Cyber Security: Whose problem is it?

Shine Webinar Series Cyber Security: Whose Problem is it? Paula Barrett, Eversheds LLP 27 November 2014


As press coverage of ever more sophisticated cyber attacks increases, so does the realisation that this is no longer the stuff of fiction affecting only particular “secret” sectors. Nor can it just be regarded as “IT’s problem”. This session will look at the important role that in-house counsel can play in addressing cyber risk, exploring the legal risks associated with it, the practical steps that can be taken internally and what to do if a cyber penetration occurs.

Transcript of Cyber Security: Whose problem is it?

Page 1: Cyber Security: Whose problem is it?

Shine Webinar Series: Cyber Security: Whose Problem is it?

Paula Barrett, Eversheds LLP, 27 November 2014

Page 2: Cyber Security: Whose problem is it?

Cyber Attack

What is it?

Why do it?

Page 3: Cyber Security: Whose problem is it?

Whose role/responsibility?

Information Security?

Compliance?

Legal?

Board?

HR?

Marketing & Comms?

Finance?

Page 4: Cyber Security: Whose problem is it?

Where to Start?

Understand the Risks

Prevention

Dealing with an Incident

Page 5: Cyber Security: Whose problem is it?


Understanding the Risks

Page 6: Cyber Security: Whose problem is it?

Types of Asset to be protected

• Financial information
• Sensitive Personal Data
• Personal Data, e.g. customer and staff information
• Intellectual Property
• Other corporate information

Page 7: Cyber Security: Whose problem is it?

Understanding Legal Risks

Legal Obligations/Risks:

• Data Protection
• Sector specific (e.g. financial services – Prin 3)
• Corporate Duties?
• Directors' Duties
• Contractual Confidentiality (to others)
• Negligence
• Health & Safety
• Others?

Page 8: Cyber Security: Whose problem is it?

Risk

• International Risk variants? e.g. US class action
• Loss of valuable data/competitive advantage
• Reputational Damage
• Regulatory Sanctions
• Financial loss – theft of information, money, banking information
• Disruption to trading
• Costs of sorting out the incident and stopping further penetration
• Damages claims from individuals or third parties
• Share value/merger opportunities
• Contractual sanctions, e.g. PCI-DSS
• Shareholder claims

Page 9: Cyber Security: Whose problem is it?


Incident Prevention

Page 10: Cyber Security: Whose problem is it?

Technical/Operational Prevention

• Security Controls – technical, operational
• People (including board members) – access controls, home/mobile working, removable media, information sharing exchanges
• Testing
• Backups
• External expertise required?

Page 11: Cyber Security: Whose problem is it?

Prevention/Protection – People

Training

Psychology of Security

Align with other programmes

Making it real for staff

Regular reminders/prompts

Page 12: Cyber Security: Whose problem is it?

Protection – Reducing Legal Risk

• Record Retention
• Contracts
  – Review wording in customer, supplier and other third party contracts
  – What commitments obtained or given
  – Data Protection Wording
  – Confidentiality Wording
  – Breach reporting
  – Audit
  – Force majeure
  – Liability
  – Public Announcements
  – Information/Assistance
• Procurement processes – asking due diligence questions of suppliers
• Review Policies
  – Employee, Supplier and Customer facing
  – Employees – IT Use, Home/Mobile Working, Social Media, Data Protection

Page 13: Cyber Security: Whose problem is it?

Keeping Alert

• Monitor strategy
• Information gathering/alerts
• Keeping abreast of best practice guidance issued
• Use of consultants/external advisors
• Participation in sector and other groups
• Regular board topic?
• Insurance
  – Check scope and exemptions from existing policies
  – Worth it?

Page 14: Cyber Security: Whose problem is it?


Responding to a Cyber Event

Page 15: Cyber Security: Whose problem is it?

Have a Plan A…

• Know what to do
• Cyber Incident Response Team identified?
• Internal notification processes (NB communications may be down)
• Rehearsal?
• Disaster Recovery Plan
• Business Continuity Plan

Investigate

• Fact finding/investigation – what type of data, volume, timing
• Identify the vulnerability
• Remove ongoing threat
• Use of legal privilege

Notices

• Notifying individuals or third parties whose data is affected
• Notifying regulators, police or other bodies of attack
• Listed businesses – market announcement required? Notifying shareholders under Listing principles? Price Sensitive information/insider notification?
• Ongoing communications

Dealing with incident

• IP protection strategy – cease and desist, injunctions etc.
• Recovery of monies stolen
• Cyber extortion
• Lessons learnt

Page 16: Cyber Security: Whose problem is it?

Further reading….

Gov.UK
• Cyber risk management: a board level responsibility
• 10 Steps to cyber security: executive companion
• 10 steps to cyber security: advice sheets

https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility

CPNI: http://www.cpni.gov.uk/advice/cyber/

Page 17: Cyber Security: Whose problem is it?

Cyber-security: whose problem is it?

Contact

Paula Barrett
DD: 0845 497 4634
Intl: +44 113 200 [email protected]

• For further information on our upcoming SHINE events and webinars, please visit our website: http://www.eversheds.com/global/en/what/services/in-house-counsel/events.page