CYBER Liability and CYBER Security (nov 21, 2014)(final)

CYBER LIABILITY AND CYBER SECURITY
Melanie Kamilah Williams
Senior Legal Officer – Financial Services Commission



Page 2

EXAMPLES OF E-COMMERCE, COMMONALITIES FOR USERS

Commercial providers offering market platforms to traders
Internet payment gateways
Social media pages (FB, Instagram, Twitter)
Search engines
Cloud technology

Page 3

CHALLENGES FACED BY BUSINESSES

Potential areas of cyber liability:
Weak systems to protect IP, website, customer information
Data capture and protection
Preserving confidentiality of email communication, intellectual property
Liability associated with website content, use of celebrity images
User privacy, use of cookies, sale of information to third parties

Solutions:
Cyber liability insurance
Corporate governance
Training staff on use of social media, emails
Training staff on basic security measures to protect data
Use of layered security measures
Contingency plans

Page 4

LEGISLATION RE CYBER LIABILITY IMPACTING FSC’S LICENSEES

Data storage and data preservation
Maintaining transactional data
Maintaining the confidentiality of client information, beneficiary information re pension plans
Data retrieval
Suspicious transaction reports
Know your customer – e-commerce
Cloud, network and data breaches
Managing financial information for clients, tax authorities

Securities Act and Regulations
Pensions (Superannuation Funds and Retirement Schemes) Act and Regulations
Insurance Act
POCA (Proceeds of Crime Act), Cybercrimes Act

Page 5

CYBERCRIMES ACT

Prohibits: unauthorized access to any program or data held in a computer.

It is unnecessary to establish any intention to access a specifically identifiable program or data, or any specific computer.

Section 3

Page 6

CYBERCRIMES ACT

Prohibits: any act which the person knows is likely to cause an unauthorized modification of the contents of any computer.

It is irrelevant whether the modification is, or is intended to be, permanent or temporary.

Section 5

Page 7

CYBERCRIMES ACT

Prohibits: securing unauthorized access to any computer in order to obtain, either directly or indirectly, any computer service.

Prohibits: unauthorized interception of any function of a computer.

Section 6

Page 8

CYBERCRIMES ACT

Prohibits: a person, without authorization or lawful justification or excuse, willfully causing either directly or indirectly:
A degradation, failure, interruption or obstruction of the operation of a computer
Denial of access to, or impairment of, any program or data stored in a computer

Section 7 of the statute


Page 10

EXAMPLES OF FSC’S POWERS

Section 67H (3) (d) of Securities Act – FSC can require any applicant, licensee or registrant to produce any data or information pertaining to its business in a form usable by the FSC for making legible copies

FSC can remove the data for purpose of copying – section 67H (4) (b)

“Anti-shredding” provision – section 67H (6) – any person who withholds, destroys, conceals, refuses to give or produce any data commits an offence

Page 11

EXAMPLES OF FSC’S POWERS

Section 68A of Securities Act – FSC can obtain a court order which prevents disposal of any assets by a person suspected of a breach

Section 68C – FSC can obtain an order prohibiting any person from dealing with property (including profits obtained from a securities offence) [Restraint and preservation of property order]

Page 12

EXAMPLES OF FSC’S POWERS

Section 68D – FSC’s right of access to examine books, records and information of affiliates of licensees or a group of companies

Section 68D(6) – The purpose of obtaining the information, including from the internal audit committee, is to assess its evaluation of risks as part of risk management

Section 68E – FSC may have access to communications data, in keeping with the powers given to it under section 16 (3A) of the Interception of Communications Act for any securities offence in Part V of the Securities Act

Page 13

EXAMPLES OF FSC’S POWERS

FSC can share information with its counterparts – Overseas Regulatory Agencies to support other investigations

See section 68F of the Securities Act and the FSC (Overseas Regulatory Authorities) Regulations

Page 14

INTERNATIONAL TRENDS – US REGULATION

Maintaining privacy of client information: in the US, under the Gramm-Leach-Bliley Act, financial institutions are required to have appropriate standards to preserve clients’ financial information.

Payment Card Industry Data Security Standard (PCI DSS) – to protect clients’ payment information.

Page 15

INTERNATIONAL TRENDS - USA

National Institute of Standards and Technology (NIST) – Cybersecurity Framework (issued in Feb. 2014)

Securities and Exchange Commission – Office of Compliance Inspections and Examinations (cybersecurity initiative)

SEC’s recent statements on management of cyber risks by the boards of directors of securities intermediaries

SEC Commissioner Aguilar – Cybersecurity is a Board Responsibility

Page 16

INTERNATIONAL TRENDS - EUROPE

ENISA, the European Union Agency for Network and Information Security, is the EU’s cybersecurity agency.

Regulation (EU) No 526/2013 of the European Parliament and of the Council (new regulation, June 2013)

ENISA will be working closely with Europol and member states of the EU

Page 17

INTERNATIONAL TRENDS - EUROPE

In March, the EU Council and Parliament considered the Cybersecurity Directive (formerly the Network and Information Security Directive)

General Data Protection Regulation (draft, 2013)

On October 30, 2014, over 600 firms across Europe participated in a cybersecurity exercise

Page 18

RESOURCES

Symantec Internet Security Threat Report 2014
NIST
Securities and Exchange Commission’s cyber guidance
NetDiligence – 2013 report on cyber liability and data breach
Verizon 2014 Data Breach Investigations Report
ENISA, regulation on data protection and cyber security

Page 19

THANK YOU FOR YOUR KIND ATTENTION

For additional information, please contact the Financial Services Commission at 39 – 43 Barbados Avenue, Kingston 5

www.fscjamaica.org