Eversheds Digital Banking Seminar
Combatting Cybercrime: Risks,
Consequences and Mitigation
30 September 2015
Polly Sprenger
Of Counsel
Introduction
Recent high-profile breaches
− Ashley Madison: leak of members' data, so that
individuals could be identified.
− Sony Pictures: resulted in the leaking of sensitive
data as well as a number of the studio's upcoming
films.
− British Airways: complaints about points being
stolen from BA's Executive Club scheme.
− GitHub: an attempt to knock its site offline by
flooding it with traffic, a DDoS (distributed denial of
service).
− Uber: it was reported that login details for Uber
accounts were being offered for sale for as little as $1.
Eversheds LLP |
Risks
Introduction – UK figures
−The BIS 2014 Information Security Breaches Survey reported that
although information security breaches affecting UK businesses
have decreased over the last year, the cost of breaches has nearly
doubled.
−81% of large organisations and 60% of small businesses suffered a
security breach in the last year.
−The average number of breaches suffered in the last year was 16 in
large organisations and 6 in small organisations.
−The average cost to a firm of the worst security breach was £600k-£1.15m
in large organisations and £65k-£115k in small organisations.
−10% of organisations that suffered a breach were so badly damaged
by the attack, they had to change the nature of their business.
−In 2011, the Cabinet Office estimated that the UK loses £27bn per
year to cyber crime.
Risks
Introduction – UK figures (cont’d)
−The majority of businesses have increased IT security investment
over the last year.
−Awareness of cyber security as a business risk rose sharply in 2014,
with 88% of FTSE 350 firms including cyber risk in their risk
register.
−30% indicated that their board received regular cyber security
briefings.
−59% of boardrooms have either a basic or clear understanding of
where their organisation’s critical information and data are being
shared.
−The Edelman Privacy Risk Index found that 71% of customers would
leave an organisation after a data breach.
Risks
Introduction – US figures
−Between 2005 and 2013 there were 616 million data rights
breaches in the US from 3,964 reported incidents.
−According to the October 2013 EY report on Beating cybercrime,
77% of companies had detected a security event in 2013 and
34% said that the number of security incidents detected had increased
from the previous year.
−The average number of security incidents detected in 2013 was 135
per organisation.
−In 2013, the average company spend on cyber security per
employee: banking and finance firms - $2,500; retail and consumer
firms - $400.
−Companies are increasing their investment in cyber security to face
off the dangers and funding for cyber security companies hit
$1.02bn in Q1 2015.
Risks
Introduction – US figures (cont’d)
−The number of companies reporting concerns about cyber security to US
regulators more than doubled in the past two years to 1,174.
−In PwC's 2014 Global Economic Crime Survey, 25% of respondents had
experienced cyber crime and 10% had suffered financial losses of more
than $1m.
−45% of financial services sector organisations had suffered a cyber crime;
34% in other industries.
−Cyber crime is the second most common type of economic crime reported:
39% in financial services sector; 17% in other industries.
−41% of financial services sector firms and 26% in other industries believe it
is likely that they will experience cyber crime in the next 2 years.
Risks
Who are the cyber criminals?
−Cyber criminals: interested in making money through fraudulent
activity or from the sale of valuable information.
−Industrial competitors and foreign intelligence services:
interested in gaining an economic advantage or sensitive
information for their companies or countries.
−Hackers: find interfering with and infiltrating computer systems an
enjoyable challenge and a competition with other hackers.
−Hacktivists: attack companies or countries for political or
ideological motives.
−Employees or those who have legitimate access: through
either accidental or deliberate misuse.
Risks
Types of cyber attacks
−Botnets. Networks of infected computers (known as zombie armies) that are
remotely controlled to stage large-scale co-ordinated attacks.
−Denial of service attack (DOS). A DOS is an attack aimed at swamping an
organisation's server with more emails or requests for information than the server
is designed to cope with, overloading the targeted system and resulting in the
loss of a particular network service.
−Distributed denial of service attack (DDOS). Rather than using one computer
and one internet connection (as in a DOS attack), a DDOS attack uses botnets,
often in different locations around the world, to launch the attack.
−Pharming. An attack that installs software in a system in order to redirect traffic
intended for a genuine website to another, bogus, site.
−Phishing. The sending of individual emails to obtain specific information about
individuals (for example, financial information or website log-in details).
−Spamming. Sending unsolicited junk mail over the internet.
−Spoofing. Sending emails in a way that makes them appear to have originated
from someone or somewhere trustworthy rather than from the actual source.
−Viruses, worms and Trojan horses. Small computer programs introduced into
a system deliberately (and invariably with malicious or imbecilic intent) to carry
out a useless and/or destructive function.
Risks
Ongoing evolution of cyber security threats
[Figure: Ongoing evolution of cyber security threats*]
*"Beating Cybercrime, Security Program Management from the board's perspective," EY.
Source: http://www.slideshare.net/GaldeMerkline/ey-beatingcybercrime
Risks
Who are the victims of cyber crime?
−Anyone, or any organisation can be affected by cyber crime.
−Some attacks are cast as a wide net and others are specifically
targeted.
−Cybercriminals can target their attacks at servers, websites,
computers, mobile devices, tablets and the cloud.
−Cyber attack victims can be:
• Companies (large and small)
• High-profile individuals
• Government bodies
• General members of the public
Consequences
Potential losses and costs
− Victims of cyber attacks may incur significant costs both in relation to remediation
and repair, but also in relation to reputational damage, litigation, loss of revenues and
compensation.
− Financial loss from hacked bank accounts, identity fraud, cyber extortion and
blackmail.
− Financial loss from business disruption and interruption.
− Theft of confidential intellectual property.
− Damage to reputation, hiring PR consultants and lawyers.
− Remediation and repair costs to restore or recreate lost, damaged or stolen data.
− Costs of notifying affected parties.
Consequences
Potential regulatory issues
−For FCA regulated companies adequate cyber security measures are an
integral part of regulatory compliance.
−Regulated entities are obliged to take reasonable care to establish and
maintain effective systems and controls for compliance with the regulatory
requirements and standards, and for countering the risk that the entity
might be used to further financial crime (SYSC 3.2.6R).
−A regulated entity must maintain adequate policies and procedures to ensure
compliance with its obligations under the regulatory system (SYSC 6.1.1R).
−An entity must take reasonable care to organise and control its affairs
responsibly and effectively, with adequate risk management systems (PRIN
3).
−In 2010 Zurich Insurance Plc was fined £2.27 million for breaches of PRIN 3,
SYSC 3.2.6R and SYSC 6.1.1R in failing to have adequate systems and
controls to maintain the security of confidential customer information.
Consequences
Listed companies
−In general terms, a company listed on the stock exchange must act in
accordance with the FCA's Listing Principles (Listing Rule 7.2R). The most
relevant in the context of a company suffering from a breach of cyber
security include:
• Listing Principle 2: a listed company must take reasonable steps to
establish and maintain adequate procedures, systems and controls to
enable it to comply with its obligations.
• Listing Principle 3: a listed company must act with integrity towards
holders and potential holders of its listed shares.
−Listed entities must also communicate information to holders and potential
holders of their shares in such a way as to avoid the creation or continuation
of a false market in such listed equity shares (Listing Principle 4).
−As well as the general obligations and principles, listed companies may have
a duty to disclose cyber security breaches to the market under DTR 2.2.1R.
Consequences
Business liability and litigation threat
−Apart from the regulatory ramifications of a data theft, a company may be
liable to its customers or suppliers under:
1. Breach of contract – even if the security breach does not lead to loss of
customer data, disruption to the business could lead to claims of breach of
express or implied contractual obligations to maintain adequately functioning
IT services.
2. Negligence – third parties could bring a claim in tort for a failure to
exercise reasonable care and skill. The third party would have to prove the
damage and loss it suffered, so the attack would have to be successful.
−One of the major problems with disruptions to business is the potential for
large claims to arise out of short-lived service interruptions and the
escalating losses that can flow directly from a cyber security problem.
Consequences
US and UK litigation
−In the US, several claims of this type have been brought on a class action
basis. In 2008, ChoicePoint, a data broker, settled a class action of this
nature, on a no-admissions basis, for $10 million.
−However, these types of proceedings are not routinely successful in the US
as, to date, the courts have not found that having personal information lost
or stolen is an actionable injury in itself, although the time and
inconvenience of replacing credit cards and altering passwords may amount
to sufficient damage.
−As yet, claims by customers whose data have been lost or stolen have
gained little traction in the UK.
−This is because it is uneconomical for individuals to bring these claims and
there is the uncertainty around whether the individual has suffered any
damage.
Consequences
Sanctions and potential redress
−In addition to the traditional criminal legislation against theft and
fraud, which also applies to cyber crime, legislation specifically
targeting cyber crime includes:
• The Computer Misuse Act 1990
• The Data Protection Act 1998
• The Communications Act 2003
−Offences under these acts can result in fines or imprisonment for up
to 10 years.
−These are of little use to companies; civil remedies are available:
• Actions for damages
• Injunctions
• Third party disclosure orders
• Breach of confidence claims
Mitigation
Insurance
−Many existing insurance policies do not protect against cyber crime losses.
−It is still far from standard for cyber insurance to be offered as part of a
company's overall coverage. As such, it is best practice to confirm exactly
which areas are and are not covered, before any attack.
−Policy premiums for cyber liability insurance vary, depending on a number of
factors, including the size and structure of the organisation, the amount and
types of insurance cover purchased, and the size of any retentions or
deductibles.
−They will also differ by sector. Healthcare institutions, for example, which
store significant amounts of sensitive personal data, are generally subject to
higher premiums.
−Because the cyber insurance market is still relatively immature, the terms of
cyber liability cover may be relatively negotiable and, with insurers
competing to establish market share, there may be opportunities to
negotiate increased cover without any increase in premiums.
Mitigation
CESG – 10 Steps to Cyber Security
Mitigation
Measures to put in place
There are essentially four broad measures that an organisation
should consider taking to mitigate the risk of a cyber attack and
manage any subsequent fallout:
1. Assessment
2. Education
3. Implementation
4. Management
Mitigation
Measures to put in place
1. Assessment
−Identify what to protect (i.e. confidential data, IP, sensitive personal data or
even legal advice).
−Assess the risk.
−Understand the regulatory requirements.
−Check the contractual position.
−Ensure business continuity.
−Put back-ups in place.
2. Education
−Produce an internal user security management policy detailing how staff are
required to use the system.
−Implement internal staff training for joiners and refresher courses for
existing employees.
−Put in place reporting processes for non-compliance with the policy.
−Draft a home and mobile working policy because of threats from staff owned
devices and staff systems at home.
Mitigation
Measures to put in place
3. Implementation
−Avoid excessive user privileges, i.e. too many employees having access to
confidential data and/or systems.
−Implement account management so that only certain members of staff have
access to relevant specific data.
−Differentiate between privileged and standard accounts, and monitor user
activity.
−Scan all media for malware before importation onto the company network.
−Consider producing and implementing a cyber incident response policy.
4. Management
−Establish a monitoring strategy and regime ensuring that all ICT systems
and networks are continuously monitored.
−Ensure that recognised standards for security management good practice
are applied across the company.
−Security patches must be applied promptly, anti-malware defences kept up
to date, and regular scans made of all systems across an organisation.
−Management is also important in maintaining the corporate culture
necessary to ensure that there are secure cyber defences in place.
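The Implementation and Management steps above (explicit allow-lists instead of excessive privileges, a separation between privileged and standard accounts, and continuous monitoring of user activity) can be made concrete in a small deny-by-default access model and an audit-log review. The following is an added example written for this page, not code from the slides or from Eversheds; the asset classification, the account names, the log line format and the sample log lines are all constructed assumptions.

```python
"""Least-privilege account model plus audit-log review (added example).

Constructed assumptions, none of which come from the slides:
- assets are classified in ASSET_CLASS;
- accounts are either standard or privileged and carry an explicit allow-list;
- audit log lines have the form
  "<timestamp> user=<name> action=<read|write|admin> object=<asset>".
"""
from dataclasses import dataclass
import re

# Hypothetical data classification used to label findings.
ASSET_CLASS = {
    "customer_db": "confidential",
    "legal_advice": "confidential",
    "intranet_wiki": "internal",
}


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool           # only privileged accounts may perform "admin" actions
    allowed_assets: frozenset  # explicit allow-list: nothing is granted by default


# Constructed accounts: two standard users with narrow scope, one admin account.
ACCOUNTS = {
    "alice": Account("alice", False, frozenset({"customer_db"})),
    "bob": Account("bob", False, frozenset({"intranet_wiki"})),
    "ops-admin": Account("ops-admin", True,
                         frozenset({"customer_db", "legal_advice", "intranet_wiki"})),
}


def is_permitted(account: Account, action: str, asset: str) -> bool:
    """Deny by default: the asset must be on the account's allow-list, the
    action must be a known one, and admin actions require a privileged account."""
    if asset not in account.allowed_assets:
        return False
    if action == "admin" and not account.privileged:
        return False
    return action in ("read", "write", "admin")


LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<asset>\S+)$"
)


def parse_line(line: str):
    """Parse one constructed audit log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_audit_log(lines):
    """Return one finding string per log line that deserves a reviewer's attention."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(f"UNPARSEABLE: {line.strip()}")
            continue
        account = ACCOUNTS.get(rec["user"])
        if account is None:
            findings.append(f"{rec['ts']} UNKNOWN_ACCOUNT user={rec['user']}")
            continue
        if not is_permitted(account, rec["action"], rec["asset"]):
            cls = ASSET_CLASS.get(rec["asset"], "unclassified")
            findings.append(
                f"{rec['ts']} DENIED_OUT_OF_SCOPE user={rec['user']} "
                f"action={rec['action']} object={rec['asset']} ({cls})"
            )
        elif account.privileged and rec["action"] != "admin":
            # A privileged account doing routine work is a hygiene deviation:
            # day-to-day access should come from a standard account.
            findings.append(
                f"{rec['ts']} PRIVILEGED_ROUTINE_USE user={rec['user']} "
                f"action={rec['action']} object={rec['asset']}"
            )
    return findings


# Constructed sample log: one permitted access, two out-of-scope attempts,
# one privileged account used for routine reading, one unknown user, one bad line.
SAMPLE_LOG = [
    "2015-09-30T09:00:01Z user=alice action=read object=customer_db",
    "2015-09-30T09:01:10Z user=bob action=read object=customer_db",
    "2015-09-30T09:02:45Z user=alice action=admin object=customer_db",
    "2015-09-30T09:03:00Z user=ops-admin action=read object=intranet_wiki",
    "2015-09-30T09:04:30Z user=mallory action=read object=legal_advice",
    "garbage line",
]

if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(finding)
```

Running the script prints five findings for the six sample lines: only alice's read of customer_db passes silently. The design choice worth noting is that the allow-list is the only source of entitlement, so adding a new asset grants nobody access until someone decides who needs it, and the review flags privileged accounts used for routine work even when the access itself was permitted.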
Questions?
Of Counsel
Polly Sprenger
Litigation & Disputes
Management
+44 798 062 4443
pollysprenger@eversheds.com
Eversheds
One Wood Street
London
EC2V 7WS
eversheds.com
©2015 Eversheds LLP
Eversheds LLP is a limited liability partnership