Learn about the key aspects of cybersecurity for boards and management, including risk assessment, information security programs, governance structure, and incident response plans based on the NAIC Insurance Data Security Model Law.
Lessons from the Trenches: What Boards and Management Need to Know about Cybersecurity

Moderator: Shawn R. Grotte, CPA, Partner, BKD LLP
THE 2018 CHIEF FINANCIAL OFFICER ROUNDTABLE

Session Presenters
• Philip Sherrill, CPA, CIA, CHIE, Vice-President and Chief Audit Executive, Arkansas Blue Cross and Blue Shield
• Shawn R. Grotte, CPA, Partner, BKD LLP
• Devin Shirley, CISSP, GISP, Chief Information Security Officer, Arkansas Blue Cross and Blue Shield
NAIC Insurance Data Security Model Law, adopted October 24th, 2017
“…to establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees…”

• Comprehensive Written Information Security Program
  • Considers the size and complexity of the organization
  • Considers the nature and scope of activities
  • Considers the sensitivity of information the organization governs
• Objectives of an Information Security Program
  • Protect the security and confidentiality of sensitive information
  • Protect against any threats or hazards
  • Protect against unauthorized access or use; minimize the risk of harm
  • Process for retention and destruction of sensitive information
NAIC Insurance Data Security Model Law (continued)

• Risk Assessment
  • Identify reasonably foreseeable internal and external threats
  • Assess the likelihood and potential impact of those threats
  • Assess the sufficiency of policies and procedures
  • Assess the effectiveness of key controls (no less than annually)
• Program Adjustments
  • Monitor, evaluate and adjust, as appropriate, to relevant changes in:
    • Technology and Information System infrastructure
    • Sensitivity of information
    • Internal or external threats
    • Changing business arrangements, e.g. M&A, partnerships, outsourcing, etc.
NAIC Insurance Data Security Model Law (continued)

• Board Governance Structure
  • The Board or an appropriate committee of the Board shall require management to:
    • Develop, implement and maintain an Information Security Program
    • Report on the overall status of the program and compliance with the Model Law
    • Report on material matters related to the program
• Oversight of Third-Party Service Providers
  • Demonstrate due diligence in the selection of third-party service providers
  • Require appropriate administrative, technical and physical measures
NAIC Insurance Data Security Model Law (continued)

• Risk Management and Controls
  • Appropriate security measures, based on assessed risk
  • Integration in an organization’s Enterprise Risk Management process
  • Awareness of emerging threats and vulnerabilities
  • Cybersecurity awareness training
• Incident Response Plan
  • Written Incident Response Plan designed to:
    • Define the internal process for responding to an event
    • Define roles, responsibilities and decision-making authority
    • Define internal and external information sharing
    • Define requirements for remediation
NAIC Insurance Data Security Model Law (continued)

• Annual Certification
  • Submitted to the Commissioner in writing by February 15th, certifying compliance
• Notification (Licensee, Third-Party, Reinsurers)
  • Notify the Commissioner as promptly as possible, but in no event later than 72 hours from a determination that an event has occurred, when:
    • The Licensee reasonably believes that the information involved is that of 250 or more consumers residing in the State, and either:
      • The event requires notice to be provided to any government, regulatory or supervisory body, or
      • There is a reasonable likelihood of material harm impacting a consumer in the State or a material part of the normal operations of the Licensee