Data loss and information management. Risks and solutions

Academic year: 2021

The opportunities and risks of new information technologies are probably more evident in the finance industry than in any other sector. Today, so much data is processed and transferred between different locations inside and outside the company that it is difficult to maintain an overview. Cases of data loss which have become known to the public clearly demonstrate the dangers associated with the new technologies: staff use Facebook, Twitter or blogs to spread confidential or falsified information; competitors use information technologies for industrial espionage; confidential information is stolen and sold for a fee to third parties, whereupon nations also appear among the potential buyers.

As the risks of data loss rise, the regulatory requirements are also increasing. It is to be expected that effective information management, from the point of view of the industry and of the supervisory authorities, will be part of the minimum requirements in the foreseeable future.

Information is one of the most valuable resources of any company. Yet despite the dangers, even larger banks have difficulties protecting themselves against data loss effectively. For instance, surveys show that only a quarter of companies have sufficient protection against misuse of information. In this publication, we make clear the need for action. And we demonstrate the specific steps with which the protection of critical data and information can be improved.

It is essential to include the new dangers in the management’s and board of directors’ risk map and they must be monitored continually within the framework of risk reporting. Information management is a priority strategic task for top management and is not to be delegated to IT specialists. The means of information processing available today are to be well-coordinated with processes and people and to be further developed on an ongoing basis with regard to preventative and forensic measures. Establishing effective and efficient data protection in this way takes up time and resources, which is why it makes sense to bring in external experts.

We hope you find this to be a motivational read. Should you have any questions for us, or if you would like to discuss individual aspects in more detail, please contact a member of our team. We look forward to hearing from you.

1 Executive summary
2 Information security under threat
3 Increasing regulatory requirements
4 Major risks – insufficient protection
5 Preventative solutions
6 Forensic solutions

1 Executive summary

Information security under threat

Technological development has significantly increased the risks of loss and misuse of critical information. Over 90 percent of information is now stored in digital form. With the means available today, misuse can be realized easily and at little cost. Political and societal changes promote the criminal use of such instruments. In addition, negligent handling of communication media and data carriers can cause considerable damage to a company, particularly banks and insurance companies.

Increasing regulatory requirements

Legislators around the globe are intensifying the regulations for protection of critical information. At the same time, new supervisory laws and expectations of authorities are increasing the pressure on the regulated companies. At present, it is very difficult to see where this trend is leading and what costs it will entail, but it is certain that the risks will increase if institutions do not adhere to the new requirements.

Negligence leads to major damage

Most companies are insufficiently protected against attacks. The consequences of this negligence are reflected in the significant scale of data losses: since 2005, over 250 million customer data entities with sensitive or confidential information have been lost or stolen in the banking sector worldwide. Noteworthy improper disclosures of information on the Internet demonstrate further weak points.

Information management and risk management as strategic tasks

In view of the potential threats, information management is a priority strategic task for top management. It is essential to include the risks presented by data loss in the management’s and board of directors’ risk map and to review them regularly (risk reporting).

Tailored solutions

For modern information management, there are no standard solutions which suit all threats. Every concept must match the requirements of the institution and the risk profile. Every solution focuses on the information and the corresponding data and data processing media, as well as on the people and processes. Preventative and detective protection measures must be directed at these elements.

Forensic measures

There is no such thing as complete protection of sensitive data. If misuse of critical information has been detected, forensic measures must be taken immediately, so as to prevent or minimize further damage and to secure evidence. Comprehensive clarification is necessary, not only from a regulatory point of view, but also in order to eliminate weak points and to prevent further damage in future. Often, there is also official pressure to expose misuse and to hold guilty parties accountable.

2 Information security under threat

Every company has information which must be protected. This is particularly true in the financial sector, as here the customer data contains a lot of sensitive information (in the remainder of this publication, most statements refer to banks for reasons of simplification, but they apply to financial intermediaries in general). The risks, if such data falls into the wrong hands, are correspondingly high.

Technological development is contributing greatly to the growing risks. Today, an increasing number of bank applications can be conducted at different locations, processing is decentralized and banks have local databases. At the same time, mobile devices, in which new security holes are being discovered on a regular basis, are becoming more widespread. Facebook, Twitter, blogs and other Internet media are leading to a voluntary “transparent intimacy”, but can also be misused for criminal purposes. The boundary between conveying personal information and divulging confidential data from the workplace is becoming blurred. Such betrayal can occur through negligence or misuse, but is always preceded by access to data and transport thereof. Appropriate protection and monitoring of this data are key elements of information management, which fall under the heading of “data leakage prevention”.

Data leakage prevention (DLP)

These measures, also referred to as data loss prevention, include tools and processes for identification, monitoring and protection of sensitive data or information. DLP concentrates on two things: that certain data does not leak out of a company and that unauthorized access to, or forwarding of, sensitive data is discovered early.
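As an added example (not code from the Ernst & Young publication), the following Python script shows the kind of outbound-content check a DLP tool performs on data that is being moved out of the company: it scans constructed sample messages for a payment card number that passes the Luhn check, an IBAN with a valid mod-97 checksum, and an explicit classification label, and returns a block/alert/allow decision depending on whether the recipient is external. The patterns, the label vocabulary and the decision rule are assumptions chosen for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Patterns are assumptions for the demonstration, not a vendor's rule set.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")            # 13-19 digits, optional separators
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")   # country code, check digits, BBAN
LABEL_RE = re.compile(r"\[(CONFIDENTIAL|INTERNAL|PUBLIC)\]", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end, map letters to numbers."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


@dataclass
class Finding:
    kind: str      # "card_number", "iban" or "label"
    value: str


@dataclass
class Verdict:
    action: str    # "block", "alert" or "allow"
    findings: list = field(default_factory=list)


def scan(text: str) -> list:
    """Return every indicator of sensitive data found in an outbound message."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card_number", digits))
    for m in IBAN_RE.finditer(text):
        if iban_ok(m.group()):
            findings.append(Finding("iban", m.group()))
    m = LABEL_RE.search(text)
    if m and m.group(1).upper() != "PUBLIC":
        findings.append(Finding("label", m.group(1).upper()))
    return findings


def decide(text: str, external_recipient: bool) -> Verdict:
    """Assumed policy: sensitive content to an external party is blocked; internally it raises an alert."""
    findings = scan(text)
    if not findings:
        return Verdict("allow")
    return Verdict("block" if external_recipient else "alert", findings)


if __name__ == "__main__":
    # Constructed sample messages; the card number and IBAN are the usual published test values.
    samples = [
        ("Hi, my card 4111 1111 1111 1111 expires next month", True),
        ("[Confidential] Q3 customer list attached", False),
        ("Please pay to GB82WEST12345698765432 by Friday", True),
        ("Lunch at 12?", True),
    ]
    for text, external in samples:
        v = decide(text, external)
        print(f"{v.action:5} external={external} {[(f.kind, f.value) for f in v.findings]}")
```

The check is deliberately narrow. A production deployment would add fingerprints of classified documents, cover further channels (removable media, printing, web uploads) and log every verdict so that unauthorized forwarding is discovered early, but the structure is the same: detect the sensitive content, classify it, and decide per channel and recipient.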

Manifold threats to information security

The loss of sensitive data can have various causes, as the examples in this overview illustrate.

Threats to information security at financial institutions:

- Theft of intellectual property or data by disappointed staff
- Inappropriate access rights to systems, which lead to cases of fraud
- Organized crime which targets customers and leads to financial damage (e.g. phishing attacks)
- Staff who send sensitive or inappropriate information via email without protection
- Loss of notebooks, portable storage media (e.g. USB sticks and CDs) or backup tapes
- Loss of paper documents with sensitive data (e.g. customer output from banks)
- Publication of false information on the Internet (exchange rate manipulation, damage to reputation)
- Loss of credit card details

3 Increasing regulatory requirements

In addition to the rules regarding credit risks and market risks, legislators and supervisory authorities have, in recent years, also intensified the requirements pertaining to management of operational risks (e.g. Sarbanes-Oxley and ICS). Just as the financial crisis has resulted in additional regulations, specific cases of information misuse and data theft have motivated regulators to increase data protection requirements. These requirements increase pressure for comprehensive preventative solutions against data loss and theft (data leakage prevention). The IT analyst company Gartner expects these tools to be an indispensable part of good company management (code of practice) in Europe by 2015.

Already today, numerous national and supranational regulations have a direct or indirect influence on the protection of data and thus on information management, as the examples in the following overview illustrate:

Regulation of information management (overview):

- Banking laws and stock exchange laws
- Regulations for increased tax transparency (OECD, U.S. and others)
- Penal laws and competition laws
- Regulations on outsourcing and offshoring
- EU Data Protection Directive
- Data protection laws

Violation of professional secrecy: Professional secrecy is anchored within banking laws and stock exchange laws. Anyone who reveals secrets, with which they have been entrusted in their role as an agent, employee or representative of an institution, must expect imprisonment or a fine.

Violation of industrial or trade secrets: The violation of industrial or trade secrets is governed by penal laws. Anyone who has a legal or contractual obligation to keep such secrets and breaches it can face imprisonment or a fine. Competition laws apply in the event that someone uses, or conveys to third parties, trade secrets that become known to them through illicit means. Such breaches of the rules of fair competition are prosecuted.

Data protection: National data protection laws express data protection in concrete terms and stipulate that personal data be protected against unauthorized handling by means of suitable technical and organizational measures.

Outsourcing and offshoring: Specific outsourcing regulations establish the principles which must be adhered to when outsourcing functions or processes. Among other things, these include the protection of trade secrets and data. In cases of outsourcing, the responsibility for information security generally resides with the outsourcing bank. In cases of offshoring, a bank generally has to adhere to the same data protection rules that apply to outsourcing.

Cross-border data exchange: Increased internationalization has meant that data is transferred across national borders more often. For this reason, various laws govern the manner in which cross-border transactions are to be conducted. The most significant factors here are the storage and archiving of data, for instance in connection with money laundering and counter-terrorism.

International context: Of importance at supranational level is the European Union’s Data Protection Directive on Privacy and Electronic Communications (Directive 2002/58/EC). Also relevant in the international context is the tightening up of tax legislation, which numerous nations and supranational organizations like the OECD have implemented in order to combat tax evasion. Also worthy of note is the obligation to furnish information in the event that sensitive data is lost, as introduced in the U.S. and Germany.

Governance and liability risk

Once the information management guidelines are an integral part of good company management, it is imperative that banks adhere to the conditions. As a result, the institutions can be held responsible in this regard. Thus, if data falls into unauthorized hands, the liability risk comes on top of the material damage and loss of image. This means that institutions and persons in charge at the bank can be prosecuted for data loss accordingly.

Thus, governance becomes a key factor. Today, it is already conceivable that many of these new tasks rest on the shoulders of management and the board of directors. The top executive committees must take the steps necessary to meet the requirements. Section 5 describes the measures with which banks can prepare themselves for the tasks to be faced.

4 Major risks – insufficient protection

The scale of data loss is considerable. Privacy Rights Clearinghouse has calculated that since 2005, when records of data breaches began, over 250 million customer data entities with sensitive or confidential information have been lost or stolen worldwide. A study by the computer manufacturer Dell also shows how often sensitive data is lost. In 2008, Dell investigated the hundred most important American airports and discovered that at these airports around 12,000 laptops are lost each week. Only 30 percent of them are found again. In Los Angeles alone, 1,200 computers are lost weekly. Dell concluded from this that considerably more devices are lost than companies indicate. The fact that around half of the surveyed business travelers stated that their laptops contained customer data or other confidential business information is quite telling in this context.

As regards the danger of external attacks, the cases which have become public demonstrate that larger organizations are increasingly forming actual networks in order to access information. The scale of this organized criminal activity can also be estimated on the basis of the flourishing online trade in stolen customer data, credit card numbers and access rights. The software needed in order to seek out such data is also on offer.

Insufficient security precautions

Ernst & Young’s Global Information Security Survey in 2009 makes clear that only a minority of financial institutions use the available technologies and processes in order to improve information security.

Only a quarter of the surveyed companies use tools for the prevention of data loss. Thus, three out of every four companies are inadequately protected. It is also remarkable that today just 41% of companies encrypt laptops, despite the fact that the required technology is available at affordable prices. Digital rights management, i.e. protection of intellectual property rights in the digital domain, is still in its infancy. This can ensure, for example, that only those staff with the corresponding rights have access to digital information. In this regard, the classification of information and documents is a key prerequisite.

Technology                              Currently in place   Planned in 1 year   Under evaluation   Not used
Content monitoring and filter programs  69%                  9%                  10%                12%
Data leakage prevention tools           25%                  22%                 28%                25%
Desktop encryption                      15%                  12%                 34%                39%
Digital rights management               14%                  10%                 31%                45%
Email encryption                        35%                  15%                 25%                25%
Encryption of mobile media              25%                  19%                 29%                27%
Laptop encryption                       41%                  17%                 23%                19%

Source: 2009 EY Global Information Security Survey

At any rate, companies are aware of the need for action. According to the survey, some of the tools are to be introduced or evaluated within a year. The growing awareness also comes across in the responses to the question on the three most important security aspects of the coming year. A total of 47% mention improvement of risk management relating to information security, 40% intend to use or improve data leakage prevention technologies and 39% want to train staff and to raise staff awareness.

Manifold dangers

Below is a summary of various actual cases, which have been anonymized for this publication. The table clearly shows the risks which institutions face.

Case 1
Environment: Inappropriate access rights to applications with sensitive data
Data: Customer identification data
Culprit: Frustrated staff
Opportunity: Export of sensitive data into a file which was copied onto a CD.
Procedure: Standard data export procedure.

Case 2
Environment: System development or migration
Data: Complete tables with sensitive data
Culprit: Software developer
Opportunity: The culprit was given authorized access to sensitive customer data in the course of his regular work.
Procedure: Database tables were copied into files before they were loaded onto the new system.

Case 3
Environment: Exploitation of weaknesses in a database’s development environment
Data: Customers’ account numbers, names and other identification information
Culprit: Database administrator with understanding of test procedures
Opportunity: The data anonymization algorithm was changed so that data flowed into a hidden table.
Procedure: Database script for reading the data was executed while the supposedly anonymized data was being transferred.

Case 4
Environment: Breach of trust between developers
Data: Customers’ transaction data
Culprit: Experienced IT developer
Opportunity: Inexperienced IT developer who asked the culprit for support; the culprit was given privileged access to a protected system.
Procedure: The combination of illicitly viewed linking data with anonymized data to which the culprit had regular access led to the loss of confidential data.

Case 5
Environment: Data loss in front office
Data: Screenshots of bank systems
Culprit: Call center staff member belonged to a ring of fraudsters
Opportunity: Culprit was unsupervised and worked on the weekend.
Procedure: Screenshots were saved on a USB stick.

Case 6
Environment: Data interception in intermediate systems
Data: Customer statements
Culprit: IT contractor on a secondary IT system
Opportunity: Data was intercepted upon printing of statements and during preparatory work on
Procedure: Data was diverted from an insecure proxy server.

This overview demonstrates the spectrum of possible data loss. Given a certain amount of criminal energy, it seems that any kind of data can be diverted. It is also notable that not every case requires sophisticated procedures to be carried out by IT specialists, but that often standard procedures or even simple screenshots are enough for data theft.

5 Preventative solutions

There are no standardized turnkey solutions for data leakage prevention. The protective measures which can be taken are as diverse as the possible attacks on data security. Some of these are preventative steps, taken in order to prevent attacks effectively. Others are reactive tools of importance when data loss has occurred; these forensic measures are addressed in more detail in section 6.

The data security model developed by Ernst & Young has proven effective in coordinating the various data protection tools with each other and tailoring them to suit the individual requirements of an institution. The model is implemented according to the principle of using the suitable security measures which already exist within the company and consistently directing them towards the topic of information management requirements.

Data security model (figure)

Basis: Data classification; Data protection governance

Moved data: Perimeter security; Data leakage prevention; Email encryption; Auditing & monitoring

Edited data: Protection of intellectual property rights; Encryption methods; Data leakage prevention; Data preparation; Management of identity and access; Data concealment; Auditing & monitoring

Stored data: Database encryption; Data leakage prevention; Auditing & monitoring

Encryption labels across the figure: Encryption of stored data; Encryption of moved data

Components of the data protection program: Personal protection; Raising of awareness & training; Data protection; Configuration management; Access control; Protection of system and data; Emergency response plan; Physical protection; Emergency procedures

Relevant organizational units: IT resources; Human resources; Internal and external communication

The model is based on the data. This also includes classification thereof. A bank must know which data is sensitive and which is not. The volume of information collected is too large for the strictest security requirements to be met for all of it. The basis of the model also includes data-oriented management, auditing and reporting, as well as data governance and compliance.

The data is at the center of the model. Most of this is in electronic form: companies store over 90 percent of information digitally. Here, a distinction can be made between three types: moved data, edited data and stored data. Specific tools are important for each of these groups.

These tools are supplemented by general data protection programs, the components of which include, for instance, guidelines, access controls and training programmes.

Particular attention is to be paid to three organizational units: the IT domain, human resources and internal and external communication. In these areas, highly sensitive data is handled, which is why the correct implementation of information management measures is absolutely vital here.

Solution dimensions

The measures for protection of critical information cover different dimensions:

Data security model: enables coordination of all preventative and reactive tools

Risk management: the risks which data leakage entails must be identified and continually monitored (e.g. risk map and risk reporting)

Top-down: guarantees a holistic approach, so as to coordinate the realms of people, processes and technology

Risk identification and risk assessment

Only when a bank has precise knowledge of the threats in information management, can it take the right precautions. This makes thorough analysis of the risks all the more important. Therefore, it is essential to include the threats presented by data loss in the management’s and board of directors’ risk map and to review them regularly (risk reporting). In this regard, a distinction can be made between the following five risk dimensions:

Reputation risk: If confidential customer data falls into the wrong hands via theft, loss or disclosure, this can do significant harm to a bank’s image.

Legal risks: If legal requirements are not observed, this opens up the possibility of various legal steps, such as claims for damages lodged by aggrieved bank customers, legal action taken by supervisory authorities and criminal lawsuits. This can affect the companies as well as the involved agents.

System-inherent risks: The development of information technology and communication technology entails significant operational risks, due both to the electronic storage and transfer of confidential customer data and to possible technical defects and weak points.

The human being as a risk factor: In cases of negligent or intentional data loss, staff are usually involved. Besides personal issues, their behavior is also influenced by personnel policy, the employment relationship, control and supervision.

Financial risks: Misuse of sensitive data entails significant costs for the affected institution. In addition to the losses caused by loss of image and payment of damages come the costs for clearing and processing the incident.

Risk assessment is aided by self-assessment. This method clarifies where a bank stands with regard to data leakage prevention. Here, maturity models are generally used, so as to be able to draw conclusions about the quality of the measures already taken.

Holistic approach

If an institution wants to address the challenge of data leakage holistically, a top-down approach is essential. Those in charge must not be under the illusion that information management is a technical task which can be delegated to the IT department. Instead, top management must be actively involved, so as to detect threats early (risk management) and to raise awareness of the task throughout the entire company.

Three areas are important: people, processes and technology. Only if these areas are addressed and the measures are coordinated with each other can effective protection of sensitive data be achieved.

People, processes and technology (figure). Elements shown: Roles; Governance; Communication; Strategy; Procedures; Infrastructure; Access controls; Network-based; Host-based; End user security; Data classification; Emergency response plan; Audit and monitoring

Time frame

There are many indications that data leakage prevention will be a prerequisite for good business conduct by 2015 and that the regulators will adopt these requirements. It is essential to address the challenge of data leakage early, because analysis, evaluation and introduction of the necessary measures take up time and resources.

Road map (figure): Understanding data; Risk assessment; Review of current DLP measures; Identification of drivers and hurdles; Further information; Profitability analysis; Definition of strategy; Selection of DLP technology; Implementation

Immediately:

First comes self-assessment regarding data loss and data protection. The driving forces for DLP and the hurdles are also to be identified immediately. Further information is also to be incorporated into these analyses, covering aspects ranging from the legal, IT and audit departments, to stakeholders, right through to suppliers and competitors.

In one month:

The top management must understand all data collected. This includes the sensitivity, as well as the processes for handling, storage and transfer (life cycle). In the same time frame, risk assessment has to be conducted with regard to people, processes and technology. Existing DLP programs are to be reviewed.

In the next six months:

The next step is to conduct a profitability analysis. A strategy and plan of action can then be compiled. Attention is to be paid to people and processes before technology.

In one year:

Only when a bank has taken these steps and defined a clear strategy, should providers of DLP technologies be identified and thoroughly evaluated.

In the next 18 months:

Sufficient time must be allowed for implementation of the selected DLP measures. Furthermore, in order to adapt processes and to train staff, the necessary internal and external resources must be provided.

6 Forensic solutions

Forensic investigation (figure): Project kick-off; Project set-up; Securing of evidence; Search for information; Preparation of the system; Fact gathering; Data analysis; Creation of scenarios; Testing of scenarios; Chronology of events; Interviews; Inspection of documents; Consolidation of information; Investigation

There is no such thing as complete protection of sensitive data. In view of gross negligence or criminal energy of staff or external parties, a residual risk of data loss remains. Therefore, in such cases it is essential that a bank takes the right steps to limit the damage and to clarify the circumstances. Such cases often result in civil or criminal proceedings (claims for damages, charges, work processes, etc.) or public enquiries (e.g. investigation carried out by supervisory authorities or public prosecutors). For this reason, an affected institution not only has to know exactly what happened, but it also has to be able to explain it with suitable evidence. This can only be achieved with the aid of forensic measures.

Methodically, a distinction can be made between four groups of tools: firstly the preparation and restoration of data (computer forensics), secondly the analysis of unstructured data, for example email correspondence (eDiscovery), thirdly the analysis of access rights (records management) and fourthly the analysis of structured data, e.g. customer data, or data from SAP systems (forensic data analytics).

The cases of data theft which have recently become known to the public all have one thing in common: the affected institutions were not sufficiently prepared. Insufficient knowledge and inadequate methods enabled more data to leak out and evidence to be destroyed, increasing the damage suffered.

A four-step approach

One of the greatest difficulties with data loss is that an affected bank often only learns that such an incident has occurred after hearing about it from the authorities or the media. At that point, the bank does not know where the data leak occurred, or what data was leaked.

A thorough investigation provides clarity. It runs in four phases, as shown in the following diagram:

Four-phase investigation (diagram): Phase I; Phase II; Phase III; Phase IV; Improvements

Once a bank learns that data has been lost, crisis management takes on utmost importance (phase I). Part of this is to stop the leakage of further data. At the same time, the bank must do everything to secure evidence. Anyone who does this without the necessary specialist knowledge, particularly when electronic data is involved, runs the risk of altering or destroying valuable information, meaning that it cannot be used in court.

One key aspect when processing a case of damage is the creation of possible scenarios (phase II). This involves drawing up hypotheses about the nature of a possible instance of data loss. Due to the fact that at the start it is often the case that little is certain about the quantity and quality of the lost data and about the persons involved, only the most likely possibilities can be looked into here, as regards the channels via which certain data may have left the company. The plausibility of these scenarios is examined in the next step. The goal must be to be in a position to estimate the damage, i.e. to know how many customers are affected, how much data has leaked out and how significant this information is. On the basis of the most likely scenarios, it is then possible to look into who the culprit could be (phase III). In-depth clarification narrows the circle, whereby there may also be accomplices to identify.
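Securing evidence without altering it is the point of phase I. The following Python script is an added example and not part of the Ernst & Young publication: it records a SHA-256 manifest of every file in an evidence directory at the moment it is sealed, and later verifies the directory against that manifest, reporting files that were modified, deleted or added after sealing. The directory, file names and contents are constructed in a temporary folder purely for the demonstration; the examiner name and manifest layout are assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so that large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _hash_tree(root: str) -> dict:
    """Map each file below root (relative, '/'-separated path) to its SHA-256."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def build_manifest(root: str, examiner: str) -> dict:
    """Record hash and size of every file below root, plus who sealed it and when."""
    files = {rel: {"sha256": digest, "size": os.path.getsize(os.path.join(root, rel))}
             for rel, digest in _hash_tree(root).items()}
    # Seal: a hash over the canonical JSON of the file list, so the manifest
    # itself can be checked against the value written into the case log.
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return {
        "sealed_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "seal_sha256": hashlib.sha256(canonical).hexdigest(),
        "files": files,
    }


def verify_manifest(root: str, manifest: dict) -> dict:
    """Compare the current directory contents with the sealed manifest."""
    expected = manifest["files"]
    present = _hash_tree(root)
    modified = sorted(p for p in expected if p in present and present[p] != expected[p]["sha256"])
    missing = sorted(p for p in expected if p not in present)
    added = sorted(p for p in present if p not in expected)
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Run the whole cycle on constructed sample evidence; returns both verification reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "mail"))
        with open(os.path.join(root, "mail", "outbox.txt"), "w") as f:
            f.write("constructed sample: exported outbox\n")
        with open(os.path.join(root, "usb_image.bin"), "wb") as f:
            f.write(b"\x00" * 512)  # constructed stand-in for a USB stick image

        manifest = build_manifest(root, examiner="constructed examiner")
        clean = verify_manifest(root, manifest)

        # Simulate what careless handling does to the evidence set after sealing.
        with open(os.path.join(root, "usb_image.bin"), "ab") as f:
            f.write(b"\xff")
        os.remove(os.path.join(root, "mail", "outbox.txt"))
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("written after sealing\n")
        tampered = verify_manifest(root, manifest)
    return {"clean": clean, "tampered": tampered, "seal": manifest["seal_sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest and its seal value are written into the case log at the time of seizure and the working copies are taken from a read-only image, so that every later analysis step can be shown not to have touched the originals.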

What to do in the case of damage

Immediately close outgoing data channels

Secure evidence

Initiate clarification measures in good time, in order to enable a complete reconstruction of what actually took place

Crisis management

Only those who understand a case of damage in detail can react to it adequately in the course of crisis management. Precise clarification is also important with regard to regulatory aspects. This is because in order to be able to adhere to the requirements of the Swiss Financial Market Supervisory Authority, a bank must identify and remove the source of the damage. Ultimately, the identification of weak points is also in the bank’s best interests, as this is the only way to prevent future damage.

Data leakage, the outflow of sensitive data, represents a threat which is to be taken seriously. Technological development has caused data volumes to rise rapidly and the increased use of mobile devices heightens the risk that unauthorized parties could gain access to sensitive data. The supervisory authorities have also recognized these risks, which is why the regulatory requirements for banks are becoming stricter.

Many institutions are still inadequately protected against data attacks. There is considerable need for action in the financial sector. However, the elimination of weak points is not necessarily to be achieved with hasty steps, such as the introduction of new technical tools. A holistic approach is called for, so as to coordinate people and processes with the technology.

Information management is a priority task for the top management level and is not just a matter of defining a strategy, but is part of risk management and includes ongoing monitoring and raising the awareness of all staff. Such processes require time and resources, which is why external support, such as that provided by Ernst & Young, is advantageous.

Contact details

Jürg Brun, Partner Financial Services
Phone +41 58 286 3203
Email juerg.brun@ch.ey.com

Dr. Michael W. Faske, Partner Fraud Investigation & Dispute Services
Phone +41 58 286 3292
Email michael.faske@ch.ey.com

Tom Schmidt, Senior Manager Financial Services
Phone +41 58 286 6477
Email tom.schmidt@ch.ey.com

Steven Ebling, Manager Fraud Investigation & Dispute Services
Phone +41 58 286 4643

Ernst & Young

Assurance | Tax | Legal | Transactions | Advisory

Ernst & Young is a leading provider of audit, tax, transaction and advisory services. Our 144,000 employees around the world provide quality services by combining our common values with consistent commitment. In Switzerland, Ernst & Young is a leading audit and advisory company offering services in the area of tax and legal issues, as well as in transactions and accounting. Our 1,940 employees in Switzerland generated revenue of CHF 546 million in the 2008/2009 business year. We stand out as a company because we help our employees, clients and stakeholders to realize their full potential. Further information can be found on our website at www.ey.com/ch. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, UK, does not provide services for clients.

www.ey.com/ch

© 2010 Ernst & Young Ltd All Rights Reserved KKL 0910
