CYBER RISKS: RISK MANAGEMENT STRATEGIES

Cyber Attacks: How prepared are you?

With barely a day passing without a reported breach of corporate information security, the threat to financial services organisations is all too real: a well-targeted cyber attack, together with an increased risk of regulatory action, has the potential to endanger an organisation's existence. The gravity of the risks associated with a cyber attack or data breach from another source has meant that these issues are increasingly - and rightly - becoming the domain of the board room.

Edwards Wildman recently hosted a seminar in London with BAE Systems Detica and Lockton, which focussed on the increased business threat presented by cyber attacks and weaknesses in information security. The seminar, which brought together practitioners, consultants and experts from across the financial services sector, considered the various approaches to effective cyber risk management for banks and insurance organisations regulated by both the Financial Services Authority (FSA) and the Information Commissioner's Office (ICO).

Managing the threat

In June 2012, Jonathan Evans, the Director General of the UK Security Services, stated at the Lord Mayor's Annual Defence and Security Lecture that businesses must consider cyber risks as part of their annual corporate governance. This was in light of a recent incident involving a London listed company, with whom MI5 had worked, which had resulted in an estimated revenue loss of some £800 million as a result of a hostile cyber attack.

The panelists at the seminar emphasised that threats range in motivation and resources. The more visible actors include 'script kiddies' and 'hacktivists', whose intent may be the thrill of carrying out the attack, or to seek press exposure and cause reputational damage to a particular organisation. The less visible actors include criminals, industrial spies and state-sponsored attackers; their motivations are usually more targeted, with the aim of staying hidden, such as carrying out attacks for financial gain or political advantage.

Digital crime is on the increase, and 80% is now organised crime¹. Offline criminals are increasingly being linked to online criminals; there is clearly a movement of long-established organised crime working its way into the digital space, which has opened up a whole new landscape that is constantly evolving and growing. This new landscape of cyber threats includes the growth of traditional 'cyber attacks', such as the use of commercial malware and website hacking, as well as the emergence of new risks, such as the increase in data security risks posed by the rise in cloud computing, data sharing, the personalisation of services and mobile workforces.

"Businesses are facing significant cyber risks as a result of our increasing dependence on information technology. It is vital that organisations take a more holistic, business-led approach to assessing and managing this risk - by protecting the highest value information assets, implementing effective monitoring to identify potential issues and having a tried-and-tested plan to respond in the event of a significant incident."
Mark Fishleigh, Director

At the heart of cyber risk management strategies sits information security. Organisations, particularly those active in the financial services sector, are recommended to consider the following:

- Confidentiality of data: make information accessible only to persons or systems with appropriate authority;
- Integrity of data: safeguard the accuracy and completeness of information and its processing;
- Limited availability of data: limit access to confidential information to those persons or systems that are required to have access for their job function, and allow access only when their identity is verified; and
- Non-repudiation and accountability of data: the persons or systems that process the information need to take ownership and be held accountable for their actions and inactions.

Understanding the exposure

For every organisation, arguably the main exposure as a victim of a cyber attack is that the information finds its way into the public domain. A recent study carried out by Ponemon Institute LLC showed that the cost of data breaches continues to rise², and in the United Kingdom the average organisational cost per data breach is estimated at around £1.75 million. A BAE Systems Detica study for the Cabinet Office has projected the cost of cyber crime to the country at £27 billion, 1.8% of GDP³. Although some queries may be raised about the bases for these estimates, there is undoubtedly an exposure for Corporate UK, and managing this is difficult.

Typically, cyber attacks cause a variety of losses, including the direct costs of forensics and breach response, civil liability, regulatory liability, reputation management and business disruption, and indirect losses such as damage to reputation and loss of customer confidence and business. Businesses can try to mitigate at least the direct costs by negotiating contracts that include effective risk allocation. However, in practice this is not usually a straightforward process: cloud providers, for instance, typically refuse to assume responsibility for damages arising out of a data loss or breach, even in circumstances where the cloud provider is at fault.

Finally, issues arise in respect of identifying the applicable law, the recoverability of losses and the enforcement of judgments, especially where multiple jurisdictions are involved. This can lead to uncertainty about which country has the right to enforce and impose fines.

In the United Kingdom, the FSA and ICO have powers to impose regulatory fines. The FSA has taken an extremely strict approach when dealing with weaknesses in information security where there has been a breach of Principle 3 of the FSA Handbook, which requires an organisation to take reasonable care to organise and control its affairs responsibly and effectively. The FSA imposed one of the largest fines on a financial institution, a total of £3 million, for the loss of unencrypted data sent to third parties, and found that HSBC had inadequate training and ineffective systems and controls to deal with data security. Typically, the ICO imposes fines of up to £500,000, with the highest fine so far being £325,000 against two NHS trusts for stolen hard drives that were sold on eBay. There has been much commentary that these fines are not high enough, and certainly fines against private companies have been dwarfed by those in respect of public sector breaches. This is likely to change shortly, as the EU data protection regime is about to be overhauled by the proposed General Data Protection Regulation, which will take effect two years after it is adopted by the European Parliament. Under the proposed new regime, national data protection authorities will be allowed to impose fines of up to 2% of the worldwide gross revenue of an organisation, which could have crippling effects on organisations.

¹ Detica Commissioned Study from Centre for Policing and Security at LMU

Risk Management: Proactive management of risks

The most effective way to deal with cyber risks and exposures is to proactively manage them. This can be simplified to a 5-stage process:

Stage 1: Assess the information and risk
Stage 2: Review the requirements
Stage 3: Assemble the team
Stage 4: Develop the procedures
Stage 5: Implement

Stage 1: Assess the information and risk

The process of identifying and managing cyber risk should be part of every organisation's business practice. It is therefore important for organisations to undertake an audit of the information on their systems and of their information security risks, in order to understand the nature of the information at risk.

Stage 2: Review the requirements

There are a number of legal and regulatory requirements that apply to financial services organisations. Some of these requirements, such as data protection and privacy laws, apply to all organisations. However, there are also sector-specific regulations that apply to regulated financial services organisations. At a European level, both Basel III and Solvency II will impose significant additional regulatory burdens on organisations operating in the financial services sector.

Data Protection and Privacy Requirements

Data protection and privacy in the United Kingdom is governed by the Data Protection Act 1998 and the Privacy in Electronic Communications (E-Commerce Directive) Regulations. This regime is set to change as Europe prepares to implement the proposed General Data Protection Regulation, which will add to the following key requirements for organisations when dealing with personal data:

- requirements around transparency;
- requirements around the justification for processing;
- requirements around data quality;
- requirements for individual rights;
- security requirements;
- requirements around the international transfer of data; and
- requirements around data breach notification.

Although the draft General Data Protection Regulation is not yet final, one of the proposals is that all organisations will have 24 hours, 'where feasible', to notify their data protection authority of a data breach. There are similar obligations to notify the individuals whose data has been lost. This obligation, if not managed effectively, could seriously damage the reputation of financial services organisations suffering a data breach and impose substantial costs for the required notifications.

"The legal and regulatory framework consists of general data protection and information security requirements together with sector specific requirements. The aim for financial services organisations is to put in place best practice that seeks to achieve compliance with all relevant requirements, yet at the same time recognising that 100% compliance will be impossible."
Richard Graham, Partner

Financial Services Requirements

For financial services organisations in the United Kingdom, the Financial Services and Markets Act 2000 provides a framework to deal with information security and grants specific powers to the FSA. The FSA's Principles for Businesses impose certain overriding requirements on regulated organisations, including Principle 2, which requires an organisation to 'conduct its business with due skill, care and diligence', and Principle 3, which requires an organisation to 'take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems'. In addition, the Senior Management Arrangements, Systems and Controls (SYSC) provides specific operational and contractual requirements for financial services organisations proactively managing information security risk, including in respect of outsourcing arrangements (see SYSC 8 and SYSC 13) and significant failures in an organisation's systems and controls.

Stage 3: Assemble the team

Once an organisation has assessed the information risk and the applicable legal and regulatory framework, it can take a step towards assembling a team, which would typically include internal stakeholders, external legal advisers, IT and forensics. It is important at this stage that senior stakeholders are involved.

Stage 4: Develop the procedures

As part of the proactive risk management planning, an incident response plan should be developed. It will always be important for organisations to implement relevant procedures that adequately deal with risk avoidance and mitigation. Once the risks have been identified, it is an attractive proposition for organisations to seek to transfer at least some of their potential losses through cyber insurance. Even though an organisation may be compliant with the relevant legal and regulatory regimes, this does not automatically ensure the security of the data, and cyber insurance can help bear the burden of some of the costs associated with a data breach.

Within the cyber insurance marketplace, there appears to be little uniformity among the terms of the policies available. In broad terms there are two main approaches to cyber insurance:

- reimbursement policies, which allow the insured to hire their own choice of consultants and vendors to respond to a data breach, such as legal, forensic and crisis management consultants (with consent from the insurer); and
- policies requiring the use of pre-approved vendors, or requiring that the vendors be appointed and paid directly by the insurer.

For any organisation though, reimbursement of costs is probably the biggest financial risk of a cyber attack. Typically, organisations can seek insurance coverage for network security liability, media liability, privacy liability, breach response costs and extortion payments. However, the insurability of fines remains an uncertain issue, and indirect business losses are generally not insurable. First party cyber coverage (coverage for an insured's own direct losses, as opposed to coverage for third party claims asserted against the insured) that is available includes breach response costs, cyber extortion and certain network failure expenses.

Vendor relationships and indemnity provisions can raise interesting insurance coverage issues. For instance, where an organisation is dependent on a cloud provider that is hosting its data, and the cloud provider's services or security fail, what and whose insurance would respond? Can an organisation seek insurance coverage for the risk of failure of a cloud provider and its own resultant business losses? It remains to be seen how the insurance sector will deal with this problem.

"Despite efforts to mitigate customer or employee data breaches or privacy violations through strong IT security and improved corporate governance, the balance sheet will always be faced with a residual risk. It is this residual risk which specialist insurers in London and the US have started to address."
Ben Beeson, Partner

Stage 5: Implement

The final stage of any proactive risk management strategy is to implement the plan and repeat the process. Lessons will be learned at each stage, and it is important that these are fed back into the process and that the process is reviewed repeatedly in light of new information. Putting in place appropriate procedures to monitor cyber risks, together with the necessary detection and response tools, should help manage the risk if there is a data breach or cyber attack.

Risk Management: Reactive management of risks

If and when an incident occurs, it will be important to execute a tested data breach response plan. This can be simplified to a 5-stage process:

Stage 1: Assemble the response team
Stage 2: Assess the issue
Stage 3: Contain and remedy
Stage 4: Notify
Stage 5: Review

Stage 1: Assemble the response team

After procedures for identifying and managing cyber risks have been implemented, the real test for organisations is what happens when an incident occurs. Organisations should put in place, before any incident takes place, a team with clear roles and responsibilities allocated internally, and external advisers, including forensic and legal consultants, to coordinate the response to an incident and mitigate the potential damages. If an organisation has insurance that may apply to a data breach or other cyber incident, then identifying the broker to contact to give notice to the relevant insurer is part of the planning process.

Stage 2: Assess the issue

Organisations should avoid a 'knee jerk' reaction, which can sometimes lead to detrimental consequences and additional costs that defeat the effort and planning that went into the response procedures. The most effective reactive risk management is to ensure that the response is as systematic and sequential as possible, with time for thoughtful analysis of the technical issues and legal requirements involved. Unless the nature and extent of the breach is understood, and the information involved identified, effective containment, the required response and remedial action will be particularly hard to achieve.

Stage 3: Contain and remedy

Once the response team is assembled and the nature of the breach or other cyber incident understood, the next step is generally to systematically contain and remedy the situation as far as possible. Some key tips for reactive risk management are to consider the timing of any response or notification, and the tactical use of external lawyers to assist in the response and to preserve the privileges available in connection with the investigation of the situation. Expect the unexpected. At a time when tensions are high and resources are stretched, following the organisation's incident response plan and avoiding impulsive decisions could be the difference between managing the incident successfully and exposing the business to undue commercial and financial risks.

Stage 4: Notify

Once the extent of the breach is identified, the next step is to consider notification, both to comply with regulatory notification requirements and for public relations purposes.

Stage 5: Review

Once the incident has been dealt with, the organisation can improve its response plan by reviewing how its process responded to the incident, reacting to additional enquiries and adapting its plans for future incidents.

"Effective breach management requires a balancing exercise between implementing a structured response plan and reacting to ever-changing commercial demands, at all times executed with the support and energy of central management."
Mark Deem, Partner

Richard Graham, Partner
Mark Deem, Partner

This publication is for guidance only and is not intended to be a substitute for specific legal advice. If you would like further information, please contact the Edwards Wildman Palmer LLP lawyer responsible for your matters or one of the lawyers listed below:

Richard Graham, Partner +44 (0)
Mark Deem, Partner +44 (0)


More information

Financial Services Regulatory Commission Antigua and Barbuda Division of Gaming Customer Due Diligence Guidelines for

Financial Services Regulatory Commission Antigua and Barbuda Division of Gaming Customer Due Diligence Guidelines for Division of Gaming Customer Due Diligence Guidelines for Interactive Gaming & Interactive Wagering Companies November 2005 Customer Due Diligence for Interactive Gaming & Interactive Wagering Companies

More information

Charities & Not for Profit Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management

Charities & Not for Profit Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management Charities & Not for Profit Protecting your organisation, supporting its success Risk Management Insurance Employee Benefits Investment Management Charities are there to help those in need. But who helps

More information

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Investment in cyber insurance Lockton Companies

More information

Best Practices in Incident Response. SF ISACA April 1 st 2009. Kieran Norton, Senior Manager Deloitte & Touch LLP

Best Practices in Incident Response. SF ISACA April 1 st 2009. Kieran Norton, Senior Manager Deloitte & Touch LLP Best Practices in Incident Response SF ISACA April 1 st 2009 Kieran Norton, Senior Manager Deloitte & Touch LLP Current Landscape What Large scale breaches and losses involving credit card data and PII

More information

Cyber Security: Are You Prepared?

Cyber Security: Are You Prepared? Cyber Security: Are You Prepared? This briefing provides a high-level overview of the cyber security issues that businesses should be aware of. You should talk to a lawyer and an IT specialist for a complete

More information

The problem of cloud data governance

The problem of cloud data governance The problem of cloud data governance Vasilis Tountopoulos, Athens Technology Center S.A. (ATC) CSP EU Forum 2014 - Thursday, 22 nd May, 2014 Focus on data protection in the cloud Why data governance in

More information

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime? Cyber Warfare David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Cyber crime is the fastest growing economic crime up more than 2300% since 2009 1 in 10 companies

More information

Managing Cyber Risk through Insurance

Managing Cyber Risk through Insurance Managing Cyber Risk through Insurance Eric Lowenstein Aon Risk Solutions This presentation has been prepared for the Actuaries Institute 2015 ASTIN and AFIR/ERM Colloquium. The Institute Council wishes

More information

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com

More information

Cyber Risk Management

Cyber Risk Management Cyber Risk Management A short guide to best practice Insight October 2014 So what exactly is 'cyber risk'? In essence, cyber risk means the risk connected to online activity and internet trading but also

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Over the course of this one hour presentation, panelists will cover the following subject areas, providing answers

More information

What you need to know and what you can t afford to ignore!

What you need to know and what you can t afford to ignore! Cyber Risk: What you need to know and what you can t afford to ignore! James Johnston Directors' and Officers' Insurance Underwriter Daniel Fletcher Cyber Insurance Underwriter Financial & Specialty Markets

More information

Guidance on data security breach management

Guidance on data security breach management ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...

More information

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements Greater New York Chapter Association of Corporate Counsel November 19, 2015 Stephen D. Becker, Executive Vice President

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Thank you for joining us. We have a great many participants in today s call. Your phone is currently

More information

Aftermath of a Data Breach Study

Aftermath of a Data Breach Study Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31 THE MORAY COUNCIL Guidance on data security breach management Information Assurance Group DRAFT Based on the ICO Guidance on data security breach management under the Data Protection Act 1 Document Control

More information

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor Cyber Risks Management Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor 1 Contents Corporate Assets Data Breach Costs Time from Earliest Evidence of Compromise to Discovery of Compromise The Data Protection

More information

Rogers Insurance Client Presentation

Rogers Insurance Client Presentation Rogers Insurance Client Presentation Network Security and Privacy Breach Insurance Presented by Matthew Davies Director Professional, Media & Cyber Liability Chubb Insurance Company of Canada mdavies@chubb.com

More information

YOUR TRUSTED PARTNER IN A DIGITAL AGE. A guide to Hiscox Cyber and Data Insurance

YOUR TRUSTED PARTNER IN A DIGITAL AGE. A guide to Hiscox Cyber and Data Insurance YOUR TRUSTED PARTNER IN A DIGITAL AGE A guide to Hiscox Cyber and Data Insurance 2 THE CYBER AND DATA RISK TO YOUR BUSINESS This digital guide will help you find out more about the potential cyber and

More information

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie Rewriting the Past Oisin Tobin otobin@mhc.ie Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A

More information

Cyber and Data Security. Proposal form

Cyber and Data Security. Proposal form Cyber and Data Security Proposal form This proposal form must be completed and signed by a principal, director or a partner of the proposed insured. Cover and Quotation requirements Please indicate which

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

The UK cyber security strategy: Landscape review. Cross-government

The UK cyber security strategy: Landscape review. Cross-government REPORT BY THE COMPTROLLER AND AUDITOR GENERAL HC 890 SESSION 2012-13 12 FEBRUARY 2013 Cross-government The UK cyber security strategy: Landscape review 4 Key facts The UK cyber security strategy: Landscape

More information

The era of hacks and cyber regulation

The era of hacks and cyber regulation 6 February 2014 The era of hacks and cyber regulation We trust that you are well versed with the details of the various cyber-attacks that made the headlines towards the end of 2014, and early this year,

More information

Preparing for the Inevitable Data Breach: What to Do Before Sensitive Customer and Employee Data is Breached, Stolen or Compromised

Preparing for the Inevitable Data Breach: What to Do Before Sensitive Customer and Employee Data is Breached, Stolen or Compromised ACE USA Podcast Released February 3, 2010 Preparing for the Inevitable Data Breach: What to Do Before Sensitive Customer and Employee Data is Breached, Stolen or Compromised Moderator: Richard Tallo Senior

More information

Vendor Management Challenge Doing More with Less

Vendor Management Challenge Doing More with Less Vendor Management Challenge Doing More with Less Megan Hertzler Assistant General Counsel Director of Data Privacy Xcel Energy Boris Segalis Partner InfoLawGroup LLP Session ID: GRC-402 Insert presenter

More information

Cyber security Keeping your business resilient

Cyber security Keeping your business resilient Intelligence FIRST helping your business make better decisions Cyber security Keeping your business resilient Cyber security is about keeping your business resilient in the modern technological age. It

More information

FINAL NOTICE. The Bank of New York Mellon London Branch ( BNYMLB ) The Bank of New York Mellon International Limited ( BNYMIL )

FINAL NOTICE. The Bank of New York Mellon London Branch ( BNYMLB ) The Bank of New York Mellon International Limited ( BNYMIL ) FINAL NOTICE To: The Bank of New York Mellon London Branch ( BNYMLB ) The Bank of New York Mellon International Limited ( BNYMIL ) Reference Numbers: 122467 183100 Address: 1 Canada Square London E14 5AL

More information

HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES EU PROPOSED CYBERCRIME DIRECTIVE

HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES EU PROPOSED CYBERCRIME DIRECTIVE HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES OF THE PROPOSED CYBERCRIME DIRECTIVE? Dr Mark Abell, Graeme Payne and Joseph Jackson, Bird & Bird, London, UK Cybersecurity is arguably receiving more

More information

Security Incident Management Policy

Security Incident Management Policy Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015

More information

Unit 3 Cyber security

Unit 3 Cyber security 2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 1 September 2015 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning hours:

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report

More information

Accountability Model for Cloud Governance

Accountability Model for Cloud Governance Accountability Model for Cloud Governance Massimo Felici, Hewlett-Packard Laboratories CSP Forum 2014, Athens, 21-22 May 2014 Overview Problem of Data Governance Data Governance in the Cloud Accountability

More information

ISO/IEC 27018 Safeguarding Personal Information in the Cloud. Whitepaper

ISO/IEC 27018 Safeguarding Personal Information in the Cloud. Whitepaper ISO/IEC 27018 Safeguarding Personal Information in the Cloud Whitepaper Summary The protection of private information has never been a higher priority. Many national and international bodies, including

More information

Cyber Risks in Italian market

Cyber Risks in Italian market Cyber Risks in Italian market Milano, 01.10.2014 Forum Ri&Assicurativo Gianmarco Capannini Agenda 1 Cyber Risk - USA 2 Cyber Risk Europe experience trends Market size and trends Market size and trends

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report

More information

The Future of Cyber Insurance

The Future of Cyber Insurance The Future of Cyber Insurance The Future of Cyber Insurance In 2013, UK and Irish businesses alone sustained an average of more than 70 new infections a day, putting them both in the top 10 countries

More information

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response

More information

How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised

How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised ACE USA Podcast Released June 24, 2010 How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised Moderator: Richard Tallo Senior Vice President, ACE North America Marketing

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

Health Care Data Breach Discovery Strategies for Immediate Response

Health Care Data Breach Discovery Strategies for Immediate Response Health Care Data Breach Discovery Strategies for Immediate Response March 27, 2014 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Sarah Flanagan Partner

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information

developing your potential Cyber Security Training

developing your potential Cyber Security Training developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Protecting your business from cyber crime and data loss. November 2014

Protecting your business from cyber crime and data loss. November 2014 Protecting your business from cyber crime and data loss November 2014 1 QBE - Protecting your business from cyber crime and data loss Foreword Today s business environment moves at a rapid pace with a

More information

Financial Services Guidance Note Outsourcing

Financial Services Guidance Note Outsourcing Financial Services Guidance Note Issued: April 2005 Revised: August 2007 Table of Contents 1. Introduction... 3 1.1 Background... 3 1.2 Definitions... 3 2. Guiding Principles... 5 3. Key Risks of... 14

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES SD 0880/10 INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES Laid before Tynwald 16 November 2010 Coming into operation 1 October 2010 The Supervisor, after consulting

More information

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone: Company or Trading Name: Address: Post Code: Telephone: E-mail: Website: Date Business Established Number of Employees Do you have a Chief Privacy Officer (or Chief Information Officer) who is assigned

More information

Navigating Cyber Risk Exposure and Insurance. Stephen Wares EMEA Cyber Risk Practice Leader Marsh

Navigating Cyber Risk Exposure and Insurance. Stephen Wares EMEA Cyber Risk Practice Leader Marsh Navigating Cyber Risk Exposure and Insurance Stephen Wares EMEA Cyber Risk Practice Leader Marsh Presentation Format Four Key Questions How important is cyber risk and how should we view the cyber threat?

More information

Implementing and monitoring effective compliance policies & procedures. charlesrussellspeechlys.com

Implementing and monitoring effective compliance policies & procedures. charlesrussellspeechlys.com Implementing and monitoring effective compliance policies & procedures charlesrussellspeechlys.com Robert Bond Partner Robert Bond has over 36 years' experience in advising national and international clients

More information