Out-Law News | 18 Jul 2014 | 10:17 am | 6 min. read
The Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.
Financial services firms have privately expressed worry that cyber security professionals are losing the war against cybercriminals, and have agreed that dealing effectively with threats is more important than trying to build systems that fruitlessly hope to eliminate them.
I spent some of this week chairing the Financial Services Cyber Security Summit, whose Chatham House rules allowed executives to speak freely about their fears and their strategies for tackling the danger.
The frank admission that cyber security professionals are not winning the war against cyber criminals resonated with all attendees. Disturbingly, one speaker suggested that we may even be experiencing a level of de-sensitisation to cybercrime. He said that those in industry he talked to estimated that while share prices do take a hit following a significant data loss or security breach, they then tend to recover within 24 weeks and some people regarded that as acceptable.
The session was held at One America Square, where we could gaze on remnants of London's Roman City Wall. We considered the effectiveness of such barriers and that just as total reliance on keeping intruders out would not be a good way to defend an empire, neither is it a good way to defend a modern corporation.
Organisations need not to try to be like coconuts, with an impermeable shell, but accept that they are more like mangos and that outer defences will be breached. What matters is how you deal with breaches, or even whether you notice that they have happened at all.
Here are some elements of a cyber security strategy that the group agreed were vital.
Effective security means prioritising critical assets and data, which means identifying and protecting the most valuable material.
It is also dependent on a good understanding of your network's 'normal' operation. Until you have as complete as possible of the normal and legitimate state of activities that take place on your networks, you cannot effectively detect and prevent 'abnormal', criminal activities. This requires careful analysis, monitoring and profiling of the behaviours of individual.
Cyber resilience requires organisations to assume that intrusion will happen, and top cyber risks will come to pass. Monitoring and recovery should be prioritised above the fanciful notion that all intruders can be kept out.
'Threat intelligence' is a goal worth pursuing. It requires organisations to mount more effective attack simulations and to collaborate more effectively with the government.
Before thinking about anything else organisations should focus on practising the most basic principles of good cyber hygiene – encryption and robust access controls management. They should also get better at automation, which hackers already make the most of. They must respond to breaches in real-time, not simply report on breaches after the fact.
It is also important for an organisation's culture to reflect an understanding that no matter how much is spent on cyber security, absolute protection can never be guaranteed.
The commercial parts of the business cannot hope to reap the rewards of these technical protections if they do no participate in the process. Cyber security strategies cannot be effective without buy-in at all levels across the organisation, and without active involvement on the issue at board level. In particular, more attention needs to be paid to security risks within the supply chain.
The regulatory framework
On the whole, the audience was appreciative of the recent regulatory efforts made to introduce security standards. The general 10 Steps to Cyber Security and Cyber Essential frameworks are proving useful.
There is however appetite for the development of an industry focused set of standards, and some suggested there should be minimum mandatory ones while others disagreed. Again, frank admissions were made that industry regulators may not as yet be in a position to develop standards tailored to the needs of the sector that would be any more effective than the generalised approach taken in the Cyber Essentials scheme.
In my view, the UK regulators have taken the correct approach here. Considering the pace of change of technology, it seems to me that a principle-based approach to regulating cyber protection measures is better than a mandatory and prescriptive one, which at best would quickly become out-dated, at worst, hamper progress.
Three legal and regulatory issues stood out. These were the changing cyber breach reporting regimes; data protection law and its impact on monitoring and profiling for security purposes, and the security of the supply chain.
Discussion focused on detecting intrusion, but also on the growing responsibility that comes with that to keep others informed. The ICO's view is that it should be informed of all 'serious breaches'. It defines a serious breach in terms of detriment to individuals, volume of data loss and sensitivity of data involved. Notably, detriment need not be financial or physical and "emotional distress" is enough. The loss of 100 records if sensitive would suffice.
The financial industry regulators have not yet been specific about when they expect to be informed. The rules simply say that they must be notified if a matter could have a significant adverse impact on the firm's reputation or affect its ability to continue to provide adequate services.
New mandatory reporting regimes will be brought in as a result of the EU's proposed Data Protection Regulation and Network and Information Security Directive (NIS) Directive, and they may be backed up by significant enforcement powers. Under the Regulation, firms may be required to report all 'personal data breaches'. This phrase is not defined in either the Commission's version of the proposal or the later version passed by the European Parliament. Both allow some leeway for balancing privacy against security concerns. The recitals to both say that "A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation" and that " the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay" in notifying regulators than that proposed by the proposed Regulation's provisions.
The NIS Directive, which will apply to certain parts of the industry, sets out a broader notification regime. It provides for notification of all security 'incidents' which are defined as "any circumstance or event having an actual adverse effect on security."
Financial services firms need to prepare now to make sure they can comply with these changing requirements.
Privacy and profiling
The participants were more concerned about whether cyber security staff could monitor and profile employees, customers and others who access corporate systems under the proposed laws.
Current laws impose limits on the purposes for which data indentifying individuals may be used and the Regulation gives individuals a right not to be subject to measures which analyse or predict "performance at work, economic situation, location, health, personal preferences, reliability or behaviour".
Yet, this is exactly what almost all of the proponents of cyber resilience contended needs to be done in order to implement effective cyber protection strategies. While the Regulation proposes a 'non-profiling right', it does not propose that this right be absolute and respected in all instances. Nevertheless, given the outcome of recent EU court decisions on data-related matters, it is unlikely that securing systems and data would not be seen as legitimate grounds for mass general surveillance activities.
What is not changing is the freedom to use personal data when consent is first obtained. Compliance strategies may therefore need to focus more closely on making customers, employees and contractors fully aware of their need to monitor behaviour in order to adequately protect systems and data.
Plugging supply chain risk
Last year when retailer Target was hacked and 40 million credit card numbers taken from its systems, the weak point in its security was found to be the fact that a heating and air-conditioning supplier had system access rights.
This had everyone thinking about managing security supply chain risks. But again, it did not seem clear that enough in the industry are taking technology supply chain cyber risk seriously. A more integrated approach to risk management, tying together contractual, insurance and practical means is needed.
Whether it is a Roman City Wall or the hard shell of a coconut, the consensus was that rigid, absolute protection just does not work, and as one speaker put it, corporate organisations need to realise that they are more like soft mangos when it comes to security. They may now need to reflect this view in the expectations they create, in their systems and controls and technical and organisational protection measures, and in their compliance strategies.