Cybersecurity.

Academic year: 2021

Our cybersecurity practice

But the continued growth of “cyber” technologies and the growing phenomenon of cyber-attacks pose significant business risks. Cyber attackers are often quick to spot the potential vulnerabilities of new technologies and to exploit them to commit civil and criminal offences (and to frustrate detection of those activities).

Unlike most tangible goods, the value of data has increased as the volume of data that is available and capable of being collected, processed and retained by organisations has exploded. The more data companies have access to, the better they get to know the market and their customers and the more value they can extract from it. In common with other valuable “assets”, data is therefore subject to heightened risk of misuse, alteration, theft or loss.

Cyber-security is about prevention of (and/or preparation for) cyber-attacks, but also about incident response once the risk has been realised. It requires an integrated approach across traditional security disciplines proactively to understand, detect and respond to advanced and evolving threats. Our integrated team of diverse practitioners reflects this requirement.

Computers, the internet, mobile devices and electronic transactions all play an important and ever-increasing role within the corporate environment, particularly for businesses with a strong online presence or with high volumes of customer data or other electronically stored information.

[Figure: business risks. Loss of IP and confidential information; Litigation; Costs; Regulatory sanctions; Business interruption; Financial loss; Damage to]

Prevention

The task of managing legal risk in relation to the threat of cyber-attacks has many different components.

Our experience in preventing cyber and information breaches includes advising on:

Practices: including education and training programmes, employee monitoring (including ILP and other measures); and penetration testing.

Policies: including with respect to data security, data retention and destruction; privacy impact assessments and risk assessments.

Contracts: including review and drafting of provisions concerning imposition of security standards (eg specifications, testing and rights to participate, certification, audits, training), governance and control (eg reporting requirements, step in rights, control of announcements and communications with authorities) and liability (eg force majeure, recoverable losses, insurance).

Governance: including advising on appropriate structures and processes (eg with respect to service provider selection and management).

Insurance: including reviewing coverage especially exclusions.

Standards: including awareness and understanding of available standards and guidance (eg from NIST, BIS, ENISA, EC3, ISO and others).

Incident response

Allen & Overy’s cross-practice team of cyber-incident response specialists supports clients to ensure they are resilient to cyber-attacks or other data breaches which may impact them or their customers or clients. We act as a partner to make sure you react quickly and effectively.

Our experience in reacting to cyber and information breaches includes advising on:

Investigations: including assisting with investigations by law enforcement authorities and regulators

Coordination: including coordination, managing internal stakeholders and

Reporting: including advising on reporting obligations (eg to markets, insurers, counterparties, regulators).

Civil remedies: including pro-active response and civil remedies (such as Emergency Injunctions,

“Wash up”: including dealing with post-incident actions, including liaison with regulators, defence

Communications: including advising on approach to, and facilitating,

Overview of threats and trends

This table is sourced from the European Networking and Information Security Agency publication, ENISA Threat Landscape – Overview of current and emerging cyber-threats, December 2014.

Top 10 Threat Trends in Emerging Areas

Top Threats | Current Trends | Cyber-Physical Systems and CIP | Mobile Computing | Cloud Computing | Trust Infrastr. | Big Data | Internet of Things | Netw. Virtualisation

1. Malicious code: Worms/Trojans | ↑ ↑ ↑ ↑ ↑ ↑ ↑

2. Web-based attacks | ↑ ↑ ↑ ↑ → ↑

3. Web application attacks / Injection attacks | ↑ ↑ ↑ ↑ ↑ ↑ ↑

4. Botnets | ↓ ↑ ↑

5. Denial of service | ↑ ↑ → → ↑ ↑

6. Spam | ↓ ↑

7. Phishing | ↑ ↑ ↑ ↑ ↑ ↑

8. Exploit kits | ↓ ↑ ↑ ↑

9. Data breaches | ↑ ↑ ↑ ↑

10. Physical damage/theft/loss | ↑ ↑ ↑ ↑ ↑ ↑ ↑

11. Insider threat | → ↑ ↑ ↑ ↑ ↑

12. Information leakage | ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑

13. Identity theft/fraud | ↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑

14. Cyber espionage | ↑ ↑ ↑ ↑ ↑

15. Ransomware / Rogueware / Scareware | ↓ ↑

Trends: ↓ Declining, → Stable, ↑ Increasing

A US-based global bank on developing a pro-active strategy for responding to cyber-attacks, including participation in wargames and preparation of court papers for the purpose of pursuing remedies through the courts.

A global financial services group on an electronic denial-of-service attack set up by a former customer combined with threats and other offences.

A major UK retailer on responding to a data breach perpetrated by an employee, including liaison with the ICO and other law enforcement authorities.

A leading provider of financial messaging services on the legal aspects of the security of its global network, including provision of penetration testing by third party vendors.

The administrators of a UK retailer in administration on responding to a data breach affecting customer data.

A fund manager on an assessment of its approach to cyber-risk management, including a training programme targeting all levels of the organisation.

Toyota Motor Europe on the review of data retention and encryption issues relating to the IT security policy code of Toyota Motor Europe.

An online services provider in relation to third party disclosure applications, requesting customer information for asset-tracing purposes. We successfully defended a number of these Norwich Pharmacal applications on behalf of our client.

An international bank on cyber attacks co-ordinated by botnets (in particular, fraudsters infecting customers’ computers with trojans which hid on their computers until the customer navigated to the online banking website, and subsequently client information was captured and uploaded by malware

Several Luxembourg financial sector actors (including banks and electronic payment services providers) on the approach to be taken in responding to a data breach affecting customer data from both, a banking regulatory

A global bank on assessing its risk of different modes of cyber-attacks from different actors/jurisdictions.

A media organisation on freedom of information request issues and reputation management aspects following a widely publicised attack on its networks.

An international bank on the legal risks associated with taking private action against attacks on its online banking platform co-ordinated by botnets.

A major international hedge fund in relation to the hacking and theft of highly valuable confidential information and trading strategies by a rogue employee. This was a critical case for the client and involved civil and criminal proceedings in multiple

A global provider of service solutions to the power generation industry, on data privacy issues in connection with the rollout of data loss prevention software. This advice covers 18 jurisdictions.

Key team members

Catherine Di Lorenzo, Senior Associate – Luxembourg, Tel +352 44 44 5 5129

Peter Eijsvoogel, Partner – Amsterdam, Tel +31 20 674 1295

Lawson Caisley, Partner – London, Tel +44 20 3088 2787

Philip Mansfield, Partner – London, Tel +44 20 3088 4414

Will McAuliffe, Partner – Hong Kong, Tel +852 2974 7119

Victor Ho, Partner – Beijing, Tel +86 10 6535 4381

Mark Ridgway, Partner – London, Tel +44 20 3088 3720

Nigel Parker, Partner – London, Tel +44 20 3088 3136

Filip Van Elsen, Partner – Antwerp, Tel +32 3 287 73 27

Ahmed Baladi, Partner – Paris, Tel +33 1 40 06 53 42

Krystyna Szczepanowska-Kozlowska, Partner – Warsaw, Tel +48 22 820 6176, krystyna.szczepanowska-kozlowska@allenovery.com

Benjamin Bai, Partner – Shanghai, Tel +86 21 2036 7001

William White, Partner – Washington, D.C., Tel +1 202 683 3876

Jane Finlayson-Brown, Partner – London, Tel +44 20 3088 3384

Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP’s affiliated undertakings.

Bangkok, Barcelona, Beijing, Belfast, Bratislava, Brussels, Doha, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Jakarta (associated office), Johannesburg, London, Luxembourg, Madrid, Milan, Paris, Perth, Prague, Riyadh (cooperation office), Rome, São Paulo, Sydney, Tokyo, Warsaw, Washington, D.C., Yangon
