Annual Seminar on Risk Management and Regulatory Examina7on/Compliance Issues Affec7ng Interna7onal Banks. October 7, 2014

Transcription

1 Annual Seminar on Risk Management and Regulatory Examina7on/Compliance Issues Affec7ng Interna7onal Banks October 7, 2014 Regulatory Expecta7ons for an Effec7ve Cyber Security Program Walter J. Mix III, Director/Financial Services Prac7ce Group Leader, BRG Nicole Jacoby, Special Counsel, Banking Division New York State Department of Financial Services Alan Avery, Partner, Lathan & Watkins LLP Stuart D. Levi, Partner, Skadden Arps, Slate, Meagher & Flom LLP

2 Summary of Presenta/ons 1. Overview of Enterprise Cyber Security and Risk Management Issues Walter J. Mix III, Director/Financial Services Prac7ce Group Leader, BRG 2. DFS Cyber Security Ini/a/ve - Nicole Jacoby, Special Counsel, Banking Division, New York State Department of Financial Services 3. Regulatory Expecta/ons for an Effec/ve Cybersecurity Program - Federal Ini/a/ves - Alan Avery, Partner, Latham & Watkins LLP 4. Cybersecurity 2014: The State of Li/ga/on - Stuart Levi, Partner, Skadden Arps, Slate, Meagher & Flom LLP 2

3 Overview of Enterprise Cyber Security and Risk Management Issues Presenter: Walter J. Mix III, Director/Financial Services Prac7ce Group Leader, BRG Tel: (213) ; expert.com Berkeley Research Group LLC (BRG) 550 Hope Street, Suite 2150, Los Angeles CA Website: expert.com 3

4 Overview 1. Governmental/Regulatory Responses 2. Cyber Security Acacks 3. Defini7ons 4. Bank Technology and Cyber Security Program - Bank Technology - Informa7on Security 5. Enterprise Security Strategy 6. Incident Response Team 7. Incident Priori7za7on 8. Issues Going Forward 9. Ques7ons 4

5 Governmental Regulatory Responses v FBI Cyber Acacks Eclipsing Terrorism v State Regulators v Federal Reserve v OCC v FDIC v SEC v Included in examina7on process v Safety and soundness issue 5

6 Cyber Security Acacks Breaches and Data Loss Verizon publishes an annual Data Breach Security Report. Last year s report analyzed 621 confirmed data breaches. Some of the findings were: 69% of breaches were spoced by an external party 9% were spoced by customers Social tac7cs using , phone calls and social networks to gain informa7on on individuals are olen ignored, but contributed to 29% of acacks. 76% of network intrusions exploited weak or stolen creden7als. Strict policies are required to reduce this easily preventable risk. 6

7 Cyber Security Acack Map.ipviking.com 7

8 Defini/ons o Cyber Security Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or acack o Malware Malicious solware programs designed to damage or perform unwanted ac7ons against computers and computer systems o Hacking A person who secretly gets access to a computer system in order to get informa7on, cause damage, etc. : a person who hacks into a computer system o Data Loss Loss of informa7on through hacking, malware or physical stealing of electronic or paper informa7on 8

9 Cyber Security Program Elements of an effec.ve Cyber Security Program o Enterprise Risk Management Opera7onal Risk Corporate Governance o Expect to be acacked and have plans, policies and procedures that have been tested and kept up to date o Policies and Procedures o Plans and Audits o Have test plans for acack scenarios o Early warning and ini7al response ac7ons o Communica7ons plans o Penetra7on tests and security audits o Third Party Provider Audits o Cybersecurity Providers o Make rela7onships with FBI and Law Enforcement before an incident occurs 9

10 Bank Technology and Cyber Security Several factors have led to banks having an7quated technology; Sun- seong legacy systems Implemen7ng new technologies IT resource constraints / ROIs The problems created by these factors include; Inconsistent and unreliable data Data security, data privacy and Cyber Security risk Comprehensive management reports Audits (both internal and regulatory) Enterprise risk management IT risk among highest 10

11 Bank Technology Cyber Security Financial ins7tu7ons are top targets of Cyber Criminals; Acacks on banks make news when they happen and they are happening more frequently and with more sophis7ca7on The profile of an acack and the acackers has changed drama7cally and will con7nue to change Na7on State acacks Organized Crime acacks Newer versions of Malware More sophis7cated acack profiles Costs and reputa7onal risk is high for banks that get acacked Banks are in defensive modes and are struggling to stay up to speed with these changes 11

12 Informa/on Security Informa7on Security methods and processes of protec7ng informa7on q People, Processes and Technology are the components of Informa7on Security People - the biggest security risk because they don t take all the necessary steps to secure access to informa7on Processes banks fail to have proper processes in place for training, disaster recovery and data breaches Technology In many cases, banks do not keep their systems current and have IT resource constraints 12

13 Informa/on Security Best Prac/ces Best prac7ces for protec7ng informa7on exists include: PEOPLE Strong passwords, clean desks, destruc7on of un- needed documents and data, use of encryp7on technology, protec7on of mobile devices and on- going training PROCESSES Training programs for on- boarding employees and for annual cer7fica7ons. Processes for off- boarding employees and receiving back all company informa7on. Disaster recovery plans, Cybersecurity acack plans, IT refresh policies TECHNOLOGY Proper configura7ons of networks and computers, secure wireless networks and secure remote access, current an7- virus and an7spyware solware, upgrades to equipment and proper disposal of older technology 13

14 Enterprise Security Strategy Business Goals and Strategies Informa7on Risk Enterprise Opera/onal Risk Business Opera7ons Risk Legal and Regulatory Risk Regula/ons Threats Threat Strategy Governance and Risk Management Security Service Control Objec7ve Iden7ty and Access Management Security Service Control Objec7ve Enterprise Risk Management Threat Management Security Service Control Objec7ve Data Protec7on Management Security Service Control Objec7ve Secure Applica7on Development Security Service Control Objec7ve Business Con7nuity Security Service Control Objec7ve Physical Security Security Service Control Objec7ve Regulatory Compliance Security Service Control Objec7ve Control Framework 14

15 Incident Response Team Establish Contract With a Third Party Partner 15

16 Incident Priori/za/on Priority Based On: Health and Safety of Staff Confiden7ality, Privacy, and Integrity of Informa7on Business Impact Regulatory / Customer No7fica7on Resource Impact for Eradica7on and Recovery 16

17 Issues Going Forward IT S NOT IF OR WHEN, IT S WHERE Corporate Boards All business sectors Ask: Could this happen to us? Ask: Has this happened to us? Banks Technology Officers Need a strategic/holis7c solu7on Understand the poten7al threats Be proac7ve Future Con7nued evolu7on of acacks Checking the box does not equal security Long- term changes in payment system technology 17

18 QUESTIONS 18

19 DFS Cyber Security Ini/a/ve Presentation by Nicole Jacoby Special Counsel, Banking Division

20 DFS Cyber Security Overview Industry Outreach & Survey Results DFS- Specific Ini7a7ves Next Steps Enhanced IT Examina7ons

21 DFS Cyber Security Industry Survey & Findings Management of IT Systems Informa7on Security Framework Use of Security Technologies Penetra7on Tes7ng Budget & Costs Corporate Governance Incidents & Breaches Planning for the Future Con7nuing Challenges

22 DFS- Specific Ini7a7ves: DFS Cyber Security Anonymous Industry Benchmarking via DFS- hosted Webcast Industry Lecer re FS- ISAC Membership (hcp:// pdf) Report on Cyber Security in the Banking Sector (hcp:// pr140505_cyber_security.pdf)

23 Next Steps: Report on Insurance Industry Enhanced IT Examina7ons: Addi7onal focus in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery Holis7c view of an ins7tu7on s cyber readiness Tailored to reflect each ins7tu7on s unique risk profile

24 Regulatory Expectations for an Effective Cybersecurity Program IIB Annual Seminar on Risk Management and Regulatory Examination/Compliance Issues Alan Avery October 7, 2014 Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in the United Kingdom, France, Italy and Singapore and as affiliated partnerships conducting the practice in Hong Kong and Japan. The Law Office of Salman M. Al-Sudairi is Latham & Watkins associated office in the Kingdom of Saudi Arabia. In Qatar, Latham & Watkins LLP is licensed by the Qatar Financial Centre Authority. Copyright 2014 Latham & Watkins. All Rights Reserved.

25 Federal Regulatory Perspective Recent Initiatives Federal Financial Institutions Examination Council (FFIEC) Cybersecurity and Critical Infrastructure Working Group (CCWIG) Cybersecurity Web Page Cybersecurity Assessment Program SEC Risk Alert on Cybersecurity Preparedness (April 15, 2014) FINRA Cybersecurity Sweep Letter Announcement (January 2014)

26 FFIEC Recent Initiatives Cybersecurity and Critical Infrastructure Working Group (CCWIG) Formed June 2013 Coordinates with intelligence, law enforcement, Homeland Security, and industry officials Seeks to ensure member agencies (CFPB, FDIC, Federal Reserve, NCUA, OCC, State Liaison Committee) have accurate and timely threat information to assist institutions in protecting themselves and customers

27 FFIEC - Recent Initiatives Cybersecurity Web Page Launched June 2014 Central repository for FFIEC-related materials on cybersecurity

28 FFIEC Recent Initiatives Cybersecurity Assessment Program Announced June 2014 Current focus on community institutions Pilot program at 500 community institutions Conducted by state and federal agencies as part of regularly scheduled examinations Designed to give state and federal agencies the ability to assess institutions vulnerability to cyber threats and their preparedness to mitigate risks Key areas of focus: Risk management and oversight Threat intelligence and collaboration Cybersecurity controls Service provider and vendor risk management Cyber incident management and resilience

29 SEC Recent Initiatives Risk Alert on Cybersecurity Preparedness SEC s Office of Compliance Inspections and Examinations (OCIE) announced in a Risk Alert on April 15, 2014, that the SEC would be examining 50 registered broker-dealers and investment advisers to assess cybersecurity preparedness in the securities industry and to obtain information about the industry s recent experiences with certain types of cyber threats.

30 SEC Recent Initiatives As part of this risk assessment, OCIE will conduct examinations that will be focused on: the individual broker-dealer and/or investment adviser s cybersecurity governance; identification and assessment of cybersecurity risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; and detection of unauthorized activity and experiences with certain cybersecurity threats.

31 FINRA Recent Initiatives Cybersecurity Sweep Letters FINRA announced in January 2014, that it would be sending sweep letters to broker-dealers asking for information pertaining to their approaches to managing cybersecurity risks in order to assess such broker-dealers approaches to managing threats and protecting their IT systems. These cybersecurity sweep letters are intended to enable FINRA to: understand better the types of threats that firms face; increase its understanding of firms risk appetite, exposure and major areas of vulnerabilities to their IT systems; understand better firms approaches to managing these threats, including through risk assessment processes, IT protocols, application management practices and supervision; and share its observations and findings with firms, where appropriate.

32 FINRA Recent Initiatives The targeted sweep letters focus of the following areas: approaches to information technology risk assessment; business continuity plans in case of a cyber-attack; organizational structures and reporting lines; processes for sharing and obtaining information about cybersecurity threats; understanding of concerns and threats faced by the industry; assessment of the impact of cyber-attacks on the firm over the past 12 months; approaches to handling distributed denial of service attached; training programs; insurance coverage for cybersecurity-related events; and contractual arrangement with third-party service providers

33 Federal Legislation Current Status Cybersecurity Information and Sharing Act of 2014 (S. 2588) Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 624)

34 Thank You Alan W. Avery Partner, New York E: T: Although this seminar presentation may provide information concerning potential legal issues, it is not a substitute for legal advice from qualified counsel. The presentation is not created or designed to address the unique facts or circumstances that may arise in any specific instance, and you should not and are not authorized to rely on this content as a source of legal advice and this seminar material does not create any attorney-client relationship between you and Latham & Watkins.

35 Cybersecurity 2014: The State of Liitgation Presented by Stuart Levi Beijing Houston PaloAlto Tokyo Boston London Paris Toronto Brussels LosAngeles SãoPaulo Washington,D.C. Chicago Moscow Shanghai Wilmington Frankfurt Munich Singapore HongKong NewYork Sydney Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 35 Skadden, Arps, Slate, Meagher & Flom LLP

36 PRIVACY V. CYBERSECURITY Privacy Privacy policy compliance Big data mining Privacy regulations Internet of things Do not track Location data Global enforcement Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 36 Skadden, Arps, Slate, Meagher & Flom LLP

37 PRIVACY V. CYBERSECURITY Cybersecurity Data breaches Non-data cyber theft Denial of service attacks Compliance with security policies NIST guidelines Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 37 Skadden, Arps, Slate, Meagher & Flom LLP

38 PRIVACY V. CYBERSECURITY Government Spying Snowden revelations Access to records through public companies Government monitoring Global implications Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 38 Skadden, Arps, Slate, Meagher & Flom LLP

39 PRIVACY V. CYBERSECURITY Increased demands for privacy regulation Government spying PRIVACY Data Breaches CYBERSECURITY Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 39 Skadden, Arps, Slate, Meagher & Flom LLP

40 KEY LEGAL THREATS TODAY FTC enforcement activity Misleading consumers by promising industry-standard or robust security Inadequate security protection Shareholder litigation For any cybersecurity loss (not just data breaches)» Denial of service» Loss of intellectual property or confidential information Data breach class actions Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 40 Skadden, Arps, Slate, Meagher & Flom LLP

41 THE RESPONSE CLOCK HAS ACCELERATED HISTORICAL PRACTICE COMPANIES OFTEN DELAYED NOTICE UNTIL FULL FORENSIC ANALYSIS WAS DONE» Provided time to formulate a response and manage PR, communications and legal» Companies often hopeful that forensics analysis would reveal notice was not required» Sometimes delay was required by law enforcement, but this was the exception Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 41 Skadden, Arps, Slate, Meagher & Flom LLP

42 THE RESPONSE CLOCK HAS ACCELERATED Today, companies face a new and pressing reality: Privacy advocates/activists» Learning of breaches and threatening to go public if the company does not disclose» Generally unsympathetic to pleas that the company needs more time to formulate its response Insurance plans may require prompt notice Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 42 Skadden, Arps, Slate, Meagher & Flom LLP

43 THE RESPONSE CLOCK HAS ACCELERATED States starting to define an upper limit on delaying notice California AG Complaint Kaiser Foundation Health Plan» September 24, 2011 Learns an external hard drive with unencrypted personal information was purchased at a third store» December 11, 2011 Obtains hard drive» December 21, 2011 Completes first round of forensic testing» Mid-February 2012 Completes testing» March 19, 2012 Commences notification Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 43 Skadden, Arps, Slate, Meagher & Flom LLP

44 THE FTC AND PLAINTIFF LAWYERS NEED A HOOK The company failed to install or implement adequate security protections. Were there internal or consultant recommendations that were ignored? The company misled customers about the level of its security. The company s procedures or policies were lacking or not followed. Security policies Vendor policies C-suite and/or board was not adequately kept apprised of security procedures. The company took too long to provide notice of a data breach or to respond to an attack Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 44 Skadden, Arps, Slate, Meagher & Flom LLP

45 KEY TAKEAWAY The goal of every company today should be to eliminate as many of these hooks as possible Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 45 Skadden, Arps, Slate, Meagher & Flom LLP

46 STEPS EVERY COMPANY SHOULD BE TAKING TODAY Privacy audit and implementation Risk assessment Establish a rapid response team Testing Privacy by design Evaluate insurance coverage Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 46 Skadden, Arps, Slate, Meagher & Flom LLP

47 DATA SECURITY CLASS ACTIONS ARE ON THE RISE Plaintiffs lawyers are looking to cash in on the increase in data security breaches at retailers, banks and other institutions. Their tool of choice: large-scale class actions based around theories of alleged damage to consumers privacy. While few cases have been filed so far, the number will undoubtedly grow. Examples: In re Sony Gaming Networks & Customer Data Security Breach Litig., No. MDL , 2014 U.S. Dist. LEXIS 7353 (S.D. Cal. Jan. 21, 2014) Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009) Allison v. Aetna, Inc., 2010 U.S. Dist. LEXIS (E.D. Pa. Mar. 9, 2010) In re Barnes & Noble Pin Pad, 2013 U.S. Dist. LEXIS (N.D. Ill. Sept. 3, 2013) Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 47 Skadden, Arps, Slate, Meagher & Flom LLP

48 DATA SECURITY CLASS ACTIONS ARE ON THE RISE Most cases are brought under the same theories, usually including some combination of claims based on: Violation of state data breach notification laws» 47 states currently have such laws, which vary from state to state Violation of state consumer fraud statutes Negligence Negligent misrepresentation Breach of express and implied contract Breach of express and implied warranties Unjust enrichment Invasion of privacy These claims will usually be governed by the laws of each plaintiff s home state. Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 48 Skadden, Arps, Slate, Meagher & Flom LLP

49 DATA SECURITY CLASS ACTIONS ARE ON THE RISE There are ways to fight back against this new breed of class action. Typical defense arguments on motion to dismiss include: Plaintiffs lack standing Plaintiffs lack cognizable injury Plaintiffs have no private right of action Economic loss doctrine bars plaintiffs claims Consumer fraud claims fail under some states laws Remedial efforts by companies may moot some claims Defending against class certification Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 49 Skadden, Arps, Slate, Meagher & Flom LLP

50 DEFENSES TO DATA SECURITY CLASS ACTIONS Lack of standing For Article III standing, plaintiffs must suffer:» Injury in fact that is concrete and particularized and actual or imminent» Not merely conjectural or hypothetical Most plaintiffs allege damages for risk of future harm Courts disagree whether an increased risk of personal data being misused in the future is sufficient to constitute concrete and imminent injury necessary for Article III standing Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 50 Skadden, Arps, Slate, Meagher & Flom LLP

51 DEFENSES TO DATA SECURITY CLASS ACTIONS Lack of standing Some courts have held that an increased risk of personal data being misused in the future is not sufficient» Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009) (where no one could say if and/or when any confidential information may be fraudulently used, the likelihood of such an occurrence is speculative, and the time when any such occurrence would come to pass (if ever) is entirely uncertain )» Allison v. Aetna, Inc., 2010 U.S. Dist. LEXIS 22373, at *19-20 (E.D. Pa. Mar. 9, 2010) ( Plaintiff s alleged injury of an increased risk of identity theft is far too speculative ) Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 51 Skadden, Arps, Slate, Meagher & Flom LLP

52 DEFENSES TO DATA SECURITY CLASS ACTIONS Lack of standing There was hope that the U.S. Supreme Court s decision in Clapper v. Amnesty International, 133 S. Ct. 1138, 1147 (2013), would strengthen this argument for defendants But even after Clapper, courts are still divided:» In re Sony Gaming Networks & Customer Data Security Breach Litig., No. MDL , 2014 U.S. Dist. LEXIS 7353 (S.D. Cal. Jan. 21, 2014) ( Although Sony argues that Plaintiffs allegations are insufficient because none of the named Plaintiffs have alleged that their Personal Information was actually accessed by a third party, Clapper does not require such allegations )» In re Barnes & Noble Pin Pad, 2013 U.S. Dist. LEXIS , at *8 (N.D. Ill. Sept. 3, 2013) (under Clapper, [m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing because threatened injury must be certainly impending to constitute injury in fact, and... [a]llegations of possible future injury are not sufficient ) (quoting Clapper, 133 S. Ct. at 1147) Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 52 Skadden, Arps, Slate, Meagher & Flom LLP

53 DEFENSES TO DATA SECURITY CLASS ACTIONS The economic loss doctrine bars many tort claims Prohibits recovery of purely economic losses in tort absent personal injury or property damage» Not all states have accepted the doctrine Plaintiffs in data security cases will only allege economic losses, if they assert any damages at all» Includes credit monitoring fees, payment of fraudulent charges (that are reimbursed later by the financial institution) or lowered credit score These claims are barred by the doctrine» See, e.g., In re Sony Gaming Networks & Customer Data Security Breach Litig., No. MDL , 2014 U.S. Dist. LEXIS 7353 (S.D. Cal. Jan. 21, 2014) (granting motion to dismiss negligence claims based on economic loss doctrine without leave to amend) Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 53 Skadden, Arps, Slate, Meagher & Flom LLP

54 DEFENSES TO DATA SECURITY CLASS ACTIONS No private right of action under state data breach statutes 47 states have adopted such statutes Most do not provide a private right of action» Example: Amburgy, 671 F. Supp. 2d at 1056 ( [T]he Missouri Attorney General has exclusive authority in bringing claims against data handlers for violation of Missouri s data breach notification law, Mo. Rev. Stat ) But some state statutes do allow private suits» Cal. Civ. Code (b) ( Any customer injured by a violation of this title may institute a civil action to recover damages )» N.H. Rev. Stat. 359-C:21(I) ( Any person injured by any violation under this subdivision may bring an action for damages )» Va. Code Ann (I) ( Nothing in this section shall limit an individual from recovering direct economic damages from a violation of this section ) Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 54 Skadden, Arps, Slate, Meagher & Flom LLP

55 SETTLEMENTS HAVE BEEN MODEST TJ Maxx data breach class settlement was touted as a $41 million settlement» In reality, far fewer class members participated than expected (approximately 3% of eligible individuals)» Total claims were approximately $6.1 million» Plaintiffs attorneys received $6.5 million in fees Curry v. AvMed, Inc., No. 10-CV JLLK (S.D. Fla. Feb. 28, 2014)» Settlement fund is $3 million» If no identity theft, maximum recovery is $30» AvMed will pay actual damages to class members who suffered identity theft (up to $250,000 total) Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 55 Skadden, Arps, Slate, Meagher & Flom LLP

56 SETTLEMENTS HAVE BEEN MODEST In re Countrywide Fin. Corp. Customer Data Sec. Breach Litig., MDL 1998, 2009 WL (W.D. Ky. Dec. 22, 2009)» Settlement included a reimbursement component for class members who suffered identify theft, up to $50,000 per class member, capped at $1m» Also included an offer of free credit monitoring» Company also paid $3.5 million in attorneys fees In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., 851 F. Supp. 2d 1040 (S.D. Tex. 2012)» Settlement provided between $1 million and $2.4 million in benefits to class members» Only 11 valid claims; bulk of the $1 million that the company committed to pay went to cy pres» $600,000 in attorneys fees Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 56 Skadden, Arps, Slate, Meagher & Flom LLP

57 Skadden, Arps, Slate, Meagher & Flom LLP & Affiliates Cyberattacks 2014 How to Prepare Today and Respond Tomorrow 57 Skadden, Arps, Slate, Meagher & Flom LLP