FINANCIAL SERVICES Cybersecurity 2.0: The Role of Counsel in Addressing Destructive Cyberattacks



Similar documents
Nuclear Security Requires Cyber Security

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

Incident Response. Proactive Incident Management. Sean Curran Director

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives

Cybersecurity: Protecting Your Business. March 11, 2015

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

Law Firms and Cyber Security

September 20, 2013 Senior IT Examiner Gene Lilienthal

I ve been breached! Now what?

Cybersecurity y Managing g the Risks

White Paper on Financial Industry Regulatory Climate

Collateral Effects of Cyberwar

RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123. Cybersecurity: A Growing Concern for Small Businesses

Into the cybersecurity breach

Information Security Addressing Your Advanced Threats

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

Defending Against Data Beaches: Internal Controls for Cybersecurity

CYBER SECURITY SPECIALREPORT

A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS

OCIE Technology Controls Program

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Cybersecurity Awareness. Part 1

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

IIABSC Spring Conference

Liability Management Evolving Cyber and Physical Security Standards and the SAFETY Act

Cedric Leighton, Colonel, USAF (Ret) Founder & President, Cedric Leighton Associates

FACT SHEET: Ransomware and HIPAA

Cybersecurity Workshop

THE PERFECT STORM WEATHERING CYBER THREATS IN THE HEALTHCARE INDUSTRY

MEASURES TO ENHANCE MARITIME SECURITY. Industry guidelines on cyber security on board ships. Submitted by ICS, BIMCO, INTERTANKO and INTERCARGO

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP

Internet threats: steps to security for your small business

EY Cyber Security Hacktics Center of Excellence

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015

Seven Strategies to Defend ICSs

Breaking the Cyber Attack Lifecycle

Network Security & Privacy Landscape

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

James R. Clapper. Director of National Intelligence

What Data? I m A Trucking Company!

How Secure is Your SCADA System?

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

PwC Cybercrime US Center of Excellence

NATIONAL CYBER SECURITY AWARENESS MONTH

Cyber Security Presentation. Ontario Energy Board Smart Grid Advisory Committee. Doug Westlund CEO, N-Dimension Solutions Inc.

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

KEY STEPS FOLLOWING A DATA BREACH

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

WRITTEN TESTIMONY OF

Data Center security trends

By Daniel E. Frank and Don Borelli

Security and Privacy

How-To Guide: Cyber Security. Content Provided by

Security & privacy in the cloud; an easy road?

How GCs And Boards Can Brace For The Cybersecurity Storm - Law360

How To Protect Your Business From A Cyber Attack

Evolving Threats and Attacks: A Cloud Service Provider s viewpoint. John Howie Senior Director Online Services Security and Compliance

Delaware Cyber Security Workshop September 29, William R. Denny, Esquire Potter Anderson & Corroon LLP

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

Cybersecurity Risks, Regulation, Remorse, and Ruin

Cybersecurity Vulnerability Management:

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures

Establishing a Data-Centric Approach to Encryption

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

3/4/2015. Scope of Problem. Data Breaches A Daily Phenomenon. Cybersecurity: Minimizing Risk & Responding to Breaches. Anthem.

Preventing And Dealing With Cyber Attacks And Data Breaches. Arnold & Porter LLP Lockheed Martin WMACCA February 12, 2014

Cyber Security 2014 SECURE BANKING SOLUTIONS, LLC

Practical Steps To Securing Process Control Networks

Cybersecurity The role of Internal Audit

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Reducing Risk. Raising Expectations. CyberRisk and Professional Liability

Cybersecurity Policies and Best Practices: Protecting small firms, large firms, and professional services from malware and other cyber-threats

Presented By: Corporate Security Information Security Treasury Management

Cybersecurity Opportunities. Presented to: National Professional Science Masters Association November 13, 2013

Cyber Security Threats: What s Next and How Do We Reduce the Risks?

Cyber Security Strategy

Best Practices in Incident Response. SF ISACA April 1 st Kieran Norton, Senior Manager Deloitte & Touch LLP

Maritime Insurance Cyber Security Framing the Exposure. Tony Cowie May 2015

Cybersecurity. Are you prepared?

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Cybercrime: risks, penalties and prevention

New York State Energy Planning Board. Cyber Security and the Energy Infrastructure

Surviving the Ever Changing Threat Landscape

HIPAA Security Alert

Reducing Cyber Risk in Your Organization

PROMOTION // TECHNOLOGY. The Economics Of Cyber Security

Keynote: FBI Wednesday, February 4 noon 1:10 p.m.

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

Data Privacy and Cybersecurity Task Force

Corporate Spying An Overview

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

U. S. Attorney Office Northern District of Texas March 2013

Energy Cybersecurity Regulatory Brief

Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst

Transcription:

FINANCIAL SERVICES Cybersecurity 2.0: The Role of Counsel in Addressing Destructive Cyberattacks By David Fagan and Ashden Fein Covington & Burling It is well understood that cyber threats evolve and, in turn, require constant vigilance and evolution of defenses. It is less common among enterprises to have a precise understanding of what it means for cyber threats to evolve. Many enterprises view such evolution as focusing on the means of attack, such as new malware or vectors of attack. However, a risk-based approach to cybersecurity which is generally the practical legal mandate for enterprises should recognize a more significant evolution of the cyber threat: the evolution of the type and effect of the cyber-based threat from data loss (e.g., lost backup tapes or laptops), to data theft (e.g., nation-state infiltrations for economic espionage or criminal hacks for profit), to more destructive attacks that have arisen with greater frequency over the past few years. In more personal terms, the difference between data loss or theft (which may be viewed as Cybersecurity 1.0 ) and data and property destruction ( Cybersecurity 2.0 ) is the difference between having your house robbed and having your house burned to the ground. It is, of course, a best practice to protect homes from both risks to have security alarms and fire detection and suppression systems. Yet on the cyber front, many enterprises (to the extent that they are prepared or focused at all on the risks) are principally training their resources and defenses on protecting their data from exfiltration. There is no question that the risk of data exfiltration is very real and must be addressed, but resources, including legal resources, should also be trained on the possibility of more advanced threats committed to destruction, not just theft. The Evolution of Cybersecurity The majority of cyber-related attacks focused on enterprises have been opportunistic in nature not targeted at any particular individual or company and conducted by relatively unskilled hackers. These data-focused attacks are both the most common and least dangerous types of attacks, and they also are minimally successful because the majority of people know not to open spam email or click on links in their email. According to Verizon s 2015 Data Breach Investigations Report, only 23% of recipients open phishing emails. Dating back several years, however, there has been a proliferation of more targeted attacks from nation states and sophisticated criminal organizations that demonstrate persistence (multiple efforts to find vulnerabilities over the course of months or years) and sophistication (exploiting unknown vulnerabilities and covering traces once inside an organization) to steal data. For example: ATM-processing companies suffered breaches that resulted in customers ATM cards numbers and PINs being stolen and used by thieves. In one case, in less than 12 hours in 2008, Eastern European hackers infiltrated RBS WorldPay and stole customers ATM card data and encrypted PINs, cracked the card users PINs, and further stole more than $9.5 million from those accounts. [1] In May 2011, Lockheed Martin suffered a cyberattack through the unauthorized use of its employee remote connection application. The attack was enabled by the fruits of a previous cyberattack on RSA Security, the electronic token vendor that provided remote access security to Lockheed Martin. [2] 1

Since 2005, more than 75 data breaches have been publicly disclosed in which bad actors compromised 1 million or more records, including Heartland Payment Systems (130 million records, 2009), Target (110 million records, 2013), Home Depot (190 million records, 2014), and Anthem (80 million records, 2015). [3] See also In a Candid Conversation, FBI Director James Comey Talks About the Evil Layer Cake of Cybersecurity Threats, The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015); and In a Candid Conversation, FBI Director James Comey Discusses Cooperation among Domestic and International Cybersecurity Law Enforcement Communities (Part Two of Two), Vol. 1, No. 6 (Jun. 17, 2015). In response to these threats, companies continue to develop institutional controls to defend against and mitigate data theft resulting from cyberattacks, and counsel are increasingly involved in such risk mitigation efforts. These controls include, among other things, developing incident response plans focused primarily on data loss, assessing vendors for their ability to protect data and shifting liability risks for data loss through contractual arrangements, establishing insider threat detection programs focused on employee or contractor access to sensitive data, and obtaining insurance coverage for data breaches. With the exception of a few industries, these controls continue to focus principally on protecting data from being exfiltrated or accessed by unauthorized persons, or mitigating and remediating any data-related losses, and not specifically protecting the integrity of IT systems or preventing physical destruction resulting from hacked networked devices. The more disturbing trend in cyberattacks, however, is squarely focused on destruction. These malicious attacks are directed at harming a business rather than directly benefiting the attacker. The most infamous of such attacks is the one perpetrated against Sony Pictures Entertainment (SPE) in November 2014, which reportedly rendered unusable nearly half of every computer at SPE. [4] In its FY14 20-F to investors, Sony Corporation reported that, as of March 31, 2015, SPE spent approximately $41 million to investigate and remediate the cyberattack on its network and IT infrastructure, and that cost did not include any losses from the impact on its intellectual property or from any litigation or regulatory actions. Sony, however, is not the only entity to suffer such an attack: On a single day in 2012, Saudi Aramco suffered a cyberattack resulting in approximately 30,000 of its internal network computers being destroyed, with its data erased and replaced with an image of a burning American flag. [5] The malware used in the attack had an imbedded timer that was programmed to execute across the entire enterprise at the exact same time and also had code that rewrote the computers master boot record, effectively disabling the system. [6] In February 2014, hackers released malware that destroyed the information technology infrastructure of the Sands Casino. The company executives managed to stop the attack the same day it began, by quickly removing the entire company from the Internet. [7] In December 2014, Bloomberg reported the cause of an August 2008 explosion in a crude oil pipeline just outside of Rehafiye, Turkey to be that of Russian state-sponsored hackers. [8] These hackers exploited a vulnerability in networked surveillance cameras meant to protect the pipeline, to gain access to the industrial control systems and cause super-pressurized crude oil to explode. The explosion caused extensive damage to the pipeline, spilled more than 30,000 barrels of oil into an aquifer, required companies to pay $5 million in transit tariffs per day for three weeks while the pipeline was inoperative, and cost the Republic of Azerbaijan $1 billion in export revenue. [9] In January 2015, Wired.com reported that the German Federal Office for Information Security released a report detailing a cyberattack on a German steel mill resulting in large-scale damage. [10] The report outlined that hackers used a sophisticated phishing scheme to gain access to 2

the plant s business network to further gain access to the plant s industrial control systems. According to Wired.com, the hackers were able to manipulate and disrupt the control systems to cause the blast furnace to fail to shutdown properly, resulting in massive though unspecified damage. [11] On July 21, 2015, Wired.com reported that researchers were able to wirelessly carjack a Jeep Cherokee by remotely controlling the dashboard, transmission, brakes and steering through accessing the vehicle s Internet-connected technology. [12] Although this cyberattack occurred in a somewhat controlled environment, it is another example of a present-day vulnerability that can have a destructive effect in the physical domain and not just isolated to IT systems. Implications of Destructive Cyberattacks for the Role of Counsel The emergence of destructive cyberattacks underscores the importance for legal departments to have an understanding of their enterprise s operations, supply chains, IT dependencies and cyber-threat profile. Counsel should adequately advise on compliance, governance, risk management, litigation and other core legal issues surrounding cyber-threats, especially as the frequency and severity continue to increase. There are several steps that counsel can take to help their organizations manage the risk from such attacks: Incident Response Preparation Cyber-related incident response and business continuity plans should train for destructive cyberattacks, not only loss of data, and should ensure that appropriate resources are identified that can manage the attack and make a decision to shut down a network in order to preserve it. Counsel s active involvement in the training under such plans, including tabletop exercises, can establish and preserve privilege and protect the results of such simulations. See also Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two), The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015); Part Two, Vol. 1, No. 7 (Jul. 1, 2015). Vendor Assessment and Contracts It is fairly standard for vendors to be assessed for their ability to protect data that may be shared with them, and, in turn, for vendor contracts to impose data security requirements and apportion liability for breaches involving data. Such assessments and contractual terms, however, often do not focus on underlying risks that could contribute to destructive cyberattacks, such as steps a vendor has taken to assure the availability, integrity and reliability of its network. Likewise, for vendors of connected devices or other IT equipment, most supply assessments and contracts do not include terms that address the importance of the equipment to the availability, integrity and reliability of the network in which the equipment is installed or, for that matter, impose other than the most basic requirements on the vendor for its own supply chain and assurance practices. In a world of destructive cyberattacks, it may behoove counsel to review such assessments and contractual terms to ensure that, in appropriate circumstances, they account for and address the possibility of such attacks. Governance and Disclosure Since 2011, the SEC s Division of Corporation Finance has recognized that cyber incidents could result in disruption to operations that could require disclosure to shareholders and the SEC as a risk factor. [13] Counsel should plan on potentially having to disclose destructive attacks, but only after taking into account the occurrence, frequency and severity of prior cybersecurity incidents, as well as the potential costs and other consequences associated with such incidents. Counsel can work with their IT departments and businesses to understand the possible effects of destructive cyberattacks and be prepared to conduct a materiality analysis very quickly following such an incident. 3

Insurance Policies In May 2014, the insurance industry introduced broader cyber-related exclusions to the standard commercial general liability policy, in an apparent effort to confine such coverage to the specialty cyber risk policies that many insurers have sold in recent years. These cyber policies are not standardized, however, and many contain limiting conditions and exclusions, including exclusions for physical injury and property damage. Counsel should carefully examine these cyber policies, alongside the other lines of coverage in a company s insurance program, to determine whether potential cyberattacks resulting in destruction of IT systems or physical infrastructure, and not just loss of data, might fall within a coverage gap. See also Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps, The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015). Conclusion In addressing cybersecurity threats, legal counsel, just like other aspects of an organization, should recognize the evolving nature of the threat and ensure that their organization is properly focused, from a legal standpoint, on the possibility of destructive cyberattacks and not just data theft. David Fagan, a partner in Covington s global privacy and data security and international practice groups, counsels clients on preparing for and responding to cyber-based attacks on their networks and information, developing and implementing information security programs, and complying with federal and state regulatory requirements. He has been lead investigative and response counsel to companies in a range of cyber and data security incidents, including matters involving millions of affected consumers. Ashden Fein is an associate in Covington s global privacy and data security, litigation and white collar defense & investigations practice groups He focuses on representing companies and individuals in government and internal investigations, including clients in the defense, cybersecurity and national security industries; regulatory matters concerning national security law; and global privacy and data security. Before joining Covington, Fein served in the United States Army as a prosecutor where he specialized in cybercrime and national security investigations. 4

[1] Kim Zetter, Russian Convicted of $9 Million RBS WorldPay Hack Avoids Jail, Wired (Feb. 9, 2011). [2] Christopher Drew & John Markoffmay, Data Breach at Security Firm Linked to Attack on Lockheed (May 27, 2011). [3] Keith Collins, A Quick Guide to the Worst Corporate Hack Attacks, Bloomberg (March 18, 2015). [4] Peter Elkind, Inside the Hack of the Century, Fortune (Jul. 1, 2015). [5] Reuters, Saudi Arabia Says Cyber Attack Aimed to Disrupt Oil, Gas Flow (Dec. 9, 2012) [hereinafter Reuters ]; Jack Clark, Shamoon Malware Infects Computers, Steals Data, Then Wipes Them, ZDNet (Aug. 17, 2012); Nicole Perlroth, Connecting the Dots After Cyberattack on Saudi Aramco, New York Times (Aug. 27, 2012). [6] See Reuters. [7] Ben Elgin & Michael Riley, Now At The Casino: An Iranian Hacker in Every Server, Bloomberg (Dec. 11, 2014). [8] Jordan Robertson & Michael A. Riley, Mysterious 08 Turkey Pipeline Blast Opened New Cyberwar, Bloomberg (Dec. 10, 2014). [9] Id. [10] Kim Zetter, A Cyberattack Has Caused Physical Damage for the Second Time Ever, Wired (Jan. 8, 2015). [11] Id. [12] Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway With Me In It, Wired (Jul. 21, 2015). [13] See Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity (Oct. 13, 2011). 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information