Cyber-security: legal implications for financial institutions. IAPP Europe Data Protection Intensive 2013

Transcription

1 Cyber-security: legal implications for financial institutions IAPP Europe Data Protection Intensive 2013

2 Vivienne Artz Managing Director and General Counsel, Citi Cyber threat landscape Kris McConkey Director, Cyber Threat Detection & Response, PwC Legal risks faced by financial institutions and the evolving regulatory frameworks in the EU and US Nigel Parker Senior Associate, Allen & Overy

3 April 2013 Vivienne Artz Managing Director and General Counsel, Citi

4 Cyber-security fiction to fact Examples of cyber-security attacks Financial services perspective Cyber-security in the broader risk landscape 1

5 Cyber-security in the commercial context From fiction 2

6 New York Blackout (2003) suggested cause a cyber-attack on power grid infrastructure To fact 3

7 Cyber-security in the commercial context A teenage boy who hacked into a Polish tram system used it like "a giant train set", causing chaos and derailing four vehicles Stuxnet attack on Iran s uranium enrichment centrifuges 4 Sony - data on 77 million global gamers compromised Evernote 50m user passwords compromised

8 Network Intrusions Lin Mun Poo 32-year-old Malaysian National Intrusion Federal Reserve Bank, Cleveland Intrusion into DOD Contractor UC Operation lures Poo to U.S. Arrested in NYC with 400,000 Credit Card Numbers on laptop Forensic Analysis revealed hacks into U.S. Government and Banking Sector Systems 5

9 Attacks on High Net Worth Clients 6 Igor Klopov 24-year-old Russian National Expert in mining the internet Brokerage & Home Equity Line of Credit (HELOC) compromises Targeted Wealthy American Businessmen Recruited U.S. Based Accomplices Actual Loss $15 MM

10 Hacktivists Hacktivists Anonymous 7

11 On the outskirts of Shanghai, in a run-down neighbourhood dominated by a 12-story white office tower, sits a People s Liberation Army base for China s growing corps of cyberwarriors. (New York Times, February 2013) NY Times article reported on the release by Mandiant of a report which concluded that nearly 150 sophisticated hacking attempts against American corporations and government agencies over the past decade almost certainly originated from this single Shanghai office building controlled by People's Liberation Army) 8

12 Distributed Denial of Service Attacks In 2012 a number of US financial institutions were subjected to distributed denial of service attacks, intended to disrupt online banking services 9

13 Distributed Denial of Service Attacks (DDoS) Since early September 2012, the Financial Service sector has been the target of an escalating series of DDoS Attacks. 10

14 Citi (10-K): Citi s Operational Systems and Networks Have Been, and Will Continue to Be, Subject to an Increasing Risk of Continually Evolving Cybersecurity or Other Technological Risks, Which Could Result in the Disclosure of Confidential Client or Customer Information, Damage to Citi s Reputation, Additional Costs to Citi, Regulatory Penalties and Financial Losses. Although Citi devotes significant resources to maintain and regularly upgrade its systems and networks with measures such as intrusion and detection prevention systems and monitoring firewalls to safeguard critical business applications, there is no guarantee that these measures or any other measures can provide absolute security. 11

15 Bank of America (10-K): A failure in or breach of our operational or security systems or infrastructure, or those of third parties with which we do business, including as a result of cyber attacks, could disrupt our businesses, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses. Although to date we have not experienced any material losses relating to cyber attacks or other information security breaches, there can be no assurance that we will not suffer such losses in the future. Our risk and exposure to these matters remains heightened because of, among other things, the evolving nature of these threats, our prominent size and scale and our role in the financial services industry, our plans to continue to implement our Internet banking and mobile banking channel strategies and develop additional remote connectivity solutions to serve our customers when and how they want to be served, our expanded geographic footprint and international presence, the outsourcing of some of our business operations, the continued uncertain global economic environment, threats of cyberterrorism, and system and customer account conversions. 12

16 JP Morgan (10-K) JPMorgan Chase and other financial services institutions and companies engaged in data processing have reported breaches in the security of their websites or other systems, some of which have involved sophisticated and targeted attacks intended to obtain unauthorized access to confidential information, destroy data, disable or degrade service, or sabotage systems, often through the introduction of computer viruses or malware, cyberattacks and other means. The Firm and several other U.S. financial institutions have also experienced several significant distributed denial-of-service attacks from technically sophisticated and well-resourced third parties which were intended to disrupt consumer online banking services. 13

17 Importance of cyber-technology is increasing: In the private sector, banks have led defence against attacks; because they have been a primary target Threat landscape is rapidly evolving with regard to perpetrators, their motivations and capabilities Privacy/data-related risks include: Loss or destruction of data Unauthorised access to data Unauthorised alteration of data Unauthorised use of data Account takeovers 14

18 1 Financial crime criminal, often highly organised and well-funded, using technology to steal money or other assets 2 Corporate espionage e.g. theft of trade secrets, other IP 3 Government driven states attacking private sector organisations and especially the critical national infrastructure 4 Terrorism terrorist groups against attacking either state or private assets 5 Hacktivism attacks are undertaken by proponents of an idealistic cause 15

19 Impact Water supply crisis Chronic fiscal imbalance Severe income disparity Rising greenhouse gas emissions Cyber attacks Source: Global Risks 2012 World Economic Forum Likelihood 16