Welcome to the third instalment of the 'When IT hurts, it hurts: Mitigation strategies for cyber attack loss' blog series. Coinciding with the release of MinterEllison's cyber survey report, Perspectives on Cyber Risk (the Report), this series focuses on key areas of loss that an organisation may suffer as a result of a cyber attack, and key strategies to mitigate that loss.
Today's blog post looks at two other feared exposures of our survey respondents - business interruption and loss of confidential information and intellectual property.
IT systems form an integral part of the operations of almost all organisations in our technology-dependent and interconnected global economy. If an organisation's key IT systems go down (or, as is increasingly the case, if the IT systems of its cloud or other outsourced service providers go down), the organisation may not be able to operate property - or at all. In the case of a cyber attack, key IT systems may be isolated and shut off to investigate a cyber attack (and to mitigate its fallout). This loss of operational capability may continue as systems are rebuilt.
An organisation's ability to continue to perform under contracts it has with third parties could be adversely affected by the organisation's (or its third party service providers') loss of operational capability arising from a cyber attack. Depending on the terms of those contracts, an organisation could find itself liable for delay costs, service credits or damages claims. Affected counterparties may also decide to terminate their contracts (potentially for cause). And it's not just existing contracts that may be impacted - the organisation's ability to write new business may also take a substantial hit.
Two recent examples of business interruption from the cyber trenches are:
- in July 2015, a number of UAE banks were hit by a distributed-denial-of-service (DDoS) attack which crippled their websites (including their e-banking operations) leaving the banks unable to process transactions or interact with their customers online;  and
- on New Year's Eve 2015, the BBC was hit with what has been widely described as the world's largest DDoS attack, which crashed its website and online media resources.
The mitigation strategy
Ensuring that third party IT service providers maintain backup services for cyber attack events is an obligation that is often expressly included in contracts. However when a cyber attack occurs, it may not always be dealt with properly or efficiently. It is important for the organisation to engage in immediate communication with its internal IT team, as well as its third party IT services providers, to streamline the migration of services across to backup systems and take other mitigation action. The less time systems are down, the better the outcome in terms of continuing normal business functions and keeping revenue flowing.
There are a number of mechanisms that suppliers and customers can include in their contracts to assist with protecting against the risks arising from cyber attack.
For third party suppliers, obligations in a contract which require the supplier to engage in certain activities in relation to assisting a customer to recover from a disaster should be qualified (ie, subject to reasonable commercial measures) in order to avoid the risk of being subject to overly onerous requirements. Flowing on from this, force majeure clauses which specifically reference cyber attacks can be used to excuse the performance of obligations where a major attack occurs restricting the supplier from performing its obligations.
From a customer's perspective, the contract should contain disaster-related service levels which require the third party supplier to return its systems to full capacity within a certain amount of time. Whilst other service levels may be suspended, these disaster-related service levels will be essential in driving the supplier's behaviour towards a quick recovery of systems. Customers should also look to ensure that, where a cyber attack is caused (either, directly or indirectly) by an act or omission of the supplier, it is clear that such an occurrence does not constitute a force majeure event and the supplier is held accountable for the failure.
An up-to-date, well-drafted and comprehensive data breach plan is also critical in the context of a cyber breach, as is proper implementation of the plan. If the plan is deficient, chances are that the business interruption will be greater than necessary. For example, time may be wasted conducting an audit of an affected organisation's systems where the plan refers to legacy IT services.
Key features of a good data breach response plan are as follows:
Click here to view image.
It's bad enough when cyber criminals make off with the personal information of an organisation's customers. However, for an organisation whose business is IP-centric, and that relies on secrecy, confidentiality and IP rights to guard its trade secrets, confidential information and other IP assets, the appropriation or exposure of those assets through a cyber attack may be devastating.
Confidential information may lose its confidentiality once communicated to the public and enforcing copyright and other IP rights across international borders can be difficult and costly. An organisation may lose its competitive edge in the market where its trade secrets and other IP assets are appropriated by a competitor or leaked to the public, or may incur significant legal costs in attempting to protect against unauthorised use of the organisation's IP assets. A prime example of confidential information being misappropriated from a business was the Sony hack in 2014. Countless emails between senior members of Sony's staff were leaked to the media, which exposed deeply private and sensitive conversations revealing racist and sexist views. Among the data extracted from Sony's systems was also a number of unreleased movies, which were subsequently leaked online for internet pirates to download.
The mitigation strategy
A key strategy for protecting valuable IP assets, including confidential and market sensitive strategies and data, is to ensure that those the organisation's networks are appropriately segmented and segregated at all levels. According to the Australian Signals Directorate (ASD), '[n]etwork segmentation involves partitioning the network into smaller networks. Network segregation involves developing and enforcing a ruleset controlling which computing devices are permitted to communicate with which other computing devices'.
Not only does segmentation and segregation assist with restricting the movement of a malicious intrusion to particular network segments, it also assists with detection and response to such an intrusion (as the individual network segments will likely contain audit and alerting capabilities of their own).
The ASD has set out five key principles which, when considered by organisations when segmenting its networks, result in 'best practice' network segmentation and segregation. These are:
- applying technologies at more than just the network layer – hardware-based firewalls are insufficient as the only protective security measure;
- using the principles of least privilege and need-to-know – systems should only communicate with one another where there is a essential reason for communication to occur;
- separating information and infrastructure based on the organisation's security requirements – different hardware for different systems depending on sensitivity of data;
- identifying, authenticating and authorising access for entities based on the organisation's security requirements – only those who need access should be granted access; and
- implementing whitelisting instead of blacklisting – granting access only to connections it is known are safe, rather than blocking those that appear or are known to be malicious.
If, however, it is too late, and key information assets have been misappropriated, you may wish to to increase your surveillance or monitoring of overseas markets, to ensure that your organisation's IP is not infringed in a jurisdiction where it may have the legal means to prevent such infringement.