Cyber security affects all businesses and industries and is a Board level agenda item.
Our quarterly eBulletin provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA.
Malware remains top of the list of the ENISA Threat Landscape for 2016
In January 2017, the European Union Agency for Network and Information Security ("ENISA") published the ENISA Threat Landscape 2016, a summary of the most prevalent cyber threats from the previous year. The report classifies "the efficiency of cyber-crime monetisation" as the trend of 2016 and, unfortunately, warns that the trend is here to stay.
The development and optimisation of malware to make a profit remains the main objective in attack methods, tools and tactics. Attacks including various channels and multiple layers seem to be "state-of-the-art" for advanced threats, while efficiently managed flexible tools continue to be available, even to low capability threats. The figure here sets out the top 15 cyber threats and trends from the report compared to the threat landscape of 2015. Malware tops the list of cyber threats for another year with over 600 million samples identified per quarter with mobile malware, ransomware and information stealers being the key areas of criminal malware innovation. The report suggests that the increase in sophistication of attackers has given rise to the need for more sophisticated "defenders" (i.e. ways for an organisation to mitigate the risk of an attack).
The report goes on to note that the maturity of cyber security defenders has indeed increased too. 2016 saw: increases in operations coordinated by law enforcement authorities that were able to disrupt malicious activities, including exploitation of weaknesses in anonymisation infrastructures, tools and virtual currencies; invaluable insights into major attacks, particularly Distributed Denial of Service attacks, that will assist the prevention of future attacks; and the recognised importance of cyber security in professional education and training to mitigate the risk of a future skills shortage.
ENISA is a centre of network and information security for the EU, its member states, the private sector and Europe's citizens. In addition to specific "mitigation vectors" for each of the 15 top threats identified, ENISA also set out in the report high level policy, business and research conclusions arising from the threat landscape to be taken into account in its future activities as well as the activities of its stakeholders.
It is hoped that this type of cyber threat intelligence will play an active role in helping organisations to protect assets and assess the efficiency of their existing protection measures, relative to the cyber threats they face.
Click here for a copy of the ENISA Threat Landscape Report 2016
Government to implement requirements for Cyber Security Directive despite Brexit
The UK government has confirmed that it will set out the "scope and security requirements for NIS implementation" in 2017, informed by the work of the National Cyber Security Centre (see below) and other relevant government departments. The statement was made in the context of a Cyber Security Regulation and Incentives Review published by the government on 21 December 2016 (the "Cyber Review") and provides useful guidance on the government's position in respect of the EU Network and Information Security Directive (the "Cyber Security Directive"), in light of Brexit.
The Cyber Security Directive requires certain "operators of essential services" to adopt risk management practices and report major security incidents on their core services to the appropriate national authority. As a "directive", Member States have until 9 May 2018 to adopt appropriate national legislation to comply with the directive and such legislation will apply from 10 May 2018. By 8 November 2018, for each sector and subsector referred to in the Directive, Member States are also required to identify the "operators of essential services" with an establishment in their territory. If Parliament gives effect to the referendum result, these deadlines clearly fall prior to the UK's exit from the EU, which could be in March 2019 at the earliest if Article 50 is triggered during March 2017 in line with the government's current plans.
The Cyber Review forms part of a government commitment to ensure the UK has the right regulatory framework in place for cyber security across the wider economy (i.e. not just "operators of essential services"). It was led by the Department for Culture, Media and Sport with input from a range of stakeholders and it considered businesses across the economy as well as non-commercial organisations. The Cyber Review went on to highlight the role of data protection in cyber security and the government concluded that, for now, it would not pursue further general cyber security regulation for the wider economy beyond the Cyber Security Directive and the EU General Data Protection Regulation. It would, however, consider whether additional regulation is necessary for critical sectors, particularly in light of the Cyber Security Directive.
It remains to be seen whether post-Brexit the government decides to reform cyber security regulation at a national level. However, given the practicality of the Cyber Security Directive and the benefits of an aligned approach to cyber security across Europe, it seems unlikely that the UK will want, or be able, to stray far from the principles set out in the directive.
UK's new National Cyber Security Centre to host private sector secondments
The UK's National Cyber Security Centre ("NCSC") has issued an open invitation for up to 100 secondments from the private sector. Speaking at the official launch of the NCSC on 14 February 2017, UK Chancellor Philip Hammond announced "Industry 100" – an initiative that will integrate up to 100 personnel from industry into the NCSC by the end of the financial year 2017/2018. The NCSC forms part of the UK's intelligence agency (GCHQ). It was set up to help protect the UK's critical services from cyber attacks, manage major incidents and improve the underlying security of the internet in the UK through technological improvement and advice to citizens and organisations.
The Chancellor set out the initiative against the backdrop that "65% of large businesses reported a cyber breach or attack in the past 12 months"; however, "nine out of ten businesses don't even have an incident management plan in the event of a cyber breach". He also emphasised the importance of a team effort, commenting that "the government cannot protect businesses and the general public from the risks of cyber-attack on its own".
The aim of the initiative is twofold:
- it will allow the government to draw on industry expertise – working collaboratively to share best practice whilst also having its thinking challenged; and
- the training received whilst at the NCSC aims to drive change within the industry and better equip the "secondees" to tackle cyber threats on returning to their original day jobs.
At the time of publication, the roles sought by the NCSC included network defenders and analysts from critical infrastructure sectors, namely finance, energy, transport, telecoms and health, for two days a week over a six-month period. Industry is expected to fund the roles.
The Chancellor's full speech can be accessed here.
Article 29 Working Party: First GDPR guidance puts data portability in the spotlight
The data protection regulatory regime in Europe is in the process of being overhauled. Data protection is currently regulated in the UK by the Data Protection Act 1998. However, a new EU General Data Protection Regulation ("GDPR") will apply from 25 May 2018, following a two year implementation period.
Towards the end of December last year the Article 29 Working Party ("WP29"), an advisory body comprising national data protection officers from across EU Member States, adopted and published its first guidelines and FAQs on the GDPR. The guidelines cover the three areas outlined below and are considered by the WP29 to be of particular priority:
- The right to data portability: The guidelines clarify how organisations should interpret and implement the new GDPR right to data portability and recommend practices and tools that support compliance with this new right.
- Data Protection Officers ("DPOs"): This opinion provides further information about the designation and role of a DPO.
- Identifying a Lead Supervisory Authority: The guidelines contain detail on the identification and designation of a lead supervisory authority. This is relevant where a controller or processor is carrying out cross-border processing of personal data.
Of particular interest, the right to data portability allows for data subjects to receive the personal data which they have provided to a data controller in a structured, commonly used and machine-readable format and to transmit them to another data controller. This is a new right for data subjects - it differs from the existing right of access and is intended to "empower" data subjects, to give them more control over their own personal data. As the right enables direct transmission of personal data from one data controller to another, it is seen as a key tool to support the free flow of personal data in the EU, to encourage competition between controllers and to support switching between service providers. The guidance also recommends that industry stakeholders and trade associations work together on a common set of interoperable standards and formats to provide the requirements of the right to data portability.
Whilst having "appropriate technical and organisational measures" in place from a data security perspective is not a new concept under the GDPR, the likely rise in transmission of data from one information system to another as a result of the new data portability right may give rise to an increased security risk - particularly the risk of data breaches during the transmission. The guidelines acknowledge this potential source of risk and confirm that the data controller is responsible for taking all security measures needed to ensure that personal data is securely transmitted (e.g. by use of encryption) to the right destination (e.g. by use of additional authentication information). Such measures must not, however, be obstructive in nature or prevent users from exercising their rights. Where data subjects retrieve their personal data online, they should be made aware of the risk that their own system may be less secure than that provided by the service. Data controllers could also suggest appropriate format(s) and encryption measures to assist data subjects in mitigating the associated security risks themselves.
Stakeholders had until 15 February 2017 to comment on the guidelines. The WP29 has also announced that further GDPR opinions and guidance will follow later this year, including in respect of Data Protection Impact Assessments and Certification. Organisations will, no doubt, welcome the WP29 guidance as they continue efforts to prepare for GDPR compliance.
The first three sets of guidelines and FAQs can be accessed here.
Joint Committee inquiry into UK cyber security
On 10 January 2017 the Joint Committee on the National Security Strategy (the "Joint Committee") announced an inquiry into UK cyber security. The Joint Committee comprises 22 members appointed from both the House of Commons and the House of Lords and was created to "monitor the implementation and development" of the UK government's National Security Strategy.
The inquiry follows:
- the 2015 National Security Strategy and Strategic Defence and Security Review that identified "the impact of technology, especially cyber threats" as one of the four key security challenges facing the UK; and
- the subsequent second National Cyber Security Strategy which was launched in November 2016 with a total budget of £1.9 billion for 2016 to 2021 to address cyber security challenges.
In the context of the inquiry, Margaret Beckett, the Chair of the Joint Committee, commented that "while the digital revolution has opened up a whole host of opportunities, it has also created new vulnerabilities. The national security implications of the leap to cyber are a matter of increasing concern".
As part of the inquiry the Joint Committee has invited submissions on a number of areas in which it is particularly interested, including:
- the types and sources of cyber threats faced by the UK;
- whether the UK has committed sufficient human, financial and technical resources to address the scale of the cyber security challenge;
- the development of offensive cyber capabilities and the norms governing their use;
- the balance of responsibilities between the government and private sector in protecting critical national infrastructure;
- the appropriate role for government in regulating and legislating in relation to cyber both nationally and internationally; and
- how the UK can co-operate with allies and partners on the development of capabilities, standard setting and intelligence sharing.
This national inquiry, along with the recent launch of the UK's National Cyber Security Centre and the government's Cyber Security Regulation and Incentives Review (see above), demonstrates that the government is not only taking a threat-based approach to cyber security (i.e. simply looking at the likely types of attack) but is also proactively progressing the way in which it addresses cyber security going forward. Stakeholders had until 20 February 2017 to respond to the inquiry.
Insurers handling hundreds of data breach claims
Recent figures indicate that insurance claims for data breaches are being made at an increasing rate. Lloyd's of London’s underwriting agency, CFC Underwriting, reports that it handled over 400 claims under cyber insurance policies in 2016, an increase of some 78% on 2015. The lion's share of these claims related to privacy breaches (31%) and financial loss or theft (22%). Hand-in-hand with this, CFC reports a 50% growth in UK insurance policies taken out against cyber attacks during 2016.
It seems that this uptake in insurance buying and claims is partly a reflection of the fact that one of the major exposures faced by UK businesses is privacy liability for data breaches in the event of loss of personal data or valuable confidential information of customers or other third parties. It is therefore critical to crisis-manage cyber incidents efficiently to prevent further damage from being caused and to limit exposure. This can be a time-sensitive and complex process. Small and medium-sized businesses in particular may not be equipped to deal with incident response or have the financial resources to absorb the related costs. The capability of insurers to assist with incident response and provide coverage against liabilities and other financial loss therefore appears to be of increasing attraction for UK businesses.
These drivers of insurance buying will, no doubt, be magnified for some businesses in view of the mandatory notification regime and increased sanctions exposure (maximum fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is the greater) under the EU General Data Protection Regulation which applies from May 2018. The trends reported by the CFC may therefore represent merely the tip of the iceberg over the coming years.
Healthcare sector: An increasingly attractive cyber target
A recent cyber attack targeting medical equipment in hospitals has re-highlighted the potential vulnerability of the healthcare sector to such attacks. In late October 2016, the Northern Lincolnshire and Goole Hospitals NHS Trust Foundation was forced to shut down its IT systems and cancel all non-urgent operations, outpatient appointments and diagnostic procedures for a number of days, following the discovery of a computer virus. Whilst the exact nature of the reported "ransomware" attack has not yet been disclosed, it is thought that out-of-date legacy hospital IT systems were susceptible to malware installed via a phishing attack (e.g. by staff opening a link or attachment in an email) – restricting access to those systems and any hospital equipment attached to them (often by encrypting files) and demanding a ransom to restore access.
This is not an isolated incident. Research conducted by the NCC Group, one of the world's largest software escrow providers, found that 47 per cent of the 60 NHS Trusts in England surveyed have been subject to a ransomware attack in the past twelve months. The Information Commissioner's Office also reported that between April-June 2016, the health sector accounted for the highest number of data security breaches, due in part to the size of the UK health sector, the NHS' mandatory reporting of incidents and the sensitive nature of the data involved.
The unique challenges posed by health and care systems in the context of cyber security were further recognised in the second National Cyber Security Strategy launched in November 2016 (see above). As part of the strategy, the government confirmed it will work with health and social care organisations to implement new data security standards for the health and social care systems in England, alongside a method for testing compliance with these standards and a new patient consent model in respect of data sharing in health and social care. These standards and models were recommended by National Data Guardian, Dame Fiona Caldicott, in July 2016. The Department of Health launched a related consultation on the recommendations which ended in September 2016 and the outcome is still awaited (following its expected publication at the end of 2016).
Investigatory Powers Act called into question
Whilst recent controversial legal developments around requirements for the bulk retention of communications data may help prevent and solve criminal activity, including cyber-crime, they may also create tempting targets for cyber attacks.
The Investigatory Powers Act (the "IPA") was given Royal Assent on 29 November 2016, despite being described by Edward Snowden as "the most extreme surveillance in the history of western democracy". The legality of parts of the legislation has, however, been called into question by the subsequent European Court of Justice ("CJEU") decision in the Watson/Tele2 case at the end of last year (the DRIPA Case), which considered whether certain obligations under the Data Retention and Investigatory Powers Act 2014 ("DRIPA") were compatible with EU law.
At its core, the IPA is a consolidation of existing legislation such as DRIPA, the Regulation of Investigatory Powers Act 2000 and certain provisions of the Telecommunications Act 1984. That being said, the IPA does more than simply consolidate existing laws and in certain places it significantly extends existing requirements.
The main source of criticism and concern regarding the IPA has been around the requirements for bulk retention of data and the ability of public authorities to access such data.
- Retention of Communications Data: Communications data is the ‘who’, ‘where’, ‘when’, ‘how’ and ‘with whom’ of a communication, but not the content. The IPA requires communications service providers ("CSPs") to retain communications data when served with a notice requiring them to do so. The IPA allows the police, intelligence agencies and other public authorities to access communications data from CSPs without a warrant and, in turn, assists with solving criminal activity (including cyber crime). Recently the scope and extent of authorities able to access communications data has been the source of much criticism, particularly in the context of the DRIPA case where the CJEU held that the general and indiscriminate retention of traffic data and location data (under DRIPA) was incompatible with the e-Privacy Directive (2002/58/EC), taking into account the Charter of the Fundamental Rights of the European Union. The case also determined that Member States may provide for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is limited to what is strictly necessary.
- Retention of Internet Connection Records: For the first time ever, the IPA also requires the collection and retention of internet connection records ("ICRs"), being records of the internet services that have been accessed by a device.
Another interesting issue raised by the bulk collection of this data centres around security. The government intends to create centralised software that will allow queries to be made across multiple databases using "request filters". That presumably means that a single program will have access to all communications data and ICR databases, creating a tempting target for those wishing to gain access to the information stored.
Certain provisions of the IPA are currently in force, including those relating to the retention of communications data – replacing certain DRIPA provisions which expired on 31 December 2016. The government has confirmed that other provisions in the legislation will require extensive testing and will not be in place for "some time". The Home Office is expected to announce its plans for implementing the remaining provisions during the course of 2017. However, given that the IPA was drafted prior to the guidance in the DRIPA case and, at the date of publication, civil liberties advocacy group, Liberty, is seeking to crowd fund a judicial review of the core bulk powers under the IPA, it seems only a matter of time before the legislation will be subject to further legal challenge.
To view a copy of the IPA, please click here.
The growing need for a cyber "security culture" in the financial services sector
As online financial services are becoming more popular, financial institutions are facing an increasing number of organised cyber attacks and multi-channel threats. According to a report published in February 2017, financial technology (FinTech) companies in particular are experiencing an increasing number of cyber attacks from those taking advantage of alternative lending and payment models as well as exploiting gaps and loopholes in what are predominantly digital systems designed for superfast processing and agile product innovation. This is according to the latest Cybercrime Report published by ThreatMetrix, a security company that monitors more than 20 billion online transactions worldwide per year.
The growing threat of cyber-criminal activity in the financial sector as a whole was highlighted by the Financial Conduct Authority's ("FCA") Director of Specialist Supervision, Nausicaa Delfas in September 2016. In her speech delivered at the FT Cyber Security Summit, she outlined: (i) how the FCA is meeting the challenge posed by cyber risk; (ii) the FCA's expectations of financial services firms; and (iii) the key emerging risk areas. Delfas also acknowledged that "cyber resilience" is a priority matter for the FCA, not least due to the evolving and ever increasing risks and threats – it is understood the FCA received 75 cyber attack reports in 2016 (up to September) compared to 5 such reports in 2014.
To date the FCA has worked closely with industry given the shared interest and responsibility for cyber security and intends to further that co-operation. It has engaged both nationally and internationally to ensure a co-ordinated approach to cyber security threats and has conducted resilience exercises with both industry and other regulators – examples include the "Resilient Shield", a joint endeavour between the US and the UK under which the FCA focussed on the collective response to a transatlantic cyber event, information sharing, incident response handling and public communications. The FCA intends to repeat such exercises, with the aim of helping both countries enhance their cyber programmes.
Whilst a firm's cyber security compliance strategy is likely to be bespoke to its own requirements, the FCA expects an organisation to adopt a "security culture", driven from the board and senior management down to employees, and has set out some key principles to which firms ought to adhere:
- good governance: with engagement from the board and senior management;
- identification and protection of key assets: for example through defence testing, staff training and security screening;
- adequate detection capabilities: for example through the use of artificial intelligence to detect network vulnerabilities;
- recovery and response: systems and controls to allow a firm to continue operating and protect essential data in the event of an interruption, for example, through upgrading business continuity plans; and
- information sharing: while a material breach must be reported under Principle 11 of the FCA Handbook, firms are also encouraged to share information with others on the Cyber Information Sharing Partnership in order to identify and tackle patterns of attack.
The key emerging risk areas also identified were:
- ransomware: in particular the risk of self-replicating ransomware which can spread throughout a network;
- data storage/outsourcing: firms adopt the threat profile of cloud based service providers (plus other outsourced services providers), and remain responsible for any data breaches; and
- the skills gap: initiatives such as the government's FastTrack cyber apprenticeship scheme should be used to help narrow the skills gap.
With the theft of £2.5 million from 9,000 accounts of Tesco's banking arm in November 2016 and the statistics set out in the latest ThreatMetrix Cybercrime Report, concerns still remain about the methods used by financial services firms to detect and mitigate cyber attacks.
The FCA speech can be accessed here.
Hong Kong regulator issues restriction notices to two brokers to freeze a client account linked to suspected account hacking and market manipulation
On 16 December 2016, the Hong Kong Securities and Futures Commission ("SFC") announced that it had issued restriction notices (notices 1 and 2) to two brokers prohibiting them from dealing with certain assets held in a client account. The SFC suspects the assets are the proceeds of market manipulation and fraud conducted in conjunction with unauthorised internet trades in hacked securities accounts at other firms between 7 and 15 October 2015. The SFC also acknowledged the assistance provided by the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force.
The SFC is not investigating either of the brokers, who have cooperated with the SFC’s ongoing investigation. The notices do not affect the operations of the two brokers or their other clients.
The notices prohibit the two brokers, without the SFC’s prior written consent, from dealing with the suspected proceeds or processing any instructions from the client, or any authorised representative, for those proceeds. These prohibitions include: (i) entering into securities or futures transactions; (ii) withdrawing securities, futures or cash; and/or (iii) transferring sales proceeds of securities or futures. The two brokers must notify the SFC if they receive any account instructions.
The Hong Kong Securities and Futures Commission announcement is available here.
Implementation details of cyber security fortification initiative for authorised institutions published
The Hong Kong Monetary Authority ("HKMA") has published a circular setting out implementation details of the Cybersecurity Fortification Initiative ("CFI") for Authorised Institutions ("AIs"). The CFI, announced by the HKMA in May 2016, consists of three "pillars", namely: (i) the Cyber Resilience Assessment Framework ("C-RAF"); (ii) the Professional Development Programme ("PDP"); and (iii) the Cyber Intelligence Sharing Platform ("CISP").
Snapshot of each pillar
The C-RAF is an assessment tool to help AIs evaluate their cyber resilience. The assessment comprises three stages: (i) Inherent Risk Assessment; (ii) Maturity Assessment; and (iii) Intelligence-led Cyber Attack Simulation Testing ("iCAST").
The HKMA will adopt a phased approach to implementation. The first phase will cover around 30 AIs including all major retail banks, selected global banks and a few smaller AIs. Depending on industry feedback and the experience gathered from the first phase, the second phase will cover all the remaining AIs.
The expected timeline for completing the C-RAF assessment is June 2018 for the first phase and the end of 2018 for the second phase (the HKMA will take into account the assessment results of the second phase in determining a timeframe for the remaining AIs to complete the iCAST).
The PDP seeks to provide a local certification scheme and training programme for cyber security professionals. It was rolled out in early December 2016. A list of professional qualifications that are considered to be equivalent to the certification provided under the PDP is set out in the Annex to the circular. A person holding the relevant PDP certification or an equivalent professional qualification for a C-RAF component (e.g. iCAST testing) may perform those assessments and tests.
In parallel to the PDP, the HKMA has also published an Enhanced Competency Framework on Cybersecurity (see below).
Access to the CISP has been made available to banks from December 2016. This platform enables banks to share cyber threat intelligence among themselves to enhance collaboration and uplift cyber resilience.
The circular can be accessed here.
HKMA publishes Enhanced Competency Framework on Cybersecurity
Following consultation with the banking industry, the HKMA published an industry-wide Enhanced Competency Framework on Cybersecurity ("ECF-C") and accompanying guidance on 19 December 2016.
The ECF-C prescribes core competences of "Relevant Practitioners" engaged by AIs who undertake "cybersecurity roles". A "Relevant Practitioner" is defined as: "a new entrant or an existing practitioner engaged by an AI to perform in roles ensuring operational cyber resilience" and would include personnel involved in IT Security Operations and Delivery, IT Risk Management and Control and IT Audit. Details of the scope of application, qualification structure, recognised certificates and continuing professional development requirements to equip Relevant Practitioners with the right skills, knowledge and behaviour can be found in the accompanying guidance.
The objectives of the ECF-C are twofold: (i) to develop a sustainable pool of cyber security practitioners; and (ii) to raise and maintain the professional competence of cyber security practitioners in the banking industry. Although it is not mandatory for AIs to adopt the ECF-C, the HKMA encourages them to do so. In addition, the HKMA considers that an AI's adoption of the ECF-C would involve using it:
- to serve as a benchmark to determine the level of competence required and to assess the ongoing competence of individual employees;
- to support relevant employees to attend training programmes and examinations that meet the ECF-C benchmark;
- to support the continuing professional development of individual employees; and
- to serve as one of the criteria for recruitment purposes.
The HKMA will assess AIs' progress of implementing the ECF-C and enhancing staff competence in this area as part of its supervision of AIs.
The Guide to Enhanced Competency Framework on Cybersecurity can be accessed here.
China's new Cyber Security Law – Highlights
China's new Cyber Security Law was approved by the Standing Committee of the National People's Congress on 7 November 2016, following a third reading. The Chinese government has downplayed suggestions that the new law would be used to drive foreign technology and products out of the Chinese market. One beneficial aspect of the new law is that it provides a tighter definition of critical information infrastructure, making it less likely that the operations of foreign-invested enterprises in China will be caught by strict implementation of the new law.
China's new Cyber Security Law will take effect from 1 June 2017.
For further details, please view the entire article here.
Singapore to implement Cybersecurity Strategy, including the introduction of a new Cybersecurity Act in 2017
The South-East Asian City State's Prime Minister launched the country's Cybersecurity Strategy on 10 October 2016 during Singapore International Cyber Week, an annual event held for the first time in 2016 designed to promote international exchanges on cyber security and cybercrime issues.
Singapore's strategy is based on four pillars:
- building a resilient infrastructure;
- creating a safer cyberspace;
- developing a vibrant cyber security ecosystem; and
- strengthening international partnerships.
One of the main structural developments in 2017 will be the introduction of a new Cybersecurity Act. The new legislation is designed to protect Singapore's Critical Information Infrastructure ("CII") which supports essential services (including financial services), utilities and transport. It will put more responsibility for securing systems with operators and owners of CII and encourage timely reporting of cyber security incidents, as well as empower the Cyber Security Agency ("CSA") and other regulators to work more closely with affected parties to resolve incidents. The new Cybersecurity Act will be a standalone piece of legislation and is set to be tabled in Parliament this year.
Singapore will also further implement its National Cybercrime Action Plan ("NCAP") to combat the rising incidence of cybercrime. The NCAP was launched in July 2016 and sees the government working together with global institutions, industry partners and Internet Service Providers to actively monitor the Internet's health and identify cyber threats more quickly, reducing malicious traffic. As part of the NCAP, the government's capability to combat cybercrime will be increased by boosting investigation capabilities, equipping public officers with relevant skills and strengthening coordination between the Singapore Police Force and government agencies such as the CSA.
The Singaporean government is keen to work with industry partners, professional associations, educational and research institutions to establish a professional cyber security workforce by defining clear career pathways and encouraging up-skilling and re-skilling opportunities. As part of this strategy, the government seeks to both attract and nurture small companies and start-ups with advanced cyber security capabilities. The National Cybersecurity R&D Programme will continue to support research into the technological and human-science aspects of cyber security and seek to create a stronger public-private partnership in this area.
Lastly, Singapore is committed to nurturing strong international partnerships by forging international and regional (ASEAN) cooperation to counter cyber threats and crime, championing international and regional cyber capacity-building initiatives and facilitating exchanges on norms and legislation.
New Mandatory Data Breach Reporting Law passed
On 13 February 2017, the Australian Federal Government passed the Privacy Amendment (Notifiable Data Breaches) Act 2016, which amends the Privacy Act 1988 (the "Privacy Act") to include mandatory notification obligations for certain data breaches.
This was the government's third attempt at legislating for data breach notification following recommendations from the Australian Law Reform Commission dating back to 2008. The rules are aimed at directing entities to become proactive in protecting their data, implementing data breach response plans and taking steps to protect individuals whose information has been compromised. While this is a much anticipated change, it is nonetheless a significant development which will impact a wide range of organisations operating in Australia.
The new law will apply to all entities bound by the Privacy Act, namely Federal Government agencies, private sector organisations with an annual turnover above AU$3 million (and their related companies) and some others. Those entities are now required to provide notification where the entity has reasonable grounds to believe that an "eligible data breach" has occurred. An "eligible data breach" happens where:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
As with many other requirements under the Privacy Act, serious and repeated breaches will be subject to enforcement action including civil penalty orders of up to AU$1.8 million.
The new regime takes effect on 22 February 2018.
Click here to read the full article on data breach risk assessments, when a notification is required and what a notification actually involves.
Optus business invests in cyber security
Australian telecoms company Optus is seeking to cement its place in the cyber security sector, announcing in late October an AU$8 million investment to create a new Advanced Security Operations Centre ("ASOC"). The Optus ASOC is to be the ninth global centre established through Optus’ parent company Singtel, following its US$810 million acquisition of the managed security services firm Trustwave in 2015. Optus is partnering with several cyber security firms (FireEye, Palo Alto Networks, Checkpoint and Akamai) to provide a packaged managed security service through the ASOC. The ASOC will share intelligence with Singtel’s other eight centres throughout the world in real time, and will enable Optus to communicate critical threats to its customers effectively.
Managing director of Optus Business, John Paitaridis, told the Australian Financial Review that cyber security is now the largest area of investment for Optus Business. Mr Paitaridis stated that as a major telco and network operator, Optus is “uniquely placed to support customers for distributed denial of service and other cyber advances”.
The move follows Optus’ recent announcement of a partnership with La Trobe University to develop a market-leading cyber security degree. Earlier in the year, Optus also announced a partnership with Macquarie University to establish the Optus Macquarie University Cyber Security Hub to “support businesses and government to recognise and protect themselves from increasing cyber threats”.
National Cybersecurity Commission releases report assessing the state of cyber security in the US and recommending actionable steps for government
On 1 December 2016, the White House Commission on Enhancing National Cybersecurity (the "Commission") released its Report on Securing and Growing the Digital Economy (the "Report"). The Report assesses the state of cyber security in the US and recommends steps that the government, the private sector and the US as a whole can take to bolster cyber security, while still fostering innovation and ease of use.
The Commission, which included leaders from industry and academia, organised its findings into six major imperatives, namely to: (1) protect, defend and secure today's information infrastructure and digital networks; (2) innovate and accelerate investment for the security and growth of digital networks and the digital economy; (3) prepare consumers to thrive in a digital age; (4) build cyber security workforce capabilities; (5) better equip government to function effectively and securely in the digital age; and (6) ensure an open, fair, competitive and secure global digital economy.
Per the Report, the goal is to achieve enhanced cyber security while at the same time protecting privacy, ensuring public safety and economic and national security, and fostering the discovery and development of new solutions. In particular, the Commission's recommendations call for deepening public-private cooperation to better protect critical infrastructure and respond to cyber incidents when they occur and increasing investments in research and development to improve the security of products and technologies. The Report calls for regulatory agencies to harmonise existing and future regulations with the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. Further, the Commission recognises the application of international law to cyberspace, promoting voluntary international norms of state behaviour and the enabling of greater cross-border data sharing between law enforcement agencies.
Various aspects of the Report were geared towards the Trump Administration, and the President has previously indicated his support for increasing cyber security effectiveness as part of national security. Whilst the Report endeavours to set out a road map to address cyber security, which specific aspects of the Report will ultimately be pursued by the new Administration will remain to be seen.
The Report can be accessed here.
US transportation agency adopts cyber security best practices report
In October 2016, the US National Highway Traffic Safety Administration ("NHTSA") issued a nonbinding guidance of best practices for improving motor vehicle cyber security, the Cybersecurity Best Practices for Modern Vehicles (the "Cybersecurity Guidance"). This follows the NHTSA's issuance of the Federal Automated Vehicles Policy in September, a policy which aims to facilitate the safe introduction and deployment of self-driving vehicles in the US and which considers cyber security as one of the important safety areas for automated vehicles.
The Cybersecurity Guidance recommends that the automotive industry follow the 2014 Framework for Improving Critical Infrastructure Cybersecurity of the National Institute of Standards and Technology ("NIST") to develop layered cyber security protections for vehicles. NIST's Cybersecurity Framework is structured around five principal functions: identify, protect, detect, respond, and recover. Regarding IT security controls, the NHTSA recommends that the automotive industry review and consider the IT security suite of industry standards, such as the ISO 27000 series standards, and other best practices, such as the Critical Security Controls for Effective Cyber Defense published by the Center for Internet Security ("CIS").
Generally, the Cybersecurity Guidance advocates that the motor vehicle industry follow a "robust product development process based on a systems-engineering approach" that makes cyber security a priority by using a systematic and ongoing process to evaluate risks. This process should include a safety risk assessment step that is appropriate for the full life cycle of the vehicle. In addition to identifying risks and analysing potential threats, the industry should establish rapid detection and remediation capabilities and collect information on any potential attacks.
While vehicle cyber security is not currently covered by an existing US Federal Motor Vehicle Safety Standard, motor vehicle and motor vehicle equipment manufacturers are required by US law to ensure that systems are designed free of unreasonable risks to motor vehicle safety, including those that may result from potential cyber security vulnerabilities.
Cyber security issues regarding vehicles are not simply theoretical concerns, as evidenced by the fact that, in July 2015, the NHTSA used its enforcement authority to recall almost 1.5 million vehicles due to cyber security vulnerabilities.
The Guidance can be accessed here.
US Treasury issues advisory for Financial Crimes Enforcement Network on cyber-events and cyber-enabled crime
The US Treasury Department's Financial Crimes Enforcement Network ("FinCEN") issued an advisory on 25 October 2016 to financial institutions on cyber-events and cyber-enabled crime. The advisory states that financial institutions should report cyber-enabled crime and cyber-events using Suspicious Activity Reports ("SARs") under the US Bank Secrecy Act ("BSA").
FinCEN's stated mission is to safeguard the financial system from illicit use, to combat money laundering, and to promote US national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities. Per the advisory, a financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to US$5,000 or more. If a financial institution knows or has reason to suspect that a cyber-event was intended to conduct, facilitate, or affect a transaction(s), it should be considered part of an attempt to conduct a suspicious transaction or series of transactions. Cyber-events targeting financial institutions that could affect a transaction(s) would be reportable as suspicious as they are unauthorised, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities. In addition, FinCEN encourages, but does not require, a financial institution to report egregious, significant, or damaging cyber-events and cyber-enabled crime when such events and crime do not otherwise require the filing of a SAR.
The advisory also addresses the inclusion of available cyber-related information (e.g. internet protocol addresses with timestamps, virtual-wallet information, device identifiers) in SARs; collaboration between BSA/anti-money laundering units and in-house cyber security units to identify suspicious activity; and the sharing of information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing, and cyber-enabled crime.
The advisory is available here.
US Senate committee calls for an increase in statutory protection of children's personal information
On 14 December 2016, a US Senate committee issued a report recommending steps to mitigate data security and privacy risks in children's connected toys. The report (Children's Connected Toys: Data Security and Privacy Concerns) recommends that toymakers build in effective security from a connected toy's inception, and increase parental awareness of privacy issues. It also recommends that the US Federal Trade Commission ("FTC") monitor the connected toy space and exercise its authority when appropriate, in FTC's role as the federal regulator that enforces the Children's Online Privacy Protection Act ("COPPA") and the Federal Trade Commission Act ("FTC Act").
These two federal laws have important ramifications for manufacturers. Generally, COPPA gives parents control over the information that is collected online from their children. COPPA applies to operators of websites or online services that are directed to children and to operators of general audience sites or services that have knowledge they are collecting information from a child. Before a covered operator collects personal information from a child younger than age 13, the operator must provide that child's parents with notice about the operator's data collection and use practices and obtain verifiable parental consent. In the context of children's toys, a maker of a connected device that collects children's information could violate the FTC Act if it misrepresents its data collection and use practices. Even without a misrepresentation, if the toymaker fails adequately to protect the data it collects and uses, that failure could be deemed an unfair or deceptive trade practice in violation of the FTC Act.
While this issue is framed within the context of "smart toys" and the issues they raise regarding the unique sensitivity of children's personal information, it underlines the strict oversight that US officials generally give to children's privacy issues. Additional follow-up in this area seems likely.
The Report can be accessed here.
Update: Court of Appeal split vote upholds ruling prohibiting US Government from seizing emails stored outside the United States
We previously reported (see our previous update, available here) on a US appellate court ruling (issued 14 July 2016) that handed a major victory to Microsoft by finding that US authorities cannot compel US tech companies to disclose email content they store on servers located outside the United States. The US government filed a petition for rehearing on 13 October 2016, seeking to undo the appellate court's ruling. In January 2017, a vote taken by the judges of the United States Court of Appeals for the Second Circuit on whether the case should be reheard was split 4-4, which effectively resulted in Microsoft's victory being upheld. The US Department of Justice is expected to seek a review of this decision in the Supreme Court.
The decision may also add pressure on Congress to update the Stored Communications Act to better align the legal framework with 21st century technological realities.
US Food & Drug Administration issues cyber security guidance for medical devices
The US Food & Drug Administration ("FDA") has issued a guidance document setting forth FDA's (nonbinding) recommendations for "managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices".
FDA has recognised that, like other connected technologies, medical devices are vulnerable to security breaches. Unlike in most other cyber security scenarios, however, security breaches involving medical devices can directly impact the health and very life of patients. As FDA notes, "[f]ailure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury or death.", FDA Guidance, at 12. This vulnerability increases as medical devices are ever more connected to the internet and medical/hospital networks, as well as to other devices. This most recent FDA guidance represents another step in the agency's efforts to balance the increased cyber risks of connected medical devices with the benefits that such devices provide in terms of improved health care delivery and treatment.
Via the guidance, FDA encourages medical device manufacturers to take security into account throughout a product's entire lifecycle, including ongoing monitoring and identification of threats, and detection of vulnerabilities in the code these devices run. Per FDA, medical device stakeholders should focus on the risk of patient harm via assessment of the potential vulnerabilities in medical devices and the severity of patient harm if such vulnerabilities were exploited. To manage postmarket cyber security risks for medical devices, FDA recommends that companies implement a structured programme for cyber risk management, which among other things includes (i) monitoring cyber security information sources for identification and detection of vulnerabilities; (ii) maintaining "robust software lifecycle processes" that include mechanisms for monitoring third party software components for new vulnerabilities, as well as for design verification and validation for software updates and patches that are used to remediate problems; (iii) detecting and assessing the presence and impact of a vulnerability; (iv) adopting a coordinated vulnerability disclosure policy; and (v) using "threat modeling to define clearly how to maintain safety and essential performance of a device by developing mitigations that protect, respond and recover from the cybersecurity risk", FDA Guidance, at 13-14. In addition, FDA encourages application of the voluntary Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST) in 2014 with input from the public and private sectors: FDA Guidance, at 6.
Without question, the cyber security of medical devices will remain a key FDA concern as technology continues to evolve, and the recent guidance document will not be the agency's last word on this issue.
The guidance can be accessed here.
Attacks on crypto-currency start-ups highlight the limits of "permissionless" blockchains
Since Bitcoin's inception in 2008, there have been over one thousand crypto-currency start-ups launched, using Bitcoin's underlying technology, the blockchain. Hackers have recently been targeting both the digital wallets, which store the digital money, and the blockchains, where the transactions of virtual currencies are recorded. The significant rise in the number of crypto-currency start-ups being attacked signals the growing interest of cyber attackers in seeking to understand the boundaries of the new technology. More particularly, these hacks also highlight the distinction between "permissionless" and "permissioned" blockchains. Novice crypto-currency start-ups typically operate via "permissionless" blockchains, where anyone can authenticate transactions to be added to the ledger. They also have fewer "miners" in their network to ensure that the blockchain is kept consistent, complete and unaltered, but in turn they must compete with hackers who potentially enjoy superior processing power, making "permissionless" blockchains potentially vulnerable to the so-called 51% attack.
In contrast, several banks and financial institutions have invested in projects based on "permissioned" blockchains, which consist of a closed and monitored ecosystem where only authorised participants can contribute to the network. As such, they are generally less susceptible to attack. Developments in blockchain technology by financial institutions to date include the "Utility Settlement Coin", a new form of digital currency developed by UBS, Deutsche Bank, Santander, BNY Mellon and broker ICAP, which will facilitate payment and settlement for institutional financial markets and aims to achieve commercial introduction by early 2018. "Visa B2B Connect" is another blockchain-based platform aimed at providing a faster, more secure and transparent way for businesses to make payments. However, "permissioned" blockchains are not without their own downsides - an important one being that (for now) the technology has a narrower range of uses when compared with the alternative open network model, often being restricted to a specific financial instrument or sector. Currently, the fundamental trade-off is control and security versus the ability to scale. In any event, experts insist that the rise in recent blockchain attacks should not diminish the value of a rapidly evolving technology which is capable of several model variants (including hybrids) that can be adapted depending on the particular business case.
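The 51% attack referred to above, as an added illustration that is not code from the eBulletin: it implements the catch-up probability from the Bitcoin white paper, showing that while an attacker holds less than half the network's hashing power the risk to a recipient falls with every confirmation they wait for, and that at or above half no waiting helps. The parameter names q and z, the 0.1% risk target and the helper confirmations_needed are assumptions of this example.

```python
"""Catch-up probability for an attacker racing the honest chain.

Added illustration for the 51% attack passage in the eBulletin; not
the newsletter's own code. It implements the race analysis from
section 11 of the Bitcoin white paper. An attacker controlling a
fraction q of the hashing power mines a private chain in which, for
example, a payment never happened, and tries to overtake the public
chain once the recipient has waited for z confirmations. Nodes follow
the longest chain, so catching up rewrites that history.
"""
from math import exp, factorial
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q eventually
    overtakes a public chain that is z blocks ahead.

    For q >= 0.5 the private chain grows at least as fast on average as
    the honest one, so the attacker wins with certainty regardless of z.
    That is the 51% attack the text describes.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hashing power")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation depth")
    p = 1.0 - q                      # honest network's share
    if q >= p:
        return 1.0
    lam = z * (q / p)                # expected attacker blocks mined while
                                     # the honest chain produced z blocks
    # k = blocks the attacker has already mined (Poisson distributed);
    # the remaining gap of z-k blocks is closed with probability (q/p)^(z-k)
    # (gambler's ruin), so 1 - that is the chance the attacker never does.
    never_catches_up = 0.0
    for k in range(z + 1):
        poisson = exp(-lam) * lam ** k / factorial(k)
        never_catches_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - never_catches_up


def confirmations_needed(q: float, max_risk: float,
                         limit: int = 2000) -> Optional[int]:
    """Smallest confirmation depth keeping the attacker's success
    probability at or below max_risk; None when no depth suffices.

    This is the defender's control: a merchant or exchange accepting
    deposits on a small permissionless chain, where one party may hold a
    large share of the hash rate, must wait longer before treating a
    transaction as final. Hypothetical helper, not from the white paper.
    """
    if q >= 0.5:
        return None                  # majority attacker: no depth is safe
    for z in range(limit + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return None                      # not reached within the search limit


if __name__ == "__main__":
    print("  q    z   P(attacker overtakes)")
    for q in (0.10, 0.30, 0.45, 0.51):      # constructed sample shares
        for z in (1, 6, 24):
            print(f"{q:5.2f} {z:4d}   {attacker_success_probability(q, z):.7f}")
    for q in (0.10, 0.30, 0.45):
        depth = confirmations_needed(q, 0.001)
        print(f"q={q:.2f}: wait {depth} confirmations for <= 0.1% risk")
```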