Cyber Security and Risk

Author: | Published: 5 Jul 2016
Email a friend

Please enter a maximum of 5 recipients. Use ; to separate more than one email address.

Having inadequate cyber security exposes organisations, whether private or public, to a profusion of risks. The largest cyber attacks are the subject of national headlines (Target, Bangladesh Bank, Sony, Ashley Madison and TalkTalk) with severe consequences for affected organisations. Cyber threat actors include not just the archetypal adolescent hacker, but also organised criminals, corrupt or disgruntled employees, governments, competitors, terrorists and hacktivists. The frequency, professionalism and severity of cyber attacks are also on the rise. Cyber security is now a frequent topic for boardroom and C-Suite discussions.

Cyber attacks vary and can involve the extraction and sale/publication of large volumes of personal data such as email addresses and credit card numbers; fraud by transferring money out of bank accounts; blackmail, which includes the use of ransomware or the threat of disclosing sensitive information; market abuse using stolen market-sensitive information; the theft of intellectual property, such as the stolen F-35 stealth fighter blueprints; and physical damage to critical infrastructure for military or other purposes, for example, the Stuxnet computer virus or the recent attack on the Ukrainian power grid. That said, cyber security incidents generally fall into one of four broad categories:

  • Data exfiltration, where information is removed from an organisation and sold, used for blackmail or to gain a competitive advantage.
  • Data destruction, where information is deliberately destroyed e.g. critical documents or emails, or configuration data for a critical control system.
  • Data manipulation, where data is manipulated to effect a particular outcome, such as changing the payment details of an organisation within a financial payment system to extract money, or interfering with critical infrastructure.
  • Data denial, where access to information or systems is blocked (e.g. ransomware).

Cyber security is not only about networks, passwords and firewalls. Embedding robust security processes; training; and employee awareness and behaviour throughout an organisation does much to improve an organisation's readiness for a cyber attack, as well as mitigating the potential consequences of an attack when the worst does happen. Organisations should assess their existing processes and procedures to identify their valuable assets (for example intellectual property, personal data, including sensitive personal data, financial data, commercially sensitive information, regulated information and critical infrastructure and other systems), assess the specific risks to those assets, and consider the potential effects on the business if those assets were compromised.

Organisations need to consider not only their own business critical systems, but also their position in the supply chain – which external services or companies they depend upon. Third-party contractors have previously been the weak spot in a number of cyber attacks (e.g. Target), so organisations need to undertake comprehensive due diligence regarding the cyber-readiness of their third party contractors, as well as taking steps to ensure that there is a clear contractual allocation of responsibility for preventing, mitigating and responding to cyber attacks, to engender the right behaviours throughout the supply chain. Carrying out specific cyber security due diligence in commercial procurement and M&A is becoming the norm. Ultimately, cyber security is a balancing act weighing different risks against the organisation's agreed risk appetite, and then working out which steps are proportionate and most effective to deal with the specific types of threat that exist at a given time.

Cyber risk and capital adequacy requirements

Regulated firms, and banks in particular, are expected to hold capital against significant risks. Banks will be expected to quantify the potential financial impact of a failure of cyber security.

This assessment should not be limited to the risk of malicious cyber attacks (such as the recent orchestrated attacks on the SWIFT system, affecting over a dozen banks), but must also include the operational risk of technical failure or human error.

Cyber risk is unequivocally one of the major operational risks that the banking and finance industry faces.

Whilst there is no standardised approach to valuing cyber risk, firms seeking to use a model-based approach must understand three factors: (1) the types of threats they face; (2) the firm's vulnerability to such threats; and (3) the potential consequences of those threats. This is inherently difficult for a number of reasons, including that:

  • there is only limited historic data available on the frequency and severity of cyber threats (and even estimates about the costs of historic cyber attacks vary wildly);
  • the nature of the threat is continually evolving (as is the technology used to perpetrate and defend against cyber attacks) making it difficult to predict the nature and severity of future threats;
  • some organisations lack an essential understanding of their data assets and the value of those assets; and
  • the consequences of cyber attacks aren't constrained by geographical borders and cyber attacks might have unpredictable reputational consequences.

By understanding cyber risks and taking appropriate steps to mitigate them, firms with a strong security posture put themselves in a better position when negotiating capital assessments with their regulators. Likewise, firms seeking to take out cyber insurance policies may benefit from better premiums and coverage if they can demonstrate that they have effective cyber security procedures in place.

Reporting requirements and an increased risk of fines

When the worst happens and organisations suffer a cyber attack, one of the first questions to be asked is often whether or not any notification needs to be made to the regulators.

At present, the European ePrivacy Directive requires certain organisations (essentially telecoms operators) to notify their data protection regulator if they have suffered a personal data breach. However, there is no equivalent obligation imposed upon data controllers in general by the European Data Protection Directive (which has been implemented into the UK by the Data Protection Act 1998). The Data Protection Directive only requires data controller organisations to implement appropriate technical and organisational security measures to protect personal data. It is however worth noting that the UK data protection regulator, the Information Commissioner's Office (the "ICO") has said that it expects to be notified of "serious" personal data breaches, albeit that there is no technical legal requirement for organisations to do so.

The EU's forthcoming General Data Protection Regulation (GDPR) and Network and Information Security Directive (also known as the Cyber Security Directive) will change the picture significantly.

The GDPR has now been published in the Official Journal and will apply from 25 May 2018. It introduces a new mandatory requirement for all data controllers to notify their regulatory authority of a personal data breach within 72 hours of becoming aware of it, providing the regulator with a significant amount of information about the breach at the same time. Furthermore, the GDPR provides stiff sanctions for data protection breaches. A maximum fine of up to EUR 10 million or 2% of annual worldwide turnover (whichever is greater) will be imposed for failure to notify the regulator of a personal data breach. A maximum fine of up to EUR 20 million or 4% of annual worldwide turnover (whichever is greater) can also be imposed for breaches of the fundamental requirement to implement appropriate technical and organisational security measures. This is a steep increase from the current maximum fine of £500,000 which can be levied by the ICO under the Data Protection Act 1998. For organisations in certain regulated sectors, additional fines may also apply. For example, the Financial Conduct Authority in the UK has historically issued fines in excess of £3 million in respect of data breaches.

At the time of writing, the Cyber Security Directive has yet to be finally approved by the European Parliament and published in the Official Journal. As such, we do not currently have a final date for when it will come into effect. However, the Directive will oblige certain operators of essential services (designated by member states based on criteria set out in the Directive) and digital service providers to report major security incidents to either the national competent authority (e.g. the ICO) or to a new Computer Security Incident Response Team set up by the government. As with the GDPR, the Cyber Security Directive envisages the prospect of fines for breach of its provisions, although it does not set out any detail regarding such possible fines, and refers instead to proportionate sanctions.

The FCA also takes a significant interest in cyber security incidents, having issued fines in excess of £3m for cyber related data breaches. The biggest fine so far for an IT related issue is the £42m fine levied by the FCA (and the additional £14m levied by the PRA) in respect of a software problem that led to unavailability of banking services to 6.5m customers, though the underlying cause was accidental rather than malicious.

Mandatory reporting and increased fines are intended to act as an incentive for organisations to invest more time and resources in cyber security and IT resilience. The impact of these kinds of mandatory reporting requirements will add an extra dimension to the normal internal investigation needed following a significant cyber attack, forcing organisations to communicate promptly with regulators with a view to avoiding or mitigating any regulatory fine or public censure.

The practical reality and cumulative effect of different obligations to different regulators must also be considered, particularly if the breach is multi-jurisdictional. Different regulators have different requirements (for example, the requirement of the Monetary Authority of Singapore to notify incidents within one hour), but will also often talk to each other, making it crucial that a consistent and contemporaneous account of the facts is given across the board. As a general principle, it is often best to provide the regulator with a brief and factually accurate but necessarily incomplete notification shortly after the organisation becomes aware of the potential cyber attack, informing the regulator that further updates will follow as the assessment and investigation continues. The alternative is often that the regulator's first exposure to the incident comes through media coverage or via customer complaints.

As well as any reporting obligations under legislation, often the perpetrators will have committed various criminal offences; for example, blackmail, fraud or offences under the Computer Misuse Act 1990. The victim organisation may therefore wish to report the incident to the police and/or other law enforcement authorities. In the UK, it can be useful to report any incidents to Action Fraud; the National Cyber Crime Unit and the National Computer Emergency Response Team (CERT-UK) can also provide guidance.

Cyber security and crisis management

Central to effective cyber security is a proactive attitude to managing risk and incident response planning, not just as a one-off but as a continually evolving lifecycle. Examples of the proactive steps include arranging for a third party to carry out penetration testing of critical systems, networks and applications; establishing an incident response plan and team, including representatives from all key stakeholders to make the organisation more resilient, providing for business continuity in the event of a cyber attack, improving customer and stakeholder confidence and reducing the financial impact of a cyber attack.

Another key step to mitigate the risk of a cyber attack is employee awareness and training. According to the 2015 Information Security Breaches Survey commissioned by the UK Government, three-quarters of large organisations suffered a staff-related information security breach (including through both inadvertent human error and intentional unauthorised access) in 2014/15 and nearly one-third of small organisations had a similar occurrence (up from 22% the previous year). When questioned about the single worst security breach suffered, half of all organisations attributed the cause to inadvertent human error. It is therefore important for organisations to have appropriate cyber security employee policies in place and to ensure that employees are aware of their responsibilities and obligations under such policies. Regular employee training is also a vital step in the war against cyber attacks, and cyber security needs to be embedded within the culture of an organisation from the top down. Other employee awareness initiatives could include cyber security awareness campaigns, promoting an incident reporting culture, and testing employee awareness through internally-run phishing campaigns, for example.

Should a cyber incident occur, the subsequent reactive steps fall under the wider umbrella of crisis management.

Organisations may not be the first to detect that they have been a victim of a cyber attack. If the affected organisation does so, then it is important that it is acted on quickly, with rapid escalation to senior management and the incident response team. Underestimating the impact of a cyber attack, or not acting swiftly upon it, risks needlessly exacerbating its effects. Furthermore, the public revelation in the media or in the published report of a regulator that an organisation was aware of a vulnerability or had suspicions of an imminent cyber attack, but failed to act swiftly and decisively, can be particularly damaging to its reputation. Where a third party such as an affected customer, the media, third-party security researchers, the attackers, a regulator or the police contact the organisation regarding a cyber attack, it will immediately be on the back foot and will often need to dedicate additional resources to mitigate the breach.

Early assessment of a cyber attack can be a particularly challenging process. The organisation will need to make key decisions under considerable time pressure and on the basis of incomplete information about the cyber attack. If the cyber attack appears to have been an inside-job, then it may be necessary to involve external advisors to assess the cyber attack - particularly if there are suspicions regarding the integrity of internal teams.

Containment of a cyber attack may require an organisation to shut down compromised systems to prevent further unauthorised access or loss of data. This can have major knock-on effects if customer facing systems, websites and applications are offline for a period of time. It can be important to maintain effective communication with customers during this downtime whether by e-mail, social media or conventional media.

Investigations are best managed by an in-house or external legal team in order to preserve legal privilege. In practice, the technical investigation will be carried out by in-house and external IT, security and forensic experts under the supervision of the legal team.

For regulated organisations, it will be important to consider whether notification to the appropriate regulator is necessary. Regulators, including the ICO, expect to be notified promptly, and this can cause difficulties when the precise details of a cyber incident are still under investigation. This is particularly so where it could still transpire that an incident is a false alarm.

In recent years, regulators have carried out large scale cyber security exercises in order to test the defences and incident response capabilities of significant financial institutions. In the USA, the Securities Industry and Financial Markets Association (SIFMA) conducted its Quantum Dawn 3 exercise on 16 September 2015, which involved 650 participants from more than 80 financial institutions. This involved a simulated attack on infrastructure used for the clearance and settlement process for equities. In the UK, the Bank of England carried out its Waking Shark II exercise on 12 November 2013 – the emphasis was on collaboration and communication between financial institutions, due in particular to the knock-on effects that an attack on one of them could have on others.

Andrew Moir is a partner and is Head of the Global Cyber Security Practice, Andrew Procter is a partner, Miriam Everett is a Professional Support Consultant, Nic Ruesink-Brown is a senior associate and Ben Worrall is an associate, at Herbert Smith Freehills, London.

About the author
 

Andrew Moir
Partner, Herbert Smith Freehills
Head of the Global Cyber Security Practice

T +44 20 7466 2773
andrew.moir@hsf.com

Andrew leads Herbert Smith Freehills' global cyber security practice. With a background in the electronics, IT and software engineering fields, he specialises in matters which require an understanding of technical issues.

His experience includes advising clients on cyber-readiness and resilience, incident response including dealing with regulators, notification requirements, damage limitation and breach containment, as well as cyber security in the context of transactional and projects work.

Recently recognised in the Financial Times Innovative Lawyers awards as a "rising star", whose experience has "allowed him to bridge the gap between law and technology", Andrew also has significant experience in intellectual property and confidential information matters – particularly relevant where proprietary information has been exfiltrated from an organisation as a result of a cyber incident.


About the author
 

Andrew Procter
Partner, Herbert Smith Freehills
Financial Services Regulation

+44 20 7466 7560
andrew.procter@hsf.com

Andrew is a leading global financial services regulatory expert and a highly regarded senior figure across the financial services industry around the world. He is a Herbert Smith Freehills partner in the Financial Services Regulatory practice in London.

Andrew's client work includes hundreds of regulatory investigations and the design and practical implementation of compliance and risk control programs covering a very wide range of businesses, jurisdictions and risks.

Andrew has held a number of high profile in-house and regulatory positions, most recently Global Head of Compliance, Government and Regulatory Affairs at Deutsche Bank. Prior to that he was head of the Enforcement Division at the UK Financial Services Authority, and held senior positions at the Hong Kong Securities and Futures Commission and the Australian Securities Commission.


 

The magazine

September 2018

Raising the bar

Asia is improving corporate governance. But some companies aren’t jumping at the opportunity

International briefings

Quick Poll

Is consolidation a good thing for the EU financial sector?


Women in Business Law Group

IFLR's Wibl networking group provides a platform for inclusive debate around fostering female talent in the profession.

Visit its LinkedIn page to find out more, and IFLR's awards page for details on the annual ceremonies.


close Register today to read IFLR's global coverage

Get unlimited access to IFLR.com for 7 days*, including the latest regulatory developments in the global financial sector, updated daily.

  • Deal Analysis
  • Expert Opinion
  • Best Practice

register

*all IFLR's global coverage published in the last 3 months.

Read IFLR's global coverage whenever and wherever you want for 7 days with IFLR mobile app for iPad and iPhone

"The format of the Review has changed over the years; the high quality of its substantive content has not."
Lee C Buchheit, Cleary Gottlieb

register