
Cybersecurity – Is Your Discovery/Disclosure Safe?

Marlon Hylton, Cassels Brock & Blackwell LLP, Toronto, Canada

Global Association of Risk Professionals

November 2015
The views expressed in the following material are the author’s and do not necessarily represent the views of the Global Association of Risk Professionals (GARP), its Membership or its Management.

What is Cybersecurity?

DEFINITIONS

The process of protecting information by preventing, detecting, and responding to attacks.


Source: National Institute of Standards and Technology. US Department of Homeland Security

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets.

Source: International Telecommunication Union

From a law practice standpoint, “Cybersecurity” is an umbrella term that encompasses multiple
areas of the law, including privacy, insurance, litigation, financial, regulatory, and labour &
employment.

2 | © 2012 Global Association of Risk Professionals. All rights reserved.


What is E-discovery/E-disclosure?

E-discovery/E-disclosure refers to the discovery/disclosure of electronically stored information in litigation or regulatory investigations.

• Electronically stored information includes emails, web pages, word processing files, audio and video files, images, computer databases, and virtually anything that is stored on a computing device – including but not limited to servers, desktops, laptops, cell phones, hard drives, flash drives, PDAs and MP3 players.

Is Your Discovery/Disclosure Safe?

Attorneys (especially those in litigation, property or mergers and acquisitions) process highly
sensitive information—and law firms are notorious for weak security.

Types of Cyber Attacks

• Advanced Persistent Threats (“APT”)
• Cybercriminals, Exploits and Malware
• Denial of Service Attacks (“DDoS”)
• Domain name hijacking
• Corporate impersonation and phishing
• Employee mobility and disgruntled employees
• Inadequate security and systems; third party vendors
• Lost or stolen laptops and mobile devices

Recent High Profile Cyber Attacks

U.S. Office of Personnel Management
• What was stolen: 4.2M records of government employees, 19.7M records from people who went through background checks and 5.6 million sets of fingerprints stolen
• Result: Director Katherine Archuleta resigned in July 2015

Target
• What was stolen: Loss of personal information from over 70M shoppers and the credit card information of 40M
  – Hackers sold the data for $53.7 million by selling the credit card information on the black market
• Result:
  – Costs to December 31, 2014 exceeded $162 million
  – CEO Gregg Steinhafel was fired

Home Depot
• What was stolen: 56M credit card and debit card data stolen
• Result:
  – Costs to date exceed $232 million
  – Cyber insurance policy only covered $100 million
Recent Cyber Attacks

• November 2014: Forced Sony Pictures to refrain from releasing The Interview in US theatres
• October 28, 2015: Exposed personal information of 15 million customers who applied for credit checks between Sept 2013 – Sept 2015
• September 2015: Personal information of 33-36 million users exposed
• September 2013: Credit and debit card information from 7 million customers
• February 2015: 80 million records of current and former customers and employees
• October 2014: Compromised 1.16 million credit cards
• February 2014: Account and contact information of 233 million customers stolen
• June 2014: Personal information of 4.5 million hospital patients stolen by Chinese hacking group
• August 2014: Security improvements to cost $250 million per year
• June 2015: Russian hackers opposed to Canada’s sanctions against Russia
Cyber Threats are on the rise

Source: Key Findings from the PwC Global State of Information Security Survey, published 2015, at pp. 24-25
Cost of Cyber Attacks by Industry

Source: Ponemon Institute 2014 Global Report on the Cost of Cyber Crime, published October 2014, at page 12.
The Global State of Information Security Survey 2016

Areas of Risk and Sources of Attack: Main Cyber Adversaries

Source: PricewaterhouseCoopers. Jason Green, Best Practices for Data Security and Data Breach Protocol, ed (2015).
The Accidental Insider

Source: PricewaterhouseCoopers. Jason Green, Best Practices for Data Security and Data Breach Protocol, ed (2015).

Data Breach Statistics

• Over 1B data records were compromised globally in 2014 (Gemalto, February 12, 2015)
• 348M identities exposed as a result of data breaches in 2014 (Symantec, April 2015)
• Hope for the best but prepare for the worst
• Having a plan in place and a team capable of implementing it can be of crucial importance

Effects on Business

• Loss of “Crown Jewels”, IP and trade secrets
• Compromise of customer information, credit cards and Personally Identifiable Information
• Legal and regulatory issues
• Brand tarnishment and reputational harm
• Loss of web presence and online business
• Loss of customer funds and reimbursement of charges

Best Practices – Before Discovery/Disclosure

Know where you stand
• Application whitelisting
• Assess risk profile
• Identify “Crown Jewels”

Plan for how you will protect discoverable data
• Exchange protocols; limitations of scope; protective orders; encryption; hashing.

Audit & Test Security
• Assess effectiveness of current security
• Consider whether to hire experts

Educate and Train Staff
• Cyber hygiene
• Develop and disseminate cyber policies
• Refresh training

Supply Chain Risk
• Ensure your vendors have necessary security protocols in place
• Consider including language that requires them to tell you about a breach
• Consider indemnification clauses

Cyber incident plan
• Plan should map out what to do in case of an attack
• Key considerations: public relations, legal, internal communication, etc.

Cyber Insurance
• Not a perfect solution
• Assess whether this is something that makes sense for business
• Make sure you have the right coverage

Best Practices – During / Post-Breach

Activate the Response Team
• Team should diligently record all steps taken
• Include external legal counsel for privilege reasons

Containment & Assessment
• Block unauthorized access to network
• Implement steps to recover and/or restore lost information/data
• Address weaknesses of the network

Preservation of Evidence
• Consider transferring information/data to sanitized systems
• Establish clear chain of custody of data

Notification
• Consider whether to notify individuals whose information has been compromised
• Notification requirements to regulators/privacy agency

Communication
• Consider retaining a public relations firm for external messaging
• Determine what information needs to be communicated to whom internally
Creating a culture of risk awareness™
Global Association of Risk Professionals

THANK YOU

Marlon Hylton
E-mail: mhylton@casselsbrock.com
Twitter: @marlonhylton

111 Town Square Place
Suite 1215
Jersey City, New Jersey 07310
USA
+ 1 201.719.7210

2nd Floor
Bengal Wing
9A Devonshire Square
London, EC2M 4YN
UK
+ 44 (0) 20 7397 9630

www.garp.org

About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make
better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies,
academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®)
exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for
professionals of all levels. www.garp.org.
