Technological Evolution


Academic year: 2021


(1)

Technological Evolution

The Impact of Social Media, Big Data and Privacy on Business

Cybersecurity: Promoting Prevention and Resilience

• Steven Chabinsky, General Counsel and Chief Risk Officer, CrowdStrike

• William Ridgway, Assistant US Attorney, US Department of Justice

• Marcus Christian, Partner, Mayer Brown LLP

• James Woods, Partner


(3)

Cybersecurity and Insurance Companies

(4)

Insurers Under Cyber Attack

[Slide diagram; only the recovered labels follow.]

Center: Insurer Cybersecurity Breach

Goal: To eliminate or mitigate consequences of cybersecurity breaches through external audits and law enforcement/regulatory partnerships to prevent the

Threat sources: Phishing; Trojan Horses; Vendors/Affiliates; Agents/Producers; Phishing insurer consumers after breach

State Insurance Regulators: NYDFS Bank Audit Bulletin & Regulation 169; Anthem: CA, IN, ME, MO, NH, ND, SC, NY, AR, IL, CT, KY, MS, NE, NV, PA, RI; NAIC Cybersecurity Task Force; State Regulatory Actions; Possible License Issues & Fines

Federal Law Enforcement: US Attorneys General; FBI; Secret Service

State AGs/Anthem: Connecticut; Illinois; Massachusetts; Arkansas; N. Carolina

Consequences: Drop in consumer confidence and investor confidence; Job loss (Amy Pascal, Sony); Consumer lawsuits; S/H Derivative Actions; Class Actions; Possible Fines; Possible Remedial Action & Damages

Possible Issues & Laws: Computer Fraud Act; Stored Communications Act; Electronic Communications Privacy Act; Bribery Act; Economic Espionage Act; ERISA; HIPAA; Red Flag Rules (FACT Act); Gramm–Leach–Bliley Act; Fair Credit Reporting Act; Federal Trade Commission Act; State security breach laws, privacy laws and unfair competition laws

Agencies: HHS; CMM

(5)

The Need for a Privacy Assessment

Why should an insurer perform a privacy assessment? There are three main reasons:

1. Ensuring Regulatory Compliance

An insurer must ensure that it is complying with laws and regulations governing handling of nonpublic personal information (“Confidential Information”). A failure to comply by an insurer or its vendor could adversely impact customer relationships and future business.

2. Avoiding Government Regulatory Actions

An insurer must work to reduce the risk of expensive and public regulatory enforcement actions by its federal or state regulators (e.g., FINRA, SEC, State Insurance Departments, and other government agencies). A regulatory action would bring unwanted negative publicity to an insurer.

3. Private Class Actions

Care must be taken to reduce the chance of a class action lawsuit based on a security breach. Class actions after security breaches may result in costly litigation and

(6)

Cybersecurity: Three-Prong Approach

A three-prong approach to mitigate consequences, including damages, from a cybersecurity breach is:

1. Legal Audit

2. Forensic Audit

(7)

Overview

(8)

Prediction

“The use of automated data systems containing information about individuals is growing in both the public and private sectors.... At the same time, there is a growing concern that automated personal data systems present a serious potential for harmful consequences, including infringement of basic liberties. This has led to the belief that special safeguards should be developed to protect against potentially harmful consequences for privacy and due process.”

– U.S. Department of Health, Education and Welfare Secretary Elliot Richardson (1972)

(9)

Prevention

• “Given the scope of the cyber threat, agencies across the federal government are making cybersecurity a top priority.... We want to predict and prevent attacks, rather than reacting after the fact.”

– FBI Director James Comey (May 21, 2014, testimony before

(10)

Resilience

• “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”

(11)

Home Depot

• On March 23, 2007, a password-protected Home Depot laptop, which contained employees’ Social Security numbers, was stolen

• In October 2007, a breach was made public in which a laptop containing the Social Security numbers and home addresses of about 10,000 Home Depot employees was stolen from a regional manager’s car

• In April 2012, a breach was disclosed in which a Home Depot employee accessed human resources information and obtained other employees’ Social Security numbers and drivers’ license numbers

• In February 2014, information was released about the arrest of a Home Depot employee who stole employee information

• In September 2014, a breach of Home Depot’s point of sale systems was disclosed in

(12)

United Parcel Service

The UPS Store, Inc. Notifies Customers of Potential Data Compromise and Incident Resolution

San Diego, August 20, 2014

“The UPS Store, Inc., among many other U.S. retailers, recently received a government bulletin regarding a broad-based malware intrusion not identified by current anti-virus software. Upon receiving the bulletin, The UPS Store retained an IT security firm and conducted a review of its systems and the systems of its franchised center locations. The UPS Store discovered malware identified in the bulletin on systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States. . . .”

(13)

Risks and Threats

(14)

Widespread Risk

According to a recent Securities and Exchange Commission report:

• 88% of registered broker-dealers had a computer security incident resulting from a direct attack or one through a vendor

• 74% of registered investment advisers had been the subject of a computer security-related incident after being attacked directly or through a vendor.

• According to a 2014 Ponemon Institute study, “The results show that a probability of a material breach over the next two years involving a minimum of 10,000 records is nearly 19 percent.”

(15)

What Is at Stake?

• Trade secrets

• Personally identifiable information

– Financial information

– Healthcare information

• The integrity and availability of business-critical systems

• Cash and other assets

(16)

Hackers’ Tools and Opportunities: Technical Vulnerabilities

• Hackers have demonstrated their ability to compromise almost anything connected to a network

– PCs and network assets (e.g. zero days such as Heartbleed and Shellshock; unpatched devices)

– Mobile (e.g. mobile banking malware; BYOD risk)

– The cloud (e.g. iCloud hack)

– Industrial control systems (e.g. Stuxnet, Sandworm)

– Peripherals (e.g. a botnet propagated by logistics scanners)

• Researchers already have demonstrated new frontiers,

(17)

Hackers’ Tools and Opportunities: Human Error

• Various reports have identified the following categories of employees as posing particular risks of both error and malicious conduct:

– Remote workers;

– Senior management;

– Low paid workers; and

– Disgruntled employees.

(18)

Advanced Persistent Threat

• Hackers alleged to have:

– Infected computers with malware

– Stolen trade secrets

– Captured personal and security information

(19)
(20)

Insiders

Insiders can cause grave damage to an organization:

• In South Korea, an IT contractor hired to improve security at a credit-evaluation company allegedly used a USB stick over the course of a year to steal the personal information of approximately 20 million South Korean credit card holders—more than one-half of the country’s working-age population.

(21)

Hacktivists

In March 2012, the Justice Department announced the indictment of leaders of Anonymous and LulzSec for crimes affecting more than one million people, including charges relating to:

– Hacking the websites of Visa, MasterCard, and PayPal as retaliation for not processing donations to Wikileaks;

– Hacking into the computer systems of PBS in retaliation for perceived unfavorable news coverage; and

– Hacking into the personal email account of an officer with Ireland’s national police service and using the information to access and record an international law enforcement conference call on the Anonymous investigation.

(22)

The Black Market

• Cyber and data black market—a marketplace for stolen data and goods and services that can be used to obtain confidential information, compromise data or system integrity, or affect data or system availability.

– The black market has grown and matured significantly since the mid-2000s

– The black market has allowed data thieves to increase their productivity

– The black market has allowed participants to lower the risks of monetizing data crimes

– Because of the black market, criminals do not need much computer

(23)
(24)

Selected Federal Statutes

• Computer Fraud and Abuse Act of 1986 (18 U.S.C. § 1030)

• Electronic Communications Privacy Act (18 U.S.C. §§ 2510-2522)

• Stored Communications Act (18 U.S.C. §§ 2701-2712)

• Wire Fraud Statute (18 U.S.C. § 1343)

• Economic Espionage Act (18 U.S.C. § 1831)

(25)

Incident Response

(26)

THERE IS NO SUBSTITUTE FOR PLANNING AND PREPARATION

• Planning

• Staffing

• Training

• Simulating

(27)

Law Enforcement

• Businesses should establish relationships with key law enforcement agencies before an incident

• Businesses should understand the pros and cons of working with law enforcement

• Federal law enforcement agencies gather evidence for

(28)

Notification, Support, and Sharing

Notification to prudential regulators

– Managing regulatory risk

Notification to customers

– Legally required notices

– Optional notices and customer services

Customer support services

Information sharing within appropriate channels

– Sharing signatures

(29)

Recovery: Restoring Stronger Systems

• Restoring the confidentiality, integrity, and availability of network assets

– Goal: System restoration and eradication

– Prioritizing restoration across different network assets

• Learning from a compromise

– What happened and when?

– How well did the response team and its processes work?

– What corrective actions can prevent similar incidents in the future?

– What additional tools and resources are needed?

(30)

Good Technical Cybersecurity Practices

Before a targeted attack:

• Consolidate and monitor Internet egress points

• Implement a tiered active directory administration model

• Implement centralized logging

• Have an incident response services retainer in place

• Identify, isolate and log access to critical data and systems

• Patch, patch and patch

• Subscribe to cyber intelligence feeds

Responding to a targeted attack:

• Do not power down

• Preserve all logs

• Establish out-of-band communication channels

• Include legal counsel immediately

• Review reporting requirements

• Contact an incident response services company

• Scope the incident

• Remediate the attack

• Report
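The "Preserve all logs" step above is only useful if the preserved copies can later be shown to be unaltered, which is what counsel, regulators and forensic examiners will ask. The following Python script is an added example written for this page, not code from the slides or from any of the speakers' organizations. It copies the files in a log directory to an evidence directory, records each copy's size and SHA-256 digest in a manifest, and re-verifies the copies on demand so that any later change, accidental or deliberate, is detected. The directory names, the `demo()` helper and the two sample log lines are constructed for illustration.

```python
"""Preserve logs for incident response: snapshot each log file with a
SHA-256 digest into a manifest, then re-verify the copies later so any
alteration (accidental or deliberate) is detectable.

Added example for the "Preserve all logs" practice; not code from the
slide deck. File names, directory layout and the sample log lines are
constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample log content (not taken from any real system).
SAMPLE_LOGS = {
    "auth.log": "Jan 10 03:12:07 host sshd[412]: Accepted publickey for svc from 10.0.0.5\n",
    "egress-proxy.log": "2015-01-10T03:13:00Z 10.0.0.5 CONNECT example.invalid:443 200\n",
}


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve_logs(src_dir, dest_dir):
    """Copy every regular file under src_dir into dest_dir and write
    manifest.json recording the size and SHA-256 of each copy.
    Returns the manifest as a dict."""
    os.makedirs(dest_dir, exist_ok=True)
    entries = {}
    for name in sorted(os.listdir(src_dir)):
        src = os.path.join(src_dir, name)
        if not os.path.isfile(src):
            continue
        dst = os.path.join(dest_dir, name)
        shutil.copy2(src, dst)  # copy2 keeps the original mtime for timelines
        entries[name] = {"size": os.path.getsize(dst), "sha256": sha256_file(dst)}
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(src_dir),
        "files": entries,
    }
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_preserved(dest_dir):
    """Re-hash every preserved file against the manifest.
    Returns (all_ok, names_that_no_longer_match)."""
    with open(os.path.join(dest_dir, "manifest.json")) as f:
        manifest = json.load(f)
    bad = []
    for name, rec in manifest["files"].items():
        path = os.path.join(dest_dir, name)
        if not os.path.isfile(path) or sha256_file(path) != rec["sha256"]:
            bad.append(name)
    return (not bad, bad)


def demo():
    """Run the whole flow on the constructed logs in a temporary directory.
    Returns (number of files in the manifest, verification result before
    any change, verification result after one preserved copy is modified)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "var_log")
    dst = os.path.join(work, "evidence")
    os.makedirs(src)
    for name, text in SAMPLE_LOGS.items():
        with open(os.path.join(src, name), "w") as f:
            f.write(text)
    manifest = preserve_logs(src, dst)
    before = verify_preserved(dst)
    # Simulate a later modification of one preserved copy.
    with open(os.path.join(dst, "auth.log"), "a") as f:
        f.write("appended after collection\n")
    after = verify_preserved(dst)
    shutil.rmtree(work)
    return len(manifest["files"]), before, after


if __name__ == "__main__":
    print(demo())
```

In practice the evidence directory should sit on write-once or access-controlled storage and the manifest should be copied out of band (for example, into the incident ticket) at collection time, so that a tampered copy cannot be accompanied by a tampered manifest; this script deliberately hashes the copies rather than the originals so that the manifest describes exactly what was preserved.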

(31)
