As an observer of the recent census debacle, what do you see as the - - PowerPoint PPT Presentation

SLIDE 5

Poll 1 As an observer of the recent census debacle, what do you see as the key cause?:

  • A. Technology failure
  • B. Use of a third party service provider
  • C. The threat landscape is too huge
  • D. Ignorance / hubris
SLIDE 6

A Revolution in Cyber Threats?

Greg Austin, Australian Centre for Cyber Security, UNSW Canberra; Professorial Fellow, EastWest Institute, New York. G.Austin@adfa.edu.au | gaustin@ewi.info

SLIDE 7

States: Most Dangerous, Most Capable

  • 22/7/2016: WikiLeaks releases 20,000 hacked DNC emails
  • 26/7/2016: White House: "we are in the midst of a revolution of the cyber threat—one that is growing more persistent, more diverse, more frequent and more dangerous every day"
  • 27/7/2016: Trump "invites" Russia to hack Clinton

SLIDE 8

PWC 2016 Global Economic Crime Report

SLIDE 9

Eight Vectors of Attack

SLIDE 10

Symantec 2016

SLIDE 11

Threat Trend

[Chart: capability over time for Technology, Criminals, Corporates & Citizens, Gov't Policy and Police]

SLIDE 12

Q&A

Please submit your questions using Zeetings

SLIDE 13

Poll 2 Cyber risks are a major concern for all businesses, where do you see the largest impact to your business from a cyber incident?:

  • A. Business interruption
  • B. Brand & reputation
  • C. Customer churn
  • D. All of the above
SLIDE 14

Current Cyber Risk Legal Landscape: Obligations and Opportunities

Scott Thiel, Partner, DLA Piper

SLIDE 15

AsiaPac cyber & privacy regimes at a glance

[Map: AsiaPac cyber & privacy regimes, before (2011) vs at 2016]

SLIDE 17

Continuing evolution of the Asian legal landscape

DLA Piper Cybertrak

SLIDE 18

Australia: Privacy Amendment (Notification of Serious Data Breaches) Bill 2015

  • Imposes a compulsory notification mechanism on entities when a serious data breach occurs
  • Note: the definitions of "harm" and "real risk" are very broad and all-encompassing

A serious data breach occurs if:

  • there is "unauthorised access to, or unauthorised disclosure of" personal information, credit reporting information, credit eligibility information or tax file number information, and either that access or disclosure "will result in a real risk of serious harm to any of the individuals to whom the information relates", or the information "is of a kind specified in the regulations"; and
  • "there is a real risk of serious harm to the individual to whom the information relates as a result of the data breach"

SLIDE 19

Current Regulatory Framework – China

Major Mandates

  • Combination of various laws, e.g. criminal law, civil law, tort law and the constitution, with limited legal effect
  • Decision of the Standing Committee of the National People's Congress for Enhancing the Protection of Internet-based Information
  • CIS Regulation and IT Banking Guideline

Security

  • Data controllers must take appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction of, or damage to, personal data

Breach Notification

  • No mandatory requirement for data breach notification
  • Security breach notices to authorities may nevertheless be required, for example to:
  • Public Security Bureaus
  • Telecom authorities
  • China Banking Regulatory Commission
SLIDE 20

Proposed cyber security laws in the PRC

  • Draft Cyber Security Law of the People's Republic of China
  • Second draft published in July 2016
  • National-level law exclusively devoted to cybersecurity and data privacy issues
  • App operation regulations

Key themes of the draft law:

  • Imposes cybersecurity obligations on network operators (incl. censorship requirements)
  • Personal data privacy and data protection
  • Content control and censorship
  • Data localization

SLIDE 21

Current Regulatory Framework – Hong Kong

Major Mandates

  • Personal Data (Privacy) Ordinance ("PDPO")
  • Sector-specific Codes and Guidelines
  • Hong Kong Monetary Authority (HKMA) - Supervisory Policy Manual
  • Securities and Futures Commission (SFC) - Circular to all licensed corporations on information technology management
  • Guidance for Government Agencies

Security

  • Data users are required by law to take all practicable steps to protect personal data
  • Where a 3rd party processor is engaged, contractual or other means are required to secure the data and to limit its period of retention

Breach Notification

  • No mandatory requirement under the PDPO
  • Authorised institutions are required to notify the HKMA of major security breaches
  • e.g. in 2012, when HSBC was under global cyber-attack, HSBC notified the HKMA and prepared a report

SLIDE 22

Current Regulatory Framework – Australia

Major Mandates

  • A mix of Federal and State/Territory legislation:
  • Federal laws, e.g. Privacy Act 1988 (Cth) ("Privacy Act"), Healthcare Identifiers Act 2010, Personally Controlled Electronic Health Records Act 2012, etc.
  • State and Territory laws, e.g. Information Act 2002 (Northern Territory), Privacy and Personal Information Protection Act 1998 (New South Wales), etc.
  • Sector-specific requirements
  • Prudential Standards enforced by the Australian Prudential Regulation Authority

Security

  • Appropriate security measures (i.e. 'take reasonable steps') to protect any personal information an entity retains from misuse and loss and from unauthorised access, modification or disclosure
  • Reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for the purpose(s) for which it was collected

Breach Notification

  • No mandatory requirement under the Privacy Act, but note the guidance issued by the Office of the Australian Information Commissioner
  • Required in the health sector and the finance sector
SLIDE 23

Current Regulatory Framework – Singapore

Major Mandates

  • Computer Misuse and Cybersecurity Act
  • Technology Risk Management (TRM) Guidelines and Notice
  • Personal Data Protection Act ("PDPA"), formally enacted in January 2013

Security

  • Reasonable security arrangements

Breach Notification

  • No specific legislative requirements regarding data protection breaches
  • Financial institutions are required to notify the Monetary Authority of Singapore (MAS) of a range of serious IT security incidents and malfunctions

SLIDE 24

Current Regulatory Framework – Japan

Major Mandates

  • The Act on the Protection of Personal Information ("APPI") and various sector-specific guidelines regarding the APPI
  • Act on the Prohibition of Unauthorized Computer Access
  • Cybersecurity Strategy and Ministry Guidelines addressing issues related to the APPI and IT measures

Security

  • Specific guidance set out in Ministry guidelines
  • The necessary and appropriate measures generally include 'Systematic Security Control Measures', 'Human Security Control Measures', 'Physical Security Measures' and 'Technical Security Control Measures'

Breach Notification

  • No general requirement under the APPI, but specific ministry guidelines are provided for business operators

SLIDE 25

Current Regulatory Framework – South Korea

Major Mandates

  • Act on the Protection of Information and Communications Infrastructure
  • Combination of laws – Personal Information Protection Act ("PIPA", effective 30/09/11)
  • The Act on Promotion of IC Network Utilization and Information Protection (IC Network Act)

Security

  • Mandatory security arrangements, e.g.
  • establishment and implementation of an internal control plan for handling personal data in a safe way
  • installation and operation of an access control device, such as an intrusion-blocking system, to cut off illegal access to personal data

Breach Notification

  • Yes, required in case of leakage, intrusion or theft of data (including health care and financial information)

SLIDE 26

Current Regulatory Framework – Thailand

Major Mandates

  • Combination of laws – Constitution of Thailand, Thai Penal Code, Child Protection Act
  • Computer Crime Act
  • Electronic Transaction Act
  • Personal Information Protection Act (in drafting)

Security

  • Specific businesses – must maintain a level of security
  • Non-specific businesses – prevention of unauthorized access

Breach Notification

  • No requirement
SLIDE 27

Cyber compliance as a competitive advantage

SLIDE 28

General perception towards cyber security

  • 74% of US executives expressed in a survey* that the main purpose of cyber security is to reduce risk – rather than to enable growth
  • General perception:
  • Costly
  • Complex
  • Inefficient
  • Hinders productivity
  • Too difficult
  • Won't happen to me
  • However… what I will tell you is that cyber security is:
  • Not a "doom & gloom" matter
  • Much more than an "insurance policy" in IT
  • Something that helps your business grow
SLIDE 29

Benefits:- Competitive Advantage

  • Reassuring from a customer's point of view
  • Cyber security is often one key area customers look out for
  • This is often brought up as a matter of importance in pitches and contracts
  • Transactions often involve large amounts of customers' private data
  • Customers will not want to take unnecessary risks
  • Being cyber secure is something you can proudly advertise in your portfolio of strategic assets
  • Data analytics capability is a desirable attribute
SLIDE 30

Benefits:- Cyber Intelligence

  • Compliance is a big driver in the adoption of cyber intelligence:-
  • Complying with relevant mandates is an important step in understanding your data assets and data mining opportunities
  • Cyber compliance will often get attention and budget
  • Intelligence aids both regulatory and internal policy compliance by logging and proactively monitoring diverse information across the enterprise in real time, providing accountability, transparency and measurability
  • Become data aware…
SLIDE 31

Benefits:- Productivity Enhancement

  • Results in cost savings and productivity enhancements
  • Saves time (and therefore manpower and cost) in troubleshooting service issues
  • Security tools can effectively isolate faults and help get back online much faster

SLIDE 32

Benefits:- Mobile Working Enabler

  • Enables mobile productivity
  • The workplace is no longer restricted to servers, workstations or email accounts; we need to consider mobile devices and the culture of BYOD
  • Increasingly important for entities to be able to allow their employees to work anywhere, anytime, on mobile devices
  • With the adoption of enhanced security solutions, you can enable enhanced mobile adoption and productivity whilst maintaining full security and compliance

SLIDE 33

Benefits:- Capacity Planning

  • Assists IT with capacity planning
  • Security is all about visibility into a network
  • With that visibility comes the added benefit of gaining a handle on what resources are being used – essential for informed decisions on:-
  • Internal or external capacity management
  • Migration to offshore and cloud-based solutions

SLIDE 34

DLA Piper CyberCert

SLIDE 35

Q&A

Please submit your questions using Zeetings

SLIDE 36

Poll 3 What do you see as the most important factor in mitigating cyber risk:

  • A. People, policies and procedures
  • B. Advanced defensive technologies
  • C. Ongoing assessments, audits and remediation
  • D. Incident response planning and ongoing management

SLIDE 37

Defending the Defender: Can I Insure My Way Out of Trouble?

Tim Fitzgerald, Vice President / Chief Security Officer, @Tim_Fitzgerald1

SLIDE 38

The Big Question: Can I Insure My Way Out of Trouble?

[Chart: security risk against control maturity, from basic security controls to advanced capabilities and incident readiness]

SLIDE 39

Five Trends That Are Converging

Mobility

  • 7 billion phones by 2020 (Gartner)

Cloud – Apps & Data Center

  • 69% of all workloads will be in the cloud by 2017 (Cisco)
  • 500K new apps in the past three years. Over 1.8M global apps; downloaded >10.9 B times (Gartner)
  • 33% of Symantec apps are cloud-based and growing; we've deployed our first private cloud data center

Data – Structured & Unstructured

  • IDC estimates that 90% of big data is unstructured

Identities – Personal & Professional

  • Personal and professional identities are blurring
  • In "connected countries" there are between 24 and 30 digital identities per person (IDC)

The Internet of Things

  • Will exceed 26 billion by 2020 (Gartner)

[Diagram: Mobility, Cloud, Data, Identities and IoT converging on the security challenge]

SLIDE 40

Threats are Increasing!*

  • Frequency and duration are increasing (1)
  • A large business attacked once in 2015 is now likely to be attacked 3 more times
  • Symantec discovered more than 430 million new unique pieces of malware in 2015, up 36 percent from the year before
  • 38% increase in detected information security incidents in 2015 (1)
  • 56% increase in theft of "hard" intellectual property in 2015 (1)
  • 2014 Verizon report on over 63,000 incidents: almost every incident involved human error
  • Digital extortion on the rise (2)
  • 45x more people had devices held hostage in 2014

SLIDE 41

Symantec's Global Security Office…

…Ensures Customer Trust in the Symantec Brand

  • Physical Security & Safety
  • Security Architecture & Engineering
  • Security Intelligence Operations
  • Security Governance, Risk & Compliance
  • Security Strategy & Implementation
  • Customer Integrity & Security

SLIDE 42

Symantec Security Architecture

SLIDE 43

Security Cycle – Management Communications

External Threats (ongoing)

  • Smarter
  • Stay longer
  • Do more damage
  • Change quickly

Security Strategy (periodic)

  • Establish and deliver strategic programs
  • Refine delivery models and assess value
  • Socialize with critical stakeholders
  • Know your employee threats

Foundational Elements (ongoing)

  • Policy / process
  • Risk management
  • Security technology and control implementation
  • Monitoring and incident response
  • Security architecture

Management Oversight & Direction

  • Security Council (Symantec senior leadership), twice a quarter: validate security program direction and investment strategies; as necessary, set priorities
  • Board of Directors, every 6 months: crystalize / up-level risk to the board and answer three questions: 1. What should your board be aware of? 2. What should it be concerned about? 3. What should it take action on?

Risk / Gap Analysis (periodic)

  • Assess control completeness and efficacy
  • Scorecard of how we've done
  • Identify investment strategies

SLIDE 44

Strategic Initiatives

  • Source Code Protection
  • Physical Security & Employee Safety
  • Security Monitoring, Analysis & Response
  • Cloud Security & Risk Management

SLIDE 45

Managing and Communicating Security Risk

  • Terminology Gap
  • Risk Communication Gap
  • Understanding Gap

SLIDE 46

The Big Question: Can I Insure My Way Out of Trouble?

[Chart repeated from slide 38: security risk against control maturity, from basic security controls to advanced capabilities and incident readiness]

SLIDE 47

Q&A

Please submit your questions using Zeetings

SLIDE 48

Poll 4 Considering the cyber threat landscape is constantly evolving, what do you see as the next steps for risk reduction?:

  • A. Technology and professional services spend
  • B. Acquire cyber risk insurance
  • C. Tighten up existing policies and procedures
  • D. Invest in managed security services
  • E. None of the above
SLIDE 49

Digital Transformations in Organisations

Kevin P. Kalinich, Esq., Aon Global Cyber Practice Leader

SLIDE 50

2016 Cyber Exposure Trends

  • Social Media
  • Network security, privacy, and social engineering
  • Phishing / Spear Phishing
  • Australia and International Regulatory Environment
  • IoT - The Internet of Things
  • Smart workplaces
  • Reliance on technology & increasing automation
  • Cloud Computing / Big Data Analytics
  • Increased use of outsourced service providers
  • Cloud provider risk oversight/security
  • Ransomware

Australian developments:

  • Australia faces 'unprecedented' cyber threat (AUSTRAC), Aug. 2016
  • Australia contracting trends = higher/no contractual limitation of liability
  • AECOM unit pays $201 million to settle Australia toll-road lawsuit (A$1.68 billion lenders to RiverCity relied on forecasts) + $4.8 B Arup – Air Link
  • April 2015 Telstra acquisition of Pacnet for $697 million + data breach
  • Australian Bureau of Statistics says website attacked by overseas hackers (August 2016)

SLIDE 51

Selected Data Breach Incidents: 2013 – 2014

Date | Company | Incident | Severity | Estimated cost/loss
August 2013 | Toyota/Ford | White hat demo hack of Toyota Prius and Ford Escape to wrest control of brakes, steering and acceleration | N/A | N/A
December 2013 | Target Corp. | Attacker leveraged access through a third party's network into Target's network | 110M individuals affected | $264M+
January 2014 | Neiman Marcus | A customer information database was hacked | 1.1M individuals affected | TBD
January 2014 | Michaels Stores Inc. | Point-of-sale (POS) malware | 2.6M individuals affected | TBD
February 2014 | Wyndham Worldwide | Intruders gained unauthorized access to Wyndham's computer network | 619,000 individuals affected | TBD
July 2014 | JPMorgan Chase | System was hacked | 83M accounts and 7M small businesses affected | $250M spent on cybersecurity
September 2014 | Home Depot | Massive breach of credit card information for an intrusion first reported in April of 2014 | 56M individuals affected | $232M+
November 2014 | Sony Pictures | Cyber extortion and hack potentially related to the release of "The Interview" | 47,000 SSNs stolen | $15M+
December 2014 | Staples | Cyber criminals stole customer card data from a subset of Staples locations | 1.16M individuals affected | TBD
December 2014 | German Steel Mill | Massive physical damage to plant arising out of malware on system | Not disclosed | TBD

SLIDE 52

Selected Data Breach Incidents: 2015 – 2016

Date | Company | Incident | Severity | Estimated cost/loss
February 2015 | Anthem, Inc. | Information technology system hacked | 80M individuals affected | $100M+
May 2015 | IRS website | Criminals used stolen data to file fraudulent tax returns | 100K people affected | $50M
June 2015 | Office of Personnel Management | Hacker stole government data | 21.5M records stolen | TBD
July 2015 | Ashley Madison | Users' data was stolen and threatened to be released | >25 gigabytes of data | TBD
July 2015 | Fiat Chrysler | Recall over a vulnerability in dashboard computers | 1.4M vehicles | TBD
July 2015 | General Motors | White hat hackers broke into GM OnStar system | N/A | N/A
August 2015 | Tesla | White hat hackers implanted malware into the car's central computer | Patch of car computer software required | N/A
October 2015 | T-Mobile | Data breach at financial credit processing firm Experian | 15M individuals affected | TBD
December 2015 | Ukraine Power Grid | Hackers implanted operation-specific malicious firmware, with a coordinated DDoS attack against customer call centers | 230,000 left without power for 6 hours | Unknown
April 2016 | Mossack Fonseca (The Panama Papers) | 11.5 million confidential documents (2.6 TB of data) containing information on >214,000 offshore companies; an anonymous source made the data available in batches to German newspaper Süddeutsche Zeitung beginning in early 2015 | 11.5M confidential documents | TBD

SLIDE 53

Pokémon​ Inspired Family Tour to Australia & New Zealand

http://www.zicasso.com/luxury-vacation-australia-new-zealand-tours/pok-mon-inspired-family-tour-australia-new-zealand

SLIDE 54

Evolving Threat of Cyber to Clients

Across all industries, our clients are continuing to invest in deploying digital technologies to stay competitive and drive quality and efficiency objectives.

Evolving Cyber Equation

[Diagram: Technological Drivers (Automation, Connectivity) -> Business Drivers -> Risk Drivers (Material Damage, Business Interruption, Product Liability, Data Breach, Media Liability, I.P. Infringement)]

SLIDE 55

Typical Client Cyber Requirements

Client Questions and Requirements

  • "What cyber exposures do we have?"
  • "How bad could the risks be to the balance sheet?"
  • "What coverage do we have / could we have?"
  • "How can we mitigate cyber exposures?"
  • "How can we optimise self-retention?"
  • "How can we expedite cyber claims payment?"

SLIDE 56

Companies value PP&E higher than Information Assets

[Bar chart, extrapolated value ($ millions): total value of PP&E $848; total value of information assets $815]

SLIDE 57

The PML value for PP&E and Information Assets

[Bar chart, extrapolated value ($ millions): value of the largest loss (PML) that could result from the theft and/or destruction of information assets $617; value of the largest loss (PML) that could result from damage or the total destruction of PP&E $648]

SLIDE 58

The Impact of Business Disruption to Information Assets and PP&E

[Bar chart, extrapolated value ($ millions): estimated loss to information assets $207; estimated loss to PP&E $98]

SLIDE 59

The percentage of PP&E and Information Assets Covered by Insurance

[Bar chart: percentage of potential loss to PP&E assets covered by insurance 51%; percentage of potential loss to information assets covered by insurance 12%]

SLIDE 60

Basis of Liability of Loss is different in Australia

I. CONTRACTS

  • A. Payment Card Industry (PCI DSS fines & penalties can be considered contractual)
  • $125 MM Heartland
  • $143 MM Global Payments
  • $19 MM Target – Raytheon (April 2015)
  • B. Breach of Implied Contract (see Schnucks v. First Data Merchant Services)

II. TORT

  • A. Asia less litigious (e.g. Japan "double derivative" shareholder litigation)
  • B. EMEA less litigious (see Google v. Vidal-Hall: damages under the Data Protection Act 1998 for non-pecuniary losses)
  • C. U.S. (customers, 3rd parties, shareholders): Spokeo v. Robins (US Supreme Court); $10 MM settlement in the Target class action
  • 1. Negligence
  • 2. Strict Liability
  • 3. Negligent Misrepresentation

III. STATUTORY (lack of uniform IT security standards)

  • Asia-Pacific (mandatory & non-mandatory regulations)
  • EMEA
  • Upcoming EU Data Protection amendments
  • 4% worldwide revenue fine & 24 HR notice
  • Various country Data Protection Authorities
  • U.S.
  • A. HIPAA, 42 U.S.C. Section 1320d-5 / HITECH
  • B. FTC Act, 15 U.S.C. Section 45(a)
  • C. FCC ($25 MM fine against AT&T in 2015)
  • D. 47 state breach laws & Attorneys General
  • E. GLBA/FINRA
  • F. SEC

IV. FIRST PARTY

  • A. Incident/Event Management
  • 1. Forensics
  • 2. Investigations
  • 3. Breach Notification
  • 4. Public Relations
  • B. Business Interruption (proof of loss challenges)
  • C. Cyber Extortion
  • D. Extra Expense
  • 1. External vs. Internal Costs
  • 2. Remediation vs. Upgrade
SLIDE 61

Australia Cyber Value Proposition

Industry Knowledge

SLIDE 62

2016 Aon Captive Cyber Benchmarking Survey

Source: 2016 Aon Captive Cyber Benchmarking Survey by Industry Cyber—The Fast Moving Target: Benchmarking views and attitudes by industry: http://www.aon.com/risk-services/cyber.jsp

SLIDE 63

Cyber Loss Spectrum

[Matrix: 1st party vs 3rd party losses against financial vs tangible losses]

Any major cyber event will result in

  • PR, response, and continuity costs
  • Immediate and extended revenue loss
  • Restoration expenses
  • Defense costs

Third parties will seek to recover

  • Civil penalties and awards
  • Consequential revenue loss
  • Restoration expenses

Physical damage is possible

  • 1st party property damage
  • 1st party bodily injury

Physical damage may cascade to others

  • 3rd party property damage
  • 3rd party bodily injury
SLIDE 64

Scope of Cyber Insurance Coverage

Liability Sections (defense costs + damages + regulator fines)

  • Failure of Network Security
  • Failure to Protect / Wrongful Disclosure of Information, including employee information
  • Privacy or Security related regulator investigation
  • All of the above when committed by an outsourcer
  • Wrongful Collection of Information (some policies)
  • Media content infringement / defamatory content

First Party Sections (insured's loss)

  • Network-related Business Interruption
  • Extra Expense
  • System Failure Business Interruption (some policies)
  • Dependent Business Interruption (some policies)
  • Intangible Asset damage

Expense / Service Sections (expenses paid to vendors)

  • Crisis Management
  • Breach-related Legal Advice
  • Call Center
  • Credit Monitoring, Identity Monitoring, ID Theft Insurance
  • Cyber Extortion Payments

SLIDE 65

Optimal Cyber Program

[Diagram: inputs that shape the optimal program]

  • Insurable Risks
  • Contractual Requirements
  • Budget
  • Risk Tolerance
  • Maximum Probable Loss
  • Peer Purchasing Data
  • Scope of Coverage / Control
  • Market Limitations

SLIDE 66

Q&A

Please submit your questions using Zeetings

SLIDE 67

Morning Tea Break

Please reconvene in respective panel session room after the break

SLIDE 69

Understanding your cyber risk profile / alignment to risk transfer strategies

Panel Session

SLIDE 70

Cyber risk profiling – where do we start?

Four questions, each with its own stage of the analysis: What can go wrong? (Identify – Exposure Assessment). How bad can it be? (Measure – Scenario Quantification). How am I protected? (Mitigate – Mitigation & Maturity). Will our insurance respond? (Transfer – Tailored Solution Design).

Identify

  • Key stakeholders engaged
  • Identification of key cyber scenarios
  • Prioritise key risks for further analysis

Measure

  • Matching cyber scenarios to business impacts / consequences
  • Detailed quantitative assessment of business impacts
  • Risk modelling

Mitigate

  • Audit of controls, procedures
  • Evaluation of effectiveness of risk mitigation processes and procedures
  • Determination of maturity of control environment

Transfer

  • Analysis of insurability of identified cyber scenarios
  • Review of gaps vs. current insurances
  • Design a tailored "stand-alone" solution
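The Measure and Transfer stages call for a quantitative assessment of business impacts, risk modelling and a review of gaps against current insurance. As an added example (not from the deck, and not Aon's or any panelist's method), the Python below models each cyber scenario as a Poisson count of events per year with a log-normal loss per event, simulates the annual aggregate loss, reports the expected annual loss and the 99th percentile as a stand-in for the "maximum probable loss" the deck refers to, and then applies a hypothetical policy retention and aggregate limit to show what a bad year would leave uninsured. The three scenarios, their parameters and the policy terms are constructed illustrations, not figures from the page.

```python
"""Frequency/severity Monte Carlo for cyber scenario quantification.

Added example, not code from the original slide deck. Each scenario is a
compound-Poisson loss: a Poisson number of events per year, each with a
log-normal loss. Parameters below are made up for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float   # expected events per year (Poisson mean)
    loss_median: float   # median loss per event, AUD
    loss_sigma: float    # log-normal spread; larger means a heavier tail


# Constructed scenarios (assumptions for the example, not page data).
SCENARIOS = [
    Scenario("ransomware / business interruption", 0.5, 400_000, 1.0),
    Scenario("third-party provider outage", 0.2, 1_500_000, 0.7),
    Scenario("personal data breach (notification, forensics)", 0.3, 250_000, 0.9),
]


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def expected_annual_loss(scenarios) -> float:
    """Closed-form expectation: sum over scenarios of rate * E[loss per event]."""
    return sum(s.annual_rate * s.loss_median * math.exp(s.loss_sigma ** 2 / 2)
               for s in scenarios)


def simulate_annual_losses(scenarios, years=20_000, seed=1):
    """Return one simulated aggregate loss per year across all scenarios."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        year_loss = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.annual_rate)):
                year_loss += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        totals.append(year_loss)
    return totals


def percentile(values, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def uninsured(loss: float, retention: float, limit: float) -> float:
    """Loss left with the insured under a policy with a retention (deductible)
    and an aggregate limit, both applied to the year's total loss (a
    simplification; real policies also carry per-event terms)."""
    paid = min(max(loss - retention, 0.0), limit)
    return loss - paid


def quantify(scenarios, retention, limit, years=20_000, seed=1) -> dict:
    losses = simulate_annual_losses(scenarios, years, seed)
    retained = [uninsured(x, retention, limit) for x in losses]
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "pml_99": percentile(losses, 0.99),          # 99th-percentile year
        "expected_retained": sum(retained) / len(retained),
        "retained_at_pml_99": percentile(retained, 0.99),
    }


if __name__ == "__main__":
    # Hypothetical policy: AUD 100k retention, AUD 2M aggregate limit.
    for key, value in quantify(SCENARIOS, retention=100_000, limit=2_000_000).items():
        print(f"{key:>22}: AUD {value:,.0f}")
```

The closed-form expected_annual_loss() is there as a sanity check on the simulation; the two should agree to within a few percent. Tail percentiles converge far more slowly than the mean, so raise `years` before relying on the 99th-percentile figure, and treat the gap between `pml_99` and `retained_at_pml_99` as the question for the Transfer stage: how much of a bad year the current program actually absorbs.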

SLIDE 71

Tools to support the analysis: what are the key vulnerabilities?

1. NSP / Cyber risk mapping: identify sources of risk, causes and consequences with key stakeholders (Head of IT Security & CIO; Risk Manager; CFO & Internal Audit; Brand & Communications team; Legal Counsel & Privacy Officer)
2. Risk management analysis: recommendations as to risk control, process and mitigation techniques
3. Gap analysis: evaluation of inherent risks against the current insurance program
4. Tailored risk transfer solutions: enhance the current portfolio with new and extended coverage to protect your organisation

SLIDE 72

Will mandatory data breach notification legislation change things?

  • The length of time between the event, the fall in share price and the capitulation of senior executives is reducing
  • Publicly traded companies have come to expect that class actions will ensue after a significant data breach incident
  • It remains to be seen if Australian mandatory data breach notification laws will result in a similar outcome to the US experience
  • Data breach response planning is becoming even more critical
SLIDE 73

Cyber event insights: sources of losses

SLIDE 74

Testing key scenarios against the insurance programme

[Matrix (example only): policy lines Property, General Liability, Crime/Bond, K&R, PI and Cyber against the scenarios below, each cell marked Coverage Provided, Coverage Possible or No Coverage]

1st Party Data Protection Privacy Risks

  • Network Interruption
  • Cyber Extortion
  • Data Restoration, Recollection, Recreation (Determination and Action)
  • Employee sabotage of Data
  • Virus / Hacker damage to Data
  • Denial of Service attack
  • Physical damage to Data Only

3rd Party Data Protection Privacy Risks

  • Breach of Personal Information
  • Breach of Corporate Information
  • Outsourcing Liability / Vicarious Liability
  • Contamination of Third Party Data by any unauthorised software, computer code or virus
  • Denial of access to third party data
  • Theft of an access code from the Company's premises
  • Destruction, modification, corruption, damage or deletion of Data
  • Physical theft of the Company's hardware
  • Data disclosure due to a Breach of Data Security
  • Costs and expenses for legal advice and representation in connection with an Investigation
  • Data Administrative Fines
  • Repair of Company / Individuals' Reputation
  • Media Content Liability (IP, plagiarism, defamation, trespassing)
  • Notification Costs
  • Monitoring Costs (with identity theft education and credit file or identity monitoring)

SLIDE 75

OAIC guide to developing a data breach response plan

"Your actions in the first 24 hours after discovering a data breach are often critical to the success of your response…"

"You should create and test your plan before a data breach occurs…"

"Response team membership: ensure that the relevant staff, roles and responsibilities are identified and documented…"

SLIDE 76

QUESTIONS?

SLIDE 77

Summary

  • Global Threats
  • Legal Influences
  • Technology
  • Risk transfer
