
As an observer of the recent census debacle, what do you see as the - PowerPoint PPT Presentation



  1. Poll 1
  As an observer of the recent census debacle, what do you see as the key cause?
  A. Technology failure
  B. Use of a third party service provider
  C. The threat landscape is too huge
  D. Ignorance / hubris

  2. A Revolution in Cyber Threats?
  Greg Austin, Australian Centre for Cyber Security, UNSW Canberra; Professorial Fellow, EastWest Institute, New York
  G.Austin@adfa.edu.au | gaustin@ewi.info

  3. States: Most Dangerous, Most Capable
  • Wikileaks releases 20,000 hacked DNC emails (22/7/2016)
  • Trump "invites" Russia to hack Clinton (27/7/2016)
  • White House: "we are in the midst of a revolution of the cyber threat — one that is growing more persistent, more diverse, more frequent and more dangerous every day" (26/7/2016)

  4. PWC 2016 Global Economic Crime Report

  5. Eight Vectors of Attack

  6. Symantec 2016

  7. Threat Trend (chart: Capability against Time, with curves for Technology, Criminals, Corporates & Citizens, Gov't Policy and Police)

  8. Q&A Please submit your questions using Zeetings

  9. Poll 2
  Cyber risks are a major concern for all businesses. Where do you see the largest impact to your business from a cyber incident?
  A. Business interruption
  B. Brand & reputation
  C. Customer churn
  D. All of the above

  10. Current Cyber Risk Legal Landscape: Obligations and Opportunities...
  Scott Thiel, Partner, DLA Piper

  11. AsiaPac cyber & privacy regimes at a glance (map: Before (2011) vs At 2016)

  12. Continuing evolution of the Asian legal landscape (DLA Piper Cybertrak)

  13. Australia: Privacy Amendment (Notification of Serious Data Breaches) Bill 2015
  • Imposes a compulsory notification mechanism upon entities when a serious data breach occurs
  • A serious data breach occurs if:
    - "unauthorised access to, or unauthorised disclosure of" personal information, credit reporting information, credit eligibility information or tax file number information "will result in a real risk of serious harm to any of the individuals to whom the information relates", or any of that information "is of a kind specified in the regulations"; and
    - "there is a real risk of serious harm to the individual to whom the information relates as a result of the data breach"
  • Note: the definitions of "harm" and "real risk" are very broad and all-encompassing

  14. Current Regulatory Framework – China
  Major Mandates:
  • Combination of various laws, e.g. criminal law, civil law, tort law and the constitution, with limited legal effect
  • Decision of the Standing Committee of the National People's Congress for Enhancing the Protection of Internet-based Information
  • CIS Regulation and IT Banking Guideline
  Security Obligations:
  • Data controller must take appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction of, or damage to, personal data
  Breach Notification:
  • No general mandatory requirement, but security breach notices to authorities may be required, for example to:
    - Public Security Bureaus
    - Telecom authorities
    - China Banking Regulatory Commission

  15. Proposed cyber security laws in the PRC
  • Draft Cyber Security Law of the People's Republic of China
    - Second draft published in July 2016
    - National-level law exclusively devoted to cybersecurity and data privacy issues
    - Imposes cybersecurity obligations on network operators (incl. censorship requirements)
  • Themes: data localization; app operation regulations; content control and censorship; personal data privacy and data protection?

  16. Current Regulatory Framework – Hong Kong
  Major Mandates:
  • Personal Data (Privacy) Ordinance ("PDPO")
  • Sector-specific Codes and Guidelines
    - Hong Kong Monetary Authority (HKMA) – Supervisory Policy Manual
    - Securities and Futures Commission (SFC) – Circular to all licensed corporations on information technology management
  • Guidance for Government Agencies
  Security Obligations:
  • Data users are required by law to take all practicable steps to protect personal data
  • Where a 3rd party processor is engaged, contractual or other means are required to secure the data and limit its period of retention
  Breach Notification:
  • No mandatory requirement under the PDPO
  • Yes for authorised institutions, which must notify HKMA of major security breaches (e.g. in 2012, when HSBC was under global cyber-attack, HSBC notified HKMA and prepared a report)

  17. Current Regulatory Framework – Australia
  Major Mandates: a mix of Federal and State/Territory legislation
  • Federal laws, e.g. Privacy Act 1988 (Cth) ("Privacy Act"), Healthcare Identifiers Act 2010, Personally Controlled Electronic Health Records Act 2012, etc.
  • State and Territory laws, e.g. Information Act 2002 (Northern Territory), Privacy and Personal Information Protection Act 1998 (New South Wales), etc.
  • Sector-specific requirements
  • Prudential Standards enforced by the Australian Prudential Regulation Authority
  Security Obligations:
  • Appropriate security measures (i.e. 'take reasonable steps') to protect any personal information the entity retains from misuse and loss and from unauthorised access, modification or disclosure
  • Reasonable steps to destroy or permanently de-identify personal information once it is no longer needed for the purpose(s) for which it was collected
  Breach Notification:
  • No mandatory requirement under the Privacy Act, but note the guidance issued by the Office of the Australian Information Commissioner
  • Yes for the health sector and the finance sector

  18. Current Regulatory Framework – Singapore
  Major Mandates:
  • Computer Misuse and Cybersecurity Act
  • Technology Risk Management (TRM) Guidelines and Notice
  • Personal Data Protection Act ("PDPA"), formally enacted in January 2013
  Security Obligations:
  • Reasonable security arrangements
  Breach Notification:
  • No specific legislative requirements regarding data protection breaches
  • Financial institutions are required to notify the Monetary Authority of Singapore (MAS) of a range of serious IT security incidents and malfunctions

  19. Current Regulatory Framework – Japan
  Major Mandates:
  • The Act on the Protection of Personal Information ("APPI") and various sector-specific guidelines regarding the APPI
  • Act on the Prohibition of Unauthorized Computer Access
  • Cybersecurity Strategy and Ministry Guidelines addressing issues related to the APPI and IT measures
  Security Obligations:
  • Specific guidance set out in Ministry guidelines
  • These necessary and appropriate measures generally include 'Systematic Security Control Measures', 'Human Security Control Measures', 'Physical Security Measures' and 'Technical Security Control Measures'
  Breach Notification:
  • No general requirement under the APPI, but specific Ministry guidelines are provided for business operators

  20. Current Regulatory Framework – South Korea
  Major Mandates:
  • Act on the Protection of Information and Communications Infrastructure
  • Combination of laws – Personal Information Protection Act ("PIPA", effective 30/09/11)
  • The Act on Promotion of IC Network Utilization and Information Protection (IC Network Act)
  Security Obligations: mandatory security arrangements, e.g.
  • Establishment and implementation of an internal control plan for handling personal data in a safe way
  • Installation and operation of an access control device, such as a system for blocking intrusion, to cut off illegal access to personal data
  Breach Notification:
  • Yes, required in case of leakage, intrusion or theft of data (including health care and financial information)

  21. Current Regulatory Framework – Thailand
  Major Mandates:
  • Combination of laws – Constitution of Thailand / Thai Penal Code / Child Protection Act
  • Computer Crime Act
  • Electronic Transaction Act
  • Personal Information Protection Act (drafting)
  Security Obligations:
  • Specific businesses – maintain a level of security
  • Non-specific businesses – prevention of unauthorized access
  Breach Notification:
  • No requirement

  22. Cyber compliance as a competitive advantage

  23. General perception towards cyber security
  • 74% of US executives expressed in a survey* that the main purpose of cyber security is to reduce risk, rather than to enable growth
  • General perception: costly; complex; inefficient; hinders productivity; too difficult; "won't happen to me"
  • However... what I will tell you is that cyber security is:
    - not a "doom & gloom" matter
    - much more than an "insurance policy" in IT
    - something that helps your business grow

  24. Benefits: Competitive Advantage
  • Reassuring from a customer's point of view
    - Cyber security is often one key area customers look out for
    - This is often brought up as a matter of importance in pitches and contracts
    - Transactions often involve large amounts of customers' private data
    - Customers will not want to take unnecessary risks
  • Being cyber secure is something you can proudly advertise in your portfolio of strategic assets
  • Data analytics capability is a desirable attribute
