PCL2\ \1 CYBER RISKS: RISK MANAGEMENT STRATEGIES

Transcription

1 PCL2\ \1 CYBER RISKS: RISK MANAGEMENT STRATEGIES

2 Cyber Attacks: How prepared are you? With barely a day passing without a reported breach of corporate information security, the threat to financial services organisations is all too real: a well-targeted cyber attack, together with an increased risk of regulatory action, has the potential to endanger an organisation's existence. The gravity of the risks associated with a cyber attack or data breach from another source has meant that these issues are increasingly - and rightly - becoming the domain of the board room. Edwards Wildman recently hosted a seminar in London with BAE Systems Detica and Lockton, which focussed on the increased business threat presented by cyber attacks and weaknesses in information security. The seminar, which brought together practitioners, consultants and experts from across the financial services sector, considered the various approaches to effective cyber risk management for banks and insurance organisations regulated by both the Financial Services Authority (FSA) and the Information Commissioner's Office (ICO). Managing the threat In June 2012, Jonathan Evans, the Director General of the UK Security Services, stated at the Lord Mayor's Annual Defence and Security Lecture that businesses must consider cyber risks as party of their annual corporate governance. This was in light of a recent incident involving a London listed company, with whom MI5 had worked, which had resulted in an estimated revenue loss of some 800 million as a result of a hostile cyber attack. The panelists at the seminar emphasised that threats range in motivation and resources. Actors who are more visible include 'script kiddies' and 'hacktivists', whose intent could be for the thrill of carrying out the attack, or to seek press exposure and cause reputational damage to a particular organisation.. The less visible actors include criminals, industrial spies and state-sponsored attackers and their motivations are usually more targeted with the aim of staying hidden such as carrying out attacks for financial "Businesses are facing significant cyber risks as a result of our increasing dependence on information technology. It is vital that organisations take a more holistic, business-led approach to assessing and managing this risk - by protecting the highest value information assets, implementing effective monitoring to identify potential issues and having a tried-andtested plan to respond in the event of a significant incident." gain or political advantage. Digital crime is on the increase and Mark Fishleigh, Director 80% is now organised crime 1. Offline criminals are increasingly being linked to online criminals there is clearly a movement of long established organised crime working its way into the digital space, which has opened up a whole new landscape that is constantly evolving and growing. This new landscape of cyber threats includes the growth of traditional 'cyber attacks' such as usage of commercial malware and website hacking, as well as the emergence of new risks, such as the increase in data security risks posed by the rise in cloud computing, data sharing, the personalisation of services and mobile workforces. At the heart of cyber risk management strategies sits information security. Organisations, particularly those active in the financial services sector, are recommended to consider the following: Confidentiality of data: make information accessible only to persons or systems with appropriate authority; 1 Detica Commissioned Study from Centre for Policing and Security at LMU

3 Integrity of data: safeguard the accuracy and completeness of information and its processing; Limit Availability of data: limit access to confidential information to those persons or systems that are required to have access for their job function, and allow access only when their identity is verified; and Non-repudiation and accountability of data: the persons or systems that process the information need to take ownership and be held accountable for their actions and inactions. Understanding the exposure For every organisation, arguably the main exposure as a victim of a cyber attack is that the information finds its way into the public domain. A recent study carried out by Ponemon Institute LLC showed that the cost of data breaches continues to rise 2 and in the United Kingdom, the average organisational cost per data breach is estimated at around 1.75 million. A BAE Systems Detica study for the Cabinet Office has projected the cost of cyber crime to the country at 27 billion 1.8% of GDP 3. Although some queries may be raised about the bases for these estimates, there is undoubtedly an exposure for Corporate UK and managing this is difficult. Typically, cyber attacks generally cause a variety of losses, including direct costs of forensics and breach response, civil liability, regulatory liability, reputation management, business disruption and indirect losses such as damage to reputation and loss of customer confidence and business. Businesses can try and mitigate at least the direct costs by negotiating contracts that include effective risk allocation. However, in practice this is not usually a straightforward process cloud providers, for instance, typically refuse to assume responsibility for damages arising out of a data loss or breach, even in circumstances where the cloud provider is at fault. Finally, issues arise in respect of identifying the applicable law, the recoverability of losses and the enforcement of judgments, especially in circumstances where multiple jurisdictions are involved. This can lead to uncertainty about which country has the right to enforce and impose fines. In the United Kingdom, the FSA and ICO have powers to impose regulatory fines. The FSA has taken an extremely strict approach when dealing with weaknesses in information security, in circumstances where there has been a breach of Principle 3 of the FSA Handbook requiring an organisation to take reasonable care to organise and control its affairs responsibly and effectively. The FSA imposed one of the largest fines on a financial institution for a total of 3 million for loss of unencrypted data sent to third parties and found that HSBC had inadequate training and ineffective systems and controls to deal with data security. Typically, the ICO imposes fines of up to 500,000, with the highest fine so far being 325,000 against two NHS trusts for stolen hard drives that were sold on ebay in There has been much commentary that these fines are not high enough, and certainly fines against private companies have been dwarfed by those in respect of public sector breaches. This is likely to change shortly, as the EU data protection regime is about to be overhauled due to the proposed General Data Protection Regulation, which will take effect two years after it is adopted by the European Parliament. Under the proposed new regime, national data protection authorities will be allowed to impose fines of up to 2% of the worldwide gross revenue of an organisation, which could have crippling effects on organisations

4 Risk Management: Proactive management of risks The most effective way to deal with cyber risks and exposures is to proactively manage them. This can be simplified to a 5-stage process: Stage 1: Assess the information and risk Stage 2: Review the requirements Stage 3: Assemble the team Stage 4: Develop the procedures Stage 5: Implement Stage 1: Assess the information and risk: The process of identifying and managing cyber risk should be part of every organisation's business practice. It is therefore be important for organisations to undertake an audit of the information on their systems and their information security risks in order to understand the nature of the information at risk. Stage 2: Review the requirements: There are a number of legal and regulatory requirements that apply to financial services organisations. Some of these regulatory requirements impact all organisations, such as data protection and privacy laws. However, there are also sector specific regulations that apply to regulated financial services organisations. On a European level, both Basel III and Solvency II will impose significant additional regulatory burdens on organisations operating in the financial services sector.

5 Data Protection and Privacy Requirements: Data protection and privacy in the United Kingdom is governed by the Data Protection Act 1998 and the Privacy in Electronic Communications (E- Commerce Directive) Regulations This regime is set to change as Europe prepares to implement the proposed General Data Protection Regulation. That will add to the following key requirements for organisations when dealing with personal data: Requirements around transparency; Requirements around the justification for processing; Requirements around data quality; Requirements for individual rights; Security requirements; Requirements around the international transfer of data; and Requirements around data breach notification. Although the draft General Data Protection Regulation is not yet final, one of the proposals is that all organisations will have 24 hours 'where feasible' to notify their data protection authority of a data breach. There are similar obligations to notify the individuals whose data has been lost. This obligation, if not managed effectively, could seriously impact the reputation of financial services organisations suffering a data breach and substantial costs for required notifications. "The legal and regulatory framework consists of general data protection and information security requirements together with sector specific requirements. The aim for financial services organisations is to put in place best practice that seeks to achieve compliance with all relevant requirements, yet at the same time recognising that 100% compliance will be impossible." Richard Graham, Partner Financial Services Requirements: For financial services organisations in the United Kingdom, the Financial Services and Markets Act 2000 provides a framework to deal with information security and grants specific powers to the FSA. The FSA's Principles for Businesses impose certain overriding requirements on regulated organisations, including Principle 2 that requires an organisation to 'conduct its business with due skill, care and diligence' and Principle 3 that requires an organisation to 'take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems'. In addition, the Senior Management Arrangements, Systems and Controls (SYSC) provides specific operational and contractual requirements for financial services organisations proactively managing information security risk, including in respect of outsourcing arrangements (see SYSC 8 and SYSC 13) and significant failures in an organisation's systems and controls. Stage 3: Assemble the team: Once an organisation has assessed the information risk and the applicable legal and regulatory framework, it can then take a step towards assembling a team, which would typically include internal stakeholders, external legal advisers, IT and forensics. It is important at this stage that senior stakeholders are involved. Stage 4: Develop the procedures: As part of the pro-active risk management planning, an incident response plan should be developed. It will always be important for organisations to implement relevant procedures that adequately deal with risk avoidance and mitigation. Once the risks have been identified, it is an attractive proposition for organisations to seek to transfer at least some of their potential losses through cyber insurance. Even though an organisation may be compliant with the relevant legal and regulatory regimes, this does not automatically ensure security of the data, and cyber insurance can help bear the burden of some of the costs associated with a

6 data breach. Within the cyber insurance marketplace, there appears to be little uniformity among the terms of the policies available in the marketplace. In broad terms there are two main approaches to cyber insurance: Reimbursement policies which allow the insured to hire their own choice of consultants and vendors to respond to a data breach, such as legal, forensic and crisis management consultants (with consent from the insurer); and Policies requiring use of pre-approved vendors or that require that the vendors be appointed and paid directly by the insurer. For any organisation though, reimbursement of costs is probably the biggest financial risk of a cyber attack. Typically, organisations can seek insurance coverage for network security liability, media liability, privacy liability, breach response costs and extortion payments. However, the insurability of fines remains an uncertain issue, and indirect business losses are generally not subject to insurance. First party cyber coverage (coverage for an insured s own direct losses, as opposed to coverage for third party claims asserted against the insured) that is available includes breach response costs, cyberextortion and certain network failure expenses. Vendor relationships and indemnity provisions can raise interesting insurance coverage issues. For instance, where an organisation is dependent on a cloud provider that is hosting its data, and the cloud provider services or security fails, what and whose insurance would respond? Can an organisation seek insurance coverage for the risk of failure of cloud provider and its own resultant business losses? It remains to be seen how the insurance sector will deal with this problem. "Despite efforts to mitigate customer or employee data breaches or privacy violations through strong IT security and improved corporate governance the balance sheet will always be faced with a residual risk. It is this residual risk which specialist insurers in London and the US have started to address." Ben Beeson, Partner Stage 5: Implement: The final stage of any proactive risk management strategy is to implement the plan and repeat the process. Lessons will be learned at each stage and it is important that these are fed back into the process, and the process reviewed repeatedly in light of new information. Putting in place appropriate procedures to monitor cyber risks, and necessary detection and response tools, should help manage the risk if there is a data breach or cyber attack.

7 Risk Management: Reactive management of risks If and when an incident occurs, it will be important to execute a tested data breach response plan. This can be simplified to a 5-stage process: Stage 1: Assemble the response team Stage 2: Assess the issue Stage 3: Contain and remedy Stage 4: Notify Stage 5: Review Stage 1: Assemble the response team: After procedures for identifying and managing cyber risks have been implemented, the real test for organisations is what happens when an incident occurs. Organisations should put in place, before any incident takes place, a team with clear roles and responsibilities allocated internally, and external advisers, including forensic and legal consultants, to coordinate in responding to an incident and mitigate the potential damages. If an organisation has insurance that may apply to a data breach or other cyber incident, then identification of the broker to contact to provide notice to the relevant insurer is part of the planning process. Stage 2: Assess the issue: Organisations should avoid a 'knee jerk' reaction, which can sometimes lead to detrimental consequences and additional costs that defeat the effort and planning that went into implementing planning procedures. The most effective reactive risk management is to ensure that the response is as systematic and sequential as possible, with time for thoughtful analysis of the technical issues and legal requirements involved. Unless the nature and extent of the breach is understood, and the information involved identified, effective containment, required response and remedial action will be particularly hard to achieve.

8 Stage 3: Contain and remedy: Once the response team is assembled and the nature of the breach or other cyber incident understood, the next step is generally to systematically contain and remedy the situation as far as possible. Some key tips for reactive risk management are to consider the question of timing of any response or notification, and tactical use of external lawyers to assist in the response and preserve available privileges associated with the investigation of the situation. Expect the unexpected. At a time where tensions are high and resources are stretched, following the organisation's incident response plan and avoiding impulsive decisions could be the difference between managing the incident successfully or exposing the business to undue commercial and financial risks. Stage 4: Notify: Once the extent of the breach is identified, the next step is to consider notification to comply with regulatory notification requirements, as well as for public relations purposes. Stage 5: Review: Once the incident has been dealt with, the organisation can improve its response plan by reviewing how its process responded to the incident, react to additional enquiries and adapt its plans for future incidents. "Effective breach management requires a balancing exercise between implementing a structured response plan and reacting to ever changing commercial demands, at all times executed with the support and energy of central management." Mark Deem, Partner Richard Graham Partner Mark Deem Partner This publication is for guidance only and is not intended to be a substitute for specific legal advice. If you would like further information, please contact the Edwards Wildman Palmer LLP lawyer responsible for your matters or one of the lawyers listed below: Richard Graham, Partner +44 (0) rgraham@edwardswildman.com Mark Deem, Partner +44 (0) mdeem@edwardswildman.com