TRANSCRIPT
Presentation to InfoSecurityIreland
Cyber Security & Corporate Risk Management
Pearse Ryan Partner, Arthur Cox
13 April 2016 DMS#20546349.1
Agenda
• Introduction
• What is this all about?
• What is currently happening?
• What is this costing?
• Cyber threat & corporate risk
• International developments
• How should organisations manage this?
• Conclusion
• Questions?
What is this all about?
Introduction to cyber security
Cyber attacks on companies have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations and imposing high costs on the economy (estimated to be €800 million in Ireland).
Introduction to cyber security
Cyber security is the ability to protect or defend an organisation's online systems and technology from attack.
Introduction to cyber security
• The economy depends on a stable, safe, and resilient online environment
• A vast array of networks allows us to:
– Communicate and travel
– Run our economy
– Power our homes
– Provide government services
Increasing impact on Organisations/Companies
• Threats: financial crime, rogue employees, data breaches, theft of customer information, organised crime, denial of service
• Impacts: financial loss, drop in share price, regulatory fines, loss of competitive advantage, operational downtime, reputational damage, reduced shareholder value, lack of customer trust
Cyber security demonstrates regulatory compliance and good governance, and is expected by customers, partners and shareholders.
Introduction to cyber security
10 years ago, they looked like this…
Now they look like this…
What's happening currently?
Carbanak – the biggest bank heist ever
Denial of service for cash
DD4BC – the professionals
Cyber extortion
Social engineering…
“There’s a sucker born every minute” – Phineas T. Barnum
Social Engineering
• Q: Why break down the door or sneak in through the window when you can be invited in?
“Old fashioned” credit card theft
Hacking – there’s nothing like advertising!
Personal data theft
Attack – Beware of the Youth!
But don't forget....
So, how bad can it get?
What does this cost?
Recent Examples
Interestingly
Cyber Threat & Corporate Risk Management
• Is cyber risk management, including cyber insurance, moving to the top of the corporate risk management issues list?
• Is this where the risk belongs?
• Slowly but surely, Boards of Directors are recognising cyber as the No. 1 corporate risk management issue
• “Recognising” – the risk is not new, but corporate assessment of the risk is (relatively) new
• Why the new recognition?
– Increase in hacking incidents
– High profile data incidents
– Cyber insurance now viable
– International developments
– General increased public awareness
– Trickle up of awareness to Board
Cyber Threat & Corporate Risk Management – Role of Board
• Operational management – senior executives
• Corporate governance & strategic decision making – Board
• Senior executives – run company & answer to Board
• Board members – duties & responsibilities deriving from:
– Statute
– Common law
• Directors owe obligations/duties to company rather than shareholders or third parties – fiduciary relationship with company
• Risks to Directors:
– Reputational risk
– Removal from Board/employment risk where also an executive (e.g. CEO)
– Action by company & personal liability for loss to company due to failure of duty – theoretically possible
– Restriction order – cyber attack renders company insolvent – S150/Companies Act 1990 – company insolvent at time of windup – 5y restriction order – theoretically possible
• Overall – cyber threat is a risk issue for Board
Third Party Suppliers
• What to do? – Contract for Services
• What to do? – What not to do
International Developments
• Overall: no longer just the info sec guys who shout wolf!
• Overall: are standards, either express or de facto, emerging, and will lawyers use/misuse these?
International Developments (contd.)
• 2011 – US Securities & Exchange Commission, Division of Corporation Finance – Guidance Note on dealing with and reporting cyber security incidents – “this guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents” – non-binding, but SEC powerful => persuasive – is it only a matter of time before:
– Guidance argued before and accepted by a US court as an objective cyber security standard?
– Cyber attack destroys share price
– Company's prior public SEC statements used against it in court
International Developments (contd.)
• 2014 – SEC wrote to high profile companies requesting voluntary disclosure in SEC filings of info sec breaches e.g. Amazon and Google have agreed to disclose.
• Disclosure will likely become generic e.g. AIG – “like other global companies, we have from time to time, experienced threats to our data systems, including malware and computer virus attacks, unauthorised access, systems failures and disruptions”.
International Developments (contd.)
• Jan 2014 – Institute of Chartered Accountants in England & Wales – Cyber Security in Corporate Finance – to “help not only to raise awareness of the cyber security risks that businesses face, but also to show how they can - with expert help – begin to tackle those risks when they are raising finance, undertaking M&A and restructuring”.
• Further stated that “all businesses involved in corporate finance need therefore to be aware of these cyber risks and of what they can do to help protect their data, their clients and their reputation”.
International Developments (contd.)
• February 2014 – US National Institute of Standards and Technology (NIST) publication of the Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0), together with a Roadmap for Improving Critical Infrastructure Cybersecurity – follows on from President Obama's Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which tasked NIST with developing a cost-effective framework “to reduce cyber risks to critical infrastructure”
• Critical infrastructure has a wide definition – chemical, communications, critical manufacturing, defence, financial services, energy, healthcare and IT sectors
International Developments (contd.)
• Framework not a national standard but:
– A de facto standard?
– Likely to be argued as standard by plaintiffs in litigation
– Intended to evolve – to where?
– Incentive for corporations to map cybersecurity planning against Framework
– Can be used by non-US corporations
• May 2014 – UK MI5 and GCHQ wrote to FTSE 350 companies in UK offering to conduct an assessment of their cyber defences – ‘Cyber Governance Health Check’ – part of UK Cyber Security Strategy, the commercial part of which intends to improve cyber health of UK business and make UK a safe place to do business.
International Developments (contd.)
EU Developments:
• February 2013 – EU Commission publication of Cybersecurity Strategy of the European Union, outlining the Commission's plans to ensure a common level of network security across Europe AND a draft Cyber Security Directive. Strategy aims to reduce cybercrime & improve network resilience by raising awareness of issues surrounding cyber security, developing an internal market for cyber security products & increasing R&D investment.
• December 2015 – Network & Information Security Directive (AKA Cyber Security Directive) approved:
– Ensure Member States & private sector providing certain critical infrastructure within EU take appropriate steps to deal with cyber security threat
– Facilitate info sharing on cyber security threats between public & private sectors across Member States
– Mandatory reporting and possible fines
– See hand-out article for detail
International Developments (contd.)
• New Data Protection Regulation
– Status: publication in June 2016 expected
– 2y lead-in period
– Unified EU data protection law
– Put in place data breach procedures
– New fine regime – up to 4% of global turnover per annum
– Current max fine regime:
  UK – £500,000
  France – Breach 1: €150,000; thereafter: €300,000
  Italy – €36,000
  Spain – €600,000
  Germany – €300,000
– Overall – the Regulation will up the data security & data protection law ante & is primarily a corporate risk management issue
– See hand-out article for further detail
International Developments (contd.)
• USA – Cyber Security Information Sharing Act (CISA) – 2015 – scheduled to go before Senate – 2012 & 2014 legislation failed in Senate
– Q: does Act promote threat intelligence sharing or force organisations to share data with Government?
• Cybersecurity Information Sharing Act has 'significant problems'
Criminal Law – Domestic
• Criminal Damage Act 1991
– S2 – “Damage” to “Property”, which includes data
– S5 – unauthorised access to data – operate computer within the State with intent to access data within/outside the State, or outside the State with intent to access data within the State – “whether or not he accesses any data” and “without lawful excuse”
– Ancillary/related offences
• Criminal Justice (Theft & Fraud Offences) Act 2001
– S9 – unauthorised use of a computer – person acting dishonestly, whether within/outside the State, operates/causes to be operated a computer with intention of making a gain for himself/another or causing loss to another
• Criminal Justice Act 2011 – Gardaí powers to investigate “… serious and complex offences”
– Assist investigation of white collar crime
– S15 – DC order on Garda application – make available docs/describe docs/info on docs e.g. passwords
– S18 – allows reasonable presumptions re authorship due to circumstances of creation/exchange e.g. place hands on keyboard
– S19 – withholding information offence – Q: obligation to report relevant offences?
Criminal Law – International Co-operation
• Jan 2013: Establishment of European Cybercrime Centre – pool and co-ordinate EU cybercrime expertise to support member states
• July 2013: draft Directive concerning measures to ensure a high common level of network and information security across the Union
• 2010 EU/US summit – establishment of EU/US Working Group on Cybersecurity and Cybercrime
• Cybercrime convention ratification draft Bill
• OVERALL – area due for significant legislative change
• See hand-out for further detail on Criminal Justice (Offences Relating to Information Systems) Bill 2016
Criminal Law – International
• International – Mutual Assistance & Extradition
How should companies manage this?
Cyber security risk management
Prepare
• Cyber security risk and threat assessment
• Security process or technical assessments
• Security policy development
• Third party cyber security assurance
Protect
• Security architecture
• Security technology implementation
• Security process design and implementation
• Identity and access management
• Privacy and data protection
• Data classification
• Enterprise application integrity
• Business continuity and disaster recovery
• Penetration testing
• PCI – DSS
React
• Security operations and monitoring
• Security and data breach incident response
Change
• Security program strategy and planning
• Security governance
• Security awareness
At a minimum
Assess:
• information & technology used
• threats & vulnerabilities
• controls & processes
• governance & management
Develop cyber security strategy:
• access control
• encryption
• data loss prevention
• monitoring
• backups
• incident response plan
Implement:
• policies
• procedures
• training
Cyber security prioritisation
• Roles and responsibilities are clearly defined
• Governance, Risk Appetite & Management level reports are in place (KRI/KPI) and cover cyber security incidents and breaches
• Formal risk acceptance and insurance covers unmitigated risks
• The company complies with relevant regulation/legislation
• Policies & standards articulate and support company’s cyber security objectives
• Effective assurance of control design and operation in place, especially for controls based at third parties
• Incident management processes and business continuity exercises include cyber security
• Information Asset Register is in place
• Awareness (‘Human firewall’) training in place
• Certifications to meet the company’s cyber security requirements
Cyber security focus v running a business
Cyber Insurance & Role of Lawyers
Cyber Insurance
Cyber Insurance – Incident Response Legal Services
• Insured – Incident
• Insurer
• Insurer panel providers: Legal Advisers; Information Security / Forensics; Customer Contact; PR; [others]
Cyber Insurance – Incident Response Legal Services: Anatomy of Legal Service Provision
• Incident – Insured Victim
• Insurer – Contact
• Lead Law Firm (e.g. NY firm)
• Arthur Cox and other Law Firms – various countries (Ireland – Arthur Cox)
• Other Insurer Incident Response Panel Providers – various insurer panel suppliers work in co-operation
• Remotely triage situation
• Agree next steps
• Complete 42-72 hour work product / deliverables and debrief presentations
• Next steps
Incident Response Legal Services: Anatomy of Legal Service Provision
Incident – Victim – Legal Adviser
• Existing Suppliers
– Third Party is cause – Dispute
– Third Party not cause – Assistance
– Contract
• Employees
– Discipline / Termination
– Fair Procedures Q
– Investigation
– Confidential Information: Injunction; Litigation
• Computer Forensics
– Attribution
– Potential data recovery?
• Data Protection
– ODPC – Notification
– Other national regulators (Q of data control)
– Notification: Ireland; Overseas
• Criminal
– Gardaí Notification
– Criminal Proceedings
• Other Regulatory
– Central Bank
– Ireland v Overseas Regulator
– Notification
• Insurance
– Policy Interpretation
– Claims advice
– Litigation
• Existing Customers
– Potential: Customer dispute; Customer injunction/litigation against insured victim
• Third Party Wrongdoer
– Notification
– Investigation
– Civil action against wrongdoer
Conclusion
• Cyber threat is clear risk to business both value and continuity
• Role of Board – responsibility stops there
• Role of cyber insurance – mitigate the risk both financial & professional services “hit squad”
• Incident Response – critical both as part of corporate risk planning & component of cyber insurance offering
Questions
Pearse Ryan, Partner
Technology & Innovation Department
Arthur Cox
Telephone: +353 (0)1 618 0518
Email: [email protected]
This presentation is not intended to provide comprehensive legal advice; contact your legal advisor.
Thank you