Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

24 February 2015 | Callum Sinclair, Faith Jayne

Agenda
Top 10 legal need-to-knows, including:
- What is cyber crime
- What is the current legal position, and what obligations fall on businesses
- What to do in the event of an information breach
- How to protect your business and benefit from secure information
- Looking ahead: proposed changes to information security requirements

1. What is Cyber Crime?

1. Key Numbers

1. What is Cyber-Crime?
"There are two kinds of big companies in the US. There are those who've been hacked, and those who don't know they've been hacked." - FBI Director James Comey
High-profile cyber attacks:
- Sony: personal email correspondence, employees' personal data and executive pay leaked
- eBay: 233 million users' personal details were stolen
- Domino's: attackers demanded a $40,000 ransom in exchange for 600,000 Belgian and French customer records

1. What is Cyber-Crime?
"an attack on the confidentiality, integrity and accessibility of an entity's online/computer presence or networks - and information contained within" - Research Department of IOSCO and the WFE
Four main types:
- Nuisance hacking
- Hacking for financial gain: from stealing customer credit card information to targeting a company's finance function to obtain its earnings report before it is publicly released, so as to buy and dump stock
- Advanced persistent threat (APT): a stealthy, continuous intrusion targeting a specific entity
- Hacktivism: the goal is to change or create a public perception about a brand, e.g. by obtaining and disclosing sensitive information to the public

1. Top Concerns
- New technologies: mobile, social and cloud. For example, mobile devices have their own powerful peer-to-peer networks, and employees may not realise the risks introduced when sharing, sending or receiving corporate information on such devices
- Increasing sophistication of perpetrators: criminal groups function like a business, with management structure, quality control, offshoring etc.
- Increasing sophistication of attacks: perpetrators are more specific in who they target and play the long game
- Global nature: makes attacks difficult to investigate and prosecute
- Proposed legislation: a compliance burden that could cause the business to lose sight of what really matters

2. What laws do I need to be aware of?

2. Regulation
- Laws regulating the safe processing of personal / confidential information and the conduct of financial services (ICO / FCA)
- Statutory duties
- Criminal sanctions: offences for computer misuse, unauthorised obtaining of personal data, and unauthorised access to communications data
- Civil sanctions: claims to recover loss or damage caused by negligence or breach of statutory duty; injunctive relief against perpetrators and disclosure orders (e.g. against ISPs, to identify them)

2. Criminal / Civil sanctions
- Computer Misuse Act 1990 (as amended by the Police and Justice Act 2006): offence to deliberately penetrate, alter or damage computer systems without authorisation
- Data Protection Act 1998 s.55(1): offence to knowingly or recklessly obtain or disclose personal data, or procure its disclosure, without the consent of the data controller
- Regulation of Investigatory Powers Act 2000 s.1: offence to deliberately intercept a communication in the course of its transmission across a public telecommunications system without authorisation
- Civil liability: breach of statutory duty / duty of care, breach of confidence, breach of contract; remedies are civil awards (injunctive relief / damages)

2. UK Cyber Security Strategy
Published November 2011, with a progress report and forward plans published December 2014. Objectives:
- make the UK one of the most secure places in the world to do business in cyberspace
- make the UK more resilient to cyber attack
- help shape an open, vibrant and stable cyberspace
- build the UK's cyber security knowledge, skills and capability
Related initiatives: 10 Steps to Cyber Security (updated January 2015); Cyber Security Governance Health Check for FTSE 350 companies; Cyber Essentials accreditation

3. Who is responsible for governing compliance?

3. Regulators
- Information Commissioner's Office (ICO): database owners, data controllers and public communications providers
- Financial Conduct Authority (FCA): regulation of financial service providers
- National Crime Agency (NCA): enforcement against criminals involved in undertaking a cyber attack

3. Regulating those who hold the data
- DPA 7th principle: take appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage
- FCA PRIN 3: a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems
- DPA 8th principle: only transfer personal data outside the EEA where the destination country ensures an adequate level of protection

3. Does this affect my business?
- Processing personal data in the context of a UK establishment?
- Providing regulated financial services within the UK?
- Providing a public communications service regulated under the Communications Act?

3. What is the risk if I don't comply?
Information security deserves the fullest attention at the highest levels. Lloyd's Risk Index 2013: cyber risk moved from positions 12 (malicious) and 19 (non-malicious) in 2011 to the world's number three risk overall.
Risks include:
- Financial losses
- Intellectual property theft
- Reputational damage
- Fraud
- Legal exposure: regulatory fines and lawsuits
- Loss of shareholder value
- Extortion

4. What should I do in the event of an attack?

4. What to do in the event of an attack
- Assemble an incident response team
- Stop additional data loss
- Commence an internal review
- Contact regulators
- Instruct experts: cyber security and forensic
- Secure evidence
- Preserve computer logs
- Document the breach
- Communicate the breach to customers and media

4. What to do in the event of an attack (2)
- Wider reporting: contact the police
- Conduct interviews of the personnel involved
- Re-issue credentials or force security access changes
Do not:
- probe computers and affected systems
- turn off computers and affected systems
- image or copy data on, or connect storage devices/media to, affected systems
- run antivirus programs or utilities
- reconnect affected systems
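The "secure evidence" and "preserve computer logs" steps above, shown as an added example that is not part of the original presentation: a small Python tool that copies log files already exported from a central log server or SIEM into a read-only evidence store, records a SHA-256 per file in a hash-chained manifest, and can later re-verify that nothing was altered or dropped. It deliberately works on exported copies rather than on the affected hosts, in line with the "do not" list on the slide. The function names, manifest layout, chain seed and sample log lines are all constructed for illustration.

```python
"""Tamper-evident preservation of exported log files during incident response.

Added example: this is not code from the original presentation. It assumes
the logs have already been exported from a central log server or SIEM, so
nothing here runs on the compromised host (consistent with the slide's
"do not" list). Function names, manifest layout, the chain seed and the
sample log lines are all constructed for illustration.
"""
import hashlib
import json
import shutil
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"
CHAIN_SEED = "evidence-chain-v1"  # constructed seed for the hash chain


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _chain(prev: str, digest: str) -> str:
    """Link one file digest onto the running chain value."""
    return hashlib.sha256((prev + digest).encode()).hexdigest()


def collect_evidence(sources, evidence_dir: Path, collector: str) -> dict:
    """Copy each source into evidence_dir, verify the copy, make it read-only
    and record it in a hash-chained manifest (dropping or reordering an entry
    later changes the final chain value)."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries, chain = [], hashlib.sha256(CHAIN_SEED.encode()).hexdigest()
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)                 # copy2 preserves mtime for timelines
        digest = sha256_file(dst)
        if digest != sha256_file(src):         # fail closed on a bad copy
            raise RuntimeError(f"copy of {src} does not match its source")
        dst.chmod(stat.S_IRUSR)                # owner read-only: evidence is never edited in place
        chain = _chain(chain, digest)
        entries.append({
            "file": dst.name,
            "source_path": str(src),
            "size": dst.stat().st_size,
            "source_mtime_utc": datetime.fromtimestamp(
                src.stat().st_mtime, timezone.utc).isoformat(),
            "sha256": digest,
            "chain": chain,
        })
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "entries": entries,
        "final_chain": chain,                  # record this value out of band too
    }
    (evidence_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir: Path) -> dict:
    """Re-hash every preserved file and recompute the chain.
    Returns {'ok': bool, 'mismatched': [file names that no longer match]}."""
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    mismatched, chain = [], hashlib.sha256(CHAIN_SEED.encode()).hexdigest()
    for entry in manifest["entries"]:
        path = evidence_dir / entry["file"]
        actual = sha256_file(path) if path.exists() else None
        chain = _chain(chain, entry["sha256"])
        if actual != entry["sha256"] or chain != entry["chain"]:
            mismatched.append(entry["file"])
    ok = not mismatched and chain == manifest["final_chain"]
    return {"ok": ok, "mismatched": mismatched}


def demo() -> tuple:
    """Constructed walk-through: preserve two exported logs, verify, then
    simulate post-collection tampering and verify again."""
    work = Path(tempfile.mkdtemp())
    export, evidence = work / "export", work / "evidence"
    export.mkdir()
    # Constructed sample log lines standing in for a SIEM export.
    (export / "auth.log").write_text(
        "Feb 24 09:12:01 host1 sshd[2201]: Failed password for root from 203.0.113.7\n"
        "Feb 24 09:12:04 host1 sshd[2201]: Accepted password for backup from 203.0.113.7\n")
    (export / "proxy.log").write_text(
        "2015-02-24T09:15:22Z host1 CONNECT 198.51.100.9:443 user=backup bytes=8421770\n")
    collect_evidence([export / "auth.log", export / "proxy.log"], evidence, "IR team")
    before = verify_evidence(evidence)["ok"]
    # Tampering: someone re-enables write access and "tidies" the auth log.
    target = evidence / "auth.log"
    target.chmod(stat.S_IRUSR | stat.S_IWUSR)
    target.write_text("Feb 24 09:12:04 host1 sshd[2201]: Accepted password for backup\n")
    after = verify_evidence(evidence)
    for p in evidence.iterdir():               # restore write bits so cleanup works everywhere
        p.chmod(stat.S_IRUSR | stat.S_IWUSR)
    shutil.rmtree(work)
    return before, after["ok"], after["mismatched"]


if __name__ == "__main__":
    print(demo())   # (True, False, ['auth.log'])
```

The chain only detects silent edits to the manifest if the final chain value is also held somewhere the manifest's custodian cannot rewrite (the incident log, an email to counsel, a signed ticket); anyone who can rewrite the manifest can recompute the chain. The read-only bit is a guard against accidents, not against an attacker with the same account, so the evidence directory should sit on storage the incident team, not the affected systems' administrators, controls.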

5. Who should be notified in the event of a data breach?

5. Who must I notify in the event of a breach?
- Breach related to activity undertaken by a financial service provider? FCA
- Breach relating to personal data processed by a service provider offering public communications services? ICO
- Breach by a professional with a duty of confidentiality in respect of a client's data? The relevant professional body, e.g. SRA, Institute of Chartered Accountants

5. Who should I notify?
- Serious loss of personal data? ICO
- Fraudulent element to the crime? National Fraud Authority / Action Fraud (online reporting); notification will trigger a police investigation
- Internal departments
- Professional advisers and customers
- Third parties such as ISPs, insurers and affected persons

5. What happens if I don't notify?
ICO: failure to report to the ICO is not in itself grounds for formal action; however, it is considered an aggravating factor in investigations, enforcement notices and monetary penalties (up to £500,000). Failure to comply with an enforcement or monetary penalty notice is a criminal offence: a fine and potential personal liability.
PRA/FCA rules: power to impose unlimited fines for breach of PRA/FCA rules.

6. How can I proactively protect my information?

6. How can I proactively protect information?
- Ensure information security is a key priority for the business
- Board member with IT understanding
- Update the data protection policy to include general information security requirements
- Ensure the business has a crisis plan in the event of an attack

6. Do I need a CISO?
Chief Information Security Officer:
- Bridges the gap between IT and business risk
- Works collaboratively with general counsel (GCs) to manage risk
- Joint response team in the event of a breach

7. What is the biggest risk area to address?


7. Identify risk areas
Insider threats: 69% of data breaches arise as a result of insiders (the majority careless rather than malicious).
Balance between managing risk and ensuring a flexible working environment (BYOD).
Who is a risk? Plants, malicious employees, careless employees.

8. What does good practice look like?

8. Good practice
- Having a strategy in place and not just being reactive
- Having a high-level security chief who reports directly to a senior executive and who can help the management team think and talk about how security affects business decisions
- Possessing a deep understanding of the types of security events that have occurred in the organisation
- Measuring and reviewing the effectiveness of policies and procedures annually
- Looking at outsourcers' data security practices, both before doing business and after appointment
- Having an appropriate business continuity plan in case of an attack, including a clear plan to respond to data loss incidents, covering informing and advising affected customers (and redress)
- When things go wrong: identifying what went wrong, how it went wrong and what can be done to prevent it happening again

8. What does poor practice look like?
- Failing to contact customers after their data security is compromised
- Treating data security as an IT or privacy issue without also recognising the fraud risk
- A blame culture discouraging staff from reporting data losses
- Being unsure how suppliers protect data

9. What upcoming changes do I need to be aware of?

9. What are the upcoming changes?
Two EU measures: the Directive on Network and Information Security (NIS) and the new EU data protection regime.
Under the proposed NIS Directive, Member States must:
- adopt a NIS strategy
- set up a NIS authority
- designate a national Computer Emergency Response Team (CERT)
- cooperate with other Member States and the European Commission to share early warnings on risks and incidents
"Market operators" must:
- adopt risk management practices
- report major security incidents affecting their core services

9. Network and Information Security Directive (NIS): who does what
- National level (NIS strategy, NIS authority, CERT): regulate market operators; set standards; liaise with ENISA, data protection authorities and law enforcement; coordinate with local regulators (FCA / ICO); monitor and respond to incidents; set common standards for reporting and handling incidents and managing risks
- European level: ENISA / European Commission / US cooperation network
- "Market operators" (information society services, and critical infrastructure in financial market infrastructure, banking, transport, energy and healthcare; includes internet payment gateways, credit institutions, stock exchanges and central counterparty clearing houses) must: implement appropriate measures to manage NIS security risks; adopt specific measures to ensure continuity of service; notify breaches which have a significant impact on security; provide evidence of compliance and information to the NIS authority; comply with audit requests and instructions given by the NIS authority

9. EC Data Protection Regulation
Headline changes:
- "Personal data breaches" must be reported to the regulator
- Enforcement: fines of up to 2% of global turnover for negligent / deliberate breaches
Extended responsibilities:
- Data processors to be directly responsible for compliance (including adopting appropriate security measures)
- Obligations to carry out routine security risk assessments / audits
- Obligation to appoint Data Protection Officers (DPOs) with a wide remit, including monitoring compliance with security measures

9. How will the changes affect me?
- Security measures: take appropriate and proportionate technical and organisational measures to detect and effectively manage the risks posed to the security of the networks and information systems under your control and use; measures should guarantee a level of security appropriate to the risk presented, having regard to the state of the art
- Business continuity: take appropriate measures to prevent and minimise the impact of any incident affecting the security of your networks and information systems on the core services you provide, so as to ensure continuity of service
- Breach notification: notify the NIS authority of incidents having a significant impact on the continuity of core services; factors include the number of users affected, duration and geographic spread; voluntary notification; sector-specific criteria; protections around public disclosure
- Provision of evidence of compliance: e.g. a security audit carried out by a qualified independent body or national authority, with the evidence made available to the NIS authority; sectoral derogations
- Standardisation: use information security standards to ensure convergent implementation
- Information duty: provide information to the NIS authority as required to assess the security of networks and information systems
- Binding instructions: comply with instructions from the NIS authority

10. What are my next steps?

10. Checklist (1)
Identifying sensitive data:
- What data do you (or your outsource provider) hold?
- Where is the data located?
- What laws and regulations apply to the data?
- What controls are around the data?
- Is data being sent to third parties? If so, is this done securely?
Resources: are sufficient resources allocated to cyber security measures?
Management and reporting:
- Does management receive sufficient management information to understand and assess the organisation's exposure to cybercrime risk?
- Are there clear, formal upward reporting lines in place for cyber security?

10. Checklist (2)
Record-keeping:
- Do you keep records of the frequency, type and/or source of security breaches, and of how those breaches have been dealt with?
Documented policy:
- Do you have a cyber security policy in place, with the terms cybercrime, cyber attacks and cyber threats clearly defined?
- Is the effectiveness of security policies and procedures reviewed annually?
Business continuity:
- Does your disaster recovery plan cover cybercrime risk?
- Do you have a clear strategy for responding to attacks?
Employee awareness:
- Are employees aware of the information security risks if they don't follow company policy?
- Are they kept up to date on new cybercrime threats?

10. Checklist (3)
Outsource service providers:
- Is the organisation aware of the cyber security measures in place at its suppliers, including in particular any outsourced service suppliers?
Cooperation arrangements:
- Are arrangements in place to share information on attempted and successful cybercrime with authorities and regulators?
Board-level awareness, engagement and action

Conclusion
- Doing nothing is no longer an option
- Be aware of the requirements and your responsibilities
- Proactively consider your information security strategy; don't just react to an attack
- Monitor future changes
