Cyber Crime and Cyber Security Data Protection Implications and Financial Regulation Expectations

Transcription

1 Cyber Crime and Cyber Security Data Protection Implications and Financial Regulation Expectations Denis Kelleher Senior Legal Counsel, Central Bank of Ireland Joern Dobberstein IT Risk Supervision, Central Bank of Ireland Michael Gubbins Detective Superintendent, Garda Cyber Crime Bureau, Garda Siochana Dublin, 19 September 2017

2 Minister Pat Breen Minister of State with special responsibility for Trade, Employment, Business, EU Digital Single Market and Data Protection 2

3 Denis Kelleher (Chair) Senior Legal Counsel Central Bank of Ireland 3

4 Cyber Crime and Cyber Security: Data Protection Implications and Financial Regulation Expectations Denis Kelleher Senior Legal Counsel, Central Bank of Ireland Central Bank of Ireland - UNRESTRICTED

5 Today s agenda Time Speaker 9.15 Minister Pat Breen - Minister of State with special responsibility for Trade, Employment, Business, EU Digital Single Market and Data Protection 9.30 Denis Kelleher - Senior Legal Counsel, Central Bank of Ireland Michael Gubbins - Detective Superintendent, Garda Cyber Crime Bureau, Garda Siochana Questions Coffee break Joern Dobberstein - Inspections Manager, Banking Supervision Onsite Inspections, Central Bank of Ireland Denis Kelleher - Senior Legal Counsel, Central Bank of Ireland Questions Close Central Bank of Ireland - UNRESTRICTED

6 What I am going to talk about 1.Why care about cybercrime? 2.Discuss changes in the law that will: i. Improve protections; Criminal Justice (Offences Relating to Information Systems) Act 2017 ii. Enhance remedies The GDPR Central Bank of Ireland - UNRESTRICTED

7 We live in a connected world Rely on internet a lot more: 87% of households had access to the internet at home in % of those aged used smartphones to access the internet We use the internet to do more: 18% use it to buy/renew insurance 2% use it to buy or sell investments 2% use it to arrange credit Central Bank of Ireland - UNRESTRICTED

8 There are lots of data risks: Payments software failure prevented thousands getting paid HSBC August 2015 IT contractor plugging out power supply led to flights being cancelled Fire British Airways June 2017 Four Courts fire of 1922 destroyed census returns, wills and parish registers Mislaying documents in a car park AIB September 2017 Central Bank of Ireland - UNRESTRICTED

9 But governance failure is the biggest risk of all Ulster Bank June/July 2012 IT and governance failings by the Firm that resulted in approximately 600,000 customers being deprived of essential and basic banking services over a 28 day period failed to have robust governance arrangements in relation to its IT systems and controls IT failure also threatened confidence in the operation of the retail banking sector as it effectively prevented the Firm from participating in the process used to settle payments among banks Fined 3.5 million Central Bank of Ireland - UNRESTRICTED

10 Cybercrime is a particular risk Equifax Data on up to 143 million Americans stolen hackers accessed people s names, Social Security numbers, birth dates, addresses and, in some instances, driver s license numbers Alleged cause was failure to patch software Breach in mid-may Discovered in July Disclosed in this month 2 executives have now stepped down Bank of Bangladesh $81 million stolen by fake transfer orders Had sought $1 billion many orders were blocked or reversed 15 million recovered Remainder being laundered through casinos Central Bank of Ireland - UNRESTRICTED

11 What criminal laws do we have? Criminal Damage Act 1991 Offence of unauthorised access to data repealed by 2017 Act Criminal Justice (Theft and Fraud Offences) Act 2000 A person who dishonestly, whether within or outside the State, operates or causes to be operated a computer within the State with the intention of making a gain for himself or herself or another, or of causing loss to another, is guilty of an offence section 9 Making gain or causing loss by deception section 6 Obtaining services by deception section 7 Central Bank of Ireland - UNRESTRICTED

12 Criminal Justice (Offences Relating to Information Systems) Act 2017 Implements Directive 2013/40/EU on attacks against information systems Creates 5 new offences in sections: 2. Accessing information system without lawful authority, etc.; 3. Interference with information system without lawful authority; 4. Interference with data without lawful authority; 5. Intercepting transmission of data without lawful authority 6. Use of computer programme, password, code or data for purposes of section 2, 3, 4 or 5 Central Bank of Ireland - UNRESTRICTED

13 Definitions are simple data means any representation of facts, information or concepts in a form capable of being processed in an information system, and includes a programme capable of causing an information system to perform a function information system means (a) a device or group of interconnected or related devices, one or more than one of which performs automatic processing of data pursuant to a programme, and (b) data stored, processed, retrieved or transmitted by such a device or group of devices for the purposes of the operation, use, protection or maintenance of the device or group of devices, as the case may be; lawful authority, in relation to an information system, means (a) with the authority of the owner of the system, (b) with the authority of a right holder of the system, or (c) as permitted by law; Central Bank of Ireland - UNRESTRICTED

14 Accessing information system without lawful authority, A person who, without lawful authority or reasonable excuse, intentionally accesses an information system by infringing a security measure shall be guilty of an offence Central Bank of Ireland - UNRESTRICTED

15 Interference with information system without lawful authority A person who, without lawful authority, intentionally hinders or interrupts the functioning of an information system by a) inputting data on the system, b) transmitting, damaging, deleting, altering or suppressing, or causing the deterioration of, data on the system, or c) rendering data on the system inaccessible, shall be guilty of an offence. Central Bank of Ireland - UNRESTRICTED

16 Interference with data without lawful authority A person who, without lawful authority, intentionally deletes, damages, alters or suppresses, or renders inaccessible, or causes the deterioration of, data on an information system shall be guilty of an offence. Central Bank of Ireland - UNRESTRICTED

17 Intercepting transmission of data without lawful authority A person who, without lawful authority, intentionally intercepts any transmission (other than a public transmission) of data to, from or within an information system (including any electromagnetic emission from such an information system carrying such data), shall be guilty of an offence. Central Bank of Ireland - UNRESTRICTED

18 Use of computer programme, password, code or data for purposes of section 2, 3, 4 or 5 A person who, without lawful authority, intentionally produces, sells, procures for use, imports, distributes, or otherwise makes available, for the purpose of the commission of an offence under section 2, 3, 4 or 5 a) any computer programme that is primarily designed or adapted for use in connection with the commission of such an offence, or b) any device, computer password, unencryption key or code, or access code, or similar data, by which an information system is capable of being accessed, shall be guilty of an offence. Central Bank of Ireland - UNRESTRICTED

19 Penalties section 8 Fines & up to 5 years imprisonment for: 2. Accessing information system without lawful authority, etc.; 4. Interference with data without lawful authority; 5. Intercepting transmission of data without lawful authority 6. Use of computer programme, password, code or data for purposes of section 2, 3, 4 or 5 Fines & up to 10 years imprisonment for: 3. Interference with information system without lawful authority Section 8(4) a) Where a court is determining the sentence to be imposed on a person for an offence under section 3 or 4, the fact that the commission of the offence involved misusing the personal data of another person with the aim of gaining the trust of a third party, thereby causing prejudice to the rightful identity owner, shall be treated as an aggravating factor b) Accordingly, the court shall (except when there are exceptional circumstances ) impose a sentence that is greater than that which would have been imposed in the absence of such a factor c) The sentence imposed shall not be greater than the maximum sentence permissible Central Bank of Ireland - UNRESTRICTED

20 Greater risks: data protection GDPR will apply from 25 th May 2018 Provides subjects with a straight-forward mechanism for recovering damages following a data-breach Mechanism is contains a number of steps 1. Article (5)(1) creates principle of integrity and confidentiality. Personal data must be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 2. Article 5(2) creates principle of accountability : The controller shall be responsible for, and be able to demonstrate compliance with (the above) Central Bank of Ireland - UNRESTRICTED

21 Duty to secure 1. Take into account the following: a) state of the art; b) costs of implementation; c) nature, scope, context and purposes of processing; d) risk of varying likelihood and severity for the rights and freedoms of natural persons. 2. Then controller and processor must: implement appropriate technical and organisational measures' 3. To: 'ensure a level of security appropriate to the risk. Article 32, GDPR Central Bank of Ireland - UNRESTRICTED 21

22 Appropriate measures a) the pseudonymisation and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Central Bank of Ireland - UNRESTRICTED

23 Risk assessment In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law. Central Bank of Ireland - UNRESTRICTED

24 4. GDPR forces controllers to admit they have failed In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons Central Bank of Ireland - UNRESTRICTED

25 4. Admission of Liability? When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication shall describe in clear and plain language the nature of the personal data breach Do not have to communicate if: a) measures were applied that render the personal data unintelligible to any person who is not authorised to access it, such as encryption b) controller taken subsequent measures to mitigate risk; or c) it would involve disproportionate effort. Central Bank of Ireland - UNRESTRICTED

26 but actions for damages will 'Any person who has suffered material or nonmaterial damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. Article 82, GDPR Central Bank of Ireland - UNRESTRICTED 26

27 Class actions? The data subject shall have the right to mandate a not-for-profit body, organisation or association: 1. properly constituted in accordance with the law of a Member State 2. has statutory objectives which are in the public interest 3. is active in the field of the protection of data subjects' rights and freedoms to lodge the complaint and exercise the right to compensation on his or her behalf where provided for by Member State law. Article 80, GDPR But see: Persona Digital Telephony Ltd [2017] IESC 27 (23 May 2017) Central Bank of Ireland - UNRESTRICTED 27

28 Administrative fines 'Each supervisory authority shall ensure that the imposition of administrative fines shall in each individual case be effective, proportionate and dissuasive. Imposed in addition to or as alternative to corrective measures such as bans, rectification Take various factors into account: intentional or negligent character of the infringement; efforts to mitigate damage; history of controller/processor; did controller notify DPC? Central Bank of Ireland - UNRESTRICTED

29 Category 1 fines Up to 2% of global turnover or 10m in respect of the following breaches: 1. Obligations of controllers DPO, DPIA etc 2. Processing of children s data 3. Failure to effectively anonymise data 4. Breach of certification rules Central Bank of Ireland - UNRESTRICTED

30 Category 2 fines Up to 4% of global turnover or 20m in respect of the following breaches: 1. Basic principles of processing 2. Subject rights 3. Transfers outside EEA 4. Rules around processing in context of employment, by journalists, or FOI 5. Breach of a ban on processing Central Bank of Ireland - UNRESTRICTED

31 Thank you & Good Morning Central Bank of Ireland - UNRESTRICTED

32 Michael Gubbins Detective Superintendent Garda Cyber Crime Bureau An Garda Síochána Cyber Crime & Cyber threats in Ireland A Garda Perspective 32

33 On request of Michael Gubbins, his slides can not be shared with the audience. Apologies for any inconvenience caused 33

34 Questions 34

35 Coffee Break 35

36 Joern Dobberstein Inspections Manager Banking Supervision Onsite Inspections Central Bank of Ireland Cyber risk expectations for Irish-licensed banks 36

37 Cyber risk management expectations for Irish-licensed banks Joern Dobberstein

38 Agenda 1. Expectation for managing Cybersecurity risk 2. Practical examples of key expectations vs. identified weaknesses 3. Closure 38

39 1. Expectations for managing Cybersecurity risk The 2016 Cross Industry Guidance in respect to IT and Cybersecurity Risk The SSM on-site methodology for Cybersecurity management 39

40 1. Expectations for managing Cybersecurity risk Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks 1 Issued by the Central Bank in September expectations for Cybersecurity risk management Principle based

41 Expectations for managing Cybersecurity risk Key Messages for Industry (Cybersecurity) Cyber risk should be among the Board s top priorities Identify your crown jewels and adequately safeguard Participate in cyber information sharing networks Prepare for the worst Resilience and Contingency Planning Address the human factor 41

42 Human Error Source: 42

43 1. Expectations for managing Cybersecurity risk Two examples of expectations The firm notifies the Central Bank when it becomes aware of a cybersecurity incident that could have a significant and adverse effect on the firm s ability to provide adequate services to its customers, its reputation or financial condition Firms consider relevant good practices and internationally adopted frameworks for IT security risk management as may be appropriate for their firm. 43

44 1. Expectations for managing Cybersecurity risk SSM on-site methodology on Cybersecurity Aligned to NIST Framework for Cybersecurity

45 2. Expectations vs. Key Issues: Identify Effective IT governance framework IT risk management strategy IT risk assessment process Holistic IT risk register Holistic IT asset inventory or CMDB X No or poor IT Risk management frameworks, policies & procedures X No or poor IT risk appetite statements X Poor IT risk registers X Poor asset management and no holistic IT asset registers. No CMDBs. No inclusion of third parties. 45

46 2. Expectations vs. Key Issues: Protect Formal IT security policies, processes and procedures User Access Controls Protective technology & hardening Cybersecurity awareness training X IT Security documents are fragmented X No formal user recertification processes X Limited use of network segregation, vulnerability scanning or penetration testing X No formal IT security / Cybersecurity training 46

47 2. Expectations vs. Key Issues: Detect Process to detect Cybersecurity events in a timely manner Use of technology (SIEM) to detect IT security events Maintain and test the effectiveness of detective measures X Limited use of log file monitoring & analysis X Limited use anti-virus / malware X Poor distribution of IDS systems X Limited knowledge of IT assets X Limited testing of IT security technology 47

48 2. Expectations vs. Key Issues: Respond Processes to respond to a Cybersecurity incident in a timely and planned manner Containment of identified incidents Coordinate response communication X Response is not planned, rather follows IT incident path X Poor network segregation restricts capability of containment X No planned and coordinated communication for Cybersecurity incidents 48

49 2. Expectations vs. Key Issues: Recover Recovery processes and procedures that ensure a timely restoration of systems Define recovery time objectives (RTOs) and recovery point objectives (RPOs) Test of recovery processes Coordinated restoration activities with internal and external stakeholders X Outdated business impact assessments (BIA) X Poor business continuity plans (BCP) X External parties not included in recovery X No formal testing of BCPs 49

50 3. Closure 64% of all noted findings from on-site IT inspection fall into just three IT risk areas: IT Security (30%) IT Risk Management (19%) Business Continuity (15%) These three IT risk areas are fundamental for Cybersecurity management 50

51 3. Closure Robert Mueller (former FBI Director): There are only two types of companies: those that have been hacked, and those that will be. Attackers need to succeed only once; defenders have to be perfect every single time. 51

52 Thank you Joern Dobberstein, Inspections Manager, IT Risk Inspections, Banking Supervision, CBI 52

53 Denis Kelleher (Chair) Senior Legal Counsel Central Bank of Ireland 53

54 Cyber Crime and Cyber Security: Data Protection Implications and Financial Regulation Expectations Denis Kelleher Senior Legal Counsel, Central Bank of Ireland Central Bank of Ireland - UNRESTRICTED

55 What I will talk about now: New rules on: Evidence Jurisdiction; and New functions of the State under Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. Central Bank of Ireland - UNRESTRICTED 55

56 Passwords & encryption 2014: A computer science student accused of hacking offences has been jailed for six months for failing to hand over his encryption passwords, which he had been urged to do in "the interests of national security" The international director of the campaign group Cage has pleaded not guilty to a terror offence after refusing to give police the passcode to his mobile phone at Heathrow airport last year Trial starts next Monday San Bernadino - Apple Central Bank of Ireland - UNRESTRICTED 56

57 Passwords - Criminal Justice Act 2011 Section 15 For the purposes of the investigation of a relevant offence, a member of the Garda Síochána may apply to a judge of the District Court for an order under this section in relation to a) the making available by a person of any particular documents or documents of a particular description, or b) the provision by a person of particular information by answering questions or making a statement containing the information, Or both Central Bank of Ireland - UNRESTRICTED 57

58 Criminal Justice Act 2011 section 15 District Judge may make an order where: a) there are reasonable grounds for suspecting that a person has possession or control of particular documents or documents of a particular description, b) there are reasonable grounds for believing that the documents are relevant to the investigation of the relevant offence concerned c) there are reasonable grounds for suspecting that the documents (or some of them) may constitute evidence of or relating to the commission of that offence, and d) there are reasonable grounds for believing that the documents should be produced or that access to them should be given, having regard to the benefit likely to accrue to the investigation and any other relevant circumstances, Central Bank of Ireland - UNRESTRICTED 58

59 Criminal Justice Act 2011 section 15 District Judge may order that the person: produce the documents to a member of the Garda Síochána give such a member access to them, Where the documents concerned are not in legible form, an order under this section shall have effect as an order a) to give to a member of the Garda Síochána any password necessary to make the documents legible and comprehensible b) otherwise to enable the member of the Garda Síochána to examine the documents in a form in which they are legible and comprehensible, or c) to produce the documents to the member of the Garda Síochána in a form in which they can be removed and in which they are, or can be made, legible and comprehensible. Central Bank of Ireland - UNRESTRICTED 59

60 Criminal Justice Act section 15 It is an offence not to comply with such an order without reasonable excuse Punishable by a fine and up to 2 years imprisonment It is similarly an offence for: who, in purported compliance with an order under this section provides information or makes a statement which is false or misleading in a material particular knowing it to be so false or misleading, or being reckless as to whether it is so Central Bank of Ireland - UNRESTRICTED 60

61 Criminal Justice Act 2011 section 17 Concealing facts disclosed by documents Any person who a) knows or suspects that an investigation by the Garda Síochána into a relevant offence is being or is likely to be carried out, and b) falsifies, conceals, destroys or otherwise disposes of a document or record which he or she knows or suspects is or would be relevant to the investigation or causes or permits its falsification, concealment, destruction or disposal Shall be guilty of an offence Punishable by a fine and up to 5 years imprisonment Central Bank of Ireland - UNRESTRICTED 61

62 Criminal Justice Act 2011 section 17 Withholding of information: A person shall be guilty of an offence if he or she has information which he or she knows or believes might be of material assistance in a) A person shall be guilty of an offence if he or she has information which he or she knows or believes might be of material assistance in b) securing the apprehension, prosecution or conviction of any other person for a relevant offence, and fails without reasonable excuse to disclose that information as soon as it is practicable to do so to a member of the Garda Síochána Punishable by a fine and up to 5 years imprisonment Central Bank of Ireland - UNRESTRICTED 62

63 Cyber-crime is a global phenomenon Wannacry Part of NSA suite of cyber-tools that were leaked on stolen Microsoft released a security patch for the vulnerabilities in March Not everyone applied this (legacy systems) Attack affected 150 countries, affecting 200,000 computers, Victims included: Global companies (FedEx, Nissan) China (Colleges & petrol stations) Germany (Deutsche Bahn) Russia (Central Bank, interior Ministry, railways, communications) UK (NHS) Central Bank of Ireland - UNRESTRICTED 63

64 Marcus Hutchins Wannacry stopped by Marcus Hutchins Found kill-switch in the UK Was then arrested in USA by the FBI over his alleged involvement in separate malicious software targeting bank accounts Originated in: North Korea? China? Central Bank of Ireland - UNRESTRICTED 64

65 Criminal Justice (Offences Relating to Information Systems) Act 2017 Jurisdiction - Act applies to: a) by the person in the State in relation to an information system outside the State b) by the person outside the State in relation to an information system in the State c) by the person outside the State in relation to an information system outside the State if that person is: an Irish citizen; a person ordinarily resident in the State; a body corporate established under the law of the State; A company formed or established pursuant to the Companies Act 2016 In addition the action complained of must be an offence both there and here ordinarily resident means he or she has had his or her principal residence in the State for the period of 12 months immediately preceding the alleged commission of the relevant offence Central Bank of Ireland - UNRESTRICTED

66 GDPR - Jurisdiction GDPR: applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or b) the monitoring of their behaviour as far as their behaviour takes place within the Union. Central Bank of Ireland - UNRESTRICTED 66

67 Directive (EU) 2016/ security of network and information systems across the EU National strategy on the security of network and information systems Article 7, published in 2015 Require the establishment of Computer security incident response teams (CSIRTs) Co-operation group CSIRTs network Central Bank of Ireland - UNRESTRICTED 67

68 Notifications Article 14: Member States shall ensure that operators of essential services take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed Member States shall ensure that operators of essential services take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services Member States shall ensure that operators of essential services notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notification shall not make the notifying party subject to increased liability Central Bank of Ireland - UNRESTRICTED 68

69 Security requirements Article 16 Member States shall ensure that digital service providers identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed Take into account the following: a) the security of systems and facilities b) incident handling; c) business continuity management; d) monitoring, auditing and testing; e) compliance with international standards Central Bank of Ireland - UNRESTRICTED 69

70 Security requirements Article 16 Member States shall ensure that operators of essential services notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident. Notification shall not make the notifying party subject to increased liability. Central Bank of Ireland - UNRESTRICTED 70

71 Questions 71

72 Thank you 72