Cyber Legislation Advances on the State and Federal Level

By Steven Caponi

Last year, cyber attacks on computer networks increased to a record level, doubling the number recorded in 2012. According to cybersecurity research firm FireEye, the rate of attacks on enterprises occurred every 1.5 seconds last year, up from once every three seconds the previous year. In the face of this onslaught, it is no surprise that government officials are taking steps to pass cybersecurity legislation. Unfortunately, if the recent announcements by Kentucky and Senator Mark Warner are a harbinger of things to come, it appears that inability of Congresses to enact comprehensive reforms will result in a patchwork of state and federal laws/regulations.

For its part, the Kentucky Senate passed a bill to improve security of personal data located on government computers. Known as House Bill 5, the legislation requires state agencies to better protect private information stored on government computers and also requires state and local government agencies to notify people within 35 days if their personal information is stolen or mishandled. House Bill 5 is a top priority of State Auditor Adam Edelen, who noted, “Every cybersecurity expert agrees that it’s not a matter of if agencies will be hacked. It is just a matter of when.” He further stated that, “From social security numbers, to tax returns, health records, to credit cards, governments possess more sensitive, private data than any other single entity.” These comments are likely a greater reflection on the past than a prediction of the future as a consequence of the 2012 incident when the Kentucky state finance cabinet accidentally posted Social Security numbers and sensitive information on its website.

House Bill 5 cleared the GOP-controlled Senate without opposition and received final approval from the Kentucky House on March 28. So far, the process has been described as bipartisan, and with 74 co-sponsors, a signature from the Governor appears to be a sure thing.

At the federal level, U.S. Senators Mark Warner (D-Va.) and Mark Kirk (R-Ill.) announced that they will introduce a bipartisan amendment creating a law enforcement partnership between the United States and Ukraine to combat cybercrime and improve cybersecurity. This amendment will be attached to an aid package intended to help bolster the Ukrainian government. At first blush, attaching an amendment to an aid package for Ukraine and limiting its focus to fostering cooperation between two countries may seem puzzling. But Ukraine is a known international haven for hackers, as evidenced by the data breach directed at millions of U.S. customers of Target and other leading American retailers. Both attacks were ultimately traced to cybercrime syndicates operating in Ukraine.

The Warner/Kirk amendment to the Ukraine aid bill proposes the following:

1) The initiation of formal U.S.-Ukraine bilateral talks on cybercrime to be followed by multilateral talks that include other law enforcement partners such as Europol and Interpol.

2) The establishment of a U.S. standing senior-level working group to conduct regular dialogue on cybercrime concerns and share best practices between law enforcement agencies in the U.S. and Ukraine.

3) The expansion of cyber law enforcement capabilities through a program with Ukraine that includes sending FBI agents to assist Ukrainian investigations and improve law enforcement cooperation.

4) Improved extradition procedures. There currently is no U.S.-Ukraine extradition treaty, which makes Ukraine a safe haven for operators of international cybercrime activities syndicates.

Sen. Warner stated in support of the amendment, “As the United States works to support this new Ukrainian government and as the Senate considers this significant Ukrainian aid package, we have an excellent opportunity to create new structures of cooperation that will better protect American consumers and businesses by working together to crack down on international cybercrime.”

“Our nation is one of the most frequently targeted countries for major cybercrimes and data breaches, accounting for nearly half of the $11 billion of losses on payment cards worldwide,” Sen. Kirk added. “Ukraine is a known hub for cybercrime, and the United States should work with the Ukrainian government to create a framework of cooperation to deter, prevent and counter these cyber criminals and ensure the safety of the newly formed Ukrainian government and financial system.

Whether the amendment remains part of the aid package and achieves positive results remains to be seen. But if it even slightly diminishes the ability of hackers to operate freely in Ukraine, it will be deemed a success.

SEC Cybersecurity Roundtable: Panel 4 – Broker-Dealers, Investment Advisers, and Transfer Agents

This post brings us to an overview of the final panel at today’s SEC Cybersecurity Roundtable. The panel began with a discussion on the nature of the cybersecurity risks faced by broker-dealers, and the steps taken by FINRA to address the issue. FINRA is in the process of developing protocols, particularly when dealing with personally identifiable information. To help develop these protocols, FINRA has been surveying broker-dealers to determine their areas of concern. Interestingly, broker-dealers are focused on (in order of importance): operational risks, insider risks, and hackers penetrating their systems.

The panel members representing investment advisors were primarily concerned with the potential takeover of a client account. Clearly, the notion of a hacker taking control of a trust account is a scary notion. Other areas of concern included activism through denial of service attacks on large financial institutions, and theft by individual employees. Asset managers recognize that cybersecurity and the threat of cyber attacks are not IT problems, but rather enterprise issues to be addressed at the highest levels. In particular, the panelists noted that wealth management firms receive a large volume of e-mails from consumer accounts that were taken over or compromised. This paradigm creates the risk of a very plausible scenario whereby a client seemingly sends a set of instructions, only to discover that it was an attempt at theft by a hacker.

All members of the panel acknowledged that one of the most significant issues facing financial services companies is the struggle to keep up with the changing face of cyber attacks. The rapidly expanding power of technology as well as the sophistication of hackers is allowing more people from around the globe to launch more robust attacks. In short, today’s solutions are useless for defending against tomorrow’s threats.

So, does size matter? With regard to broker-dealers, over 50% of registered broker-dealers are small businesses comprised of less than 10 employees. As a result, they are less prepared and more vulnerable than large financial institutions. While hackers are tempted to attack large companies because they possess more information—on a volume basis—the smaller companies present a softer target. Smaller companies may be an easy point of entry from which to work upstream to the larger institutions. This is exactly what happened in the case of the Target breach.

Raising a very interesting and troubling point, the panel delved into the move from fixed terminals to mobile devises. The venerable BlackBerry was designed from the outset to be highly secure; hence its broad enterprise acceptance. Today’s new phones—Android /IOS—are highly popular, but lack reliable security protocols. Yet, businesses are routinely launching new apps—ironically through these new, less secure mobile devices—to help facilitate consumers with managing their accounts. The need to grow market share and meet consumer demand versus the need for security will therefore continue to be a point of tension in today’s market.

So, where do we go from here? What should the SEC do or not do? The panel was looking for principle-based guidance and not proscriptive rules because hard and fast rules will be out of date almost immediately after they are issued due to the changing nature of the cyber threat. As a result, guidelines/principles/goals are more likely to be productive and permit companies to comply with the SEC while battling the cybersecurity threat.

Unanimity was achieved amongst the panel on the need to have clear guidelines for sharing threat information with the government while being simultaneously protected from legal liability. Members of the panel expressed the desire to have the various arms of the government (SEC, DHS, FBI, FTC, etc.) coordinate with one another in order to have a harmonious set of enforcement/regulatory regimes. Joining the loud chorus from the other panel discussion takeaways, it was noted that companies have a strong self interest in protecting themselves from cyber attacks, so they are looking for the government to help them and not treat them as a perpetrator.

Moderators: David Grim, Deputy Director, Division of Investment Management, James Burns, Deputy Director, Division of Trading and Markets, Andrew Bowden, Director, Office of Compliance Inspections and Examinations

Panelists:

  • John Denning, Senior Vice President, Operational Policy Integration, Development & Strategy, Bank of America/Merrill Lynch
  • Jimmie H. Lenz, Senior Vice President, Chief Risk and Credit Officer, Wells Fargo Advisors LLC
  • Mark R. Manley, Senior Vice President, Deputy General Counsel, and Chief Compliance Officer, AllianceBernstein L.P.
  • Marcus Prendergast, Director and Corporate Information Security Officer, ITG
  • Karl Schimmeck, Managing Director, Financial Services Operations, Securities Industry and Financial Markets Association
  • Daniel M. Sibears, Executive Vice President, Regulatory Operations/Shared Services, FINRA
  • John Reed Stark, Managing Director, Stroz Friedberg
  • Craig Thomas, Chief Information Security Officer, Computershare
  • David G. Tittsworth, Executive Director and Executive Vice President, Investment Adviser Association

 

SEC Cybersecurity Roundtable: Panel 3 – Key Market Systems

The third panel at today’s SEC Roundtable talked about the various issues related to key market systems, i.e., trading, exchanges, brokerage houses, etc. The panel noted throughout the discussion that financial firms are becoming technology firms, and that continuous cyber-hygiene is increasingly important.

Topic 1:  Common threats to securities market infrastructure

Primarily, the panel focused on the need to share information, and to declassify cyber attack information so that people can work together to tackle risks. Interestingly, no one really talked about what the common threats were. One panelist grouped them together—as does Richard A. Clarke, chairman of Good Harbor Security Risk Management and renowned cyber and homeland security expert—saying that the common threats are: criminal actors, whose objective is to steal money; hactivists, who have a political objective; espionage; and war-like actors, whose objective is to disrupt or degrade.

Topic 2:  Tackling the cyber risk   

The panel focused on structured risk assessments and the need to continually test plans and security measures. They also stressed the need to focus on the gaps to see where the weak points are. However, the panelists also noted the importance of balancing the risk with current business needs; they asserted that using both inside and outside experts would help in that endeavor. Additionally, they once again emphasized the need to bring everyone together to collaborate on cyber threats, awareness, and best practices.

The panelists then focused on insider vs. outside threats. While insider threats were once the main focus of cybersecurity, that is no longer the case. But, the panelists noted that insider threats are still an issue because the insider knows a lot more about how the systems and operations work, which allows the insider to present a higher risk. Further, if these insiders have or are given more access or vetting potential, they will have more opportunities to make a significant attack. In conclusion, there was consensus that there has to be strong internal controls in place to make sure one person can’t take down the whole system.

Topic 3: If an attack occurs, what information should be given to members?

The panelists noted this was a tricky area, stating that there is a tension between knowing a problem and its scope (which is only known at the end) versus an immediate need to know. The panelists agreed that a balance needs to be struck. You must provide notice to your clients, based on what you know, about what occurred. But, the facts are going to change as you uncover what really happened. Consequently, the initial disclosure is going to look quite different from what really happened. One panelists noted that you can’t tell completely, early.

Topic 4: How market systems approach cyber security?

The panelists mentioned a variety of tests that they perform, but they all stated that testing is a never-ending cycle. These tests include: vulnerability scans, source code testing, penetration tests, industry-wide tests, table top exercises, and standard operating procedure testing.

Topic 5: Disclosure of information on breaches

The panelists agreed that the need to share information was critical because if someone else is under a similar attack, it is important to know what is going on. Also, getting information back to the government is necessary because the same intrusion could be happening in other places. However, the panelists noted that disclosure issues raise lots of questions, and this needs to be debated further. Also, a panelist noted that the big exchanges around the world have good and common best practices, but the smaller ones don’t. There is a need to get this information to them because they have just as much risk, but not the information to help mitigate it.

At the conclusion, a question was raised by one of the panelists: What can the SEC do to help facilitate best practices? All of the panelists agreed that collaboration is key, i.e., sharing information and mutual training. Also, another panelist suggested that since everything is risk-focused, help could/should be given to help quantify these risks.

Moderator:  James Burns, Deputy Director, Division of Trading and Markets

Panelists included:

  • Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust and Clearing Corporation (DTCC)
  • Mark Graff, Chief Information Security Officer, NASDAQ OMX
  • Todd Furney, Vice President, Systems Security, Chicago Board Options Exchange
  • Katheryn Rosen, Deputy Assistant Secretary, Office of Financial Institutions Policy, Department of the Treasury
  • Thomas Sinnott, Managing Director, Global Information Security, CME Group
  • Aaron Weissenfluh, Chief Information Security Officer, BATS Global Markets, Inc.

SEC Cybersecurity Roundtable: An Overview of the Second Panel Discussion

Continuing our live updates from today’s SEC Cybersecurity Roundtable, below is an overview of the second panel discussion, which commenced at 11:15 a.m. EST and covered cybersecurity disclosure issues faced by public companies.

Topic 1: How do cybersecurity risks impact public disclosures and how have disclosures changed over time?

The panel noted that the nature of the cyber threat or attack will have an impact on whether a disclosure is made. For example, a company may not disclose an attack launched by a foreign government, especially when the company was notified of the attack by the government. Conversely, a disclosure is more likely to occur when a breach involves consumer or customer information.

Topic 2: Are cyber risks a unique threat from a disclosure standpoint?

The panel noted the SEC appears to apply a different standard when it comes to cyber risks as compared to other material risks.  This emphasis suggests the SEC will require more comprehensive disclosures.  For example, the SEC guidance discusses the need to disclose whether cyber insurance has been secured.

Topic 3: What is the level of board involvement?

The panel acknowledged that there has been an uptick in the level of attention from boards on the issue of cybersecurity. Boards are more focused on the nature, extent, and consequences of a cyber attack. Boards are also looking at the short, mid-, and long-term impact of a breach, and the company’s breach response. In other words, boards want to ensure that their breach response is conducted in a way that protects the company’s future performance.

There was a disagreement between panel members, however, on the level of board involvement. Several panelists suggested that boards should consider retaining members with cybersecurity expertise who can interact with management to control the threat. Others were concerned that boards may overstep the boundary of overseeing the company to running the company. In the end, all of the panelists agreed that the composition and structure of the board should be considered on a case-by-case basis.

Lastly, the panel discussed whether the audit committee is the right group to manage this risk. All of the panelists agreed that audit committees are becoming overworked and are the default committee for board issues. Although recognizing this problem, many on the panel believe that the audit committee is well positioned to manage cyber risks.

Topic 4: What do investors want to know?

Investor relation members of the panel want greater disclosure as to what information companies collect, how they use it, why it’s collected, how it’s maintained, and how long it’s maintained. The concern is that companies who possess greater amounts of information are more likely to be a target. Knowing this will allow investors to better determine the risk(s) possessed by specific companies.

Topic 5: What drives disclosure?

The panel agreed that securities laws are not the driver of cybersecurity disclosures. Rather, state laws and regulations are what most concern companies who are breached. If a breach is not public, companies are disinclined to disclose a breach due to the potential for lawsuits and regulatory scrutiny. If companies believe there is no obligation to disclose under state law, they will likely decide the breach was not “material” and not deserving of a disclosure under securities laws. Importantly, most companies believe they will be treated not as the victim of a breach, but rather as a perpetrator. These factors indicate why we only hear of breaches involving consumer information instead of breaches involving the theft of intellectual property or security protocols.

Topic 6:  Materiality: Black and White or Grey?

The SEC acknowledged that cyber risks are unique, and an unmovable definition of the term “materiality” is not necessarily useful. The SEC solicited input on how they can work with the private sector to develop a workable standard. Panel members suggested that investors should not focus on cyber risks, i.e., stock prices don’t take a real hit after a breach, so mandating more disclosures are not appropriate. A concern is that the increased disclosures will subject companies to expensive lawsuits and regulatory reviews, which do impact stock prices.

Moderator: Keith Higgins, Director, Division of Corporation Finance, SEC

Panelists:

  • Peter J. Beshar, Executive Vice President and General Counsel, Marsh & McLennan Companies, Inc.
  • David Burg, Global and U.S. Advisor Cyber Security Leader, PricewaterhouseCoopers LLP
  • Roberta Karmel, Centennial Professor of Law, Brooklyn Law School
  • Jonas Kron, Senior Vice President, Director of Shareholder Advocacy, Trillium Asset Management LLC
  • Douglas Meal, Partner, Ropes & Gray LLP
  • Leslie T. Thornton, Vice President and General Counsel, WGL Holdings, Inc. and Washington Gas Light Company

Live Updates of Today’s SEC Cybersecurity Roundtable

Today, the SEC is hosting a Cybersecurity Roundtable—in person and via webcast—to discuss cybersecurity and the challenges and issues it raises. The Roundtable will have four panels, each with distinguished panelists. We are blogging live to provide updates to our readers, so stay tuned throughout the day to get updates on each panel.

First Panel: “Cybersecurity Landscape”

The panelists began by generally discussing the three main areas of cybersecurity: the cyber attackers themselves, how to remain vigilant/incident management, and the ability to remain resilient against attacks. The panelists emphasized the importance of bringing everyone (agencies, government, and companies) together to thwart attacks. They noted that the private sector is at the front line for attacks and for defense.

Next, the panelists discussed the types of threats and challenges that companies currently face. They noted that although there have been a wide array of attacks, most of the focus, including the President’s focus, has been on critical infrastructure since it presents the gravest national danger.  Banking has been the most attacked industry, followed by energy, because they not only have a significant level of money involved, but also represent our nation. As a result, they noted that critical infrastructure is way ahead of most companies in their cybersecurity initiatives. Regarding the current challenges, companies should be looking to three questions:

  • How do I figure out what I really need to protect, since I can’t protect everything?
  • How do I manage access to my information by third parties, i.e., vendors and professional services?
  • How do I monitor what is supposed to be protecting the company?

The panel then focused on the board of directors, emphasizing that the board needs to be involved and that there needs to be continuous monitoring with a multi-layered approach. They noted that this will of course take a lot of work and people. Only 1% of boards have someone that is cyber proficient; as a result, the panelists focused on the importance of boards needing to know what questions to ask, having a plan in place, practicing that plan, and continually communicating with those dealing with cybersecurity issues. It was also noted that management needs to make sure that there is a culture in place so that everyone is part of the cyber risk plan because this is a business issue that requires a top-down approach. One panelist stated that boards with the best practices are getting outside expertise to deal with cybersecurity.

The panelists continued with a discussion on the state of preparedness. They again all focused on the need to share information, and that the financial services industry is probably the most advanced in cybersecurity. But, companies can never be 100% prepared, because there is always something new on the horizon. So, companies just have to stay on top of things and keep building safety devices, because “the DNA of a threat is never the same.”

Finally, the panel looked at protecting access and how to facilitate more productive dialogue between interested constituencies. The panelists talked about the Executive Order and the NIST Framework, noting that the NIST Framework is not a checklist per se because you can’t get “framework compliant.” And, right now, there are real barriers preventing government and the private sector from working together because of the lack of clarity on what information can be shared. Currently, companies do not share because they are afraid of incurring risks. The panelists discussed options for having an industry group that aggregates information and shares it with the industry anonymously, and the need to have legislation in place to determine when companies can share information without risk. The panelists stated that there are barriers to sharing on many levels: government to private sector; private sector to government; between government agencies; between governments; and between private sector companies. Barriers need to be identified in each lane of communication so they can be eliminated one by one. No one legislative solution will work.

The panelists concluded by focusing on the ever-evolving nature of the cyber threat: what is known today will be different from tomorrow. Thus, we should just go back to the basics—are we already thinking of our business preparedness in a way that we can get to the cyber problem before it becomes an issue?

Moderators:  Thomas Bayer, Chief Information Officer, Keith Higgins, Director, Division of Corporation Finance, James Burns, Deputy Director, Division of Trading and Markets

Panelists:

  • Cyrus Amir-Mokri, Assistant Secretary for Financial Institutions, Department of the Treasury
  • Mary E. Galligan, Director, Cyber Risk Services, Deloitte & Touche LLP
  • Craig Mundie, Member, President’s Council of Advisors on Science and Technology; Senior Advisor to the Chief Executive Officer, Microsoft Corporation
  • Javier Ortiz, Vice President, Strategy and Global Head of Government Affairs, TaaSera, Inc.
  • Andy Roth, Partner and Co-Chair, Global Privacy and Security Group, Dentons US LLP
  • Ari Schwartz, Acting Senior Director for Cybersecurity Programs, National Security Council, The White House
  • Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology
  • Larry Zelvin, Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security

SEC Sets Agenda and Identifies Panelists for Its Cybersecurity Roundtable

By Steven Caponi

In February, the U.S. Securities and Exchange Commission (“SEC”) announced its intention to hold a March 26, 2014 roundtable addressing cybersecurity issues facing market participants and public companies.  In the past few days, the SEC finally released the agenda and panelists for the roundtable.  The event will be held at the SEC’s headquarters in Washington, D.C., and is open to the public on a first-come, first-served basis.  For those unable to attend, the event will be broadcasted live on the SEC website and archived for viewing at a later time.

The full day event begins at 9:30 a.m., concludes at 3:00 p.m., and will be divided into four panels:

Panel 1—The cybersecurity landscape starts at 9:30 a.m. and will be moderated by Thomas Bayer, Chief Information Officer; Keith Higgins, Director, Division of Corporation Finance; and James Burns, Deputy Director, Division of Trading and Markets.

Panel 2—Cybersecurity disclosure issues faced by public companies starts at 10:40 a.m. and will be moderated by Keith Higgins, Director, Division of Corporation Finance.

Panel 3—Cybersecurity issues faced by exchanges and other key market systems starts at 12:45 p.m. and will be moderated by James Burns, Deputy Director, Division of Trading and Markets.

Panel 4—A discussion of how broker-dealers, investment advisers, and transfer agents address cybersecurity issues, including those involving identity theft and data protection will start at 1:45 p.m. This panel will be moderated by David Grim, Deputy Director, Division of Investment Management; James Burns, Deputy Director, Division of Trading and Markets; and Andrew Bowden, Director, Office of Compliance Inspections and Examinations.

The complete agenda and list of panelists for the roundtable can be viewed here.

Impact Of Data Disaster

disaster-recovery-infographic

Source: SingleHop

By Jeffrey Rosenthal

SingleHop, a leading global provider of hosted IT infrastructure and Cloud computing, created a cybersecurity infographic on what can happen to a business that experiences data loss.  Of note, SingleHop reports that 93% of businesses that lose their data center for ten (10) days go bankrupt within one year; 43% of businesses that experience a disaster never reopen; and that only 6% without a disaster recovery plan survive long-term. What makes such findings particularly troubling is the connection between data loss and an inability to continue operations—which enforces just how vital it is for companies of all sizes take appropriate measures to protect their data.  Indeed, nothing short of a company’s continued existence may be on the line when a data loss occurs.

Click here to view the infographic.

For more information on SingleHop, please visit: http://www.singlehop.com/cloud-hosting/

Can Commercial Airliners be Hijacked by a Cyber Attack?

post_planeBy Steven Caponi

The historical cause of airplanes being lost has been limited to operator error, a massive mechanical failure, weather, and a terrorist act. Technological advances, however, now require that we add to the list the potential for a cyber attack. This is not rank speculation, a conspiracy theory, or cyber hysteria. Rather, the potential for disabling a commercial aircraft using a cyber attack, while remote, is a fact well understood by both the Federal Aviation Administration (“FAA”) and the aviation industry. As the operation of planes—like everything else in society from cars to blenders—becomes more dependent on software and interconnectivity, the concept of a cyber attack on a commercial airplane should not be dismissed out of hand.  

Why consider a cyber attack? 

Start with the guidance offered by aviation and military defense experts. Last year, the North American Treaty Organization (“NATO”), the military organization whose essential purpose is to safeguard the freedom and security of most Western countries, held a meeting in Istanbul with senior executives from five international defense contractors to consider “[w]hat will be the biggest threats in the next 10 years?” Participants included aviation heavyweights Jeff Kohler, V.P. of International Business Development for Boeing, Steve Williams, President of Continental Europe for Lockheed Martin, and David Perry, Corporate V.P. for Northrop Grumman. This illustrious group concluded that, in light of computerization of important systems and the trend toward interconnectivity, the most significant threat was the potential for cyber attacks—in particular, attacks involving military/commercial/passenger aircraft.

Addressing the very topic of this article, Mr. Kohler acknowledged his company is “very concerned” about threats to software systems operating modern aircraft and the need for cyber protection. He then made two observations that, in light of current events, come across as ominous:

From our commercial aircraft side we’re very concerned about it. As commercial aeroplanes become more and more digital and electronic, we have actually started to put cyber protection into the software of our aeroplanes.

If they enter an airport environment, they are starting to exchange information and so we have to be able to protect the aircraft’s software itself, so there’s a lot of issues coming down the road just on cyber alone.

Driving home the point, Martin Hill, V.P. of Defence, EU, and NATO affairs for electronic systems company Thales, added: “Every single item that we have depends on cyber” and “[a]ll of our critical infrastructure is controlled by some sort of network. This has to be the area where we’re going to face problems and where we’ve got to spend a fortune.”

Mr. Kohler’s concerns are not surprising when one considers that in 2012, two Cambridge experts announced they had discovered a “back door” in a computer chip used in military systems and some newer passenger aircraft, which could allow the chip to be taken over via the Internet. A subsequent report by U.S. authorities found that a network in the cabin of the effected aircraft that were designed to give passengers Internet access could be used to access the aircraft’s control, navigation, and communication systems. For its part, Boeing indicated this security concern had been addressed before the official report was issued. In 2011, the threat of cyber terrorism was also the focus of the International Air Transport Association (“IATA”), which directed airlines to “remain on their guard” because cyber attacks poses “especially serious challenges for airlines that will be taking delivery of the new generation of aircraft.”

In addition to the observations discussed at the NATO Review in Istanbul and IATA guidance, on November 18, 2013, the FAA issued a “special condition” pertaining to  Boeing Model 777-200, -300, and -300ER series airplanes. The FAA action addressed modifications that enabled connections between systems accessible by passengers (in-flight entertainment networks) to previously isolated data networks/systems that perform the functions required for the safe operation of the airplane. The FAA noted that the modifications:

… may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants. This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance.

The potential to use in-flight entertainment systems to access previously secure core systems was troubling because airplanes at issue have fly-by-wire controls, software-configurable avionics, and fiber-optic avionics networks.

To address the vulnerabilities caused by the in-flight entertainment systems, the FAA required Boeing to ensure that:

… the design provides isolation from, or airplane electronic system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.

and

… appropriate procedures [be established] to enable the operator to ensure that continued airworthiness of the aircraft is maintained, including all post STC modifications that may have an impact on the approved electronic system security safeguards.

Note that these requirements apply only to the Boeing Model 777-200, -300, and -300ER series airplanes.

Unfortunately, as evidenced by the NATO Review and FAA action, when considering the cause of future plane crashes, cyber attacks will now be listed right alongside weather, mechanical failures, and human error. This means that the manufacturers and regulatory bodies responsible for the safety of air transportation must seriously focus on the potential for a cyber-hijacking and take all possible steps to prevent such a tragedy.

Dell Releases Significant Report on International Security Trends and Attitudes

dellreportBy Steven Caponi

Last month, the computer giant Dell released a report entitled “Protecting the Organization Against the Unknown: A New Generation of Threats.” The report, which is well worth a few minutes to read, was authored by the independent technology market research firm Vanson Bourne. Dell commissioned the report to examine how organizations are preventing security breaches as well as the degree to which IT security will be a priority over the next twelve months. The report analyzes the impact security breaches have had on various organizations and how organizations are protecting themselves from potential vulnerabilities associated with the adoption of BYOD, cloud, and increased Internet usage.

What makes this report particularly interesting is the breadth of survey participants, both numerically and geographically. The report reflects the results of 1,440 IT decision-makers from private sector organizations with 500 or more employees, as well as from public organizations with 500 or more end users. The interviewees were located in ten countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, India, Austria, and China. The survey topics included: IT Security in Organizations; Current Policies and Strategies; Responding to Security Threats; and Understanding the Threat.

Highlights from the report include:

  • Enterprises are spending an average of 17 percent of their IT budget on IT security. This focus on security is set to increase in the near future, as 86 percent of IT decision-makers surveyed report that their organizations will be prioritizing security over the next twelve months.
  • During the past year, security breaches cost respondent organizations an average of almost $1 million each.
  • Unsurprisingly, organizations are more likely to prioritize and commit resources to prevent breaches after they become a victim.
  • Appreciating the nature of the threat, 64 percent of the respondents were resigned to the fact that it is not a matter of if they will be breached, but when.
  • While 91 percent of those surveyed were hosting in the cloud and 93 percent adopted BYOD policies, only 46 percent implemented cloud security and 44 percent adopted policies for BYOD security.
  • 53 percent of survey participants see the government as an important partner in helping achieve operational security.

Click here for a copy of the full report.

The EC-Council Website Hacked; Hacker Posts Snowden’s Passport

ECHBy Elizabeth Sloan

EC-Council has been hacked, and its hacker isn’t keeping silent.  The hacker claims to have obtained copies of passports of law enforcement and military officials who signed up for the organization’s courses, which release could impact up to 80,000 individuals. 

EC-Council is a company that provides IT and security training and certification programs.  The organization has been controversial in that it provides courses and certifications for “ethical hacking.”   Notably, the US Department of Defense requires that its Computer Network Defense Service Providers take the EC’s “Certified Ethical Hacker” program.  The organization claims to have trained between 60,000- 80,000 individuals, including members from the FBI to IBM to the United Nations.

The hacker calls himself “Eugene Belford” – a throwback to the movie “Hackers”.  This past weekend, he defaced the EC’s website with documentation that Edward Snowden was trained by this company, posting Snowden’s passport on the website.   The hacker claims to also have all the passports and other personal information of those individuals certified by the EC, including law enforcement and military.

The hacker later posted on the defaced page the following:

“Defaced again? Yep, good job reusing your passwords morons jack67834#
owned by certified unethical software security professional
Obligatory link: http://attrition.org/errata/charlatan/ec-council/

-Eugene Belford

P.S It seems like lots of you are missing the point here, I’m sitting on thousands of passports belonging to LE (and .mil) officials”

The EC’s website is still currently unavailable, and the EC has yet to comment on the cyberattack.

Cybersecurity Trends for 2014

post_lockBy Steven Caponi

Nearly 100 million retail customers had their personal information stolen this past holiday season, signaling that cyber crime is becoming more pervasive, its perpetrators more sophisticated, and the harm it causes (to both individuals and companies) harder to calculate. Companies are adopting policies to prevent and respond to cyber attacks, but before they can agree and implement defensive measures or best practices, those perpetrating cyber attacks are diligently working to circumvent the defensive measures and expand into completely new areas.  Thus, companies must keep a vigilant eye on both yesterday’s attack and the emerging threat that may not materialize for another six months to a year.

For more information about this issue, as well as the cybersecurity landscape in 2014, visit Corporate Compliance Insights to read a recent article authored by me and Michael Iannucci.

NIST Releases Final Framework For Improving Critical Infrastructure Cybersecurity

post_atBy Steven Caponi

The White House released today the long-awaited voluntary guidelines intended to encourage companies operating in critical infrastructure sectors to adopt policies to better protect themselves from cyber attacks.  The standards were developed through a collaborative process involving the National Institute of Standards and Technology (“NIST”) and critical infrastructure companies such as those involved with energy, transportation, communication, and banking.

The guidelines are formally known as the “Framework for Improving Critical Infrastructure Cybersecurity” (the “Framework”).  In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which called for the development of a voluntary, risk-based Cybersecurity Framework—i.e., a set of standards, guidelines, and practices to help organizations manage cyber risks. The resulting Framework announced today is intended to carry-out the objectives of the Executive Order by providing a common language to address and manage cyber risk in a cost-effective way without placing additional regulatory requirements on businesses.  The ultimate goal is to provide companies overseeing the nation’s crucial infrastructure with a blueprint for identifying potential threats, protecting themselves from cyber attacks, and quickly recovering if an attack occurs.

In a statement, Obama warned that cyber threats “pose one of the greatest national security dangers that the United States faces,” echoing the recent judgment of major U.S. intelligence agencies.  “While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said. “America’s economic prosperity, national security and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure and reliable Internet.”

The Framework does not mandate specific security controls, but instead are intended to provide guidance for detecting and responding to attacks, mitigating fallout from cyber incidents, and managing overall cyber risks.  A key objective of the Framework is to provide a common language and mechanism for organizations to:

  • Describe their current cybersecurity postures
  • Describe their target states for cybersecurity
  • Identify/prioritize opportunities for improved risk management
  • Assess progress toward a target state
  • Foster communication among internal and external stakeholders

Department of Homeland Security (“DHS”) chief Jeh Johnson also announced on Wednesday that the DHS was starting a program to help companies implement the Framework.  The government is not, however, providing any tax breaks or other incentives to encourage the adoption of the Framework.  The White House is instead going to rely on companies having a sense of self-preservation, as well as a strong desire to avoid being victimized by a cyber attack and managing the resulting law suits that will surely follow.

For a more comprehensive discussion of the NIST Framework and its anticipated impact on companies that are both inside and outside of critical infrastructure sectors, please read this recent article.

Cybersecurity—Hitting Too Close To Home

post_bombBy Steven Caponi

Last week, I was faced with yet another Friday filing deadline in my local federal district court.  By 6:30 p.m., the only thing standing between me and a much needed weekend was hitting the proverbial “Send” button to complete my filing.  For some unknown reason, however, I could not complete the filing and eventually lost my connection to the court’s electronic filing system, commonly known as PACER.  The start of my weekend quickly went from thoughts of a nice dinner with my wife, to mild panic over possibly missing a court-ordered deadline—not to mention the subsequent embarrassment of explaining to the other counsel involved in the case that I was incapable of completing a routine filing.  Close to midnight, I was able to access PACER and complete the filing just under the wire.

The following Monday, I entered the office committed to finding out what technical glitch in my Firm’s software had ruined my Friday evening.  Much to my surprise, I learned that the problem was not due to issues with our software, but rather due to a group called the European Cyber Army, who decided to scuttle my weekend by shutting down the federal judiciary’s websites.   A tweet from the group stated, “Government of the United States of America: We have taken the Liberty of Nuking your Court’s Website!”  Known for distributed denial-of-service (“DOS”) assaults, the group claims to have attacked the websites of the Syrian and Pakistani national governments, Asian and European banks, the State of Nevada, online document sharing site Scribd.com, and Craigslist Inc.

The DOS assault on PACER overwhelmed the system and resulted in communications slowing down to a snail’s pace before the subsequent termination of the connection.  Once the attack was noticed by the judiciary, the PACER system placed a warning on its website and a prerecorded message on its telephone hotline.  But, there were mixed messages as to whether or not the outage was caused by a cyber attack.    Almost immediately, a spokesman for the Administrative Office of the U.S. Courts stated the service problems were caused by a DOS attack and referred to the incident as a “national cyber attack on the judiciary.”  The FBI, however, told the Wall Street Journal that the problems with PACER were caused by technical issues in federal court computers rather than by a cyber attack.  The FBI quickly backtracked from this statement on Saturday and indicated it was “reassessing” its initial conclusion.

With the confusion caused by contradictory statements by the FBI and Administrative Office of the Courts, it is unclear whether the European Cyber Army launched its DOS attack on PACER to send a message to the American judiciary or if it was done specifically to scuttle my Friday dinner plans.  I do know, however, that despite extensively advising others on the need for increased cybersecurity, I did not anticipate becoming a victim myself.  All joking aside, the attack on PACER highlights several important points: (1) you never know when a cyber attack will occur; (2) the targets of cyber attacks are often chosen at random; and (3) as we increasingly transition into a society where even mundane functions (like filing scheduling order) are done electronically, cyber attacks will ensnare an increasingly larger portion of our population.

Denial of Coverage Under CGL Policy Affirmed by Connecticut Appeals Court in IBM Data Breach

By Jennifer Daniels

I often advise clients on security incidents involving the loss of a portable device that contains personally identifiable information.  We frequently have a conversation about what to do if a device is misplaced but there is no evidence that it is in the hands of a wrongdoer or that the data on the device have even been accessed.  The law may require companies to notify individuals of the incident anyway, and often companies want to notify the individuals and take steps to mitigate potential harm.  So, substantial costs may be incurred by companies before any suit is filed against them.  Does your insurance policy cover those mitigation costs if no lawsuit is ever filed?

Recall Total Information Management, Inc., et al. v Federal Insurance Company, et al., __ Conn. App. ___, 2014 WL 43529 (Conn. App. Ct. Jan 14, 2014) involved a dispute over coverage under the personal injury clause of a commercial general liability policy that arose from the theft of electronic storage tapes when an IBM subcontractor transporting those tapes suffered a traffic incident.  The tapes contained personally identifiable information about approximately 500,000 IBM employees and former employees.

In 2003, Recall entered into a contract with IBM where Recall agreed to transport and store various electronic media for IBM.  Recall subsequently entered into a subcontract with Executive Logistics (Ex Log) to provide the transportation services.  The subcontract required Ex Log to maintain $2 million commercial general liability policy and a $5 million umbrella liability policy naming Recall as an additional insured.  Federal Insurance issued those policies.

In February 2007, Ex Log was transporting IBM computer tapes in a van, and a cart containing the tapes fell out of the back of the van.  The tapes were removed from the scene by an unknown person and were not recovered.  The tapes included social security number, names, and birthdates of 500,000 individuals.  IBM took steps to notify the affected individuals, established a call center, and offered a one year credit monitoring service to the individuals potentially impacted by the incident.  IBM incurred more than $6 million in expenses for these mitigation measures, and settled with Recall for the full amount of those losses. Recall then sought indemnification from Ex Log, and Ex Log filed claims against its insurance policy.  Federal Insurance denied coverage.  The plaintiffs brought an action against the insurer claiming breach of an insurance contract.  The trial court concluded that the plaintiffs’ losses were not covered under either the property damage or the personal injury provisions of the policy.

On appeal, the plaintiffs argued that the trial court erred in finding that (1) the defendants did not have a duty to defend, and (2) the loss of the tapes did not constitute a personal injury.  The Connecticut appeals court ruled against the plaintiffs.

First, the policy at issue provides that the insurer had a right and duty to defend the insured against a suit, but the policy defined a “suit” as a civil proceeding, including arbitration or a dispute resolution proceeding.  The plaintiffs claimed that they engaged in negotiations with IBM for over two years and that the insurer failed to defend them in those negotiations.  But the appellate court found that those negotiations are not the same as a “suit,” as defined in the policy.

Next, the appellate court addressed whether the trial court erred in its interpretation of the policy.  The plaintiffs argued that (1) the loss of the tapes constituted the personal injury as defined by the policy, and (2) the loss of the tapes triggered the remedial provisions of certain state privacy laws, such that personal injury can be presumed.  The appellate court disagreed.

The policy defines ‘‘personal injury’’ as: ‘‘injury, other than bodily injury, property damage or advertising injury, caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right to privacy.’’ (Emphasis added.)  The plaintiffs argued that the information on the tapes was “published” to the thief thereby subjecting the plaintiffs to liability for the cost of notifying the individuals and providing the credit monitoring service.  However, the court found no evidence that the information on the tapes had been published to the thieves.  There was no evidence that the information on the tapes was ever communicated to anyone, and no evidence that any employee or former employee of IBM was harmed due to any such improper access.

Keep in mind that insurance policies are interpreted by courts in the same manner as contracts.  The court will look to the precise language of the policy to determine what is covered.  Accordingly, it is critical that companies scrutinize their policies to identify if there are gaps in their coverage.

Accretive Health Settles FTC Charges that it Failed to Adequately Protect Consumers’ Personal Information

By Jennifer Daniels

Accretive Health, Inc. (“Accretive”) is a service provider for hospital systems nationwide, providing services related to the hospital systems’ revenue cycle operations.  In providing these services, Accretive obtains sensitive health information about its customers’ patients.  Accretive suffered a security breach that resulted in the exposure of sensitive, personally identifiable information for about 23,000 individuals.  As is often the case, that breach resulted in a complaint from the government.

Of course, Accretive’s clients are Health Insurance Portability and Accountability Act (“HIPAA”)-covered entities and Accretive is a business associate under HIPAA.  But this investigation was not a HIPAA investigation, but rather the claims made by the Federal Trade Commission (“FTC”) were under the FTC Act.  HIPAA-covered entities and their business associates should keep in mind that HIPAA compliance is not their only regulatory obligation to maintain the security of personal information.

The FTC argued that Accretive failed to provide reasonable and appropriate security for consumers’ personal information, which Accretive collected and maintained by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access.  The FTC claimed that, among other things, Accretive:

  • transported laptops containing personal information in a manner that made them vulnerable to theft or misappropriation;
  • failed to adequately restrict access to, or copying of, personal information based on an employee’s need for information;
  • failed to ensure that employees removed information from their computers for which they no longer had a business need; and
  • used consumers’ personal information in training sessions with employees and failed to ensure that the information was removed from employee computers after the training.

Accretive’s failures resulted in a July 2011 incident in Minneapolis, Minnesota in which an Accretive laptop containing 600 files related to 23,000 patients was left in the locked passenger compartment of an employee’s car and was stolen.  The laptop included sensitive personal and health information, including names, dates of birth, billing information, diagnostic information, and social security numbers.  The user of the laptop had data that was not necessary to perform his job.

The FTC argued that the failure by Accretive to employ reasonable and appropriate measures to protect personal information from unauthorized access was an unfair act or practice in violation of Section 5(a) of the FTC Act.

On January 13, the FTC published a notice in the Federal Register that the FTC had accepted, subject to final approval, a consent order applicable to Accretive.  The Proposed Order requires Accretive to establish and maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information.  The program must contain administrative, technical and physical safeguards appropriate to Accretive’s size and complexity, the nature and scope of its activities, and the sensitivity of the information it collects about consumers.  Specifically, the Proposed Order requires Accretive to:

  • designate an employee or employees to coordinate and be accountable for the information security program;
  • identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of information, and assess the sufficiency of any safeguards in place to control these risks;
  • design and implement reasonable safeguards to control the risks identified through risks assessment, and regularly test or monitor the effectiveness of the safeguards key controls, systems, and procedures;
  • develop and use reasonable steps to select and retains service providers capable of appropriately safeguarding personal information they receive from Accretive, and require service providers by contract to implement and maintain appropriate safeguards; and
  • evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to operations or business arrangement, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Companies handling sensitive personal information are advised to review the types of security measures that the FTC includes in these types of consents because they give companies a checklist of the measures that the FTC will expect to be in place at companies handling similar types of data.

In Accretive’s case, the Proposed Order will be in place for 20 years, and the order requires Accretive to obtain an assessment and report every other year for 20 years from a qualified, objective, and independent third party professional certifying that its security program meets the requirements of the order.

The FTC published a description of the consent, which is subject to public comment for thirty days, after which the FTC will decide whether to make the proposed order final.