Patrick Kelliher FIA CERA
Contents: Definition; Recent loss events and other examples; Data protection legislation and GDPR; Mitigation; Modelling; Conclusion

Information Security Risk: risk to a firm from the theft, loss or inadvertent disclosure of customer and other stakeholder data, and from breach of data protection legislation.
Cyber Crime Risk: risk to a firm from malicious cyber attacks, including theft of or damage to data; theft of own and/or client assets; interruption to operations; and reputation damage.
Diagram (slide figure): the two risk categories overlap. Information Security Risk covers: Data Theft - Physical; Data Theft - Laptop; Failure to properly delete / destroy data; Loss of Data; Inadvertent Disclosure (website, mailing etc.); 3rd party theft / loss / breach; Technical Breach of Data Protection Legislation (no loss event). Cyber Crime Risk covers: Interception of e-mail and redirection of payments; Impersonation; Cyber Theft of Assets (e.g. Bangladesh Central Bank); DDoS; Ransomware; Cyber Espionage; Cyber Vandalism; Infrastructure Attack; Viruses; Cyber Warfare. Data Theft - Cyber sits in the overlap of the two.
Target, US Retailer, Q4 2013
◦ ca. 40m card details and up to 70m customer records stolen – had to pay banks to replace the cards
◦ Cost US$291m, offset by US$90m cyber insurance policy recovery
Anthem, US Health Insurer, February 2015
◦ 78m records stolen including ca. 40m legacy records
◦ Sophisticated APT attack; cost to date US$260m
TalkTalk, UK Telecoms Provider, Q4 2015
◦ 157k records stolen
◦ ICO fine of £400k = 80% of current maximum
◦ Remediation cost = £42m, but also ca. £15m in indirect costs (higher churn, lower sales)
More recently: Yahoo!, Equifax etc.
Ransomware
◦ WannaCry – highlighted the need to apply patches and the risks of unsupported software
◦ NotPetya – cost Maersk and Merck ≈ US$300m each
Cyber Theft of Assets
◦ Bangladesh Central Bank: US$100m loss; "near miss" of a further US$850m
◦ Interception of e-mail correspondence with clients, changing the bank a/c for payments
◦ Impersonation
Cyber espionage / warfare
Distributed Denial of Service (DDoS)
Cyber vandalism and viruses
Non-cyber theft of data
◦ Theft of physical data, e.g. paper records of patients
◦ Theft of laptop with data (2007: Nationwide fined ≈ £1m)
Loss of data
◦ HSBC firms fined £3.2m by the FSA in 2009 for losing pension scheme data in the post
◦ 2010: FSA fined Zurich £2.275m for losing 46,000 customers' details in a transfer of data to a South African outsourcer
Failure to destroy data in a secure manner
Inadvertent disclosure
◦ Customers able to see other customers' details on a website
◦ Mailing sensitive details to the wrong address
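One of the inadvertent disclosure events above, customers able to see other customers' details on a website, usually comes down to an endpoint that trusts the record identifier the browser sends and never checks it against the logged-in session. The Python below is an added illustration, not code from the presentation or from any of the firms named: the customer records, the `vulnerable_view` and `hardened_view` handlers and the `enumerate_leak` sweep are all constructed for the example. It shows the weak handler beside the corrected one and simulates the id-walking that turns the weakness into a disclosure event.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    policy_number: str


# Constructed sample data standing in for a customer database (not real people).
CUSTOMERS = {
    101: Customer(101, "A. Smith", "POL-0001"),
    102: Customer(102, "B. Jones", "POL-0002"),
    103: Customer(103, "C. Brown", "POL-0003"),
}


def vulnerable_view(session_customer_id: int, requested_id: int) -> Optional[Customer]:
    """Returns whichever record the client asked for.

    The session identity is accepted but never compared with the record, so a
    logged-in customer can change the id in the URL and read other customers'
    details: the 'customers able to see others' details' event on the slide.
    """
    return CUSTOMERS.get(requested_id)


def hardened_view(session_customer_id: int, requested_id: int) -> Optional[Customer]:
    """Authorises against the server-side session identity before returning.

    Returns None both when the record does not exist and when it belongs to
    someone else, so the caller answers 404 in either case and the endpoint
    cannot be used to confirm which ids are valid.
    """
    record = CUSTOMERS.get(requested_id)
    if record is None or record.customer_id != session_customer_id:
        return None
    return record


def enumerate_leak(view: Callable[[int, int], Optional[Customer]],
                   session_customer_id: int,
                   candidate_ids: Iterable[int]) -> List[str]:
    """Simulates the attack: walk a range of ids as one logged-in customer and
    collect every record belonging to someone else that the endpoint hands back.
    Returns the leaked policy numbers."""
    leaked = []
    for cid in candidate_ids:
        record = view(session_customer_id, cid)
        if record is not None and record.customer_id != session_customer_id:
            leaked.append(record.policy_number)
    return leaked


if __name__ == "__main__":
    ids = range(100, 110)
    print("vulnerable endpoint leaks:", enumerate_leak(vulnerable_view, 101, ids))
    print("hardened endpoint leaks:  ", enumerate_leak(hardened_view, 101, ids))
```

The fix is an ownership check on every object-level lookup, done server-side against the session rather than against anything the client supplies. A penetration test of the kind recommended later in the deck would typically find this by logging in as one customer and incrementing the identifier.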
3rd party theft or loss
◦ 2014: 20m South Korean bank customers' details stolen by a contractor at a credit rating agency used by the banks
Breach of data protection legislation, including:
◦ Not having a legal basis (e.g. consent) to hold data;
◦ Not observing data subjects' rights (e.g. to access their data);
◦ Failure to keep records up to date;
◦ Failure to keep data safe…
◦ …or to prevent loss or damage to data (e.g. losing data due to inadequate business continuity plans); and
◦ Retaining data longer than necessary.
◦ Note: this doesn't need to be a breach / loss event – poor controls in themselves could give rise to a fine.
General Data Protection Regulation (GDPR):
◦ New EU-wide data protection regulation which effectively replaces the EU Data Protection Directive (DPD) of 1995 and related national legislation such as the UK Data Protection Act (DPA) of 1998.
◦ Seeks to update the DPD to reflect developments such as modern technology capabilities and cloud computing, and also aims for greater consistency in data protection regulation.
◦ Due to come into force in the UK on 25th May 2018, Brexit notwithstanding.
◦ Post-Brexit, GDPR may still apply in some form, as UK regulations will need to offer similar protection if UK firms are to be allowed to process the data of EU citizens.
◦ 99 Articles – but most relate to regulation and are not directly relevant to firms.
What's new?
◦ Data protection by design and by default (Article 25) – data protection needs to be an integral part of the design and development of business processes for products and services.
◦ Records of Processing Activities (mandatory documentation) (Article 30) adds new requirements for firms to document personal data processing, including identification of data flows, risk assessments, whether data is being transferred outside the EU, how long it should be retained, etc.
◦ Notification: Article 33 requires that any material breach of personal data is communicated to regulators within 72 hours of discovery. Previously only telecoms and internet service providers had to report breaches. Article 34 requires the breach to be communicated "without undue delay" to the individuals affected if it poses a high risk to them.
What's new?
◦ Data Protection Impact Assessments (DPIAs) (Article 35) – DPIAs are required where processing is likely to result in a high risk to the rights and freedoms of individuals, for example where new technologies are used and/or sensitive data such as a person's health is involved. The firm will need to assess the risk to individuals and set out the security measures it will put in place to mitigate it.
◦ Prior Consultation (Article 36) requires the firm, as data controller, to consult the regulator before processing if the DPIA shows the processing is likely to result in a high risk to data subjects that cannot be mitigated. The firm should not start processing until the consultation has concluded; once referred, the regulator can invoke any of its investigative or corrective powers (see Article 58).
What's new?
◦ Data Protection Officer (DPO) (Articles 37-39) – a new role required for organisations which process personal data extensively. The DPO will be the first point of contact for regulators on data protection issues and should aim to ensure the firm complies with GDPR. While similar to a compliance officer, they also need some expertise in IT and data protection to ensure data risks are properly managed across the organisation. The DPO is an important new role: they should have access to adequate resources, be able to act independently, and report directly to the Board.
What's new?
◦ New individual rights including:
Right to Erasure (Article 17), the "right to be forgotten" – gives the individual the right to request that all personal data relating to them be erased (subject to certain conditions such as a legal need to retain the data).
Right to Data Portability (Article 20) – the individual has the right to receive some classes of their data in a structured, electronic, machine-readable format that can then be transferred directly to another data controller or to the data subject.
Higher fines:
◦ Higher of 4% of global turnover or €20m for, inter alia, breach of the basic principles for processing (Articles 5-9) or of individuals' rights (Articles 12-22) – see Article 83(5);
◦ Higher of 2% of global turnover or €10m for other breaches (Article 83(4)).
◦ Fines could increase 50-fold or more, e.g. the TalkTalk fine of £0.4m (80% of the then £0.5m maximum) would become 80% of 4% of turnover ≈ £58.8m.
Other sanctions:
◦ Article 58(2) gives regulators a wide range of powers…
◦ …including (f) the right to impose a ban on processing, say if a DPIA indicated a high risk to individuals' data.
◦ Possible Reverse Stress Testing scenario!
GDPR raises the bar in terms of compliance with existing data protection legislation:
◦ GDPR requires a higher quality of consent.
◦ Article 22 carries over from existing legislation the individual's right not to be subject to a decision based solely on automated processing where it has a significant effect on them; this could have a significant impact on firms using data science to profile and underwrite individuals.
◦ Accuracy of records – the cost of getting it wrong increases. E.g. Prudential were fined £50,000 by the ICO in 2012 (10% of the then maximum) after inaccurately merging the records of two customers with the same name and then failing to correct this when the customers pointed it out.
GDPR is forcing firms to raise their game in terms of Information Security, but pressure is also coming from regulators:
"Our work in the financial sector has shown us that firms continue to struggle to get the basics right…."
– April 2017 speech by Nausicaa Delfas, Executive Director (now COO) at the FCA
Firms should at a minimum comply with basic standards such as the NCSC's 10 Steps to Cyber Security
Ensure software is up to date and patched
Create a "secure culture" within firms
Contingency planning – how do we respond?
Penetration testing
Cyber insurance
◦ Unlikely to cover regulatory fines (?), while other items of loss (e.g. litigation) may not be covered
◦ Coverage may be invalidated if the firm does not have basic controls in place