Cybercrime: risks, penalties and prevention




Cyber attacks have been appearing in the news with increased frequency, and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn, Lockheed Martin, Barclays and Citigroup. On 3 October 2013, Adobe (creators of Acrobat and Photoshop software) disclosed that it had been the victim of cybercrime. It was reported that 38 million users were affected and that the attackers obtained source code and credit card information.

This article gives an overview of current cybercrime victims and losses. We then give suggestions on how to prevent cyber attacks and mitigate potential losses.

What is cybercrime?

Cybercrime encompasses a wide range of activities, including:
- hacking
- phishing
- denial of service (DoS) attacks
- creating and distributing malware
- unauthorised data access
- corruption or deletion of data
- interception of data.

There is a wide range of cyber criminals with differing motivations, such as:
- organised criminal groups with financial aims
- companies trying to steal intellectual property or commit corporate espionage
- state-sponsored hacking networks intent on espionage or political aims
- hacktivists with political aims
- individuals and small groups with financial aims or to prove they can
- rogue private investigators seeking information, evidence or news stories.

Groups of hackers can easily work together across multiple countries, and they do not need to be in the same location as their target. Hackers can also co-ordinate their attacks: in December 2012 a denial of service (DoS) attack was launched on San Francisco-based Bank of the West to distract IT security from account takeovers and theft of funds.

Who are the victims of cybercrime?

Anyone or any organisation can be affected by cybercrime. Cyber attack victims can be:
- companies (large and small)
- high-profile individuals
- government bodies
- general members of the public.

Some attacks are cast as a wide net (e.g. malware left on public websites) and others are specifically targeted. Cybercriminals can target their attacks at servers, websites, computers, mobile devices and tablets, as well as information stored in the cloud. Even non-digital operations can be at risk; industrial control systems have been targeted in the past (e.g. by the Stuxnet computer worm).

What are the potential losses from cybercrime?

Cybercrime losses vary depending on the nature of the target and attack. A report commissioned by the Cabinet Office in 2011 estimated that the UK loses £27 billion per annum to cybercrime, of which £21 billion is lost by UK businesses. One particularly serious risk is the theft of consumer information. The Edelman Privacy Risk Index found that 71 per cent of customers would leave an organisation after a data breach.

Some other examples of losses from cybercrime include:
- financial loss from hacked bank accounts, identity fraud, cyber extortion and blackmail (e.g. threatening to disclose stolen data, delete data on the owner's system, or attack a network unless a payment is made)
- financial loss from business disruption or interruption
- penalties imposed by regulators
- theft of intellectual property, such as confidential designs and schematics, which enables pirated copies to be produced
- damage to the reputation of an individual, business or brand
- costs of re-securing, digitally cleaning (to remove viruses and malware) and re-establishing secure networks
- loss of key data, which can cripple a business (e.g. deletion of a customer database)
- identity theft
- loss of personal data (e.g. from databases and records of government bodies).

What are the potential responses from regulators?

Regulators can impose hefty fines on companies who lose or inadequately protect consumer information. For example, following the theft of personal data from Sony in 2011, the Information Commissioner's Office (ICO) fined Sony £250,000 for having inadequate cybersecurity. New EU legislation, due to come into force in the UK in 2016, will mandate disclosure of lost or stolen consumer data and could impose fines of up to 2 per cent of a company's worldwide turnover. For example, if Sony, which had worldwide turnover of approximately US $72 billion for the fiscal year ended 31 March 2013, had been penalised under the new EU regime, it could have been fined up to US $1.5 billion.

What redress is available after a cyber attack?

In addition to traditional criminal legislation against theft and fraud, which can apply to cybercrime, legislation specifically targeted at cybercrime includes:
- the Computer Misuse Act 1990
- the Data Protection Act 1998
- the Communications Act 2003.

Offences under these acts can result in fines or imprisonment for up to 10 years. There are also sections related to cybercrime in the Regulation of Investigatory Powers Act 2000 and the Terrorism Act 2000.

Law enforcement agencies who deal with cyber attacks include:
- e-crime divisions of local police
- the National Crime Agency
- GCHQ/the intelligence services (depending on the nature of the offence).

Issues of jurisdiction have traditionally posed significant obstacles to investigating and prosecuting cybercrime, although the UK's ratification of the Budapest Convention on Cybercrime in 2011 should make it easier to pursue cyber criminals in future. Under UK law, prosecutions can be brought under the Computer Misuse Act 1990 where the individual is within the UK at the time the offence is committed, or occasionally where the data or device accessed was within the UK. Similarly, prosecutions can be brought under the Communications Act 2003 where there is a significant connection to the UK, such as the presence of the cybercriminal or the target.

Civil remedies are also available. These include actions for damages, injunctions, third party disclosure orders and breach of confidence.

Business liability for cybercrime?

During the 2011 UK phone hacking scandal, press organisations were revealed to have hired private investigators to carry out allegedly illegal inquiries and phone hacking. The scandal demonstrated that businesses can be held vicariously liable for cybercrimes committed by their employees or agents. In addition to monitoring their own networks and performing background checks on their employees, businesses should also ensure that they work with reputable contractors when sourcing services where cybercrime might be a tempting way to achieve results (e.g. private investigators). Such precautions are also advisable to reduce the risk of an inside job, as even the best firewalls and anti-virus programs are usually ineffective against an individual who already has access to the network.

How can cyber attacks be prevented and losses mitigated?

Many existing insurance policies do not protect against cybercrime losses. Specific cybercrime insurance is currently offered by only a limited number of insurers. This is expected to change as both insurers and customers develop a better understanding of cyber risks; cyber insurance policies should become more widely available and better tailored to provide appropriate cover.

Companies should also take steps to improve and test their systems. Data back-ups and clear business continuity plans are crucial. Businesses can also check their systems through penetration testing. This involves white hat hackers (i.e. legitimate IT hacking consultants) testing a system's vulnerabilities by attempting to break into it, so that weak spots can be identified and repaired.

Some industries and governments even conduct cyber war games. Waking Shark II, on 12 November 2013, was a war game conducted by government officials and staff from London banks and financial institutions. It involved a series of announcements and scenarios, such as how a major attack on computer systems might hit stock exchanges and unfold on social media.

The importance of updates

Cybercrime and cyber insurance are going through a period of change and maturity. Risk managers are increasingly aware of the issues and are seeking appropriate coverage. Insurers are working on developing their understanding of the risks and advising their insureds on how to prevent attacks and mitigate the fall-out. High-profile cases will continue to hit the headlines and generate significant losses. Businesses and insurers must ensure that they keep abreast of recent developments and new vulnerabilities so that they can guard against such risks, keep their networks up to date with relevant patches and be prepared for when cyber events occur.

For more information, please contact John Farrell (j.farrell@kennedys-law.com) or Stephen O'Dea (s.o'dea@kennedys-law.com).

Kennedys is a trading name of Kennedys Law LLP. Kennedys Law LLP is a limited liability partnership registered in England and Wales (with registered number OC353214).