Safe in the knowledge Sound cyber strategy for senior management and board members of the payment card industry



There is no industry more prepared and more determined to combat cyberattacks than the payment card industry. At the same time, there is no more enticing a target for hackers than those companies that handle the vast majority of global payment transactions. Hackers are getting increasingly sophisticated, and the threats continue to multiply as new merchants and new countries come online and more individuals opt to pay with mobile devices. Adding to this expanding threat environment is the rapidly evolving global regulatory and enforcement environment, the ever-increasing prospect of litigation (including litigation aimed at individual directors and officers), the potential for very large card network fines and penalties, and the brand damage (and impact on consumer confidence) that could accompany data breaches.

Investing in the latest technological solutions, and incorporating cybersecurity technology into cutting-edge FinTech, goes a long way towards mitigating problems, especially in preventing credit card fraud. However, it is not a panacea across the enterprise, and it cannot supplant sound, risk-based strategies to help prevent breaches and to respond to them before regulators, courts and card networks. Ultimately, a proactive, holistic, risk-based and well-practiced cyber strategy is needed to prevent and respond to cyberattacks. And this strategy must start at the very top.

This guide is designed to help senior management and board members, who are already inundated with information and data, to decipher the key data points and to make decisions on cyber risk management. Below are some key questions and considerations to help companies formulate a sound cyber strategy.

Q. When should upper management get involved?

As sophisticated companies know, the time to get upper management involved is now, well before any breach. The involvement of senior leaders is not only a critical component of any sound cyber strategy, but it is also a way of fending off regulatory action before and after an attack, and even post-breach litigation. According to one 2017 study, while the average data breach case cost $3.67 million, board-level involvement alone reduced the average cost of a breach by $123,000 (3%). Additionally, a board that is knowledgeable about cyber risk often plays a role in implementing an effective incident response team and participating in threat sharing, two actions that are estimated to reduce the average cost of a breach by $468,000 (13%) and $193,000 (5%), respectively. Furthermore, while already an essential practice for addressing cybersecurity threats, an active and engaged board will likely prove very beneficial in post-data-breach litigation. For example, at least one court has relied on a board's active engagement in cyber issues to dismiss a derivative action arising out of a cyberattack.

Without board or C-suite level attention, cyber strategies are more likely to become fragmented, increasingly disregarded and ineffective when a crisis occurs. Recognizing this situation, regulators are increasingly requiring senior management to formally sign off on and approve cybersecurity programs and plans. For example, both the cybersecurity requirements issued by the New York Department of Financial Services and the UK's Financial Conduct Authority (FCA) mandate that the board of directors or senior officers certify compliance annually, with the potential for both significant regulatory sanctions and personal liability if the organization is later found to be non-compliant.

Additionally, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation, in their joint October 2016 Advance Notice of Proposed Rulemaking, announced that they are considering standards under which the board of directors, or an appropriate board committee, of a covered entity must be responsible for approving the entity's cyber risk management strategy and holding senior management accountable for establishing and implementing appropriate policies consistent with that strategy. The agencies are also considering requiring senior leaders responsible for cyber risk oversight to be independent of business line management. In this regard, they explain, these senior leaders would need to have direct, independent access to the board of directors and would independently inform the board on an ongoing basis of the firm's cyber risk exposure and risk management practices, including known and emerging issues and trends.

A similar trend may soon follow in China. The new Cybersecurity Law on the protection of critical information infrastructure has introduced new standards and procedures to ensure that organizations that handle data establish internal high-level corporate oversight and security management systems. Fines for breach of the standards can be imposed at both the corporate and individual levels, including fines on the individuals directly responsible for the breach, which could indirectly target senior management. It remains to be seen how the new law will be implemented; regulatory authorities are expected to issue further guidelines in the near future to clarify it.

Beyond the regulators, director and officer civil liability is an increasing concern. A crisis that creates potential liability for directors and officers is often judged in hindsight, replete with second-guessing by prosecutors, enforcement attorneys and the civil litigation bar, so it will be important to document an active and involved senior leadership.

Even in jurisdictions where there are no binding regulations, the increasing number of consultation papers and regulatory guidance will contribute to developing global best practices in relation to cybersecurity. For example, at the beginning of July, the Securities and Futures Commission (SFC) in Hong Kong closed a consultation period on proposals to reduce and mitigate hacking risks associated with internet trading. The proposals incorporated new guidelines which set out baseline cybersecurity requirements for internet brokers to address hacking risks and vulnerabilities and to clarify the expected standards of cybersecurity controls. Some of these requirements are already featured in the Code of Conduct or SFC circulars and are being elaborated and consolidated into the proposed guidelines. Additionally, the Hong Kong Monetary Authority is currently undertaking its Cybersecurity Fortification Initiative, comprising three pillars: (i) the Cyber Resilience Framework, a self-assessment tool for institutions to assess their vulnerability to cyber risks; (ii) the Professional Development Program, aimed at increasing the number and skill level of cybersecurity professionals in Hong Kong; and (iii) the Cyber Intelligence Sharing Platform, which seeks to improve the sharing of industry intelligence about cyber threats.

Traditionally, if members of upper management act on an informed basis, in good faith and in the honest belief that their actions are taken in the best interests of the company, they will continue to enjoy relative immunity before the courts if a cyberattack happens. The bar to successful shareholder derivative suits against directors and officers remains high. However, because cyberattacks affect all industries, and not just those that are data rich, courts evaluating whether directors and officers have met their standard of care will look skeptically on directors and officers of companies that do not have a sound monitoring system, oversight procedures, and mechanisms to prevent, respond to and remediate cyber threats before severe damage is done. In other words, a company's failure to implement basic cybersecurity procedures may not appear reasonable, particularly as regulators across industries and global jurisdictions enact regulation requiring cybersecurity procedures, and the consequences of noncompliance are apparent and certain.

Q. Who should be in charge of prevention and response?

Cybersecurity involves the entire organization and is not limited to the IT department. The current threat landscape demands that a cyber strategy, including prevention and response, embraces a holistic approach. The core team will vary for specific industries, but executive leadership, Legal, IT, Public Relations, Investor Relations, Customer Relations, Risk Management, Human Resources and Operations should be involved.

Traditionally, either a chief information security officer (CISO) or the general counsel will be charged with overseeing the cybersecurity program. The responsible individual will need to have the clear responsibility, as well as the authority, to effectively fulfill that role. While delineated authority and responsibility are essential to running an organization, the leader of a company's cybersecurity program needs to have the authority and mandate to identify and allocate resources within the organization. If the CISO's mandate is overseeing cybersecurity, a consistent and rigorous reporting system to the board of directors and/or senior management is required for risk management, monitoring and fluid communication. Of course, the CISO also needs to understand the business and how technology systems can be used and leveraged to improve business functions. The person ultimately in charge of cybersecurity also needs to be an experienced crisis manager. If that person is not a lawyer, this individual should have a trusted, battle-tested, action-oriented attorney by his or her side, to ensure decisions will not have costly legal implications if not executed correctly.

Q. What are the legal and industry standards?

Cybersecurity implicates a number of federal and state legal and regulatory requirements in addition to industry-imposed standards, all of which need to be considered in advance of a breach, especially since many require preventive action and timely notification of breaches. At the federal level, the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC) have used their regulatory oversight and enforcement authority to impose requirements on regulated entities and to bring post-breach enforcement actions against companies that are victims of a data breach. Most US states have data breach notification laws as well. State attorneys general may rely on state law prohibitions on unfair or deceptive acts and practices to go after companies that have exposed sensitive consumer data in a data breach, similar to the CFPB and the FTC. Many global jurisdictions also have strict cybersecurity and data privacy regulations which impose mandatory reporting requirements, such as the European General Data Protection Regulation (GDPR), which will come into effect in May 2018; the EU Directive on Security of Network and Information Systems (the "NIS Directive"); and the regulatory reporting requirements for financial institutions (e.g., under MiFID and Solvency II).

In Asia, the Singaporean legislators have released a draft bill on cybersecurity, and China's new Cybersecurity Law came into effect on June 1, 2017, as part of the PRC government's drive to protect internet sovereignty and to ensure secure and trusted network products and services. China's new Cybersecurity Law now obliges network operators to cooperate with state security and other government authorities in investigating cybersecurity breaches, to establish mechanisms for reporting violations to authorities and to take proactive steps along the way. It is not difficult to recognize the trend towards increasingly prescriptive legislative and regulatory requirements in this area.

The payments industry is also coming to grips with the upcoming implementation of PSD2, the revised EU Payment Services Directive. The increased data sharing with payment service providers that implementation may trigger will also be subject to additional technical security requirements and guidelines produced by the European Banking Authority in conjunction with the European Central Bank.

Any company processing or handling payment card data will also be subject to card network rules and the Payment Card Industry Data Security Standard (PCI DSS) maintained by the PCI Security Standards Council (PCI SSC). These standards are imposed on companies under their contracts with networks or member banks relating to their participation in the payment networks, and are accompanied by fines and penalties for failure to comply. Compliance with these data security standards is not a guarantee against a data security breach. However, a failure to comply not only increases the chances of a breach, but could also result in loss of business and an increased chance of being found to have fallen short of the applicable standard of care (and ultimately the withdrawal of authorization under scheme rules to process transactions).

Q. Is there a technological solution?

Technological solutions to cybersecurity are a core component of a cyber strategy, especially in preventing credit card fraud. However, the key to preparedness and risk management is a thorough cyber strategy plan that anticipates threats, mitigates potential damage in advance, and plans for remediation when necessary. From a technology standpoint, some questions to consider include: is sensitive data encrypted while stored and in transit; do networks have adequate encryption; is multi-factor authentication required to gain access to company systems and networks; and are robust firewalls and antivirus software in place and continually updated to keep up with the latest security threats?

Identifying and implementing a cyber strategy and plan is not a singular, one-time task. Cybercrime continues to evolve, and new types of attacks are continually developed. To maintain a strong defense, organizations need to be vigilant and consistent in testing and updating their strategy, as well as nimbly shifting resources to new areas of vulnerability. Continuous vigilance does have a core IT component, and any successful cyber strategy will incorporate continuous monitoring of internal networks and emerging threats. The IT component of a sound cyber strategy also requires a deep understanding of the information that system logs provide. The IT team, tasked with monitoring systems for internal cybersecurity red flags, should know how to properly manage and oversee these internal systems. This team should also maintain up-to-date knowledge and skills. For example, New York State requires that companies verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures. Finally, it is important to consider routinely sharing and receiving cyber threat indicators to help the organization, and the larger economy, inoculate against cyber threats.

Q. Should companies just be concerned with data?

As the latest string of ransomware attacks shows, hackers are increasingly willing to target any company from which they can steal valuable trade secrets, cause disruption (if not destruction) or extract ransom. Payments data, and the PII around it, is not the only thing that hackers will target. Therefore it is important for companies to systematically look at the businesses across their enterprise, as well as all of their data, to identify what data vulnerabilities exist. Critical questions to ask are:

- once all data is cataloged, how sensitive is the data (whether commercially, legally or reputationally)?
- where is critical data stored and used?
- who has access to it?
- is it compartmented (so that a breach of it would not bleed over into other parts of the enterprise)?
- what potential threats exist?
- what are the potential consequences if hackers were to get the data in some way, shape or form?

Having surveyed the threat landscape and determined the relative value of data or assets, the next step is to enact risk-based measures to mitigate those threats in a systematic fashion. One approach is to create an explicit and well-documented layered defense strategy, whereby the most valued assets are given higher levels of protection than less sensitive or less valuable data and assets. This tailored and informed strategy efficiently saves money and time while preserving employee goodwill; however, it is only effective when a company knows where its data resides, what kind of data is held and what vulnerabilities exist.

Q. What is the role of privilege?

A breach is bad enough, but regulatory action and litigation can greatly compound the problem. Before a breach occurs, courts and regulators will increasingly evaluate the risk-based cybersecurity judgments that were made, and the reasoning behind those decisions. Regulators like the SEC, the OCC and the UK's FCA will not wait until after a breach occurs to ensure that core aspects of a cyber strategy are recorded. Courts handling a breach case will also consider written, pre-breach decisions to determine whether the emerging standard of care was met (usually based on a reasonableness analysis). Therefore, documentation of the thought processes, as well as the written response plans, are significant evidentiary pieces that should be drafted with an understanding that these documents may be released. It is important to consider that forensic reports prepared in advance of a known breach are likely not privileged, so company actions regarding the risks and vulnerabilities revealed by such a report will become core elements of any post-breach litigation or regulatory action.

Q. How concerned should companies be with third parties?

If a third-party vendor, supplier or client has access to internal networks or maintains corporate data, it is crucial to evaluate the vendor's cybersecurity policies and procedures and to consider due diligence of suppliers to ensure their cybersecurity strategy meets the company's requirements. Third parties are one of the biggest blind spots that large, sophisticated companies have, and it's not just third parties like retailers, hotels and restaurants. Regulators such as the OCC, the CFPB and the FTC have taken an increasingly hard look at third-party oversight programs and how financial institutions and other companies that provide financial services control third-party vendor risk. These regulators are holding companies responsible for the shortcomings of their vendors. The first step is to systematically catalog third-party relationships, especially those long-standing relationships that predate the cyber threat. Next is to ensure an appropriate level of cybersecurity and apportion the risk of a breach via contract (and/or require that the third parties carry adequate cyber insurance).
Payment card companies often use this practice for merchants already and enforce it via contractual allocation of risks, fines and litigation, but it is also important to look beyond those companies to other third parties as well. Companies should examine comprehensively what level of access vendors have to their networks and systems, even if the type of services provided by the vendor does not seem to pose much risk. For example, the 2013 data breach at Target resulted from hackers compromising an HVAC vendor that had password access to Target's network, which the hackers then used to tunnel into Target's ePOS systems.

Finally, the increased reliance of companies on cloud services may require a fundamental and strategic review of information security risk. An off-premise, commodity-hosted service does not lend itself to the application of customer-led security policies. Many major cloud vendors do not have clearly articulated policies on compliance with GDPR. As part of their assessment of the benefits of a cloud-first strategy, companies need to carefully review their requirements in all of the following areas: physical and logical security controls, data residency, staff vetting, supply-chain control, disaster recovery and business continuity (including data replication, archiving and back-up), and access and audit rights.

Q. When should companies call in law enforcement?

The decision to call in law enforcement in the event of a breach is an important one, and depends on a number of factors, most of which should be considered in advance of a crisis. The advantages of calling the authorities include the potential to receive classified or otherwise sensitive briefings relevant to the breach; the ability to limit the number of interfaces in multi-jurisdictional breaches; and better assurance of being treated as a victim rather than as a perpetrator. However, each situation is different, so there may be disadvantages. It is important to have a decision plan in place ahead of time, and to select outside assistance that has pre-existing relationships with law enforcement.

Q. What are the tax implications of a cyber event?

While the US Treasury, the Internal Revenue Service and Congress have not yet addressed the tax treatment of certain breaches (ransomware in particular), there are important tax issues to consider when devising a decision plan, since there is often pressure to resolve ransomware attacks quickly. In the event of a hack that results in a company choosing to pay a ransom to release its data, the company will have to face decisions regarding the proper treatment of the payment on its books, and ultimately on its tax return: as a non-deductible illegal payment under section 162(c)(2), as a deductible theft loss under section 165(c), or potentially as an ordinary and necessary trade or business expense under section 162(a) (and under the applicable tax rules in other jurisdictions). Thinking through the tax implications in advance may aid in deciding whether to pay.

Q. Should companies have insurance coverage?

The first step is to determine whether existing coverage is applicable to a cyber incident the company is vulnerable to facing. For example, while computer fraud is typically covered under policies insuring against crime, some common cyber means of fraud may not be (e.g., tricking a company into transferring funds via a fraudulent email, where the transfer itself is legitimate or not fraudulent). Traditional forms of insurance were not designed to cover cyber risk; many policies will either entirely exclude coverage for cyber-related incidents or limit the scope of coverage available for this type of occurrence. Additionally, coverage for damage is often limited to physical damage, which may not be considered the same as stolen, deleted or inaccessible data.

If existing coverage is inadequate, the second step is to determine what should be covered. Typically, the first-party component of a cyber policy will cover: data breach notification and response costs; forensic investigation and security costs; PR/crisis management costs; and remediation and rectification costs. It may be prudent to work with insurers to obtain pre-approval for the retention of preferred specialists and advisers so that, in the event of a crisis, negotiations with the insurance company will already have been taken care of before the breach. During a breach, time is of the essence, and the organization should be focused on devoting time and resources to mitigating damage, not negotiating with the insurance company.

Equally important to know is what is likely not covered by a cyber insurance policy unless negotiated for in advance. It is unlikely that cyber policies will cover the indirect or intangible consequences of a cyber incident, such as loss of share price, loss of future business opportunity, or bodily injury or property damage where, for example, an explosion follows a failure of IT systems at a power plant. Losses arising purely under contract (i.e., where there is no concurrent liability in tort or on another legal basis) are also typically excluded from coverage. Depending on the jurisdiction, fines and penalties may not be covered; for example, in the UK, the FCA prohibits insurance against its regulatory fines. Director and officer liability coverage may also be excluded to avoid double insurance (i.e., two different types of policies covering the same loss), but care must be taken in advance to ensure there is no coverage gap. Finally, ransoms and cyber extortion may be excluded based on local law. For example, UK and US terrorism laws may prohibit the paying of a ransom if the money ends up supporting terrorist activity.

Q. How often should companies practice and update their response plans?

Companies should engage in a tabletop exercise or similar evaluation and update the response plan at least annually. Consistent practice will not only improve an actual breach response, but it will also help identify holes or anachronisms to be rectified to better prevent a breach. It is also important to ensure that any standard disaster response plans are applicable to a cyber event. Many companies have disaster recovery or business continuity plans, but not many of these plans directly address cyber incidents. Such incidents present unique facets that should not be addressed for the first time in the middle of a crisis. A disaster recovery plan may account for a natural disaster, like a hurricane or flood, but may not account for loss of communication or digital systems owing to a data breach of core systems. A number of organizations have recently faced attacks that shut down critical communication systems, which significantly hobbled their ability to operate over a significant period of time. Additionally, litigation preparedness should be part of a response plan. Finally, it is worth stating that the onus rests on companies to support their staff's compliance without subjecting them to Orwellian levels of control and intrusive monitoring.

Q. What should companies not do?

A sound cyber strategy is about anticipation, mitigation and then remediation. Accordingly:

- Do not simply assume that things are fine and react if facts prove otherwise. Rather, be sure to ask the right questions in advance, verify the answers and plan ahead.
- Do not leave cybersecurity to IT alone (and just spend money chasing the latest technological solutions). Rather, be sure to involve many different departments and individuals, particularly senior management.
- Do not consider cybersecurity to be a matter of one-and-done. Rather, cybersecurity requires a sound cyber strategy and a continuous culture of testing and validation.
- Finally, do not panic. Crises can beget more crises through compounding, panic-born errors. Having a plan and knowing whom to call will help tremendously.

Q. How often should employees be trained?

Hackers know that people are frequently the weakest link in cybersecurity, and they prey on that vulnerability through phishing and more advanced spear phishing attacks. Regular training on how to recognize and avoid threats, and what to do when attacks are successful, is critical. Training should be carried out for new employees (including employees joining through an acquisition), agents and contractors, and should be repeated at least annually. To be effective, training should be interactive and set against a real-world backdrop. Staff should also understand how to recognize and report suspicious activity. Companies should also consider conducting spot checks and vulnerability assessments to validate compliance with policies.

For further information, please contact:

US:
Michael Bahar, US Lead of Global Cybersecurity and Data Privacy Team T:
Brian Murphy, Partner T:
Bob Pile, Partner T:
Mary Jane Wilson-Bilik, Partner T:

Asia:
Brian Law, Counsel T:
Jennifer Van Dale, Partner T:
Nigel Stamp, Partner T:
Geraldine Ahern, Partner T:
Mark Thibodeaux, Associate T:
Al Sand, Associate T:

UK:
Paula Barrett, Global Co-Head of Privacy and Information Law T:
Liz Fitzsimons, Partner T:
James Hyde, Partner T:
Craig Rogers, Partner T:

About Eversheds Sutherland

We provide a single interface for a full-spectrum, multi-disciplinary approach:

- Board counseling. Advising boards and senior leaders on the essential elements of a sound, proactive cybersecurity strategy
- Identifying and mitigating risk. Advising on how to avoid and fix the most common and potentially most devastating blind spots in cyber planning, including the extent and adequacy of existing insurance coverage and the role of third parties and supply chains
- Global compliance. Providing guidance on current and pending regulatory requirements across jurisdictions, including the European GDPR and the New York State Department of Financial Services Cyber Regulations
- Embracing tech opportunities. Providing guidance on mitigating risks in the adoption of new technologies (including Big Data, the Cloud, AI, fintech, insurtech, Robotics and IoT)
- IP protection. Helping protect your IP not only from conventional exploitation, but from cyber theft as well
- Investment decisions. Making sound investment decisions to shore up cybersecurity, as well as to better establish reasonableness before regulators and courts
- Creating cyber resilience. Putting plans in place to help recover quickly after any breach and to minimize reputational, regulatory and litigation harm
- M&A. Preparing for cybersecurity due diligence, shoring up the value of your company in advance of any sale, or assessing the cyber risks (and price) of any company you wish to acquire
- Managing risk with third parties. Wisely apportioning cyber risk when contracting with, or absorbing, third parties
- Competitiveness. Maximizing ability to compete internationally and in all 50 US states in light of rapidly evolving and differentiated cyber laws and requirements
- Public policy. Engaging law and policy makers on cyber issues
- Prediction. Anticipating attacks, vulnerabilities and increased regulatory and litigation risks

Should a breach occur, we calmly handle all aspects of the crisis response, including:

- required notifications
- multi-jurisdictional litigation (we are one of the few firms that have successfully handled multiple class action lawsuits resulting from a large data breach)
- regulatory actions
- congressional or parliamentary investigations
- obtaining injunctive relief/seeking redress for losses
- management of the claims process with insurers

eversheds-sutherland.com

Eversheds Sutherland. All rights reserved. Eversheds Sutherland (International) LLP is part of a global legal practice, operating through various separate and distinct legal entities, under Eversheds Sutherland. For a full description of the structure and a list of offices, please visit eversheds-sutherland.com

Client Alert: Significant WiFi vulnerability exposed

Client Alert: Significant WiFi vulnerability exposed Client Alert: Significant WiFi vulnerability exposed What is the problem? Belgian researchers have published information about a vulnerability in the most popular WiFi encryption protocol that makes monitoring

More information

INTELLIGENCE DRIVEN GRC FOR SECURITY

INTELLIGENCE DRIVEN GRC FOR SECURITY INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to

More information

How will cyber risk management affect tomorrow's business?

How will cyber risk management affect tomorrow's business? How will cyber risk management affect tomorrow's business? The "integrated" path towards continuous improvement of information security Cyber Risk as a Balance Sheet Risk exposing Board and C-Levels 2018

More information

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient? Canada Highlights Cybersecurity: Do you know which protective measures will make your company cyber resilient? 21 st Global Information Security Survey 2018 2019 1 Canada highlights According to the EY

More information

NYDFS Cybersecurity Regulations

NYDFS Cybersecurity Regulations SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy

More information

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston Cybersecurity Landscape Major Data Breaches (e.g., OPM, IRS) Data Breach Notification Laws Directors Derivative Suits Federal Legislation

More information

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

More information

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY Benchmark research sponsored by Raytheon. Independently conducted by Ponemon Institute LLC. February 2018 2018 Study on

More information

Cybersecurity The Evolving Landscape

Cybersecurity The Evolving Landscape Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG

More information

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards November 2016 COMMENTARY Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards The Board of Governors of the Federal Reserve System ( Federal Reserve Board ), the Federal Deposit Insurance

More information

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016 CLE Alabama Banking Law Update Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016 Best Practices on Managing Cyber-Security Risks J.T. Malatesta III and Sarah S. Glover Maynard Cooper

More information

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:

More information

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Introduction The 6,331 credit unions in the United States face a unique challenge when it comes to cybersecurity.

More information

Cybersecurity and Nonprofit

Cybersecurity and Nonprofit Cybersecurity and Nonprofit 2 2 Agenda Cybersecurity and Non Profits Scenario #1 Scenario #2 What Makes a Difference Cyber Insurance and How it Helps Question and Answer 3 3 Cybersecurity and Nonprofit

More information

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

Standard for Security of Information Technology Resources

Standard for Security of Information Technology Resources MARSHALL UNIVERSITY INFORMATION TECHNOLOGY COUNCIL Standard ITP-44 Standard for Security of Information Technology Resources 1 General Information: Marshall University expects all individuals using information

More information

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services Forensic Technology & Discovery Services Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services Forensic Technology & Discovery Services EY s Forensic

More information

DeMystifying Data Breaches and Information Security Compliance

DeMystifying Data Breaches and Information Security Compliance May 22-25, 2016 Los Angeles Convention Center Los Angeles, California DeMystifying Data Breaches and Information Security Compliance Presented by James Harrison OM32 5/25/2016 3:00 PM - 4:15 PM The handouts

More information

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE Association of Corporate Counsel NYC Chapter 11/1 NYC BDO USA, LLP, a Delaware limited liability partnership,

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest? Data Privacy According to statistics provided by the Data Breach Level Index, hackers and thieves are stealing more than 227,000 personal records per hour as of 2017, generally targeting customer information

More information

Internet of Things Toolkit for Small and Medium Businesses

Internet of Things Toolkit for Small and Medium Businesses Your Guide #IoTatWork to IoT Security #IoTatWork Internet of Things Toolkit for Small and Medium Businesses Table of Contents Introduction 1 The Internet of Things (IoT) 2 Presence of IoT in Business Sectors

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary

More information

Data Privacy and Cybersecurity

Data Privacy and Cybersecurity Data Privacy and Cybersecurity Key Contacts Timothy C. Blank Boston +1 617 728 7154 Dr. Olaf Fasshauer National Munich +49 89 21 21 63 28 Joshua H. Rawson New York +1 212 698 3862 Translate Page In an

More information

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product. Isaca EXAM - CISM Certified Information Security Manager Buy Full Product http://www.examskey.com/cism.html Examskey Isaca CISM exam demo product is here for you to test the quality of the product. This

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

2017 RIMS CYBER SURVEY

2017 RIMS CYBER SURVEY 2017 RIMS CYBER SURVEY This report marks the third year that RIMS has surveyed its membership about cyber risks and transfer practices. This is, of course, a topic that only continues to captivate the

More information

Cyber Insurance: What is your bank doing to manage risk? presented by

Cyber Insurance: What is your bank doing to manage risk? presented by Cyber Insurance: What is your bank doing to manage risk? David Kitchen presented by Lisa Micciche Today s Agenda Claims Statistics Common Types of Cyber Attacks Typical Costs Incurred to Respond to an

More information

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Exam4Tests.   Latest exam questions & answers help you to pass IT exam test easily Exam4Tests http://www.exam4tests.com Latest exam questions & answers help you to pass IT exam test easily Exam : CISM Title : Certified Information Security Manager Vendor : ISACA Version : DEMO 1 / 10

More information

MITIGATE CYBER ATTACK RISK

MITIGATE CYBER ATTACK RISK SOLUTION BRIEF MITIGATE CYBER ATTACK RISK CONNECTING SECURITY, RISK MANAGEMENT & BUSINESS TEAMS TO MINIMIZE THE WIDESPREAD IMPACT OF A CYBER ATTACK DIGITAL TRANSFORMATION CREATES NEW RISKS As organizations

More information

Combating Cyber Risk in the Supply Chain

Combating Cyber Risk in the Supply Chain SESSION ID: CIN-W10 Combating Cyber Risk in the Supply Chain Ashok Sankar Senior Director Cyber Strategy Raytheon Websense @ashoksankar Introduction The velocity of data breaches is accelerating at an

More information

Symantec Business Continuity Solutions for Operational Risk Management

Symantec Business Continuity Solutions for Operational Risk Management Symantec Business Continuity Solutions for Operational Risk Management Manage key elements of operational risk across your enterprise to keep critical processes running and your business moving forward.

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

SEC Issues Updated Guidance on Cybersecurity Disclosure

SEC Issues Updated Guidance on Cybersecurity Disclosure February 27, 2018 SEC Issues Updated Guidance on Cybersecurity Disclosure On February 21, 2018, the Securities and Exchange Commission (the SEC ) issued an interpretive release providing Commission-level

More information

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating

More information

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

NYDFS Cybersecurity Regulations: What do they mean? What is their impact? June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing

More information

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17 GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive

More information

Executive Insights. Protecting data, securing systems

Executive Insights. Protecting data, securing systems Executive Insights Protecting data, securing systems February 2018 Protecting data, securing systems Product and information security is a combination of education, policies and procedures, physical security

More information

Cyber Attack: Is Your Business at Risk?

Cyber Attack: Is Your Business at Risk? 15 July 2017 Cyber Attack: Is Your Business at Risk? Stanley Wong Regional Head of Financial Lines, Asia Pacific Agenda Some common misconceptions by SMEs around cyber protection Cyber Claims and Industry

More information

CYBER INSURANCE: MANAGING THE RISK

CYBER INSURANCE: MANAGING THE RISK CYBER INSURANCE: MANAGING THE RISK LEON FOUCHE PARTNER & NATIONAL CYBERSECURITY LEAD BDO AUSTRALIA MEMBER OF THE GLOBAL CYBERSECURITY LEADERSHIP GROUP ii CYBER INSURANCE: MANAGING THE RISK There s no doubt

More information

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it

More information

Canada Life Cyber Security Statement 2018

Canada Life Cyber Security Statement 2018 Canada Life Cyber Security Statement 2018 Governance Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability

More information

Information Security Incident Response Plan

Information Security Incident Response Plan Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,

More information

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18 Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are

More information

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies

More information

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary Aon Client Data Privacy Summary Table of Contents Our Commitment to Data Privacy 3 Our Data Privacy Principles 4 Aon Client Data Privacy Summary 2 Our Commitment to Data Privacy Data Privacy Backdrop As

More information

Best Practices in ICS Security for System Operators

Best Practices in ICS Security for System Operators Best Practices in ICS Security for System Operators Introduction Industrial automation and control systems have become increasingly connected to internal and external networks. This exposure has resulted

More information

Managing Cybersecurity Risk

Managing Cybersecurity Risk Managing Cybersecurity Risk Maureen Brundage Andy Roth August 9, 2016 Managing Cybersecurity Risk Cybersecurity: The Current Legal and Regulatory Environment Cybersecurity Governance: Considerations for

More information

A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions

A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions May 2018 TMT INSIGHTS From the Debevoise Technology, Media & Telecommunications Practice A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions Companies in the technology, media

More information

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda Key Risks Incorporating Internal Audit Resources Questions 2 San Francisco

More information

Keys to a more secure data environment

Keys to a more secure data environment Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

Data Breach Preparation and Response. April 21, 2017

Data Breach Preparation and Response. April 21, 2017 Data Breach Preparation and Response April 21, 2017 King & Spalding Data, Privacy & Security King & Spalding s 60 plus lawyer Data, Privacy & Security ( DPS ) Practice is best known for: Experienced crisis

More information

Cyber Security Program

Cyber Security Program Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by

More information

Protecting your next investment: The importance of cybersecurity due diligence

Protecting your next investment: The importance of cybersecurity due diligence Protecting your next investment: The importance of cybersecurity due diligence Oct. 11, 2018 Baker Tilly Virchow Krause, LLP. All rights reserved. Baker Tilly refers to Baker Tilly Virchow Krause, LLP,

More information

Are we breached? Deloitte's Cyber Threat Hunting

Are we breached? Deloitte's Cyber Threat Hunting Are we breached? Deloitte's Cyber Threat Hunting Brochure / report title goes here Section title goes here Have we been breached? Are we exposed? How do we proactively detect an attack and minimize the

More information

EU General Data Protection Regulation (GDPR) Achieving compliance

EU General Data Protection Regulation (GDPR) Achieving compliance EU General Data Protection Regulation (GDPR) Achieving compliance GDPR enhancing data protection and privacy The new EU General Data Protection Regulation (GDPR) will apply across all EU member states,

More information

Bring Your Own Device (BYOD)

Bring Your Own Device (BYOD) Bring Your Own Device (BYOD) An information security and ediscovery analysis A Whitepaper Call: +44 345 222 1711 / +353 1 210 1711 Email: cyber@bsigroup.com Visit: bsigroup.com Executive summary Organizations

More information

THE CAN-SPAM ACT OF 2003: FREQUENTLY ASKED QUESTIONS EFFECTIVE JANUARY 1, December 29, 2003

THE CAN-SPAM ACT OF 2003: FREQUENTLY ASKED QUESTIONS EFFECTIVE JANUARY 1, December 29, 2003 THE CAN-SPAM ACT OF 2003: FREQUENTLY ASKED QUESTIONS EFFECTIVE JANUARY 1, 2004 This FAQ is not intended to provide specific advice about individual legal, business, or other questions. It was prepared

More information

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by

More information

Anticipating the wider business impact of a cyber breach in the health care industry

Anticipating the wider business impact of a cyber breach in the health care industry Anticipating the wider business impact of a cyber breach in the health care industry John Gelinne, Director Cyber Risk Services Deloitte & Touche LLP jgelinne@deloitte.com commodore_22 Hector Calzada,

More information

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination

More information

Hacking and Cyber Espionage

Hacking and Cyber Espionage Hacking and Cyber Espionage September 19, 2013 Prophylactic and Post-Breach Concerns for In-House Counsel Raymond O. Aghaian, McKenna Long & Aldridge LLP Elizabeth (Beth) Ferrell, McKenna Long & Aldridge

More information

Cybersecurity and the Board of Directors

Cybersecurity and the Board of Directors Cybersecurity and the Board of Directors Key Findings from BITS/FSR Meetings OVERVIEW Board directors are increasingly required to engage in cybersecurity risk management yet some may need better education

More information

CYBER RISK MANAGEMENT SERVICES Is Your Company Prepared for a Cyber Attack?

CYBER RISK MANAGEMENT SERVICES Is Your Company Prepared for a Cyber Attack? CYBER RISK MANAGEMENT SERVICES Is Your Company Prepared for a Cyber Attack? IDENTIFY PROTECT Senior Management and Board- Level Cyber Risk Consultation Cybersecurity Risk Assessment Cybersecurity Program

More information

Regulation P & GLBA Training

Regulation P & GLBA Training Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed

More information

Security and Privacy Governance Program Guidelines

Security and Privacy Governance Program Guidelines Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by

More information

SOC for cybersecurity

SOC for cybersecurity April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory

More information

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

10 Cybersecurity Questions for Bank CEOs and the Board of Directors 4 th Annual UBA Bank Executive Winter Conference February, 2015 10 Cybersecurity Questions for Bank CEOs and the Board of Directors Dr. Kevin Streff Founder, Secure Banking Solutions 1 Board of Directors

More information

G7 Bar Associations and Councils

G7 Bar Associations and Councils COUNTRY PAPER UNITED STATES G7 Bar Associations and Councils SEPTEMBER 14, 2017 ROME, ITALY The American Bar Association P R E F A C E As we have witnessed, cyber terrorism is an extremely serious threat

More information

Credit Card Data Compromise: Incident Response Plan

Credit Card Data Compromise: Incident Response Plan Credit Card Data Compromise: Incident Response Plan Purpose It is the objective of the university to maintain secure financial transactions. In order to comply with state law and contractual obligations,

More information

THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK 03 Introduction 04 Step 1: Preparing for a breach CONTENTS 08 Step

More information

GDPR: A QUICK OVERVIEW

GDPR: A QUICK OVERVIEW GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017 Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance

More information

What is Penetration Testing?

What is Penetration Testing? What is Penetration Testing? March 2016 Table of Contents What is Penetration Testing?... 3 Why Perform Penetration Testing?... 4 How Often Should You Perform Penetration Testing?... 4 How Can You Benefit

More information

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response Cyber Incident Response Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response 1 2 Today, no Canadian business is immune from a potential attack. It s no longer

More information

What to do if your business is the victim of a data or security breach?

What to do if your business is the victim of a data or security breach? What to do if your business is the victim of a data or security breach? Introduction The following information is intended to help you decide how to start preparing for and some of the steps you will want
