Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties
Thursday, October 5, 2017

Presented by:
- Gerrit Nel, Senior Manager, Cyber Security, KPMG
- Sunny Handa, Partner, Montreal
- Cathy Beagan Flood, Partner, Toronto
- de Lobe Lederman, Associate, Calgary
Cyber Security Threat Landscape (Data Breaches)
Gerrit Nel, Senior Manager, Cyber Security
October 5, 2017
Agenda
- Threat Landscape (focus on data breaches)
- Cyber Defensible Position (manage threat risk and impact of breaches)

© 2017 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Cyber Security Threat Landscape: Incidents vs Breaches
We hear and talk a lot about cyber security incidents and breaches. What is the difference? Let's start with definitions:
- Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
- Breach: An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.
Cyber Security Threat Landscape: Global Study on Data Breaches
Source: Ponemon Institute, 2017 Cost of Data Breach Study
Cyber Security Threat Landscape: Mega Breaches and Attack Types (IBM)
Source: IBM X-Force Threat Intelligence Index 2017, March 2017
Cyber Security Threat Landscape: Mega Breaches and Attack Types (Verizon)
Source: Verizon 2017 Data Breach Investigations Report (10th Edition)
Cyber Security Threat Landscape: Notable Recent Data Breaches
2017: Canada is third in reported data breaches so far this year.

Canada
- National Bank of Canada (Sep 2017): A website error may have exposed the personal information of nearly 400 of its customers, including their names, birthdates, phone numbers and email addresses.
- Alberta Full House Lottery (Jan/Feb 2017): Multiple breaches, over 23,000 customers affected; PII and credit card records.
- WestJet (July 29, 2017): PII; profile data from the Customer Rewards Program.
- Cowboys Casino (June 2017): Patrons' information; a massive attack a year earlier (6.5 GB) revealed customer payouts, tracking of gambling habits and an elite members list.
- Alberta Medical Association (May 16, 2017): Data breach of AMA members' and staff data; virus infection (May 2017). The AMA advised affected individuals on how to sign up for Equifax Premium Credit monitoring services; it is now questioned whether they were further affected by the Equifax breach.
- University of Alberta (Nov 23, 2016): Over 3,000 students notified of a potential privacy breach; virus infections stole user IDs and passwords, leading to unauthorized access to systems.
- Ashley Madison (July 2015): In July 2017, agreed to pay $11.2 million to settle U.S. litigation over the 2015 data breach that exposed personal details of millions of users.

Globally
- Deloitte (Sep 25, 2017): Targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients.
- Equifax (May 2017): An unknown group successfully breached Equifax's online services by exploiting a vulnerability in its web servers. More than 143 million people's credit history and PII were exposed. Equifax Inc. has been providing regular updates about its privacy breach to the Office of the Information and Privacy Commissioner. The number of affected Albertans, if any, is not known at this time. Equifax Inc. and Equifax Canada have committed to notifying all affected Canadians in writing as soon as possible. The company will also offer free credit monitoring to affected individuals.
- Target (2013): Retail giant Target agreed in May 2017 to pay $18.5 million to settle claims by 47 states and the District of Columbia and resolve a multi-state investigation into a massive data breach in late 2013.
Cyber Security Threat Landscape: The Threat Actors
Resourcefulness refers to the Threat Actor's access to resources, characterized in terms of three levels of decreasing resourcefulness:
- Unconstrained (3): those whose financial resources for cyber-attacks are measured in multiple millions and/or who have significant human resources and can dedicate them to discovering or creating sophisticated vulnerabilities in systems;
- Constrained (2): those whose financial resources for cyber are measured in millions of dollars and/or who can develop their own tools to exploit publicly known vulnerabilities as well as discover new vulnerabilities;
- Limited (1): those attackers whose financial resources for cyber are measured in several thousands of dollars and/or who rely on others to develop the malicious code.
Source: Verizon 2017 Data Breach Investigations Report (10th Edition)
Cyber Defensible Position: The Need for a Cyber Defensible Position
We define a Cyber Defensible Position as a posture that you have implemented, given your organization's cyber security risks and threats, to significantly reduce the impact should a cyber security breach occur.

In the event of a breach, a good Cyber Defensible Position can provide:
- A reduction in the likelihood of fines from regulators or government bodies;
- A reduction in the backlash from customers or business partners who may otherwise take their business elsewhere;
- A reduction in the impact to share price and the reaction to this from shareholders;
- Less attention paid to your breach by the media; and
- Overall protection of your reputation.
Cyber Defensible Position: Establish a Cyber Defensible Position
There are a number of steps to take for achieving a good Cyber Defensible Position. The following table takes each of these in turn and summarizes the typical inputs, phase, status output and usual actions to take.

Row 1
- Board Questions: (1) What are the new cybersecurity threats and risks, and how do they affect our organization? (2) Is our organization's cybersecurity program ready to meet the challenges of today's (and tomorrow's) cyber threat landscape?
- Step: Risk Assessment; Capability Assessment and Security Testing
- Defensible Position Status: None → Defined
- KPMG Cyber Services Framework: PREPARE. Helps clients understand their vulnerabilities and improve their preparedness against cyber attack.

Row 2
- Board Question: (3) What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in cyber security?
- Step: Cyber Security Strategy and Program Plan
- Defensible Position Status: Created
- KPMG Cyber Services Framework: PROTECT. Helps clients design and implement their cyber defence infrastructure.

Row 3
- Step: Execute and verify progress (ongoing)
- Defensible Position Status: Achieved
- KPMG Cyber Services Framework: DETECT & RESPOND. Helps clients respond to and investigate cyber attacks.
Thank you
Gerrit Nel, Senior Manager, Cyber Security
403.691.7904
gerritnel@kpmg.ca
Directors' and Officers' Obligations and Liability
Presented by: Sunny Handa
Duty of Care
- Section 21 of the Canada Business Corporations Act (CBCA): directors and officers must exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances
- Equivalent requirement under provincial corporate law statutes
- Possible shareholder litigation against directors and officers for failing to properly discharge their duties
- D&O insurance is likely to limit or exclude cyber risk coverage
Steps Directors and Officers Can Take
- Establish an enterprise-wide information security team
- Prepare a data map and data risk analysis
- Provide cybersecurity awareness training
- Develop a vendor management program
- Develop an incident response plan
- Conduct an incident response drill
- Assess cyber liability insurance
Response Plan
Things to Consider When Developing a Response Plan
- Be prepared to act
- Retain experts
- Consider notification obligations and risks
- Ensure the communications strategy minimizes litigation risks
- Manage employee communications
- Maintain privilege
Ways to Reduce the Cost of a Breach
- $255: cost of a data breach per record
- $24 reduction per record: incident response team
- $15 reduction per record: employee training
- $11 reduction per record: board-level involvement
Statutory Data Breach Reporting Requirements: Alberta's PIPA vs. PIPEDA
Presented by: de Lobe Lederman
Data Breach Reporting
- Alberta is the only Canadian jurisdiction where data breach reporting is mandatory
- Changing soon: PIPEDA was recently amended, and breach reporting will soon be mandatory under PIPEDA as well
When/How to Report a Breach?
Under PIPA
- When? Real risk of significant harm
- How? Set out under the regulations
Under PIPEDA
- When? Real risk of significant harm (again)
- How? Set out under regulations (currently being finalized)
How to report is likely to be quite similar under PIPEDA to how it is under PIPA.
Notice to Commissioner (PIPA / PIPEDA)
Notice must include:
- Description of the breach
- Date of the breach
- Personal information involved in the breach
- Assessment of the risk of harm to affected individuals
- Estimate of the number of individuals at risk of significant harm
- Steps taken by the organization to reduce the risk of harm
- Steps taken by the organization to notify affected individuals
- Contact information of a person who can answer questions on the breach
Notice to Affected Individuals (PIPA / PIPEDA)
Notice must include:
- Description of the breach
- Date of the breach
- Personal information involved in the breach
- Steps taken by the organization to reduce the risk of harm
- Steps the individual could take to reduce the risk of harm
- Information about the individual's right to file a complaint
- Contact information of a person who can answer questions on the breach
- Toll-free number or email address for information on the breach
Possible Issues Under PIPEDA
- Notice to individuals must include information about the right to file a complaint: potential to encourage complaints/lawsuits?
- Record retention: organizations need to keep/maintain a record of every breach of security safeguards, and maintain such records for 2 years (per regulations); this covers not just breaches causing a real risk of significant harm, but is even broader
  - Risk of an offence under PIPEDA for failure to comply?
  - Impact on class actions? Producible to show a pattern of breaches/carelessness?
Mitigating Reputational and Litigation Risks
Presented by: Cathy Beagan Flood
Case Study: Target and Home Depot
"Why Home Depot is not the next Target" (CNN Money Stockswatch, Sept. 22, 2014)
Crisis Management Lessons
- Get in front
- Release an official statement early
- Modify pre-drafted statements
- Don't say more than you know
- Consult with counsel
Crisis Management Lessons (cont'd)
- Keep consistency in mind
- One spokesperson handles all inquiries
- Consider retaining a PR firm
Protecting Privilege
- Investigation work product is privileged if created at the direction of legal counsel
- Pre-existing documents are not privileged
What Should the Notice Say? Litigation Considerations
- Saying too much can be as problematic as saying too little
- Describe facts in a manner consistent with the level of certainty that they are accurate
- Content should be informed by a reasonable assessment of the risks to affected individuals
- Careful consideration should be given to which steps the notice recommends that the individual take
- Be careful not to include too much personal information in the notice (or to use a compromised system to deliver it)
The Litigation Threat Landscape
- Tort of intrusion upon seclusion
- Tort of public disclosure of private facts
- Negligence
- Breach of confidence
- Breach of contract
- Unjust enrichment/waiver of tort
- Vicarious liability for conduct of employees
Risk Mitigation Checklist

Pre-Breach
- Develop a formal information governance structure
- Establish an enterprise-wide information security team
- Prepare a data-flow map and data risk analysis
- Develop an incident response plan
- Provide privacy and security awareness training
- Develop a vendor management program
- Conduct an incident response drill
- Assess cyber liability insurance
- Limit collection and retention of personal information
- Conduct regular audits

Post-Breach
- Act promptly
- Follow the incident response plan
- Engage experts
- Investigate and contain the breach
- Maintain privilege
- Consider notification obligations
- Ensure the communications strategy minimizes litigation risks
- Manage employee communications
Questions?