Cyber Risk Symposium. Secure your success.

Cyber Risk Symposium – Audience Q & A

Q&A with Greg Austin – Professor, Australian Centre for Cyber Security

Q: Greg showed us the cyber security 'flower' including the people element. I recall a statistic that around 60% of reported cyber-attacks are facilitated by poor user access controls & governance. If correct, surely this is a people issue as user access is well within our control should we choose to get it right. Thoughts?

A: The purpose of the flower is to reinforce the proposition that cyber security is all of the eight things. A serious executive or manager must understand how all eight things impact information security and systems security. That doesn’t mean we have answers for all problems in each of the eight areas.

Q: Can you translate that global threat picture to what it means for a) a larger Australian enterprise and b) a small to medium level Australian enterprise?

A: In reverse order, the impact for the smallest businesses is that they should follow maximum cyber hygiene (e.g. ASD Top 4), but are unlikely to have any defence at all against a determined attacker. The good news is that the risk of devastating attack on a small business is small, but the possible damages could still be very serious. Each small business needs to evaluate the specific risk and respond accordingly. What it means for the biggest corporations is much the same, only the absolute scale of the losses and the complexity of the defence tasks are much greater. For high value targets, such as banks, which have high volumes of turnover or trade (billions of dollars), the threats are even more diverse and more serious than for small players. The chances of a big bank being subject to a serious attack are far higher than for small businesses.

Q: You talked a lot about the global threat. How is the US government responding at the operational level in ways that affect the private sector?

A: The US government has dramatically escalated its investment in national cyber security policy just this year. It has made quantum leaps in all fields of policy. It is asking all corporations, government agencies and universities to do more and to do it more urgently.

Q: One of the challenges with the implementation of cyber security initiatives is the question that often arises around 'return on investment?' Often a company cannot see the importance of cyber security investment until/unless they are required to do so for regulatory reasons or if they have experienced, first hand, a cyber attack. How do you convince a company to invest in cyber security, particularly SMEs, when often they don't see the payoff?

A: The issues raised above speak to the challenge. In terms of practical actions, one technique is to circulate detailed case studies about the impact of attacks. There are not enough of these case studies in a good educational format for the various target audiences.

Q: Could you provide your views on the preparedness of those who protect our critical infrastructure - how does Australia compare to the rest of the world?

A: Australia is visibly behind the US and UK in its preparations for serious cyber emergencies involving our critical infrastructure. More detail is available on request. One quick test is for large corporations to ask themselves when they were last involved in a crisis exercise and when they did last see the written reports of the crisis exercises in which the Australian government has participated.

Q: What do you mean by the ecosystem and policy attack vector?

A: Ecosystem covers a multitude of factors, everything from the general organisational culture of your business to social attitudes about the value of information or the need for security. But ecosystem also refers to the legal criminal environment. An attack vector is simply a direction of attack. A corporation can suffer information integrity losses through any of the eight channels.

Q: Do you make use of public cloud storage systems such as Dropbox and iCloud and if not why not?

A: I personally have sufficiently low trust in all information systems I use that I commit no information of value to them that I can’t recover quickly. Not being in business and not dealing in confidential information, I can afford to do that. All systems I use have high vulnerability to compromise.

Q: Do you think it is economically viable to defeat cyber crime?

A: We can never defeat cybercrime. But the government and public need to know the scale of it, and in certain types of cybercrime, such as child sexual exploitation, ensure fast action and serious penalties for all offenders.

Q: Can you explain what a zero-day vulnerability is?

A: The term “zero day” vulnerability is a geeky word that disguises the fact that it is a fundamental security flaw in the basic product. It simply means a way of breaking into a machine because of security weaknesses in original code. Here is what one web-based source says: “A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.” “Zero day” means undiscovered until that day.

Q&A with Scott Thiel, Partner, DLA Piper

Q: How do law firms work with their customers to mitigate cyber risk considering the rapidly changing threat landscape?

A: DLA Piper has developed the CyberTrak product which provides our clients with a forward looking view of the changing cyber regulation landscape.

Q: Within corporates, are you seeing regulatory compliance falling to Legal office or Risk Office or Information office?

A: There has been some recent development in this area. While legal and compliance are still commonly responsible for this area, we are seeing some organisations appointing IT and HR personnel to the role of data protection officer.

Q: Cyber extortion and resultant bitcoin payments are often utilised for mitigation in the US. How does this work in Australia and the Asia Pacific region from a legal standpoint?

A: The primary legal concern with any payment made in an extortion circumstance is the risk of financing criminal or other illegal organisations.

Q: What are some steps or processes the entities can take to improve their business continuity plan and incident response plans?

A: Business continuity planning should include the development of a plan and regular testing of it. DLA Piper's Cybercert product offering sets out a number of key issues which should be included within the incident response plan including legal notification obligations, contract compliance response, evidence preservation and PR management.

Q: What are the legal implications of organisations making ransom payments - especially with regards to AML legislation and bribery act / FCPA?

A: The primary legal concern with any payment made in an extortion circumstance is the risk of financing criminal or other illegal organisations.

Q: Do you believe the current fines and penalties for data breaches in Australia to be too low? And is this part of the problem in cyber insurance penetration in Australia?

A: As in many jurisdictions around the world, privacy sanctions often appear too low given the severity of the potential consequences. As a result we have seen other regulators in areas such as financial services taking the lead on prosecutions. These regulators have much larger, and sometimes unlimited, potential sanctions. The situation will also develop after the EU implements the GDPR where fines can be based on a percentage of global turnover.

Q: In regards to law making, often it is not fast enough to keep up with the cyber landscape; is it better to keep it in broad terms in compliance and legislation?

A: Security standards are a good example of the challenge. Mandated specific security standards will be out of date before they are made law. However, generic concepts such as “adequate security standards” create uncertainty.

Q: What would be your top questions that you would seek to contract in a third-party agreement to mitigate cyber risk?

A: Liability for loss of or corruption to data.

Q: If an organisation was hacked in Australia, would you recommend calling the police or your lawyer first?

A: Your lawyer. They can then help you determine when and what to report to the relevant authorities.

Q: How does one determine the amount of damages (legally speaking) for a privacy breach?

A: In addition to traditional heads of damages such as pure economic loss, the emergence of liability for concepts such as injury to feelings is likely to make this a more complex question.

Q: Theft of PII of foreign tourists in Australia - which laws apply?

A: Generally it would be Australia, however some countries such as Singapore have laws which cover their citizens anywhere in the world.

Q: If an Australian business stores its data in another country and that data is breached, which laws apply?

A: It will depend on the specific facts, but it is likely the laws of both countries will apply.

Q: Does the accidental loss of a USB stick which carries personal information fall within the definition of a data breach? There is no guarantee it has been accessed or disclosed.

A: This is likely to amount to a data breach under the current proposed data breach laws in Australia.

Q&A with Tim Fitzgerald – Global Chief Security Officer, Symantec

Q: I was interested to hear you say that Symantec recently opted to purchase a cyber Insurance policy. How long were you considering doing so before you actually did and what was the ultimate deciding factor for you to buy that cyber Insurance policy?

A: From my perspective, Cyber Security Insurance is just another tool in my larger risk management toolkit. Though we invest time and treasure into making sure that negative events don’t happen in the first place, the reality is that humans are fallible, controls aren’t always implemented or don’t always work as we expect them to, and at a certain point there are diminishing returns from additional investment in preventative controls. That doesn’t mean that I accept that breach is inevitable necessarily, but rather that I have realistic expectations and knowledge of where and how things could go wrong. Insurance offers me an opportunity to maximize my risk management return on the next dollar spent once the returns on preventive controls and monitoring and response capabilities start to level off.

At present, the insurance industry collectively lacks the right data to be able to make accurate predictions (or bets) on where cyber security breach events are likely to occur and who represents a good bet or a bad one. Consequently, premiums and coverage are not rightly in line with the security capability of an organization. That actuarial data will perhaps come over time, but as the threat landscape and capability landscape keep shifting, this may mean that we never have sound actuarial data to support policy generation. As such, we have to look to non-traditional sources to try to ascertain risk and performance knowledge. Companies like Symantec have an opportunity to use our massive and diverse data sets to provide excellent indicators of systemic and specific risk factors in a way the insurance industry is unlikely to be able to do on their own.

Our decision to procure Cyber Security Insurance was largely driven by our board and the decision to move beyond self-insuring was largely driven by customer expectations.

Q: Tim, do you think the significant increase in zero day threats reflects lower quality products or better criminal analysis?

A: I think it is unlikely that the quality of code is getting worse and far more likely that adversaries are getting better at finding vulnerabilities in software. In addition to that, as the value of zero days has increased and as the ubiquitous software providers (think Acrobat or Office) are getting better at delivering secure code, lesser known or less widely distributed software providers are being subjected to scrutiny in a way that we have not historically seen.

Q: Tim, what is your view on the quality and availability of security professionals (people related question) to assist companies implementing their security strategy?

A: It’s no secret that we are seeing a global shortage in security talent. That shortage ranges from entry level employees to executive leadership and everything in between. That said, from my perspective we need to continue to seek out alternative sources of talent and to look to feed our own pipeline rather than expecting that there is some great glut of talent soon to arrive on the market. At Symantec we look to draw in folks with keen minds, adaptable skills and good technical foundations and we teach them security. From supporting programs to provide opportunities to underprivileged youth, to looking at non-traditional talent pools, to developing our own executive preparation methods, we are attempting to solve our own talent shortage problems rather than waiting for the market to do it for us.

Q&A with Kevin Kalinich – Global Practice Leader, Cyber Risk, Aon

Q: Cyber criminals like to brag and transact with each other on mainstream social media and much is publicly visible. Given this trend, do you see powerful social media monitoring solutions as critical 'early warning' mechanisms?

A: Absolutely of value, while not necessarily critical. These systems can be quite hit and miss so they are excellent as an additional information tool, but are not to be entirely depended on.

Q: How do you see the global insurance markets adapting to meet the challenge of evolving threats?

A: Slowly but effectively. We are seeing far more accessible products. They are more inclusive and more effective and continue to evolve as global understanding of the risks improves.

Q: How do you see the focus of Australian organisations and boards on cyber as compared to the rest of the world?

A: Australian boards are widely considered to be behind countries that have a similar take-up of information technology and security. There are many reasons for this; some are cultural, and a key reason is that they are not accountable due to a lack of mandatory data breach notification laws.

Q: Will we ever see personal cyber insurance, like life insurance?

A: Highly likely, especially in and around coverage for tools to prevent and companies to help when identity theft occurs.

Q: How many cyber incidents have occurred in Australia?

A: It is hard to ascertain the exact number. We do know that CERT Australia alone responded to 11,073 cyber security incidents in 2014 affecting Australian business.

Q: Which incidents are more frequent?

A: There are a lot of crypto locker and malware incidents - typically email and web borne. There is also a lot of phishing and whaling being reported consistently.

Q: Would compulsory data breach notification increase more insurance claims?

A: Yes, as there is a cost associated with cyber incidents which would only be incurred if there was compulsory notification. Compulsory notification will also increase the number of policies purchased across the board.

Q: Do cyber policies respond to extortion claims in bitcoins and how is settlement facilitated?

A: This has been seen in the US and the insurers have used a third-party partner to transact the bitcoins due to concerns about the security of that platform.

Q: How do you determine the correct limit of cyber insurance to buy? Many organisations are finding this challenging. For example, cyber non-damage business interruption.

A: Unless an organisation has a very clear concept of the scenarios that they are concerned about and a good understanding of what each of these scenarios will cost the business in the case of an incident, then it is difficult to have a clear concept around limits. In this circumstance we would recommend engaging with Aon’s Global Risk Consulting team to perform a Cyber Risk Profiling exercise. This will determine, amongst other things, overlaps in insurance and limit confidence levels.

Q: What do you say to the CFO or CISO who says "we don't need cyber Insurance, we specialise in technology and already have the best controls in place”?

A: No organisation is completely secure. Even the most secure organisations have had cyber incidents with substantial cost. Even if the systems are as secure as possible then there is still a people factor in terms of programmers, administrators and end-users. As I mentioned in my plenary session “clap, clap, clap… You are therefore better than Google, Apple, the FBI and NSA who employ thousands of security professionals and have been hacked.”

Q: Do you hear much activity about cyber risk specifically in the food industry? E.g. McDonald's, KFC. We talk about lawyers and insurers preventing cyber risk through policies and its impact on health and government, but what activity level is heard, or can we expect to see a change in target from one industry to another? E.g. from health to food. Especially with McDonald's having such a large database and sensitive information.

A: The short answer is yes, here are some interesting statistics for the food industry:

  • According to Trustwave’s 2013 Global Security Report, 24 percent of all reported data breaches occurred in the food and beverage industry, second only to retail
  • A breach at one restaurant chain between 2008 and 2011, for example, led to the stolen card data of more than 80,000 customers and was used to make millions in unauthorised purchases
  • According to Aon’s Global Risk Management Survey 2015 report, 6% of the respondents from the food processing & distribution industry had already purchased cyber insurance
  • However, 69% of respondents had neither purchased cyber insurance nor had plans to purchase. A significant portion of respondents (25%) had plans of buying cyber insurance

Q: Perception is Cyber insurance is expensive. If I don't understand the risk and believe the insurer is unlikely to pay, why should I buy?

A: It is key that organisations work with their brokers and insurers to understand exactly what a policy buys them. An effective policy will pay claims and the premiums will reflect the value of the policy during the incident and after. It is also normal to look at multiple policies from multiple insurers to address your organisational cyber risk and run scenarios past them.

Q: You mentioned that insurance for property damage due to cyber breach is not yet well developed. How far away is this?

A: It is already there in some policies but not yet an option in others, though we expect to see this soon.