Cyber-security: legal implications for financial institutions IAPP Europe Data Protection Intensive 2013




Cyber-security in the commercial context

Vivienne Artz

Managing Director and General Counsel, Citi

Cyber threat landscape

Kris McConkey

Director, Cyber Threat Detection & Response, PwC

Legal risks faced by financial institutions and the evolving regulatory frameworks in the EU and US

Nigel Parker

Senior Associate, Allen & Overy

Cyber-security in the commercial context

April 2013

Vivienne Artz

Managing Director and General Counsel, Citi

Cyber-security in the commercial context

Cyber-security – fiction to fact

Examples of cyber-security attacks

‒ Financial services perspective

‒ Cyber-security in the broader risk landscape


Cyber-security in the commercial context

From fiction…


Cyber-security in the commercial context

To fact…

New York Blackout (2003) – suggested cause a cyber-attack on power grid infrastructure


Cyber-security in the commercial context

A teenage boy who hacked into a Polish tram system used it like "a giant train set", causing chaos and derailing four vehicles

Stuxnet – attack on Iran’s uranium enrichment centrifuges

Evernote – 50m user passwords compromised

Sony – data on 77 million global gamers compromised


Network Intrusions

Lin Mun Poo

32-year-old Malaysian National

Intrusion Federal Reserve Bank, Cleveland

Intrusion into DOD Contractor

UC Operation lures Poo to U.S.

Arrested in NYC with 400,000 Credit Card Numbers on laptop

Forensic Analysis revealed hacks into U.S. Government and Banking Sector Systems


Attacks on High Net Worth Clients

Igor Klopov

24-year-old Russian National

Expert in “mining the internet”

Brokerage & Home Equity Line of Credit (HELOC) compromises

Targeted Wealthy American Businessmen

Recruited U.S. Based Accomplices

Actual Loss $15 MM

Hacktivists

Anonymous



Cyber-security in the commercial context

“On the outskirts of Shanghai, in a run-down neighbourhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors.” (New York Times, February 2013)

The NY Times article reported on the release by Mandiant of a report which concluded that nearly 150 sophisticated hacking attempts against American corporations and government agencies over the past decade almost certainly originated from this single Shanghai office building controlled by the People's Liberation Army.


Distributed Denial of Service Attacks

In 2012 a number of US financial institutions were subjected to distributed denial of service attacks, intended to disrupt online banking services


Distributed Denial of Service Attacks (DDoS)

Since early September 2012, the Financial Service sector has been the target of an escalating series of DDoS Attacks.


Cyber-security in the commercial context

Citi (10-K):

– “Citi’s Operational Systems and Networks Have Been, and Will Continue to Be, Subject to an Increasing Risk of Continually Evolving Cybersecurity or Other Technological Risks, Which Could Result in the Disclosure of Confidential Client or Customer Information, Damage to Citi’s Reputation, Additional Costs to Citi, Regulatory Penalties and Financial Losses.”

– “Although Citi devotes significant resources to maintain and regularly upgrade its systems and networks with measures such as intrusion and detection prevention systems and monitoring firewalls to safeguard critical business applications, there is no guarantee that these measures or any other measures can provide absolute security.”


Cyber-security in the commercial context

Bank of America (10-K):

– “A failure in or breach of our operational or security systems or infrastructure, or those of third parties with which we do business, including as a result of cyber attacks, could disrupt our businesses, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses.”

– “Although to date we have not experienced any material losses relating to cyber attacks or other information security breaches, there can be no assurance that we will not suffer such losses in the future. Our risk and exposure to these matters remains heightened because of, among other things, the evolving nature of these threats, our prominent size and scale and our role in the financial services industry, our plans to continue to implement our Internet banking and mobile banking channel strategies and develop additional remote connectivity solutions to serve our customers when and how they want to be served, our expanded geographic footprint and international presence, the outsourcing of some of our business operations, the continued uncertain global economic environment, threats of cyberterrorism, and system and customer account conversions.”


Cyber-security in the commercial context

JP Morgan (10-K)

– “JPMorgan Chase and other financial services institutions and companies engaged in data processing have reported breaches in the security of their websites or other systems, some of which have involved sophisticated and targeted attacks intended to obtain unauthorized access to confidential information, destroy data, disable or degrade service, or sabotage systems, often through the introduction of computer viruses or malware, cyberattacks and other means. The Firm and several other U.S. financial institutions have also experienced several significant distributed denial-of-service attacks from technically sophisticated and well-resourced third parties which were intended to disrupt consumer online banking services.”


Cyber-security in the commercial context

Importance of cyber-technology is increasing:

– In the private sector, banks have led the defence against attacks because they have been a primary target

– Threat landscape is rapidly evolving with regard to perpetrators, their motivations and capabilities

Privacy/data-related risks include:

– Loss or destruction of data

– Unauthorised access to data

– Unauthorised alteration of data

– Unauthorised use of data

– Account takeovers


Cyber-security in the commercial context

Financial crime – criminal, often highly organised and well-funded, using technology to steal money or other assets

Corporate espionage – e.g. theft of trade secrets, other IP

Government driven – states attacking private sector organisations and especially the critical national infrastructure

Terrorism – terrorist groups attacking either state or private assets

Hacktivism – attacks undertaken by proponents of an idealistic cause


Cyber-security in the commercial context

[Chart: Global Risks 2012 impact/likelihood plot. Axes: Likelihood (x) and Impact (y), each scaled 3.0–4.0. Risks plotted: Water supply crisis; Chronic fiscal imbalance; Severe income disparity; Rising greenhouse gas emissions; Cyber attacks. Source: Global Risks 2012, World Economic Forum]