Cyber-security: legal implications for financial institutions
IAPP Europe Data Protection Intensive 2013
Cyber-security in the commercial context
Vivienne Artz
Managing Director and General Counsel, Citi
Cyber threat landscape
Kris McConkey
Director, Cyber Threat Detection & Response, PwC
Legal risks faced by financial institutions and the evolving regulatory frameworks in the EU and US
Nigel Parker
Senior Associate, Allen & Overy
Cyber-security in the commercial context
April 2013
Vivienne Artz
Managing Director and General Counsel, Citi
Cyber-security in the commercial context
Cyber-security – fiction to fact
Examples of cyber-security attacks
‒ Financial services perspective
‒ Cyber-security in the broader risk landscape
Cyber-security in the commercial context
To fact…
New York Blackout (2003) – suggested cause: a cyber-attack on power grid infrastructure
Cyber-security in the commercial context
A teenage boy who hacked into a Polish tram system used it like "a giant train set", causing chaos and derailing four vehicles
Stuxnet – attack on Iran’s uranium enrichment centrifuges
Evernote – 50m user passwords compromised
Sony – data on 77 million global gamers compromised
Network Intrusions
Lin Mun Poo
32-year-old Malaysian National
Intrusion Federal Reserve Bank, Cleveland
Intrusion into DOD Contractor
UC Operation lures Poo to U.S.
Arrested in NYC with 400,000 Credit Card Numbers on laptop
Forensic Analysis revealed hacks into U.S. Government and Banking Sector Systems
Attacks on High Net Worth Clients
Igor Klopov
24-year-old Russian National
Expert in “mining the internet”
Brokerage & Home Equity Line of Credit (HELOC) compromises
Targeted Wealthy American Businessmen
Recruited U.S. Based Accomplices
Actual Loss $15 MM
Cyber-security in the commercial context
“On the outskirts of Shanghai, in a run-down neighbourhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors.” (New York Times, February 2013)
NY Times article reported on the release by Mandiant of a report which concluded that nearly 150 sophisticated hacking attempts against American corporations and government agencies over the past decade almost certainly originated from this single Shanghai office building controlled by the People's Liberation Army
Distributed Denial of Service Attacks
In 2012 a number of US financial institutions were subjected to distributed denial of service attacks, intended to disrupt online banking services
Distributed Denial of Service Attacks (DDoS)
Since early September 2012, the Financial Service sector has been the target of an escalating series of DDoS Attacks.
Cyber-security in the commercial context
Citi (10-K):
– “Citi’s Operational Systems and Networks Have Been, and Will Continue to Be, Subject to an Increasing Risk of Continually Evolving Cybersecurity or Other Technological Risks, Which Could Result in the Disclosure of Confidential Client or Customer Information, Damage to Citi’s Reputation, Additional Costs to Citi, Regulatory Penalties and Financial Losses.”
– “Although Citi devotes significant resources to maintain and regularly upgrade its systems and networks with measures such as intrusion and detection prevention systems and monitoring firewalls to safeguard critical business applications, there is no guarantee that these measures or any other measures can provide absolute security.”
Cyber-security in the commercial context
Bank of America (10-K):
– “A failure in or breach of our operational or security systems or infrastructure, or those of third parties with which we do business, including as a result of cyber attacks, could disrupt our businesses, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses.”
– “Although to date we have not experienced any material losses relating to cyber attacks or other information security breaches, there can be no assurance that we will not suffer such losses in the future. Our risk and exposure to these matters remains heightened because of, among other things, the evolving nature of these threats, our prominent size and scale and our role in the financial services industry, our plans to continue to implement our Internet banking and mobile banking channel strategies and develop additional remote connectivity solutions to serve our customers when and how they want to be served, our expanded geographic footprint and international presence, the outsourcing of some of our business operations, the continued uncertain global economic environment, threats of cyberterrorism, and system and customer account conversions.”
Cyber-security in the commercial context
JP Morgan (10-K):
– “JPMorgan Chase and other financial services institutions and companies engaged in data processing have reported breaches in the security of their websites or other systems, some of which have involved sophisticated and targeted attacks intended to obtain unauthorized access to confidential information, destroy data, disable or degrade service, or sabotage systems, often through the introduction of computer viruses or malware, cyberattacks and other means. The Firm and several other U.S. financial institutions have also experienced several significant distributed denial-of-service attacks from technically sophisticated and well-resourced third parties which were intended to disrupt consumer online banking services.”
Cyber-security in the commercial context
Importance of cyber-technology is increasing:
– In the private sector, banks have led the defence against attacks because they have been a primary target
– Threat landscape is rapidly evolving with regard to perpetrators, their motivations and capabilities
Privacy/data-related risks include:
– Loss or destruction of data
– Unauthorised access to data
– Unauthorised alteration of data
– Unauthorised use of data
– Account takeovers
Cyber-security in the commercial context
Financial crime – criminal, often highly organised and well-funded, using technology to steal money or other assets
Corporate espionage – e.g. theft of trade secrets, other IP
Government driven – states attacking private sector organisations and especially the critical national infrastructure
Terrorism – terrorist groups attacking either state or private assets
Hacktivism – attacks are undertaken by proponents of an idealistic cause