Mergers & Acquisitions (M&A) involve businesses of all sizes and span all industry sectors. The market is currently booming, with Pitchbook reporting 4,754 deals closing worth $849.7 billion in the first half of 2019. We expect to read about deals like Abbvie/Allergan, as drug companies look for the next blockbuster drug, or UTX/Raytheon and Oxy Petroleum/Anadarko, where economies of scale will improve financial performance or provide access to much-needed technologies or resources. But M&A more often involves mid-market companies that rely heavily on suppliers and partners, possibly have large consumer client bases, and have developed valuable IP that will propel them into competitive environments.
And for these transactions, what cybersecurity due diligence is conducted prior to, during and after the close of the M&A transaction? You only have to consider the Verizon/Yahoo and Marriott/SPG mergers to wonder what surprises await the buyer of a seemingly well-run enterprise. M&A is a complex, lengthy courtship process that should bring two entities closer together, and cybersecurity has emerged as a core element in the process. Consider the regulatory environment around data breaches. With both the delayed-reporting rules and the heightened fine structure under the FTC or the GDPR, it’s very easy to imagine acquiring a company that will trigger a violation post close and thereby damage the reputation or security posture of the acquiring entity… at significant expense.
The malware and ransomware epidemics continue to have wide impact, both on under-resourced government entities and on large entities with significant cyber capability. Business interruption is the major concern for all companies. If you look at Maersk’s statement from 2016, they understood the risk but still suffered from NotPetya: “The risk is managed through close monitoring and enhancements of cyber resilience and focus on business continuity management in the event that IT systems, despite their efforts, are affected.” How can you filter out the risky acquisitions from seemingly positive disclosure?
As many companies have recently completed a merger or may be contemplating an M&A transaction, I interviewed three leading practitioners to better understand the most important components of cyber M&A due diligence. I spoke with Luke Dembosky, partner and co-chair of the Cybersecurity & Data Privacy practice at Debevoise & Plimpton; Chris Keegan, senior managing director of the Cyber Liability practice at Beecher Carlson; and James Arnold, principal at KPMG Cyber Security. What follows is not an exhaustive list of steps but definitely some valuable insights and pointers to potential issues. Our discussion flowed from the early stages of a transaction through to completion and then to ‘post deal,’ and includes general guidance as well as pointed replies to questions.
Early Stages of Transaction
BARNABY: How do you go about initiating M&A cyber due diligence?
LUKE: “We are most commonly asked to be involved where the target holds a large store of valuable data or the crown jewel is a particular item of IP that, if it were exposed by hackers or others, would significantly devalue the target. There is a growing realization that you can’t just cover yourself with representations and warranties, and the data for many targets is the primary asset, such that the whole purpose of the acquisition is in jeopardy if that has been breached or exposed in any significant way.
“The liability that the purchaser made / incurs / inherits that flows from that is added insult to injury. Not only do you lose the value of what you are buying, but you find yourself defending privacy lawsuits and regulatory enforcement proceedings in the United States and abroad, and you bought yourself a very big mess that was not your creation, but that you failed to detect with your diligence efforts.
JIM: “Both Sellers and Buyers are beginning to realize the importance of cyber security and how it affects the valuation of a transaction. Sellers are completing Cyber Maturity Assessments and related activities prior to starting the sales process to help ensure no cyber security issues arise during the sales process. Buyers are realizing that when they make an acquisition they are not only acquiring the financial benefits of the business, they are also taking on the financial and reputational liability of the target’s cyber security, data management and data privacy programs.
BARNABY: What is your initial guidance on insurance actions?
CHRIS: “M&A participants are increasingly seeking to protect their interests by transferring cyber risk to the insurance markets. There are three types of insurance policies that participants in M&A transactions should focus upon to protect their interests to offset losses if a cyber event diminishes the value of a transaction. They are cyber insurance, which protects a company against cyber events; Representations and Warranties coverage, which backs the obligations in the purchase agreement; and D&O insurance which protects individual officers and directors. All provide critical elements of protection. The value of these insurance policies all depends upon the risks that the particular transaction represents, the parties to the transaction and the terms of the contract.
“Whether the Purchase and Sale agreement has provisions that contemplate liabilities or loss from a cyber event will impact what can be insured and how an insurance program can be structured. The focus on cyber risk has been on companies that hold large amounts of private personal information or have a large credit card exposure. That view should be changing as we see large income losses and direct costs as a result of ransomware, wiper viruses and new types of malicious code. These types of losses can occur at any company that relies on computer technology. As more examples emerge of malicious access to systems occurring before the purchase but coming to light after the transaction, we should see more contracts specifically dealing with the issue.
BARNABY: Can you point to divergent outcomes from recent M&A transactions?
JIM: “While buyers are starting to realize the importance of Cyber Due Diligence they don’t always know what to do with the information. At KPMG we recently assisted a PE Firm client with its acquisition of a manufacturing target and a healthcare client with its strategic acquisition of several regional hospitals.
“KPMG’s Cyber Due Diligence of the manufacturing target uncovered a number of cyber security issues. We provided our client with a recommendations report identifying high priority items to be fixed immediately and a roadmap of items for the buyer to undertake to improve the overall cyber security of the newly acquired company. Unfortunately, our client did not implement even the simplest and most critical recommendations, like initiating Multi-Factor Authentication and patching of known vulnerabilities. Subsequently the company was hit with ransomware; its manufacturing was interrupted for nearly a week and other functions were adversely affected for months.
“While this client realized the importance of performing Cyber Due Diligence to value the transaction, their failure to follow through and address the identified cyber security weaknesses likely cost them well over $10 million.
“The story of our healthcare client has a much happier ending. While in the midst of the transaction to purchase the regional hospitals, the CISO insisted that KPMG be retained to perform Cyber Due Diligence. While performing the Cyber Due Diligence, KPMG uncovered significant weaknesses in the target’s cyber security program. With KPMG’s findings in hand, our client negotiated a reduction in the purchase price and escrow funds to be set aside in case any other cyber security weaknesses were uncovered after closing. The CISO also secured budget from the board to allow his organization to address the identified cyber security weaknesses.
“These two examples show the importance of not only going through the motions of performing Cyber Due Diligence, but acting upon the findings to properly value the transaction and protect the value of the newly acquired company going forward.
LUKE: “Increasingly, our clients are investing more in cyber and privacy diligence to try to surface these issues. There are several things they are worried about.
“For example, is there a historical or ongoing breach? Has valuable data already been exposed, even unbeknownst to the seller? We will increasingly be asked to start to evaluate a potential acquisition before there is even a term sheet or any signing. This can include dark web searches to identify hacker chatter about the target or stolen credentials purporting to belong to the target or one of its key vendors.
BARNABY: Do you take steps like conducting a Darkweb search, without telling the target company or before you enter into a due diligence phase?
LUKE: “Yes, we can look at public source information on the dark web. We can take other publicly available steps like reviewing the target’s website and glean something about the level of sophistication of the seller, including through the way that they set up or configured the site. We take advantage of threat intelligence, including the type of threat intelligence provided by Cylance, to be able to come in on an informed basis, looking for any yellow flags or red flags that we may see on the outside.
JIM: “A recent KPMG client buyer engaged us to perform a dark net investigation of a target company. During our investigation KPMG uncovered significant information about the company which indicated they had been compromised for some time and their confidential information and intellectual property was available for sale on the dark net. KPMG’s findings led our client to cancel the proposed transaction. Most dark net investigations do not uncover this level of negative information, but oftentimes they do help inform both the Seller and Buyer as to what steps need to be taken to improve cyber security at the target company.
BARNABY: Regarding the privilege issue that you have during an IR, is there a similar phase here? Do you run the risk of collecting or exposing or learning something that will then become part of your client’s company and wasn’t shielded by privilege?
LUKE: “We are careful to keep our legal advice regarding the risks under privilege, but the underlying facts are never privileged. You may learn facts that do create some potential future exposure, but the idea is it is better to know sooner rather than later and ideally to know before you sign on the dotted line.
BARNABY: Can you think of any disclosure or lack of disclosure that might have resulted in a problem for a transaction?
LUKE: “We have had people present a rosy picture to us of their cybersecurity program. We have seen targets with the right industry certifications and we have looked under the hood and found a different picture… so you can’t take these things at face value unless you are confident the worst case cybersecurity outcome is still not enough to derail the deal. That’s rare these days. If you are buying a brick-and-mortar company and you know that, whether or not there is a cyber or data privacy issue, it’s maybe limited to their HR data and there are only X number of employees, then you might conclude you could manage that. But if you are buying someone whose crown jewel is IP, and that’s the value of the transaction and that has been exposed by outsiders, it’s generally not going to be worth it. Similarly, if someone’s holding large stores of personal data of individuals and diligence reveals a likely breach, then liability risks now are through the roof and it very well may not be worth it to proceed with the transaction.
BARNABY: Are there any other things you want to highlight in the early stages of a transaction?
LUKE: “Sometimes our clients acquire startups and, with some exceptions, they tend to present more risk in terms of legal and compliance issues because they are usually thin in that area and, compliance-wise, may not realize they are subject to the full range of applicable legal regimes. They may be learning for the first time through the diligence process about legal regimes that they should be complying with all along. So some of the early questions have to do with, not only what are you doing to protect systems and data, but what legal regimes do you believe you are subject to and what have you done to comply with them, as well as others that you have not mentioned?
JIM: “Both targets and acquirers need to continue to focus more on cybersecurity. Targets/sellers need to ensure they have their cyber house in order before they begin the sales process. Recent surveys have shown buyers are willing to pay more for a target that can prove it has a strong Cyber Security Program.
“Buyers need to demand more information from sellers during the pre-deal process – data rooms should include information about the target’s Cyber Security Program – budgets, Incident Response Plans, Playbooks, employee awareness / training materials, cyber security tools, results of any recent pen-testing and an org chart for the cyber security team. In addition, they should include information about any prior cyber incidents, including cyber insurance claims, investigation reports and remediation steps taken to strengthen cyber security. Buyers can also initiate dark-net and other threat intelligence searches at this stage, which do not require access to the target’s environment. Valuable information can be obtained from these dark-net and threat intelligence investigations.
CHRIS: “Cyber risk is broader than most companies think. Buyer companies should not only focus on credit card information but on the broader sphere of confidential and other information that is highlighted in newly minted statutes such as CCPA and GDPR. Recent fines have been well over $100 million, enough to change the dynamics of any transaction. There is a broader set of information that can be subject to these types of laws, and the exposures are not necessarily triggered by breach but can be triggered by the way in which such information is handled or shared. Theft of money and diversions of payments by hackers are becoming increasingly common and large enough to impact a company’s bottom line. Companies should be focusing their attention as much on these types of events and on direct damage from ransomware and other types of destructive code and vandalism. Many experts think the worst of cyber events are in the future, with effects that we are not currently anticipating.
“The insurance market has increasingly been asking buyers to do cyber due diligence, especially if they are planning on transferring the cyber risk to the insurance market. Confidentiality provisions and time considerations in the run up to a closing can limit the due diligence, but companies expecting to be able to transfer risk should be aware that an audit of the purchased company may be required if they expect to have affordable insurance options.
During the Transaction
BARNABY: Companies may not be forthcoming on the initial data request – have you found that to be the case?
LUKE: “It’s a mix. We see some companies that are very well papered from a compliance standpoint but they can be more of a paper tiger where the cybersecurity controls are weak. We see others that are the opposite. They are quite savvy on cybersecurity issues but not so great on the legal and compliance aspects. I would rather have a paper compliance issue than an underlying cybersecurity breach issue. I’d rather have tires on my car, so to speak, and I can worry about the color of the paint and other details as I go. Not that that is insignificant, but relatively speaking that is a more manageable situation than one where you made the right presentations to regulators and industry certifiers, but you don’t actually have the goods to uphold that.
BARNABY: Do you bring in third parties for technical or systems audit?
LUKE: “Of course. We would retain KPMG or Cylance or other leading forensic experts or threat intelligence source vendors, to be able to help us with that, and this usually occurs pre-signing and often before there has been any approach to the target.
BARNABY: Is it possible to determine if IP has been altered in any way?
LUKE: “You can certainly look for what purport to be copies of the IP or people offering to sell it, and then you make a determination about whether you can legally buy that to review. You might instead bring it to the attention of the seller and let them consider buying what purports to be their own IP. IP, customer data, business strategic plans-- those are all the kinds of things that we look for from public sources. There are vast underground markets now, and they have been there for quite some time, with valuable company data, even beyond the personal data of individuals, and so there’s a whole market for that type of info and people buying and selling it.
“You will also see people advertise access to a system, plug-ins to a particular company network where they allow you to install your malware or other scheme. We look for any of those signs pre-signing. Once a contract is signed with the seller and there’s substantial commitment on both sides, then you start down the path towards more formal diligence efforts. A lot of that is a function of your leverage and the time that you have. If the seller has told you that they have other bidders and you have good reason to believe that it’s true, you may not have much leverage. If they will permit access to systems even in a limited way-- a third party vendor runs a penetration test, or a vulnerability scan or CA-- that obviously is ideal to identify any historical issues.
BARNABY: Last year, we had SEC cyber guidance on BEC that cited 10-11 companies losing $100 million in aggregate. Do acquisition candidates seem to be following regulatory controls?
LUKE: “Well, it’s all over the spectrum as you would expect, and more sophisticated parties certainly are, but startups generally seem much less aware of those issues. There are certainly exceptions. They are getting their business launched and are not majoring in some of the legal developments in the space. So we often have to get them up to speed. And another risk is integration. When you go to ingest the systems into your own, that’s the greatest risk. Sometimes the acquisition remains as a standalone business and the systems may have some kind of connectivity to the buyer’s systems, such that there’s some level of trust in between networks but they are separate. But there are situations when a client has gone to integrate the network systems and data of the target that they’d acquired and closed on, only to find out that they’d effectively be swallowing a pill that is not worth doing.
“The other variable is that you try to get a sense of how they are vetting their own employees, contractors, and vendors. They are dependent on the trust of their own people including their vendors. It may be they have the best of intentions but they are not doing a good job of vetting some of their employees and that may be in certain countries, for example. All of this is part of the risk picture that we present to the client.
BARNABY: If you are acquiring a business with 20 million records that were collected with consent as part of the business, can I, as the acquiring company, have use of that database, or are they required to refresh the consent?
CHRIS: “In our experience, these issues are reviewed on a case-by-case basis. Whether action is required will depend upon several factors such as where the companies are doing business, how the systems are being integrated, where data is being held and the laws that both companies may be subject to. The insurance markets would defer to legal teams and outside legal counsel to provide a review of the status of the networks and data pre transaction and then the changes that need to take place post transaction. Given the many legal changes that are taking place around the world and with enforcement becoming more aggressive, these are issues which should be reviewed on a constant basis.”
LUKE: “Yeah, you have to understand whether or not the consent will carry through to the buyer. We work on a lot of acquisitions around the world, and the client may want to buy a target in a part of the world that has a very strict data localization law, like China, in which case we will need to advise our client on the ability to move that data out of the host country or not, and they have to make valuations or decisions accordingly. Even doing penetration testing in some parts of the world requires a careful legal analysis-- you cannot just cart data in and out of every country in the world. You have to be keenly aware of the local requirements and get the necessary government approvals to do so.
BARNABY: On allocating risks between the seller and the buyer, to what extent is info available to the buyer to judge the IT security posture of a selling company? How do you protect the value of the acquired data in a contract?
LUKE: “The data issues are moving front and center in more and more transactions because we have more technology and data-focused companies being bought and sold. What I think that means is that there’s an increased likelihood that the buyer will be able to negotiate a very large-scale data breach, for example, as a material adverse event that could allow them to back out of closing if it’s discovered between signing and closing, or be leverage to renegotiate the price.
BARNABY: What is the interplay between the components of the purchase and sale agreement, and the reps and warranties coverage?
CHRIS: “The insurance under R&W insurance policies will depend upon the representations and warranties in the purchase agreement. Surprisingly, many agreements still do not make specific reference to cyber, but they are becoming less common. Representations & Warranties (R&W) insurance can provide several options depending upon the perceived risk, the target company and the size and type of the transaction.
“Companies can negotiate full cover for cyber under their R&W policy with the insurance market if the risks seem relatively insignificant, the representations and warranties in the contract seem to be manageable or if the premium is attractive to insurers. Where the risks are significant or representations in the contract open the possibility of responsibility for large losses, the R&W carriers are likely to seek to limit their responsibility for cyber exposures. Buyers for R&W cover should beware of carriers adding specific exclusions for statutes such as GDPR, the EU privacy legislation.
“R&W insurers may require the buyer to purchase and maintain cyber cover for a set number of years post-closing of the transaction, a requirement that we are seeing in more and more transactions. The R&W carriers will then sit above the cyber coverage but may further limit their exposure to the coverage that is provided in the cyber policy.
“Whether cyber gets flagged as a risk in the Reps & Warranties process depends on the type of target and their specific business. Even if a deal has a very short turnaround and the insurance markets are asked to push it through to the close date as quickly as possible, we see the Representations & Warranty carriers and due diligence by firms being extremely thorough. If there is a risk to be aware of, it will be fleshed out in the underwriting process.
BARNABY: If the target company is being transparent, would your next action be to do a thorough evaluation?
LUKE: “At a minimum, you want the seller to be sharing their own test results with you. And ideally they have their own third party penetration test and other technical tests, but of course, the devil is in the details in how you designed the test. And so, increasingly buyers will be asking sellers for the ability to have their own third party trusted expert like KPMG do that technical testing and evaluate the results. And it needs to be a careful protocol worked out in terms of access to what’s necessary but not access to customer content, for example. There are careful protocols worked out for this type of hands on testing that is for the benefit of the buyer. And the seller is rightfully nervous that they may learn something about their network that they did not know, that now paints them with knowledge as to other prospective buyers.
BARNABY: How “hands on” can the acquiring entity be during the deal?
LUKE: “In general, you can work with the buyer to preserve the assets, but you cannot take over their operations before closing. What’s good is if you’ve done good diligence, you then come out of the closing with a sprint to take care of the priority issues.
BARNABY: What is the greater concern for the acquiring entity, the first party exposures from poor cyber controls or related third party, industry fines (PCI) or government fines?
CHRIS: “Buyers and sellers should audit the respective insurance programs of both companies and be ready to align insurance with cyber exposures to make sure there are no gaps in coverage. The best companies go through a checklist of exposures in order to make sure that they have considered what can be insured and then make a conscious decision on transferring the risk or not. Where insured exposures are being handed from one insurance program to another, companies need to make sure programs are aligned.
BARNABY: How do D&O and R&W insurance work together?
CHRIS: “Lawsuits against directors and officers have come about in mergers and acquisitions as a result of cyber issues. Those involved in transactions should make sure firstly that their Directors and Officers liability program is sufficient to protect individuals in the event there is a suit after a cyber issue. Directors and officers can make themselves aware of cyber issues from advice from law firms such as Debevoise and advisors such as BlackBerry and KPMG that can provide protection against cyber risk. The best solution is not to have a cyber event and avoid calling upon insurance programs.
“Purchasing R&W and cyber coverage adds an additional layer of protection for directors, officers and corporations. If there is an issue, companies and their employees can point to another layer of protection that they put into place prior to the transaction if there is a cyber issue that arises. The advantage of being able to say that they anticipated the risk and financed it through insurance can have a considerable positive impact from a public relations standpoint in the crisis stage after a breach.
Post Transaction Issues
BARNABY: What are your main watch areas post-close?
CHRIS: “Many cyber events occur in the first few months after an event, when changes in staff and other integration are taking place. The watch areas are keeping breach response vendors coordinated; confirming that the controls the seller said were in place are in place; and making sure that insurance carriers are aware of the discovery of any issues, with a view to the following renewal.
JIM: “During the transaction or post deal period is where we are seeing the most growth in Cyber Due Diligence. Buyers are performing more in-depth dark net and threat intelligence due diligence. Tools and services are employed to search the dark net for information about the company’s executives, customers, vendors, Intellectual Property and other valuable information. Also, scanning is performed to see if the target has any open ports or other vulnerabilities. It is important for the Buyer to know if the target is compromised and its assets are already available for sale on the dark net.
“Bad actors are also known to pick up their attacks on target companies during this post deal period because they know both the Seller and the Buyer are focusing on the transaction and oftentimes neglect their overall cyber security. This is also a stressful time for the target company’s employees, who are uncertain about their future employment and are prone to making mistakes and even attempting to copy or otherwise misappropriate the company’s intellectual property. For these reasons the Buyer should step up its threat intelligence investigation of the company to monitor and investigate any new activity it sees about the target.
LUKE: “Our role is usually to carry through on updating any risk assessments that the client wants to do or is required to do, so we now take into account the new pieces that have been added, both personnel and systems, data and so forth. And we work to move the compliance pieces up to date and current with the acquisition. If issues arise, we are then well-positioned to advise the client because we have the whole context of having studied the target, knowing our own client, and being able to spot potential seams or gaps in the integration. And we will typically work with the technical teams to help with that process. It’s got both controls aspects and compliance aspects, legal aspects, and our team is quite technical for being lawyers, but our primary job is on the legal issues.
BARNABY: One article cited that 40% of cyber-related problems are discovered post M&A. Does that sound right?
LUKE: “Maybe a bit high but not outrageously so. Very troubling if it’s true.
BARNABY: How should the acquirer work with Insurance policies of both companies to maximize protection post close?
CHRIS: “The liability where a breach occurs prior to the closing of a transaction but the claim comes to light after the transaction can be dealt with in two ways under a cyber policy. The policy purchased by the selling company can be extended. Alternatively, the purchasing company can amend or purchase a cyber policy to cover the purchased company. If they choose the latter, the insurance should be amended to cover the selling company’s “prior acts.” Depending upon the risk, underwriters may ask for information on the transaction and the company being purchased by endorsement, which may cost an additional amount if the company is large or high risk. For the most complex transactions with the highest risks, we have placed a separate cyber insurance program for the purchased company. This type of structure allows the purchasing company to not have its program be impacted by the purchased entity while the purchaser has an opportunity to assess systems and the cyber exposures at the new entity with full access to their technology.
“For smaller transactions, the buyer’s cyber policy should have an acquisition threshold that allows for target companies to be added to existing coverage at no extra charge. These provisions allow purchasing companies to add cyber cover based upon a percentage of the revenue of the purchaser company which can go as high as 25%. For large companies these clauses should allow immediate coverage for purchased companies for at least 90 days and allow negotiation of revised insurance terms. A cyber broker should negotiate these clauses into a program prior to the transaction. If there are systems breaches which might have taken place prior to the company being purchased which have not been discovered, they could represent an exposure to the purchasing company which can be insured in a cyber policy but only with specific amendments.
BARNABY: Is there a window of time for things to be taken care of, that you set in the purchase and sale agreement?
JIM: “Unfortunately, there are still instances where the Buyer is not allowed to perform adequate Cyber Due Diligence in the pre-deal and post-deal phases of the transaction. In these cases it is critical for the Buyer to begin assessing the overall cyber security of the newly acquired organization as soon as possible after closing. Then the Buyer needs to begin remediating the high risk cyber security issues identified during the Cyber Due Diligence and post closing investigation of the target company.
“We are seeing positive trends in the market where our clients are beginning to insist on more robust Cyber Due Diligence and following up after the closing of the transaction to address identified cyber security issues. We are also seeing more PE Firm clients start to complete cyber security valuations of their existing portfolio companies to ensure they are protecting the value of their investment.
CHRIS: “If we are placing either the Cyber or Reps & Warranties policies, or both, we remain involved as the broker for purposes of continuing to service the policy, manage and advocate regarding any claims that may arise and continue our ongoing relationship with the insured.
“In large transactions, keeping underwriters informed about the integration of systems and the status of IT protections at the purchased company is critical to keeping cyber insurance cover in place and preventing any restrictions on terms for activities of the purchased company. Setting up underwriting meetings for communicating this type of information is critical to keeping strong relationships with insurance carriers and preventing issues in the claims process should any occur.”
More and more, corporate boards are mandating cyber insurance to transfer risk, but watch out, because you might not get what you paid for. A recent International Monetary Fund (IMF) report estimates that annual banking losses could be as high as "9% of net income or $100 billion annually."
Bank breaches impact the viability of the bank and customers’ ability to transfer funds or access their accounts. JP Morgan reports that "78% of companies were targets of payment fraud last year... 54% of business email compromise (BEC) scams targeted wires and 28% were subject to ACH debit fraud."
In the 2016 Bangladesh Bank cyber heist, $81 million disappeared in no time, and - but for a typo made by the hackers - it could have been $1 billion. The SWIFT messaging system serves over 11,000 banks and relies on each bank to keep access to its service secure.
More recently, the Bank of Chile lost $10 million to hackers after SWIFT was used to send the money to Hong Kong; the bank is now working with insurers to recoup its losses. Bloomberg reports that in May of this year, $15 million was stolen from Banxico as hackers attacked the domestic payments system SPEI. And Bancomext was targeted by North Korean hackers attempting to steal $110 million, which resulted in the international payments system being frozen across the country.
The Silence Before the (Banking) Storm
Criminal syndicates have been using malware for years in multi-stage attacks that take advantage of unpatched systems, untrained users and weak processes. These kinds of hackers are incredibly patient and creative.
Industry veteran Scott Scheferman described the attackers as “a criminal ring with many operative layers that work in coordination.... it’s not unusual at all for the threat to stay in ‘monitor’ mode for extended periods of time before performing the ‘power moves’ at the end of the heist."
For example, the notorious FIN7 or Carbanak Gang, known for its multi-purpose malware, stole over $1 billion from more than 100 banks over several years. What made Carbanak so successful in hacking banks? Their malware combined keylogging, form grabbing, point-of-sale (POS)/ HTTP monitoring, and desktop video capture for stealing banking data.
In August of 2018, the Department of Justice indicted the Carbanak gang leaders on 26 counts, including conspiracy to commit wire and bank fraud and computer hacking. FIN7 had started their own pen testing company Combi Security to cover their activities and used instant messengers Jabber and HipChat to share files and instructions.
It’s hard to disentangle the many aspects of these breaches. Some are targeted or use insiders, others utilize social engineering, and many are the result of malvertising from innocent browsing. Users click on shady links or enable dangerous macros in Word documents which come to them in the form of fake invoices or bogus IRS communications - as in this example. And with so much data scraping from LinkedIn, Facebook and online dumps from recent data breaches, the phishing threat vector is likely to establish the foothold hackers need.
Many 2017 bank hacks utilized the Emotet banking malware, which evades sandbox detection and uses PowerShell and other ‘living off the land’ techniques to download additional malware payloads.
The current one-two punch is Smokeloader and Trickbot (a data stealer). Clients can be pwned in seconds, and unless they have protections against scripts and sophisticated malware variants, their systems may become part of a multi-stage attack. Hackers collect usernames and passwords, move to other workstations, repeat, and use video and keystroke capturing malware to watch how the user transfers money in third-party systems like SWIFT, SPEI, STAR Network or Navigator.
The ability to access these third-party services means that the hackers can destroy the integrity of account data by temporarily inflating customer balances, which they can then harvest.
The Impact of GDPR on Banking Fraud
It's no wonder we are seeing stringent rules emerge for the monitoring of networks and for multi-factor authentication (MFA) in the newly published GDPR and in US regulations. Hackers are monitoring users, collecting passwords and then accessing payment systems to wire out funds or to send payment card data for use in ATM cash-out schemes. Authentication systems that gate access to payment systems should use more attributes about the user (device, location, time of day, recent failures) and apply a real-time risk score that verifies the identity and correlates an anomalous login with what that session then does in the payment system.
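As an added example (not code from the original article, and not any vendor's product), here is what such a real-time score looks like in practice: each attribute that does not look like the real user adds weight, the total decides between allow, step-up to a second factor, or deny, and the score is then correlated with the first wire the session tries to send. The weights, thresholds, the user profile and the login and wire records are all constructed for illustration.

```python
"""Risk-scored access to a payment system.

Added example, not code from the article. The weights, thresholds, user
profile and login records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class UserProfile:
    username: str
    known_devices: Set[str]
    home_countries: Set[str]
    usual_hours: range                     # local hours the user normally works
    usual_max_wire: float                  # largest wire this user normally sends
    last_login: Optional[datetime] = None
    last_country: Optional[str] = None


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    when: datetime
    failed_attempts_last_hour: int = 0
    anonymizing_exit: bool = False         # source IP on a Tor/VPN exit list


def risk_score(p: UserProfile, a: LoginAttempt) -> Tuple[int, List[str]]:
    """0-100; each attribute that does not look like the real user adds weight."""
    score, reasons = 0, []
    if a.device_id not in p.known_devices:
        score += 30; reasons.append("unknown device")
    if a.country not in p.home_countries:
        score += 25; reasons.append("unusual country")
    if a.when.hour not in p.usual_hours:
        score += 10; reasons.append("outside usual hours")
    if a.failed_attempts_last_hour >= 3:
        score += 20; reasons.append("repeated failed logins")
    if a.anonymizing_exit:
        score += 25; reasons.append("anonymizing exit node")
    if (p.last_login and p.last_country and p.last_country != a.country
            and a.when - p.last_login < timedelta(hours=2)):
        score += 40; reasons.append("impossible travel")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """allow / step-up (demand a second factor before access) / deny."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step-up"
    return "allow"


@dataclass
class Wire:
    amount: float
    new_beneficiary: bool
    minutes_after_login: int


def correlate_wire(score: int, p: UserProfile, w: Wire) -> str:
    """Tie the session's login risk to what it then does in the payment system."""
    unusual = w.new_beneficiary and w.amount > p.usual_max_wire
    if unusual and score >= 30 and w.minutes_after_login <= 15:
        return "hold"        # risky login immediately followed by an unusual wire
    if unusual:
        return "review"
    return "release"


# Constructed sample data
PROFILE = UserProfile("treasury.ops", {"dev-a1"}, {"US"}, range(7, 19), 50_000.0,
                      last_login=datetime(2018, 6, 4, 9, 0), last_country="US")
ATTEMPTS = {
    "normal": LoginAttempt("dev-a1", "US", datetime(2018, 6, 4, 10, 0)),
    "new_device": LoginAttempt("dev-z9", "US", datetime(2018, 6, 4, 10, 0)),
    "hostile": LoginAttempt("dev-z9", "RO", datetime(2018, 6, 4, 10, 0),
                            anonymizing_exit=True),
}


def demo() -> Dict[str, Tuple[int, str]]:
    """Score and verdict for each constructed attempt against PROFILE."""
    return {name: (risk_score(PROFILE, a)[0], decide(risk_score(PROFILE, a)[0]))
            for name, a in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, (score, verdict) in demo().items():
        print(f"{name:10s} score={score:3d} -> {verdict}")
```

The "hostile" attempt scores above 100 before clamping because impossible travel alone is worth 40 points: a login from a second country within two hours of the last one is the strongest single signal that the credentials, not the user, have moved. A step-up verdict is what should gate the third-party payment rail, not a password alone.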
But even with regulations in place, breach reports cite a lack of controls or technology capable of preventing one or more phases of the attack. A good red team will surface these weaknesses before the bad guys do.
Most people agree that risk transfer via insurance is necessary to account for gaps in security. For example, Brian Krebs recently reported on a hack of the National Bank of Blacksburg (NBB). Account balances were increased, credentials were stolen that gave access to the First Data STAR network for ATMs, and a mule cash-out operation yielded $2.4 million over two separate incidents. In the first, in May 2016, NBB is thought to have been phished by Russian attackers and $569k was taken from ATMs. In the second, in January 2017, an additional $1.8 million was stolen in the same manner.
"Repeat attacks are common and often successful because they know the environment," adds Cylance’s Scheferman. Now two years later, we are learning the details because the insurer is denying coverage. This hack is very similar to the RBS Worldpay incident, when hackers broke encryption on debit cards and used over 2,000 ATM's to cash out $9 million over a single weekend.
Sign of the Changing Times
The National Bank of Blacksburg incident doesn’t read like a garden variety phishing scam. The malware, monitoring, lateral movements and control over financial workstations enabling debit card production (used by money mules) is a persistent sophisticated hack. International cybersecurity expert Bryan Cunningham points to a problem with insurance cover: "There remains vigorous disagreement – and little clear legal precedent – on basic definitions of terms in cyber insurance policies."
And as the cyber insurance market has added new policy forms to cover emerging risks like social engineering, they then exclude those types of attacks from existing policies. "Traditional crime and FI bond policies are designed to cover losses that arise from embezzlement by employees [where] social engineering attacks are made by external actors, not employees," offered David Lewison, co-leader of the AmWINS Financial Services National Practice. And with the new products, "carriers have sublimited social engineering fraud to low levels due to high volume of claims," adds Ryan Gibney at Lockton, the world’s largest privately held independent insurance broker.
NBB had purchased an $8 million Computer & Electronic Crime rider to its financial bond. The CE Rider points to a "loss resulting directly from an unauthorized party acting alone or in collusion with others, entering or changing Electronic Data or Computer Programs [which] causes property to be transferred, paid or delivered..." NBB also purchased a $50,000 Debit Card Rider to cover lost or stolen debit cards that might be used at ATMs.
NBB argues that the primary attack was against the NBB network which enabled the hackers to access the STAR and Navigator systems, change balances, steal account data and ultimately cash out via the ATMs. And, there was an exclusion of coverage for “loss resulting directly or indirectly from the use or purported use, of credit, debit [cards] used in [ATMs]."
So, the Debit Card Rider which specifically names the ATM becomes the operative policy? "We would expect many crime carriers to try and pigeonhole the coverage through a small sublimit that they apply for social engineering fraud due to the phishing email initial access and behind the scenes criminal activities," said Gibney.
I recently spoke with coverage counsel Scott Godes about NBB and his reaction was, "The loss should be seen as within the heart of the coverage of the policy, particularly the crime rider. One would hope that the insurance carrier should carry the burden of proving that a sublimit applies, as a restriction on coverage."
Recurrent Attacks: a Reasonable Expectation?
Based on the bank hacks going back to the RBS Worldpay incident, what happened in Blacksburg seems likely to occur, or 'reasonable' to expect. "Exclusions and limitations on coverage in insurance policies should be read narrowly, and insurance carriers should not be rewarded for reading them broadly", noted Scott N. Godes, a cyber insurance and commercial litigator.
Here, the exclusion seems to swallow the coverage. The insurer is calling this a single incident. "The crime policy is most likely an occurrence-based policy and the bank should not have coverage limited because the event happened multiple times," stated Lockton’s Gibney.
Buying these policies is complex, however. Godes adds that "insurance carriers should sell products with robust coverage, so that policyholders do not fall through hidden trapdoors at the time of a claim." NBB’s position that the ATM cash-out could not have occurred but for the internal hack on their systems has support from a recent federal court decision in the Second Circuit, Medidata Solutions, Inc. v. Federal Insurance Co. In Medidata, Godes noted, the court ruled that the crime insurance policy provides coverage for a fraudulent scheme and wire transfer, even though the insurer claimed it was not a direct loss.
The court rejected the arguments that the loss was not “direct” because there were steps in between the original fraudulent message and the wiring of funds. This result is favorable for victims of complex phishing and malware attacks.
For those currently looking for cyber insurance, David Lewison suggested some practical steps to get the right coverage.
· "Work with a broker that specializes in Cyber-liability and Crime/Bond, from the same brokerage;
· Hold an underwriting/broker meeting or conference call so you can ask questions about who has the ball when something bad happens;
· Prior to binding coverage, put both policy forms and all endorsements side by side and verify that the coverage has been assembled as intended;
· It may also be worthwhile for larger insurance buyers to include a claims leader from the insurance company on a call, so you know who you are dealing with at the time of claim."
And, to avoid ending up in court, involve counsel and review your existing and proposed new policies before you buy.
A Distributed Denial of Service (DDoS) attack shuts down your business for hours or days at a time, disrupting supply chains, turning away clients/patients and causing significant financial losses. The frequency and magnitude of attacks warrant a management team analysis similar to that for data breach, to ensure that your company remains open for business.
DDoS attacks are not new, but they are escalating and growing in complexity. The objective is to deny service to the victim through attacks on its infrastructure. Whether your data is in your data center, the cloud or a hybrid, you are susceptible. A denial of service can result from a ransomware event where all data is encrypted. Or, it could be a bandwidth saturation attack combined with attacks on application servers. Regardless, the victim has limited or no ability to function and serve its clients. We tend to pay attention to DDoS during the mega events, but like data breaches they occur every day and hit businesses of all sizes, across verticals.
Denial of service is expensive. With NotPetya, we saw the business of TNT Express in The Netherlands disrupted, and its parent FedEx stated that it would cost $300 million. A.P. Moller-Maersk A/S also lost an estimated $200 million. Merck & Co. had an insurable claim of over $300 million after drug production was halted. The WannaCry attack is estimated to have caused over $4 billion in damages with little or no insurance cover because most of the damage was in Europe. The WikiLeaks Vault 7 code release could unleash tools that impact US-based companies. Graeme Newman of CFC Underwriting estimates a potential insurable event of $2.5 billion if a new NotPetya occurs.
Costs related to bandwidth attacks are startling. It can be hard to quantify all of the related losses within days of an event, but estimates from Arbor Networks for enterprise clients look at dollar loss per minute. Losses range from $500 per minute to over $20,000 per minute. The Ponemon DDoS Report estimates company losses at $1.5 million per event, with surveyed companies experiencing four events over 12 months. An Imperva survey reports that 49% of DDoS attacks last between 6 and 24 hours, at an estimated cost of $40,000 per hour or $500,000 per event, with some costing $100,000 per hour. In addition to lost revenue or damage to systems, the business disruption is immense and could have long-term business impacts as clients go elsewhere to buy.
How common are these attacks? Across all reports from 2017, the numbers are high. "45% reported they were hit, with 70% hit 2 or more times." (Imperva) "53% reported seeing 51 or more attacks per month." (Arbor) "16,600 attacks in Q1 2017." (Nexusguard) Similar to data breach, many attacks are not seen or understood until it's too late. All providers report seeing multi-vector attacks which combine a volumetric attack (UDP flood) with a state-exhaustion attack (SYN flood) on a firewall or load balancer and an application attack (HTTP flood) on a server. Attackers shift between strategies to confuse the victim and open the door to other threats, such as data theft.
These multi-vector attacks are the norm, and they make it tougher for victims to defend on their own. The Arbor Networks Worldwide Infrastructure Report for 2017 states that 42% of enterprise, government and education respondents experienced a DDoS attack last year. 75% of DDoS attacks were directly against the customer (not the ISP). The top target verticals include gaming, government, financial, eCommerce and education. Most of the attacks are under 2 Gbps, but one confirmed attack in the UK was 579 Gbps. The average duration was only 55 minutes, but attacks are often repeated over many hours. The size, frequency and scale are getting worse, and the protocols and infrastructure which are used to attack victims have inherent weaknesses (DNS, BGP, NTP, etc.).
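As an added example (not from the article or from any vendor named in it), here is the detection side of the three vector types just described, run over one-second windows of flow records: bytes of UDP toward one target for the volumetric flood, SYNs that never complete a handshake for state exhaustion, and HTTP request rates per target and per source for the application layer. Classifying window by window also makes the "shift between strategies" visible as a sequence. The thresholds and the synthetic traffic are constructed; TARGET and the source ranges are RFC 5737 documentation addresses standing in for a victim and its attackers.

```python
"""Classify DDoS vectors from one-second windows of flow records.

Added example, not code from the article. Thresholds and the sample traffic
are constructed; in practice the thresholds come from the link's baseline.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set

# Per-target thresholds for a single one-second window (constructed)
UDP_BYTES_PER_SEC = 5_000_000        # volumetric: UDP/amplification flood
HALF_OPEN_SYN_PER_SEC = 500          # state exhaustion: SYNs that never complete
HTTP_REQ_PER_SEC = 200               # application layer: requests per target
HTTP_REQ_PER_SRC_PER_SEC = 20        # a single client hammering one target

TARGET = "203.0.113.10"              # documentation address standing in for the victim


def classify_window(flows: Iterable[dict]) -> Dict[str, Set[str]]:
    """Return {target: set of vector names} for one window of flow records.

    Each flow is a dict with keys src, dst, proto ('tcp'/'udp'), flags
    (TCP flags seen, e.g. 'S' for a lone SYN, 'PA' for data on an
    established connection), bytes, and optionally http_path."""
    udp_bytes, half_open = Counter(), Counter()
    http_total, http_per_src = Counter(), Counter()
    for f in flows:
        dst = f["dst"]
        if f["proto"] == "udp":
            udp_bytes[dst] += f["bytes"]
        elif f["proto"] == "tcp":
            if f["flags"] == "S":            # SYN seen, handshake never completed
                half_open[dst] += 1
            if f.get("http_path"):
                http_total[dst] += 1
                http_per_src[(f["src"], dst)] += 1
    vectors: Dict[str, Set[str]] = defaultdict(set)
    for dst, b in udp_bytes.items():
        if b >= UDP_BYTES_PER_SEC:
            vectors[dst].add("volumetric")
    for dst, n in half_open.items():
        if n >= HALF_OPEN_SYN_PER_SEC:
            vectors[dst].add("state-exhaustion")
    for dst, n in http_total.items():
        if n >= HTTP_REQ_PER_SEC:
            vectors[dst].add("application")
    for (_, dst), n in http_per_src.items():
        if n >= HTTP_REQ_PER_SRC_PER_SEC:
            vectors[dst].add("application")
    return dict(vectors)


def make_window(udp_flows: int = 0, syn_flows: int = 0, http_flows: int = 0,
                legit_flows: int = 50) -> List[dict]:
    """Constructed one-second window: legitimate clients from 192.0.2.0/24 plus
    attack traffic from spoofed-looking sources in 198.51.100.0/24."""
    flows = []
    for i in range(legit_flows):
        flows.append({"src": f"192.0.2.{i % 254 + 1}", "dst": TARGET, "proto": "tcp",
                      "flags": "PA", "bytes": 800, "http_path": "/"})
    for i in range(udp_flows):
        flows.append({"src": f"198.51.100.{i % 254 + 1}", "dst": TARGET, "proto": "udp",
                      "flags": "", "bytes": 4096})
    for i in range(syn_flows):
        flows.append({"src": f"198.51.100.{i % 254 + 1}", "dst": TARGET, "proto": "tcp",
                      "flags": "S", "bytes": 60})
    for i in range(http_flows):                      # a handful of bots, many requests each
        flows.append({"src": f"198.51.100.{i % 7 + 1}", "dst": TARGET, "proto": "tcp",
                      "flags": "PA", "bytes": 600, "http_path": "/search?q=x"})
    return flows


def campaign(windows: List[List[dict]]) -> List[List[str]]:
    """Vector names seen against TARGET in each successive window."""
    return [sorted(classify_window(w).get(TARGET, set())) for w in windows]


if __name__ == "__main__":
    shifting = [make_window(udp_flows=2000), make_window(syn_flows=800),
                make_window(syn_flows=800, http_flows=300), make_window()]
    for i, vectors in enumerate(campaign(shifting)):
        print(f"second {i}: {vectors or 'clean'}")
```

The per-source HTTP counter matters because an application flood from a small botnet can stay under the aggregate request threshold while still exhausting a single backend; the aggregate counter catches the opposite case, where thousands of sources each send a polite rate. Flows with completed handshakes are never counted toward state exhaustion, so a busy but healthy site does not trip that detector.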
Denial of service is not new and has gone through many iterations over the past decade. Back in 2012, banks and financial institutions in the northeastern US, including the NYSE, were hit by hacktivists whose attacks caused outages and could have triggered severe systemic problems. In 2015, we saw a state-sponsored attack from China against GitHub, which was hosting anti-censorship tools. The "Great Cannon" intercepted traffic destined for China and redirected it at GitHub, flooding its bandwidth and shutting down the service. In 2016 the Mirai botnet took advantage of some 100,000 poorly configured IoT devices to unleash a 1.2 Tbps DDoS on the DNS service provider Dyn, affecting many downstream clients such as Netflix and Twitter. Botnets used with ransomware, Ransomware as a Service and DDoS as a Service that leverages IoT devices have increased the threat surface exponentially. Now, for $15 to $50 per hour, criminals can launch an attack to shut down a company's internet access.
The battle against DDoS has been fought at the ISPs, but increasingly this is an enterprise threat that risk managers must learn about. With significant amounts of data hosted in the cloud, attacks may hit the ISP or the enterprise directly. Akamai uses its content delivery network (CDN) to absorb threats at the edge. Firewalls and load balancers attempt to stop DDoS but, according to Cisco, "aren't in the best position, can't see anomalies and lack anti-spoofing capabilities." Purpose-built services such as Arbor Networks' use a layered approach where application and state-exhaustion attacks are handled at the customer data center; when a large volumetric attack is detected, traffic is automatically re-routed to a cloud scrubbing center and clean traffic is sent back to the enterprise. Handling these attacks requires a combination of software and incident responders, and time is of the essence. As with malware attacks, global threat intel that is operationalized for DDoS is needed to spot entire attack campaigns. It is worth asking your ISP who is protecting their bandwidth; don't just check the box on this capability.
But as complicated as the DDoS threat is, the cyber insurance coverage adds a layer of complexity. Risk transfer is needed for DDoS, and it may come under cyber insurance or may be an endorsement to a property policy. Business Interruption (BI) coverage is needed when an attack is launched directly against your network, and Contingent or Dependent BI is needed if the attack is upstream at your vendor/provider. The coverage is triggered upon notice by the insured that their network is unavailable, and waiting periods for valid claims can be as long as 12 hours. Another consideration is your retention or deductible that will apply against any loss. Cyber insurance can be difficult to underwrite because the losses or their magnitude are not foreseen. One Merck employee simplified the impact from NotPetya, “[I]t just shut down the whole network site, without computers these days you can’t do anything… There’s not much you can do without access.”
Scott Godes, an insurance recovery partner with Barnes & Thornburg LLP, pays close attention to the wording of all policies and shared some comments. "The question of business interruption coverage can vary by insurance policy and insurance carrier. Some policies, for example, look to whether the insured’s business was interrupted or suspended. Other policies, for example, look to whether there was an interruption or suspension of the relevant computer system. Although many policies use 12 hours for a waiting period, other policies may have shorter windows, such as 8 or 10 hours. Certain policies include CBI coverage explicitly, whereas other policies may provide the same coverage through varying terms and conditions."
Kurt Suhs, SVP at Ironshore stated, “ Today, most markets offer full limits for business and dependent business interruption for claims arising from a network security incident while coverage for system failure is generally sub-limited. We are also seeing traditional property markets offering coverage for business and dependent business interruption from a cyber event. A turning point for some markets on the ability to profitably write this coverage was the Petya malware that significantly impacted the operations of several Fortune 500 companies.”
David Lewison of AmWINS Brokerage commented on BI coverage. "Some of the business interruption costs are what we call betterment (“improved computer hardware”) and internal expenses (“overtime wages for staff”). Betterment has always been excluded. CFC is now offering some coverage, up to $50,000, on their new form. Most policies get you back to where you were, not buying new, upgraded equipment. The policies are a mixed bag right now. I would expect nearly all cyber policies with BI included to cover events impacting their own networks and devices. That contingent or dependent coverage is a little more fuzzy. Some markets cover that cloud outage or other critical vendor going down. Some cover when an IT person kicks a plug out of the wall. It’s hard to keep it all straight. Recently, a client received a handful of cyber insurance quotes and each one has a different amount of time limit on the business interruption (period of restoration). One covers lost profits for 30 days and some go up to 6 months."
On calculating losses, Jesus added: "Wording in a typical policy will be for 'actual loss sustained' and you can expect to have the insurers hire a forensic accounting firm on their behalf to quantify the loss. The insured/victim should have their own forensic accounting firm prepare the claim on their behalf. There is no 'single form' of quantifying claims as every client and situation is unique, which is why it is invaluable to prepare a 'Proof of Loss' template to attach to the policy as a pre-agreed endorsement."
The takeaway is that you need to spend time with your broker and counsel so that they can understand your business, your network architecture, how to calculate your business losses from downtime and then select/negotiate with one of the carriers to find the best coverage. BI that results from a DDoS attack will need to address the nuances of multiple, short duration attacks that result in claims calculated over days. DDoS doesn't have the mitigation options available that a potential data breach does. Unlike data theft where multi-factor authentication (Okta, InAuth) can prevent credential theft that leads to database access or proper encryption that can mitigate the risk if data is stolen, or working back ups for data extortion events... DDoS protection involves infrastructure outside of your control and is a team sport!
Recently, there have been DDoS attacks on ICO offerings, attacks used as a smokescreen for an APT, and attacks launched from a botnet of Android devices on wireless networks. The growing IoT device footprint includes little or no security, and the protocols abused as part of DDoS attacks will not be easily fixed. Don't think of DDoS as a technical problem that you can issue a patch for... dig in on this business risk now.
This week we are experiencing the latest iteration of ransomware after last month's WannaCry attack. Key takeaways are: patch your systems and lock down your admin-level password privileges.
It is not clear yet whether this latest attack is a Petya variant they are calling "Goldeneye" or some new ransomware. But the attack is hitting critical infrastructure including the Ukraine Central Bank, Danish shipping company Maersk, Dutch transport company TNT, Russian oil giant Rosneft and one of the top law firms globally, DLA Piper.
The days of ransomware affecting single hosts are gone; we are now presented with self-replicating worms carrying weaponized payloads that spread quickly. This latest strain does not rely only on the EternalBlue exploit. According to Binary Defense, in Ukraine a compromised update of the accounting software MeDoc led to the initial infection. Once inside, the malware drops PsExec v1.98 to execute itself on other hosts, and a Mimikatz-style tool (lsadump) pulls credentials from LSASS memory, including cleartext passwords where Windows has them cached. Automation, lateral movement across the network and passwords with admin rights enabled this attack to propagate.
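The propagation just described leaves a recognizable trail in ordinary Windows event logs, and the following is an added example (not code from the article or from Binary Defense) of triaging that trail: PsExec installs its PSEXESVC helper service on every host it reaches (System event 7045), the stolen admin account produces a burst of network logons from one source to many hosts (Security 4624, logon type 3), and the payload is launched with rundll32 calling an export by ordinal from a file that is not a .dll (Security 4688). The event records, host names, account and file names are constructed; real forwarded events carry the same field names.

```python
"""Triage of Windows event records for PsExec-style lateral movement with
administrative credentials.

Added example, not code from the article or from Binary Defense. The event
records below are constructed; in practice feed in forwarded Security and
System log events with the same field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def psexec_service_installs(events) -> List[str]:
    """System 7045: PsExec's PSEXESVC helper service being installed on a host."""
    hits = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        name = e["fields"].get("ServiceName", "")
        path = e["fields"].get("ImagePath", "")
        if "PSEXESVC" in name.upper() or "PSEXESVC" in path.upper():
            hits.append(f'{e["host"]}: service {name} installed from {path}')
    return hits


def admin_fanout(events, window=timedelta(minutes=10), min_hosts=3) -> List[str]:
    """Security 4624, LogonType 3: one account from one source reaching many hosts quickly."""
    by_key: Dict[tuple, list] = defaultdict(list)
    for e in events:
        f = e["fields"]
        if e["event_id"] == 4624 and f.get("LogonType") == "3":
            by_key[(f["TargetUserName"], f["IpAddress"])].append((e["ts"], e["host"]))
    alerts = []
    for (user, src), logons in by_key.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append(f"{user} from {src} logged on to {len(hosts)} hosts "
                              f"within {window}: {sorted(hosts)}")
                break
    return alerts


def rundll32_ordinal_loads(events) -> List[str]:
    """Security 4688: rundll32 invoking an export by ordinal (",#N") from a file
    that is not a .dll, the way a dropped payload is commonly launched."""
    hits = []
    for e in events:
        f = e["fields"]
        if e["event_id"] != 4688 or not f.get("NewProcessName", "").lower().endswith("rundll32.exe"):
            continue
        parts = f.get("CommandLine", "").split()
        if len(parts) < 2 or "," not in parts[1]:
            continue
        module, _, export = parts[1].partition(",")
        if export.startswith("#") and not module.lower().endswith(".dll"):
            hits.append(f'{e["host"]}: {f["CommandLine"]}')
    return hits


def triage(events) -> Dict[str, List[str]]:
    return {"psexec_service": psexec_service_installs(events),
            "admin_fanout": admin_fanout(events),
            "rundll32_ordinal": rundll32_ordinal_loads(events)}


def _ev(minute_second, host, event_id, **fields):
    return {"ts": datetime(2017, 6, 27, 14, *minute_second), "host": host,
            "event_id": event_id, "fields": fields}


# Constructed sample: svc_admin fans out from one workstation, PsExec lands on
# WS-02, which then runs a dropped .dat by ordinal. The last three are benign noise.
SAMPLE_EVENTS = [
    _ev((0, 5), "WS-01", 4624, LogonType="3", TargetUserName="svc_admin", IpAddress="10.20.0.5"),
    _ev((0, 40), "WS-02", 4624, LogonType="3", TargetUserName="svc_admin", IpAddress="10.20.0.5"),
    _ev((1, 2), "WS-02", 7045, ServiceName="PSEXESVC", ImagePath="%SystemRoot%\\PSEXESVC.exe"),
    _ev((1, 9), "WS-02", 4688, NewProcessName="C:\\Windows\\System32\\rundll32.exe",
        CommandLine="rundll32.exe C:\\Windows\\payload.dat,#1 30"),
    _ev((1, 30), "WS-03", 4624, LogonType="3", TargetUserName="svc_admin", IpAddress="10.20.0.5"),
    _ev((2, 10), "FS-01", 4624, LogonType="3", TargetUserName="svc_admin", IpAddress="10.20.0.5"),
    _ev((3, 0), "WS-07", 4624, LogonType="2", TargetUserName="jdoe", IpAddress="-"),
    _ev((3, 5), "WS-07", 4688, NewProcessName="C:\\Windows\\System32\\rundll32.exe",
        CommandLine="rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"),
    _ev((4, 0), "WS-08", 7045, ServiceName="VendorUpdateSvc", ImagePath="C:\\Program Files\\Vendor\\upd.exe"),
]

if __name__ == "__main__":
    for category, alerts in triage(SAMPLE_EVENTS).items():
        print(category, "->", alerts or "none")
```

The fan-out check is the one that matters most for a worm like this: a service account legitimately logs on to many hosts too, so tune `min_hosts` and `window` to what your admin tooling actually does, and treat the combination of all three detectors on the same host within minutes as the high-confidence signal. Note that 4688 only carries `CommandLine` when process command-line auditing is enabled in policy.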
This latest attack hit European and Australian locations, and Merck and Heritage Valley Health System in PA were also hit. Companies hit by the ransomware told employees to shut down all computers. Business interruption is the main impact from ransomware and the reason why we are seeing an escalation in attacks and the amounts sought in payment. What is the cost of shutting down operations for a national telco or electric utility?
Last week, the South Korean web hosting company Nayana paid a $1 million ransom after an Erebus attack encrypted data on 153 Linux servers, potentially affecting 3,400 customers. They negotiated down from $1.6 million (550 bitcoin) to 397.6 bitcoin. Last year an American Bar Association article on ransom cited an average payment of $4.5 million for a human ransom. What's to keep data from reaching parity with humans, when the cyber insurance policies will cover losses?
The average amount sought in this latest attack is $395, and reports say there is likely no kill switch. The attack also appears more targeted: bitcoin payments are handled manually, and victims must email proof of payment to an address to get a decryption key. The email provider Posteo has closed the attackers' account, frustrating payment. They will no doubt find a workaround to the payment process.
Access to systems and networks, and authorization to use services, must move beyond passwords and simple two-factor authentication. We need multi-factor authentication (MFA) that includes something you have, something you know and something you are. Mobile devices let us use fingerprints, facial recognition, voice and behavioral characteristics to authenticate and identity-proof a user before giving access to services.
Thankfully, these technologies are available now, not too pricey and being implemented by our Federal Government under NIST guidelines for Level of Assurance (LOA). Pilot tests that link access to federal services under the NIST Trusted Identities Group, with commercial transactions in banking and ecommerce, indicate that a Federated Identity solution has traction in the USA, similar to the UK identity verification program.
The guidance to avoid these attacks is solid: PATCH and test your backups. You also need to know WHAT is inside the traffic on your network: you must monitor network sessions. And you must know WHO is on your network and accessing your services: identity proofing.
DeepDotWeb reported a new attack on three US healthcare organizations in the southeast and midwest that has 655,000 identities at risk. We saw what happened at MedStar when care providers had to rely on paper records: things slow down and care can suffer. Hospitals are on notice of the risks from not properly protecting patient data, but that doesn't mean that they are prepared. See full story here: https://www.deepdotweb.com/2016/06/26/655000-healthcare-records-patients-being-sold/
We have seen ransomware go through a couple of phases, with each iteration of malware improving the hackers' options for success. Crysis malware is the latest scourge: it can encrypt data, take remote admin control of systems and move data out of an organization. Crysis can be delivered through email or downloaded from websites as part of an installer. http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/crysis-to-take-over-teslacrypt Larger organizations are getting hit on their enterprise share drives; this is no longer a client-only problem.
The ability to pull files away from the infected organization, could trigger the data breach threshold. This latest hack has a similar theme, has accessed three health providers internal systems and "pulled out" hundreds of thousands of complete patient records using RDP. The databases are for sale from $100,000 to $400,000 and are currently not exposed. The hacker wants to give the company a chance to pay the ransom...which is (apparently) less than the retail price shown. How much less?
Insurance policies will cover extortion and ransom demands but carry a retention (deductible), so most demands will fall below the threshold that triggers a payment. But are we entering the next phase, where data ransom payments are negotiated more akin to those for people? The JIGSAW variant of Ransomware as a Service uses live chat to guide its victims through a speedy payment process and assures them that their data will be restored. http://www.darkreading.com/attacks-breaches/ransomware-now-comes-with-live-chat-support/d/d-id/1325879 If the hacker requests $100,000 more than the client's deductible, the insurer will take the hit. Should healthcare orgs expect premium increases for this popular coverage?
These extensions in the software make it easier to pay with bitcoin, to negotiate amounts and for the hacker to find the right price point for the stolen data. Even then, there is no assurance that your data will not be re-sold or released for others to create a synthetic identity. Medical service fraud is on the rise and consumers are on the hook, unlike with credit card payments. http://medidfraud.org/wpcontent/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf
Ransomware covers multiple approaches to holding data, and companies, hostage. The best guidance is to have a business continuity and disaster recovery plan in place; the experts may have a hard time helping you without one. And buy ransom and extortion insurance. It's good value for the price and enables risk transfer when all else fails. Just don't publicize that you have it... it may drive up the cost of your data.
Ransomware attacks targeting the healthcare community are sending shockwaves through the industry. In late March, Washington DC-based MedStar Health became the latest in a series of providers to fall victim to ransomware.
The impact of a network-wide ransomware attack grinds operations to a standstill. Patient care is often at stake. In the wake of the MedStar attack, staff scrambled to provide services without access to emails and electronic patient records. It is not very surprising that Hollywood Presbyterian Medical Center in Los Angeles paid the perpetrators $17,000 in Bitcoin to regain access to their files after the February ransomware attack.
With these attacks, we’re seeing new attack strategies come into play. Ransomware, once a scourge largely against individuals, is now hitting companies and critical infrastructure where it hurts. These attacks demonstrate that data is becoming the new human ransom as criminals seek to cripple organizations by encrypting files so that only a key held by the attacker, available at high cost, can decrypt them.
When criminals target critical infrastructure, ransomware crosses an especially serious line, according to one of our partners who is a leading expert in cybersecurity law. “This case [the Hollywood Presbyterian incident] is an example of how cyber can impact the physical world – here, [it affects] the provision of medical services as some patients were diverted to other facilities,” says Tony Kim, global co-chair of cybersecurity at Orrick, Herrington & Sutcliffe LLP, a leading global law firm. “We’ve seen similar dynamics in relation to hacked vehicles, power grids, and other critical services.”
Criminals are also getting more aggressive in their attacks and demanding higher ransom payments, according to a partner who is a top expert on cyberinsurance. “Cyber extortion and ransomware are, without question, on the rise,” shares Toby Merrill, senior vice president, global cyber practice leader for Chubb, the world’s largest publicly traded property and casualty insurer. “A concerning aspect is that the demand values are increasing exponentially. What used to be a few thousand dollars with commoditized ransomware is turning into larger cyber extortion events."
The Hollywood Presbyterian hospital ransom was particularly vicious in that criminals initially sought an extremely high payment of $3.4 million. The final amount negotiated, $17,000, was substantially less. Is this a new approach in which the attacker expects the victim to negotiate, as with human ransoms? Start with an outrageous sum and settle for less? Even the settled figure is much higher than the average payout for ransomware. Will we see future ransomware victims adopt this practice of negotiating settlements to eke out maximum value from the payer?
Hospitals and companies can manage and minimize ransomware risk if they are prepared. These organizations must be as aggressive and flexible as the attackers to avoid hostile takeover of their networks, proprietary data and user information.
What can an organization do to bolster their defenses? Prepare! Best practice suggests the following strategy to handle a ransomware incident:
• Assess your current capabilities focusing on your users’ awareness posture and data security. This involves a risk assessment that looks at systems and employees. Companies also need to test email phishing vulnerabilities and safe browsing habits (e.g., social engineering). Deploy safe browser configurations and test your company’s ability to respond to an incident. It is one thing to have a plan and another to execute the plan successfully.
• Consider implementing session-based network detection tools that can detect, analyze and block exploit kit (EK) activity. As exploit kits deliver ransomware (teslacrypt, etc.) to your network, you may be able to block the EK and see the encryption keys exchanged prior to encrypting your data. You may also detect shifts in infrastructure, which will trigger an alert. Be proactive to avoid putting your entire infrastructure at risk.
• Develop a Disaster Recovery and Business Continuity (DRBC) plan and consider purchasing cyber insurance to transfer risk. Insurance companies are adjusting coverage based on a company’s security profile and response plans. For example, Ironshore insurance offers full policy limits for both network and data extortion. “But if the applicant doesn't have a DRBC plan in place, then we will cap the limit to $1 million,” says Kurt Suhs, vice president, Ironshore.
• Finally, if you are hit with ransomware, turn to outside counsel and forensics firms for help. They can negotiate and pay ransom fees if needed without creating a Bitcoin account. They can manage company fallout and repair brand reputation. Organizations may also need assistance in recovering data from backups, volume snapshots or restore points.
A solid DRBC plan and experienced cybersecurity partners are critical to keeping networks and information secure.
I was startled when I heard his voice. "Can you give me another area, where a misdemeanor violation suspends a Constitutional right?" That was the opening question from Justice Clarence Thomas in Voisine v. United States at minute 41; hear the audio here: http://www.supremecourt.gov/oral_arguments/audio/2015/14-10154
The issue in Voisine is "Whether a misdemeanor crime with the mens rea of recklessness qualifies as a "misdemeanor crime of domestic violence" as defined by 18 U.S.C. §§ 921(a)(33)(A) and 922(g)(9); and (2) whether 18 U.S.C. §§ 921(a)(33)(A) and 922(g)(9) are unconstitutional under the Second, Fifth, and Sixth Amendments and the Ex Post Facto Clause of the United States Constitution."
Most of the discussion was focused on the common law definition of battery, unwanted touching, recklessness and federal statutes. But Justice Thomas raised the question of whether this person should lose a Constitutional right to bear arms under the Second Amendment, for what amounts to a misdemeanor.
I listen to all of the oral arguments when I run, and each voice is distinctive. This voice, you never hear. I was also gauging the exchanges between counsel and the Justices since the passing of Justice Scalia, who is noticeably absent. Justices Ginsburg, Alito, Kagan, Sotomayor and Breyer were all actively participating. But Justice Thomas' question and follow-ups could have been Justice Scalia asking, pressing the magnitude of the impact of this decision. I hope this is a sign of things to come!
Another case that I expect we would have heard a lot from Justice Scalia is Utah v. Strieff. http://www.supremecourt.gov/oral_arguments/audio/2015/14-1373 This case asks: "Should evidence seized incident to a lawful arrest on an outstanding warrant be suppressed because the warrant was discovered during an investigatory stop later found to be unlawful?"
The discussion here was dominated by Justice Sotomayor (arguing the case on behalf of Respondent) and Justice Alito, asserting the need for warrant checks for police safety. This is an interesting case that asks if police should be able to stop everyone in a particular neighborhood that may have a high number of outstanding warrants, run warrant checks, and then arrest them. If they find illegal substances during the legal arrest, then that evidence is admissible...maybe. The Fourth Amendment is always being tested!
Another case worth listening to is Hughes v. Talen Energy Marketing, LLC http://www.supremecourt.gov/oral_arguments/audio/2015/14-614
This is a complicated regulatory case which raises the question: "Does the Federal Power Act preempt attempted state regulation of utility contracts and sales?" The State of Maryland solicited bids for a power generating plant that would use revenue over a 20 year contract to pay for the construction of the plant. Attorney Paul D. Clement skillfully argues for respondents that this will distort the wholesale energy bidding system. No matter the subject, if Paul Clement is arguing, it's worth listening.
The DPPA covers transfers of data between EU and US law enforcement agencies and focuses on "the exchange of information which is critical to prevent, investigate, detect and prosecute criminal offenses, including terrorism…" It is posted on the EU Commission website here:
Yesterday, tentative agreement was reached on the successor to the Safe Harbor, known as the 'Privacy Shield', with text to follow in 4-6 weeks. A summary from the EU Commission of the new framework is here: http://europa.eu/rapid/press-release_IP-16-216_en.htm Can we look to the DPPA to find language and terms that will emerge in the Privacy Shield?
The DPPA agreement has significant elements that are noteworthy.
*It will improve EU citizen administrative and judicial redress in the US court system, upon a claimed violation of their privacy rights. This requires passage of the Judicial Redress Act, now in the US Senate.
*DPPA Article 9 calls for "appropriate technical, security and organizational arrangements for the protection of personal information…against unlawful destruction, loss or unauthorized disclosure." We are seeing more requirements for appropriate technical security, which standard will that be, NIST?
*Following proper security is a Notice provision. Upon discovery of a breach, notice shall be given to the "Competent Authority" and the individual, unless that notice could impact national security or ongoing investigations or criminal proceedings. The GDPR has an EU breach notice provision, expect some form of notice provision in the Privacy Shield.
*Using logs for data processing will be acceptable provided the data is "not retained for longer than necessary." Additional controls related to "national origin, political opinions or religious beliefs, trade union membership or sexual life" shall require added restrictions and may be 'case by case.' This language goes to profiling of terror suspects as a class. Using data science to find context is very common and useful. Will that be addressed under processing of data/metadata in commercial data centers?
*Individuals will be able to seek "rectification or correction" of personal information that is inaccurate or improperly processed. Is this language geared toward Google and Facebook and the EU notion of privacy as a Fundamental right? From what I have read, if they don’t, we can expect more challenges to this agreement before it gets off the ground. See article here: http://europe-v-facebook.org/PS_update.pdf
*The EU backlash that undermined the Safe Harbor was the PRISM program of bulk analysis of phone records and personal data. This agreement says that the Parties will ensure that personal information is processed (that includes collection) in a way that is "directly relevant to and not excessive or overbroad in relation to the purposes of such processing." The US will also establish an Ombudsman position for fair oversight with the power to "accept and act upon complaints made."
*Transparency is called for when a Competent Authority processes information of an individual. Notice shall be given on "the purpose of processing the information…sharing with other authorities…third parties to whom data is disclosed.." How does this work with the USA Freedom Act and FISA warrants?
Under "Territorial Application", the EU Commission will notify the US if UK, Denmark or Ireland, "has decided that this agreement applies to its state." Isn't it ironic that Max Schrems brought his case against Facebook before the Irish Data Protection Commissioner, for transferring data from Irish data centers to US data centers?
And at the end of all this, Ireland could reject the agreement or the US fail to pass Judicial Redress, which would undermine the DPPA and probably Privacy Shield. This is far from settled. More details are needed. How will the Privacy Shield address bulk commercial collection, mining and targeted advertising of US citizens at home and within the EU? This agreement gives us some indication of what the EU will want for the commercial transfer but there are many approvals required at home and in the EU, with stakeholders lobbying for their best result.
Cyberlaw, technology, insurance, social media, breaches and global regulation were under the microscope this past week at the ABA Cyberlaw Winter Meeting. Law geeks convened at the Nova Southeastern University Shepard Broad College of Law in Fort Lauderdale and over the course of three days, thoughtful discussion revealed a patchwork of dependent issues. Some of the topics are covered in this blog post, as they are timely. The ABA presentations were well researched and current, if you are a member, you can access them here:
Prof. Jon Garon, Dean of the hosting law school, delivered a colorful and revealing look at cyberlaw in 2015 including heinous events and sticky court rulings. His paper, “2015 Cyberlaw Year in Review – Seeking Security Over Privacy, Finding Neither” is available at: http://ssrn.com/abstract=2707756. His key takeaway was that global terrorism combined with state sponsored cyber attacks put the focus on security in 2015, not on enhancing privacy for individuals. What struck me was how much we are still living with events from 2015 or earlier and how they shape the current landscape. Dean Garon points to Snowden as the tipping point for the Safe Harbor rebuke by the EU Court of Justice as well as an impetus for hacktivists. He cites the attack on (whitehat?) spyware company Hacking Team, that released 400 gig of data and showed their ties to authoritarian regimes. Hacktivism not only exposed those claiming the moral high ground, Anonymous “released 9,200 ISIS Twitter accounts” being used in the ground war which enabled Twitter to shut them down (hacktivism for good?).
Dean Garon also links the Snowden impact to the Patriot Act successor the USA Freedom Act and notes the relatively modest changes that have resulted, after global outrage at the bulk telephone call collection by the NSA. The new Act prevents bulk collection unless the government has a “specific selection term, that specifically identifies a person, account, address or device in a way that limits to the greatest extent reasonably practicable, the scope of tangible things sought consistent with the purpose for seeking the tangible things.” That’s good, or better.
But, the NSA “will continue to make use of data collected by the phone companies [including] NSA collection of foreign internet content from US tech companies, which sweeps up lots of data.” Epic.org reports that the FBI issued over 14,000 National Security Letters (NSL’s) in 2013, seeking call records, email records, billing, credit and other data, all subject to a gag order. Security v. privacy, the balance shifts based on real world events.
The EU Court of Justice ruling in Schrems v. Data Protection Commissioner exposes the rift in relations created by the Snowden disclosures. The rebuke of the Safe Harbor rule for its lack of oversight to ensure the privacy of EU citizen data leaves corporations to adopt Binding Corporate Rules or Model Contract Clauses, which are reviewed by an EU Data Protection Agency for approval. Dean Garon questions whether Notice and Choice, which underpin the Safe Harbor, were illusory to begin with, “given the lack of transparency and the difficulty of opt-out schemes.” A balkanization of the internet is shaping up as nations require data centers be located in their country to hold the PII of their citizens.
Pointing to the violent attacks on French soil and the outward use of social media by ISIS to further their interests, Dean Garon suggests law enforcement monitoring and terrorist use of social media are here to stay, with “a reported 95% of police agencies” using the approach. We want to protect privacy but we shudder when we hear that the attackers are using our software tools and applications to wage war.
The passage of the General Data Protection Regulation in the EU maintains key elements of privacy and security: consent, transparency and data minimization. The EU will require notice of breaches across all member countries, something the US has yet to do. All of this regulation is designed to prevent a breach or minimize the damage when it occurs. We have seen the long tail of a breach and some notable incidents cited by Dean Garon express the breadth and ripple effect to unsuspecting recipients.
The Sony breach involved nation state actors, IP theft, company sensitive data, attempts at ‘hackback’ and NSA knowledge of the attack prior to its disclosure. We now have greater sharing of threat intel under the newly passed CSIA but would that have helped Sony? Threat intel sharing requires companies to operationalize knowledge in security operations, in an effective and timely manner. The CSIA removes liability for companies which may increase sharing but will that prevent breaches? Nation state hacks of IP and sensitive data, trade secrets, strip the US government and companies of a competitive edge. Stolen secrets could cost billions as competitors bring their product to market and as with Sony, create losses on existing investments.
The Office of Personnel Management (OPM) breach had millions of records lost combined with highly sensitive data on US operatives. The circle of data extends wide when a top secret clearance or higher is sought by an applicant, dragging friends and family sensitive records into the breach. Dean Garon noted that journalists with access to government officials were swept up in the hack. Further, he cites reports that discuss the ability of foreign governments to “cross reference employees in a government facility….anyone not in the OPM database could be presumed to be hired by the CIA.” The OPM breach created long term risk to many Americans for identity theft, financial crime and to our national security.
The Ashley Madison hack affected 37 million members of a tawdry online business. So many victims here beyond the members. Poorly encrypted passwords were downloaded and brute-forced. Open source solutions like Pythia: https://testpypi.python.org/pypi/pythia/1.0 offer client and server password hardening to prevent such an attack. Even worse than the attack on the business is the unfortunate fallout on member families. Cyber crime is the king of cottage industry formation and within hours the blackmail began against member families.
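The weak password storage described above, and the hardening it calls for, as an added example that is not from the original post or from the Pythia project. It uses only the Python standard library: an unsalted fast hash (MD5, standing in for whatever the breached site used) next to a salted, memory-hard scrypt record. The user names, passwords and wordlist are constructed here; the audit function shows the defender's-side reason unsalted hashes fall so quickly: without a salt, one table of candidate hashes checks every account in the dump at once, while the salted record forces a separate slow computation per account and per guess.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work parameters for the hardened scheme (memory use is about 128*r*n bytes, here 16 MiB)
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def legacy_md5(password: str) -> str:
    """The weak scheme: one unsalted, fast hash per password. Constructed illustration."""
    return hashlib.md5(password.encode()).hexdigest()


def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash. Returns a self-describing record so the
    parameters can be raised later without breaking old records."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_hardened(password: str, record: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # refuse anything that is not a record of the hardened scheme
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=KEY_LEN)
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_legacy_records(records: dict, wordlist: list) -> dict:
    """Defender's audit of a dump stored as unsalted MD5. Because no salt is
    involved, len(wordlist) hash computations cover every account in the dump;
    returns {user: recovered_password} for accounts using a wordlist entry."""
    table = {legacy_md5(word): word for word in wordlist}
    return {user: table[h] for user, h in records.items() if h in table}


# Constructed sample data (hypothetical accounts, not from any real breach)
LEGACY_RECORDS = {
    "alice": legacy_md5("password"),
    "bob": legacy_md5("123456"),
    "carol": legacy_md5("S3cure!Pass-2016"),
}
COMMON_WORDS = ["123456", "password", "qwerty", "letmein"]

if __name__ == "__main__":
    print("weak accounts found by one pass:", audit_legacy_records(LEGACY_RECORDS, COMMON_WORDS))
    record = hardened_hash("S3cure!Pass-2016")
    print("hardened record:", record)
    print("verify correct:", verify_hardened("S3cure!Pass-2016", record))
    print("verify wrong:  ", verify_hardened("S3cure!Pass-2017", record))
```

The audit returns only the accounts whose password appears in the supplied wordlist; the per-account salt in the hardened record is what prevents the same one-table shortcut, and the constant-time comparison avoids leaking how many bytes of a guess matched.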
Hackers downloaded the database and then began sophisticated, US Mail based blackmail campaigns citing family, friends and work address and emails. They attacked with impunity and suicides were reported after demands for upward of $4,000 were received to keep quiet. Remote, online blackmail leaves its victim with no assurances, especially here where many blackmailers could re-use the same data. This breach brought out the worst in everyone.
One last breach covered by Dean Garon was the VTech Holdings loss of five million adults and six million children (according to the HK based company). Names, chat logs, emails, passwords, mailing addresses, download histories and 2.3 million headshots were stolen with an SQL injection attack which enabled them to dump the database. Techcrunch reported that there was no encryption, no SSL anywhere, hard to believe. The VTech Kid Connect service falls under the COPPA legislation and could result in the highest fines ever, up to $16,000 per child under age 13 who had private information compromised.
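The class of flaw behind the VTech database dump, shown as an added example that is not from the original post and has nothing to do with VTech's actual code. It builds a small SQLite table with constructed rows, then looks a record up two ways: by pasting the untrusted value into the SQL text (the vulnerable pattern, where a crafted value turns a single-row lookup into a whole-table read), and with a parameterized query, where the driver passes the value as data and the same input matches nothing.

```python
import sqlite3

# Constructed sample table; the e-mail addresses and hash strings are placeholders.
SAMPLE_ROWS = [
    ("parent1@example.com", "placeholder-hash-1"),
    ("parent2@example.com", "placeholder-hash-2"),
    ("parent3@example.com", "placeholder-hash-3"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database standing in for the service's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (email, pw_hash) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the caller-supplied string becomes part of the SQL statement,
    so quote characters in it change the query's logic."""
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the value travels as a bound parameter; the statement text is fixed."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    normal = "parent2@example.com"
    # A value that closes the quoted literal and appends an always-true condition.
    crafted = "nobody@example.com' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(db, normal))
    print("vulnerable, crafted input:", lookup_vulnerable(db, crafted))  # every row
    print("safe, crafted input      :", lookup_safe(db, crafted))        # no rows
```

The detection signal for this pattern in a code review is the query text being assembled with string formatting or concatenation; the fix is to keep the statement constant and bind every user-controlled value, which is also what lets a database-side audit log show the same statement shape for every request.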
VTech devices that are connected show us how the surface area is vastly expanded from an Internet of Things (IoT) attack. Our children’s credit history is clean and sought after by criminals trading such data. Devices used by children combined with online services (think earlier Sony Nintendo breach) can affect tens of millions in an instant. Dean Garon added another twist, what if Hello Barbie gets hacked? Mattel and ToyTalk have taken Barbie into the 21st century, reports Forbes Magazine. Talking Barbies record child input through a necklace microphone, upload the data to online servers, use AI to parse/process the data and then provide a contextual response to the child. It's creepy to think of companies storing a child’s musings; a hacker will release those audio files and bring new meaning to the loss of innocence.
The internet speeds things along, making it hard to keep up with law, regulations and enforcement. It's obvious that keeping up with developing malware is a challenge; we only need to look at the ITRC daily breach blog to see all of the affected companies that didn’t make the headlines. Perhaps they managed their breach better or there is only so much room to lament the losses, but chances are, one of your relationships close to home just had a breach.
We will continue to ask what seem obvious questions. Whose data is it? Are you a data contributor or a data steward? Does your company benefit from a stagnant data regulation process or new stringent rules for presence in a certain country? US based companies with data from a foreign country must navigate all of these issues at once and pay steep penalties if they falter along the way.
Thanks to the folks at the ABA Cyberlaw Committee, we are one step closer to the action and perhaps, some answers.