Representatives from the fields of health care, finance, energy and consulting, along with a representative from state government, participated in a panel discussion at Rutgers Law School – Newark in early November. The event was sponsored by the Rutgers Center for Corporate Law and Governance and the Computer and Technology Law Journal.
The panelists were Assistant Attorney General Christine A. Hoffman, Deputy Director of the New Jersey Division of Criminal Justice; Paul D. Milkman, Senior Vice President CISO, Head of Technology and Operations Risk at CIT Group; Joseph Santamaria, Vice President – Information Technology and Chief Information Officer for PSEG Services Corporation; Alexander Tovitz, Director, Enterprise Risk Management and Compliance Audit, Horizon Blue Cross Blue Shield of New Jersey; and Steven Zaki, Director, FS Cyber and Risk Practice, PwC. Professor Douglas S. Eakeley served as moderator.
Assistant Attorney General Hoffman commented on the release the prior week by the Attorney General and State Police of the first annual statistics on cyber breaches. That release reported that 676 data breaches were reported to the State Police in 2016, affecting more than 116,000 New Jersey account holders. She indicated that information is illegally obtained through phishing, malware, ransomware and other methods. Noting that some companies are afraid to report information breaches for fear of bad publicity, she said: “We work hard to reassure these companies that we try to protect our victims.”
PwC Director Steven Zakin provided an overview of cybersecurity as a consultant to companies in various industries. He noted that cyber risks were not just technical in nature, and should be included in any company’s enterprise risk management system. Cyber risks should be important not only to top management but to the board of directors as well, where ultimate responsibility for corporate oversight and compliance resides.
The other three panelists then addressed the kinds of cybersecurity risks their companies and industries confront, how cyber fits within their companies’ enterprise risk management program, the policies and procedures they have for mitigating, detecting and responding to cyber risks as well as to breaches/hacks, the roles their boards of directors play in this process, and the roles of the state and federal governments.
Joseph Santamaria said that cybersecurity at PSEG means ensuring that customers have safe and uninterrupted delivery of electricity, that their personal information is protected, and that the company’s assets (including its nuclear power plants) are also protected. He noted that the company works closely with federal regulators and law enforcement to identify risks of cyberattacks from overseas of the kind that have disrupted utilities in other countries.
Paul Milkman, whose experience in the technology and finance sector included stints at TD Bank, Fannie Mae and IBM before his arrival at CIT as Chief Information Security Officer, described the evolution of perspectives and of preventive and remedial efforts undertaken by companies as cybersecurity developed into a business risk proposition. He emphasized the importance of companies paying attention to vendors and outside contractors as part of the cyber risk management function, the need for transparency in the company’s transactions, and the necessity of developing a prompt and effective strategy for responding in the event of a breach or a hack.
Alexander Tovitz reported that Horizon Blue Cross Blue Shield is responsible for safeguarding private health information for 3.7 million of its customers. As a consequence, employees are constantly “trained and retrained” to comply with HIPAA privacy laws. He also stressed the importance of coordinating with outside vendors and partners (doctors, hospitals, pharmacies) to protect against and mitigate cyber risks.