WIN In-House Counsel Day Sydney Tuesday 22 March 2016 CYBER ATTACKS – HOW CAN IN-HOUSE LAWYERS PROTECT THEIR COMPANY AND CUSTOMERS? PETER JONES (Partner, IT, DLA Piper)


Overview

Cybersecurity – why now?

Key actors

Examples of emerging information environments – disrupted business models, "big data" and the 'Internet of Things'

Regulatory compliance issues – some examples

Cyber resilience – risks and issues beyond strict regulatory compliance

What can be done?


Macro trends


Current Threat Environment - Strategic Importance

Diverse and evolving legal and regulatory landscape

Exponential growth of information

Growing protection challenge

Corporate requirements and privacy collide

Data and information breaches/disputes

- High cost of mistakes


Not all actors are equal

[Figure labels: Damage potential; ICT skillsets required / available pool]

Actors: Nation State; Hostile Non-State or Quasi-State Actor; Political Movement; Anarchist; Business Organisation; Criminal Gang; Fraudster; Prankster; Hacker

Organisation: Individual; Loose aggregation; Structured organisation

Motivation: Ideology/Self-interest; Profit/Financial advantage; Command/coercion; Ego


And not all threats are the same

Social engineering

'spoof' emails; VIP impression; phishing/spear phishing

Remote Access Tools (RATs)

Compromised computers

'bots; zombies

Watering-holes

compromised legitimate website

DOS/DDOS

'botnets

DDOS extortion – ACSC report

Hacktivism


Yet more "door handles"

Malware

virus (e.g. Zeus Trojan horse); ransomware

zero-day exploits and the grey market

between October 2014 and January 2015, Australian Internet Security Initiative reported over 15,000 malware compromises. Per day.

The impact of "Secondary Markets"

The market for zero-day exploits


Target data breach – case study


But it will never happen to me…will it…?

Total average cost of a data breach is now $3.8 million

Average cost paid for each lost or stolen record increased 6 percent

$145 in 2014 → $154 in 2015

8.5% increase over the period of a year

Source: Ponemon Institute 2015 - Global Cost of a Data Breach

In a survey commissioned by the UK government 90% of large organizations suffered a breach in the past year alone, compared to 80% in the previous year.

…and so what if it did?


This is an IT issue though, right?

Boards of Directors increasingly see CEOs as the ones responsible for implementing and maintaining cybersecurity procedures and protection measures.

But only 31 percent of executives were confident in their organization's cyber-security posture.

Survey conducted by Raytheon

General counsel listed data privacy/security as one of their top concerns.

But 60 percent said their companies still lack the proper preparation for a cyber breach.

Recent survey by The Consero Group


Examples of threats becoming reality – Asia-Pac

High profile examples of data breaches

2011 - Sony's PlayStation Network attack

2013 - Breach of information held by Adobe and theft of Acrobat source code

Data security is a concern in many countries in the Asia-Pacific region, e.g.:

2013 - Online accounts of staff and students of the University of Hong Kong have been attacked by hackers

2014 - PayPal flaw discovered by tests

2014 - BIGGEST-ever breach of private security in South Korea


Some specific statistics from Australia

Australian Signals Directorate

Responds to cyber incidents involving Australian Government networks:

Year                        2011   2012   2013   2014
No. of incidents            313    685    940    1131
Increase on previous year   N/A    119%   37%    20%

CERT Australia (2014)

Sector                Energy   Fin. Services   Comms   Defence   Trans.   Others
Percentage of total   29%      20%             12%     10%       10%      19%


Data security, privacy and confidentiality incidents are damaging

'It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.' (Warren Buffett)

Public is becoming more conscious of privacy (and has greater willingness/ability to pursue breaches)

66% compounding annualised growth rate in attacks, 42.8M in 2014 only (PWC report in 2014)


ASIC guidance and requirements

Report 429 - "Cyber resilience: Health check" – published in March 2015

ASIC noted that corporates must consider how and when a cyber attack may need to be disclosed as market-sensitive information in accordance with continuous disclosure obligations

Directors' obligations to take cyber risks into account when discharging their duties in considering risk management issues

We are seeing more active engagement of the board and senior executives in data management issues


APRA standards and practice guides

CPS 220 – Risk Management

• Submit a Risk Management Strategy to APRA
• Submit a 3-year Business Plan to APRA (& re-submit annually or if material changes)
• Submit a Risk Management Declaration & Financial Information Declaration to APRA (annually)
• Dedicated risk management function (or role)

CPG 235 – Managing Data Risk

• Assess, classify & manage data at each stage
• Adopt a systematic & formalised approach
• Staff awareness
• Auditability, desensitisation, end-user computing, outsourcing / offshoring responsibilities
• Identify and develop processes to manage potential data issues
• Test data risk management assurance programs frequently

CPG 234 - Management of Security Risk in Information and Information Technology

• Develop, implement & maintain a hierarchy of policies, standards and procedures
• Adopt a set of high-level IT security principles in order to establish a sound foundation for the IT security risk management framework
• User awareness
• Regular assessments
• Access control, asset management, physical security, monitoring and management

Although this is not an exhaustive list…


Privacy – processing of users' data

What data protection law applies?

What consent and authorizations are required?

What data can be accessed?

Transfer of personal data outside Australia

Anonymised/Pseudonymised data?

Ben Grubb takes on Telstra...

Is it just privacy?

consumer protection

contract

negligence


Data Protection: Regional 'heat map'

[Heat map table: ratings not recoverable]

Columns: Jurisdiction; DP Law?; Collection Restrictions; Transfer Restrictions; Criminal / Admin Liability; Fines / Prison?; Overall DP Risk Level

Jurisdictions: Australia; China; Hong Kong; Indonesia; Korea; New Zealand; Philippines; Singapore; Taiwan; Thailand; Vietnam


And the devil lurks in the detail

Data Protection in AsiaPac

Industry v Omnibus Laws

- China, Thailand, India

- Singapore/Malaysia

Direct Marketing

- Hong Kong focus

- DNC – Aus, Singapore

Regulator Powers

- Broad, HK, Sing, Malaysia

- Recommend – Philippines

- Overlapping – SK

Scope of Application of Laws

- Holistic – HK, SK, Aus, Taiwan

- Public sector exclusion – Sing, Malaysia

- Sector exemption – Philippines

Territorial Scope

- Extra-terr. approach of Sing, Malaysia

Breach Notification

- No: India, HK

- Yes: Indonesia, Taiwan, SK

Third Party Correction Obligation

- Sing and Malaysia position

Offences: max. jail terms

- HK – 5 years

- Sing – 2 years

- Malaysia – 3 years


An integrated view of cyber-risk management


Eight key questions

Do you have a strong governance programme in place?

Do you have an incident response plan in place? Have you tested it?

Are you regularly reviewing, assessing and responding to the threat environment?

Are you managing upstream and downstream risks? Have you aligned operations with commitments? What about cloud-based solutions?

Have you addressed cyber risks in M&A transactions?

How will you (and key partners) respond to a breach? Have you ensured required resources will be available?

How will you manage changes in the regulatory environment (see the impact of the decision that held the Safe Harbor regime to be invalid)?

Does your insurance provide financial cover for data breach risk?


Eight cyber-incident threat mitigations

Appropriate IT, Personnel and Device Level policies

Aligning operations with regulatory and contractual commitments

Compliance training and monitoring compliance

Strong and effective contract rights and ongoing governance of partners

Develop and regularly test incident response plans – ensure links to critical vendors are considered

BCP/DR plans and facilities

Information sharing and feedback

Cyber-insurance protection


DLA Piper tools and resources
