Cyber security affects all businesses and industries and is a Board-level agenda item.
Our quarterly eBulletin provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA.
- EU Cyber Security Directive agreed
- EU General Data Protection Regulation agreed
- UK doubles cybercrime funding
- Morrisons sued by employees for cyber security breach
- Whaling is the new Phishing
- TalkTalk UK data breach estimated to cost the company up to £35 million
- Vtech data breach compromises 6.4 million children's accounts
- Update on the UK cyber insurance market
- French National Agency for Information Systems Security sends cyber security referral agents to the French regions
- HKMA urges management of authorised institutions to get on top of cyber risk management
- Monetary Authority of Singapore issues Circulars on Cyber Security
- China begins drafting guidelines on cyber security review related to information technology products
- New proposal for mandatory reporting of data breaches in Australia
- Veda publishes 2015 "Cybercrime and Fraud Report"
- Ransomware the fastest growing form of computer malware in Australia
- US enacts new cyber legislation aimed at encouraging businesses to share more data with US authorities
- Judge's ruling limits authority of US Federal Trade Commission in data breach cases
- Closely-watched dispute between Microsoft and US Government over customer emails remains pending on appeal
- T-Mobile/Experian hack highlights difficulties of dealing with a third party cyber security breach
EU Cyber Security Directive agreed
The European Parliament, Council of the EU and European Commission have reached an agreement on the first EU-wide legislation on cyber security – the Network and Information Security Directive.
Although the final text of the Directive has yet to be released, as part of the Directive Member States will be required to adopt a national 'NIS strategy' which will define strategic objectives and appropriate policy and regulatory measures in relation to cyber security. Member States will also be required to designate a national competent authority for the implementation and enforcement of the Directive, as well as Computer Security Incident Response Teams responsible for handling incidents and risks and to promote swift and effective operational cooperation on specific cyber security incidents and sharing information about risks.
Critically for organisations, the Directive will require certain "operators of essential services" to adopt risk management practices and report major security incidents on their core services to the appropriate national authority. The original text of the Directive defined these operators broadly to include information service providers – internet payment gateways, social networks, search engines, cloud computing providers and app stores – and operators of critical infrastructure, such as electricity and gas suppliers, operators of oil and natural gas, air carriers, maritime carriers, railways, airports and ports, traffic management operators, banks, financial market infrastructure and health care providers. However, the final agreement between the European institutions provides that Member States will identify the operators in their jurisdiction to fall within the scope of the Directive, based on clear criteria laid down in the text. Digital service platforms will be subject to different requirements from those applicable to operators of essential services. However, the details of these requirements and the criteria for operators of essential services have not yet been published.
The text of the Directive will now have to be formally approved by the European Parliament and the Council. After that it will be published in the EU Official Journal and will officially enter into force. Member States will then have 21 months to implement the Directive into their national laws and six further months to identify operators of essential services in their jurisdiction.
EU General Data Protection Regulation agreed
After almost four years of debate, the European Commission, Parliament and Council have finally reached political agreement on the proposed General Data Protection Regulation (the "GDPR"). The final text of the GDPR will now need to be formally approved by the European Parliament and the Council at the beginning of 2016. There will then be a two year implementation period before the GDPR comes into effect, meaning that organisations should expect the new rules to apply from sometime in 2018.
The final text of the GDPR has not yet been released. However, it is expected to impose mandatory data breach notification requirements for all data controller organisations in the EU. It has also been reported that fines under the GDPR will be increased from the current maximum of £500,000 in the UK to up to 4% of global annual turnover.
For further information, please see our eBulletin, available here.
UK doubles cybercrime funding
The UK Chancellor George Osborne has announced that the UK is going to double its funding to fight cybercrime to £1.9 billion a year by 2020.
In a speech given by the Chancellor on 17 November 2015 at GCHQ in Cheltenham, he confirmed that the increased budget for cyber security defence would support a national cyber plan. As part of that plan, the Chancellor announced the establishment of a single National Cyber Centre (the "Centre") in 2016, which will report to the Director of GCHQ.
The Centre will be a unified source of advice and support for the economy, replacing the current array of bodies with a single point of contact. According to Mr Osborne, the Centre will make it easier for industry to get the support it needs from Government, and make it easier for Government and industry to share information on the cyber threat to protect the UK. Reporting to GCHQ will also mean that the Centre can draw on the necessarily secret expertise within that organisation.
Other parts of the UK's national cyber plan include the establishment of an Institute for Coding to enable training of the nation’s next generation of coders, increased investment in the National Cyber Crime Unit, and apprenticeships for cyber-security specialists.
Morrisons sued by employees for cyber security breach
In what is believed to be Britain’s biggest ever claim in relation to a breach of data, Morrisons supermarket is being sued by more than 2,000 employees after some of their personal and financial details were posted online.
In July 2015, Andrew Skelton (a former Morrisons employee) was jailed for eight years after he was found guilty of stealing and illegally sharing the bank, salary and national insurance details of almost 10,000 of his former colleagues with news outlets and data sharing websites.
The data breach, which happened in 2014, has reportedly already cost the company more than £2 million to rectify. And now, more than 2,000 Morrisons staff are pursuing a group litigation order against the supermarket group, arguing Morrisons should have done more to protect their data.
The court has given the case a four-month waiting period from October 2015, for other Morrisons staff to join the group claim.
Whaling is the new Phishing
According to a BBC article, there has been a rise in the number of "spear phishing" or "whaling" CEO/CFO fraud emails being perpetrated against organisations in the UK.
Organisations are suffering these types of attacks where, for example, the attacker spoofs the CEO's address and emails the CFO, or other person with financial authority, and requests urgent payment to a new account. These types of attacks are also known as BEC (Business Email Compromise) attacks and have been around for a while, but in the last few months an increase in activity has been noted across all sectors.
Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, it has compiled statistics on more than 7,000 US companies that have been victimised, with total dollar losses exceeding $740 million.
In the UK, IT security firm NCC Group announced in October 2015 that it had also been targeted by whaling fraud. In its blog, the NCC Group described an attempted whaling fraud incident which took place in September 2015. Although the attempted fraud was caught by the organisation's internal controls, the security firm noted the following interesting aspects of the case:
- The attempt appeared to be a purely financially-motivated phishing attempt.
- The domain nccgrrouptrust.com (with an extra "r") had been registered, whereas NCC Group's actual domain is nccgroup.trust, showing the obviously targeted nature of the attempt.
- The domain was registered on the day of use and used that morning - very quickly.
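A defender-side check for the lookalike-domain signal described above, as an added example that is not from the bulletin or from NCC Group: it classifies inbound From addresses by edit distance between the sender's domain and the organisation's own, comparing dotless forms with and without the final label so that a TLD folded into the name (nccgroup.trust versus nccgrrouptrust.com) still matches. The domain list, sample headers and threshold are constructed assumptions.

```python
"""Flag inbound mail whose sender domain is a lookalike of our own domain.

Added example; the legitimate domain set, the headers and the distance
threshold below are constructed for illustration.
"""
import re
from typing import Iterable, Set, List, Tuple

# Constructed assumption: the organisation's legitimate sending domain(s).
OUR_DOMAINS = {"nccgroup.trust"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _variants(domain: str) -> Set[str]:
    """Dotless forms of a domain, with and without its last label, so that a
    TLD folded into the second-level label (nccgroup.trust -> nccgrrouptrust.com)
    is compared against the same base string."""
    labels = domain.lower().strip(".").split(".")
    forms = {"".join(labels)}
    if len(labels) > 1:
        forms.add("".join(labels[:-1]))
    return forms


def lookalike_distance(candidate: str, ours: str) -> int:
    """Smallest edit distance between any variant of the two domains."""
    return min(levenshtein(c, o)
               for c in _variants(candidate) for o in _variants(ours))


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header value ("" if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(from_header: str,
                    our_domains: Iterable[str] = OUR_DOMAINS,
                    max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike', 'external' or 'unparseable'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    ours = {d.lower() for d in our_domains}
    if domain in ours:
        return "internal"
    for own in ours:
        # Short domains sit within a small distance of many strings, so only
        # treat a near-miss as a lookalike when the candidate is long enough.
        if len(domain) >= 8 and lookalike_distance(domain, own) <= max_distance:
            return "lookalike"
    return "external"


# Constructed sample headers, modelled on the extra-"r" domain from the case.
CONSTRUCTED_HEADERS = [
    "Chief Executive <ceo@nccgroup.trust>",
    "Chief Executive <ceo@nccgrrouptrust.com>",
    "Accounts <accounts@nccgroup-trust.com>",
    "Newsletter <news@example.com>",
]


def scan(headers: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify each header; a finance team would review the 'lookalike' hits."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan(CONSTRUCTED_HEADERS):
        print(f"{verdict:10s} {header}")
```

In production the same check belongs in the mail gateway, combined with the domain-age signal the case also notes (a domain registered the day it is used), which here would come from a registration lookup rather than the header alone.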
TalkTalk UK data breach estimated to cost the company up to £35 million
In October 2015, telecommunications company TalkTalk suffered a "significant and sustained" cyber attack. At the time, the company said that it did not know how many of its customers had been affected, leading to speculation that financial data of up to four million customers could have been compromised. However, following an investigation, the company was able to confirm that a much smaller number (157,000) of its customers' personal details had been accessed. For 15,656 of these customers, bank account numbers and sort codes were accessed.
Following the investigation, Dido Harding, the Chief Executive of the group, told the BBC that "the estimated one-off costs [of the attack] are between £30 million and £35 million - that's covering the response to the incident, the incremental calls into our call centres, obviously the additional IT and technology costs, and then the fact that over the last three weeks until yesterday our online sales sites have been down, so there will be lost revenue as a result".
In response to the cyber attack, TalkTalk has offered its customers the following:
- Free credit monitoring for 12 months.
- Free upgrade: the type of upgrade offered depends on the kind of package customers already had.
- Free contract termination: TalkTalk will waive contract termination fees in limited circumstances, being where: (i) the customer has had money taken from his/her account without consent and has incurred a financial loss as a result; (ii) the money was taken on or after the 21st October 2015; and (iii) the customer has contacted Action Fraud and obtained a Crime Reference Number.
This highlights that companies that suffer data breaches may need to take steps to preserve goodwill with their customers, and incur costs in so doing.
Vtech data breach compromises 6.4 million children's accounts
In November 2015, Vtech, a company which specialises in electronic toys and educational material for children, suffered a data breach. According to the Vtech website, an unauthorised party accessed Vtech customer data on the company's Learning Lodge app store customer database and Kid Connect servers. Learning Lodge allows Vtech customers to download apps, learning games, e-books and other educational content to their Vtech products. Kid Connect is an app that allows children and parents to exchange voice and text messages, photos, drawings and fun stickers between Vtech tablets, DigiGo and parents’ smartphones.
The compromised data included parent account information such as name, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted password. Children's profiles were also compromised, including name, gender and date of birth. However, no credit card information or personal identification data (such as ID card numbers, Social Security numbers or driving licence numbers) was included in the customer data.
In total 6.4 million children's accounts were affected and 4.8 million parental accounts were accessed. The majority of customers affected were in the USA, followed by France and the United Kingdom.
In response to the attack, Vtech temporarily suspended the Learning Lodge website, Kid Connect and a number of other sites.
This example illustrates the breadth of companies and sectors that are subject to cyber threats. Any company is potentially at risk, particularly where there is personal data involved.
Update on the UK cyber insurance market
The development of standalone cyber insurance policies continues apace in the London market. Uptake of cyber insurance products is increasing in the UK and that trend may well gather further pace given the frequency of reported cyber incidents in the media and the impending approval of the final text of the General Data Protection Regulation. Policy wordings for standalone cyber insurance policies vary to a greater degree than for other classes of business, mainly due to rapid changes in the risk environment and the relative infancy of the London market. This provides opportunities for innovation.
Lloyd’s of London recently launched its first ever Innovation Awards and notably two of the three awards related to cyber insurance. In particular, recognition was given to the development of a new product by Tokio Marine Kiln covering reputational damage (based on loss of income) following cyber breach events that appear in the media. Reputational damage is, of course, one of the main cyber security risks faced by large organisations – as incidents such as the recent TalkTalk and Ashley Madison breaches show – whereas many standalone cyber insurance policies limit cover for reputational damage to the costs of employing a PR firm in the aftermath of an incident.
But innovation and change may come at a price. Most of the main risks can now be insured against subject to financial limits. However, in addition to considering the heads, limits and price of cover, the terms of cover must also be carefully scrutinised and negotiated as appropriate, including not least sub-limits, exclusions and claims conditions; and the lack of uniformity in wordings will inevitably generate fertile ground for future coverage disputes.
French National Agency for Information Systems Security sends cyber security referral agents to the French regions
As part of the National Cybersecurity Plan launched by the French Government in June 2015, the French National Agency for Information Systems Security ("ANSSI") began sending cyber security referral agents into the French regions in December 2015.
These cyber security referral agents will work in synergy with existing local structures and public authorities to reinforce cyber security at a local level. They will also target prevention of cyber security issues and raise awareness of cyber security good practice amongst local public authorities and private stakeholders, in order to support the local economy and protect SMEs and individuals.
For further information, please click here.
HKMA urges management of authorised institutions to get on top of cyber risk management
In a circular issued on 15 September 2015 entitled "Cyber Security Risk Management", the Hong Kong Monetary Authority ("HKMA") has made clear its expectations that the board and senior management of authorised institutions ("AIs") strengthen their oversight of AIs' cyber security controls.
Cyber security refers to the ability to protect or defend against cyber attacks, which are attacks that target an institution’s IT systems and networks with an aim to disrupt, disable, destroy or maliciously control an IT system / network, to destroy the integrity of the institution’s data, or to steal information from it.
The HKMA is of the view that conventional risk management philosophies and controls currently practised by AIs might need to be adjusted or enhanced to address cyber risks. It expects the board and senior management of AIs to strengthen their oversight in at least the following areas:
- risk ownership and management accountability;
- periodic evaluations and monitoring of cyber security controls;
- industry collaboration and contingency planning; and
- regular independent assessment and tests.
The HKMA expects concrete progress to be evidenced in the remaining meeting(s) of the board in 2015 or otherwise in early 2016. In particular, the AIs’ cyber security controls should be evaluated against the credible benchmarks endorsed by the board. Specific deliverables will be requested by HKMA to be submitted in order to assess the output or progress of work.
Please click here to read our eBulletin on the circular.
Monetary Authority of Singapore issues Circulars on Cyber Security
The Monetary Authority of Singapore ("MAS") has recently issued two circulars to Financial Institutions ("FI") supervised by MAS focusing on cyber security related issues. The first circular concerned technical and internal control processes FIs should implement to enable the early detection of cyber intrusions, while the second outlined the expectation of MAS that FIs should put in place technology risk and cyber security training programmes for Board members and senior management.
The MAS circulars are further evidence of the increasing focus of regulators across sectors in the South East Asia region on cyber security for organisations and on the responsibility of boards and senior management for oversight of this business critical area.
For further information, please click here to view our eBulletin on the circulars.
China begins drafting guidelines on cyber security review related to information technology products
A set of guidelines, entitled the "Information Technology Products Cybersecurity Review Technical Implementation Rules" (the "Guidelines"), is currently being drafted by China's Ministry of Public Security and Ministry of Industry and Information Technology. The Guidelines are expected to act as a code of practice for companies in relation to how to carry out both procedural and technical reviews, in accordance with recent and upcoming legislation, for example, China's National Security Law and the Cyber Security Law.
It has been reported that the Guidelines are one of 40 ongoing projects in China related to cyber security, as China seeks to step up legislative efforts to enhance cyber security. Besides examining the scope of cyber security review to be undertaken by companies, the Guidelines also seek to provide guidance on risk assessments relating to an organisation's "core" technology. It is anticipated that the Guidelines will address issues and risks relating to organisations which are dependent upon foreign technology not owned by China.
Drafting of the Guidelines has already commenced. Although it usually takes two to three years to draft this type of guidance in China, it is possible that the drafting process could be reduced to just one year with sufficient government impetus to get the Guidelines agreed.
New proposal for mandatory reporting of data breaches in Australia
The Australian Federal Government has released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015. The Bill is designed to add a new data breach notification regime to the Privacy Act 1988 (Cth).
The Bill will require organisations to notify "serious data breaches" to affected individuals and the Australian Information Commissioner. This mandatory reporting scheme will not be limited to telecommunications service providers. It will apply to all entities who are bound by the Privacy Act, namely Federal Government agencies, private sector organisations with an annual turnover above AU$3 million (and their related companies) and some others. This will represent a new compliance obligation for business and the changes would need to be considered and planned for when handling data security incidents.
The Government has invited public submissions on the proposed Bill which must be received by 4 March 2016.
Please click here to read our eBulletin on the proposed Bill.
Veda publishes 2015 "Cybercrime and Fraud Report"
Australian credit and data analytics company Veda has published its 2015 "Cybercrime and Fraud Report" (the "Report"). The Report features and discusses a number of key trends in Australian domestic cybercrime, identity fraud and data breaches.
According to the Report, Australia has seen a 12.6% rise in the reported volume of online credit application fraud incidents compared to 2013/14, as credit lenders move towards online application systems. Online credit application fraud now represents 50% of all credit application fraud in the country, rising by 3% compared to the previous financial year.
Identity theft is also reported to be on the rise, up 59% over the last two years, and costing the country approximately AU$2 billion per annum.
Data breaches also feature as a key space to watch. The Report shows that the Office of the Australian Information Commissioner has recorded 117 notified data breaches in 2014/15. However, due to the present lack of mandatory reporting requirements in Australia, the true scale of data breaches is unknown. Overseas experience suggests that the reported breaches are only the tip of the iceberg. Better data may become available if the current Federal Government proposed mandatory data breach reporting Bill (see above for further details) becomes law in 2016.
The Report also predicts that health sector and retail databases will increasingly be targeted by cybercriminals. Furthermore, social media will offer criminals new opportunities to exploit unsuspecting individuals with identity fraud.
Ransomware the fastest growing form of computer malware in Australia
The Australian Cyber Security Centre, in partnership with CERT Australia, has published a cyber security report finding that ransomware is the fastest growing form of computer malware in Australia.
The report found that there has been a significant surge in the number of ransomware incidents, with four times the number of respondents reporting ransomware incidents in 2015 (72%) as compared to 2013 (17%). Ransomware also affected every sector that had experienced a cyber security incident, which demonstrates the indiscriminate targeting and the sophistication of this type of threat. Perhaps unsurprisingly, ransomware was also the threat of most concern amongst respondents (72%), followed by theft or breach of confidential information (70%) and Advanced Persistent Threats (66%).
Ransomware refers to extortion through the use of malware that typically locks a computer’s content and requires victims to pay a ransom to regain access. The ransom is usually paid in bitcoin so that it is more difficult to trace. Although the advice from experts is never to pay, many organisations that fall victim to this type of attack do pay up, not least because they need to regain access to their files. Without paying, the only way to retrieve files might be to rely on a backed-up version.
However, it is not just Australia that is suffering from the rise of ransomware. Recent research by Palo Alto Networks in the USA suggested one family of ransomware known as CryptoWall had generated about US$325 million for the gang behind it.
Please click here to view a copy of the ACSC report.
US enacts new cyber legislation aimed at encouraging businesses to share more data with US authorities
On 18 December 2015, both chambers of the US Congress passed, and the US President signed into law, cyber security legislation that aims to encourage private businesses to monitor their networks and voluntarily share information with the federal government about hacking and cyber attacks by giving businesses protection from certain kinds of lawsuits, such as suits over violations of electronic privacy protections.
This legislation was in the works for some time. Earlier in the past year, the US Senate and the US House of Representatives passed different versions of cyber security legislation (with the House passing, in April, two cyber security bills, the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act, and the Senate, in October, approving its own version, the Cybersecurity Information Sharing Act). The legislation that was eventually passed, which combines elements from all three bills, has been dubbed the Cybersecurity Act of 2015, and was included as part of a broad omnibus spending package that Congress also approved. The law was hailed as the biggest step taken to date by the US to curtail data breaches, or at least the effect of such breaches, while critics argued that the measures will not prevent cyber attacks but will restore certain US agencies' surveillance capabilities that legislation enacted earlier in 2015 (the USA Freedom Act) sought to limit.
In brief, the new law makes the Department of Homeland Security the primary portal for reporting cyber threats to the government. It also requires the US Attorney General and the Department of Homeland Security to jointly issue policies and procedures relating to the federal government's receipt of cyber threat indicators and defensive measures, as well as guidelines relating to privacy and civil liberties that govern the retention, use and dissemination of cyber threat indicators received by the government.
Judge's ruling limits authority of US Federal Trade Commission in data breach cases
On 13 November 2015, an administrative law judge dismissed a complaint brought by the US Federal Trade Commission ("FTC") against medical testing laboratory LabMD, Inc. in what may prove to be an important decision in FTC data breach enforcement actions.
In recent years, the FTC has settled dozens of data security enforcement actions against companies brought under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. As noted in our previous quarterly cyber security round-up (available here), a US federal appellate court recently upheld the FTC's authority to bring civil enforcement suits against companies whose allegedly deficient cyber security policies fail to protect consumer data from cyber attacks (see FTC v Wyndham Worldwide Corp, et al., No. 14-3514 (3d Circuit 2015)).
Here, the FTC's complaint alleged that LabMD violated the FTC Act by failing to employ reasonable and appropriate measures to prevent unauthorised access to consumers' personal information. In contrast to many companies facing FTC scrutiny in this arena, LabMD elected to litigate instead of settling with the FTC. In a lengthy decision, the judge found that the FTC failed to carry its burden of proving that LabMD's alleged failure to employ reasonable data security constituted an unfair trade practice, because the FTC failed to prove that the allegedly unreasonable conduct caused or was likely to cause substantial injury to consumers, as required by the FTC Act.
By requiring a showing of probable – not just possible – consumer injury in order for the FTC to sustain a data security claim under Section 5, the judge's decision moves the FTC's burden in enforcement cases closer to that required by private plaintiffs in litigation over data breaches.
On 24 November 2015, the agency filed its appeal of the decision, which is now pending. Thus, the ultimate effect of this ruling remains to be seen.
Closely-watched dispute between Microsoft and US Government over customer emails remains pending on appeal
As discussed in our previous quarterly cyber security round-up (available here), Microsoft has appealed a US federal court ruling requiring it to produce, to the US Government, Microsoft customer e-mails stored in the EU. The US Court of Appeals for the Second Circuit is expected to rule on the appeal soon.
T-Mobile/Experian hack highlights difficulties of dealing with a third party cyber security breach
In October 2015, T-Mobile USA announced that it had been notified by its outsourced service provider, Experian North America, that it had suffered a data breach.
On 15 September 2015, Experian discovered that an unauthorised party had accessed T-Mobile data housed in an Experian server. The hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s licence, military ID, or passport number) and additional information used in T-Mobile's own credit assessment were accessed, although no payment card or banking information was obtained. Experian's own consumer credit database was not accessed.
Although Experian responded to the breach by offering free credit monitoring for two years and identity resolution services for as long as the affected customers required it, the Chief Executive of T-Mobile nevertheless stated that the company would institute a thorough review of its relationship with Experian.
The incident highlights the potential pitfalls for organisations utilising third party services, and in particular the need for assurances and checks to confirm that information is, and will remain, secure. As companies embrace "The Cloud", care needs to be taken to understand how information will be stored and protected, especially as more and more sensitive information is given to third parties to safeguard.