WHAT TO DO BEFORE AND AFTER A CYBERSECURITY BREACH?

Written By:
Gurpreet Dhillon, Ph.D., Virginia Commonwealth University, Richmond, Virginia

Previous publications in The Changing Faces of Cybersecurity Governance Series
March 2015
CYBERSECURITY GOVERNANCE: FIVE REASONS
YOUR CYBERSECURITY GOVERNANCE STRATEGY
MAY BE FLAWED AND HOW TO FIX IT
By Peter Iannone & Ayman Omar
March 2015
CYBERSECURITY ACT OF 2015 REVIEW: WHAT IT
MEANS FOR CYBERSECURITY GOVERNANCE AND
ENTERPRISE RISK MANAGEMENT
By Joseph J. Panetta & R. Andrew Schroth
September 2015
CYBERSECURITY REGULATION AND PRIVATE
LITIGATION INVOLVING CORPORATIONS AND THEIR
DIRECTORS AND OFFICERS: A LEGAL PERSPECTIVE
By Perry E. Wallace, Richard J. Schroth and William H. DeLone
September 2015
HOW CAN BOARDS AVOID CYBERSECURITY PAIN?
A LEGAL PERSPECTIVE
By Perry E. Wallace, Richard J. Schroth and William H. DeLone
The views and opinions expressed in this paper are those of the author and do not necessarily reflect the position or policy of the
Kogod Cybersecurity Governance Center (KCGC).
“We have been hacked!” These are the dreaded words no executive wants to hear. Yet this is exactly how the Monday morning of Amy Pascal, co-chairman of Sony Pictures Entertainment, started when the company discovered its entire computer system had been hacked by an organization called Guardians of Peace. This was one of the biggest attacks in 2014. Several others have followed in 2015 and 2016.

Over the past few years the size and magnitude of cybersecurity breaches have increased. The 2014 South Korean breach, where nearly 20 million people (40% of the country’s population) were affected, epitomized the seriousness of the problem. More recently a cybersecurity breach was discovered in Ukrainian banks. Carbanak, a malware program, infected the banks’ administrative computers. The breach resulted in banks in several countries, including the USA, Russia and Japan, getting infected. The seriousness of the problem can be judged from the 2016 Internet Security Threat Report published by Symantec. Nearly half a billion personal records were stolen or lost in 2015, and on average one new zero-day vulnerability was discovered each week. When a zero-day vulnerability is discovered, it gets added to the toolkit of cyber criminals.

An IBM study concluded that an average data breach costs about 3.52 to 3.79 million US dollars, and the cost keeps rising every year[1]. It is not just the dollar expense that matters in breach situations. It is very likely that the breach damages the company’s reputation, and some smaller unprepared organizations might never recover from a major disaster.

Cybersecurity breaches affect organizations in different ways. Reputational loss and decreased market value have often been cited as significant concerns. Loss of confidential data and compromised competitiveness of a firm can also cause havoc. There is no doubt that preventive mechanisms need to be put in place. However, when an IT security breach does occur, what should be the response strategy? How can the impact of a breach be minimized? What regulatory and compliance aspects should a company be cognizant of? What steps should be taken to avoid a potential attack?

Companies can defend themselves by conducting risk assessments, mitigating against risks that they cannot remove, preparing and implementing a breach response plan, and implementing best practices. Past events have shown that better prepared companies are able to survive an attack and continue their business operations. Experts recommend board of directors’ involvement in data protection; active participation from senior decision makers can reduce the cost of a data breach. There are several other ways managers can prevent, reduce, and mitigate against data breaches.

Reasons for investing in cybersecurity
Increased frequency
Greater impact on business continuity
Data breach costs have skyrocketed

Anthem: Another one bites the dust

On January 29, 2015, it was discovered that Anthem, Inc., one of the nation’s leading health insurers, was the victim of a cyberattack whereby cyberattackers attempted to gain access to personally identifiable information about current and former Anthem members. The hackers began accessing the information in early December 2014 and, during a nearly 7-week window, perpetrators were able to gain access to nearly 80 million records[2]. Anthem has indicated that not only current members of Anthem were impacted. On its website[3], Anthem noted, “In addition, some members of other independent Blue Cross and Blue Shield plans who received healthcare services in any of the areas that Anthem serves may be impacted. In some instances, non-Anthem members and non-Blue Plan members may have been impacted if their employer offered Anthem and non-Anthem health plan options. Anthem is providing identity protection services to all individuals that are impacted.” Although Anthem maintains that no credit card or financial information was accessed, the threat to individuals’ finances remains. The hackers were able to gain access to names of individuals, health