
Critical Issues in Nonprofit Leadership Stress Tests

This session discusses critical issues facing nonprofit leaders in today's sector and offers stress tests to navigate them effectively.





Presentation Transcript


  1. Stress Tests for Nonprofit Leadership: Critical Issues Facing the Sector
     January 17, 2018

  2. Stress Tests for Nonprofit Leadership: Critical Issues Facing the Sector
     Was it Something I Said? – Standing for Organizational Values in Tumultuous Times
     Laura Abel, Senior Policy Counsel, The Lawyers Alliance
     Phil Zaccheo, Member, Bond, Schoeneck & King

  3. Stress Tests for Nonprofit Leadership: Critical Issues Facing the Sector
     Immigration Challenges for Employers in the Trump Era
     Elena Voss, Assistant General Counsel, Metropolitan Museum of Art
     Joanna Silver, Member, Bond, Schoeneck & King

  4. Stress Tests for Nonprofit Leadership: Critical Issues Facing the Sector
     Board Oversight of Cybersecurity in the Face of Mounting Risk
     January 17, 2018

  5. Presenters:
     Robert E. Leamer, Executive Vice President, General Counsel and Chief Administrative Officer, Metropolitan Jewish Health System
     Tracy E. Miller, Health Care, Higher Education, and Cybersecurity/Data Privacy Practice Groups, Bond Schoeneck & King, PLLC, millert@bsk.com

  6. Rising Cybersecurity Risk
     • Worldwide cyber attacks – WannaCry.
     • Mounting risk of ransomware.
     • Attacks on organizations of all sizes on the rise.
     • Average estimated cost of a breach is $350 per health care record and $245 per higher education record.
     • Unprecedented sharing of data under federal and state health reform increases the risk, scope, and cost of a breach.

  7. Risks to Information Security
     • Targeted attacks by hackers and cyber criminals – financial and other motives.
     • Employee negligence and theft.
     • Third parties – other providers or vendors that have your organization’s data or access to information systems.
     • Loss or theft of mobile devices.
     • Vulnerabilities in information systems/devices.

  8. Cyber-Breaches Can Target Many Operational Areas
     Unauthorized access to:
     • Personal financial data
     • Employee information
     • Confidential proprietary company data – customers’ lists, financial data, trade secrets
     • Donor lists
     • Medical/client information
     • Security controls – electronic locks, security cameras
     • Other electronic devices and system controls (thermostats)

  9. Damage Associated with Cyber-Breaches Can Be Equally Diverse
     • Interruption of operations
     • Payment of extortion demands
     • Property loss due to breach of physical security
     • Cost of forensic assessment
     • Notices to affected parties, including public announcements
     • Cost of credit monitoring
     • Other damage to third parties
     • Reputational damage
     • Regulatory investigations (state and federal) and sanctions

  10. Applicable Laws
     • Health Insurance Portability and Accountability Act (1996), as amended by the HITECH Act (2009) (HIPAA) – Security Rule
     • Gramm-Leach-Bliley Act (Higher Education)
     • Federal Trade Commission (“FTC”) – oversight generally
     • FTC – Red Flags Rule
     • NYS Department of Financial Services (“DFS”) Cybersecurity Rules
     • NYS Information Security Breach and Notification Act
     • Payment Card Industry Data Security Standard (PCI DSS)

  11. Security Standards – Scalable Standards
     • Organizations are unique and vary in size and resources.
     • Measures are required that “reasonably” implement a security standard, taking into account: (i) size of the organization; (ii) capability; (iii) the cost of specific security measures; and (iv) operational impact.
     • Balance risk against the impact of protective measures on operations.
     • HIPAA Security Rule – general standards, except encryption for data transmitted electronically or at rest.
     • National cybersecurity standards – NIST (www.nist.gov)
     • NYS Cybersecurity Rule mandates specific security safeguards.

  12. NYS Cybersecurity Rule
     • Effective Date: March 1, 2017.
     • Entities Covered: banks, insurance companies, health plans and other entities supervised or licensed by the NYS Department of Financial Services (“DFS”).
     • Non-Public Information (“NPI”) – personal financial and medical information not in the public domain.

  13. NYS Cybersecurity Rule – Major Requirements
     • Adopt a cybersecurity program with specified elements;
     • Designate a qualified individual to serve as a chief information security officer;
     • Conduct continuous monitoring, or annual periodic penetration testing and a bi-annual vulnerability assessment;
     • Maintain audit systems to detect and respond to cybersecurity events;
     • Use multi-factor or risk-based authentication;
     • Encrypt NPI at rest and in transmission;
     • Adopt an incident response plan with specified elements;
     • Annually submit a certification of compliance to DFS, commencing February 15, 2018; and
     • Adopt policies and procedures for the security of information systems and NPI accessible to or held by third parties.

  14. Overview – Building Blocks of an Effective Cybersecurity Program
     • Risk Assessment
     • Assigned Security Responsibility
     • Written Policies and Procedures
     • Safeguards (Administrative, Technical, Physical)
     • Workforce Policies and Training
     • Third Party Oversight, including Business Associate Agreements
     • Effective Breach Response Policy
     • Governance Oversight
     • Cybersecurity Insurance

  15. Mitigating Cyber Risk
     • Education
     • Incursion testing
     • Added controls
     • Spam filters
     • Two-step authentication
     • Access limitation (minimum necessary)
     • Assessment of physical security, both for servers and property in general
     • Cybersecurity integrated into business practices and transactions
     • Insurance

  16. Insuring Against Cybersecurity Risk
     What does your cybersecurity policy cover?
     • Investigation – attorneys and consultants
     • Response to regulatory enforcement
     • Business interruption costs
     • Notice to individuals
     • Potential civil liability
     • Liability to business partners for their costs
     • Loss of data and/or intellectual property
     • Public relations services
     • Ransomware
     Scope of coverage, exclusions, limits on coverage.

  17. Mounting Focus on Board Oversight
     • Target breach – shareholders’ derivative suit asserted that the Board of Directors had breached its fiduciary duty to the corporation.
     • NYS Cybersecurity Rule – the CISO of each covered organization must report in writing to the Board at least annually.
     • National Association of Corporate Directors: general duty to oversee risk assessment and management, including internal controls; assure access to the information and expertise needed by the Board.

  18. Board Duty of Care
     • Duty of care – to protect corporate assets, reputation, data, operations and mission.
     • Judgment that a prudent person would use in similar circumstances.
     • Permissible to rely in good faith on management and consultants.
     • In re Caremark – duty to have a reporting system and respond to identified risks.

  19. Data on Board Oversight (from Deloitte, BDO and National Association of Corporate Directors (“NACD”) surveys)
     • A 2017 national survey of Board Directors of large companies listed cybersecurity as the leading risk. 54% reported that the Audit Committee has primary responsibility. (Deloitte)
     • In 2017, 79% reported that the Board is more involved with cybersecurity than 12 months ago, and 78% say the company has increased investment in cybersecurity in the last year. 28% are briefed quarterly; 20% are briefed twice a year. (BDO Survey)
     • Only 15% of Directors said that they are very satisfied with the quality of cybersecurity information they receive. (NACD)

  20. The Government’s Rising Expectation Concerning Directors’ Performance
     • Sarbanes-Oxley Act of 2002
     • New York Not-for-Profit Revitalization Act of 2013
     • The Yates Memo, September 9, 2015
     • Series of high profile cases

  21. Cybersecurity as Part of Enterprise Risk Management
     Overall risks to not-for-profit organizations:
     • Personal injury liability
     • Regulatory risks, audits and investigations
     • Natural disasters
     • Sexual harassment in the workplace
     • Cyber-risks
     • Existential risks

  22. Other Core Issues for Board Oversight
     • Management expertise and commitment
     • Culture of compliance
     • Resources targeted to priorities identified for Board consideration
     … and the Mission of the Organization

  23. Enterprise-Risk Management
     • Comprehensive assessment of all risks throughout the organization
     • Assessment of current mitigation efforts
     • Offers a structure to prioritize risks and target resources
     • Integrated approach across the institution, with Board reporting

  24. Key Questions – Structure and Substance for Board Oversight
     • Board Committee or full Board?
     • Who reports to the Board?
     • Has the Board approved cybersecurity policies?
     • How often is the Board briefed? Under what circumstances?
     • Has the Board received training?
     • How has the Board/executive management signaled the importance of cybersecurity to employees?
     • Is cybersecurity approached as part of enterprise-risk management?
     • Have priorities been identified? Are sufficient resources dedicated to those priorities?
