
Cyber Security : preventing and mitigating incidents

Alexander Brown Robert Allen

07 & 08 October 2015

© Simmons & Simmons LLP 2015. Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated partnerships and other entities.

1 / B_LIVE_EMEA1:2814833v1

Cyber Security – context of the threat

“The magnitude and tempo of [cyber security attacks], basic or sophisticated, on UK and global networks pose a real threat to the UK’s economic security. The mitigation of these risks and management of these threats – in other words cyber security – is one of the biggest challenges we all face today”

Iain Lobban, Director GCHQ

UK Govt Information Security Breach Survey (2015):
– 90% of large organisations had a security breach in the last 12 months
– Average cost of worst security breach: £1.46m - £3.14m
– 41% of organisations: reputational damage had the greatest impact
– 68% of large organisations were attacked by an unauthorised outsider in the last 12 months
– 90% of large organisations suffer a breach each year
– 84% of large organisations suffered a malware attack in the last 12 months


Cyber Security – the corporate response

It is rising up the corporate agenda:
– 72% of large organisations provide ongoing security awareness training to staff
– 82% say that senior management regard cyber security as high / very high priority
– 86% have briefed their board on security risks
– 72% provide on-going security awareness training to staff
– 46% of businesses expect to spend more on cyber security next year

If it is not a priority then it should be:
– 72% of companies with poor security policy awareness had staff-related breaches (v 56% where the policy was well understood)
– 81% of businesses said there was some staff involvement in breaches
– Cost of getting it wrong is high (expense / reputation / regulatory intervention)


The Law - data security obligations

Data protection legislation applies to “Personal Data” (according to the Directive/UK Data Protection Act 1998 (DPA))

– data (automatic equipment / “relevant filing system”)
– relating to a living individual
– identified from that data
– or from that data in combination with other data

Definitions can vary across different jurisdictions

Note that whilst data protection legislation protects “personal data”, this and other data may also be protected by regulatory requirements / confidentiality / contractual obligations


The Law - data security obligations

“Appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access…and against all other unlawful forms of processing” (Directive)

“Appropriate technical and organisational security measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (DPA)

What businesses have to guard against:
– destruction / loss
– alteration
– access / disclosure
– all of which are either accidental / unauthorised / unlawful
– includes actions of third parties (e.g. hacking)


The Law - data security obligations

Having regard to the state of technology and cost, security must be appropriate to:

– the harm that might result from such unauthorised or unlawful processing or accidental loss / destruction / damage

– the nature of the data

Reasonable steps to ensure the reliability of employees who have access to data

Do businesses have to notify individuals / regulators?
– data protection – generally best practice rather than law, but some exceptions (e.g. Germany / US)
– sector-specific regulatory requirements

Generally an assessment of the harm / risk likely to be suffered by individuals and the volume of data


Data Security – proposed EU Regulation

Risk-based approach to the implementation of security measures to protect against loss or unauthorised disclosure of personal data

Data controllers and data processors must implement appropriate security measures and implement a security policy

New, mandatory requirement for data controllers to notify national data protection authorities of security breaches “without undue delay”

Data controllers will be required to notify affected individuals in wide-ranging circumstances

Data controllers will have to keep records of security breaches

Much larger sanctions for breach


Cyber Security – proposed EU Directive

The issue? Under EU rules “only telecoms companies and data controllers have to adopt security measures and telecoms companies alone are required to report significant incidents”

Note “computer crime” laws such as the Computer Misuse Act 1990 (which set out offences relating to hacking and “denial of service” attacks) remain law

Key provisions:
– In-scope organisations: Applicable to a range of “Market operator” entities – where disruption / destruction of infrastructure would have a significant impact on a Member State
– Technical and organisational measures: required in relation to network and information security (NIS), proportionate to risks (similar to current DP law)
– Notification: to NIS authority and, where required by NIS authority, to public, incidents which have a significant impact on the security of the core services they provide
– NIS strategy: Requirement upon member states to adopt a national NIS strategy and appoint competent NIS authorities
– Co-operation: Designed to limit cyber risk, requires “co-operation” among NIS network (NIS authorities and EC) – ability for market operators / technology companies to receive and share information
– CERTs: Requirement upon member states to set up a national Computer Emergency Response Team
– Sanctions: to be set by member states at a level which is “effective, proportionate and dissuasive”


Financial Regulatory Interest & Action

UK Financial Policy Committee – June 2013:
– “The dependence of major banks and financial market infrastructure on highly complex information technology (IT) systems made them potentially vulnerable to cyber attack, where an individual or group sought to exploit vulnerabilities in IT systems to disrupt services or for financial gain. Such attacks were increasing in frequency and sophistication. The Committee recognised that mitigating cyber attack was not a matter of systems enhancements alone but also required changes in processes and culture. All boards of financial institutions needed to consider their own arrangements to ensure effective management of cyber risk.”

FCA Business Plan 2014/2015 – focus on assessing and testing the financial services critical national infrastructure’s resilience to cyber attacks

Link to subject of IT resilience:
– 2012: “Dear Chairman” letter to banks
– 2014: RBS / NatWest fined £56m by FCA / PRA


Financial Regulation - UK

Relevant FCA principles / rules:
– Principle 3: A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems
– SYSC 3.1.1: A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.
– SYSC 3.2.6: A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.
– Principle 11: A firm must deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.

FCA guidance on information security


RBS / NatWest – IT resilience failings

“Three Lines of Defence”:
– Technology Services Risk:
  – did not devote sufficient time and attention to specific risk management activity. Focus on reporting risk and “sign off” rather than understanding and managing risk
  – did not take initiative to identify risks – they were reactive rather than pro-active
– Business Services Risk:
  – did not adequately challenge the first line of defence
  – focused on collating and reporting risk information
– Group Internal Audit:
  – did not explain its view of IT risk to first and second lines
  – did not close out IT audit issues; instead they rolled from audit period to audit period
  – did not highlight that it did not have the necessary documentation to fully test the IT controls


RBS / NatWest – IT resilience failings

The RBS Group had a limited understanding of IT operational risk – their IT function did not have a sufficiently prominent role at Board level or direct involvement in business prioritisation

Their BCP plans focused on low probability events rather than on more probable events (like software failures)

The BCP plans should have included more on IT resilience and the need to ensure the continuity of systems critical to servicing customers.


Enforcement Action – relevant factors

Nature of the breach
– Culpability
– Data / systems affected
– People affected: type and number
– Risk to affected people
– Loss / distress caused

Preparedness
– Security adopted (technical & organisational)
– Policies / plans
– Staff training / awareness

Nature of the offender
– Repeat offences
– Financial resources
– Financial benefit from the breach

Reaction to the breach
– Speed of response
– Quality of the response
– Notification to regulators
– Co-operation with regulators
– Customer protection / redress
– Acting on lessons learned


Cyber Security – security measures

UK Govt – Ten Steps To Reduce Cyber Risk
– Review data assets and their business criticality
– Identify the risks and reconsider as technology use changes
– Information risk management regime
– User education and awareness
– Home and mobile working
– Incident management
– Manage user privileges
– Removable media controls
– Monitor systems and networks
– Maintain secure configuration
– Anti-malware defences
– Protect the network perimeter


What should you do now?

Assess your level of preparedness and current security measures

Do you have an appropriate cyber / data security plan?
– What needs to be protected? How should each asset be protected?
– Does it cover all probable events (not just the Black Swan)?
– Is it reviewed / tested?
– Does it have senior management engagement?

Do you have a breach management plan?
– How will breaches be detected?
– What will you do in the first hour / 6 hours / day / week?
– What will the incident management priorities be?
– Who needs to be involved?
– How will you manage regulators / reputation?
– How will you remediate / learn the lessons?


simmons-simmons.com elexica.com

This document is for general guidance only. It does not contain definitive advice. SIMMONS & SIMMONS and S&S are registered trade marks of Simmons & Simmons LLP. Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated practices. Accordingly, references to Simmons & Simmons mean Simmons & Simmons LLP and the other partnerships and other entities or practices authorised to use the name “Simmons & Simmons” or one or more of those practices as the context requires. The word “partner” refers to a member of Simmons & Simmons LLP or an employee or consultant with equivalent standing and qualifications or to an individual with equivalent status in one of Simmons & Simmons LLP’s affiliated practices. For further information on the international entities and practices, refer to simmons-simmons.com/legalresp. Simmons & Simmons LLP is a limited liability partnership registered in England & Wales with number OC352713 and with its registered office at CityPoint, One Ropemaker Street, London EC2Y 9SS. It is authorised and regulated by the Solicitors Regulation Authority. A list of members and other partners together with their professional qualifications is available for inspection at the above address.