Eversheds Digital Banking Seminar
Combatting Cybercrime: Risks, Consequences and Mitigation
30 September 2015
Polly Sprenger, Of Counsel

Introduction – recent high-profile breaches
− Ashley Madison: leak of members' data, allowing individuals to be identified.
− Sony Pictures: leak of sensitive internal data as well as a number of the studio's unreleased films.
− British Airways: complaints about points being stolen from members' Executive Club accounts.
− GitHub: an attempt to knock the site offline by flooding it with traffic (a distributed denial of service, or DDoS, attack).
− Uber: login details for Uber accounts were reported to be on sale for as little as $1.

Eversheds LLP | Risks

Introduction – UK figures
− The BIS 2014 Information Security Breaches Survey reported that, although the number of information security breaches affecting UK businesses fell over the last year, the cost of breaches nearly doubled.
− 81% of large organisations and 60% of small businesses suffered a security breach in the last year.
− The average number of breaches suffered in the last year was 16 in large organisations and 6 in small organisations.
− The average cost of a firm's worst security breach was £600k-£1.15m in large organisations and £65k-£115k in small organisations.
− 10% of organisations that suffered a breach were so badly damaged by the attack that they had to change the nature of their business.
− In 2011, the Cabinet Office estimated that the UK loses £27bn per year to cyber crime.

Introduction – UK figures (cont'd)
− The majority of businesses increased IT security investment over the last year.
− Awareness of cyber security as a business risk rose sharply in 2014, with 88% of FTSE 350 firms including cyber risk in their risk register.
− 30% indicated that their board received regular cyber security briefings.
− 59% of boardrooms have either a basic or a clear understanding of where their organisation's critical information and data are being shared.
− The Edelman Privacy Risk Index found that 71% of customers would leave an organisation after a data breach.

Introduction – US figures
− Between 2005 and 2013, 616 million data records were breached in the US across 3,964 reported incidents.
− According to the October 2013 EY report Beating Cybercrime, 77% of companies had detected a security event in 2013, and 34% said that the number of security incidents detected had increased from the previous year.
− The average number of security incidents detected in 2013 was 135 per organisation.
− In 2013, average company spend on cyber security per employee was $2,500 for banking and finance firms and $400 for retail and consumer firms.
− Companies are increasing their investment in cyber security to meet these threats, and funding for cyber security companies hit $1.02bn in Q1 2015.

Introduction – US figures (cont'd)
− The number of companies reporting cyber security concerns to US regulators more than doubled in the past two years, to 1,174.
− In PwC's 2014 Global Economic Crime Survey, 25% of respondents had experienced cyber crime and 10% had suffered financial losses of more than $1m.
− 45% of financial services organisations had suffered a cyber crime, compared with 34% in other industries.
− Cyber crime is the second most common type of economic crime reported: 39% in the financial services sector; 17% in other industries.
− 41% of financial services firms and 26% of firms in other industries believe it is likely that they will experience cyber crime in the next two years.

Who are the cyber criminals?
− Cyber criminals: interested in making money through fraudulent activity or from the sale of valuable information.
− Industrial competitors and foreign intelligence services: interested in gaining an economic advantage or sensitive information for their companies or countries.
− Hackers: find interfering with and infiltrating computer systems an enjoyable challenge and a competition with other hackers.
− Hacktivists: attack companies or countries for political or ideological motives.
− Employees or others with legitimate access: through either accidental or deliberate misuse.

Types of cyber attacks
− Botnets. Networks of infected computers (known as zombie armies) that are remotely controlled to stage large-scale co-ordinated attacks.
− Denial of service (DoS) attack. An attack aimed at swamping an organisation's server with more requests (or emails) than it is designed to cope with, overloading the targeted system and resulting in the loss of a particular network service.
− Distributed denial of service (DDoS) attack. Rather than using one computer and one internet connection (as in a DoS attack), a DDoS attack uses botnets, often spread across locations around the world, to launch the attack.
− Pharming. An attack that installs software on a system (or tampers with its name resolution) in order to redirect traffic intended for a genuine website to another, bogus, site.
− Phishing. Emails that purport to come from a trusted source in order to trick recipients into disclosing specific information (for example, financial information or website log-in details).
− Spamming. Sending unsolicited bulk email over the internet.
− Spoofing. Sending emails forged so that they appear to have originated from someone or somewhere trustworthy rather than from the actual source.
− Viruses, worms and Trojan horses. Small computer programs introduced into a system deliberately, invariably with malicious intent, to carry out a useless and/or destructive function.
Ongoing evolution of cyber security threats
[Chart reproduced from "Beating Cybercrime, Security Program Management from the board's perspective," EY. Source: http://www.slideshare.net/GaldeMerkline/ey-beatingcybercrime]

Who are the victims of cyber crime?
− Anyone, or any organisation, can be affected by cyber crime.
− Some attacks are cast as a wide net; others are specifically targeted.
− Cyber criminals can target their attacks at servers, websites, computers, mobile devices, tablets and the cloud.
− Cyber attack victims can be:
  • Companies (large and small)
  • High-profile individuals
  • Government bodies
  • General members of the public

Consequences

Potential losses and costs
− Victims of cyber attacks may incur significant costs, not only for remediation and repair but also through reputational damage, litigation, loss of revenue and compensation.
− Financial loss from hacked bank accounts, identity fraud, cyber extortion and blackmail.
− Financial loss from business disruption and interruption.
− Theft of confidential intellectual property.
− Damage to reputation, and the cost of hiring PR consultants and lawyers.
− Remediation and repair costs to restore or recreate lost, damaged or stolen data.
− Costs of notifying affected parties.

Potential regulatory issues
− For FCA-regulated companies, adequate cyber security measures are an integral part of regulatory compliance.
− Regulated entities must take reasonable care to establish and maintain effective systems and controls for compliance with the regulatory requirements and standards, and for countering the risk that the entity might be used to further financial crime (SYSC 3.2.6R).
− A regulated entity must maintain adequate policies and procedures to ensure compliance with its obligations under the regulatory system (SYSC 6.1.1R).
− An entity must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems (PRIN 3).
− In 2010 Zurich Insurance Plc was fined £2.27 million for breaches of PRIN 3, SYSC 3.2.6R and SYSC 6.1.1R, having failed to have adequate systems and controls to maintain the security of confidential customer information.

Listed companies
− In general terms, a company listed on the stock exchange must act in accordance with the FCA's Listing Principles (Listing Rule 7.2R). The most relevant where a company suffers a breach of cyber security are:
  • Listing Principle 2: a listed company must take reasonable steps to establish and maintain adequate procedures, systems and controls to enable it to comply with its obligations.
  • Listing Principle 3: a listed company must act with integrity towards holders and potential holders of its listed shares.
− Listed entities must also communicate information to holders and potential holders of their shares in such a way as to avoid the creation or continuation of a false market in those shares (Listing Principle 4).
− As well as these general obligations and principles, listed companies may have a duty to disclose a cyber security breach to the market as inside information under DTR 2.2.1R.

Business liability and litigation threat
− Apart from the regulatory ramifications of a data theft, a company may be liable to its customers or suppliers for:
  1. Breach of contract: even if the security breach does not lead to loss of customer data, disruption to the business could lead to claims for breach of express or implied contractual obligations to maintain adequately functioning IT services.
  2. Negligence: third parties could bring a claim in tort for a failure to exercise reasonable care and skill. The third party would have to prove the damage and loss it suffered, so the attack would have to have been successful.
− One of the major problems with business disruption is the potential for large claims to arise out of short-lived service interruptions, and the escalating losses that can flow directly from a cyber security problem.

US and UK litigation
− In the US, several claims of this type have been brought on a class action basis. In 2008, ChoicePoint, a data broker, settled a class action of this kind, on a no-admissions basis, for $10 million.
− However, such proceedings are not routinely successful in the US: to date, the courts have not found that having personal information lost or stolen is an actionable injury in itself, although the time and inconvenience of replacing credit cards and changing passwords may amount to sufficient damage.
− As yet, claims by customers whose data have been lost or stolen have gained little traction in the UK.
− This is because it is uneconomical for individuals to bring such claims, and because it is uncertain whether the individual has suffered any damage.

Sanctions and potential redress
− In addition to the traditional criminal legislation against theft and fraud, which applies equally to cyber crime, legislation specifically targeting cyber crime includes:
  • The Computer Misuse Act 1990
  • The Data Protection Act 1998
  • The Communications Act 2003
− Offences under these Acts can result in fines or imprisonment for up to 10 years.
− Criminal sanctions are of limited use to the victim company itself; civil remedies are also available:
  • Actions for damages
  • Injunctions
  • Third party disclosure orders
  • Breach of confidence claims

Mitigation

Insurance
− Many existing insurance policies do not protect against cyber crime losses.
− It is still far from standard for cyber insurance to be offered as part of a company's overall coverage.
  As such, it is best practice to confirm exactly which areas are and are not covered before any attack occurs.
− Policy premiums for cyber liability insurance vary depending on a number of factors, including the size and structure of the organisation, the amount and types of cover purchased, and the size of any retentions or deductibles.
− They also differ by sector. Healthcare institutions, for example, which store significant amounts of sensitive personal data, are generally subject to higher premiums.
− The cyber insurance market is still relatively immature: the terms of cyber liability cover may be relatively negotiable and, with insurers competing to establish market share, there may be opportunities to negotiate increased cover without any increase in premiums.

CESG – 10 Steps to Cyber Security
[Diagram: CESG's 10 Steps to Cyber Security]

Measures to put in place
There are essentially four broad measures that an organisation should consider taking to mitigate the risk of a cyber attack and manage any subsequent fallout:
1. Assessment
2. Education
3. Implementation
4. Management

Measures to put in place (cont'd)
1. Assessment
− Identify what to protect (e.g. confidential data, IP, sensitive personal data or even legal advice).
− Assess the risk.
− Understand the regulatory requirements.
− Check the contractual position.
− Ensure business continuity.
− Put back-ups in place.

2. Education
− Produce an internal user security management policy detailing how staff are required to use the system.
− Implement internal staff training for joiners and refresher courses for existing employees.
− Put in place reporting processes for non-compliance with the policy.
− Draft a home and mobile working policy to address the threats from staff-owned devices and staff systems at home.

Measures to put in place (cont'd)
3. Implementation
− Avoid excessive user privileges: too many employees having access to confidential data and/or systems.
− Implement account management so that only specific members of staff have access to the data relevant to them.
− Differentiate between privileged and standard accounts, and monitor user activity.
− Scan all media for malware before importing it onto the company network.
− Produce and implement a cyber incident response policy.

4. Management
− Establish a monitoring strategy and regime ensuring that all ICT systems and networks are continuously monitored.
− Ensure that recognised standards for security management good practice are applied across the company.
− Apply security patches promptly, keep anti-malware defences up to date, and scan all systems across the organisation regularly.
− Management is also important in maintaining the corporate culture necessary to ensure that secure cyber defences are in place.

Questions?

Polly Sprenger, Of Counsel
Litigation & Disputes Management
+44 798 062 4443
pollysprenger@eversheds.com
Eversheds, One Wood Street, London EC2V 7WS
eversheds.com

©2015 Eversheds LLP. Eversheds LLP is a limited liability partnership.