Presentation to InfoSecurityIreland

Cyber Security & Corporate Risk Management

Pearse Ryan Partner, Arthur Cox

13 April 2016 DMS#20546349.1

Agenda

• introduction• what is this all about?• what is currently happening?• what is this costing?• cyber threat & corporate risk• international developments• how should organisations

manage this?• conclusion• questions?

2

What is this all

about?

Introduction to cyber security

Cyber attacks on

Company’s have

increased

dramatically over

the last decade

exposing:

Sensitive

personal and

business

information

Disrupting

critical

operations

High costs on

the economy

(estimated to

be €800 million

in Ireland)

4

Introduction to cyber security

Cyber security is the ability

to protect or defend an

organisation's online systems

and technology from attack

5

Introduction to cyber security

• The economy depends on a stable, safe, and resilient

online environment

• A vast array of networks allows us to:

Communicate

and travel

Run our

economy

Power our

homes

Provide

government

services

6

Increasing impact on Organisations/Companies

Financial crime

Financialloss

Drop in share price

Regulatoryfines

Loss of competitiveadvantage

Operationaldowntime

Reputationaldamage

Reducedshareholder

value

Lack of customer

trust

Cyber security demonstrates

regulatory compliance and good

governanceand is

expected by customers,

partners and shareholders

Rogue employees

Data breaches

Theft of customer

information

Organised crime

Denial of service

7

Introduction to cyber security

10 years ago, they looked like this…

8

Introduction to cyber security

Now they look like this…

9

What's happening

currently?

Carbanak – the biggest bank heist ever

11

Denial of service for cash

12

DD4BC – the professionals

13

14

Cyber extortion

15

Social engineering…

“There’s a sucker born every minute”Phineas T. Barnum

16

Social Engineering

• Q: Why break down the door or sneak in through the window when you can be invited in?

17

“Old fashioned” credit card theft

18

19

Hacking – there’s nothing like advertising!

20

Personal data theft

21

Attack – Beware of the Youth!

22

But don't forget....

23

24

25

So, how bad can it get?

26

So, how bad can it get?

27

So, how bad can it get?

28

What does this

cost?

Recent Examples

30

Interestingly

31

Cyber Threat & Corporate Risk Management

32

Cyber Threat & Corporate Risk Management

33

• Is cyber risk management, including cyber insurance, moving to the top of the corporate risk management issues list?

• Is this where the risk belongs?• Slowly but surely Board of Directors are recognising cyber as

No. 1 corporate risk management issue• “Recognising” – the risk not new but corporate assessment of

risk is (relatively) new• Why new recognition?

– Increase in hacking incidents– High profile data incidents– Cyber insurance now viable– International developments– General increased public awareness– Trickle up of awareness to Board

Cyber Threat & Corporate Risk Management –Role of Board

34

• Operational management – senior executives

• Corporate governance & strategic decision making – Board

• Senior executives – run company & answer to Board

• Board members – duties & responsibilities deriving from:– Statute

– Common law

• Directors owe obligations/duties to company rather than shareholders or third parties – fiduciary relationship with company

• Risks to Directors:– Reputational risk

– Removal from Board/employment risk where also an executive (e.g. CEO)

– Action by company & personal liability for loss to company due to failure of duty –theoretically possible

– Restriction order – cyber attack renders company insolvent – S150/Companies Act 1990 – company insolvent at time of windup – 5y restriction order – theoretically possible

• Overall – cyber threat is risk issue for Board

Third Party Suppliers

35

• What to do? – Contract for Services

Third Party Suppliers

36

• What to do? – What not to do

International Developments

37

International Developments

38

• Overall: no longer just the info sec guys who shout wolf!

• Overall: are standards either express or de-facto emerging and will lawyers use/misuse these?

International Developments (contd.)

39

• 2011 – US Securities & Exchange Commission, Division of Corporate Finance – Guidance Note on dealing and reporting cyber security incidents – “this guidance provides the Division of Corporate Finances views regarding disclosure obligations relating to cybersecurity risks and cyber incidents” – non binding but SEC powerful => persuasive – is it only a matter of time before:– Guidance argued before and accepted by US court as an

objective cyber security standard?

– Cyber attack destroys share price

– Company prior public sec statements used against it in court

International Developments (contd.)

• 2014 – SEC wrote to high profile companies requesting voluntary disclosure in SEC filings of info sec breaches e.g. Amazon and Google have agreed to disclose.

• Disclosure will likely become generic e.g. AIG – “like other global companies, we have from time to time, experienced threats to our data systems, including malware and computer virus attacks, unauthorised access, systems failures and disruptions”.

40

International Developments (contd.)

41

• Jan 2014 – Institute of Chartered Accountants in England & Wales – Cyber Security in Corporate Finance – to “help not only to raise awareness of the cyber security risks that businesses face, but also to show how they can - with expert help – begin to tackle those risks when they are raising finance, undertaking M&Aand restructuring”.

• Further stated that “all businesses involved in corporate finance need therefore to be aware of these cyber risks and of what they can do to help protect their data, their clients and their reputation”.

International Developments (contd.)

42

• February 2014 – US National Institute of Standards and Technology (NIST) publication of Framework for Improving Critical Infrastructure CyberSecuritytogether with RoadMap for improving critical infrastructure cybersecurity – follows on from President Obama Executive Order 13636: Improving Critical Infrastructure Cybersecurity Version 1.0, which tasked NIST with developing a cost-effective framework “to reduce cyber risks to critical infrastructure”

• Critical infrastructure has wide definition – chemical, communications, critical manufacturing, defence, financial services, energy, healthcare and IT sectors

International Developments (contd.)

43

• Framework not a national standard but:

– A de facto standard?

– Likely to be argued as standard by plaintiffs in litigation

– Intended to evolve – to where?

– Incentive for corporations to map cybersecurity planning against Framework

– Can be used by non-US corporations

• May 2014 –UK MI5 and GCHQ wrote to FTSE 350 companies in UK offering to conduct an assessment of their cyber defences – ‘Cyber Governance Health Check’ – part of UK Cyber Security Strategy, the commercial part of which intends to improve cyber health of UK business and make UK a safe place to do business.

International Developments (contd.)

44

EU Developments:• February 2013 – EU Commission publication of Cybersecurity

Strategy of the European Union: outlining Commissions plans to ensure common level of network security across Europe AND draft of Cyber Security Directive. Strategy aims to reduce cybercrime & improve network resilience by raising awareness of issues surrounding cyber security, developing an internal market for cyber security products & increasing R&D investment.

• December 2015 –Network & Information Security Directive(AKA Cyber Security Directive) approved:– Ensure Member States & Private sector providing certain critical

infrastructure within EU take appropriate steps to deal with cyber security threat

– Facilitate info sharing on cyber security threats between public & private sectors across Member States

– Mandatory reporting and possible fines– See hand-out article for detail

International Developments (contd.)

45

• New Data Protection Regulation

– Status: publication in June 2016 expected

– 2y lead in period

– Unified EU data protection law

– Put in place data breach procedures

– New fine regime – up to 4% of PA global turnover

– Current max fine regime

– Overall – the Regulation will up the data security & data protection law ante & is primarily a corporate risk management issue

– See hand-out article for further detail

UK £500,000

France Breach 1 – €150,000Thereafter - €300,000

Italy €36,000

Spain €600,000

Germany €300,000

International Developments (contd.)

46

• USA – Cyber Security Information Sharing Act (CISA) – 2015 – scheduled to go before Senate – 2012 & 2014 legislation failed in Senate

Q: does Act promote threat intelligence sharing or force organisations to share data with Government?

• Cybersecurity Information Sharing Act has 'significant problems'

Criminal Law - Domestic

47

Criminal Damage Act 1991 S2 – “Damage” to “Property”, which includes data

S5 – unauthorised access to data – operate computer within the State with intent to access data within/outside the state or outside the state with intent to access data within the state – “whether or not he accesses any data” and “without lawful excuse”

Ancillary/related offences

Criminal Justice (Theft & Fraud Offences) Act 2001 S9 – unauthorised use of a computer – person acting dishonestly, whether

within/outside the State, operates/causes to be operated, a computer with intention of making a gain for himself/another or causing loss to another

Criminal Justice Act 2011 Gardaí powers to investigate “… serious and complex offences”

Assist investigation of white collar crime

S15 – DC order on Garda application – make available docs/describe docs/info on docs e.g. passwords

S18 – allows reasonable presumptions re authorship due to circumstances of creation/exchange e.g. place hands on keyboard

S19 – withholding information offence – Q: obligation to report relevant offences?

Criminal Law – International Co-operation

• Jan 2013: Establishment of European Cybercrime Centre – pool and co-ordinate EU cybercrime expertise to support member states

• July 2013: draft Directive concerning measures to ensure a high common level of network and information security across the Union

• 2010 EU/US summit – establishment of EU/US Working Group on Cybersecurity and Cybercrime

• Cybercrime convention ratification draft Bill

• OVERALL – area due for significant legislative change

• See hand-out for further detail on Criminal Justice (Offences Relating to Information Systems) Bill 2016

48

Criminal Law - International

49

• International – Mutual Assistance & Extradition

How should

companies

manage this?

Cyber security risk managment

Prepare

• Cyber security risk

and threat

assessment

• Security process

or technical

assessments

• Security policy

development

• Third party cyber

security

assurance

Protect

• Security architecture

• Security technology implementation

• Security process design and

implementation

• Identity and access management

• Privacy and data protection

• Data classification

• Enterprise application integrity

• Business continuity and disaster recovery

• Penetration testing

• PCI – DSS

React

• Security operations

and monitoring

• Security and data

breach incident

response

Change

• Security program

strategy and

planning

• Security governance

• Security awareness

51

Assess:

• information & technology used

• threats & vulnerabilities

• controls & processes

• governance & management

Develop cyber security strategy:

• access control

• encryption

• data loss prevention

• monitoring

• backups

• incident response plan

Implement:

• polices

• procedures

• training

At a minimum

52

Cyber security prioritisation

Roles and responsibilities are clearly defined

Governance, Risk Appetite & Management level reports are in place (KRI/KPI) and cover cyber security incidents and breaches

Formal risk acceptance and insurance covers unmitigated risks

The company complies with relevant regulation/ legislation

Policies & standards articulate and support company’s cyber security objectives

Effective assurance of control design and operation in place, especially for controls based at third parties

Incident management processes and business continuity exercises include cyber security

Information Asset Register is in place

Awareness ‘Human firewall’ training in place

Certifications to meet the company’s cyber security requirements

53

Cyber security focus v running a business

54

Cyber Insurance & Role of Lawyers

55

Cyber Insurance

56

Cyber Insurance – Incident Response Legal Services

57

INSURER

Legal

Advisers

Information

Security /

Forensics

Customer

ContactPR [others]

Insured - Incident

Cyber Insurance – Incident Response Legal ServicesAnatomy of Legal Service Provision

58

Insurer

Ireland – Arthur Cox

Various Insurer Panel

suppliers work in co-

operation

Other Insurer Incident

Response Panel Providers

Contact

Insured Victim

Lead Law Firm

e.g. NY firm

Various Countries

Remotely triage situation

Agree next steps

Complete 42-72 hour

Work product / deliverables

and debrief presentations

Next steps

Arthur Cox and other Law Firms

INCIDENT

Incident Response Legal ServicesAnatomy of Legal Service Provision

59

Incident - Victim

Legal Adviser

Existing

SuppliersEmployees Computer

Forensics

Data

Protection

Criminal

Discipline /

Termination

Third Party is cause– Dispute

Third Party not cause - Assistance

Other Regulatory

• Central Bank

• Ireland v

Overseas

Regulator

ODPC – Notification

Other national regulators (Q

of data control)

Gardaí

Notification

Civil action against wrongdoer

Potential data recovery?

Insurance

Policy

Interpretation

Claims advice

Litigation

Attribution

Fair

Procedures Q

Notification

Investigation

Confidential

Information

• Injunction

• Litigation

Notification:

• Ireland

• Overseas

Criminal Proceedings

Existing

Customers

Potential:

• Customer

dispute

• Customer

injunction/litiga

tion against

insured victim

Contract

Third Party

Wrongdoer

Notification

Investigation

Conclusion

60

Conclusion

61

• Cyber threat is clear risk to business both value and continuity

• Role of Board – responsibility stops there

• Role of cyber insurance – mitigate the risk both financial & professional services “hit squad”

• Incident Response – critical both as part of corporate risk planning & component of cyber insurance offering

Questions

Pearse Ryan Partner

Technology & Innovation Department

Arthur Cox

Telephone: +353 (0)1 618 0518

Email: pearse.ryan@arthurcox.com

This presentation is not intended to provide comprehensive legal advice

& contact your legal advisor

Thank you

63