Cyber-Breach Trends: High-Impact in a Hostile World

MacDonnell (Don) Ulsch, Managing Director, Cybercrime & Breach Response, PricewaterhouseCoopers LLP

Source: web.uslaw.org/wp-content/uploads/2015/02/15_USLAW...


Page 1

Cyber-Breach Trends: High-Impact in a Hostile World

MacDonnell (Don) Ulsch

Managing Director, Cybercrime & Breach Response

PricewaterhouseCoopers LLP

Page 2

Topics

Information Targets

Disturbing Trends

Cyber Breach Case Histories

U.S. Securities and Exchange Commission Cyber Breach Reporting Guidelines

Board Questions

Page 3

Information Targets

Advanced Materials (key to shipping & logistics)

Advanced Manufacturing & Automation (key to shipping & logistics)

Resource & Environment Technology (key to shipping and logistics)

Energy Technology

M&A Information

Cost Data

Electronic Medical Records

Page 4

Disturbing Trends

Integrated Nation-State & Transnational Crime

Targeting executives and their families

Franchising criminal scam sites

Using military-grade encryption to block access to corporate data

Average of 300 days from date of intrusion to date of discovery

Many breaches remain undetected for more than 1,825 days

The greater the gap the greater the impact

Nation-States and Criminal enterprises research efforts

Industrial control access

Page 5

Case History 1: Insider, Vendor, Organized Crime

Large company targeted by organized crime

Determined easiest access through third-party vendor

Social media used to monitor for vulnerable employees

Employee with sensitive access identified and agreed to sell information

Post-breach: vendor refuses to cooperate with first-party over litigation concerns

Page 6

Case History 2: Nation-State Economic Espionage

Nation-state hacking “into the computers of commercial entities … to steal information … The conspirators also stole sensitive, internal communications that would provide a competitor, or adversary in litigation, with insight into the strategy and vulnerabilities of the American entities.”

--Federal Grand Jury Indictment, Western District of Pennsylvania

Page 7

Case History 2, continued

1,700 servers at one large industrial company compromised; names and descriptions of the servers acquired. These servers controlled physical plant access and mobile device access to the networks

M&A data of these industrial companies was acquired

Many thousands of emails and attachments

Network credentials for virtually every employee of the company—more than 10,000 employees

Page 8

Case History 2, continued

Technical and design specifications

Market strategy

Cost data

Analysis of what would happen if the Nation-State and the joint-venture partner became competitors

Page 9

Case History 3: Nation-State as Economic Competitor

Nation-State launches attack against neighboring Nation-State

Attack designed as a smokescreen, political sites the apparent target

Real target a sophisticated shipping and logistics industrial company

Another Nation-State believed to sponsor the attack as part of its industrial and economic strategy for shipping and logistics advantage

Use of third-party Nation-State for plausible deniability

Page 10

Case History 4: Nation-State Economic Espionage

In a highly confidential transaction, a multi-billion dollar U.S. enterprise is preparing to close on the acquisition of a company in order to strengthen its market position

Without warning, the target company withdraws from final negotiations

Weeks later, it was learned that a Nation-State state-owned enterprise acquired the company

Conclusion is that the Nation-State hacked into either the acquiring company or the law firm engaged to structure the acquisition

Page 11

Case History 5: Transnational Organized Crime

"Liberty Reserve has emerged as one of the principal means by which cyber-criminals around the world distribute, store and launder the proceeds of their illegal activity."

--U.S. District Court for the Southern District of New York

Page 12

Case History 5, continued

Corporate Web Site Compromise

TOC Franchise Strategy

Proximity Wireless Attack

Personal Brand Compromise

Impact Analysis: Executive Displacement │ Deficient Security │ Increased Federal Scrutiny │ Possible Foreign Penetration

Third-Party Vendor Linked to Original Breach

Extortion Demand: $1MM to Deactivate Each Website (Up to 100 websites)

Page 13

Case History 6: Lone Wolf

Former IT vendor male employee in intimate relationship with female company employee

Vendor employee has access to web site code

The affair ends, broken off by company employee

Vendor ex-employee plans extortion

Develops child pornography web site and links it to ex-lover’s company web site

Typing in the company web site address redirected visitors to his site

Top 85-90 customers and partners listed on porn site, potential protracted litigation, brand concern

Page 14

U.S. Securities and Exchange Commission Cyber Breach Reporting Guidelines

In the words of former U.S. Senator John D. “Jay” Rockefeller IV:

“Investors deserve to know whether companies are effectively addressing their cyber security risks — just as investors should know whether companies are managing their financial and operational risk.

“Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cyber security efforts seriously…

“Though managing information security risk is not an exact science, it is a core responsibility shared by leaders and managers throughout all levels of a business.”

Page 15

S.E.C., continued

Registrants should disclose the risk of cyber incidents if … these issues are among the most significant factors that make an investment in the company speculative or risky

Registrants are expected to:

Evaluate cybersecurity risks

Take into account all available relevant information

Include prior cyber incidents and the severity and frequency of those incidents

Page 16

S.E.C., continued

Registrants should:

Consider the probability of cyber incidents occurring

Quantitative and qualitative magnitude of those risks

Include potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption

Consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware

Page 17

S.E.C., continued

Discuss aspects of business or operations that give rise to material cybersecurity risks and the potential costs and consequences

To the extent the registrant outsources functions that have material cybersecurity risks, describe those functions and how the registrant addresses those risks

Describe cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences

Describe risks related to cyber incidents that may remain undetected for an extended period

Describe relevant insurance coverage

Registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant!

Page 18

Board Questions

Attorney-Client Privilege

External legal representation

Is the company currently under attack?

On-call cyber attack response agreement

Level of self-insurance

Types of cyber insurance and convergence with CGL

Internet of Things, industrial controls, and potential liability

S.E.C. 10K and 8K reporting on cyber risk

What don’t we know: nation-state technology transfer

Page 19

Contact me if you want a copy of Cyber Threat! and want to be on our distribution list

MacDonnell Ulsch

Managing Director

PricewaterhouseCoopers LLP

Cybercrime & Breach Response

125 High Street, Boston, Massachusetts 02110

Telephone +1.617.530.6390 Mobile +1.617.634.9800

[email protected]

Page 20

Interactive Discussion #1:

Mechanics of a Data Breach and Initial Response—Assembling the Team

Richard (Rick) Bortnick, Traub Lieberman Straus and Shrewsberry, LLP

Maureen Kenning, Risk Management Specialist, Jack Links Beef Jerky

Allyson G. Krause, General Counsel, Promethean World, PLC

Karen P. Randall, Connell Foley, LLP

Richard Sheinis, Hall Booth Smith, P.C.

Page 21

Every Team Needs A Leader

Page 22

Attorney

Law Enforcement

C-level

IT

Page 23

Attorney

• Attorney-client privilege

• Statutory Compliance

• Manage Others On Team

Page 24

C-Level

• Must Be On Board

• Ensure Cooperation of Others Throughout The Organization

Page 25

IT

• IT Inside and Out

Page 26

Law Enforcement

• Know whom you will call

Page 27

• HR

• Customer Relations

• Public Relations

• Insurance

Page 28

Interactive Discussion #2:

Working with Forensic Experts—Determining the Extent of the Breach

Vickie B. Ahlers, Baird Holm LLP

John Jablonski, Goldberg Segalla, LLP

Darrell Switzer, Director of Incident Management, FishNet Security

Page 29

Working with Forensic Experts

• Computer Forensics

• Protecting Privileges

• The Attorney-Forensic Relationship

• Response Team Management

• Law Enforcement

• Evidence

• Communicating Results

• Protecting Against Liability

• Cost Recovery

Page 30

Interactive Discussion #3:

Dealing with the Loss of Consumer and Third-Party Financial, Health & Personal Data

Vickie B. Ahlers, Baird Holm LLP

Patricia Hilbrands, Privacy Officer, Arthrex Inc.

Susan Childers North, LeClairRyan

Page 31

State Breach Notification Laws

• 48 states (plus Puerto Rico, Wash. D.C., Virgin Islands) require notice to customers (including employees) after unauthorized access to PII/PHI

• No consistency among state laws - impossible to craft single letter to all affected

• Varying definitions of personal information and what triggers reporting

• Many require notification of State AG/State patrol (some in advance of notice to consumers)

• Timelines for response vary widely; many “without unreasonable delay”; some as short as 5 days

• Prescribed content varies from state to state

• Despite laws - how promptly is prudent?

• Forensic investigation can take significant time, and what you believe to be true on day 2 will likely be incorrect on day 7

• Disclosure to media before individual notice? (Additional scams likely to target customers)

Page 32

Federal Breach Notification - HIPAA

• Federal standard for notification of breach of “Protected Health Information”

• Any unauthorized “use” (internal) or “disclosure” (external) presumed to be a reportable breach unless 4-part risk analysis proves low probability of compromise:

  • Type of information

  • To whom was the information disclosed / by whom improperly accessed

  • Was the information actually acquired or viewed

  • Extent to which the risk to PHI has been mitigated

• Notice to individual and OCR; if over 500, notice to media outlets

Page 33

Regulatory Investigations and Enforcement

• Multiple State and Federal Agencies can/will investigate same incident

  • Office for Civil Rights if involving PHI

  • FTC – “unfair” or “deceptive” trade practices

  • State Attorneys General – State consumer protection laws; HITECH gave State AGs authority to enforce HIPAA

• Investigation considerations

  • Should you disclose prior security risk assessments highlighting risk areas (may or may not have been exploited in current breach)?

  • Should you waive the attorney-client privilege in connection with the investigation?

Page 34

Civil Lawsuits – Moving Target of Damages

• Race to the Courthouse

  • Anthem notified media Feb. 4; first lawsuit filed Feb. 6 – individuals still not personally notified of compromise

• Issues: “Standing” and “Damages”

  • Clapper v. Amnesty Int’l (Sup. Ct. 2013)

    • Threatened future identity theft insufficient

    • Possible future injury must be “certainly impending”

  • A few courts finding potential damages sufficient

  • Difficulty in proving damages caused by this breach

  • New look at damages – breach of contract; unjust enrichment

    • Resnick v. AvMed (11th Cir.)

    • In re LinkedIn Privacy Litigation

    • Suits filed against Anthem include these counts

Page 35

Interactive Discussion #4:

The Potential Consequences of Data Breach on Compromise or Infringement of Intellectual Property Including Trade Secrets

Henry M. Sneath and Kelly A. Williams

Picadio Sneath Miller & Norton, P.C.

Page 36

Types of Intellectual Property That Can Be Implicated

• Trade secrets

• Trade dress

• Patents

• Copyrights

• Trademarks

• Non-disclosure agreements

• Rights of publicity

Page 37

Trade Secrets

• Governed by state law

  • 48 states have adopted Uniform Trade Secrets Act

• Requirements:

  • information that provides an economic advantage

  • that is not already generally known, and

  • is reasonably protected and kept secret

• Types of information that can be a trade secret (very broad): Analyses; Customer & vendor lists; Drawings/designs/plans; Financial & pricing info; Forecasts; Formulas & recipes; Manuals & notebooks; Methods & procedures; Software

Page 38

Potential Causes of Action

• Misappropriation of trade secrets

• Conversion

• Unjust enrichment

• Unfair competition

• Breach of contract

• Breach of fiduciary duty

• Breach of the duty of loyalty

• Intentional interference with contract and prospective contract

• Computer Fraud and Abuse Act—18 U.S.C. § 1030

• Federal Economic Espionage Act—18 U.S.C. §§ 1831

Page 39

Computer Fraud and Abuse Act—18 U.S.C. § 1030

• Provides for civil (compensatory damages) and criminal penalties

• Multiple provisions prohibiting different types of conduct:

  • Improperly obtaining information—§ 1030(a)(2)

  • Fraudulently obtaining information—§ 1030(a)(4)

  • Causing damage or loss—§ 1030(a)(5)

  • Trafficking in passwords—§ 1030(a)(6)

  • Extortion—§ 1030(a)(7)

• Generally requires:

  • Protected computer (meaning involved in interstate commerce)

  • Accessing without authorization or by exceeding authorization

  • $5,000 or more in damages or damage to 10+ computers

Page 40

Potential Remedies

• Compensatory damages

• Punitive damages

• Royalties

• Attorneys’ fees

• Injunctive relief to prevent:

  • Disclosure

  • Further harm

  • Another’s use

  • Employment of an individual

• Criminal charges and fines

Page 41

Interactive Discussion #5:

Recovery of Damages, Indemnification Claims, Subrogation and Affirmative Use of Contractual Limitations and Remedies Provisions

Patricia Hilbrands, Privacy Officer, Arthrex Inc.

Michael Steinlage, Larson King, LLP

Nicole Hughes Waid, Roetzel & Andress

Page 42

Recovery of Damages, Indemnification and Subrogation

• Plan ahead—before you have a problem

• Pay attention to contract provisions

• Handle breach response with an eye toward third-party recoveries

Page 43

What do your vendor and supplier contracts say?

• Standards for protecting information

• Authorization/Verification of Compliance

• Indemnification

• Damage/Warranty Disclaimers

• Choice of Law

• Timing and venue for a claim

Page 44

Insurance Considerations

• Confirm coverage under your own insurance policies for loss caused by third-party vendors.

• Additional Insured Status / Certificates of Insurance

In re Deepwater Horizon, No. 13-0670 (Tex. Feb. 13, 2015) - a Cautionary Tale

Page 45

Handle Breach Response with an Eye Toward Third-Party Recoveries

• Pay attention to contract notice provisions

• Be mindful of descriptions / explanations about cause of breach

• Avoid admissions when providing notices

• Impairment of subrogation rights could jeopardize coverage

• How will costs be paid? ― Early coordination with accounting to document and assign costs

Page 46

Interactive Discussion #6:

Insurance Coverage and Working With Your Insurance Carrier. Do You Have Coverage for Defense, Damages and Reputation?

Richard (Rick) Bortnick, Traub Lieberman Straus and Shrewsberry, LLP

Karen P. Randall, Connell Foley, LLP

Michael Steinlage, Larson King, LLP

Page 47

Other Insurance & Overlapping Coverage

Liability coverage may overlap and converge with other insurance products:

• Part A of CGL Policies

• Part B of CGL Policies

• Pure Cyber & Technology Policies

• Professional Liability Policies

• Crime & Fidelity Policies

• Directors & Officers Liability Policies

• First-Party Property Policies

• Business Interruption Policies

• EPLI Policies

Page 48

Data Privacy & Security

Page 49

Cyber Liability Market

• Annual premium volume information about the U.S. Cyber Risk market is hard to come by, but in reviewing the market, we have concluded that the annual gross written premium is in the $1 Billion range (up from $800 million in last year’s report). (Betterly Report, June 2012)

• 30+ Carriers have some kind of a Cyber Liability Product

• Commonly called the next EPLI

Page 50

Coverage

• Liability side is usually written on a claims made & reported form; loss to the insured is usually written occurrence

• Packaging approach common

• Mix of first and third party coverage

• Also available as add-on coverage to other professional & some CGL policies

Page 51

Coverage

Unauthorized Access

• Access gained as the result of fraud or deception

• Authorized user for unauthorized purposes

• Introduction of fraudulent or destructive code

• The threat to initiate malware for the purpose of extorting money or other valuable consideration

• Loss of a laptop or other digital storage device

• Whether or not for profit or gain

Page 52

Coverage

Coverage should apply to:

• Potential Unauthorized Access

• Loss/improper disposal of paper records

Page 53

Coverage

“Damages”

The monetary portion of any judgment, award or settlement, expressly including punitive damages where insurable and some coverage for fines/penalties

“Claim”

A written demand for damages, service of suit, or the institution of a charge or administrative proceeding brought by a governmental authority.

Page 54

Coverage

Sublimits:

Notification Costs

Credit Monitoring

Public Relations Expenses

Forensic Costs

Extortion Costs

Reward Reimbursement

Page 55

Coverage

Loss to the Insured:

1. Reasonable costs to restore the system & data

2. Extra expense to remain functional

3. Reasonable expenses to reduce loss payments

4. Lost money, securities

5. Business interruption

Page 56

Websites

• Electronic Media Injury

• Some presented as traditional media liability, on an occurrence basis but usually claims-made or claims made & reported

• Most are written on a “named perils” basis

• Usually sold with a data security policy but can be found on a stand-alone basis

• Social Media

Page 57

Websites

Intellectual Property

• Tags

• Links or Framing

• Words and images including photos, quotes, music published in the site

Page 58

Coverage – Common Exclusions

Infringement of intellectual property/trade secret or value of proprietary information

Fraud, but look for severable & final adjudication

Employee theft of monies or securities

Cost of upgrading the system

EPLI, Pollution, Discrimination, Contractual

Page 59

Coverage

Exclusions Continued

Insured vs. Insured: what about employee data?

Page 60

Coverage

Not so common exclusions

• Failure to encrypt data (mobile devices)

• Failure to maintain or take reasonable steps to maintain security

• Coverage limited to web site and internet activities only

• Widespread virus / Spyware

• Failure to comply with PCI standards

• Wireless

Page 61

Coverage

• Territory – driven by where the claim is made or where the breach takes place?

• Subject to a deductible, SIR and/or co-pay obligations

• Cost inclusive

• Frequent use of sub-limits – especially for regulatory actions, notification expenses, credit monitoring, extortion, forensics

Page 62

Data Security & Identity Theft Coverages

Underwriting

Page 63

Underwriting

Each insurer will have its own expectation of technical controls. Furthermore, the level of control required for any given risk will vary by the size of the organization and the nature of the operations.

Page 64

Underwriting

Underwriting Considerations

Type of data processed

How much data is stored or transmitted

Basic security controls

Industry

Back up procedures for 1st party cover

History of prior incidents

Media Usage / Response Procedures

Page 65

Security Standards

The beauty of standards is that there are so many to choose from!

Page 66

Existing Security Standards

• CRAMM

• Dutch A&K Analysis

• EBIOS, ETSI, FAIR, FIRM, FMEA, FRAP, ISAMM

• ISO 27000 Series (ISO 27001:2005)

• ISO 31000 Methodology

• Open Source Approaches – OSSTMM

• PCI/DSS

• State Standards such as MA 201 CMR 17

• Other methodologies such as COBIT and OCTAVE

• And many more!

Page 67

Risk Management

Basic controls do go a long way, but there are no cookie cutters, no simple checklists

Picking a standard and randomly implementing controls is not the right approach

Compliance with industry standards doesn’t negate liability

And no system is guaranteed to be secure

Page 68

Interactive Discussion #7:

Risk Management; Best Practices; Practice Tips: The Role of Corporate Counsel in Cyber Security, Data Breach Responses and Protection of Intellectual Property (Takeaways)

Richard (Rick) Bortnick, Traub Lieberman Straus and Shrewsberry, LLP

Patricia Hilbrands, Privacy Officer, Arthrex Inc.

John J. Jablonski, Goldberg Segalla, LLP

Richard Sheinis, Hall Booth Smith, P.C.

Nicole Hughes Waid, Roetzel & Andress

Page 69

Preventative Actions & Takeaways

With the support of the CEO, CIO, upper management:

• Develop an enterprise-wide security program that encompasses:

  • Access controls

  • Data Classification

  • Data cryptography and encryption (when stored and at rest: hard drives and tapes)

  • Data backups

  • Data breach / security incident response

  • Remote access

  • Log monitoring (Security Information and Event Management)

  • Patch and Vulnerability Management

  • 3rd Party Risk Assessment (including BAAs with CloudServe and sub-contracting companies)

  • Risk Management

  • Etc.

• Implement a Security Awareness Training Program:

  • Train on data security procedures for travelling abroad

  • Train on handling sensitive information

  • Train on reporting hardware loss (laptops, mobile phones, etc.)

  • Train on how to avoid being the victim of a phishing scheme and other fraudulent hacker methods

• Conduct Annual Security Audits