![Page 1: Cyber Risk and Global Security Issues: is your business ... · PDF fileIdentifying cyber risks and how they impact your business . ... Corporate impersonation and Phishing ... a government](https://reader031.vdocuments.us/reader031/viewer/2022030422/5aa934747f8b9a86188c78f3/html5/thumbnails/1.jpg)
© Copyright 2014 by K&L Gates LLP. All rights reserved.
Thursday 2 October 2014
Cyber Risk and Global Security Issues: is your business fully prepared?
klgates.com
Identifying cyber risks and how they impact your business
The Spectrum of Cyber Attacks
- Advanced Persistent Threats (“APT”)
- Cybercriminals, Exploits and Malware
- Denial of Service attacks (“DDoS”)
- Domain name hijacking
- Corporate impersonation and Phishing
- Employee mobility and disgruntled employees
- Lost or stolen laptops and mobile devices
- Inadequate security and systems: third-party vendors
The Practical Risks of Cyber Attacks
- Loss of “crown jewels,” IP and trade secrets
- Compromise of customer information, credit cards and other PII
- Loss of web presence and online business
- Interception of email and data communications
- Loss of customer funds and reimbursement of charges
- Brand tarnishment and reputational harm
- Legal and regulatory complications
Advanced Persistent Threats
- Targeted, persistent, evasive and advanced
- Nation state sponsored
- P.L.A. Unit 61398 “Comment Crew”
Advanced Persistent Threats
The head of United States Cyber Command and director of the National Security Agency, Gen. Keith B. Alexander, has said the attacks have resulted in the “greatest transfer of wealth in history.”
Source: New York Times, June 1, 2013.
Advanced Persistent Threats
The Director-General of MI5 warned that one London business suffered £800 million in losses following an attack.*
The UK’s National Security Council has judged that the four highest priority risks are currently those arising from:**
- International terrorism
- Cyber attack
- International military crises
- Major accidents or natural hazards
*Source: Cyber crime a global threat, MI5 head warns (2012) http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/9354373/Cyber-crime-a-global-threat-MI5-head-warns.html
**Source: A Strong Britain in an Age of Uncertainty: The National Security Strategy (October 2010)
Advanced Persistent Threats
A survey by anti-virus specialists Kaspersky found that cyber security measures taken by UK businesses were “woefully inadequate”
Only 25% of IT specialists thought that their company was completely protected from cyber threats - although can there ever be complete protection?
When questioned, 33% of IT managers did not know anything about the common cyber threats that have been targeting corporates
*Source: BCS – The Chartered Institute for IT – http://www.bcs.org/content/conWebDoc/49048
Advanced Persistent Threats
- Penetration: 67% of organisations admit that their current security activities are insufficient to stop a targeted attack.*
- Duration: average = 356 days**
- Discovery: external alerts; 55 percent are not even aware of intrusions*
*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”
Advanced Persistent Threats: Penetration
- Spear phishing
- Watering hole attacks, which rely on the insecurity of frequently visited websites
- Infected thumb drives
*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”
Advanced Persistent Threats
Target Profiles
Industry:
- Government
- Information Technology
- Aerospace
- Telecom/Satellite
- Energy and Infrastructure
- Engineering/Research/Defense
- Chemical/Pharma
Activities:
- Announcements of China deals
- China presence
Cybercriminals, Exploits and Malware
- 60,000 known software vulnerabilities
- 23 new zero-day exploits in 2014
Risk = threat + vulnerability
Cybercriminals, Exploits and Malware
Ransomware
- CryptoLocker
- UK Law Enforcement
Inadequate security and systems: third-party vendors
- Vendors with client data
- Vendors with password access
- Vendors with direct system integration
- Point-of-sale
Cybercriminals, Exploits and Malware
In the UK, a government report found that the cost of cyber security breaches nearly doubled in 2013.*
For large organisations the worst breaches cost between £600,000 and £1.158 million (up from £450–£850k a year ago).*
*Source: UK Government press release, 29 April 2014 https://www.gov.uk/government/news/cost-of-business-cyber-security-breaches-almost-double
Cybercriminals, Exploits and Malware
- Cost per record: $158
- Notification costs: $509,000
- Post-breach costs: $1.6M
- Business loss: $3.3M
*Source: Symantec Internet Security Threat Report 2014
Dangers of new and emerging risks
Cloud Computing Risks
- Exporting security function and control
- Geographical uncertainty creates exposure to civil and criminal legal standards
- Risk of collateral damage
Mobile Device Risks
- 52% of mobile users store sensitive files online
- 24% of mobile users store work and personal info in the same account
- 21% of mobile users share logins with families
- Mobile malware: apps
- Insufficient mobile platform security
Social Media Risks
Consumer harm and reputational damage
Example – “Peter Pan virus” phishing email (September 2014)
- The email purportedly came from a real company, BH Live, a ticketing and entertainment company based in Bournemouth
- It claimed recipients had tickets to see Peter Pan and invited them to open the attached e-tickets
- Opening the attachment may have downloaded viruses
- BH Live was inundated with phone calls from worried recipients
Protection and Risk Mitigation
WHY MITIGATE CYBER RISK?
Consequences of a cyber attack could be catastrophic. Consider:
- How long could a business that relies on internet sales survive if no one could access its website?
- What would be the impact on its sales if no one was prepared to enter their credit card details?
LEGAL CONSEQUENCES
The Data Protection Act 1998 (“DPA”) requires the data controller to implement appropriate technical and organisational security measures against unauthorised or unlawful processing, accidental loss, destruction or damage of personal data.
Regulatory penalties may be imposed on the company for breach of the DPA, including:
- Fines;
- Enforcement notices; and
- Director disqualification.
Personal data owners may claim compensation from the data controller for such breaches under the DPA.
PRACTICAL CONSEQUENCES
Equally important to companies subject to a cyber attack are the practical consequences of such an attack for the business.
- Loss of customer information, credit card details and other personal information. Data owners seek compensation from a business under the Data Protection Act, especially if the hacker cannot be identified.
- Prevention of sales. Retailers with an online presence that are subject to a Denial of Service attack lose customers to competitors. You may eventually get your site back up, but will the customer be back? This risk is heightened at times of traditionally high online sales.
PRO-ACTIVE MANAGEMENT AT BOARD LEVEL
This is not just an IT problem: board-level support is required to ensure that the necessary resources, both in time and capital, are expended.
Ensure that a cybercrime management policy is part of the company’s governance framework and that this is given the same level of attention as financial and other risk management regimes.
PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (2)
How would the board answer the following questions?
- What strategy did you have in place to prevent this cyber attack from happening?
- Who was responsible for the strategy?
- What was done in advance to limit the damage from attacks of this nature?
PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (3)
Basic information risk management will highlight potential cyber attacks, allowing a board to see what constitutes the most potent risks to the company.
Understand:
- what data you hold
- how sensitive the data is
- which systems control the management of key information
- how critical the information is to the management of the business
ENSURING INTERNET SAFETY AND NETWORK SECURITY
Methods to reduce cyber risk include:
- Mobile working – ensure that a mobile working policy is in place to ensure the security of documents away from the office.
- Control access to removable media such as memory sticks and removable hard drives and avoid their use where possible, especially with regard to storage of sensitive data. All removable data should be encrypted.
- Establish a policy on appropriate use and educate staff regarding the appropriate way to use the company’s IT systems.
- Implement an incident response plan to ensure an effective response to a cyber attack.
ENSURING INTERNET SAFETY AND NETWORK SECURITY (2)
- Create an incident management team that can carry out this process and provide it with specialist training.
- Control and limit access – only allow employees access to the information they require to carry out their roles.
- Scan all media before incorporating them into IT systems to detect any malware.
- Monitor ICT systems for unusual activity.
- Implement malware protection across all business areas and produce a policy on dealing with any malware issues.
- Install security patches.
- Implement basic security controls on networks.
- Ex-employees should immediately be denied access.
ADEQUATE TRAINING AND INTERNAL PROCEDURES
A cyber attack can take many forms, including deliberate attacks, technology issues or simple human error or negligence.
Every company has a cyber defence weak spot in its own employees.
An adequate defence system protecting a company from cyber attacks should not only have the relevant defences and policies in place, but staff must be trained on the relevant policies.
ADEQUATE TRAINING AND INTERNAL PROCEDURES (2)
- Implement staff training and clear mechanisms for staff to report concerns regarding other members of staff’s non-compliance with policies.
- Not knowing what devices are held significantly increases a company's cyber risk profile.
- Every company should draft and implement a home and mobile working policy, and train staff to adhere to it.
ONGOING MANAGEMENT
Planning and analysis of risk serves no purpose unless a company also properly implements its findings.
As cybercrime evolves over time, companies must constantly monitor the adequacy of their cyber defences and re-evaluate the threats pertinent to their business.
IMMEDIATE DAMAGE TO REPUTATION
Cyber attacks naturally affect customer confidence, especially when customer information or funds are stolen.
This is exacerbated by online communication forums that spread news of such an attack.
Crisis management costs include:
- Informing affected customers;
- PR campaigns to restore reputation;
- Management time;
- Retrieving data;
- Suspending customer access to data and websites where relevant;
- Forensic investigation of the attack; and
- Repairing cyber defences.
IMMEDIATE DAMAGE TO REPUTATION (2)
82% of the UK public would stop dealing with an organisation if their online data was breached (Unisys survey, 2011)
Brand damage may also come in the form of intellectual property infringement with fake websites or counterfeit products sold online.
IP theft can result in loss of first-to-market advantage and a consequential loss of competitive advantage.
POSSIBLE LONG TERM IMPACT ON BUSINESS STRATEGY AND FINANCIAL STABILITY
Research and development may be scaled back to preserve current financial stability or because frequent IP theft has made it unprofitable.
Businesses may shy away from exploiting the online market for fear of incurring another costly cyber attack.
A GROWING ISSUE
Consumers are becoming increasingly receptive to interacting with businesses online.
As customer interaction with online technology grows, so too does their disclosure of sensitive, personal information.
A cyber attack that results in a loss of customer information can cause huge reputational damage.
The prominence of social media and the speed at which information can be disseminated can cause reputational damage at an unprecedented speed.
Personal Data Breaches and Notifications – a U.S. Perspective
LEGAL AND REGULATORY FRAMEWORK
- Federal Privacy Laws
  - Gramm-Leach-Bliley Act
  - Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health Act (HITECH)
  - Fair Credit Reporting Act/The Fair and Accurate Credit Transactions Act
  - Federal Trade Commission Act
- State Privacy Laws/Consumer Protection Statutes: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
- SEC Cybersecurity Guidance
- NIST Cybersecurity Framework
- Payment Card Industry Data Security Standards (PCI DSS)
FEDERAL PRIVACY LAWS
Gramm-Leach-Bliley Act
U.S. financial services organisations “shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards--
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” (15 U.S.C. §6801.)
FEDERAL PRIVACY LAWS
HIPAA
“A covered entity or business associate must, in accordance with §164.306 [“Security standards: General rules”] … [i]mplement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart….” (45 C.F.R. §164.316(a).)
HITECH
“A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information … shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.” (42 U.S.C. §17932.)
FEDERAL PRIVACY LAWS
Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act
“It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilisation of such information in accordance with the requirements of this subchapter.” (15 U.S.C. §1681.)
Regulations promulgated by the FTC and other regulatory agencies require financial institutions and creditors to develop and implement written identity theft prevention programs which, among other things, detect warning signs of identity theft (16 CFR § 681.1.)
FEDERAL PRIVACY LAWS
Federal Trade Commission Act
Section 5 empowers the FTC to “prevent . . . unfair or deceptive acts or practices in or affecting commerce”:
The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a(f)(3) of this title, Federal credit unions described in section 57a(f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of Title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C.A. § 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C.A. § 227(b)], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce. (15 U.S.C.A. § 45(a)(2).)
STATE PRIVACY LAWS / CONSUMER PROTECTION LAWS
Pennsylvania: Breach of Personal Information Notification Act
“(a) General rule.--An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. … [T]he notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.” (73 P.S. § 2303(a).)
“The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation
SEC CYBERSECURITY GUIDANCE
“[A]ppropriate disclosures may include”:
- “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
- “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
- “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
- “Risks related to cyber incidents that may remain undetected for an extended period”; and
- “Description of relevant insurance coverage.”
Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/
NIST CYBERSECURITY FRAMEWORK
The NIST Cybersecurity Framework provides a common taxonomy and mechanism for organisations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.
The Framework is voluntary (for now).
NIST CYBERSECURITY FRAMEWORK
NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/
(Figure annotation: “85% of security budgets currently go here”.)
According to Gartner: by 2020, 75% of security budgets will go towards detection and response.
PCI DSS
“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.”
TRENDS—ARTICLE III STANDING—CLAPPER
TRENDS—ARTICLE III STANDING—GALARIA
TRENDS—ARTICLE III STANDING—NEIMAN MARCUS
TRENDS—ARTICLE III STANDING—SONY
TRENDS—ARTICLE III STANDING—MICHAELS STORES
TRENDS—ARTICLE III STANDING—ADOBE
TRENDS—SHAREHOLDER LITIGATION—TARGET
TRENDS—SHAREHOLDER LITIGATION—WYNDHAM
TRENDS—FTC REGULATORY ACTION—WYNDHAM
TRENDS—SEC—“THE NEW SHERIFF”
Personal Data Breaches and Notifications – a UK perspective
LEGISLATIVE REQUIREMENTS
Directive 95/46/EC transposed into UK law by the Data Protection Act 1998.
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (Part 1(7), Schedule 1 to DPA) – 7th principle.
No prescriptive requirements, unless sector specific regulation. No “one size fits all” but three principles:
1. Risk assessment – what is appropriate given the type of data? Regard to be had to the state of technology / implementation cost compared to what harm might result from a breach.
2. Reliability of employees.
3. Vet your data processors – written contracts.
Guidance from the regulator (UK Information Commissioner’s Office):
- Encryption? Data storage vs. transmission.
- International Standard 27001 / Cyber Essentials Scheme.
- Anonymisation? Data Sharing Code of Practice.
- Internal policies – IT / Internet use / data retention and destruction / data security / training.
- Processes and security protocols – staff vetting and access control.
- Disposal (CESG approved?) / decommissioning.
- Software updates (remedy vulnerabilities) / SQL injections (high risk).
- Authentication / hashing / salted hashing.
DO WE NEED TO NOTIFY THE UK ICO?
What sector are you in? PECR 2003 – notifications only compulsory for “publicly available electronic communication services” – same across all of the EU – i.e. telecoms / ISPs. 24 hours after breach detection.
Everyone else – no legal requirement, but ICO guidance. Should notify if “serious”. Overriding consideration: potential harm to individuals. Can mitigate fines vs. the danger of over-notifying.
Notify data subjects? Do they need to take steps to protect themselves?
Contractual obligation to notify? Public sector bodies may have their own requirements – health service organisations – IG Toolkit Incident Reporting Tool. Financial institutions – FCA / FMSA. Police / insurers / professional bodies / bank or credit card companies.
UK ICO ENFORCEMENT
- Make assessments (re-active or pro-active)
- Serving Information Notices / Special Information Notices
- Enforcement Notices
- Powers of entry, inspection, seizure of documents / equipment
- Fines of up to £500,000 – serious breaches: “contravention deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress but failed to take reasonable steps to prevent it”. (s.55A DPA)
- Selective enforcement / limited resources
- Individual has a direct right of action and right to compensation
- Criminal offences – failure to comply with an Information / Enforcement Notice (Directors can also be prosecuted).
ENFORCEMENT TRENDS
Leading video games provider (Jan 2013)
- Network platform subject to several DDoS (“distributed denial of service”) attacks
- Hacker accessed customer details and passwords (no cardholder information); 100 million customers thought to be affected.
- Data Controller didn’t keep up to date with technical developments.
- Didn’t deal with system vulnerabilities even though an update was available
- Didn’t use cryptographic controls for passwords
- History of attacks but still used the platform to hold vast amounts of personal data
- Didn’t react quickly enough
- Voluntarily reported (mitigating factor)
- £250,000 fine. Internal cost to Data Controller thought to be in the region of $171 million.
Booking agent for travel services (Dec 2012)
- SQL Injection attack allowed hacker to access over 1 million card payment details (half of which were active).
- Data Controller performed no penetration tests / vulnerability scans and checks, on the basis that the webserver was not external facing (but it could still be accessed over the internet by individuals with basic technical skills)
- No evidence of actual harm / fraud
- Voluntarily reported (mitigating factor)
- £150,000 fine.
APRIL – MARCH 2014
FUTURE DEVELOPMENTS
- CESG (information security arm of GCHQ) – 80% of known attacks defeated by basic security practices.
- Nov 2011 – Cyber Security Strategy produced. Set agenda for 2015. Set up National Cyber Security Programme (NCSP) with £650 million funding for four years. Falls under supervision of Cabinet Office. Published progress against objectives in Dec 2013. Most recent progress published on 10 Sep 2014.
- September 2012 – BIS issued guidance for companies.
- 5 Jun 2014 – New ISO Standard – based on ISO27000. Certification to demonstrate that industry-minimum cyber security measures adopted. From 1 October 2014, the government will require certain suppliers bidding for certain information handling contracts to be Cyber Essentials certified.
- CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents and will act as the UK central contact point for international counterparts in this field – as will be required under the upcoming European Cyber-Security Directive.
- No UK specific legislation on the horizon – but watch out for the European Data Protection Regulation and Network and Information Security Directive.
Personal Data Breaches and Notifications – a German perspective
LEGISLATIVE REQUIREMENTS
Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG).
Sect. 9 / Annex 1 to Sect. 9 BDSG requires data processors/controllers to implement adequate technical and organisational measures for data security, in particular:
1. Access control: preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access.
2. Disclosure control: ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency about which bodies data will be transferred to.
3. Input control: ensuring the possibility to trace alteration or deletion of data.
4. Job control: ensuring, in the case of commissioned data processing, compliance with the controller’s instructions.
5. Availability control: ensuring personal data is protected against accidental destruction or loss.
WHEN DO WE NEED TO NOTIFY THE DATA PROTECTION AUTHORITY (DPA) AND INFORM THE DATA SUBJECT?
General notification obligation to DPA and Data Subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG):
- Unlawful disclosure of special categories of personal data (e.g. ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy)
- Threatening serious harm to the rights or legitimate interests of data subjects
Information to DPA:
- Without undue delay
- Nature of the disclosure and possible harmful consequences
Information to Data Subject:
- Without undue delay, as soon as data is secured and criminal investigation is not endangered
- Nature of the disclosure; recommendations to minimise possible harm
ENFORCEMENT BY THE DPAS IN GERMANY
German DPAs may (Sect. 38 BDSG):
- Monitor the implementation of the BDSG and other provisions on data protection matters, including the right to request information from processors and the right to enter property and premises for inspections
- Notify data subjects in case of violation and report to prosecution authorities
- Order measures to remedy violations (e.g. prohibiting data processing)
- Raise fines up to EUR 300,000 in case of intended or negligent violation of certain provisions of the BDSG or other regulations on data protection (Sect. 43 BDSG)
ENFORCEMENT TRENDS
There still is no common code of practice among DPAs, which leads to varying practices in different German states (“Länder”).
In the past, German DPAs were not very strict in enforcing data protection laws by raising fines.
Example 1: Google Street View (2008-2010)
- Google provides panorama pictures for ‘Street View’
- While taking these pictures, surrounding WiFi data were scanned accidentally
- Competent DPA (Hamburg) raised a fine of EUR 145,000
Example 2: AOL Server Breakdown (2014)
- Server breakdown caused a leak of 500,000 user access data sets
- Stolen data was used for a spam-mail wave
- Provider did not notify the breach to the DPA but informed users
- Presumably no action by the competent DPA
NUMBERS AND TABLES
No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared.
Statement of the Federal Commissioner for Data Protection: March 2011 – October 2013: 501 notifications in total.
TelCom sector: 2012: 27 notifications; 2013: 66 notifications.
FUTURE DEVELOPMENTS
Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector.
Legislative framework:
- Draft version of a German Regulation for IT-Security
- Draft EU Regulation
Personal Data Breaches and Notifications – a French perspective
LEGISLATIVE REQUIREMENTS
Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978.
Directive 2009/136/EC “ePrivacy” implementing data breach requirements in August 2010.
“Breach of personal data” – the French definition and scope: any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure or unauthorised access to personal data processed in the context of providing electronic communication services to the public.
Data breach notifications are only required from telco operators and internet access providers: for any breach of personal data processed “by electronic communication service providers operating electronic communication networks with open public access.”
LEGISLATIVE REQUIREMENTS
Two categories of notifications
1. To the French DPA
- Within 24 hours of effective knowledge, through an electronic procedure, whatever the potential impact of the breach of personal data: notify at least the existence of the breach.
- Within 72 hours of effective knowledge, through an electronic procedure, describing the breach in detail: categories of data breached; origin, specificities and duration of the breach; security measures and patches implemented; potential impact on the privacy of the “affected parties”; spontaneous information of the “affected parties”.
LEGISLATIVE REQUIREMENTS
Two categories of notifications
2. To the “affected parties”
- If said breach is likely to breach personal data security or the privacy of a subscriber or any other individual.
- Unless the French DPA has found that appropriate protection measures have been implemented by the service provider to ensure that the personal data are made undecipherable to any unauthorised individuals and have been applied to the data affected by said breach.
- Failing this, the French DPA may serve the service provider with a formal notice to inform the “affected parties” as well, after investigating the severity of the breach.
LEGISLATIVE REQUIREMENTS
Recording of all breaches
Each provider of electronic communication services must keep and make available to the French DPA upon request an updated record of all breaches of personal data, listing the conditions, effects and measures taken as remedies.
ANALYSIS PERFORMED BY THE FRENCH DPA
The DPA has up to two months to:
- Consider the potential impacts of the breach on data security and privacy protection;
- Estimate whether security measures implemented before the breach were appropriate;
- Evaluate whether information measures taken towards the “affected parties” were sufficient.
ENFORCEMENT
The DPA may:
- Require the company (telcos and ISPs) to inform “affected parties” or the general public.
- Apply any administrative fine up to €150,000, after an adversarial public or closed procedure where the company may be assisted by its counsel.
- Publish a description of the breach on its website, or on any appropriate medium at the company’s expense.
- Publish whole or part of the ruling against the company on its website, or on any appropriate medium at the company’s expense.
ENFORCEMENT
As of now:
- 7 condemnations in 2013
- 16 between January and September 2014
- Fines between €20,000 and €150,000 (max.)
- The French DPA has systematically been publishing its rulings regarding data breaches
Next year: a draft bill will be discussed starting January 2015:
- extending data breach notification requirements to any data controller or processor, in any sector (public or private)
- providing for penalties up to €1,000,000, or 2% of global annual turnover, whichever is higher.
New Draft EU Data Protection Regulation – Mandatory Data Breach Notification
INTRODUCTION
Draft EU Data Protection Regulation COM(2012)0011 – C7-0025/2012 – 2012/0011(COD); draft version published by the Commission in 2012, adopted by the European Parliament in March 2014; shall replace the Data Protection Directive 95/46/EC.
What are the goals?
- Protection of individuals with regard to the processing of personal data
- Free movement of personal data
- Protection of the fundamental rights and freedoms of natural persons
Details: transfer of personal data to third countries or international organisations; mandatory data protection officer; role of independent supervisory authorities; co-operation and consistency; remedies, liability and sanctions.
THE “DATA BREACH” REGULATION 2013/611
- “Electronic communications service providers” must report any personal data breach to the relevant national data protection authorities and, as the case may be, to the data subjects themselves.
- The notification requirement targets Internet service providers and telco operators. Email service providers are not impacted… yet.
- The draft Privacy Regulation will extend data breach notification to any controller (expected in 2016).
- Non-compliance with the notification requirement is subject to criminal sanctions.
MANDATORY NOTIFICATION OBLIGATION – DETAILS

| | Art. 31: Notification | Art. 32: Communication |
|---|---|---|
| Who has to notify / communicate? | All data processors and commissioned data processors | All data processors |
| To whom? | Data processors to the competent DPA; commissioned data processors to the data processor | Data subject |
| Reason? | Personal data breach | Personal data breach is likely to adversely affect the protection of personal data or privacy |
| When? | Without undue delay and where feasible not later than 24 hours after having become aware of the breach | After notification to the DPA, without undue delay |
| What? | Nature and consequences of the breach, contact information, measures to mitigate possible adverse effects | Nature of the breach and measures to mitigate the possible adverse effects |
ENFORCEMENT
Competent supervisory authority may sanction administrative offences
Amount of fine shall depend on the technical and organisational measures implemented and on the collaboration with the supervisory authority
Fine can be fixed up to EUR 100,000,000 or 5 % of annual worldwide turnover, whichever is higher
Maximising insurance coverage for cyber risks
AGENDA
What do Cyber Policies Actually Cover?
    The Types of Risk Covered
    What About the Risk Associated With Vendors/Outsourcing?
    What About Paper Records?
Can We Not Simply Rely On The Coverage Provided by Existing Policies?
    Potential Coverage
    The Limitations of "Legacy" Policies
Questions for Any Insured Thinking Of Taking Out Cyber Cover
What Happens in the Event of a Claim or Investigation Which Impacts the Policy?
Conclusion And Takeaways
What do cyber policies actually cover?
THE TYPES OF RISK COVERED
Privacy And Network Security: Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured's network, and other network security threats
Regulatory Liability: Provides coverage to deal with regulators and liability arising out of administrative or regulatory investigations, proceedings, fines and penalties
Crisis Management: Provides coverage for forensics experts to determine the cause of the breach, notification of individuals whose PII may have been compromised, call centers, ID theft monitoring, PR and other crisis management activities
Media Liability: Provides coverage for liability (defense and indemnity) for claims alleging invasion of privacy, libel, slander, defamation, infringement of IP rights (not patent), and other web-based acts (e.g., improper deep-linking)
THE TYPES OF RISK COVERED
Network Interruption And Extra Expense (and CBI): Coverage for lost business income and extra expense caused by malicious code, DDoS attacks, unauthorised access to, or theft of, information, and other security threats to networks (e.g., a website goes down and orders cannot be taken)
Information Asset Coverage: Coverage for damage to or theft of the insured's own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data
Extortion: Coverage for losses resulting from extortion (payment of an extortionist's demand to prevent network loss or implementation of a threat)
Emerging Market For First-Party Property Damage
Emerging Market For Third-Party Bodily Injury and Property Damage Coverage
THE TYPES OF RISK COVERED—A TARGET INCIDENT
Defense And Indemnity For Claims
Regulatory Defense, Fines And Penalties
Crisis Management
Can we not simply rely on the coverage provided by existing policies?
POTENTIAL COVERAGE
Directors' and Officers' (D&O)
Errors and Omissions (E&O)/Professional Liability
Employment Practices Liability (EPL)
Fiduciary Liability
Crime
    Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
Property?
Commercial General Liability (CGL)?
POTENTIAL COVERAGE
Coverage B provides coverage for damages because of "personal and advertising injury"
"Personal and Advertising Injury" is defined in part as injury arising out of "[o]ral or written publication, in any manner, of material that violates a person's right of privacy"
What is a "Person's Right of Privacy"? What is a "Publication"?
LIMITATIONS OF "LEGACY" POLICIES
LIMITATIONS OF "LEGACY" POLICIES—SONY
STATE OF THE UK CYBER INSURANCE MARKET
THE CHANGING "TRADITIONAL CYBER" MARKET
Recognition of need for a specialist market
First Cyber policy: AIG 1997
Emergence of Lloyd's Syndicates in 2000s
2008 Growth - 36 Insurers writing US domiciled business
18 Insurers/MGA writing UK domiciled business
More joining, but question on capability
Move from a policy to a service proposition – but why?
Attritional loss concern
WHAT UK COMPANIES ARE CURRENTLY PURCHASING?
Data owners – retail, financial institutions
Network dependent – hospitality, retail
Those able to financially quantify a loss
Toe in the water v Catastrophic
Confusion about what to buy – security/privacy, breach, cyber business interruption
QUESTIONS FROM INSUREDS THINKING OF TAKING OUT CYBER COVER
COMMON QUESTIONS
What disclosures are required in terms of IT and Network security?
As such a new market, you cannot have had any claims?
Do the policies vary much in terms of coverage?
To what extent can we amend the policy wordings?
How much limit is available? / What limit should we purchase?
What happens in the event of a claim or investigation which impacts the policy?
THE IMPORTANCE OF PROMPT NOTICE
Notification to insurers may seem a "low agenda" item in the event of a data breach or cyber attack
BUT most cyber policies impose time restrictions regarding notification of claims or events to insurers
These can vary from a specified time limit, to "immediately" or "as soon as practicable"
Compliance with notice provisions is essential to avoid potential denials of cover
THE IMPORTANCE OF PROMPT NOTICE
Many cyber policies provide for notification of potential claims or circumstances
This can prove beneficial to the insured, as it operates as an extension of cover
It also avoids potential gaps in cover at renewal
Crystal ball gazing: a real risk of a claim or loss (not remote or fanciful)
Particular issues in the cyber context: discovery, awareness and communication
CLAIMS CO-OPERATION
Cyber policies typically impose an express obligation on the insured not (without the prior consent of the insurer) to:
    incur defence costs
    settle any claim
    make any admissions of liability
Another reason prompt notification is essential
Many policies also impose an express duty to mitigate
This reinforces the need for a pro-active approach to cyber risk
CONDUCT AND DEFENCE OF CLAIMS
Cyber policies typically provide for the insured to conduct, and to co-operate with the insurer in, the defence and management of any claim, investigation or event
BUT many policies are silent as to choice of law firm, or provide for the insurer's own panel firms
Consider reserving the right to appoint your own choice of firm, or agreeing suitable firms up front
Selection of lawyers is an important issue in the cyber context: most claims require specialist legal counsel with particular experience in this area
TAKE-AWAYS
More traditional policies are unlikely to provide sufficient cover for cyber risks
Consider the need for specific cyber insurance
Adopt a pro-active approach both to mitigating risk and to assessing the adequacy of cover
Identify suitable legal counsel at an early stage
Avoid delays in notification, which can jeopardise insurance cover
ANY QUESTIONS?