This document contains a presentation on cybersecurity risks in the Middle East given by Abdullah Mutawi, a partner at the law firm Baker Botts. The presentation covers several topics:
- An overview of common cyber threats like data breaches, ransomware, and state-sponsored attacks. It also discusses the costs of cyber attacks for businesses.
- A case study on the Shamoon malware attacks against organizations in Saudi Arabia in 2016-2017.
- The legal responsibilities and obligations organizations have to protect data, systems, and infrastructure from cyber risks. This includes the duties of directors and officers.
- Compliance with privacy, data protection, and cybercrime laws, and how the new GDPR regulation
3. Breaches are Bad for Business
Yahoo disclosed in March 2017 in a public filing that its internal legal and executive team “did not properly comprehend or investigate, and therefore failed to act sufficiently upon” information that the company’s security team had about ongoing breaches. The disclosure singled out the company’s internal legal team, which reportedly had “sufficient information to warrant substantial further inquiry in 2014, and … did not sufficiently pursue it.”
The sequence of reported Yahoo breaches has already led Verizon to renegotiate the price of its bid to acquire Yahoo downward by $350 million. Other costs due to the breach response were disclosed by Yahoo to be in the range of $16 million in forensic and legal fees to date.
http://www.bakerbotts.com/ideas/publications/2017/03/yahoo-breach-results
Sale price of $4.8 billion reduced by 7.3% or $350 million.
4. The cost of a cyber attack
• High Value Client Data – banking, medical, HR info
• Ability to Function – paralysis of organizational systems and CRM; remote control & disruption of physical systems
• Competitive Advantage – trade secrets, personal intellectual property, proprietary information
Exposure – reputational, organizational, economic:
• Reputation
• Revenue / business interruption
• Damages & costs
• Fines
• Organizational value
Average cost of a data breach is > $6 million. In some cases it is much higher.
5. Multiple Attacker Profiles
State Sponsored
• Many examples of suspected state-sponsored attacks on government and private sector assets
Organized Crime
• Fraud
• Identity Theft
• Theft of money and/or valuable information
Hackers & Hacktivists
• Online Civil Disobedience - Groups (e.g. Anonymous) and individuals
• Corporates and governments targeted - objective is to embarrass
• Enormous proportion of all data thefts
Business Competitors
• Commercially sensitive data
• Trade secrets, new product launch dates, customer data, intellectual property
Insiders
• Deliberate or careless disclosure of commercially sensitive information
• Lost or stolen laptops and devices
Supply Chain
• Hardware installed in devices at source or en route to end user
• Chips can be activated from anywhere and control device
Terrorists
• Many ways to use technology to recruit, gather intelligence, communicate and coordinate activity
• Cross-border targeting
6. Common Threat Vectors
DDoS attacks
• Saturation attacks where so many external electronic communications cause an organizational system to overload
Phishing
• The attempt to acquire sensitive information or install malicious software by masquerading as a trustworthy entity in an electronic communication
SQL Injection
• A code injection technique in which malicious SQL statements are used to extract data from a database
Malware
• Software intended to damage or disable computer systems (e.g., computer viruses, worms, trojan horses, ransomware, spyware, adware).
Physical Access
• Ease of data transmission - e.g. email
• Ease of data transfer - e.g. USB devices
Spear Phishing
• An email that appears to be from an individual or business that you know and trust. But it isn't.
APTs
• A network attack in which an unauthorized person gains access to a network, establishes sufficient privileges and control to hide the penetration, and stays there undetected for a long period of time
9. Shamoon 2
• Multiple attacks occurred in November 2016 and January 2017
• Reportedly affected thousands of computers across multiple government and civil organizations in KSA and other GCC states
• Initial systems compromise took place weeks before the actual Shamoon deployment and activation were launched
• Initial point of compromise: a document containing a malicious macro that, when approved to execute, enabled C2 communications to the attacker’s server and remote shell via PowerShell
– PowerShell is a task automation and configuration management framework from Microsoft enabling administrators to perform administrative tasks on both local and remote network devices. Initially a Windows component only, PowerShell was made open-source and cross-platform on 18 August 2016
Shamoon is MALWARE designed to destroy computer hard drives by wiping the master boot record (MBR) and data irretrievably
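As an added example (not part of the Baker Botts deck), the following Python snippet shows how a defender can flag the initial-compromise step described above, an Office document's macro launching PowerShell, by scoring process-creation events. The event format, host names, file paths and command lines are constructed for illustration.

```python
# Added example: flag PowerShell / cmd launched by an Office application,
# the macro-to-shell step on the Shamoon 2 slide. Records are constructed
# in a simplified process-creation format (host, parent image, image, cmdline).
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Switches commonly seen when a script is run without the user noticing.
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop")


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    """Last component of a Windows path, e.g. C:\\...\\WINWORD.EXE -> WINWORD.EXE."""
    return path.rsplit("\\", 1)[-1]


def score_event(ev: ProcEvent) -> int:
    """0 = not an Office->shell launch, 1 = Office->shell, 2 = plus hidden/encoded flags."""
    if _basename(ev.parent_image).lower() not in OFFICE_PARENTS:
        return 0
    if _basename(ev.image).lower() not in SHELL_CHILDREN:
        return 0
    cmd = ev.cmdline.lower()
    return 2 if any(flag in cmd for flag in SUSPICIOUS_FLAGS) else 1


def find_macro_shell_launches(events):
    """Return (host, parent, child, score) for every event scoring above 0."""
    hits = []
    for ev in events:
        score = score_event(ev)
        if score:
            hits.append((ev.host, _basename(ev.parent_image), _basename(ev.image), score))
    return hits


# Constructed sample events (hypothetical hosts and paths, not real indicators).
SAMPLE_EVENTS = [
    ProcEvent("ws-0417", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"),
    ProcEvent("ws-0417", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),  # admin use, not flagged
    ProcEvent("ws-0522", r"C:\Program Files\Microsoft Office\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for hit in find_macro_shell_launches(SAMPLE_EVENTS):
        print("ALERT", hit)
```

A score of 2 (Office parent plus hidden or encoded switches) is the pattern worth paging on; a score of 1 is worth reviewing but occurs in some legitimate add-ins.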
10. Shamoon 2 - Attack modalities
[Figure: Shamoon Attack — Logical Flow of Events - IBM X-Force IRIS - February 2017]
11. WHY CYBERSECURITY IS SUCH A BIG LEGAL ISSUE
SOMEBODY IS GOING TO PAY FOR THOSE LOSSES
12. Critical Data
• PII - Personally Identifiable Information
– Identity
– Credit card information
– HR, medical, travel
– Lifestyle
• Confidential or price-sensitive data
– Business secrets, financial data, technology and IP
– Data held with advisory firms*
– Cloud and connected data is now ubiquitous
* The Panama Papers provided a tiny glimpse into a vast universe of information that resides in a different location to its owners.
13. Critical Systems & Infrastructure
Highly vulnerable infrastructure:
• Power generation / transmission / grid operations
• Other utilities - water treatment / telecommunications
• Transport networks - particularly automation of signaling and / or control
• Factories
• Refineries and other downstream production facilities
Ubiquitous management of assets using computerized systems: when safe function depends on system integrity (i.e. not losing control over assets) there remains huge vulnerability to kinetic attacks.
Rapid proliferation of the IoT and autonomous vehicles - proof-of-concept demonstrations on vehicles / aircraft.
Business disruption is also usually very expensive.
14. Legal relationships and obligations
[Diagram: Organization, Supplier, Customer, End User and Insurer, linked by Duties in one direction and an Obligation to Pay in the other; two of the links are marked “?”.]
Legal duties subsist in:
1. Contract
2. Tort
16. Legal duties of directors and officers
The Five Key Principles
1. Directors must approach Cyber Security as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
Source: National Association of Corporate Directors - Cyber-Risk Oversight Handbook, 2017
17. Cyber Risk Management - Information and Decision Flows
• Board / C-Suite - responsibility for organizational risk
• Management - responsible for allocating budget and setting strategy in management of organizational risk
• Operations - responsible for implementing risk management strategy
Downward flows (Board to Management to Operations): set priorities, risk appetite & budget; establish mechanisms and allocate responsibility.
Upward flows (Operations to Management to Board): feedback on progress, changes in assets and vulnerability / threats; changes in current and future risk.
19. Privacy, data protection and cyber crime legislation – how useful are our local laws?
Well-developed cyber crime laws across the GCC and MENA. Broadly, they prohibit activities undertaken on computers and networks including the internet.
But:
• Who do they catch?
• What protection / redress do they provide?
With a few specific sectoral exceptions, data protection laws are grossly under-developed in the GCC and MENA region. They rely on high level principles of the right to privacy and provide penal sanction for dissemination or transfer without consent.
20. GDPR
European General Data Protection Regulation - comes into force in May 2018
GDPR will apply beyond the borders of the EU! It applies to overseas organizations which process personal information in connection with:
• the offering of goods or services to data subjects who are in the European Union, or
• monitoring of the behavior of such data subjects (e.g. residents).
Enormous potential punitive penalties for breaches: €20m; or 4% of global annual turnover
21. LEGAL STRATEGY
HOW DOES IT FIT IN TO THE MULTI-DIMENSIONAL, HOLISTIC AND ENTERPRISE-WIDE APPROACH?
22. Legal cyber risk management strategy by itself has to be multi-dimensional
1. Compliance with applicable laws and regulations
– Data Protection laws (in as far as they exist)
– Cyber crime legislation
– Will your company be touched by GDPR?
2. Development of robust information-security policies and protocols
– HR
– Training
– Company policies and internal compliance / sanctions
3. Voluntary certification under international standards
4. Risk transfer in supplier and customer agreements
5. Cyber Insurance is a valuable tool
23. Security Audits
• A measurable technical assessment of a system’s security
• Base line for assessing the resources to be protected and what is available to protect them
• Needs to take into account where data is collected, stored, and transferred (Cross Border Data Flows)
• Assess the type of data being collected and stored and why
• Audit often can be part of a process to secure cyber security insurance
25. Insider Risk
HR Policies & Integration
• Employment agreements:
– Require employees to sign enforceable nondisclosure or non-compete agreements to protect information post-termination
– Incorporate your comprehensive infosec policies
• Have and enforce strong password rules
• Be seen to take action as required such as restricting someone’s access to certain systems
• Do you have a CISO?
Information Security & Data Access Policies
• What are your employees allowed to access:
– Network / applications
– Data
– Physical access
– Locations
– Assets / equipment
– Portable storage devices
• Who implements information security and who tests it
• Separation of duties
• Conflicts of interest
26. Insider Risk
Travel Policies
• Theft of devices in transit
• Infection with malicious payloads while off site
• Both computers and mobile devices are potentially vulnerable
• Direct thefts of data (thefts of or from the devices)
• System incursions if they are reconnected to a network “at home”
• Ensure that any device traveling to certain countries is fully encrypted
• “Clean devices” for certain countries
Training of Employees
• Comprehensive training to explain threats to employees
• Document training & recipients:
– Recognition and avoidance of social engineering attacks
– Training should be combined with robust systems to intercept phishing and malware emails before they get to employees
• Test your employees
28. Managing Supplier Agreements
• Scrub your most important contracts
• Strong and enforceable choice of law, venues and limitation of liability provisions
• Warranties, indemnities and other tools for allocation of risk and responsibilities – include insurance
• Rights to audit counterparty compliance with its obligations and documentation of audits
• Vendor’s ongoing role in keeping systems secure
– Patching security vulnerabilities and including backdoors
– SLAs to impose response times and responsibility allocation
• Impose continuous obligations – intrusion detection, constant monitoring, malware protection, internal access controls (e.g. role based access) etc.
29. A few words on cyber security and M&A
• The Yahoo example highlights the profound impact breaches can have on M&A
• Questionnaires should focus on the Target's administrative, technical, and physical information security controls
• Successful information security programs are embedded within a broader corporate enterprise risk management approach. Not much use spending money to secure the network when the server room can be accessed easily by an outsider
• Diligence for Cybersecurity in M&A Requires a Mix of Traditional and Non-Traditional Tools
• Consider instances where diligence is being done on you
31. Incident Preparedness
1. Developing and testing appropriate incident response plans
2. Internal and external communications strategies
3. Strategies to manage and contain legal liability in post-incident scenarios such as actions to protect legal privilege
32. Incident Response
• Identify the attack
• Mobilise key personnel
• Engage technical teams
• Engage counsel
• Remedy the cause
• Investigate
• Resolve breach
Continue Operations
• Protect
• Recover
• Resume operations ASAP
• Business interruption plans?
• Use back-up data centres?
Communications Plan
• Internal
– Notifying and involving all key personnel
– Management and strategic decision makers
– Investor relations
– Legal / PR
• Disclosure
– Do you have statutory obligations?
• Press and PR
– Reassure
– Restore confidence
Loss mitigation and preparing for claims
• Is there something you can do to mitigate loss:
– by your organisation
– by impacted third parties
• Timely engagement with insurers
• Have you had your counsel alongside from the outset?
• Involve counsel in your post-attack 'Hot Wash'
– Protecting privilege
– Preserving maximum flexibility of what you can assert and argue