Post on 06-May-2018
Cyber Security : preventing and mitigating incidents
Alexander Brown Robert Allen
07 & 08 October 2015
© Simmons & Simmons LLP 2015. Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated partnerships and other entities.
Cyber Security – context of the threat
“The magnitude and tempo of [cyber security attacks], basic or sophisticated, on UK and global networks pose a real threat to the UK’s economic security. The mitigation of these risks and management of these threats – in other words cyber security – is one of the biggest challenges we all face today”
Iain Lobban, Director GCHQ
UK Govt Information Security Breaches Survey (2015):
– 90% of large organisations had a security breach in the last 12 months
– Average cost of the worst security breach: £1.46m - £3.14m
– 41% of organisations said reputational damage had the greatest impact
– 68% of large organisations were attacked by an unauthorised outsider in the last 12 months
– 84% of large organisations suffered a malware attack in the last 12 months
Cyber Security – the corporate response
It is rising up the corporate agenda:
– 82% say that senior management regard cyber security as a high / very high priority
– 86% have briefed their board on security risks
– 72% of large organisations provide ongoing security awareness training to staff
– 46% of businesses expect to spend more on cyber security next year
If it is not a priority then it should be:
– 72% of companies with poor security policy awareness had staff-related breaches (v 56% where the policy was well understood)
– 81% of businesses said there was some staff involvement in breaches
– The cost of getting it wrong is high (expense / reputation / regulatory intervention)
The Law - data security obligations
Data protection legislation applies to “Personal Data” (according to the Directive / UK Data Protection Act 1998 (DPA)):
– data (processed by automatic equipment or held in a “relevant filing system”)
– relating to a living individual
– who can be identified from that data
– or from that data in combination with other data
Definitions can vary across different jurisdictions
Note that whilst data protection legislation protects “personal data”, this and other data may also be protected by regulatory requirements / confidentiality / contractual obligations
The Law - data security obligations
“Appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access…and against all other unlawful forms of processing” (Directive)
“Appropriate technical and organisational security measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (DPA)
What businesses have to guard against:
– destruction / loss
– alteration
– access / disclosure
– all of which are either accidental / unauthorised / unlawful
– includes actions of third parties (e.g. hacking)
The Law - data security obligations
Having regard to the state of technology and cost, security must be appropriate to:
– the harm that might result from such unauthorised or unlawful processing or accidental loss / destruction / damage
– the nature of the data
Reasonable steps must be taken to ensure the reliability of employees who have access to the data
Do businesses have to notify individuals / regulators?
– data protection: generally best practice rather than law, but with some exceptions (e.g. Germany / US)
– sector-specific regulatory requirements
Generally an assessment of the harm / risk likely to be suffered by individuals and the volume of data
Data Security – proposed EU Regulation
Risk-based approach to the implementation of security measures to protect against loss or unauthorised disclosure of personal data
Data controllers and data processors must implement appropriate security measures and implement a security policy
New, mandatory requirement for data controllers to notify national data protection authorities of security breaches “without undue delay”
Data controllers will be required to notify affected individuals in wide-ranging circumstances
Data controllers will have to keep records of security breaches
Much larger sanctions for breach
Cyber Security – proposed EU Directive
The issue? Under EU rules “only telecoms companies and data controllers have to adopt security measures and telecoms companies alone are required to report significant incidents”
Note that “computer crime” laws such as the Computer Misuse Act 1990 (which sets out offences relating to hacking and “denial of service” attacks) remain law
Key provisions:
– In-scope organisations: applicable to a range of “market operator” entities, where disruption / destruction of infrastructure would have a significant impact on a Member State
– Technical and organisational measures: required in relation to network and information security (NIS), proportionate to risks (similar to current DP law)
– Notification: to the NIS authority and, where required by the NIS authority, to the public, of incidents which have a significant impact on the security of the core services they provide
– NIS strategy: requirement upon member states to adopt a national NIS strategy and appoint competent NIS authorities
– Co-operation: designed to limit cyber risk; requires “co-operation” among the NIS network (NIS authorities and EC), with the ability for market operators / technology companies to receive and share information
– CERTs: requirement upon member states to set up a national Computer Emergency Response Team
– Sanctions: to be set by member states at a level which is “effective, proportionate and dissuasive”
Financial Regulatory Interest & Action
UK Financial Policy Committee – June 2013:
– “The dependence of major banks and financial market infrastructure on highly complex information technology (IT) systems made them potentially vulnerable to cyber attack, where an individual or group sought to exploit vulnerabilities in IT systems to disrupt services or for financial gain. Such attacks were increasing in frequency and sophistication. The Committee recognised that mitigating cyber attack was not a matter of systems enhancements alone but also required changes in processes and culture. All boards of financial institutions needed to consider their own arrangements to ensure effective management of cyber risk.”
FCA Business Plan 2014/2015 – focus on assessing and testing the resilience of the financial services critical national infrastructure to cyber attacks
Link to the subject of IT resilience:
– 2012: “Dear Chairman” letter to banks
– 2014: RBS / NatWest fined £56m by the FCA / PRA
Financial Regulation - UK
Relevant FCA principles / rules:
– Principle 3: A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
– SYSC 3.1.1: A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.
– SYSC 3.2.6: A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.
– Principle 11: A firm must deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.
FCA guidance on information security
RBS / NatWest – IT resilience failings
“Three Lines of Defence”:
– Technology Services Risk:
  – did not devote sufficient time and attention to specific risk management activity; focus on reporting risk and “sign off” rather than understanding and managing risk
  – did not take the initiative to identify risks; they were reactive rather than pro-active
– Business Services Risk:
  – did not adequately challenge the first line of defence; focused on collating and reporting risk information
– Group Internal Audit:
  – did not explain its view of IT risk to the first and second lines
  – did not close out IT audit issues; instead they rolled from audit period to audit period
  – did not highlight that it did not have the necessary documentation to fully test the IT controls
RBS / NatWest – IT resilience failings
The RBS Group had a limited understanding of IT operational risk: its IT function did not have a sufficiently prominent role at Board level or direct involvement in business prioritisation
Its BCP plans focused on low-probability events rather than on more probable events (such as software failures)
The BCP plans should have included more on IT resilience and the need to ensure the continuity of systems critical to servicing customers
Enforcement Action – relevant factors
Nature of the breach:
– Culpability
– Data / systems affected
– People affected: type and number
– Risk to affected people
– Loss / distress caused
Preparedness:
– Security adopted (technical & organisational)
– Policies / plans
– Staff training / awareness
Nature of the offender:
– Repeat offences
– Financial resources
– Financial benefit from the breach
Reaction to the breach:
– Speed of response
– Quality of the response
– Notification to regulators
– Co-operation with regulators
– Customer protection / redress
– Acting on lessons learned
Cyber Security – security measures
UK Govt – Ten Steps To Reduce Cyber Risk:
– Review data assets and their business criticality
– Identify the risks and reconsider as technology use changes
– Information risk management regime
– User education and awareness
– Home and mobile working
– Incident management
– Manage user privileges
– Removable media controls
– Monitor systems and networks
– Maintain secure configuration
– Anti-malware defences
– Protect the network perimeter
What should you do now?
Assess your level of preparedness and current security measures
Do you have an appropriate cyber / data security plan?
– What needs to be protected? How should each asset be protected?
– Does it cover all probable events (not just the Black Swan)?
– Is it reviewed / tested?
– Does it have senior management engagement?
Do you have a breach management plan?
– How will breaches be detected?
– What will you do in the first hour / 6 hours / day / week?
– What will the incident management priorities be?
– Who needs to be involved?
– How will you manage regulators / reputation?
– How will you remediate / learn the lessons?
simmons-simmons.com elexica.com
This document is for general guidance only. It does not contain definitive advice. SIMMONS & SIMMONS and S&S are registered trade marks of Simmons & Simmons LLP. Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated practices. Accordingly, references to Simmons & Simmons mean Simmons & Simmons LLP and the other partnerships and other entities or practices authorised to use the name “Simmons & Simmons” or one or more of those practices as the context requires. The word “partner” refers to a member of Simmons & Simmons LLP or an employee or consultant with equivalent standing and qualifications or to an individual with equivalent status in one of Simmons & Simmons LLP’s affiliated practices. For further information on the international entities and practices, refer to simmons-simmons.com/legalresp. Simmons & Simmons LLP is a limited liability partnership registered in England & Wales with number OC352713 and with its registered office at CityPoint, One Ropemaker Street, London EC2Y 9SS. It is authorised and regulated by the Solicitors Regulation Authority. A list of members and other partners together with their professional qualifications is available for inspection at the above address.