Bill Blake, Senior Vice President and CCO (Chief Customer Officer) of Fasoo, moderated a panel discussion on cybersecurity on September 13, 2017 at Harter Secrest & Emery LLP in Rochester, NY. The event, entitled Cyber Security & Your Company – What You Need to Know Now, featured industry leaders and experts from The Bonadio Group, Fasoo, Lawley, and Harter Secrest & Emery LLP discussing how, when, and why to plan for a cyber attack.
The event was part of a continuing dialog with organizations on the need for stricter cybersecurity controls in the wake of the ever-growing threat of data breaches and disruptions to business operations. Recent data breaches at Equifax, Verizon and others show that any organization is vulnerable to external attacks or insider threats. Regulations and legislation, such as the New York NYDFS 23 NYCRR 500 cybersecurity regulations and GDPR in Europe, are pushing businesses to improve their security posture to protect business and customer information.
Paul Greene, an attorney with Harter Secrest & Emery LLP, opened the event with some introductory remarks, and Bill Blake then got right into the discussion questions, which touched on a number of cybersecurity topics, including how to prepare for a cyber attack, the role of insurance in your incident response plan, and how the newest cybersecurity regulations and laws affect your business.
High on the list was a discussion of the recent Equifax data breach and how it affects businesses and consumers. This led to a discussion and questions about risk assessments and why they are critical to improving your cybersecurity posture.
Carl Cadregari, an Executive Vice President at The Bonadio Group, talked about how often to do a risk assessment. This is not something you can do once. The threat landscape is constantly changing and the needs of your business are evolving, so you need to continually reassess your risk and the best ways to mitigate it. Carl said that finding your most sensitive data and encrypting it is one of the best ways to ensure you are protected. If a hacker gets encrypted files, they won’t be able to use them. In many cases this may not be considered a data breach, so you don’t need to report it.
While most of us think about technical solutions, legal ones are just as important, since a cybersecurity event is not a breach until your attorney says it is. Paul Greene mentioned, “It’s important to involve counsel in your Risk Assessment process because it allows you to have a full and frank discussion about any shortcomings you may find, without worrying that those discussions can be used against you. That’s the protection of the attorney-client privilege; it allows for that ‘oh [expletive]’ moment when you discover something that may be really bad, without the worry that those communications will be used against you.”
Reggie Dejean, a Specialty Insurance Director from Lawley Insurance, talked about the crucial role of insurance in any cyber compliance program. He said, “Cybersecurity insurance can help mitigate the financial loss that occurs when, not if, a data breach happens to a company. These policies can help cover some of the costs which include forensics, credit monitoring, notifying those affected, public relations and more. In today’s world, any size company is susceptible to a cyber breach, so cyber intrusion insurance can help reduce your risk and costs.”
Bill Blake brought up printing as a risk that many organizations don’t think about. There tends to be a focus on digital assets, but if someone prints sensitive information, the same liability applies under regulation and the law. Numerous audience members asked whether protection of sensitive data extends to paper files, and the general consensus was that it does. Preventing printing is clearly the best way to minimize this risk where it is applicable. Where printing is necessary, masking sensitive data reduces what actually reaches the page, and applying visible watermarks lets you trace a printout back to the person who printed it.
Another big discussion was around risk in the supply chain. An audience member from a bank said they share a lot of information with Equifax and wondered whether the bank is liable because of the Equifax data breach. Under the NYDFS 23 NYCRR 500 cybersecurity regulations, an organization is responsible for the security of data it shares with its supply chain. Whether the bank needs to inform authorities of a breach in its supply chain is unclear, but it is ultimately responsible for its data. Third- and fourth-party protection will come from both technical and legal remedies. You need airtight legal agreements to mitigate your risk, but encrypting and controlling the information you share is the best technical defense against supply chain risk.
The event finished with questions from attendees on the most challenging areas for compliance in their companies. One piece of advice from the panel was to remember that companies should focus on protecting their sensitive information. While many get caught up in the minutiae of plans and reporting, it is imperative to focus on protecting the data that drives the business.