Tag: risk mitigation

Fasoo Moderates Panel on Cybersecurity and Your CompanyBill Blake, Senior Vice President and CCO (Chief Customer Officer) of Fasoo, moderated a panel discussion on Cybersecurity on September 13, 2017 at Harter Secrest & Emery LLP in Rochester, NY.  The event entitled Cyber Security & Your Company – What You Need to Know Now featured industry leaders and experts from The Bonadio Group, Fasoo, Lawley, and Harter Secrest & Emery LLP discuss how, when, and why to plan for a cyber attack.

The event was part of a continuing dialog with organizations on the needs for stricter cybersecurity controls in the wake of the ever growing threat of data breaches and threats to business operations.  Recent data breaches at Equifax, Verizon and others show that any organization is vulnerable to external attacks or insider threats.  Regulations and legislation, such as the New York NYDFS 23 NYCRR 500 cybersecurity regulations and GDPR in Europe, are causing businesses to improve their security posture to protect business and customer information.

Paul Greene, an attorney with Harter Secrest & Emery LLP, started the event with some opening remarks and Bill Blake got right into the discussion questions which hit on a number of cybersecurity topics, including how to prepare for a cyber attack, the role of insurance in your incident response plan and how the newest cybersecurity regulations and laws affect your business.

High on the list was a discussion of the recent Equifax data breach and how it affects businesses and consumers.  This lead to a discussion and questions about risk assessments and how they are critical to improving your cyber security posture.

Carl Cadregari, an Executive Vice President at The Bonadio Group, talked about the frequency of doing a risk assessment.  This is not something you can do once.  The threat landscape is constantly changing and the needs of your business are evolving, so you need to continually assess your risk and the best ways to mitigate it.  Carl said that finding your most sensitive data and encrypting it is one of the best ways to ensure you are protected.  If a hacker gets encrypted files, they won’t be able to use them.  In many cases this may not be considered a data breach, so you don’t need to report it.

While most of us think about technical solutions, legal ones are as important as well, since a cybersecurity event is not a breach until your attorney says it is.  Paul Greene mentioned “It’s important to involve counsel in your Risk Assessment process because it allows you to have a full and frank discussion about any shortcomings you may find, without worrying that those discussions can be used against you.  That’s the protection of the attorney-client privilege, it allows for that “oh [expletive]” moment when you discover something that may be really bad, without the worry that those communications will be used against you.”

Reggie Dejean, a Specialty Insurance Director from Lawley Insurance, talked about the crucial role of insurance in any cyber compliance program.  He said, “Cybersecurity insurance can help mitigate the financial loss that occurs when, not if, a data breach happens to a company. These policies can help cover some of the costs which include forensics, credit monitoring, notifying those affected, public relations and more. In today’s world, any size company is susceptible to a cyber breach, so cyber intrusion insurance can help reduce your risk and costs.”

Bill Blake brought up printing as a risk that many organizations don’t think about.  There tends to be a focus on digital assets, but if someone prints sensitive information, there is still the same liability when it comes to regulation and the law.  Numerous audience members asked if protection of sensitive data extends to paper files and the general consensus is that it does.  Preventing printing to minimize risk is clearly a good strategy when applicable, but masking sensitive data and applying visible watermarks are also good strategies to help eliminate sensitive data on paper and allow you to trace the information back to the person that printed it.

Another big discussion was around risk in the supply chain.  An audience member from a bank said they share a lot of information with Equifax and was wondering if the bank is liable because of the Equifax data breach.  Under the NYDFS 23 NYCRR 500 cybersecurity regulations an organization is responsible for the security of data it shares with its supply chain.  Whether the bank needs to inform authorities of a breach in its supply chain is unclear, but it is ultimately responsible for its data.  Third and fourth party protection will come from both technical and legal remedies.  You need air tight legal agreements to mitigate your risk, but encrypting and controlling your shared information is the best solution to supply chain risk.

The event finished with questions from attendees on the most challenging areas in their companies for compliance.  One bit of advice from the panel was to remember that companies should focus on protecting their sensitive information.  While many can get caught up in the minutiae of plans and reporting, it is imperative to focus on protecting the data which drives the business.

Practical Advice At Buffalo NYDFS 23 NYCRR 500 Pathways to Compliance EventFollowing our successful event in Rochester, the second of the NYDFS 23 NYCRR 500 roadshow events at Phillips Lytle LLP in Buffalo, NY on May 17, 2017 brought together executives, insurance, legal, and security professionals in a great forum to discuss challenges for financial services organizations to meet the new cybersecurity regulations that went into effect on March 1, 2017.  A full house heard some practical advice designed to assist entities regulated by the New York Division of Financial Services (NYDFS) comply with the new regulations.

Jennifer Beckage of Phillips Lytle LLP started with her “Survival Guide to Navigating the NYDFS Cybersecurity Regulation”.  Jennifer talked about the challenges covered entities face not only developing their own cybersecurity programs, but how those spill over to their service providers.  Developing, implementing and monitoring vendor management programs will affect contracts, day-to-day operations and the technology used to secure and control information shared.

Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”.  Sponsored by Fasoo, this survey gave great insight into the readiness of financial services organizations to comply with the new regulations.  One key statistic from the survey that picked up on Jennifer’s discussion on third party liability is that only about half the organizations think they can meet the two-year transitional period to implement a third-party services provider security policy.  One member of the audience mentioned that they may have to switch some service providers who can’t meet the requirements.  The discussion also talked about fourth-party service providers, since you as a covered entity can’t know who your service providers use for their business.  This gets complicated very quickly.

Dr. Ponemon’s keynote was followed by a panel discussion moderated by Kevin Cox from Brite Computers on meeting governance and security aspects of the regulation.  The panel included Dr. Ponemon, Jennifer Beckage, Dave Hansen from Freed Maxick, Reggie Dejean from Lawley Insurance, and Ron Arden from Fasoo.  Based on a number of questions from the audience, the panel had a lively discussion on incident response.  A key item is to engage your legal and insurance providers immediately if you suspect a negative cyber event.  How you characterize an event and your response to it is not only a technical and process issue, but a legal one too.  An event is not considered an incident until an attorney says so.

One key discussion was on data retention and protection.  Since the regulation talks about encrypting and limiting access to all nonpublic data, one way to minimize risk is to delete information that is no longer needed by the business.  If you don’t have it, you don’t need to protect it.  This not only helps with general security hygiene, but also helps satisfy other regulations, since eliminating unneeded information reduces a company’s general liability.  As in the earlier discussions, this lends itself to protection and revoking access to nonpublic information you share with your service providers.

Fasoo wants to thank all the Buffalo NYDFS 23 NYCRR 500 roadshow sponsors for all their support.  It was a great event and everyone said that got a lot of great information that will help them as they strive toward meeting the first deadline of August 28, 2017.

Ponemon Institute
Brite Computers
Lawley Insurance
Phillips Lytle LLP
Freed Maxick

Rochester NYDFS Pathways to Compliance Event a Big SuccessThe first of the NYDFS 23 NYCRR 500 roadshow events in Rochester, NY on May 16, 2017 was a great success as numerous people from local financial services companies participated in a great forum to help organizations understand how to meet the new cybersecurity regulations that went into effect on March 1, 2017.

The event was held at Harter Secrest & Emery LLP in Rochester and started what will be a continuing series of forums to assist entities regulated by the New York Division of Financial Services (NYDFS) comply with a strict and wide-ranging group of regulations.

The event started with an “Overview of 23 N.Y.C.R.R. Part 500 and Key Legal Challenges” by F. Paul Greene of Harter Secrest & Emery LLP.  Paul focused on many of the legal issues around compliance, including what is a covered entity.  Any organization regulated under the Banking, Insurance or Financial Services law is subject to this regulation.  This includes foreign and out of state businesses that operate in New York and most likely applies to the whole organization, unless the organization has a segregated IT infrastructure.

Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”.  Sponsored by Fasoo, this survey helped understand the current posture of readiness to comply with the new regulations.  Some of the more interesting results are that most organizations do not believe they can meet the timelines for compliance, over 70 percent think a lack of knowledgeable personnel will hamper their efforts and most are very concerned about how to implement effective security policies for third party service providers.

Dr. Ponemon’s keynote was followed by a Panel Discussion – Pathway to Compliance – that was moderated by Kevin Cox from Brite Computers.  Panel members included Dr. Ponemon, Paul Greene, Reg Harnish from GreyCastle Security, Reggie Dejean from Lawley Insurance, and Ron Arden from Fasoo.  There was a lot of discussion around doing a risk assessment and understanding what nonpublic information assets you have and where they are.  This lead to insurance questions and how best to mitigate risk related to business continuity following a data breach.  While insurance is critical to recovery from loss, it is not a substitute for a good cybersecurity program.

The event finished with questions from attendees on the most challenging areas in their companies for compliance.  One bit of advice from the panel was to remember that the regulation is intended to protect companies and their customers by protecting sensitive information.  While many can get caught up in the minutiae of plans and reporting, it is imperative to focus on protecting the data which drives the business.  That is the focus needed to improve the cybersecurity posture at each covered entity.

Fasoo wants to thank all the Rochester NYDFS 23 NYCRR 500 roadshow sponsors for all their support in making it an outstanding event.

Ponemon Institute
Harter Secrest & Emery, LLP
Brite Computers
GreyCastle Security
Lawley Insurance

Click here to see the Countdown to Compliance, Fasoo Sponsored Ponemon Institute Survey of NYDFS 23 NYCRR 500Fasoo sponsored a Ponemon Institute survey to determine the readiness of financial firms doing business in New York State to comply with the new cybersecurity regulation NYDFS 23 NYCRR 500 that went into effect on March 1, 2017.  The regulation includes deadlines to implement procedures and solutions to achieve compliance with the new standards.  Since New York is one of the world’s financial capitals, the state wants to ensure that organizations that operate under the banking, insurance or financial services regulations provide a secure information sharing environment to protect companies and their customers.

“The survey is aptly titled “Countdown to Compliance,” said Dr. Larry Ponemon.  “Our goal is to provide insight into the challenges these organizations face in complying with the demanding new requirements which apply to all ‘nonpublic information’ – at rest, in-transit and shared with third parties.  The survey will provide insight into their efforts to comply over the next 180 to 365 days.”

Many organizations may not realize they are covered under these regulations, but if you just go to the NY Department of Financial Services website, you can search for your business.  If you are a financial institution,

insurance company, insurance licensee or service contract provider, you are most likely covered.  This also includes foreign banks that are New York State-chartered or licensed.

This is the second Ponemon Institute survey sponsored by Fasoo during the past year. The previous research, titled “Risky Business: How Company Insiders Put High Value Information at Risk” polled IT security practitioners on risks of data breaches by trusted insiders.  The information in that survey is still very relevant to financial services firms and any business today.

“Both of these Ponemon surveys build market awareness and inform CIO/CISO and Compliance Officer leadership as to the need and now the mandatory New York State requirements for data-centric security, audit, and compliance solutions,” said John Herring, CEO of Fasoo, Inc.  “We are joining with leading Legal, GRC and Insurance cybersecurity professionals to sponsor several events across New York State to highlight strategies and enterprise ready data-centric solutions to address regulatory compliance.”

If want to get an early release copy of the “Countdown to Compliance” survey and keep apprised of Fasoo sponsored NYDFS events, please register here.


Photo credit thenails

Fasoo Hits Nerve with Message of Security, Governance and Productivity at RSA 2017After two days at the 2017 RSA Conference in San Francisco, it looks like Fasoo’s message of Security, Governance and Productivity is hitting a nerve with security professionals, analysts, executives and other attendees.  As the regulatory and business climate change to overcome constant threats to businesses and the data they use to drive profitability, companies are looking for a more comprehensive and practical approach to providing secure ways to conduct business.

An interesting theme at this year’s show is Business Driven Security.  I think the convergence of business and security is finally coming to a head as boards and executives realize they must think of security solutions as a business driver that helps mitigate business risk so they can propel their businesses forward.

One main focus this year is helping financial organizations comply with the New York State Department of Financial Services (NYS DFS) cybersecurity regulations.  Fasoo employees spoke to numerous banks and mortgage companies at the booth that are affected by this new regulation to encrypt nonpublic data and provide clear access control and audit trails.  The Fasoo Data Security Framework can help protect sensitive data from getting into the wrong hands and help meet this comprehensive regulation.

Other attendees were very interested in providing a more secure way of collaborating with documents.  It’s clear that organizations need to secure their data and protect against cyber attacks, but if employees and partners aren’t productive, business comes to a halt.  Productivity drives innovation and Wrapsody is a great way to let people share ideas securely as they drive their businesses.

Of course what would RSA be without some fun?  Our hourly presentations are very lively and attendees are entered into a drawing for an Amazon Echo.  We gave one away on Tuesday and will at the end of each day.  Aside from the prize, a lot of people were very interested in how Fasoo can really protect sensitive information from getting outside their companies and either cause them to go afoul of regulators or hurt their bottom line.  Encrypting and always controlling information is the best way to meet regukatory requirements and protect your intellectual property.

If you haven’t already, stop by booth S1239 on the show floor to see how we can help your business.

Fasoo wows RSA 2016 visitorsThis year’s RSA Conference in San Francisco gave security professionals, executives and other attendees a lot to choose from as they tried to help their organizations prevent cyberattacks and mitigate the risk of insider threats.  Apple’s current flap with the FBI on encryption was a big point of discussion throughout the event, including during keynotes.  Amit Yoran, the President of RSA, came out strongly against government backdoors and weakening encryption.

Fasoo’s theme this year was Design Your Data Security Blueprint and visitors to the Fasoo booth got to see how the Fasoo Data Security Framework and Sparrow could help them achieve their goal of protecting their sensitive data from getting into the wrong hands.

A lot of conversations centered on the understanding that it’s not a matter of if I get hacked, but when.  I spoke to one gentleman who was talking about the concept of security crumple zones where you assume that some layers of your security will get breached.  The concept is similar to car safety, where the ultimate goal is protect what is most valuable.  Fasoo was showing attendees a multi-layered approach to data security that relies on a data-centric security model with people-centric policies.  This allows an organization to protect critical data immediately and adjust access control policy as roles and people change.

As concerns about inevitable data breaches have reached the board level in organizations, talk has turned to mitigating risk, as opposed to stopping breaches.  Most people understand that you can’t eliminate risk, but you need to minimize its negative affects.

Fasoo What's My RiskTo have some fun with this topic, Fasoo had a game called “What’s My Risk” where contestants spun a wheel to pick a risk, like lose a laptop.  They would pick a possible solution that showed what they did to help mitigate the risk; choices included “Do Nothing”, “implement Endpoint Encryption”, “use DLP”, and use the Fasoo Data Security Framework.  This generated a conversation to discuss if they were protected, protected somewhat or not protected at all.  The contestant got a Fasoo Data Security t-shirt with the outcome for their participation.

Participants had a chance to qualify for an Apple Watch if they posted a picture of themselves on the expo floor wearing a Fasoo Data Security t-shirt and post it on the Fasoo Facebook page.  Check it out to see who posted their picture.

Another main topic during the show was threat analysis and approaches to eliminate or at least reduce the damage done by cyber and insider threats.  During his keynote, Amit Yoran said, “We are only pretending when we think that firewalls, anti-virus, etc. are going to be good enough. Yet, that isn’t translating into actual changes.”  A lot of the attention is still focused on infrastructure, but conversations finally are turning to protect the data itself and really understand how people are using or misusing sensitive information.

A lot of visitors to the Fasoo booth were very interested in how Fasoo RiskView can help them understand user behavior and how it may indicate risk to sensitive data.  By using machine learning algorithms. it can help an organization define baseline normal usage patterns and then detect anomalies to help predict potential threats.  The current state of malware and zero-day attacks are so sophisticated that applying strong encryption and controlling permissions to that data is still the only way to truly protect it.  Understanding the usage of both protected and unprotected data is a more focused approach to threat analysis than many are currently using.

Book a meeting