Cyber security affects all businesses and industries, and it is now a board-level agenda item. This is the first of our e-Bulletins, which will provide a round-up of best practice, news and legislative developments concerning cyber security.
- International Chamber of Commerce launches new cyber security guide for business
- Carefirst BlueCross BlueShield data breach affects 1.1 million customers
- IBM creates cloud-based cyber security network
- The UK: Update on the EU Cyber Security Directive
- The USA (1): US agencies issue additional cyber security guidance to companies
- The USA (2): Recent legislation aimed at increasing information sharing of cyber risks
1. International Chamber of Commerce launches new cyber security guide for business
The International Chamber of Commerce has launched a cyber security guide for businesses. The guide is free to download and is the first of its kind to be issued by an international business organization. It is complemented by an online appendix of resources which provides more specific advice, including on standards of practice and technical standards, and other resources and contacts which will be added to over time.
The guide, informed by global cyber security guidelines and national strategies, is intended to help companies of all sizes to manage their approach to cyber security and mitigate threats posed by cybercrime.
The guide advocates using a risk management process to improve a business's cyber security. Key features include a security self-assessment questionnaire, a set of five principles for reducing cyber-related risk and a checklist of six essential steps every company should be taking to maintain a high calibre of information security.
2. Carefirst BlueCross BlueShield data breach affects 1.1 million customers
On May 20, 2015, Carefirst BlueCross BlueShield revealed that it was the target of a data breach that was initially discovered in June 2014. Following the Anthem and Premera breaches, which affected 90 million consumers, this is the third data breach involving a healthcare insurer to be disclosed in 2015.
Although the breach was discovered almost a year ago, Carefirst believed that its actions at the time were sufficient to contain the attack and prevent further access. The full extent of the attack was not discovered until April 2015, when the company hired Mandiant, a security firm, to perform a security audit in light of the Anthem and Premera breaches.
The targeted database contained information concerning the names, birth dates, email addresses and subscriber identification numbers of 1.1 million current and former customers. Fortunately, the database did not include any credit card information, financial data, Social Security numbers or medical information.
However, according to experts, the stolen information is still sufficient to put customers at risk of "phishing" attempts or other fraud. In response, Carefirst is offering affected members credit monitoring and identity theft protection for two years.
3. IBM creates cloud-based cyber security network
According to IBM, over 1,000 companies – including several of the world's largest banks and retailers – have joined its new cyber threat data sharing project, dubbed X-Force Exchange. The cloud-based cyber security network contains terabytes of information on cyber security threats and allows participants to anonymously share information about hacking attempts and to access IBM's accumulated data.
The arrival of X-Force Exchange reflects a broader push towards greater data sharing and collaboration among companies, as well as government agencies, to combat cyber security threats. For example, in February, US President Obama signed an Executive Order entitled "Promoting Private Sector Cybersecurity Information Sharing." But antitrust, customer liability, and privacy concerns have hampered those efforts and led to calls by IBM and others for legislation, such as the bills described below, to facilitate cyber security data sharing among companies.
4. The UK: Update on the EU Cyber Security Directive
The Bank of England has published a note produced by the UK Department for Business, Innovation and Skills on the progress of the proposed EU Directive on Network and Information Security.
In February 2013, the European Commission published its proposed Directive (known as the Cyber Security Directive) with the aim of putting measures in place to ensure a high level of network and information security across the EU. However, almost two and a half years later, the Directive is still being negotiated between the various EU institutions.
One key area of debate still being discussed is the scope of the Directive. The European Commission believes that digital services such as search engines and social media websites should be included within the scope of the Directive, whereas the European Parliament would like to see them excluded, and the Council remains undecided. Any organisations covered by the Directive would be required to notify local government agencies in the event of a cyber incident that had an impact on their core services.
According to the published note, it is possible that negotiations on the Directive will not be concluded until autumn. Member States would then have two and a half years to implement the requirements into national law.
5. The USA (1): US agencies issue additional cyber security guidance to companies
Both the US Department of Justice ("DOJ") and the US Securities and Exchange Commission ("SEC") recently issued additional guidance to private organisations regarding mitigation of cyber security risks.
The DOJ's "Cybersecurity Unit" issued a 15-page guide suggesting "best practices" for victims and potential victims of cyber security breaches "to assist organisations in preparing a cyber incident response plan and, more generally, in preparing to respond to a cyber incident." The guide – which reflects "lessons learned" by federal prosecutors handling cyber investigations, as well as input from the private sector – describes a number of suggested practices, such as:
- Identifying mission critical data (the "Crown Jewels") and instituting tiered security measures;
- Creating an actionable incident response plan;
- Collecting and preserving data related to cyber incidents; and
- Avoiding the use of compromised systems to communicate during an ongoing intrusion.
The guide also emphasises the importance of engaging qualified legal counsel before a cyber incident occurs, noting that an "organisation faced with decisions about how it interacts with government agents, the types of preventative technologies it can lawfully use, its obligation to report the loss of customer information, and its potential liability for taking specific remedial measures (or failing to do so) will benefit from obtaining legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws."
The SEC's Division of Investment Management separately issued a cyber security guidance update specifically addressed to registered investment companies and advisors. The guidance highlights the need for funds and advisors to review their cyber security procedures and discusses measures that funds and advisors may wish to consider when addressing cyber security risks, such as conducting periodic assessments of vulnerabilities and implementing a strategy designed to prevent, detect, and respond to cyber security threats through written policies and training.
The DOJ's and SEC's suggestions are not only helpful, but may also become de facto standards, considered by judges, juries and regulators when determining whether an organisation acted reasonably or unreasonably in managing its cyber security risks and, consequently, whether to impose legal or regulatory liability following a data breach.
6. The USA (2): Recent legislation aimed at increasing information sharing of cyber risks
On April 22 and 23, 2015, the House of Representatives passed the Protecting Cyber Networks Act ("PCNA") and the National Cybersecurity Protection Advancement Act ("NCPAA"). The complementary bills are aimed at encouraging companies to share cyber threat and risk information with the government. Both bills also include provisions to protect against the disclosure of confidential information and government surveillance of individuals.
Despite these safeguards, opponents of the bills are concerned about the degree of access the government will have to personal information. The PCNA, in particular, has drawn the attention of civil rights groups, such as the ACLU, who believe that the bill will significantly increase government access to individual information and allow the use of such information for purposes unrelated to cyber security.
The two bills are expected to be consolidated before they are brought before the Senate for review. They will be considered alongside the Senate's own version of an information sharing bill, the Cybersecurity Information Sharing Act ("CISA").