective against faceless perpetrators who operate independently (i.e., without state sponsorship)?

We will continue to monitor these issues and comment periodically here and in other forums.

Jim

New Protiviti Study – Assessing the Top IT Priorities for 2015

Protiviti has released another major research report today – this one details the findings from our annual IT Priorities Survey of CIOs and IT executives and professionals.

We’ll be exploring some of the key themes that came out of this study, including cybersecurity concerns, in the weeks ahead. For now, I invite you to view our video and infographic here. Please visit our survey landing page for more information and a downloadable copy of our report: www.protiviti.com/ITpriorities.

Jim

Executive Perspectives on Top Risks for 2015

Today, North Carolina State University’s ERM Initiative and Protiviti released the results of our third annual global survey of board members and C-level executives. Our survey assesses the extent to which a broad collection of risks are likely to affect organizations in 2015. We’ll be discussing the results here in greater detail over the coming weeks. For now, I want to share with you our short video along with our key results:

Among our key findings this year:

  • The global business environment in 2015 is perceived to be somewhat less risky for organizations than it was in the last two years.
  • Most organizations are more likely to invest additional resources towards risk management in 2015 compared to the past two years.
  • Regulatory change and heightened regulatory scrutiny is the top overall risk for the third consecutive year.
  • There are concerns about cyberthreats disrupting core operations.
  • Economic conditions are again a key risk area for organizations.
  • There is greater focus on succession challenges and the ability to attract and retain talent.

Our report, Executive Perspectives on Top Risks for 2015, as well as a podcast and video, are available at www.protiviti.com/TopRisks. We also have published an informative infographic. In addition, on Thursday, February 12 (at 1:00 p.m. ET/10:00 a.m. PT), Protiviti and North Carolina State University will host a webinar to discuss the survey results and provide analysis as to how organizations can address these risk areas.

I again want to acknowledge our outstanding partners at North Carolina State University’s ERM Initiative: Dr. Mark Beasley, Dr. Bruce Branson and Professor Donald Pagach. It is a tremendous pleasure to work with them on this well-received project. I also want to thank the many individuals in Protiviti, including our Industry Leadership team, for their valuable contributions to this project.

Jim