Presentation - Cyber Security with a Twist

Cyber Security With a Twist
Protecting Information in Market
Actions
April 13, 2015
Moderator: Sue Stead, Nelson Brown & Co.
Speakers: Holly Blanchard, Examination Resources, LLC
Bernd Breitenbach, Guardian Life Insurance Co.
Jon Brynga, Hanover Insurance Group
Jerry Link, INS Services, Inc.
Joy Morton, Virginia Bureau of Insurance
IRES Foundation 2015 National School on Market Regulation
Surfin’ the waves of Regulation | April 12-14, 2015 | Hilton La Jolla | San Diego, CA
Before the Exam
o Share your Company Cyber and IT Security Practices with the
Regulators or consultants up front and request they comply with
them.
o Determine what information will be accessed through systems vs.
paper or other medium.
o Establish a contact point in IT/Information Security to work with
Regulators/consultants on exams and help with technical issues.
Before the Exam
o Decide whether to give examiners access to Company systems and networks at all, and what hardware requirements apply. Make it clear to the regulator whether their laptops must pass an IT Security scan (patch level, anti-malware, disk encryption) before connecting to Company networks or systems; if they do connect, treat the devices as unmanaged and place them on a segregated network with access limited to what the exam needs.
o Have dedicated Company hardware and printers ready to substitute for examiners' equipment if they will not subject it to scans or it does not meet the required security controls.
o Ask examiners to refrain from personal or non-business email while connected to Company networks or email systems.
Communications
o Avoid sending Personally Identifiable Information (PII) on physical media (flash drives, mailed diskettes or CDs) unless the media or files are encrypted with a strong passphrase; send the passphrase by a separate channel (for example by phone), never in the same package or email.
During the Exam
o Provide a secure facility (locking room, locking cabinets) where examiners can leave laptops, flash drives, etc. so they do not have to carry them back and forth.
o Where possible, use a secure email network to send PII instead of normal email. Where that is not possible, encrypt (password-protect) every document, spreadsheet, etc. that may contain PII, and send the password through a separate channel rather than in the same email.
o Ask examiners not to take any documentation containing PII out of the office during the exam; provide locking file cabinets and request that such documents stay secured on site.
o Provide examiners with a secure shredding bin for confidential material to be destroyed.
After the Exam
o Notify HTG to disable any accounts, passwords, or network access provided to examiners, and confirm the removal.
o Ask regulators to return any documentation containing PII.
o Continue to use secure email to share audit results.
o Make sure any published audit reports or findings contain no PII, or that it is redacted by the DOI before publishing; review the report for PII before it leaves the Company.
o Survey regulators or consultants on their experience and any areas that need improvement.
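The pre-publication check the last slide calls for (no PII in published findings) can be automated. The scanner below is an added example and is not part of the IRES presentation or any speaker's material: it flags the PII types most likely to leak into a market-conduct report (SSNs, payment card numbers, email addresses, US phone numbers), filters out look-alikes using the SSA's structural rules and the Luhn checksum, and produces a redacted copy for the DOI. The report excerpt is constructed for the example; the names and regular expressions are the author's own.

```python
"""Pre-publication PII scan and redaction for an examination report.

Added example, not code from the presentation. Detection is pattern-based:
SSNs are validated against SSA structural rules (area 000, 666, 900-999,
group 00 and serial 0000 are never issued) and card numbers against the
Luhn checksum, so claim and file numbers are not flagged as PII.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn", "card", "email" or "phone"
    value: str     # the matched text as it appears in the report
    line_no: int   # 1-based line in the report


SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# US numbers: (804) 555-0123, 804-555-0123, 804.555.0123, 804 555 0123
PHONE_RE = re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: reject area 000/666/900-999, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _scan_line(line: str) -> list[tuple[str, int, int]]:
    """Return (kind, start, end) spans of PII in one line, ordered by position."""
    spans = []
    for m in SSN_RE.finditer(line):
        if is_valid_ssn(*m.groups()):
            spans.append(("ssn", m.start(), m.end()))
    for m in CARD_RE.finditer(line):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            spans.append(("card", m.start(), m.end()))
    for m in EMAIL_RE.finditer(line):
        spans.append(("email", m.start(), m.end()))
    for m in PHONE_RE.finditer(line):
        spans.append(("phone", m.start(), m.end()))
    return sorted(spans, key=lambda s: s[1])


def scan_report(text: str) -> list[Finding]:
    """List every PII hit in the report with its line number."""
    return [
        Finding(kind, line[s:e], n)
        for n, line in enumerate(text.splitlines(), start=1)
        for kind, s, e in _scan_line(line)
    ]


def redact_report(text: str) -> str:
    """Replace each PII span with a [REDACTED-<KIND>] marker; skip overlapping spans."""
    out = []
    for line in text.splitlines():
        pieces, pos = [], 0
        for kind, s, e in _scan_line(line):
            if s < pos:          # already covered by an earlier span
                continue
            pieces.append(line[pos:s])
            pieces.append(f"[REDACTED-{kind.upper()}]")
            pos = e
        pieces.append(line[pos:])
        out.append("".join(pieces))
    return "\n".join(out)


# Constructed report excerpt for the example (all identifiers are fictitious).
SAMPLE_REPORT = """\
Market Conduct Examination Report - Findings
Claim 1234567890123 was paid 45 days late.
Insured Jane Roe, SSN 123-45-6789, was not notified within 30 days.
Premium charged to card 4111 1111 1111 1111 without written consent.
Complainant reached at jane.roe@example.com or (804) 555-0123.
Reference number 000-12-3456 is a file index, not an SSN.
"""

if __name__ == "__main__":
    for f in scan_report(SAMPLE_REPORT):
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print(redact_report(SAMPLE_REPORT))
```

The claim number on line 2 is 13 digits but fails Luhn, and the file index on line 6 has an area number the SSA never issues, so neither is flagged; the scanner reports the SSN, card, email and phone and the redacted copy is clean on a second pass. Pattern matching of this kind catches formatted identifiers only; names and free-text details still need a human review before the DOI publishes.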
Additional Consideration
o Communications from Company to Regulators: use a secure file transfer portal (or SFTP) to move encrypted Company data rather than email attachments.
o Restrict examiners' direct access to Company legacy systems. Provide data extracts from those systems and make them available to examiners on an access-controlled shared drive limited to the data the exam requires.
o Ensure security of Company data is baked into contracts with third-party vendors:
At the front end, ensure the security of Company data at the time it is delivered to the vendor.
At the back end, ensure the security (return or destruction) of Company data at the vendor upon conclusion of the examination.
Data Security and Integrity
for the Regulator
o Prior to exam start dates, discuss with the Company what processes, procedures, and technologies they are comfortable with; they may already have technical solutions in place.
o Ensure devices (laptops) use industry-standard full-disk encryption software.
o Use secured private cloud storage instead of transferring exam documents on mailed CDs and jump drives (not public cloud such as Box). This increases security and efficiency while lowering the overall cost of the examination. Many of you may already have used the INS ShareFile environment.
Data Security and Integrity
for the Regulator
o Minimize the use of personal email accounts on consumer domains (e.g. Gmail.com, Yahoo.com) when transmitting examination documents: they are outside the regulator's control, and the message and attachments are not guaranteed to be encrypted end to end.
o If utilizing a hosted TeamMate environment, ensure it is physically located in a data center from which power and network redundancy, backup, DR, and CEM plans are inherited, especially when engaging a third-party vendor.
o Require the same standards of all third-party vendors.
o Review NIST standards for a better understanding of data security requirements.
THANK YOU