Cyber Insurance, Privacy and Data Security Newsletter - May 2016
Published 27 May 2016
Government publishes Cyber Security Strategy 2016
2016 sees the launch of the UK's second National Cyber Security Strategy.
The first was launched in 2011 as a result of the 2010 National Security Strategy, which identified cyber crime as one of the top threats to the UK. That programme aimed to build the UK's cyber security capabilities, make the UK more resilient to cyber crime and make it one of the safest places in the world to do business online. However, five years is a long time in the cyber world: in 2010 the Internet of Things barely existed; in 2016 over six billion connected devices are in use worldwide, a figure forecast to exceed 20 billion by 2020.
Last year's National Security Strategy confirmed cyber crime's place as a "tier 1" threat to the UK's economic and national security. The threats are ever changing and uncertain, so a new strategy, and greater investment, are required to keep the UK ahead of the game. In recognition that there is more work to do, the government has promised to increase investment in cyber security from £869 million to £1.9 billion over the next five years.
On 18 April 2016, the government published its final report on the 2011-16 cyber strategy. The report summarises progress, reviews the impact of the programme and looks ahead to the 2016 strategy.
The report notes that businesses of all sizes and sectors are better protected now than they were in 2011. According to the 2014-15 Cyber Governance Health Check of FTSE 350 companies, 88% of companies now actively consider cyber security as a business risk and include it in their risk register, up 30% on the previous year. Awareness among small businesses remains patchy, but over 2,000 Cyber Essentials and Cyber Essentials Plus certificates have been issued and over 77,000 users have completed Cyber Essentials online training for small businesses.
It also reports that people are now being prosecuted for cyber crimes. However, given that the Office for National Statistics estimated that over 5 million instances of online fraud and 2.5 million cyber crimes took place last year, the figures are far from encouraging. The number of live cyber crime cases being prosecuted by the CPS Organised Crime Division rose from 13 in October 2011 to 50 in December 2015, and the number of finalised cases increased over the same period from 2 to 43 (not including cyber cases dealt with by other sections of the CPS).
While an incident of cyber crime might be a small-scale phishing attack on you or me, it can also be an attack on a national bank with far greater consequences, as Bangladesh Bank, the country's central bank, experienced in February: attackers gained access to the bank's connection to the SWIFT payment network and attempted to steal US$951m, of which US$81m is still unaccounted for.
To tackle such a range and extent of threats, it is clear that ongoing focus and investment is required, and the government's updated Cyber Security Strategy, and the investment that goes with it, is to be welcomed.
Cyber Business Interruption
In other news, earlier this year DAC Beachcroft and RGL Forensics hosted a seminar on Non-Physical Business Interruption (BI) and cyber insurance. We reviewed the evolution of cyber risk insurance and considered some of the challenges and issues that arise when dealing with cyber BI claims. We also worked through two case studies based on real-life events.
We were overwhelmed by the interest in and demand for the seminar, and are pleased to make available a video of the entire event for those who want to review the content again or who could not make it on the day. We have also produced four short videos addressing key points about the nature of cyber BI, waiting periods and deductibles, the Uber Law case study and the Mega Play case study.
Click the headings below to read more on each of these developments.
- Elizabeth Denham announced as successor to Christopher Graham as UK Information Commissioner.
- Financial Conduct Authority's ("FCA") 2016/2017 Business Plan, regulatory round up for data protection and innovation in the financial services sector.
- The House of Lords Select Committee on the European Union published its report on 'Online Platforms and the Digital Single Market'.
- Global Privacy Enforcement Network has announced that the Internet of Things will be the focus of its annual 'privacy sweep'.
- ICO enforcement round up.
- Data protection compliance of private investigators in the spotlight.
- Consultation on the ePrivacy Directive.
- GDPR – the countdown has begun.
Updates from across the world
Click the headings below to read more.
- Spain - Supreme Court case on a data subject's 'right to be forgotten'.
- Romania - 'right to be forgotten' recognised for the first time.
- France - the French data protection authority issues its annual report.
- Germany - a committee of data protection supervisory authorities adopt guidance on privacy consent declarations.
- Greece - benchmarks set on sharing sensitive personal data.
- Greece - key data protection trend developments.
- Netherlands - camera surveillance in the workplace.
- Ireland - camera surveillance in public spaces.
- Netherlands – Decision on employee health data obtained via wearables.
- Hungary - Hungarian DPA releases 2015 annual report.
- Norway - companies to be ordered to notify data subjects on data breaches.
- South Korea - South Korea continues its trend towards more stringent enforcement action.
- Cayman Islands - new data protection bill released.
- Australia - Guide to developing a data breach response plan released.
- Singapore - Singapore DPA issues enforcement guidelines.
SecureData: Cyber Threat Advisory Summary
Panda Banker - 29 April 2016
Some of the code behind the notorious Zeus banking trojan has been repurposed for a new malware campaign targeting victims in the United Kingdom and Australia. Panda Banker works in much the same way as Zeus: it is built from the same code base, uses the same data extraction technique and relies on an Automated Transfer System (ATS), driven by web injects, to present fake banking login pages to its victims. Unlike Zeus, Panda uses 'fast-flux DNS' to hide its command-and-control (C2) infrastructure: the domains it contacts resolve to a constantly changing set of IP addresses with very short TTLs, each belonging to a compromised host that merely proxies traffic on to the real C2 server, so blocking or seizing any single address achieves little and locating the true servers is a serious challenge. Panda Banker can steal sensitive data from users in much the same way as its predecessor.
The threat group behind Panda Banker has been specifically targeting users in Australia and the UK. We are giving this a Medium severity rating: the malware has already been analysed and its attack process is understood, so banks and other financial organisations can now take the precautions needed to stop such an attack succeeding against them.
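The fast-flux behaviour described in the advisory leaves a recognisable trace in DNS telemetry: one name, many unrelated addresses over a short period, and TTLs too short for legitimate hosting to need. The script below is an added example of how a detection engineer might triage passive-DNS or resolver-log data for that pattern; it is not SecureData's code and not part of the original advisory. The observation records are constructed for the example (RFC 5737 documentation addresses), the thresholds are assumptions rather than published values, and /16 prefixes stand in for the ASN lookups a real pipeline would use.

```python
"""Fast-flux heuristic over passive-DNS style observations.

Added illustration for this newsletter; it is not SecureData's code and
not part of the original advisory. The observation records below are
constructed for the example (RFC 5737 documentation addresses).
"""
from dataclasses import dataclass
import ipaddress
import statistics


@dataclass(frozen=True)
class Observation:
    ts: int        # time the answer was seen, seconds since epoch
    qname: str     # queried name
    rdata: str     # IPv4 address from an A record
    ttl: int       # TTL the resolver returned


# Constructed sample. "update-check.example" behaves like a fast-flux
# front: every answer is a different address, spread across three
# networks, and the TTL is short. "www.bank.example" is a stable name
# that simply changed address once during the capture.
SAMPLE = [
    Observation(0,    "update-check.example", "203.0.113.5",  120),
    Observation(180,  "update-check.example", "198.51.100.9", 120),
    Observation(360,  "update-check.example", "192.0.2.77",   120),
    Observation(540,  "update-check.example", "203.0.113.44", 120),
    Observation(720,  "update-check.example", "198.51.100.3", 120),
    Observation(900,  "update-check.example", "192.0.2.10",   120),
    Observation(0,    "www.bank.example",     "192.0.2.1",    86400),
    Observation(3600, "www.bank.example",     "192.0.2.1",    86400),
    Observation(7200, "www.bank.example",     "192.0.2.2",    86400),
]


def summarize(observations, qname):
    """Collapse all answers for one name into the features the rule uses."""
    recs = [o for o in observations if o.qname == qname]
    ips = {o.rdata for o in recs}
    # Distinct /16 prefixes stand in for "distinct networks". A real
    # pipeline would map each address to its ASN instead (assumption:
    # no ASN data is available offline).
    prefixes = {
        str(ipaddress.ip_network(f"{o.rdata}/16", strict=False)) for o in recs
    }
    ttls = [o.ttl for o in recs]
    return {
        "answers": len(recs),
        "unique_ips": len(ips),
        "unique_prefixes": len(prefixes),
        "median_ttl": statistics.median(ttls) if ttls else None,
    }


def is_fast_flux(summary, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag a name when it shows many addresses, spread across networks,
    with TTLs short enough to let the operator rotate them quickly.
    Thresholds are assumptions for the example, not published values."""
    return (
        summary["unique_ips"] >= min_ips
        and summary["unique_prefixes"] >= min_prefixes
        and summary["median_ttl"] is not None
        and summary["median_ttl"] <= max_ttl
    )


def flag_domains(observations, **thresholds):
    """Return {qname: bool} for every name seen in the capture."""
    names = sorted({o.qname for o in observations})
    return {n: is_fast_flux(summarize(observations, n), **thresholds) for n in names}


if __name__ == "__main__":
    for name, flagged in flag_domains(SAMPLE).items():
        verdict = "FAST-FLUX?" if flagged else "ok"
        print(f"{name:24} {verdict:11} {summarize(SAMPLE, name)}")
```

Two caveats apply before using anything like this for blocking. Content delivery networks also answer with many addresses and short TTLs, so address count alone is a poor signal; the spread across unrelated networks (ideally ASNs, and whether those networks are residential or dynamic ranges) is what separates a flux network of compromised hosts from legitimate load balancing. The rule is therefore a triage aid that surfaces names for an analyst, not a verdict, and the thresholds should be tuned against a baseline of your own resolver traffic.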