Cyber Decoder Newsletter Issue 40
RED FLAGS RULE
Voya agrees USD 1 million settlement with the SEC over charges of deficient cyber security

CYBER SECURITY
Regulators have been issuing large fines for data breaches and lapses in cyber security this year

PORTS TARGETED
Ports of Barcelona and San Diego fell victim to cyber attacks in September

ALSO IN THIS ISSUE
Cyber insurance guide 7
Digital transformation 9
Cyber war games 11
Top tweets 12
Starting on 1 November 2018, private sector organisations in Canada will be required to notify the Office of the Privacy Commissioner of Canada (OPC) and any affected individuals of any breach involving personal information that they believe may create a “real risk of significant harm”. Organisations must also maintain records of every detected data breach and provide them to the OPC upon request. Failure to report a breach or maintain records is punishable by a fine of up to CAD 100,000.

The data breach notification regime was created via amendments to Canada’s data protection legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), in 2015. The requirements of the new regime were set out in the April 2018 Breach of Security Safeguards Regulations (BSSR).

According to the OPC’s recently published annual report, data breaches have increased in frequency - the number reported to the regulator has doubled since 2014. In 2017-18, 116 private sector breaches were reported to the OPC, an increase of 22% from the year before. The majority of incidents related to theft and unauthorised access (67%), followed by accidental disclosure (29%).

GUIDANCE
The OPC recently published draft guidelines on mandatory breach reporting that are intended to help organisations comply with breach reporting and record-keeping obligations under PIPEDA. Consultation ended in October and the OPC says it will publish final guidance by November 1st.
2 FINANCIAL LINES GROUP NEWSLETTER | Cyber Decoder | October 2018
According to law firm Blake, Cassels & Graydon, much of the information in the draft guidelines is simply a reiteration of the legal requirements set out in PIPEDA and the BSSR. However, the draft guidelines provide some useful guidance in certain areas, such as how to assess the reporting threshold of “real risk of significant harm”.

According to the OPC, significant harm would be defined as: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.

The guidelines also set out the minimum information required when recording a data breach or reporting a breach to the OPC, the regulator responsible for enforcing the rules. The regulator has already published a draft report form that organisations can use to report a breach.

The OPC says it will pay particular attention to how organisations address security vulnerabilities and assess the real risk of significant harm. It will also monitor how breach records are maintained by organisations, a new obligation under PIPEDA.

While mandatory notification is a move in the right direction towards enhancing privacy protection, the OPC said that it would have liked the regulations to go further. Canada’s mandatory notification regime is more limited in scope than the GDPR, and the OPC says that reporting requirements will not generate the information it requires to assess the adequacy of an organisation’s safeguards. It also says it will receive no additional funding or resources to enforce the rules.

PRIVACY POWERS
In addition to the notification requirements, Canadian data protection and privacy laws could soon get even tougher. At the end of September, the OPC Commissioner Daniel Therrien called on the federal government to give the regulator greater powers to hold organisations to account.

The Commissioner said that data breaches at Equifax, Uber and Nissan Canada Finance, as well as the alleged misuse of Facebook user data by Cambridge Analytica, should act as a ‘wake-up call’ to government.

Canada’s privacy legislation gives companies “wide latitude” to use personal information for their own benefit, according to Mr Therrien, who says that the “time of self-regulation is over”. He called for the drafting of “stronger privacy laws,” as well as greater powers and resources for the OPC to enforce them.

In particular, the OPC needs new powers to make orders, issue fines and conduct inspections to ensure businesses respect the law. The Commissioner also called for the government to increase the resources of the OPC, in part to meet its obligations under the new breach reporting regulations that come into force in November.

In February 2018, the Canadian House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI), which has been tasked with reviewing Canada’s privacy laws, called for changes to PIPEDA as proposed by the OPC, and even called for additional measures inspired by Europe’s GDPR. In June 2018, the Canadian government responded to ETHI’s recommendations to amend PIPEDA and conceded that changes are required to Canada’s privacy regime pending consultation.

CYBER STATISTICS
The notification regime kicks in at a time of heightened cyber risk for Canadian companies and a potential lack of preparedness. According to the Canadian Survey of Cyber Security and Cybercrime, just over one-fifth (21%) of Canadian businesses said they were impacted by a cyber security incident in 2017. More than half (54%) of impacted businesses reported that cyber security incidents prevented employees from carrying out day-to-day work, while over half (58%) of businesses experienced some downtime as a result of an incident.

Worryingly, just 13% of businesses had a written policy in place to manage or report cyber security incidents. Only 10% of businesses impacted by a cyber security incident reported it to authorities.

While almost all Canadian businesses surveyed employed some form of cyber security to protect themselves, many smaller firms failed to adopt basic cyber hygiene. Almost a quarter did not use anti-malware software or email security, while a third did not have network security, such as firewalls.
ZERO TOLERANCE
One of the largest penalties came from the UK’s financial services regulator, the Financial Conduct Authority (FCA). It fined Tesco Personal Finance (Tesco Bank) GBP 16.4 million for failing to exercise “due skill, care and diligence” in protecting its personal current account holders.

In November 2016, cyber attackers exploited deficiencies in Tesco Bank’s financial crime controls and its financial crime operations team to steal some GBP 2.4 million over 48 hours.

Mitigating factors led to a discounted fine for Tesco, including the early settlement and high level of cooperation, as well as the bank’s redress programme for affected customers. Absent the discounts for mitigating factors, the FCA would have imposed a penalty of GBP 33.6 million, it says. Issuing the fine, the regulator warned that it has “no tolerance” for banks that fail to protect customers from foreseeable risks.

The FCA says Tesco had not responded to the November 2016 cyber-attack with sufficient rigour, skill and urgency. It also concluded that Tesco Bank had failed to take appropriate action to prevent the foreseeable risk of fraud.

Commenting on the Tesco Bank cyber-attack, the FCA called on banks to focus on resilience, reducing the risk of a successful cyber-attack occurring in the first place. In July the FCA published a discussion paper about strengthening the operational resilience of financial services firms with regard to cyber-attacks and other disruptive operational incidents.

UK banks have been plagued by IT outages, the largest being the weeks of service disruption suffered by TSB Bank customers, following a problematic IT platform migration in April. In September, a number of UK banks were hit by unrelated glitches and outages, including TSB, HSBC, RBS and Barclays. The FCA discussion paper suggests that the regulator intends to take a more active role in driving cyber resilience in the financial services sector.

MAXIMUM FINES
The UK’s Information Commissioner’s Office (ICO) has dished out a number of large fines in the past few months, including a (pre-GDPR) maximum fine for credit monitoring firm Equifax.

On 20 September, the ICO issued Equifax with a GBP 500,000 fine for failing to protect personal information – ranging from names and addresses to financial information - of up to 15 million UK citizens during a cyber-attack in 2017. The incident, which happened between 13 May and 30 July 2017 in the US, affected 146 million customers globally.

The ICO’s investigation was carried out under the Data Protection Act 1998 (DPA), rather than the EU’s GDPR, as the cyber-attack occurred before the stricter laws came into force in May 2018. The fine is the maximum allowed under the DPA. However, under the GDPR, the ICO can issue fines of up to Euro 20 million or 4% of annual global turnover, whichever is highest.

Although the data breach took place in the US, the ICO concluded that the UK arm of the company failed to take appropriate steps to ensure its US parent Equifax Inc was protecting the information. The investigation revealed multiple failures at the credit reference agency that led to personal information being retained for longer than necessary and made vulnerable to unauthorised access.

The Equifax fine is just the latest issued by the ICO, which earlier indicated that it would fine Facebook GBP 500,000 for the alleged misuse of user information by data analytics firms, including Cambridge Analytica. It also recently fined health insurer Bupa GBP 175,000 for “systemic” failings related to a pre-GDPR data breach (an employee stole the personal information of 547,000 Bupa customers and offered it for sale on the dark web); while Heathrow Airport was fined GBP 120,000 for failing to ensure that personal data was properly secured after an employee lost a USB stick.

UBER SETTLEMENT
In the US, Uber agreed to pay USD 148 million to settle a legal action related to its massive 2016 data breach, which exposed the details of 57 million customers and drivers. Uber was found to have breached state notification laws by not reporting or disclosing the data breach - instead Uber paid hackers USD 100,000 to destroy the data.

The payment settles legal action brought by the US government and 50 states over Uber’s failure to disclose details of the data loss. The company has yet to settle legal action brought by drivers, customers and the cities of Los Angeles and Chicago over the 2016 data breach. As part of the settlement, Uber has agreed to put in place more secure systems and accept greater oversight of cyber security by the Federal Trade Commission.

Yahoo also agreed a multi-million dollar settlement in September for its failure to disclose a large data breach in 2014. Altaba Inc, formerly known as Yahoo, said that it expects to incur a total of USD 47 million in litigation expenses to settle three class action cases for failing to disclose the 2014 cyber security breach. The settlement is said to draw a line under litigation related to the data breach.

www.jlt.com | Cyber Decoder 5
The Port of Barcelona reported a cyber-attack on 20 September, although few details of the attack were made public. The port had initially warned that cargo may experience delays, however, the attack was contained and shipping was largely unaffected.

Just days later, the Port of San Diego in California revealed that it had suffered a ransomware attack. On 25 September, a cyber-attack disrupted the port’s information technology systems, although operations were unaffected. Public access to some port services was affected, including park permits, public record requests and business services. The port, which operates cargo and cruise terminals and is home to hotels, restaurants, marinas and museums, confirmed that it had received a ransom note, although the value of the ransom demand was not disclosed.

Both attacks followed a ransomware attack against shipping company COSCO in July. The Chinese group said its vessels were not affected by the attack, although COSCO’s terminal at the Port of Long Beach was impacted and customer communications were disrupted. Damage from the attack was reportedly contained because COSCO isolated its internal networks across its global operations, and because of ‘work-arounds’ that enabled cargo handling to continue without allowing the virus to spread.

Ports were also affected by the global malware attacks of 2017, which shut down terminals and disrupted shipping and cargo operations. Shipping company Maersk – which operates some 76 ports and nearly 800 vessels - was forced to switch off its global IT network. It took 10 days for the company to rebuild its entire network of 4,000 servers and 45,000 personal computers.

SMART PORTS
Unlike the 2017 attacks, which affected businesses indiscriminately, those against the ports of Barcelona and San Diego appear to have been targeted, according to Darktrace Industrial, which provides cyber security to a number of ports. The company speculates that the success of last year’s WannaCry and NotPetya malware attacks may have inspired attackers to pursue the maritime sector specifically.

Ports are likely to become more vulnerable to cyber-attacks with growing automation. Many ports and shipping companies are in the midst of a digital transformation – last year the port of Barcelona launched its Digital Port project with 54 initiatives to create digital applications, products and services. Shipping companies like Maersk and Mediterranean Shipping Company are investing in smart container technology that enables them to track and monitor shipments in real-time.

In the past, operating technology (OT), including industrial control systems, has been kept separate from wider IT systems, but it is increasingly becoming integrated. According to Darktrace, the creation of ‘smart’ ports and the convergence of IT and OT systems will challenge cyber security.

Maritime cyber security consultant Naval Dome warned that cyber-attacks against shore-based infrastructure, like that suffered by COSCO, could easily spread to ships. Shore-based and ship-based IT systems are linked, and can act as a gateway to vessels and leave them highly susceptible to an attack, it says. Naval Dome says it is aware of a number of serious cyber-attacks this year against companies in the maritime sector that have not been made public.

AIRPORT ATTACKS
Airports have also been affected by cyber-attacks in recent months. Bristol Airport was hit by a ransomware attack in September that took down departure and arrival boards for two days. The airport said it had taken systems offline as a precautionary measure. Flights were unaffected, but the airport had to resort to whiteboards to keep passengers informed.

A ransomware attack against the city of Atlanta earlier this year caused the city’s Hartsfield-Jackson International airport to take some of its systems offline. Passengers at London’s Gatwick airport were also forced to resort to using whiteboards, after a damaged communications cable took out flight information boards in August. In 2016, hackers attacked the website of Vietnam Airlines and the flight information screens in Hanoi and Ho Chi Minh City airports.

According to a report from PA Consulting Group, the number of airport-related cyber threats has grown significantly in recent years - there are 1,000 cyber-attacks on aviation systems each month, says the European Aviation Safety Agency (EASA). Like the maritime sector, airports and airlines have been affected by ransomware and other cyber-attacks. LATAM Airlines had data encrypted by WannaCry, while Ukraine’s Boryspil International Airport lost access to its systems during NotPetya. LOT Polish Airlines was also affected by a cyber-attack on its flight planning computers in 2015.
The guide has been developed by the Federation of Risk Management Associations (FERMA), working with the European Federation of Insurance Intermediaries (BIPAR) and Insurance Europe, the European insurance trade body. It follows FERMA’s 2017 report on cyber risk governance, which sets out a framework to identify and quantify cyber risk in order to weigh up risk mitigation strategies and insurance.

OVERCOMING HURDLES
‘Preparing for cyber insurance’ is written from the insurance buyers’ perspective and is intended as a practical guide to help organisations understand their cyber risks and potential need for cyber insurance. Recent cyber events have made organisations much more aware of the cyber risks they face and more conscious of the need to manage their cyber security exposures, yet many companies still struggle to translate their cyber security concerns into concrete action, FERMA said.

The market for cyber insurance in the EU has yet to reach its full potential, according to the report. One reason for this is the difficult task insurers face when quantifying risks that are constantly evolving and that can rapidly spread worldwide. Similarly, organisations can find it hard to accurately assess their cyber security exposures and how best to use insurance to mitigate them.

Any organisation wishing to implement some form of risk mitigation for its cyber risks—including insurance—must first assess as accurately as possible its exposures and potential vulnerabilities. As a first step, an organisation needs to conduct internal research and build a picture of its cyber risks and how it manages them. However, conducting this research can be challenging, the report says.

TARGETED INFORMATION
The guide gives advice on how companies can best prepare for discussions with insurance intermediaries and insurers. For example, it helps buyers to prepare the most valuable underwriting information for insurers; outlining what information is required, how it is used in underwriting and where that information is likely to be found within the organisation.
Once upon a time, there was a digital transformation (DX) leader. This transformation leader delivered a technology project that met objectives, delivered on schedule and on budget. Everyone was delighted, until the company’s corporate data appeared for sale on a dark web forum.

Sadly, that transformation manager is no longer with the company. This little fable is unfortunately a reality for more companies than the statistics indicate.

We’re going to review a couple of oversights that largely contribute to these statistics and how to avoid going from hero to zero.

Far too often, transformation initiatives, or just platform upgrades, don’t include sufficient security risk input throughout the various project lifecycles. The business case needs to not only extol all the business benefits and competitive advantages of a new technology, but also include a comprehensive risk review.

The conversation needs to start with risk and follow through by identifying assets and the likelihood and impact of attacks, including dollar values. The objective is simply to ensure the company’s (security) risks are identified and accounted for, by balancing security controls against the transformation functions. If this is done from the beginning of the project plan, the business can rest assured that it has helped to minimise the impact of attacks (or system failures) on the business.

Digital transformation is about digitising processes, services and business models that yield agility, efficiency and competitive advantage. Gartner says by 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk effectively. This staggering statistic forces the discussion about balancing digital risk with sought-after transformational functions.

If we look at Digital Transformation, we can start the conversation around three areas: infrastructure, people and risk/threat landscape.

We know infrastructure is constantly changing and evolving. Users, both internal and external, are the beneficiaries of the new technology, but also a conduit to attacks. Evolving threat vectors and the actors behind the threats are currently stepping up their attacks against both.

We’re getting better at installing security protection kits, like firewalls and intrusion prevention systems, but today’s attacks are focusing more on people and the transformational applications they use. Most enterprises are not going to improve their risk levels by stacking up more security systems, when their general staff are inadvertently installing malicious software anyway.
Moreover, protection devices aren’t going to stop loss of data if the transformational applications are not properly tested. As it stands, the leading method for extracting data from organisations is through the very applications deployed to transform the business.

Security awareness training can significantly improve an organisation’s resilience. More than just informative emails, a training program that integrates email phishing tests goes a long way to make the training stick, given the interaction and educational quizzes.

Phishing and business email compromise attacks figure in over 90% of breaches and losses today, so it’s a good place to start looking to reduce your risk. In terms of attack evolution, this year’s trends show that many phishing emails don’t include malicious links or feature malware-infested attachments. Hackers are more patient now; they know that with a little more social engineering effort, they can obtain the information they need to advance an attack on the business.

There are well publicised breaches, such as Deloitte’s O365 migration project, that involve hackers accessing emails using stolen admin credentials. This led to the exposure of over 244,000 employee email accounts and customer communications. Worse yet, a massive breach at Equifax exposed private data of almost half the US population. An investigation has shown how difficult it is to keep all of a company’s systems updated. The company knew about the vulnerability within a particular application, but didn’t have the resources to resolve the issue before the hackers took advantage.

The lessons here are: first, focus on the evolving risks surrounding the people on both sides of your digital systems, internal and external, including partners and supply chain vendors. Second, review and test the applications underpinning your digital transformation programs.

As Verizon’s Data Breach Report 2018 has shown, web applications continue to be the number one method that bad actors employ to steal enterprise data. Frequent web application scanning should be adopted, along with an independent web application penetration test that includes the underlying web server infrastructure. The objective is not to be 100% impenetrable, but just secure enough to be too difficult and thus costly for bad actors to make you another breach statistic.
Conference app compromises personal data