Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014

Page 1

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk

Thursday, 25 September 2014

Page 2

Overview of this presentation

Examples of cybersecurity breaches: Act now!
• International & local public & private entities that have had incidents.

Legislation to consider: Consequences if you don’t!
• A brief overview of legislation you should be familiar with.

A cybersecurity breach game-plan: Mitigating risk!
• Preparing for a cybersecurity breach
• A breach has happened: first steps & considerations
• Sharing information in your industry: strength in numbers
• After the cybersecurity breach: fixing and fighting back

Page 3

Breaches: It happened to them, it will happen to you!

• Estimated annual cost of cybercrime to the global economy – US$400 billion (McAfee, June 2014)
• Estimated cost of cybercrime in SA – 0.14% of GDP (McAfee, June 2014)
• Sony Corporation PlayStation breach – US$171 million so far, 12% off share price (Booz & Co, 2014)
• Target breach – US$148 million in costs, CEO resignation (Forbes, September 2014)
• South African Police Service website – cost unknown, major reputational damage
• Payment Association of South Africa card hack – cost unknown, major reputational damage

Page 4

Why bother with cybersecurity… surely it’s something for the geeky IT guys to deal with?

• MFM Act
• Companies Act
• POPI Act
• ECT Act
• RIC Act
• King III Report
• South Africa Connect: The National Broadband Policy
• The National Integrated ICT Policy Green Paper
• The White Papers on Transforming Public Service Delivery
• The Minimum Information Standards Policy
• The Minimum Interoperability Standards Policy
• Free and Open Source Software Policy

Organisation leaders: it’s no longer just the IT guys’ problem, it’s your responsibility!

Page 5

Condition 7: Security safeguards – Part 1

A basic guideline for cybersecurity: condition 7 of POPI

• A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
  • loss of, damage to or unauthorised destruction of personal information; and
  • unlawful access to or processing of personal information.

Page 6

Condition 7: Security safeguards – Part 2

Chapter 3: Conditions for lawful processing of personal information

• A responsible party must take reasonable measures to:
  • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Page 7

Condition 7: Security safeguards – Part 3

Chapter 3: Conditions for lawful processing of personal information

• Where the responsible party appoints an operator:
  • the operator must act under proper authority and respect confidentiality;
  • the relationship must be governed by a written contract which enforces confidentiality and security.
• Where security breaches occur, the data subject and the Regulator must be notified.

Page 8

Preparing for a cybersecurity breach

Be aware of your network & data and implement protection procedures
• Categorise data & define access
• Use smart network design
• Protect super-sensitive data
• Audit and test your network

Have best-practice policies & procedures
• Cybersecurity breach management plans
• Get consents to the use of your network

Be aware of the cybersecurity risks of business relations
• Supply chain matters
• Client and customer matters
• Be aware of and evaluate cyber threats

Page 9

A breach has happened! First steps and considerations

Internal processes & governance after a breach
• Directors, lawyers, IT and PR

Conduct an extensive internal investigation
• Considerations whilst conducting an investigation

Should all breaches be investigated? Investigation thresholds & reporting
• Statutory reporting obligations
• Contractual reporting obligations
• Shareholder / stakeholder reporting obligations

Page 10

Sharing information in your industry: strength in numbers

Why sharing may be good

Competition law considerations

Page 11

After the cybersecurity breach: fixing and fighting back

Effective breach response methods

Exercising patience may help

Don’t overreact or break the law – liability concerns

Page 12

Practical tips & recommendations

Develop a comprehensive strategy, but consider these now:

• Read the legislation. Consider POPI’s Condition 7 as a minimum.
• Do your operations warrant information security awareness training for staff?
• Put procedures in place to limit who can access certain information on your organisation’s computer system.
• Ensure that laptops and other mobile devices have passwords and similar security, and are preferably encrypted.
• Secure the physical premises where you store sensitive information.
• Put proper contracts in place that compel your service providers to give you assurances that they will comply with some sort of cybersecurity standard.
• Consider whether securing cyber insurance is necessary. Your current “generic” insurance is not likely to provide cover.
• Have a technical and legal information/cyber security gap analysis done… it will make shareholders or the Auditor-General happy!

Page 13

Any questions?
