Patrick Kelliher FIA CERA
Definition
Recent loss events and other examples
Data protection legislation and GDPR
Mitigation
Modelling
Conclusion
Information Security Risk:
Risk to a firm from the theft, loss or inadvertent disclosure of customer and other stakeholder data; and from breach of data protection legislation
Cyber Crime Risk:
Risk to a firm from malicious cyber attacks including theft or damage to data; theft of own and/or client assets; interruption to operations; and reputation damage
[Diagram: two overlapping circles, Information Security Risk and Cyber Crime Risk, with loss types placed as follows]
Overlap (both risks): Data Theft - Cyber; Ransomware
Information Security Risk only: Technical Breach of Data Protection Legislation (no loss event); Data Theft - Physical; Data Theft - Laptop; Loss of Data; 3rd party theft / loss / breach; Inadvertent Disclosure (website, mailing etc.); Failure to properly delete / destroy data
Cyber Crime Risk only: Impersonation; Interception of e-mail and redirection of payments; Cyber Theft of Assets e.g. Bangladesh Central Bank; DDoS; Cyber Espionage; Cyber Vandalism; Viruses; Infrastructure Attack / Cyber Warfare
Target, US Retailer, Q4 2013
◦ 70m card details stolen – had to pay banks to replace these
◦ US$291m offset by US$90m cyber insurance policy recovery
Anthem, US Health Insurer, February 2015
◦ 78m records stolen including ca. 40m legacy records
◦ Sophisticated APT attack; cost to date US$260m
TalkTalk, UK Telecoms Provider, Q4 2015
◦ 157k records stolen
◦ ICO fine of £400k = 80% of current maximum
◦ Remediation cost = £42m but also ca. £15m in indirect costs (higher churn, lower sales)
More recently: Yahoo!, Equifax etc.
Ransomware
◦ WannaCry – highlighted the need to apply patches and the risks of unsupported software
◦ NotPetya – cost both Maersk and Merck ≈ US$300m
Cyber Theft of Assets
◦ Bangladesh Central Bank $100m loss; “near miss” US$850m
◦ Interception of e-mail correspondence with clients, changing bank a/c for payments
◦ Impersonation
Cyber espionage / warfare
Distributed Denial of Service (DDoS)
Cyber vandalism and viruses
Non-cyber theft of data
◦ Theft of physical data e.g. paper records of patients
◦ Theft of laptop with data (2007: Nationwide fined ≈ £1m)
Loss of data
◦ HSBC firms fined £3.2m by the FSA in 2009 for losing pension scheme data in the post
◦ 2010: FSA fined Zurich £2.275m for losing 46,000 customers’ details in a transfer of data to a South African outsourcer
Failure to destroy data in a secure manner
Inadvertent disclosure
◦ Customers able to see others’ details on a website
◦ Mailing sensitive details to the wrong address
3rd party theft or loss
◦ 2014: 20m South Korean bank customers’ details stolen by a contractor at a credit rating agency used by the banks
Breach of data protection legislation including:
◦ Not having a legal basis (e.g. consent) to hold data;
◦ Not observing data subjects’ rights (e.g. to access data);
◦ Failure to keep records up to date;
◦ Failure to keep data safe…
◦ …or to prevent loss or damage to data (e.g. losing data due to inadequate business continuity plans); and
◦ Retaining data longer than necessary.
◦ Note: doesn’t need to be a breach / loss event – poor controls in themselves could give rise to a fine.
General Data Protection Regulation (GDPR):
◦ New EU-wide data protection regulation which effectively replaces the EU Data Protection Directive (DPD) of 1995 and related national legislation such as the UK Data Protection Act (DPA) of 1998.
◦ Seeks to update the DPD to reflect developments such as modern technology capabilities and cloud computing; and also aims for greater consistency in data protection regulation.
◦ Due to come into force in the UK from 25th May 2018, Brexit notwithstanding.
◦ Post-Brexit, GDPR may still apply in some form as UK regulations will need to offer similar protection if UK firms are to be allowed to process the data of EU citizens.
◦ 99 Articles – but most of these relate to regulation and are not directly relevant to firms.
What’s new?
◦ Data protection by design and by default (Article 25) – data protection needs to be an integral part of the design and development of business processes for products and services.
◦ Records of Processing Activities (mandatory documentation) (Article 30) adds new requirements for firms to document personal data processing, including identification of data flows, risk assessments, whether data is being transferred outside the EU, how long it should be retained etc.
◦ Notification: Article 33 requires that any material breach of personal data is communicated to regulators within 72 hours of discovery. Previously only telecoms and internet service providers had to report breaches. Article 34 requires the breach to be communicated “without undue delay” to the individuals affected if the breach poses a high risk to them.
What’s new?
◦ Data Protection Impact Assessments (DPIAs) (Article 35) – DPIAs are required where processing is likely to result in a high risk to the rights and freedoms of individuals. These would include where new technologies are being used and/or which involve sensitive data such as the person’s health. A firm will need to assess the risk to individuals and cover the security measures that will be put in place to mitigate these.
◦ Prior Consultation (Article 36) requires the Data Protection Officer to consult with the regulator prior to processing data if the DPIA highlights that processing is likely to result in a high risk to data subjects which cannot be mitigated. The firm must not process data until the regulator has given authority to proceed. Once referred, the regulator can invoke any of its investigative or corrective powers (see Article 58).
What’s new?
◦ Data Protection Officer (DPO) (Articles 37-39) – this is a new role required for organisations which process personal data extensively. The DPO will be the first point of contact for regulators on data protection issues and should aim to ensure firms comply with GDPR. While similar to a compliance officer, they also need to have some expertise in IT and data protection to ensure data risks are properly managed across the organisation. The DPO is an important new role: they should have access to adequate resources; be able to act independently; and report directly to the Board.
What’s new?
◦ New individual rights including:
Right of Erasure (Article 17) replaces the current “right to be forgotten” and gives the individual the right to request that all personal data relating to them be erased (subject to certain conditions such as the legal need to retain data).
Right to Data Portability (Article 20) – the individual has the right to receive some classes of their data in a structured, electronic, machine-readable format that can then be transferred directly to another data controller or to the data subject.
Higher Fines:
◦ Higher of 4% of global turnover or €20m for, inter alia, breach of the basic principles for processing (Articles 5-9) or individuals’ rights (Articles 12-22) – see Article 83(5);
◦ Higher of 2% of global turnover or €10m for other breaches (Article 83(4)).
◦ Fines could increase 50-fold or more, e.g. TalkTalk fine based on 80% of max 4% of turnover = £58.8m vs £0.4m
Other sanctions:
◦ Article 58(2) gives regulators a wide range of powers…
◦ …including (f) the right to impose a ban on processing, say if a DPIA indicated a high risk to individuals’ data.
◦ Possible Reverse Stress Testing scenario!
GDPR raises the bar in terms of compliance with existing data protection legislation:
◦ GDPR requires a higher quality of consent
◦ Article 22 retains existing legislation giving individuals the right not to be subject to a decision based on automated processing if it has a significant impact on them, which could have a significant impact on those using data science to profile and underwrite individuals
◦ Accuracy of records – cost of getting it wrong increases:
E.g. Prudential were fined £50,000 by the ICO in 2012, or 10% of the current maximum, when, having inaccurately merged the records of two customers with the same name, they failed to correct this when the customers highlighted it
GDPR is forcing firms to raise their game in terms of Information Security, but pressure is also coming from regulators:
“Our work in the financial sector has shown us that firms continue to struggle to get the basics right….”
April 2017 speech by Nausicaa Delfas, Executive Director (now COO) at the FCA
Firms should at a minimum comply with basic standards such as the NCSC’s 10 steps
Ensure software is up to date and patched
Create a “secure culture” within firms
Contingency planning – how do we respond?
Penetration Testing
Cyber insurance
◦ Unlikely to cover regulatory fines (?) while other items of loss (e.g. litigation) may not be covered
◦ Coverage may be invalidated if the firm does not have basic controls in place
Data: many useful studies on cyber attacks
Ponemon in particular is a valuable source of reference but has issues:
◦ Only considers breaches with < 100,000 records
◦ Need to separate out indirect losses such as lapses (covered under Insurance Risk) and lower sales (the value of which is not allowed for in Own Funds)
Likelihood
◦ Firm may experience frequent low-level attacks which could be used in modelling incidences
◦ 7-steps of cyber attack/defence could serve as a basis for a Bayesian Network or other model for the likelihood of a major attack succeeding, leading to a large loss of data
Useful to consider 7-steps of cyber attack:
◦ Reconnaissance – seeking to identify vulnerable targets
◦ Scanning – probing to identify a weak point to gain access
◦ Access and Escalation – once in, seek to gain wider access, particularly systems administrator rights
◦ Exfiltration of data – access and steal confidential data; encrypt this with ransomware, or worse, delete data
◦ Sustainment – having gained access, hackers may seek to stay in place quietly, installing malware allowing them to return
◦ Assault – hackers may seek to alter or disable hardware e.g. Stuxnet attack on Iran’s nuclear program
◦ Obfuscation – while some hackers may wish to leave a “calling card”, others may wish to cover their tracks e.g. clearing logs
Severity – bespoke assessment necessary
Exposure – need to consider:
◦ # systems, including not just those holding customer data but also staff, pensioner and other systems
◦ # records on each system, including legacy records
◦ Whether multiple systems could be breached, e.g. if hackers obtained administrator rights to systems
Impacts – these might include:
◦ Regulatory fines (post-GDPR)
◦ Section 166 reports and other consultancy costs to identify control failings and remediation required
◦ Cost of overtime and external resource to fix systems and remediate deficiencies
◦ Cost of overtime and temporary staff to re-key data and deal with backlogs (e.g. as a result of a DDoS)
◦ Replacement costs for IT assets damaged or stolen
◦ Notification costs
◦ Compensation to those affected (though perhaps ex-gratia goodwill payments should not count?)
◦ Credit monitoring of those affected to ensure they are not subject to fraud (and compensation if they are)
◦ Cost of replacing bank cards where details are stolen
◦ Litigation by those affected
◦ Complaints and FOS costs
Non-capital impacts – exclude from modelling:
◦ Reputation damage? – impact will result in lost sales (see below) and higher lapses (covered under Insurance Risk)
◦ Lost sales? – value generally excluded from Own Funds
◦ Theft of strategy plans? – could result in lost sales if a competitor exploited these, but see above
◦ Theft of IP? – typically the value, in terms of the ability to write profitable new business, is excluded from Own Funds
◦ Relations with regulators? – difficult to assess
◦ Management focus and effort? – again difficult to assess; possibly opportunities missed, or the impact on existing business of management focus on dealing with cyber attacks
…though still important to capture these!
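The modelling slides above sketch a structure (7-steps of attack for likelihood, systems and records for exposure, a list of cost items plus GDPR fines for impact, with non-capital impacts excluded) without showing it as a model. The following is an added worked example, not code from the presentation or from Crystal Risk Consulting: a small Monte Carlo frequency/severity model that follows that structure. The serial model over the attack stages, with "Access and Escalation" conditioned on patch status, is a deliberately simplified stand-in for the Bayesian Network the talk suggests; the stage probabilities, estate, cost rates, turnover, fine share and attack frequency are all constructed assumptions, and fines are treated in the same currency as the other costs (the talk quotes the floor as €20m).

```python
"""Illustrative frequency/severity model for a major data breach.

Added example, not from the presentation. Every number below is a
constructed assumption for illustration, not data from the talk or any study.
"""
import math
import random
from dataclasses import dataclass

# --- Likelihood: serial model over the talk's 7-steps of cyber attack -----
# An attempted attack must get past each stage in order; it counts as a
# major breach once it reaches Exfiltration. The later stages affect
# persistence and clean-up, not whether data is lost, so they are listed
# for completeness but not used in the loss calculation.
STAGES = ["Reconnaissance", "Scanning", "Access and Escalation",
          "Exfiltration", "Sustainment", "Assault", "Obfuscation"]

# Assumed probability that the attacker gets past each stage's controls.
# "Access and Escalation" depends on patch status: the one parent node that
# makes this a (very small) Bayesian network rather than a plain chain.
P_STAGE = {"Reconnaissance": 0.9, "Scanning": 0.6,
           "Access and Escalation": {"patched": 0.1, "unpatched": 0.4},
           "Exfiltration": 0.5}
P_PATCHED = 0.8  # assumed probability the estate is fully patched in a given attempt


def p_reach_exfiltration(patched: bool) -> float:
    """Probability that an attempted attack reaches data exfiltration."""
    p = 1.0
    for stage in STAGES[:STAGES.index("Exfiltration") + 1]:
        prob = P_STAGE[stage]
        if isinstance(prob, dict):
            prob = prob["patched" if patched else "unpatched"]
        p *= prob
    return p


# --- Exposure: number of systems and records, including legacy data -------
@dataclass(frozen=True)
class System:
    name: str
    records: int  # includes legacy records, as the talk recommends


# Constructed estate: customer, legacy and staff/pensioner systems.
SYSTEMS = (System("policy admin", 2_000_000),
           System("legacy pensions", 900_000),
           System("HR and pensioners", 15_000))
P_ADMIN_RIGHTS = 0.3  # assumed chance that escalation yields estate-wide admin rights


def records_exposed(admin_rights: bool, rng=random) -> int:
    """Records lost: every system if admin rights were obtained, else one system."""
    if admin_rights:
        return sum(s.records for s in SYSTEMS)
    return rng.choice(SYSTEMS).records


# --- Impact: capital-relevant cost items only ------------------------------
@dataclass(frozen=True)
class CostAssumptions:
    turnover: float = 1.5e9          # global turnover, same currency as costs
    fixed_remediation: float = 5e6   # s166-style reviews, overtime, IT replacement
    per_record: float = 12.0         # notification, credit monitoring, card replacement
    fine_share_of_max: float = 0.25  # assumed share of the maximum fine actually levied


def gdpr_max_fine(turnover: float, pct: float = 0.04, floor: float = 20e6) -> float:
    """Upper tier of GDPR fines: the higher of 4% of global turnover or 20m."""
    return max(pct * turnover, floor)


def loss_given_breach(n_records: int, c: CostAssumptions) -> float:
    """Lost sales, reputation and other non-capital impacts are excluded."""
    return (c.fixed_remediation + n_records * c.per_record
            + c.fine_share_of_max * gdpr_max_fine(c.turnover))


# --- Simulation -----------------------------------------------------------
def poisson(lam: float, rng: random.Random) -> int:
    """Poisson sample (Knuth's method) for the number of attempts in a year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(n_years: int, attempts_per_year: float,
                           c: CostAssumptions = CostAssumptions(),
                           seed: int = 1) -> list[float]:
    """Annual loss per simulated year; attempts_per_year stands in for the
    firm's observed frequency of low-level attacks."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        total = 0.0
        for _ in range(poisson(attempts_per_year, rng)):
            patched = rng.random() < P_PATCHED
            if rng.random() < p_reach_exfiltration(patched):
                admin = rng.random() < P_ADMIN_RIGHTS
                total += loss_given_breach(records_exposed(admin, rng), c)
        losses.append(total)
    return losses


def capital_requirement(losses: list[float], quantile: float = 0.995) -> float:
    """Economic capital as VaR at the quantile less the mean annual loss."""
    ordered = sorted(losses)
    var = ordered[min(int(quantile * len(ordered)), len(ordered) - 1)]
    return var - sum(losses) / len(losses)


if __name__ == "__main__":
    annual = simulate_annual_losses(20_000, attempts_per_year=12)
    print(f"P(breach | patched)   = {p_reach_exfiltration(True):.3f}")
    print(f"P(breach | unpatched) = {p_reach_exfiltration(False):.3f}")
    print(f"mean annual loss      = {sum(annual) / len(annual):,.0f}")
    print(f"99.5% capital         = {capital_requirement(annual):,.0f}")
```

The point of the structure is that each slide's consideration maps to a parameter a firm can actually estimate: stage probabilities from its own penetration-test and incident history, the patched/unpatched split from its patching statistics, the record counts from its data inventory (the Article 30 records of processing would give these), and the per-record and fixed costs from published breach studies with indirect losses stripped out as the Ponemon slide advises. Replacing the serial model with a fuller Bayesian Network, or the Poisson frequency with an empirical one, changes the functions but not the shape of the calculation.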
Information Security and Cyber Crime Risks give rise to many diverse sources of loss
The frequency and sophistication of cyber attacks is increasing
Regulators are raising the bar with GDPR etc.
The cost of breaches is increasing, both in terms of the impact of attacks or other incidents; and the risk of regulatory fines
The economic capital requirements of these risks could be significant
For more, including our Briefing Note on GDPR as well as our Guide to Strategy and Risk in UK Life Insurance, visit:
http://www.crystalriskconsulting.co.uk/