PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES




Cyber Attacks: How prepared are you?

With barely a day passing without a reported breach of corporate information security, the threat to financial services organisations is all too real: a well-targeted cyber attack, together with an increased risk of regulatory action, has the potential to endanger an organisation's existence. The gravity of the risks associated with a cyber attack, or with a data breach from another source, has meant that these issues are increasingly - and rightly - becoming the domain of the board room.

Edwards Wildman recently hosted a seminar in London with BAE Systems Detica and Lockton, which focussed on the increased business threat presented by cyber attacks and weaknesses in information security. The seminar, which brought together practitioners, consultants and experts from across the financial services sector, considered the various approaches to effective cyber risk management for banks and insurance organisations regulated by both the Financial Services Authority (FSA) and the Information Commissioner's Office (ICO).

Managing the threat

In June 2012, Jonathan Evans, the Director General of the UK Security Services, stated at the Lord Mayor's Annual Defence and Security Lecture that businesses must consider cyber risks as part of their annual corporate governance. This was in light of a recent incident involving a London listed company, with whom MI5 had worked, which had resulted in an estimated revenue loss of some 800 million as a result of a hostile cyber attack.

The panelists at the seminar emphasised that threats range in motivation and resources. The more visible actors include 'script kiddies' and 'hacktivists', whose intent may be the thrill of carrying out the attack, or to seek press exposure and cause reputational damage to a particular organisation. The less visible actors include criminals, industrial spies and state-sponsored attackers; their motivations are usually more targeted, with the aim of staying hidden, such as carrying out attacks for financial gain or political advantage.

"Businesses are facing significant cyber risks as a result of our increasing dependence on information technology. It is vital that organisations take a more holistic, business-led approach to assessing and managing this risk - by protecting the highest value information assets, implementing effective monitoring to identify potential issues and having a tried-and-tested plan to respond in the event of a significant incident." Mark Fishleigh, Director

Digital crime is on the increase and 80% is now organised crime [1]. Offline criminals are increasingly being linked to online criminals: there is clearly a movement of long established organised crime working its way into the digital space, which has opened up a whole new landscape that is constantly evolving and growing. This new landscape of cyber threats includes the growth of traditional 'cyber attacks', such as the use of commercial malware and website hacking, as well as the emergence of new risks, such as the increase in data security risks posed by the rise in cloud computing, data sharing, the personalisation of services and mobile workforces.

[1] Detica Commissioned Study from Centre for Policing and Security at LMU

At the heart of cyber risk management strategies sits information security. Organisations, particularly those active in the financial services sector, are recommended to consider the following:

- Confidentiality of data: make information accessible only to persons or systems with appropriate authority;
- Integrity of data: safeguard the accuracy and completeness of information and its processing;
- Limit availability of data: limit access to confidential information to those persons or systems that are required to have access for their job function, and allow access only when their identity is verified; and
- Non-repudiation and accountability of data: the persons or systems that process the information need to take ownership and be held accountable for their actions and inactions.

Understanding the exposure

For every organisation, arguably the main exposure as a victim of a cyber attack is that the information finds its way into the public domain. A recent study carried out by Ponemon Institute LLC showed that the cost of data breaches continues to rise [2], and in the United Kingdom the average organisational cost per data breach is estimated at around 1.75 million. A BAE Systems Detica study for the Cabinet Office has projected the cost of cyber crime to the country at 27 billion, or 1.8% of GDP [3]. Although some queries may be raised about the bases for these estimates, there is undoubtedly an exposure for Corporate UK, and managing it is difficult.

Cyber attacks generally cause a variety of losses, including direct costs of forensics and breach response, civil liability, regulatory liability, reputation management and business disruption, and indirect losses such as damage to reputation and loss of customer confidence and business. Businesses can try to mitigate at least the direct costs by negotiating contracts that include effective risk allocation. In practice, however, this is not usually a straightforward process: cloud providers, for instance, typically refuse to assume responsibility for damages arising out of a data loss or breach, even in circumstances where the cloud provider is at fault.

Finally, issues arise in respect of identifying the applicable law, the recoverability of losses and the enforcement of judgments, especially where multiple jurisdictions are involved. This can lead to uncertainty about which country has the right to enforce and impose fines.

In the United Kingdom, the FSA and ICO have powers to impose regulatory fines. The FSA has taken an extremely strict approach when dealing with weaknesses in information security where there has been a breach of Principle 3 of the FSA Handbook, which requires an organisation to take reasonable care to organise and control its affairs responsibly and effectively. The FSA imposed one of the largest fines on a financial institution, a total of 3 million, for the loss of unencrypted data sent to third parties, and found that HSBC had inadequate training and ineffective systems and controls to deal with data security. Typically, the ICO imposes fines of up to 500,000, with the highest fine so far being 325,000 against two NHS trusts for stolen hard drives that were sold on eBay in 2011. There has been much commentary that these fines are not high enough, and certainly fines against private companies have been dwarfed by those in respect of public sector breaches. This is likely to change shortly, as the EU data protection regime is about to be overhauled by the proposed General Data Protection Regulation, which will take effect two years after it is adopted by the European Parliament. Under the proposed new regime, national data protection authorities will be allowed to impose fines of up to 2% of the worldwide gross revenue of an organisation, which could have crippling effects on organisations.

[2] http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf
[3] http://www.baesystems.com/cs/groups/public/documents/document/mdaw/mdm5/~edisp/baes_020885.pdf

Risk Management: Proactive management of risks

The most effective way to deal with cyber risks and exposures is to manage them proactively. This can be simplified to a 5-stage process:

Stage 1: Assess the information and risk
Stage 2: Review the requirements
Stage 3: Assemble the team
Stage 4: Develop the procedures
Stage 5: Implement

Stage 1: Assess the information and risk

The process of identifying and managing cyber risk should be part of every organisation's business practice. It is therefore important for organisations to undertake an audit of the information on their systems and of their information security risks, in order to understand the nature of the information at risk.

Stage 2: Review the requirements

There are a number of legal and regulatory requirements that apply to financial services organisations. Some of these requirements, such as data protection and privacy laws, impact all organisations. However, there are also sector-specific regulations that apply to regulated financial services organisations. At a European level, both Basel III and Solvency II will impose significant additional regulatory burdens on organisations operating in the financial services sector.

Data Protection and Privacy Requirements

Data protection and privacy in the United Kingdom is governed by the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. This regime is set to change as Europe prepares to implement the proposed General Data Protection Regulation, which will add to the following key requirements for organisations when dealing with personal data:

- requirements around transparency;
- requirements around the justification for processing;
- requirements around data quality;
- requirements for individual rights;
- security requirements;
- requirements around the international transfer of data; and
- requirements around data breach notification.

Although the draft General Data Protection Regulation is not yet final, one of the proposals is that all organisations will have 24 hours, 'where feasible', to notify their data protection authority of a data breach. There are similar obligations to notify the individuals whose data has been lost. This obligation, if not managed effectively, could seriously damage the reputation of financial services organisations suffering a data breach and impose substantial costs for the required notifications.

"The legal and regulatory framework consists of general data protection and information security requirements together with sector specific requirements. The aim for financial services organisations is to put in place best practice that seeks to achieve compliance with all relevant requirements, yet at the same time recognising that 100% compliance will be impossible." Richard Graham, Partner

Financial Services Requirements

For financial services organisations in the United Kingdom, the Financial Services and Markets Act 2000 provides a framework to deal with information security and grants specific powers to the FSA. The FSA's Principles for Businesses impose certain overriding requirements on regulated organisations, including Principle 2, which requires an organisation to 'conduct its business with due skill, care and diligence', and Principle 3, which requires an organisation to 'take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems'. In addition, the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook provides specific operational and contractual requirements for financial services organisations proactively managing information security risk, including in respect of outsourcing arrangements (see SYSC 8 and SYSC 13) and significant failures in an organisation's systems and controls.

Stage 3: Assemble the team

Once an organisation has assessed the information risk and the applicable legal and regulatory framework, it can then take a step towards assembling a team, which would typically include internal stakeholders, external legal advisers, IT and forensics. It is important at this stage that senior stakeholders are involved.

Stage 4: Develop the procedures

As part of proactive risk management planning, an incident response plan should be developed. It will always be important for organisations to implement relevant procedures that adequately deal with risk avoidance and mitigation. Once the risks have been identified, it is an attractive proposition for organisations to seek to transfer at least some of their potential losses through cyber insurance. Even though an organisation may be compliant with the relevant legal and regulatory regimes, this does not automatically ensure security of the data, and cyber insurance can help bear the burden of some of the costs associated with a data breach.

Within the cyber insurance marketplace there appears to be little uniformity among the terms of the policies available. In broad terms there are two main approaches to cyber insurance:

- reimbursement policies, which allow the insured to hire their own choice of consultants and vendors to respond to a data breach, such as legal, forensic and crisis management consultants (with consent from the insurer); and
- policies requiring the use of pre-approved vendors, or requiring that the vendors be appointed and paid directly by the insurer.

For any organisation though, reimbursement of costs is probably the biggest financial risk of a cyber attack. Typically, organisations can seek insurance coverage for network security liability, media liability, privacy liability, breach response costs and extortion payments. However, the insurability of fines remains an uncertain issue, and indirect business losses are generally not covered by insurance. First party cyber coverage (coverage for an insured's own direct losses, as opposed to coverage for third party claims asserted against the insured) that is available includes breach response costs, cyber extortion and certain network failure expenses.

Vendor relationships and indemnity provisions can raise interesting insurance coverage issues. For instance, where an organisation is dependent on a cloud provider that is hosting its data, and the cloud provider's services or security fail, what and whose insurance would respond? Can an organisation seek insurance coverage for the risk of failure of a cloud provider and its own resultant business losses? It remains to be seen how the insurance sector will deal with this problem.

"Despite efforts to mitigate customer or employee data breaches or privacy violations through strong IT security and improved corporate governance, the balance sheet will always be faced with a residual risk. It is this residual risk which specialist insurers in London and the US have started to address." Ben Beeson, Partner

Stage 5: Implement

The final stage of any proactive risk management strategy is to implement the plan and repeat the process. Lessons will be learned at each stage, and it is important that these are fed back into the process and that the process is reviewed repeatedly in light of new information. Putting in place appropriate procedures to monitor cyber risks, and the necessary detection and response tools, should help manage the risk if there is a data breach or cyber attack.

Risk Management: Reactive management of risks

If and when an incident occurs, it will be important to execute a tested data breach response plan. This can be simplified to a 5-stage process:

Stage 1: Assemble the response team
Stage 2: Assess the issue
Stage 3: Contain and remedy
Stage 4: Notify
Stage 5: Review

Stage 1: Assemble the response team

After procedures for identifying and managing cyber risks have been implemented, the real test for organisations is what happens when an incident occurs. Organisations should put in place, before any incident takes place, a team with clear roles and responsibilities allocated internally, and external advisers, including forensic and legal consultants, to coordinate the response to an incident and mitigate the potential damage. If an organisation has insurance that may apply to a data breach or other cyber incident, then identifying the broker to contact to give notice to the relevant insurer is part of the planning process.

Stage 2: Assess the issue

Organisations should avoid a 'knee jerk' reaction, which can sometimes lead to detrimental consequences and additional costs that defeat the effort and planning that went into the response procedures. The most effective reactive risk management is to ensure that the response is as systematic and sequential as possible, with time for thoughtful analysis of the technical issues and legal requirements involved. Unless the nature and extent of the breach is understood, and the information involved identified, effective containment, the required response and remedial action will be particularly hard to achieve.

Stage 3: Contain and remedy

Once the response team is assembled and the nature of the breach or other cyber incident is understood, the next step is generally to contain and remedy the situation systematically, as far as possible. Some key tips for reactive risk management are to consider the timing of any response or notification, and the tactical use of external lawyers to assist in the response and to preserve the privileges available in connection with the investigation. Expect the unexpected. At a time when tensions are high and resources are stretched, following the organisation's incident response plan and avoiding impulsive decisions could be the difference between managing the incident successfully and exposing the business to undue commercial and financial risks.

Stage 4: Notify

Once the extent of the breach is identified, the next step is to consider notification, both to comply with regulatory notification requirements and for public relations purposes.

Stage 5: Review

Once the incident has been dealt with, the organisation can improve its response plan by reviewing how its process responded to the incident, reacting to additional enquiries and adapting its plans for future incidents.

"Effective breach management requires a balancing exercise between implementing a structured response plan and reacting to ever changing commercial demands, at all times executed with the support and energy of central management." Mark Deem, Partner

This publication is for guidance only and is not intended to be a substitute for specific legal advice. If you would like further information, please contact the Edwards Wildman Palmer LLP lawyer responsible for your matters or one of the lawyers listed below:

Richard Graham, Partner
+44 (0)20 7556 4418
rgraham@edwardswildman.com

Mark Deem, Partner
+44 (0)20 7556 4425
mdeem@edwardswildman.com