Hacks, apps and espionage - how protected are you against cyber crime?
Top 10 Legal Need-to-Knows
24 February 2015
Callum Sinclair, Faith Jayne
Agenda
Top 10 legal need-to-knows, including:
- What is cyber crime
- What is the current legal position and obligations on businesses
- What to do in the event of an information breach
- How to protect your business and benefit from secure information
- Looking ahead: proposed changes to information security requirements
1. What is Cyber Crime?
1. Key Numbers
1. What is Cyber-Crime?
"There are two kinds of big companies in the US. There are those who've been hacked, and, those who don't know they've been hacked" - FBI Director, James Comey
High profile cyber attacks:
- Sony: personal email correspondence, employees' personal data, executive pay
- eBay: 233 million users' personal details were stolen
- Domino's: received a ransom demand for $40,000 in exchange for 600,000 Belgian and French customer records
1. What is Cyber-Crime?
"an attack on the confidentiality, integrity and accessibility of an entity's online/computer presence or networks - and information contained within" - Research Department of the IOSCO and the WFE
Four main types:
- Nuisance hacking
- Hacking for financial gain: from stealing customer credit card information to targeting a company's financial function to obtain its earnings report before it is publicly released, so as to acquire and dump stock
- Advanced persistent threat: stealthy and continuous computer hacking processes targeting a specific entity
- Hacktivism: the goal is to change or create a public perception about a brand, e.g. obtaining and disclosing sensitive information to the public
1. Top Concerns
- New technologies: mobile, social and cloud - e.g. mobile devices have their own powerful peer-to-peer networks, and employees might not realise the risks being introduced when sharing, sending or receiving corporate information on such devices
- Increasing sophistication of perpetrators: they function like a business, with management structure, quality control, offshoring etc.
- Increasing sophistication of attacks: perpetrators are more specific in who they target and play the long game
- Global nature: makes it difficult to investigate and prosecute
- Proposed legislation: a compliance burden which could cause the business to lose sight of what really matters
2. What laws do I need to be aware of?
2. Regulation
- Statutory duties: laws regulating safe processing of personal / confidential information and the conduct of financial services (ICO / FCA)
- Criminal sanctions: criminal offences for computer misuse, unauthorised obtaining of personal data, unauthorised access to communications data
- Civil sanctions: civil claims to recover loss or damage caused by negligence or breach of statutory duty; injunctive relief and disclosure orders (ISPs) against perpetrators
2. Criminal / Civil sanctions
- Computer Misuse Act 1990 (as amended by PJA 2006): offence to deliberately penetrate, alter or damage computer systems without authorisation
- Data Protection Act 1998 s.55(1): offence to knowingly or recklessly obtain or disclose personal data, or procure the disclosure, without consent from the data controller
- Regulation of Investigatory Powers Act 2000 s.1: offence to deliberately intercept a communication across a public telecommunications system without authorisation
- Civil liability: breach of statutory duty / duty of care; breach of confidence; breach of contract; civil award (injunctive relief / damages)
2. UK Cyber Security Strategy
Published December 2014
Objectives:
- make the UK one of the most secure places in the world to do business in cyberspace
- make the UK more resilient to cyber attack
- help shape an open, vibrant and stable cyberspace
- build the UK's cyber security knowledge, skills and capability
Related initiatives:
- 10 Steps to Cyber Security (updated in January)
- Cyber Security Governance Health Check for FTSE350 companies
- Cyber Essentials (accredited)
3. Who is responsible for governing compliance?
3. Regulators
- Information Commissioner's Office: database owners, data controllers and public communications providers
- Financial Conduct Authority: regulation of financial service providers
- National Crime Agency: enforcement against criminals involved in undertaking a cyberattack
3. Regulating those who hold the data
- DPA 7th principle: take appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss or destruction of, or damage to, personal data
- FCA PRIN 3: a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems
- DPA 8th principle: only transfer outside the EEA where that country ensures an adequate level of protection
3. Does this affect my business?
- Processing personal data in the context of a UK establishment?
- Providing regulated financial services within the UK?
- Providing a public communications service regulated under the Communications Act?
3. What is the risk if I don't comply?
Information security deserves the fullest attention at the highest levels.
Lloyd's Risk Index 2013: cyber risk has moved from position 12 (malicious) and 19 (non-malicious) in 2011 to the world's number three risk overall.
Risks include:
- Financial losses
- Intellectual property theft
- Reputational damage
- Fraud
- Legal exposure: regulatory fines and lawsuits
- Loss of shareholder value
- Extortion
4. What should I do in the event of an attack?
4. What to do in the event of an attack
- Assemble an incident response team
- Stop additional data loss
- Commence internal review
- Contact regulators
- Instruct experts: cybersecurity and forensic
- Secure evidence
- Preserve computer logs
- Document the breach
- Communicate the breach to customers & media
4. What to do in the event of an attack (2)
- Wider reporting
- Contact police
- Conduct interviews of personnel involved
- Re-issue or force security access changes
Do not:
- probe computers and affected systems
- turn off computers and affected systems
- image or copy data, or connect storage devices / media, to affected systems
- run antivirus programmes or utilities
- reconnect affected systems
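Two of the steps above, "Secure evidence" and "Preserve computer logs", are in practice carried out by hashing the exported copies of the logs and recording those hashes, with who collected them and when, in a chain-of-custody manifest; any later change to a file then shows up as a hash mismatch. The Python script below is an added example and not part of the presentation. It assumes the logs have already been copied off the affected systems onto an analyst workstation (it never touches the affected hosts, consistent with the "do not" list), that SHA-256 is an acceptable integrity hash, and the case reference and collector name are placeholders; the two log files are constructed sample data.

```python
"""Evidence-preservation helper: hash collected log copies into a manifest.

Added example, not from the original presentation. Runs on an analyst
workstation over copies of logs that have ALREADY been exported from the
affected systems. Assumptions: logs arrive as files in one directory,
SHA-256 is the integrity hash, and the manifest is a JSON file kept with
the evidence. Case reference and collector name are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, case_ref):
    """Record who collected what, when, and the hash of every file.

    The manifest is the chain-of-custody record: if a file's hash later
    differs from the manifest, that copy can no longer be relied on.
    """
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            continue
        entries.append({
            "file": name,
            "size_bytes": os.stat(path).st_size,
            "sha256": sha256_file(path),
        })
    return {
        "case_ref": case_ref,            # placeholder, not a real case id
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "hash_algorithm": "sha256",
        "entries": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash every listed file and return the names that are missing or
    whose hash no longer matches. An empty list means the evidence is intact."""
    problems = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            problems.append(entry["file"])
    return problems


def demo():
    """Constructed sample: two exported log files, one changed after collection.
    Returns (problems before the change, problems after the change)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Feb 24 09:12:01 host sshd[1]: Accepted password for alice\n")
        with open(os.path.join(d, "web.log"), "w") as f:
            f.write('10.0.0.5 - - [24/Feb/2015:09:13:44] "GET /admin HTTP/1.1" 403\n')
        manifest = build_manifest(d, collector="analyst-1", case_ref="CASE-PLACEHOLDER")
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)   # kept alongside the evidence
        before = verify_manifest(d, manifest)
        # Simulate the kind of post-collection change the manifest must catch.
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("Feb 24 09:20:00 host sshd[1]: Failed password for root\n")
        after = verify_manifest(d, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be stored (and its own hash noted) somewhere the investigation team controls, since a manifest that can be rewritten alongside the evidence proves nothing; a read-only share or a printed copy signed by the collector are the usual answers.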
5. Who should be notified in the event of a data breach?
5. Who must I notify in the event of a breach?
- Breach related to activity undertaken by a financial service provider? FCA
- Breach relating to personal data processed by a service provider offering public communications services? ICO
- Breach by a professional with a duty of confidentiality in respect of a client's data? Relevant professional body, e.g. SRA, Institute of Chartered Accountants
5. Who should I notify?
- If serious loss of personal data? ICO
- If fraudulent element to the crime? National Fraud Authority (Action Fraud enables online reporting; notification will trigger a police investigation)
- Internal departments
- Professional advisors and customers
- Third parties such as ISPs, insurers and affected persons
5. What happens if I don't notify?
- Failure to report to the ICO is not itself grounds for formal action; however, it is considered an aggravating factor in: investigations; enforcement notices; monetary penalties (up to £500,000)
- Failure to comply with an enforcement or monetary penalty notice is a criminal offence: fine; potential personal liability
- PRA/FCA Rules: power to impose unlimited fines for breach of PRA/FCA rules
6. How can I proactively protect my information?
6. How can I proactively protect information?
- Ensure information security is a key priority for the business
- Board member with IT understanding
- Update data protection policy to include general information security requirements
- Ensure the business has a crisis plan in the event of an attack
6. Do I need a CISO?
Chief Information Security Officer:
- Bridge the gap between IT and business risk
- Work collaboratively with GCs to manage risk
- Joint response team in the event of a breach
7. What is the biggest risk area to address?
7. Identify risk areas
Insider threats:
- 69% of data breaches arise as a result of insiders (the majority of which are careless as opposed to malicious)
- Balance between managing risk and ensuring a flexible working environment
- BYOD
Who is a risk?
- plants
- malicious employees
- careless employees
8. What does good practice look like?
8. Good practice
- Having a strategy in place and not just being reactive
- Having a high-level security chief who reports directly to a senior executive and who can help the management team to think and talk about how security affects business decisions
- Possessing a deep understanding of the types of security events that have occurred in the organisation
- Measuring and reviewing the effectiveness of policies and procedures annually
- Looking at outsourcers' data security practices both before doing business and after appointment
- Having an appropriate business continuity plan in case of an attack, including a clear plan to respond to data loss incidents, including informing and advising affected customers (redress?)
- When things go wrong: identifying what went wrong, how it went wrong and what can be done to prevent it happening again
8. What does poor practice look like?
- Failing to contact customers after their data security is compromised
- Treating data security as an IT or privacy issue without also recognising the fraud risk
- A blame culture discouraging staff from reporting data losses
- Being unsure how suppliers protect data
9. What upcoming changes do I need to be aware of?
9. What are the upcoming changes?
Two developments: the EU Directive for Network and Information Security, and the EU Data Protection Regime.
Under the NIS Directive, Member States must:
- adopt a NIS strategy
- set up a NIS Authority
- designate National Computer Emergency Response Teams (CERTs)
- cooperate with other Member States and the EC to share early warnings on risks and incidents
"Market operators" must:
- adopt risk management practices
- report major security incidents affecting their core services
9. Network Information Security Directive (NIS)
- NIS strategy
- NIS authority: regulate market operators; set standards; liaise with ENISA / DPAs / law enforcement; coordination with local regulators (FCA / ICO)
- CERT response team: monitor & respond to incidents; set common standards for reporting and handling incidents and managing risks
- "Market operators" (information society services & CI in the fields of financial market infrastructure, banking, transport, energy, healthcare; includes internet payment gateways, credit institutions, stock exchanges and counterparty clearing houses):
  - implement appropriate measures to manage NIS security risks
  - adopt specific measures to ensure continuity of service
  - notify breaches which have a significant impact on security
  - provide evidence of compliance / information to the NIS authority
  - comply with audit requests / instructions given by the NIS authority
- ENISA / EC / US co-operation network
9. EC Data Protection Regulations
Headline changes:
- "personal data breaches" must be reported to the regulator
- enforcement: fines up to 2% of global turnover for negligent / deliberate breaches
Extended responsibilities:
- data processors to be directly responsible for compliance (including adopting appropriate security measures)
- obligations to carry out routine security risk assessments / audits
- obligation to appoint DPOs with a wide remit, to include monitoring compliance with security measures
9. How will the changes affect me?
- Security measures: take appropriate and proportionate technical and organisational measures to detect and effectively manage the risks posed to the security of the networks and information systems under their control and use; measures should guarantee a level of security appropriate to the risk presented, having regard to the 'state of the art'
- Business continuity: take appropriate measures to prevent and minimise the impact of any incident affecting the security of their networks and information systems on the core services they provide, to ensure continuity of services
- Breach notification: notify the NIS authority of incidents having a significant impact on the continuity of the core services; factors: number, duration, geographic spread; voluntary notification; sector-specific criteria; protections for public disclosure
- Provision of evidence of compliance: e.g. a security audit carried out by a qualified independent body or national authority, with the evidence thereof made available to the NIS authority; sectoral derogations
- Standardisation: use IS standards to ensure convergent implementation
- Information duty: provide information to the NIS authority as required to assess the security of networks and information systems
- Binding instructions: comply with instructions from the NIS authority
10. What are my next steps?
10. Checklist (1)
Identifying sensitive data:
- What data do you (or your outsource provider) hold?
- Where is the data located?
- What laws and regulations apply to the data?
- What controls are around the data?
- Is data being sent to third parties? If so, is this done securely?
Resources:
- Are sufficient resources allocated to cybersecurity measures?
Management and reporting:
- Does management receive sufficient management information to understand and assess the organisation's exposure to cybercrime risk?
- Are there clear formal upward reporting lines in place for cyber-security?
10. Checklist (2)
Record-keeping:
- Do you keep a record of information about the frequency, type and/or source of security breaches, and how those breaches have been dealt with?
Documented policy:
- Do you have a cyber-security policy in place, with the terms cybercrime, cyber-attacks and cyberthreats clearly defined?
- Is the effectiveness of security policies and procedures reviewed annually?
Business continuity:
- Does your disaster recovery plan cover cybercrime risk?
- Do you have a clear strategy for responding to attacks?
Employee awareness:
- Are employees aware of the information security risks if they don't follow company policy?
- Are they kept up to date on new cybercrime threats?
10. Checklist (3)
Outsource service providers:
- Is the organisation aware of the cyber-security measures in place at its suppliers, including in particular any outsourced service suppliers?
Cooperation arrangements:
- Are arrangements in place to share information on attempted and successful cybercrime with authorities and regulators?
Board level awareness, engagement and action
Conclusion
- Doing nothing is no longer an option
- Be aware of the requirements and your responsibilities
- Proactively consider your information security strategy; don't just react to an attack
- Monitor future changes