CONFIDENTIAL
© Copyright Baker Botts 2015. All Rights Reserved.
Cybersecurity in the Middle East - Knowing
and Managing the Risks
Presentation to the American Chamber of Commerce, Bahrain
Abdullah Mutawi: Partner, Dubai
25 April 2017
CYBERSECURITY - SOME BASIC FACTS
THE THREAT ENVIRONMENT AND WHAT IS AT STAKE
Yahoo disclosed in March 2017 in a public filing that its
internal legal and executive team “did not properly
comprehend or investigate, and therefore failed to act
sufficiently upon” information that the company’s security
team had about ongoing breaches. The disclosure singled
out the company’s internal legal team, which reportedly had
“sufficient information to warrant substantial further
inquiry in 2014, and … did not sufficiently pursue it.”
Breaches are Bad for Business
The sequence of reported Yahoo breaches has already
led Verizon to renegotiate the price of its bid to acquire
Yahoo downward by $350 million. Other costs due to the
breach response were disclosed by Yahoo to be in the
range of $16 million in forensic and legal fees to date.
http://www.bakerbotts.com/ideas/publications/2017/03/yahoo-breach-results
Sale price of $4.8 billion reduced by 7.3%, or $350 million.
The cost of a cyber attack
What is at risk:
• High-value client data: banking, medical, HR information
• Ability to function: paralysis of organizational systems and CRM; remote control and disruption of physical systems
• Competitive advantage: trade secrets, personal intellectual property, proprietary information
Exposure (reputational, organizational, economic):
• Reputation
• Revenue / business interruption
• Damages and costs
• Fines
• Organizational value
Average cost of a data breach is > $6 million. In some cases it is much higher
Multiple Attacker Profiles
State Sponsored
• Many examples of suspected state-sponsored attacks on government and private sector assets
Organized Crime
• Fraud
• Identity theft
• Theft of money and/or valuable information
Hackers & Hacktivists
• Online civil disobedience - groups (e.g. Anonymous) and individuals
• Corporates and governments targeted - the objective is to embarrass
• Enormous proportion of all data thefts
Business Competitors
• Commercially sensitive data
• Trade secrets, new product launch dates, customer data, intellectual property
Insiders
• Deliberate or careless disclosure of commercially sensitive information
• Lost or stolen laptops and devices
Supply Chain
• Hardware installed in devices at source or en route to the end user
• Implanted chips can be activated remotely and used to control the device
Terrorists
• Many ways to use technology to recruit, gather intelligence, communicate and coordinate activity
• Cross-border targeting
Common Threat Vectors
DDoS attacks
• Saturation attacks in which so many external electronic communications are directed at an organizational system that it overloads
Phishing
• The attempt to acquire sensitive information or install malicious software by masquerading as a trustworthy entity in an electronic communication
SQL injection
• A code injection technique in which malicious SQL statements are smuggled into a query through untrusted input and used to extract (or alter) data in a database
Malware
• Software intended to damage or disable computer systems (e.g. computer viruses, worms, trojan horses, ransomware, spyware, adware)
Physical Access
• Ease of data transmission - e.g. email
• Ease of data transfer - e.g. USB devices
Spear Phishing
• An email that appears to be from an individual or business that you know and trust, but isn't
APTs
• A network attack in which an unauthorized person gains access to a network, establishes sufficient privileges and control to hide the penetration, and stays there undetected for a long period of time
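To make the SQL injection entry above concrete, here is an added example (not code from the presentation) in Python, using the standard-library sqlite3 module against a constructed in-memory table: the same lookup written with string concatenation and with a bound parameter, and what a classic tautology payload does to each. The table, its rows and the payload are invented for the demonstration.

```python
"""Added example: SQL injection against a constructed SQLite table.

The schema, rows and payload are made up for this demonstration; they are
not from the presentation.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table of constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1111"), (3, "carol", "9876")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller's input is spliced into the SQL text, so a
    quote character in the input ends the literal and the remainder is
    parsed as SQL."""
    sql = f"SELECT id, name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the input is bound as a parameter. The driver passes it
    as a value, never as SQL, whatever quotes it contains."""
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload: closes the string literal and appends a
# condition that is always true.
PAYLOAD = "x' OR '1'='1"


def demo() -> tuple:
    """Return (rows for an honest lookup, rows leaked by the payload through
    the vulnerable query, rows returned by the parameterized query)."""
    conn = make_db()
    honest = len(lookup_vulnerable(conn, "alice"))
    leaked = len(lookup_vulnerable(conn, PAYLOAD))    # whole table comes back
    safe = len(lookup_parameterized(conn, PAYLOAD))   # no customer has that name
    return honest, leaked, safe


if __name__ == "__main__":
    print(demo())
```

The vulnerable query turns the payload into `WHERE name = 'x' OR '1'='1'`, which matches every row; the parameterized one looks for a customer literally named `x' OR '1'='1` and finds none. The same contrast holds for every SQL driver that supports bound parameters.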
The Growing Business of Ransomware
SHAMOON 2
WHAT WE KNOW ABOUT THE RECENT ATTACKS IN KSA
Shamoon 2
• Multiple attacks occurred in November 2016 and January 2017
• Reportedly affected thousands of computers across multiple government and civil organizations in KSA and other GCC states
• Initial systems compromise took place weeks before the actual Shamoon deployment and activation were launched
• Initial point of compromise: a document containing a malicious macro that, when approved to execute, enabled C2 communications to the attacker's server and a remote shell via PowerShell
– PowerShell is a task automation and configuration management framework from Microsoft that lets administrators run administrative tasks on both local and remote systems. Initially a Windows-only component, PowerShell was made open-source and cross-platform on 18 August 2016
Shamoon is MALWARE designed to destroy computer hard drives by wiping the master boot record (MBR) and data irretrievably
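The chain just described (document macro, then PowerShell used for the remote shell and C2, then the wiper) leaves an early and cheap-to-detect trace: an Office application as the parent of a PowerShell or other scripting process, typically started hidden and with an encoded or download-cradle command line. The Python below is an added example, not code from the presentation or from the IBM X-Force analysis it cites; it scores constructed process-creation records (the same fields that Sysmon Event ID 1 and Windows Security event 4688 carry) and flags those at or above a threshold. Hostnames, paths, the record format and the command lines are invented for the demonstration.

```python
"""Added example: flag an Office application spawning a scripting shell.

The record format, hostnames and command lines below are constructed for
this demonstration; they are not telemetry from the Shamoon 2 incidents.
"""
import re
from dataclasses import dataclass

# Office binaries that should not be the parent of a shell on a user workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments typical of a macro-launched download or C2 stage.
SUSPICIOUS_ARGS = [
    # -e / -enc / -EncodedCommand followed by a long base64 blob
    re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    # download cradles
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    # hidden window
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    # profile bypass
    re.compile(r"-nop\b|-noprofile", re.I),
]


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> ProcEvent:
    """Parse one 'key=value|key=value' record (a constructed format; the
    same fields appear in Sysmon Event ID 1 and Windows event 4688)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(fields["host"], fields["parent"], fields["image"], fields["cmd"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score(ev: ProcEvent) -> int:
    """0 means nothing of note. The Office-to-shell parent/child pair alone
    scores 2; each suspicious command-line fragment adds 1."""
    s = 0
    if basename(ev.parent_image) in OFFICE_PARENTS and basename(ev.image) in SHELLS:
        s += 2
    s += sum(1 for pat in SUSPICIOUS_ARGS if pat.search(ev.command_line))
    return s


def detect(lines, threshold: int = 2) -> list:
    """Return (host, score) for every record at or above the threshold."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        s = score(ev)
        if s >= threshold:
            hits.append((ev.host, s))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Word launching a hidden, encoded PowerShell: the macro pattern
    r"host=WS01|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|cmd=powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    # An administrator's scheduled script: benign
    r"host=WS02|parent=C:\Windows\explorer.exe"
    r"|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|cmd=powershell.exe -File C:\scripts\backup.ps1",
    # Excel spawning cmd.exe with nothing else suspicious: still worth a look
    r"host=WS03|parent=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c dir",
    # Encoded command from a non-Office parent: one indicator, below threshold
    r"host=WS04|parent=C:\Windows\explorer.exe"
    r"|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|cmd=powershell.exe -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
]

if __name__ == "__main__":
    for host, s in detect(SAMPLE_EVENTS):
        print(f"{host}: score {s}")
```

On a real estate the parent/child rule alone is worth alerting on; the extra command-line indicators mainly help rank the queue. The encoded blob should also be decoded and kept with the alert, since that is where the C2 address usually lives.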
Shamoon 2 - Attack modalities
[Figure: Shamoon Attack - Logical Flow of Events, IBM X-Force IRIS, February 2017]
WHY CYBERSECURITY IS SUCH
A BIG LEGAL ISSUE
SOMEBODY IS GOING TO PAY FOR
THOSE LOSSES
Critical Data
• PII - Personally Identifiable Information
– Identity
– Credit card information
– HR, medical, travel
– Lifestyle
• Confidential or price-sensitive data
– Business secrets, financial data, technology and IP
– Data held with advisory firms*
– Cloud and connected data is now ubiquitous
The Panama Papers provided a tiny glimpse into a vast universe of
information that resides in a different location to its owners.
Critical Systems & Infrastructure
• Highly vulnerable infrastructure:
– Power generation / transmission / grid operations
– Other utilities - water treatment / telecommunications
– Transport networks - particularly automation of signaling and/or control
– Factories
– Refineries and other downstream production facilities
• Ubiquitous management of assets using computerized systems
• When safe function depends on system integrity (i.e. not losing control over assets) there remains huge vulnerability to kinetic attacks
• Rapid proliferation of the IoT and autonomous vehicles
– Proof-of-concept demonstrations - vehicles / aircraft
• Business disruption is also usually very expensive.
Legal relationships and obligations
[Diagram: a chain of Supplier - Organization - Customer - End User; each link carries Duties in one direction and an Obligation to Pay in the other, with the Insurer's position in the chain marked "?"]
Legal duties subsist in:
1. Contract
2. Tort
Legal relationships and obligations
[Diagram: the Organization's Board and Management facing Customers, Regulators etc and Shareholders, with the Insurer's position marked "?"]
Legal duties of directors and officers
The Five Key Principles
• Directors must approach cyber security as an enterprise-wide risk management issue, not just an IT issue.
• Directors should understand the legal implications of cyber risk as they relate to their company's specific circumstances.
• Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
• Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
• Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
National Association of Corporate Directors - Cyber-Risk Oversight Handbook, 2017
Cyber Risk Management
Information and Decision Flows
• Board / C-Suite: responsibility for organizational risk
• Management: responsible for allocating budget and setting strategy in management of organizational risk
• Operations: responsible for implementing risk management strategy
Flows between the tiers:
– Set priorities, risk appetite & budget
– Establish mechanisms and allocate responsibility
– Feedback on progress, changes in assets and vulnerability / threats
– Changes in current and future risk
COMPLIANCE AND THE
LEGISLATIVE ENVIRONMENT
Privacy, data protection and cyber crime legislation – how useful are our local laws?
• Well-developed cyber crime laws across the GCC and MENA
• Broadly, they prohibit activities undertaken on computers and networks including the internet.
• But:
– Who do they catch?
– What protection / redress do they provide?
• With a few specific sectoral exceptions, data protection laws are grossly under-developed in the GCC and MENA region. They rely on high-level principles of the right to privacy and provide penal sanction for dissemination or transfer without consent.
GDPR
• European General Data Protection Regulation
• Applies from 25 May 2018
• GDPR will apply beyond the borders of the EU!
• Overseas organizations which process personal information in connection with:
– the offering of goods or services to, or
– monitoring of the behavior of, data subjects (e.g. residents) who are in the European Union.
• Enormous potential punitive penalties for breaches, up to the greater of:
– €20m; or
– 4% of global annual turnover
LEGAL STRATEGY
HOW DOES IT FIT IN TO THE MULTI-
DIMENSIONAL, HOLISTIC AND
ENTERPRISE-WIDE APPROACH?
Legal cyber risk management strategy by itself has to be multi-dimensional
1. Compliance with applicable laws and regulations
– Data Protection laws (in as far as they exist)
– Cyber crime legislation
– Will your company be touched by GDPR?
2. Development of robust information-security policies and protocols
– HR
– Training
– Company policies and internal compliance / sanctions
3. Voluntary certification under international standards
4. Risk transfer in supplier and customer agreements
5. Cyber Insurance is a valuable tool
Security Audits
• A measurable technical assessment of a system's security
• Baseline for assessing the resources to be protected and what is available to protect them
• Needs to take into account where data is collected, stored, and transferred (cross-border data flows)
• Assess the type of data being collected and stored, and why
• An audit can often be part of the process of securing cyber security insurance
ASPECTS OF MANAGING
LEGAL RISK
WHAT COMPANIES AND
GOVERNMENT ENTITIES CAN DO
TODAY
Insider Risk
HR Policies & Integration
• Employment agreements:
– Require employees to sign enforceable nondisclosure or non-compete agreements to protect information post-termination
– Incorporate your comprehensive infosec policies
• Have and enforce strong password rules
• Be seen to take action as required, such as restricting someone's access to certain systems
• Do you have a CISO?
Information Security & Data Access Policies
• What are your employees allowed to access:
– Network / applications
– Data
– Physical access
– Locations
– Assets / equipment
– Portable storage devices
• Who implements information security and who tests it
• Separation of duties
• Conflicts of interest
Insider Risk
Travel Policies
• Theft of devices in transit
• Infection with malicious payloads while off site
• Both computers and mobile devices are potentially vulnerable
• Direct thefts of data (thefts of or from the devices)
• System incursions if they are reconnected to a network "at home"
• Ensure that any device traveling to certain countries is fully encrypted
• "Clean devices" for certain countries
Training of Employees
• Comprehensive training to explain threats to employees
• Document training and recipients:
– Recognition and avoidance of social engineering attacks
• Training should be combined with robust systems to intercept phishing and malware emails before they reach employees
• Test your employees
Managing Supplier Agreements
Business Processes
• HR / Payroll Management
• CRM Services / Call Centers
• Finance & Accounting Services
• Banking Services
• Advisory firms
• Due Diligence / Virtual Data Room
IT
• Data Centers & Cloud-based SaaS and data processing
• Network management / NOCs
• Managed Security Services
• Disaster Recovery / backup & storage services
• E-commerce enablers, payment processing
Managing Supplier Agreements
• Scrub your most important contracts
• Strong and enforceable choice of law, venue and limitation of liability provisions
• Warranties, indemnities and other tools for allocation of risk and responsibilities – include insurance
• Rights to audit counterparty compliance with its obligations, and documentation of audits
• The vendor's ongoing role in keeping systems secure
– Patching security vulnerabilities, including closing any backdoors
– SLAs to impose response times and responsibility allocation
• Impose continuous obligations – intrusion detection, constant monitoring, malware protection, internal access controls (e.g. role-based access), etc.
A few words on cyber security and M&A
• The Yahoo example highlights the profound impact breaches can have on M&A
• Questionnaires should focus on the Target's administrative, technical, and physical information security controls
• Successful information security programs are embedded within a broader corporate enterprise risk management approach. There is not much use spending money to secure the network when the server room can be accessed easily by an outsider
• Diligence for cybersecurity in M&A requires a mix of traditional and non-traditional tools
• Consider instances where diligence is being done on you
INCIDENT RESPONSE
LEGAL ASPECTS OF PLANNING,
TESTING & IMPLEMENTING AN
EFFECTIVE IRP
1. Developing and testing appropriate incident response plans
2. Internal and external communications strategies
3. Strategies to manage and contain legal liability in post-incident scenarios, such as actions to protect legal privilege
Incident Preparedness
Incident Response
• Identify the attack
• Mobilise key personnel
• Engage technical teams
• Engage counsel
• Remedy the cause
• Investigate
• Resolve breach
• Protect
• Recover
Continue Operations
• Resume operations ASAP
• Business interruption plans?
• Use back-up data centres?
Communications Plan
• Internal
– Notifying and involving all key personnel
– Management and strategic decision makers
– Investor relations
– Legal / PR
• Disclosure
– Do you have statutory obligations?
• Press and PR
– Reassure
– Restore confidence
Loss mitigation and preparing for claims
• Is there something you can do to mitigate loss:
– by your organisation
– by impacted third parties
• Timely engagement with insurers
• Have you had your counsel alongside from the outset?
• Involve counsel in your post-attack 'Hot Wash'
– Protecting privilege
– Preserving maximum flexibility of what you can assert and argue
bakerbotts.com
©Baker Botts L.L.P., 2017. Unauthorized use and/or duplication of this material without express and written
permission from Baker Botts L.L.P. is strictly prohibited. Excerpts and links may be used, provided that full and
clear credit is given with appropriate and specific direction to the original content.

Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

CYBERSECURITY - MANAGING LEGAL RISKS

  • 1. CONFIDENTIAL © Copyright Baker Botts 2015. All Rights Reserved. Cybersecurity in the Middle East - Knowing and Managing the Risks Presentation to the American Chamber of Commerce, Bahrain Abdullah Mutawi: Partner, Dubai 25 April 2017
  • 2. CYBERSECURITY - SOME BASIC FACTS: THE THREAT ENVIRONMENT AND WHAT IS AT STAKE
  • 3. Breaches are Bad for Business. Yahoo disclosed in March 2017 in a public filing that its internal legal and executive team “did not properly comprehend or investigate, and therefore failed to act sufficiently upon” information that the company’s security team had about ongoing breaches. The disclosure singled out the company’s internal legal team, which reportedly had “sufficient information to warrant substantial further inquiry in 2014, and … did not sufficiently pursue it.” The sequence of reported Yahoo breaches has already led Verizon to renegotiate the price of its bid to acquire Yahoo downward by $350 million: a sale price of $4.8 billion reduced by 7.3%, or $350 million. Other costs due to the breach response were disclosed by Yahoo to be in the range of $16 million in forensic and legal fees to date. http://www.bakerbotts.com/ideas/publications/2017/03/yahoo-breach-results
  • 4. The cost of a cyber attack. High-value client data: banking, medical, HR info. Ability to function: paralysis of organizational systems and CRM; remote control and disruption of physical systems. Competitive advantage: trade secrets, personal intellectual property, proprietary information. Exposure (reputational, organizational, economic): reputation; revenue / business interruption; damages and costs; fines; organizational value. Average cost of a data breach is > $6 million. In some cases it is much higher.
  • 5. Multiple Attacker Profiles. State sponsored: many examples of suspected state-sponsored attacks on government and private sector assets. Organized crime: fraud; identity theft; theft of money and/or valuable information. Hackers and hacktivists: online civil disobedience by groups (e.g. Anonymous) and individuals; corporates and governments targeted, with the objective of embarrassing them; an enormous proportion of all data thefts. Business competitors: commercially sensitive data; trade secrets, new product launch dates, customer data, intellectual property. Insiders: deliberate or careless disclosure of commercially sensitive information; lost or stolen laptops and devices. Supply chain: hardware installed in devices at source or en route to the end user; chips can be activated from anywhere and control the device. Terrorists: many ways to use technology to recruit, gather intelligence, communicate and coordinate activity; cross-border targeting.
  • 6. Common Threat Vectors. DDoS attacks: saturation attacks in which so many external electronic communications are sent that an organizational system overloads. Phishing: the attempt to acquire sensitive information or install malicious software by masquerading as a trustworthy entity in an electronic communication. SQL injection: a code injection technique in which malicious SQL statements are used to extract data from a database. Malware: software intended to damage or disable computer systems (e.g., computer viruses, worms, trojan horses, ransomware, spyware, adware). Physical access: ease of data transmission (e.g. email); ease of data transfer (e.g. USB devices). Spear phishing: an email that appears to be from an individual or business that you know and trust, but isn't. APTs (advanced persistent threats): a network attack in which an unauthorized person gains access to a network, establishes sufficient privileges and control to hide the penetration, and stays there undetected for a long period of time.
  • 7. The Growing Business of Ransomware
  • 8. SHAMOON 2 - WHAT WE KNOW ABOUT THE RECENT ATTACKS IN KSA
  • 9. Shamoon 2. Shamoon is malware designed to destroy computer hard drives by irretrievably wiping the master boot record (MBR) and data. Multiple attacks occurred in November 2016 and January 2017. They reportedly affected thousands of computers across multiple government and civil organizations in KSA and other GCC states. The initial systems compromise took place weeks before the actual Shamoon deployment and activation were launched. Initial point of compromise: a document containing a malicious macro that, when approved to execute, enabled C2 communications to the attacker’s server and a remote shell via PowerShell. (PowerShell is a task automation and configuration management framework from Microsoft enabling administrators to perform administrative tasks on local, remote and network devices. Initially a Windows component only, PowerShell was made open-source and cross-platform on 18 August 2016.)
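The initial-access chain on this slide (a macro-enabled document, then PowerShell reaching out to the attacker's C2 server) leaves a visible trace in process-creation telemetry: a scripting host whose parent process is an Office application. The Python below is an added example, not part of this deck or of any IBM X-Force material; it runs that check over a few constructed Sysmon-style events, and the field names, hostnames and command lines are assumptions made for the example.

```python
"""
Added example: flag PowerShell (or another scripting host) launched by an
Office application, the initial-access pattern described for Shamoon 2.
Events are reduced to key=value lines as a SIEM might export them; every
line below is constructed for this example, not taken from a real incident.
"""
import re
from typing import Dict, List, Optional

# Parent processes that should not normally spawn a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child images worth alerting on when the parent is an Office application.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Command-line switches that raise severity: hidden windows, no profile,
# encoded commands are typical of macro-launched PowerShell stagers.
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden",
                    "-windowstyle hidden", "-nop", "-noprofile")

# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS: List[str] = [
    r'ts=2017-01-23T09:14:02Z host=WS-0412 user=CORP\jdoe parent="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -nop -w hidden -enc QQBBAEEA"',
    r'ts=2017-01-23T09:14:05Z host=WS-0412 user=CORP\jdoe parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" cmd="WINWORD.EXE /n invoice.docm"',
    r'ts=2017-01-23T09:15:11Z host=SRV-DC01 user=CORP\svc_patch parent="C:\Windows\System32\services.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -File C:\Scripts\patch.ps1"',
    r'ts=2017-01-23T09:16:40Z host=WS-0199 user=CORP\asmith parent="C:\Program Files\Microsoft Office\Office15\EXCEL.EXE" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c powershell -File C:\Temp\update.ps1"',
]

# key=value pairs; a value is either "quoted, may contain spaces" or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dictionary."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert record for Office -> script host, else None."""
    parent = basename(event.get("parent", ""))
    child = basename(event.get("image", ""))
    cmd = event.get("cmd", "").lower()
    if parent not in OFFICE_PARENTS:
        return None
    # Either a script host directly, or any child that invokes PowerShell.
    if child not in SCRIPT_HOSTS and "powershell" not in cmd:
        return None
    severity = "high" if any(f in cmd for f in SUSPICIOUS_FLAGS) else "medium"
    return {"ts": event.get("ts", ""), "host": event.get("host", ""),
            "user": event.get("user", ""), "parent": parent,
            "child": child, "severity": severity}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over raw event lines and return the alerts in order."""
    alerts = (classify(parse_event(line)) for line in lines)
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'{alert["ts"]} {alert["host"]} {alert["user"]}: '
              f'{alert["parent"]} -> {alert["child"]} [{alert["severity"]}]')
```

In a real environment the same rule sits on Sysmon Event ID 1 or Windows Security 4688 data with parent-process fields enabled, and the two benign events show why the parent check matters: PowerShell by itself is everyday administration.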
  • 10. Shamoon 2 - Attack modalities. [Figure: Shamoon Attack — Logical Flow of Events, IBM X-Force IRIS, February 2017]
  • 11. WHY CYBERSECURITY IS SUCH A BIG LEGAL ISSUE - SOMEBODY IS GOING TO PAY FOR THOSE LOSSES
  • 12. Critical Data. PII - Personally Identifiable Information: identity; credit card information; HR, medical, travel; lifestyle. Confidential or price-sensitive data: business secrets, financial data, technology and IP; data held with advisory firms*; cloud and connected data is now ubiquitous. *The Panama Papers provided a tiny glimpse into a vast universe of information that resides in a different location to its owners.
  • 13. Critical Systems & Infrastructure. Highly vulnerable infrastructure: power generation / transmission / grid operations; other utilities - water treatment / telecommunications; transport networks - particularly automation of signaling and / or control; factories; refineries and other downstream production facilities. Ubiquitous management of assets using computerized systems. When safe function depends on system integrity (i.e. not losing control over assets) there remains huge vulnerability to kinetic attacks. Rapid proliferation of the IoT and autonomous vehicles; proof-of-concept demonstrations - vehicles / aircraft. Business disruption is also usually very expensive.
  • 14. Legal relationships and obligations. [Diagram: Supplier - Organization - Customer - End User, each link carrying Duties in one direction and an Obligation to Pay in the other; Insurer; two relationships marked "?".] Legal duties subsist in: 1. Contract 2. Tort
  • 15. Legal relationships and obligations. [Diagram: Organization surrounded by Customers, Regulators etc., Shareholders, Board and Management; Insurer; one relationship marked "?".]
  • 16. Legal duties of directors and officers - The Five Key Principles. 1. Directors must approach cyber security as an enterprise-wide risk management issue, not just an IT issue. 2. Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances. 3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas. 4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. 5. Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach. (National Association of Corporate Directors - Cyber-Risk Oversight Handbook, 2017)
  • 17. Cyber Risk Management - Information and Decision Flows. [Diagram] Board / C-Suite: responsibility for organizational risk. Management: responsible for allocating budget and setting strategy in management of organizational risk. Operations: responsible for implementing risk management strategy. Flowing down: set priorities, risk appetite & budget; establish mechanisms and allocate responsibility. Flowing up: feedback on progress, changes in assets and vulnerability / threats; changes in current and future risk.
  • 19. Privacy, data protection and cyber crime legislation - how useful are our local laws? Well-developed cyber crime laws across the GCC and MENA; broadly, they prohibit activities undertaken on computers and networks, including the internet. But: who do they catch? What protection / redress do they provide? With a few specific sectoral exceptions, data protection laws are grossly under-developed in the GCC and MENA region. They rely on high-level principles of the right to privacy and provide penal sanction for dissemination or transfer without consent.
  • 20. GDPR - European General Data Protection Regulation. Comes into force in May 2018. GDPR will apply beyond the borders of the EU: overseas organizations which process personal information in connection with the offering of goods or services to, or monitoring of the behavior of, data subjects (e.g. residents) who are in the European Union. Enormous potential punitive penalties for breaches: €20m, or 4% of global annual turnover.
  • 21. LEGAL STRATEGY - HOW DOES IT FIT IN TO THE MULTI-DIMENSIONAL, HOLISTIC AND ENTERPRISE-WIDE APPROACH?
  • 22. Legal cyber risk management strategy by itself has to be multi-dimensional. 1. Compliance with applicable laws and regulations: data protection laws (in as far as they exist); cyber crime legislation; will your company be touched by GDPR? 2. Development of robust information-security policies and protocols: HR; training; company policies and internal compliance / sanctions. 3. Voluntary certification under international standards. 4. Risk transfer in supplier and customer agreements. 5. Cyber insurance is a valuable tool.
  • 23. Security Audits: a measurable technical assessment of a system’s security; a baseline for assessing the resources to be protected and what is available to protect them; needs to take into account where data is collected, stored, and transferred (cross-border data flows); assess the type of data being collected and stored, and why; an audit can often be part of the process to secure cyber security insurance.
  • 24. ASPECTS OF MANAGING LEGAL RISK - WHAT COMPANIES AND GOVERNMENT ENTITIES CAN DO TODAY
  • 25. Insider Risk. HR policies & integration - employment agreements: require employees to sign enforceable nondisclosure or non-compete agreements to protect information post-termination; incorporate your comprehensive infosec policies; have and enforce strong password rules; be seen to take action as required, such as restricting someone’s access to certain systems; do you have a CISO? Information security & data access policies - what are your employees allowed to access: network / applications; data; physical access; locations; assets / equipment; portable storage devices. Who implements information security and who tests it: separation of duties; conflicts of interest.
  • 26. Insider Risk. Travel policies: theft of devices in transit; infection with malicious payloads while off site; both computers and mobile devices are potentially vulnerable; direct thefts of data (thefts of or from the devices); system incursions if they are reconnected to a network “at home”; ensure that any device traveling to certain countries is fully encrypted; “clean devices” for certain countries. Training of employees: comprehensive training to explain threats to employees; document training & recipients; recognition and avoidance of social engineering attacks; training should be combined with robust systems to intercept phishing and malware emails before they get to employees; test your employees.
  • 27. Managing Supplier Agreements. Business processes: HR / payroll management; CRM services / call centers; finance & accounting services; banking services; advisory firms; due diligence / virtual data room. IT: data centers & cloud-based SaaS and data processing; network management / NOCs; managed security services; disaster recovery / backup & storage services; e-commerce enablers, payment processing.
  • 28. Managing Supplier Agreements. Scrub your most important contracts: strong and enforceable choice of law, venue and limitation of liability provisions; warranties, indemnities and other tools for allocation of risk and responsibilities, including insurance; rights to audit counterparty compliance with its obligations, and documentation of audits. The vendor's ongoing role in keeping systems secure: patching security vulnerabilities, including backdoors; SLAs to impose response times and responsibility allocation; impose continuous obligations - intrusion detection, constant monitoring, malware protection, internal access controls (e.g. role-based access) etc.
  • 29. A few words on cyber security and M&A. The Yahoo example highlights the profound impact breaches can have on M&A. Questionnaires should focus on the target's administrative, technical, and physical information security controls. Successful information security programs are embedded within a broader corporate enterprise risk management approach: not much use spending money to secure the network when the server room can be accessed easily by an outsider. Diligence for cybersecurity in M&A requires a mix of traditional and non-traditional tools. Consider instances where diligence is being done on you.
  • 30. INCIDENT RESPONSE - LEGAL ASPECTS OF PLANNING, TESTING & IMPLEMENTING AN EFFECTIVE IRP
  • 31. Incident Preparedness. 1. Developing and testing appropriate incident response plans. 2. Internal and external communications strategies. 3. Strategies to manage and contain legal liability in post-incident scenarios, such as actions to protect legal privilege.
  • 32. Incident Response. Continue operations: identify the attack; mobilise key personnel; engage technical teams; engage counsel; remedy the cause; investigate; resolve the breach; protect; recover; resume operations ASAP; business interruption plans? use back-up data centres? Communications plan: internal - notifying and involving all key personnel, management and strategic decision makers, investor relations, legal / PR; disclosure - do you have statutory obligations?; press and PR - reassure, restore confidence. Loss mitigation and preparing for claims: is there something you can do to mitigate loss, by your organisation or by impacted third parties?; timely engagement with insurers; have you had your counsel alongside from the outset?; involve counsel in your post-attack 'hot wash'; protecting privilege; preserving maximum flexibility of what you can assert and argue.
  • 33. AUSTIN BEIJING BRUSSELS DALLAS DUBAI HONG KONG HOUSTON LONDON MOSCOW NEW YORK PALO ALTO RIYADH SAN FRANCISCO WASHINGTON bakerbotts.com ©Baker Botts L.L.P., 2017. Unauthorized use and/or duplication of this material without express and written permission from Baker Botts L.L.P. is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given with appropriate and specific direction to the original content.