Cybercrime: risks, penalties and prevention

Transcription

1 Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn, Lockheed Martin, Barclays and Citigroup. On 3 October 2013, Adobe creators of Acrobat and Photoshop software), disclosed that it had been the victim of cybercrime. It was reported that 38 million users were affected and that the attackers obtained source codes and credit card information. This article gives an overview of current cybercrime victims and losses. We then give suggestions on how to prevent cyber attacks and mitigate against potential losses. What is cybercrime? Cybercrime encompasses a wide range of activities, including: hacking phishing denial of service (DoS) attacks creating and distributing malware unauthorised data access corruption or deletion of data interception of data. There are a wide range of cyber criminals with differing motivations, such as: organised criminal groups with financial aims companies trying to steal intellectual property or commit corporate espionage state-sponsored hacking networks intent on espionage or political aims hacktivists with political aims Page 1 of 5

2 individuals and small groups with financial aims or to prove they can rogue private investigators seeking information, evidence or news stories. Groups of hackers can easily work together across multiple countries and they do not need to be in the same location as their target. Hackers can also co-ordinate their attacks. In December 2012 a denial of service (DoS) attack was launched on San Francisco-based Bank of the West to distract IT security from account takeovers and theft of funds. Who are the victims of cybercrime? Anyone or any organisation can be affected by cybercrime. Cyber attack victims can be: companies (large and small) high-profile individuals government bodies general members of the public. Some attacks are cast as a wide net (e.g. malware left on public websites) and others are specifically targeted. Cybercriminals can target their attacks at servers, websites, computers, mobile devices and tablets, as well as information stored in the cloud. Even non-digital operations can be at risk; industrial control systems have been targeted in the past (e.g. by the Stuxnet computer worm). What are the potential losses from cybercrime? Cybercrime losses vary depending on the nature of the target and attack. A report commissioned by the Cabinet Office in 2011 estimated that the UK loses 27 billion per annum to cybercrime, of which 21 billion is lost by UK businesses. One particularly serious risk is the theft of consumer information. The Edelman Privacy Risk Index found that 71 per cent of customers would leave an organisation after a data breach. Some other examples of losses from cybercrime include: financial loss from hacked bank accounts, identity fraud, cyber extortion and blackmail (e.g. threatening to disclose stolen data, delete data on the owner s system, or attack a network unless a payment is made) Page 2 of 5

3 financial loss from business disruption or interruption penalties imposed by regulators theft of intellectual property such as confidential designs and schematics which enables pirated copies to be produced damage to reputation of an individual, business or brand costs of re-securing, digitally cleaning (to remove viruses and malware), and re-establishing secure networks loss of key data which can cripple a business (e.g. deletion of a customer database) identity theft loss of personal data (e.g. from databases and records of government bodies). What are the potential responses from regulators? Regulators can impose hefty fines on companies who lose or inadequately protect consumer information. For example, following the theft of personal data from Sony in 2011, the Information Commissioner's Office (ICO) fined Sony 250,000 for having inadequate cybersecurity. New EU legislation, due to come into force in the UK in 2016, will mandate disclosure of lost or stolen consumer data and could impose fines of up to 2 per cent of a company s worldwide turnover. For example, if Sony, who had worldwide turnover of approximately US $72 billion for the fiscal year ended 31 March 2013, had been penalised under the new EU regime, it could have been fined up to US $1.5 billion. What redress is available after a cyber attack? In addition to traditional criminal legislation against theft and fraud, which can apply to cybercrime, legislation specifically targeted at cybercrime includes: The Computer Misuse Act 1990 The Data Protection Act 1998 The Communications Act Page 3 of 5

4 Offences under these acts can result in fines or imprisonment for up to 10 years. There are also sections related to cybercrime in the Regulatory and Investigatory Powers Act 2000 and the Terrorism Act Law enforcement agencies who deal with cyber attacks include: e-crime divisions of local police the National Crime Agency GCHQ/the intelligence services (depending on the nature of the offence). Issues of jurisdiction had traditionally posed significant obstacles to investigating and prosecuting cybercrime, although the UK s ratification of the Budapest Convention on Cybercrime in 2011 should make it easier to pursue cyber criminals in future. Under UK law, prosecutions can be sought in the UK under the Computer Misuse Act 1990 where the individual is within the UK at the time of the commission of the offence, or occasionally where the data or device accessed was within the UK. Similarly, prosecutions can be sought under the Communications Act 2003 where there is a significant connection to the UK such as the presence of the cybercriminal or the target. Civil remedies are also available. Remedies can include actions for damages, injunctions, third party disclosure orders, and breach of confidence. Business liability for cybercrime? During the 2011 UK phone hacking scandals, press organisations were revealed to have hired private investigators to carry out allegedly illegal inquiries and phone hacking. The phone hacking scandal demonstrated that businesses can be held vicariously liable for cybercrimes committed by their employees or agents. In addition to monitoring their own networks and performing background checks on their employees, businesses should also ensure that they work with reputable contractors when sourcing services where cybercrime might be a tempting way to achieve results (e.g. private investigators). Such precautions are also advisable to reduce the risk of an inside job, as even the best firewalls and anti-virus programs are usually ineffective against an individual who has access to the network. Page 4 of 5

5 How can cyber attacks be prevented and losses mitigated? Many existing insurance policies do not protect against cybercrime losses. Specific cybercrime insurance is currently offered by only a limited number of insurers. This is expected to change as both insurers and customers develop a better understanding of cyber risks. Cyber insurance policies should become more widely available and better tailored to provide appropriate cover. Companies should also take steps to improve and test their systems. Data back-ups and clear business continuity plans are crucial. Businesses can also check their systems through penetration testing. This involves white hat hackers (i.e. legitimate IT hacking consultants) testing a system s vulnerabilities, by attempting to break into it, so that weak spots can be identified and repaired. Some industries and governments even conduct cyber war games. Waking Shark II on 12 November 2013 was a war game conducted by government officials and staff from London banks and financial institutions. It involved a series of announcements and scenarios, such as how a major attack on computer systems might hit stock exchanges and unfold on social media. The importance of updates Cybercrime and cyber insurance are going through a period of change and maturity. Risk managers are increasingly aware of the issues and seeking appropriate coverage. Insurers are working on developing their understanding of the risks and advising their insureds on how to prevent attacks and mitigate fall-out. High-profile cases will continue to hit the headlines and generate significant losses. Businesses and insurers must ensure that they keep abreast of recent developments and new vulnerabilities so that they can guard against such risks, keep their networks up-to-date with relevant patches and be prepared for when cyber events occur. For more information, please contact John Farrell [email protected] or Stephen O Dea s.o [email protected] Kennedys is a trading name of Kennedys Law LLP. Kennedys Law LLP is a limited liability partnership registered in England and Wales (with registered number OC353214). Page 5 of 5