TRANSCRIPT
WIN In-House Counsel Day Sydney
Tuesday 22 March 2016
CYBER ATTACKS – HOW CAN IN-HOUSE LAWYERS PROTECT THEIR COMPANY AND CUSTOMERS?
PETER JONES (Partner, IT, DLA Piper)
Overview
Cybersecurity – why now?
Key actors
Examples of emerging information environments – disrupted business models, "big data" and the 'Internet of Things'
Regulatory compliance issues – some examples
Cyber resilience – risks and issues beyond strict regulatory compliance
What can be done?
22 March 2016 WIN In-House Counsel Day - Sydney 1
Macro trends
Current Threat Environment – Strategic Importance
- Diverse and evolving legal and regulatory landscape
- Exponential growth of information
- Growing protection challenge
- Corporate requirements and privacy collide
- Data and information breaches/disputes
- High cost of mistakes
Not all actors are equal
[Slide diagram. Vertical axis: DAMAGE POTENTIAL. Horizontal axis: ICT SKILLSETS REQUIRED / AVAILABLE POOL. Organisational scale: Individual, Loose aggregation, Structured organisation.]
Actors: Nation State; Hostile Non-State or Quasi-State Actor; Political Movement / Anarchist; Business Organisation; Criminal Gang / Fraudster; Prankster; Hacker
Motivation: Ideology/Self-interest; Profit/Financial advantage; Command/coercion; Ego
And not all threats are the same
Social engineering
- 'spoof' emails; VIP impersonation; phishing/spear phishing
Remote Access Tools (RATs)
Compromised computers
- bots; zombies
Watering-holes
- compromised legitimate website
DOS/DDOS
- botnets
- DDOS extortion – ACSC report
Hacktivism
Yet more "door handles"
Malware
- virus (e.g. Zeus Trojan horse); ransomware
- zero-day exploits and the grey market
- between October 2014 and January 2015, the Australian Internet Security Initiative reported over 15,000 malware compromises. Per day.
The impact of "Secondary Markets"
- The market for zero-day exploits
Data Breaches in the News
Target data breach – case study
But it will never happen to me… will it…?
Average cost paid for each lost or stolen record increased 6 percent: $145 in 2014 → $154 in 2015
8.5% increase over the period of a year
Total average cost of a data breach is now $3.8 million
Source: Ponemon Institute 2015 - Global Cost of a Data Breach
In a survey commissioned by the UK government, 90% of large organizations suffered a breach in the past year alone, compared to 80% in the previous year.
…and so what if it did?
This is an IT issue though, right?
Boards of Directors increasingly see CEOs as the ones responsible for implementing and maintaining cybersecurity procedures and protection measures.
But only 31 percent of executives were confident in their organization's cyber-security posture.
(Survey conducted by Raytheon)
General counsel listed data privacy/security as one of their top concerns.
But 60 percent said their companies still lack the proper preparation for a cyber breach.
(Recent survey by The Consero Group)
Examples of threats becoming reality – Asia-Pac
High profile examples of data breaches
- 2011 - Sony's PlayStation Network attack
- 2013 - Breach of information held by Adobe and theft of Acrobat source code
Data security is a concern in many countries in the Asia-Pacific region, e.g.:
- 2013 - Online accounts of staff and students of the University of Hong Kong have been attacked by hackers
- 2014 - PayPal flaw discovered by tests
- 2014 - BIGGEST-ever breach of private security in South Korea
Some specific statistics from Australia
Australian Signals Directorate
Responds to cyber incidents involving Australian Government networks:

CERT Australia (2014)
                            2011   2012   2013   2014
No. of incidents             313    685    940   1131
Increase on previous year    N/A   119%    37%    20%

Sector:               Energy  Fin. Services  Comms  Defence  Trans.  Others
Percentage of total:     29%            20%    12%      10%     10%     19%
Data security, privacy and confidentiality incidents are damaging
'It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.' (Warren Buffett)
Public is becoming more conscious of privacy (and has greater willingness/ability to pursue breaches)
66% compounding annualised growth rate in attacks, 42.8M in 2014 only (PWC report in 2014)
ASIC guidance and requirements
Report 429 - "Cyber resilience: Health check" – published in March 2015
ASIC noted that corporates must consider how and when a cyber attack may need to be disclosed as market-sensitive information in accordance with continuous disclosure obligations
Directors' obligations to take cyber risks into account when discharging their duties in considering risk management issues
We are seeing more active engagement of the board and senior executives in data management issues
APRA standards and practice guides
CPS 220 – Risk Management
• Submit a Risk Management Strategy to APRA
• Submit a 3-year Business Plan to APRA (& re-submit annually or if material changes)
• Submit a Risk Management Declaration & Financial Information Declaration to APRA (annually)
• Dedicated risk management function (or role)
CPG 235 – Managing Data Risk
• Assess, classify & manage data at each stage
• Adopt a systematic & formalised approach
• Staff awareness
• Auditability, desensitisation, end-user computing, outsourcing / offshoring responsibilities
• Identify and develop processes to manage potential data issues
• Test data risk management assurance programs frequently
CPG 234 – Management of Security Risk in Information and Information Technology
• Develop, implement & maintain a hierarchy of policies, standards and procedures
• Adopt a set of high-level IT security principles in order to establish a sound foundation for the IT security risk management framework
• User awareness
• Regular assessments
• Access control, asset management, physical security, monitoring and management
Although this is not an exhaustive list…
Privacy – processing of users' data
What data protection law applies?
What consent and authorizations are required?
What data can be accessed?
Transfer of personal data outside Australia
Anonymised/Pseudonymised data?
Ben Grubb takes on Telstra...
Is it just privacy?
- consumer protection
- contract
- negligence
Data Protection: Regional 'heat map'
[Slide table; the cell ratings are not recoverable from the text. Columns: Jurisdiction, DP Law?, Collection Restrictions, Transfer Restrictions, Criminal / Admin Liability, Fines / Prison?, Overall DP Risk Level. Jurisdictions covered: Australia, China, Hong Kong, Indonesia, Korea, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam.]
And the devil lurks in the detail
Data Protection in AsiaPac
Industry v Omnibus Laws
- China, Thailand, India
- Singapore/Malaysia
Direct Marketing
- Hong Kong focus
- DNC – Aus, Singapore
Regulator Powers
- Broad, HK, Sing, Malaysia
- Recommend – Philippines
- Overlapping – SK
Scope of Application of Laws
- Holistic – HK, SK, Aus, Taiwan
- Public sector exclusion – Sing, Malaysia
- Sector exemption – Philippines
Territorial Scope
- Extra-terr. approach of Sing, Malaysia
Breach Notification
- No: India, HK
- Yes: Indonesia, Taiwan, SK
Third Party Correction Obligation
- Sing and Malaysia position
Offences: max. jail terms
- HK – 5 years
- Sing – 2 years
- Malaysia – 3 years
An integrated view of cyber-risk management
Eight key questions
- Do you have a strong governance programme in place?
- Do you have an incident response plan in place? Have you tested it?
- Are you regularly reviewing, assessing and responding to the threat environment?
- Are you managing upstream and downstream risks? Have you aligned operations with commitments? What about cloud-based solutions?
- Have you addressed cyber risks in M&A transactions?
- How will you (and key partners) respond to a breach? Have you ensured required resources will be available?
- How will you manage changes in the regulatory environment (see the impact of the decision that held the Safe Harbor regime to be invalid)?
- Does your insurance provide financial cover for data breach risk?
Eight cyber-incident threat mitigations
- Appropriate IT, Personnel and Device Level policies
- Aligning operations with regulatory and contractual commitments
- Compliance training and monitoring compliance
- Strong and effective contract rights and ongoing governance of partners
- Develop and regularly test incident response plans – ensure links to critical vendors are considered
- BCP/DR plans and facilities
- Information sharing and feedback
- Cyber-insurance protection
DLA Piper tools and resources