
CONTENTS

LIST OF FIGURES ...... 5
LIST OF TABLES ...... 5
ANNEXURES ...... 5
DEFINITIONS ...... 6
ABSTRACT ...... 16
1. Introduction ...... 17
2. Emerging cyber exposures ...... 19
2.1 Cyber-crime ...... 20
2.1.1 Business Disruption and Misuse ...... 20
2.1.2 Online scams ...... 23
2.1.3 Theft and Fraud ...... 27
2.2 ...... 32
2.3 Cyber obscenity ...... 38
2.4 Cyber activism ...... 39
2.4.1 ...... 39
2.4.2 Cyber terrorism ...... 44
2.4.3 Cyber warfare ...... 45
2.4.4 Information warfare ...... 49
2.5 Bring Your Own Devices ...... 50
2.6 ...... 52
3. Cost of cybercrime ...... 53
3.1 Perception of cybercrime exposures ...... 53
3.2 Economic cost of cybercrime ...... 56
3.3 Financial cost of cybercrime ...... 58
3.4 Cost of cybercrime involving confidential business information and market manipulation ...... 60
3.5 Opportunity cost and cybercrime ...... 60
3.6 Cybercrime recovery costs ...... 61
4. Data breaches statistics ...... 63
4.1 Types of breaches ...... 72
4.1.1 Point-of-Sale (POS) intrusions ...... 74
4.1.2 Web application attacks ...... 76
4.1.3 Insider and privilege misuse ...... 78
4.1.4 Physical theft / loss ...... 81
4.1.5 Miscellaneous errors ...... 83
4.1.6 Crimeware ...... 84
4.1.7 Card skimmers ...... 86
4.1.8 Cyber-espionage ...... 88
4.1.9 Denial of Service Attacks ...... 91
4.1.10 Everything else ...... 92
5. Data Protection Legislation ...... 94
5.1 European Union ...... 94
5.2 United States ...... 99
5.3 South Africa ...... 101
5.3.1 Electronic Communications and Transactions Act No. 25 of 2002 ...... 101
5.3.2 Protection of Personal Information Act (POPIA) ...... 105
6. Risk management ...... 109
6.1 Risk management and corporate governance policies ...... 120
6.1.1 King Code of Governance for South Africa 2009 (King III) ...... 122
6.1.2 Organisation for Economic Co-operation and Development (OECD) Privacy Principles ...... 131
6.1.3 Staff awareness and training ...... 141
6.1.4 Security configuration ...... 144
6.1.5 Network security ...... 147
6.1.6 Managing user privileges ...... 153
6.1.7 Incident Management ...... 156
6.1.8 Prevention ...... 161
6.1.9 Monitoring ...... 165
6.1.10 Removable Media Controls ...... 169
6.1.11 Home and Mobile Working ...... 171
7. Risk financing ...... 175
7.1 Insurance ...... 176
7.2 Cyber liability insurance ...... 178
7.2.1 Development of cyber liability product ...... 180
7.2.2 Cyber liability insurance alternatives ...... 183
7.2.3 Cyber liability coverage under non-cyber liability insurance products ...... 186
7.2.3.1 Commercial general liability (CGL) policies ...... 187
7.2.4 Cyber liability product offerings ...... 192
7.2.4.1 Coverage ...... 192
7.2.4.1.1 First-party insurance ...... 193
7.2.4.1.2 Third-party (liability) insurance ...... 195
7.2.5 Challenges experienced by cyber liability insurance providers ...... 197
7.2.5.1 Inherent nature of cybercrime risk ...... 197
7.2.5.2 Lack of standards, metrics and governance for cybercrime insurance ...... 200
7.2.5.3 Reasons for not purchasing cyber liability insurance ...... 201
7.2.6 Cyber insurance market ...... 203
7.2.6.1 Size of market ...... 204
7.2.6.2 Capacity available ...... 205
7.2.6.3 Capacity providers ...... 206
7.2.6.4 Cyber liability product offerings ...... 206
7.2.6.4.1 Exclusions ...... 207
7.2.6.4.2 Limits of indemnity ...... 212
7.2.6.4.3 Deductibles ...... 213
7.2.6.4.4 Pricing ...... 213
7.2.7 South African cyber liability insurance market ...... 214
8. Conclusion ...... 217
9. REFERENCES ...... 219


LIST OF FIGURES

Figure 1: Information security budget by company size (revenue)……………………………………… 55

Figure 2: Incidents are more costly to large organisations………………………………………………….. 57

Figure 3: Percentage of breaches per threat actor category over time……………………………….. 65

Figure 4: Percentage of breaches per threat actor motive over time…………………………..……… 65

Figure 5: Number of breaches per threat action category over time………………………………….. 67

Figure 6: Top 10 varieties of threat actions over time………………………………………………………… 68

Figure 7: Breach count by data variety over time……………………………………………………………….. 69

Figure 8: Percentage of breaches where time to compromise / time to discovery was days or less………………………………………………………………………………………… 70

Figure 9: Breach discovery methods over time…………………………………………………………………… 72

Figure 10: Frequency of incident classification patterns……………………………………………………….. 73

Figure 11: Departments / Functions that are most likely to have representation on the information security risk management team……………………………………………………….. 116

Figure 12: “Cyber Kill Chain” – Incident Contextualization for Incident Mitigation / Response 161

Figure 13: Cyber-risk management framework for information security………………………………. 175

LIST OF TABLES

Table 1: Code of Governance Principle pertaining to Information Technology………………… 125

ANNEXURES

A. Commercial General Liability Policy Form, ISO Properties, 2000.

B. Commercial General Liability Policy Form, ISO Properties, 2003.

C. Camargue eRisks policy wording, May 2014.


DEFINITIONS

Adware: Any software application that displays advertising banners while the program is running. Adware often includes code that tracks a user’s personal information and passes it on to third parties without the user’s authorisation or knowledge (Cyber Risk and Insurance Forum, n.d.).

Advanced Persistent Threat (APT): refers to a group, such as a foreign government, with both the capability and intent to persistently and effectively target a specific entity (Cyber Risk and Insurance Forum, n.d.).

Adversary: An individual, group, organisation, or government that conducts or has the intent to conduct detrimental activities (National Initiative for Cybersecurity Careers and Studies, n.d.).

Anti-virus Software: software designed to detect and potentially eliminate viruses before they have had the opportunity to wreak havoc within the system. This software can also repair or quarantine files that have already been infected through virus activity (Cyber Risk and Insurance Forum, n.d.).

Attack: an attempt to gain unauthorised access to system services, resources, or information, or an attempt to compromise system integrity (National Initiative for Cybersecurity Careers and Studies, n.d.).

Authentication: the process of verifying the identity or other attributes of an entity (user, process, or device) (National Initiative for Cybersecurity Careers and Studies, n.d.).

Backdoor: hidden software or hardware mechanism utilised to circumvent security controls (Cyber Risk and Insurance Forum, n.d.).

Backup: File copies that are saved as protection against loss, damage or unavailability of the primary data. Saving methods include high-capacity tape, separate disk sub-systems or on the Internet.


Banking Trojans: steal banking information from the victim’s machine. Some variants inject code into the browsers of infected machines to exfiltrate credentials for banking institutions or generate fraudulent transactions (Trustwave Holdings Incorporated, 2013).

Botnet: a collection of computers compromised by malicious code and controlled across a network (National Initiative for Cybersecurity Careers and Studies, n.d.).

Build Security: a set of principles, practices, and tools to design, develop, and evolve information systems and software that enhance resistance to vulnerabilities, flaws, and attacks (National Initiative for Cybersecurity Careers and Studies, n.d.).

Cyber security: the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorised use or modification, or exploitation (National Initiative for Cybersecurity Careers and Studies, n.d.).

Cyberspace: comprises all of the world’s computer networks. It thus includes both open and closed networks and everything that they connect and control, including the computers themselves, the transactional networks that send data regarding financial transactions, and those networks comprising control systems that enable machines to interact with each other (Krepinevich, 2012).

Cyber warfare: actions by nation-states and non-state actors employing cyber weapons to penetrate computers or networks for the purpose of inserting, corrupting, and/or falsifying data; disrupting or damaging a computer or network device; or inflicting damage and/or disruption to computer control systems (Krepinevich, 2012).

Data Breach: the unauthorised movement or disclosure of sensitive information to a party, usually outside of the organisation, that is not authorised to have, or see, the information (National Initiative for Cybersecurity Careers and Studies, n.d.).


Data Integrity: the property that data is complete, intact, and trusted and has not been modified or destroyed in an unauthorised or accidental manner (National Initiative for Cybersecurity Careers and Studies, n.d.).

Denial of Service (DOS): an attack where a user repeatedly requests data from a server in order to deplete the server’s resources, causing it to overwork until it grinds to a halt (Himes & Joseph, 2006).

Distributed Denial of Service (DDoS): different from a denial of service attack in that several users simultaneously utilise resources, rendering the attack more effective. Hackers activate a network of computers to send huge amounts of data to a website; the attack is referred to as “distributed” because the hackers utilise multiple computers to launch it (Himes & Joseph, 2006).

Distributed Denial of Service Bots: utilised for distributed denial of service attacks against online services. A botnet gets its strength, and value, from the number of infected machines that comprise the bot (Trustwave Holdings Incorporated, 2013).

Discussion board: (also known as discussion group, discussion forum, message board, and online forum) is a general term for any online “bulletin board” where you can leave and expect to see responses to messages that you have left (WhatIs.com, n.d.).

E-commerce: electronic commerce is the buying and selling of goods and services, or the transmitting of funds or data, over an electronic network, primarily the Internet (WhatIs.com, n.d.).

Encryption: a data security technique utilised to protect information from unauthorised inspection or alteration. Information is encoded so that it appears as a meaningless string of letters and symbols during delivery or transmission. Upon receipt of the transmission, the recipient decodes the information utilising an encryption key (Cyber Risk and Insurance Forum, n.d.).

Exfiltration: the unauthorised transfer of information from an information system (National Initiative for Cybersecurity Careers and Studies, n.d.).


Exploit: a technique to breach the security of a network or information system in violation of security policy (National Initiative for Cybersecurity Careers and Studies, n.d.).

Exposure: the condition of being unprotected, thereby allowing access to information or access to capabilities that an attacker can use to enter a system or network (National Initiative for Cybersecurity Careers and Studies, n.d.).

Firewall: a hardware or software link in a network that inspects all data packets received and sent by a computer, permitting only those that are authorised to reach the other side (Cyber Risk and Insurance Forum, n.d.).

Hacker: an individual who attempts to break into a computer without authorisation (Cyber Risk and Insurance Forum, n.d.).

Honeypot: a trap set to detect, deflect, or in some manner counteract attempts at unauthorised use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers (Cyber Risk and Insurance Forum, n.d.).

Incident: an event attributable to a human root cause. This distinction is particularly important when the event is the product of malicious intent to inflict harm. All incidents are events, but many events are not incidents. A system or application failure due to age or defect may be considered an emergency event, but a random flaw or failure is not considered to be an incident (Cyber Risk and Insurance Forum, n.d.).

Incident Response Team: the incident coordinator manages the response process and is responsible for assembling the incident response team. The coordinator will ensure that the team includes all of the individuals required to properly assess the incident, and make and implement decisions regarding the appropriate course of action (Cyber Risk and Insurance Forum, n.d.).


Information and Communications Technology: any information technology, equipment, or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information (National Initiative for Cybersecurity Careers and Studies, n.d.).

Information Technology: any equipment or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information (National Initiative for Cybersecurity Careers and Studies, n.d.).

Insider Threat: a person or group of persons within an organisation who pose a potential risk through violating security policies (National Initiative for Cybersecurity Careers and Studies, n.d.).

Integrity: the property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorised manner (National Initiative for Cybersecurity Careers and Studies, n.d.).

Intrusion: an unauthorised act of bypassing the security mechanisms of a network or information system (National Initiative for Cybersecurity Careers and Studies, n.d.).

Internet Protocol (IP) Address: a computer’s inter-network address, written as a series of four 8-bit numbers separated by periods (e.g. 123.45.678.990). Every website has an IP address, although finding a website is considerably easier when utilising its domain name instead (Cyber Risk and Insurance Forum, n.d.).

Internet Relay Chat: enables people using the Internet to converse with each other in real time by typing messages back and forth. When you and others connect to the server, you can join a channel (also known as a chat room) and talk with the other people who have joined that channel (TechTerms.com, n.d.).

Keylogger: also known as a memory dumper or a keystroke logger. Keyloggers are malware which can read the memory of a chosen process on a victim’s computer and parse sensitive information from it, because that data is often temporarily stored in memory in an unencrypted state. Malicious files known as keyloggers record what end-users type on their keyboard. Some less advanced card-reader devices also appear to the computer to be a keyboard, and a keylogger records the data inputted through those devices (Trustwave Holdings Incorporated, 2013).

Malicious Software: referred to as malware, are programs such as viruses and worms that attempt to exploit computer systems or networks leading to business disruption, leakage of sensitive data, or unauthorised access to system resources (Jain & Kalyanam, 2012).

Mitigation: the application of one or more measures to reduce likelihood of an unwanted occurrence and/or lessen its consequences (National Initiative for Cybersecurity Careers and Studies, n.d.).

Outsider Threat: a person or group of persons external to the organisation who are not authorised to access its assets and pose a potential risk to the organisation and its assets (National Initiative for Cybersecurity Careers and Studies, n.d.).

Network: two or more computer systems that are grouped together to share information, software and hardware (Cyber Risk and Insurance Forum, n.d.).

Operating Software (OS): programs that manage all of the basic functions and programs on a computer, such as allocating resources, providing access and security controls, maintaining file systems and managing communications between end users and hardware devices (Cyber Risk and Insurance Forum, n.d.).

Password: a secret sequence of characters that is utilised as a means of authentication to confirm one’s identity in a computer program or online (Cyber Risk and Insurance Forum, n.d.).

Password Stealers: ‘sniff’ passwords from well-known sites or common protocols used by the victim (Trustwave Holdings Incorporated, 2013).

Patch: a patch is a small security update released by a software manufacturer to fix bugs or vulnerabilities in existing programs (Cyber Risk and Insurance Forum, n.d.).


Penetration Test: also referred to as a pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorised means of accessing the organisation’s systems) and malicious insiders (who do have some level of authorised access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures. This analysis is conducted from the position of the potential attacker and can involve active exploitation of security vulnerabilities. Effective penetration tests provide an accurate assessment of the potential impacts on the organisation and outline a range of technical and procedural countermeasures to reduce risks (Cyber Risk and Insurance Forum, n.d.).

Phishing: soliciting private information from customers or members of a business, bank or other organisation in an attempt to fool them into divulging confidential personal and financial information. People are lured into sharing user names, passwords, account information or credit card numbers, usually from an official-looking message in an email or a pop-up advertisement that urges them to act immediately, usually by clicking on a link contained therein (Cyber Risk and Insurance Forum, n.d.).

Pharming: redirecting visitors from a real website to a bogus one. A user enters what is believed to be a valid website address and is unknowingly redirected to an illegitimate website (called a spoofed website) that steals the user’s personal information. On the spoofed website, criminals may mimic real transactions and harvest private information unknowingly shared by users. With this, the attacker can then access the real website and conduct transactions utilising the credentials of a valid user (Cyber Risk and Insurance Forum, n.d.).

Ransomware: takes full control of a victim’s computer and encrypts all files that reside on the machine, rendering it unusable and inaccessible without the encryption key (Trustwave Holdings Incorporated, 2013).

Resilience: the ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption (National Initiative for Cybersecurity Careers and Studies, n.d.).


Script: a file containing active content such as commands or instruction to be executed by the computer (Cyber Risk and Insurance Forum, n.d.).

Secure Baseline Builds: the implementation of a common standard security configuration that is utilised throughout the organisation for installing any operating system. The secure baseline establishes a set of rules or recommendations that outline the minimum acceptable security configuration for new installations (Huggins, 2003).

Security incident: synonym: incident (National Initiative for Cybersecurity Careers and Studies, n.d.).

Skimming: a high-tech method by which thieves capture personal or account information from credit cards, drivers licences or even passports utilising an electronic device called a “skimmer”. The card is swiped through the skimmer and the information contained in the magnetic strip on the card is then read into and stored on the device or an attached computer. Skimming is predominantly a tactic utilised to perpetuate credit card fraud (Cyber Risk and Insurance Forum, n.d.).

Social Engineering: a euphemism for non-technical or low-technology means, such as lies, impersonation, tricks, bribes, blackmail and threats, utilised to attack information systems (Cyber Risk and Insurance Forum, n.d.).

Social Networking Websites: websites specifically focused on the building and verifying of social networks. Such websites enable users to create online profiles and post pictures and share personal data such as their contact information, hobbies, activities and interests. The websites also facilitate connecting with other users with similar interests, activities and locations (Cyber Risk and Insurance Forum, n.d.).

Spam: unwanted, unsolicited email from someone who you do not know. It is often sent in an attempt to sell something, or to get the recipient to reveal personal information (Cyber Risk and Insurance Forum, n.d.).

Spambots: distribute spam messages to email addresses or on social networking websites (Trustwave Holdings Incorporated, 2013).


Spoofing: masquerading so that a trusted internet protocol address is utilised instead of the true internet protocol address. This is a technique utilised by hackers as a means to gain access to a computer system (Cyber Risk and Insurance Forum, n.d.).

Spyware: software that utilises your Internet connection to send personally identifiable information about you to a collecting device on the Internet. It is often packaged with software which is downloaded virtually, so that even if the downloaded program is later deleted, the spyware remains installed (Cyber Risk and Insurance Forum, n.d.).

Threat Actor / Agent: an individual, group, organisation, or government that conducts or has the intent to conduct detrimental activities (National Initiative for Cybersecurity Careers and Studies, n.d.).

Trojan Horse: a computer program that appears to be beneficial or innocuous, but also has a hidden and potentially malicious function that evades security mechanisms (Cyber Risk and Insurance Forum, n.d.).

Virus: a hidden, self-replicating section of computer software, usually containing malicious logic, that propagates by infecting (i.e. by inserting a copy of itself into and becoming a part of) another program. A virus cannot run by itself, it requires that its host program is run in order to activate the virus. Viruses are often circulated through email attachments (Cyber Risk and Insurance Forum, n.d.).

Vulnerability: a flaw that allows someone to operate a computer system with authorisation levels in excess of that which the system owner specifically granted (Cyber Risk and Insurance Forum, n.d.).

Whitelisting Software: a form of filtering that only allows connections to a pre-approved list of websites that are considered to be useful and appropriate (Cyber Risk and Insurance Forum, n.d.).

Worm: originally an acronym for “write once, read many times”, a type of electronic infection that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. Once this malicious code is on a computer, it scans the network for another machine with a specific security vulnerability. When it finds one, it exploits the weakness to copy itself onto the new machine, and the worm then begins to replicate itself from there as well (Cyber Risk and Insurance Forum, n.d.).

Zombie Computer: a remote access Trojan Horse installs hidden code that allows the computer to be remotely controlled. Digital thieves then utilise robot networks of thousands of zombie computers to carry out attacks on others, and cover their tracks (Cyber Risk and Insurance Forum, n.d.).


ABSTRACT

Information technology has developed significantly in the past two decades in particular, resulting in new cyber exposures, which not only impact significantly on organisations, but also open organisations up to cyber liability. It is thus vital for organisations to incorporate risk management strategies and techniques into the fabric of their corporate governance policies. In order to do so, organisations need to understand the exposures which they face, and ascertain the risk management policies which should be adopted, in alignment with their risk appetite. This dissertation examines the various cyber exposures which organisations face and the impact that these exposures have on said organisations. The dissertation also considers the legislation which is currently in place and in development (including corporate governance), and ultimately the risk management techniques (including risk transfer through the utilization of insurance) which could potentially be employed in an effort to minimize the organisation’s exposure to cyber risks.


1. Introduction

The gross national product of many countries has been significantly increased by information technology, as has the quality of life of millions of people around the world. Its major contributions have been improved efficiency and the replacement of a myriad of human tasks with computerized and automated functions. The capability and increased functionality of information systems have provided organisations with a competitive advantage, but have also increased vulnerabilities and thus risk (Chittester & Haimes, 2004).

Cyberspace is defined as an interactive domain made up of digital networks that are used to store, modify and communicate information. It includes the internet, but also other information systems that support organisations, infrastructure and services, such as applications, e-mail systems and local networks. The term also extends to the virtual environment of information and interactions between people (United Kingdom Department for Business Innovation and Skills, 2012). Ganatra, Kosta, Patel and Patel (2008) expand this definition to specifically note that this is where electronic commerce, also called e-commerce, takes place.

Electronic commerce is increasing around the globe. E-commerce mostly consists of electronic business transactions related to the purchase and delivery of goods and services. E-commerce is now being used in all types of business, and has made business processes more reliable and efficient (Ganatra, Kosta, Patel & Patel, 2008).

Information, and the information and communications technologies that store and process it, are critical to the success of any organisation. Intellectual property and confidential or sensitive information all provide competitive advantage, whether in the form of a product design, a manufacturing process or even a negotiating strategy. Simultaneously, the need to access and share information more widely, utilising a broad range of connecting technologies, increases the risk to which the corporate information base is exposed (United Kingdom Department for Business Innovation and Skills, 2012).


The common taxonomy which defines the characteristics of the organisation’s data is confidentiality, integrity and availability. Confidentiality is the property of the data which defines the fact that the information is not compromised through being accessed by unauthorised users. Integrity is the property of the data which defines the fact that information is not altered by unauthorised users, in a way that is detected, or undetectable, by authorised users. Lastly, availability ensures that principals of the organisation have appropriate access to resources (Rusu & Stroie, 2011). Organisations fail to realize that cyber exposures not only potentially affect their profitability but also relationships with customers, vendors, and partners (Grove, 2003). Given the importance of information technology, it is vital that organisations develop appropriate risk management strategies and processes, to ensure the integrity and security of the information within their organisation.

The purpose of this dissertation is to identify emerging cyber exposures facing organisations, the resultant impact of the exposures and the liability stemming therefrom, as well as the consequences to organisations. Secondly, this dissertation will consider the corporate governance and data legislative requirements impacting on organisations’ responsibilities, contemplating international legislation (European Union and United States) followed by South African specific legislation. Thirdly, and most importantly, the appropriate risk management strategies and techniques are discussed in detail, paying particular attention to cyber liability insurance. The latter is examined in depth, not only in terms of the availability and development of the product, but also the coverage provided thereby.

The current lack of data protection legislation in South Africa is discussed in Section 5.3 below. In the absence of legislation, South Africa has to date been largely remiss in its ability to protect personal information. It is due to this situation that information sources utilized in this dissertation predominantly originate from the United States of America and Europe, where data legislation has been firmly established (discussed in Section 5.1 and 5.2 below).


2. Emerging cyber exposures

Electronic risk, also referred to as cyber exposures, is the potential for financial and technology problems resulting from engaging in e-commerce. Developments in economic, industrial, and regulatory conditions create new challenges for organisations participating in the electronic commerce arena (Ganatra, Kosta, Patel & Patel, 2008). Dunlevy, Shimeall and Williams (2001) note that advanced post-industrial societies and economies are critically dependent on linked computer information and communications systems. Sophistication has itself become a form of vulnerability for enemies to exploit.

Whilst the business of being connected to the Internet is analogous to many traditional types of business risk, some characteristics of cyber exposure are unique, in terms of location, degree and visibility. For example, a perpetrator of information theft or property damage may be [physically] thousands of kilometres away from the location of the organisation when committing the crime via the Internet. Similarly, the damage caused by a virus goes well beyond the effects on the data and software of the targeted organisation, causing the initially targeted organisation to incur a liability (Gordon, Loeb & Sohail, 2003). There is a vast array of potential consequential losses which may harshly impact on the organisation, particularly where the virus results in a data breach. The organisation may suffer reputational damage, as well as be subject to additional financial obligations such as additional costs of working (to reinstate records), fines and penalties imposed by regulatory authorities and potentially even the loss of market share.

This section discusses the various types of cyber exposures which may potentially impact an organisation. Data breach statistics are contemplated in Section 4, where specific modes of cyber exposure are assessed in relation to the data breach. An organisation can be severely impacted by cyber exposures, not only from an operating or financial point of view, but in terms of legislation too (Section 5). The discussion which ensues considers various types of cyber-crime, which predominantly include cyber exposures that cause business disruption, constitute online scams, or result in theft and fraud. Trends exposing the organisation, such as social media and Bring-Your-Own-Devices, are also analyzed.


This dissertation would be lacking if one did not contemplate the individuals who are predominantly responsible for these cyber exposures, and thus, hackers and their motivations are also considered in this chapter.

2.1 Cyber-crime

Cyber-crime refers to any illegal activities utilising, or against, computer systems or networks and the internet, including criminal acts such as hacking, phishing, and denial of service attacks (Ganatra, Kosta, Patel & Patel, 2008). Although the term cyber-crime is commonly utilised today, there is no standard or universal definition, and it can be broadly classified into three categories, i.e. business disruption and misuse, online scams, and theft and fraud (Jain & Kalyanam, 2012):

2.1.1 Business Disruption and Misuse

The first category of cyber-crime which warrants discussion is that of the various cyber exposures which result in business disruption and misuse. Denial of service attacks, malware, software and information piracy, industrial espionage and cyber extortion all have the potential to cause significant business interruption, as well as to impact the organisation negatively beyond its operations.

Denial of Service (DoS) Attack

A Denial of Service (DoS) attack renders a computer resource unavailable to its intended users or prevents it from functioning efficiently (Jain & Kalyanam, 2012). The most common form occurs when an attacker floods the server hosting the target website with requests. A server can only process a defined number of requests at any given time; once that limit is exceeded, further requests go unanswered and the server slows down or crashes (Advisen, 2012).

A Distributed Denial of Service (DDoS) attack differs from a simple denial of service attack in that many machines simultaneously consume the target’s resources, rendering the attack more effective (Himes & Joseph, 2006). Hackers activate a network of compromised computers (known as a botnet) to send huge amounts of traffic to a website. The attack is referred to as “distributed” because the attacker uses multiple computers to launch it (Advisen, 2012); since the traffic arrives from many sources, it cannot be stopped by blocking or throttling any single address.
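As an added illustration, which is not drawn from any of the sources cited above, the following Python simulation models a server of fixed per-tick capacity under a request flood, with a per-source rate limit as one mitigation. It shows the distinction just made: a flood from a single source is throttled easily, whereas a distributed flood from many bots, each staying under the limit, still exhausts the server’s capacity. The capacity, the limit and all of the traffic are assumed values constructed for the example.

```python
"""Added example (not code from the dissertation or its sources): a server
of fixed per-tick capacity under (a) no attack, (b) a single-source DoS and
(c) a DDoS from many bots, with and without a per-source rate limit.
All traffic below is constructed; CAPACITY and PER_SOURCE_LIMIT are assumed."""
from collections import Counter
import random

CAPACITY = 20          # requests the server can handle in one tick (assumed)
PER_SOURCE_LIMIT = 5   # requests one source may send per tick (assumed)


def tick_traffic(legit_clients, attack_sources, attack_rate):
    """One tick of requests: each legitimate client sends one request,
    each attacking source sends `attack_rate` requests. Order is shuffled
    with a fixed seed so the run is reproducible."""
    reqs = [f"client-{i}" for i in range(legit_clients)]
    for b in range(attack_sources):
        reqs += [f"bot-{b}"] * attack_rate
    random.Random(0).shuffle(reqs)
    return reqs


def serve(requests, capacity=CAPACITY, per_source_limit=None):
    """Process one tick. Requests beyond `capacity` are dropped (the server
    'slows down or crashes'). With a per-source limit, a request from a
    source that has already used its allowance is refused before it can
    consume capacity. Returns a Counter of served requests per source."""
    seen, served, used = Counter(), Counter(), 0
    for src in requests:
        seen[src] += 1
        if per_source_limit is not None and seen[src] > per_source_limit:
            continue            # throttled at the edge, costs no capacity
        if used >= capacity:
            continue            # capacity exhausted: dropped
        used += 1
        served[src] += 1
    return served


def legit_service_rate(served, legit_clients):
    """Fraction of legitimate clients whose request was served this tick."""
    ok = sum(1 for i in range(legit_clients) if served[f"client-{i}"])
    return ok / legit_clients


def scenario(legit_clients, attack_sources, attack_rate, per_source_limit=None):
    """Run one tick of the given traffic mix and return the legitimate service rate."""
    reqs = tick_traffic(legit_clients, attack_sources, attack_rate)
    return legit_service_rate(serve(reqs, per_source_limit=per_source_limit),
                              legit_clients)


if __name__ == "__main__":
    print("no attack:                 ", scenario(10, 0, 0))
    print("DoS, 1 source x 200:       ", scenario(10, 1, 200))
    print("DoS with per-source limit: ", scenario(10, 1, 200, PER_SOURCE_LIMIT))
    print("DDoS, 100 bots x 4:        ", scenario(10, 100, 4))
    print("DDoS with per-source limit:", scenario(10, 100, 4, PER_SOURCE_LIMIT))
```

The per-source limit restores full service against the single-source flood, but leaves the distributed flood untouched because no individual bot ever exceeds its allowance; that is why DDoS mitigation in practice has to work on aggregate capacity (upstream scrubbing, anycast, over-provisioning) rather than per-address throttling alone.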

Malicious Software (referred to as Malware)

Malware is software, such as viruses and worms, that seeks to exploit computer systems or networks, leading to business disruption, leakage of sensitive data, or unauthorised access to system resources (Jain & Kalyanam, 2012). Malicious software is a powerful tool for cyber-criminals engaged in e-espionage, as it can invade a computer undetected and take control of it, targeting and extracting sensitive documents. Malware can even turn on the camera and audio-recording functions of an infected computer, enabling the criminals to monitor what is happening in the room (PricewaterhouseCoopers, 2011).

Viruses are the oldest form of information warfare and are thus the threat which the general population is best equipped to deal with; many organisations produce anti-virus software used to defend users against such attacks (Himes & Joseph, 2006). The damage a virus can cause is illustrated by the notorious Love Bug, which coursed through computer systems throughout the world in May 2000, erasing data in its path and causing billions of dollars in losses. Sent by e-mail to an estimated 45 million computers, the mail lured users with the subject line “ILOVEYOU” and an enticement to “kindly check the attached LOVELETTER coming from me”. When the attachment was opened, the embedded malicious code (strictly a mass-mailing worm, since it propagated by e-mailing itself to the victim’s address book) spread through computer systems by self-replicating, stealing passwords, crashing systems and deleting files containing valuable data. In less than one day, the Love Bug had caused more than USD15 billion in losses worldwide, most of it uninsured (Barker, Glad & Yost, 2001).

Industrial Espionage

Industrial espionage is the action of corporate rivals illegally accessing confidential information to erode competitive advantage, gain financial information, or misuse trade secrets (Jain & Kalyanam, 2012). The impact of a cyber-criminal obtaining access to critical intellectual property could be disastrous. A company in a sector such as defence, electronics or pharmaceuticals might find that its products have been reverse-engineered without its knowledge, and are now being counterfeited and sold at a fraction of the price. Furthermore, the damage from an incursion could extend beyond the potential loss of data, to encompass threats to data integrity, ultimately undermining the organisation (PricewaterhouseCoopers, 2011).

Although forms of espionage have been around for thousands of years, increased global competition, advances in information technology and the proliferation of tiny, embedded storage devices have added significantly to the dangers of espionage. As organisations open their internal networks and make more company information available to employees and vendors, the occurrence of corporate espionage will likely increase (Boulton & Knapp, 2006).

According to PricewaterhouseCoopers (2011), in the past espionage activity was typically directed towards obtaining political and military intelligence. This remains the case, but in today’s high-tech world, the intelligence requirements of a number of countries have extended to include new communications technologies, information technology, genetics, aviation, lasers, optics, electronics and many other fields.

A major driver behind this threat is the growing reliance on internet-enabled computer systems for storing, processing and communicating business-critical digital information across organisational boundaries, and the increase of telecommunications across the Internet. Corporations’ increasing reliance on global enterprise-wide systems can heighten the danger still further because centralised core systems effectively widen the range and sensitivity of the data that may be exposed (PricewaterhouseCoopers, 2011).

Cyber Extortion

One method utilised by cyber criminals to obtain information, whether for the purpose of industrial espionage or theft of financial data, is cyber extortion. Organisations are held to ransom through denial of service attacks, manipulation of website links, or the threat of leaking customer or financial data (Jain & Kalyanam, 2012).

2.1.2 Online scams

The second category of cyber-crime discussed herein is that of online scams, which manifest through the various mechanisms utilised by cyber criminals (Jain & Kalyanam, 2012). The online scams considered are: phishing; pharming; spoofing; purchase fraud; botnets; and spyware and adware. These online scams are defined and discussed below in order to enhance organisations’ understanding of these exposures, as well as to assist them in protecting themselves against these threats.

Phishing

Phishing occurs when a perpetrator sends fictitious e-mails to individuals containing links to fraudulent websites, causing the victim to disclose personal information to the perpetrator (Ganatra, Kosta, Patel & Patel, 2008). Often the electronic communication is disguised as coming from a trustworthy and official entity in order to acquire sensitive data (Jain & Kalyanam, 2012). The information which is deceptively obtained is later used for unauthorised purposes such as fraudulent purchases, acquiring fraudulent loans, or (Ganatra, Kosta, Patel & Patel, 2008).

Key steps in the cyber-crime of phishing are as follows (Ganatra, Kosta, Patel & Patel, 2008):

1. The phishing perpetrator creates a fraudulent email that appears to come from a legitimate source. The phishing emails are then sent to numerous potential victims.

2. The phishing email provides a link to the fraudulent website, which appears to be a genuine website.

3. The victim connects to the fraudulent website and provides the requested information, based on the assumption that it is the genuine website.

4. The phishing perpetrator accumulates data obtained through the fake website in order to illegally obtain funds, or alternatively, to sell the data to online clearinghouses.

A more targeted form of phishing is spear phishing, in which personalised bogus e-mails, appearing to come from a trusted source, are sent to a specific individual or organisation (Jain & Kalyanam, 2012).

Pharming

Pharming techniques redirect traffic intended for a legitimate website to a fraudulent one, typically by corrupting the name resolution the victim relies on (a poisoned DNS cache or a tampered hosts file) so that the legitimate address resolves to the attacker’s server (Jain & Kalyanam, 2012). The fraudulent website (also referred to as a spoofed site) mimics the legitimate website, permitting criminals to imitate real transactions and harvest private information unknowingly shared by the users. With this information at hand, the attacker can then access the genuine website and conduct transactions using the credentials of a valid user (Cyber Risk and Insurance Forum, n.d.). Unlike phishing, the victim of pharming may have typed the correct address and followed no link at all.

Spoofing

This technique fools people into entering their personal details into a counterfeit website (Jain & Kalyanam, 2012).

Purchase fraud

Purchase fraud is the selling of products, through online channels, which are never distributed to the purchaser (Jain & Kalyanam, 2012).

Botnet

A botnet infection occurs when a bot program transmits instructions to other computers for the purpose of controlling them, and then utilises them for various purposes such as spam distribution or phishing. The bot may infect a computer directly or piggy-back on a virus or Trojan horse program (Ganatra, Kosta, Patel & Patel, 2008).

The hacker who sends out the “bot” program is designated the “bot herder”. Thousands of computers can be infected and controlled in a botnet for nefarious activities. The owners of the computers in the botnet are typically unaware that their computer is part of it (Ganatra, Kosta, Patel & Patel, 2008).

Spyware and adware

Spyware and adware are growing threats, where monitoring programs could be legitimate computer applications which a user agrees to, or could be from third parties with illegal intentions (Boulton & Knapp, 2006).

Spam, unsolicited commercial e-mail sent in bulk, is a common delivery vehicle for spyware and adware rather than a form of them. Numerous variants exist, including requests for assistance, claims of lottery winnings and worms. Since the recipient did not request the message, many reply to complain, thereby disclosing personal data, including confirmation that their e-mail address is live, which is exactly what the sender hopes to achieve (Cilli, 2005). Spam is one of the most aggressive cyber battles that information technology departments wage, especially given the new levels of sophistication and cunning utilised. Cyber criminals are increasingly utilising spam as a method to deliver malware into the workplace with the intention of causing disruption, holding computers and servers to ransom, or stealing personal information (Kelleher, 2014).

The recipient suffers economic damage through spam through a loss of productivity (Cilli, 2005). Infected machines mean unproductive computers and users, limiting business activities and as a result, losing money. Further disruption is caused through mailboxes being clogged up, filling up storage and consuming information technology administration time that could be put to work on more valuable tasks (Kelleher, 2014).

Various techniques have been proposed to mitigate spam, including filtering software that applies a blacklist (a list of sites from which spam messages emanate, with messages from those sites automatically deleted) and content filtering (analysis of the content of messages to determine whether a message should be discarded) (Cilli, 2005). Unfortunately the weakest link is not the technology but rather those who use e-mail. Many people take spam for granted, put their trust in spam filters on their machines or at server level, and disregard information technology department cautions against opening attachments or clicking on links contained in e-mails from unknown senders (Kelleher, 2014).
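As an added illustration, which is not code from any of the cited sources, the following Python screening pass implements the two spam mitigations just described (a sender-domain blacklist and content filtering) alongside a check aimed at step 2 of the phishing sequence listed earlier in this section: an e-mail link whose visible text names one host while its target points to another. The blacklisted domains, suspicious phrases, scoring weights and sample messages are all assumptions constructed for the example.

```python
"""Added example (not from the dissertation or its sources): screening
constructed e-mails with a sender-domain blacklist, keyword content filtering
and a deceptive-link check (anchor text names one host, href points to
another). Domains, phrases, weights and messages are all assumed/constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

BLACKLISTED_DOMAINS = {"spam-relay.example", "lotto-winners.example"}  # assumed list
SUSPICIOUS_PHRASES = ("lottery", "verify your account", "urgent", "act now")
QUARANTINE_THRESHOLD = 2                     # assumed score at which mail is held
HOSTLIKE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}(/.*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Host component of a URL, or of bare text such as 'www.bank.example'."""
    url = value if "://" in value else "http://" + value
    return (urlparse(url).hostname or "").lower()


def deceptive_links(html_body):
    """Anchors whose visible text looks like a host/URL but differs from the href's host."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(text, href) for href, text in collector.links
            if HOSTLIKE.match(text) and host_of(text) != host_of(href)]


def body_text(msg):
    """Decoded text of every leaf part of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def screen(raw_message):
    """Return (verdict, reasons) for one message: 'reject', 'quarantine' or 'deliver'."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain in BLACKLISTED_DOMAINS:         # blacklist: dropped outright
        return "reject", [f"sender domain {sender_domain} is blacklisted"]
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    score, reasons = 0, []
    for phrase in SUSPICIOUS_PHRASES:                # content filtering
        if phrase in text.lower():
            score += 1
            reasons.append(f"content: '{phrase}'")
    for shown, href in deceptive_links(text):        # phishing link weighs more
        score += 2
        reasons.append(f"link text '{shown}' actually points to {host_of(href)}")
    return ("quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"), reasons


# Constructed sample messages (not real mail)
PHISH = """From: Security Team <alerts@bank-secure.example>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please visit <a href="http://bank-secure-login.example/verify">www.bank.example</a>
to verify your account within 24 hours.</p>
"""

BLACKLISTED = """From: promo@lotto-winners.example
Subject: You have won

Claim your lottery prize today.
"""

LEGIT = """From: helpdesk@corp.example
Subject: Patch window on Saturday
Content-Type: text/html

<p>Details are on <a href="https://intranet.corp.example/patching">the intranet page</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BLACKLISTED", BLACKLISTED), ("LEGIT", LEGIT)):
        print(name, screen(raw))
```

The three checks fail in different ways, which is why they are layered: the blacklist only catches senders already known, the keyword filter is trivially evaded by rewording, and the link check says nothing about a plain-text message; none of them substitutes for the user caution the text goes on to describe.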

Spyware is software which gathers information about people or organisations without their knowledge. There are in excess of 250 spyware applications currently in existence on the Internet. Prevention is not simple and relies almost wholly on the victim’s awareness of the problem and the adoption of adequate policies and procedures to prevent infection. From a technological perspective, identifying the presence of spyware is difficult as the evidence is not obvious. Antivirus programs are often unable to signal its presence, whilst antispyware programs are often ineffective, particularly when used in isolation. Automatic removal programs are also inefficient, as it is often necessary to act manually on critical system files (Cilli, 2005).

The various online scams detailed above are utilised to various ends, one of which is potentially to utilise the stolen information or credentials to commit theft or fraud. Hereunder the potential impact of such theft on the organisation is considered, as well as the means utilised to perpetrate these cyber-crimes.

2.1.3 Theft and Fraud

The third and final category of cyber-crime, theft and fraud, underpins the motivations of most cyber criminals and traverses several arenas of cyber exposure facing organisations. The core tactics of hacktivists have shifted from relatively benign attacks designed to make a statement to those with more sinister intentions and consequences. Hacktivists frequently look to damage and embarrass their targets by stealing sensitive and highly valuable corporate and personal information. Stolen trade secrets, confidential documents and personally identifiable information (PII) cause significantly more damage and create substantially more publicity for their intended cause (Advisen, 2012). Examples of theft and fraud are: identity theft, e-fraud, online credit card fraud, theft from business, intellectual property theft, consumer data theft and fiscal fraud.

Unlike a denial of service attack or website defacement, the consequences of a data breach are far greater and can have far reaching implications. Not only can a breach place an organisation in violation of data security and privacy regulations and standards, it can also have significant financial consequences. The costs to identify and repair the breach, compliance with regulatory breach notifications laws, and potentially having to provide credit monitoring services and other loss mitigation services, can prove to be a huge financial burden. However, of greatest concern, is the impact which a data breach can have on an organisation’s reputation (Advisen, 2012).

Hackers have several methods at their disposal to steal funds from individuals and unsuspecting organisations. Transferring funds electronically through credit card skimming, ATM card and password scams are just some of the more common methods. However, stealing valuable data, stealing valuable services or capacity (such as for communications or data storage), stealing intellectual property (piracy), extortion, diversion to premium telephone services, fraud and marketing schemes (client lists, email lists, free, linked and subscription site payments) are just some of the other methods exploited to this end (Australian High Tech Crime Centre, 2005).

The volume of personal data being collected, used and stored is vast and continues to grow. Modern communications networks support global accessibility and continuous, multipoint data flows. The potential uses of personal data have increased tremendously as a result of the wide range of analytics that can provide comprehensive insights into individuals’ movements, interests and activities (Organisation for Economic Co-operation and Development, 2013).

However, at the same time, the abundance and persistence of personal data have elevated the risks to individuals’ privacy. Personal data is increasingly used in ways not anticipated at the time of collection. Almost every human activity leaves behind some form of digital data trail, rendering it increasingly easy to monitor individuals’ behaviour. Personal data security breaches are therefore common (Organisation for Economic Co-operation and Development, 2013).

Identity theft refers to obtaining personal data from individuals which can be misused in fraudulent activity (Jain & Kalyanam, 2012) and has even been called a new form of cyber terrorism against individuals (Boulton & Knapp, 2006). Stolen personal information is usually purchased by cyber-criminals from other cyber-criminals on the Internet (Holm, 2012). The stolen data may itself be sold on to others so that they can commit fraud. There is evidence of databases, paradoxically sold on the Internet, containing all of the information necessary to impersonate those whose data were stolen. It is a large market which continues to grow (Cilli, 2005).

There are two variations to identity theft committed by an identity criminal. The first is through the assumption of parts of another’s identity to perpetrate the crime. This involves the criminal using parts of the victim’s identity to obtain goods or services, for instance. The second is through the assumption of the identity wholly which involves the criminal basically becoming the victim – this involves establishing lines of credit whilst impersonating the victim. However, not all identity crime leads directly to a financial gain but may actually be utilised towards other ends such as avoiding criminal sanctions (Holm, 2012).

The crime of identity theft is a dangerous threat which people should recognise, even if they do not utilise a computer to conduct electronic commerce or financial operations when they interact with public and private administrations in the course of their daily lives. If a person succeeds in assuming all of the characteristics that identify a victim in the archives of various administrations (registry office, banks, public offices, etc.) that person can commit criminal actions without fear of being discovered (Cilli, 2005). Identity theft affects individuals and organisations alike; however, the majority of cases result from cyber-thieves using an individual’s personal information to open new accounts (Boulton & Knapp, 2006).

When it comes to crimes involving identity, information is considered to be of great value. The information that is valuable to the identity criminal is that which can be converted into gain, typically by way of fraudulent activity. Certain information provides opportunities for identity criminals either to obtain credit under false pretences or to impersonate another for like purposes. Valuable personal information includes identification numbers, driver’s licence details and passport details, amongst others. The theft of identity particulars can potentially be a catalyst for a number of subsequent crimes such as fraud, money laundering, organised crime and even acts of terrorism (Holm, 2012). Such information may be procured through computer crimes such as spam, online scams and phishing; in some instances, it can simply be acquired through the interpersonal exchanges which take place on the Internet, such as social networking (Holm, 2012).

Cilli (2005) discusses various methods through which identity theft can be perpetrated, such as stealing a pocket book or purse containing identification documents, credit cards, personal information, passwords and PINs; passwords and PINs should never be carried together with the cards. Theft of correspondence, or an error by a postal worker who puts mail in the wrong mailbox, is another way in which personal information can be obtained. The interception or reading of e-mail presents a great exposure in terms of identity theft. The protocol used for e-mail, SMTP, is intrinsically insecure: on its own it offers no assurance of the authenticity of the sender and does not prevent messages in transit from being read by unauthorised parties (extensions such as STARTTLS for transport encryption and SPF, DKIM and DMARC for sender authentication address this, but are optional and unevenly deployed). Personal data supplied when registering on websites could also be intercepted or stolen. Lastly, information could be obtained from the workplace, through theft of financial and personal information, by hacking files or by taking paper documents or notes left unattended.

Further to Cilli’s (2005) discussion above, consideration is now given to the methods utilised by cyber-criminals to perpetrate theft and fraud. E-fraud is the use of online techniques such as spoofing, phishing and online credit card fraud to commit fraud (Ganatra, Kosta, Patel & Patel, 2008).

Online credit card fraud is the illegal online acquisition of a credit card number, and the utilisation of same for unauthorised purposes, such as fraudulent purchases (Ganatra, Kosta, Patel & Patel, 2008).

The impact of theft and fraud is hard felt by organisations, whether it be the theft of revenue directly from businesses utilising online channels (Jain & Kalyanam, 2012), or perpetrators hacking into a banking system and diverting funds to accounts accessible to the criminal (Ganatra, Kosta, Patel & Patel, 2008).

Although not theft of financial resources, intellectual property theft potentially presents an even larger exposure to organisations. Intellectual property theft is defined as the misappropriation and sale of ideas, designs, specifications, trade secrets or process methodologies, which may erode competitive advantage in terms of operations and technology (Jain & Kalyanam, 2012). Trade secrets and intellectual property are typically the foundation upon which many companies are built, as this information gives each company its competitive advantage; to have such information compromised in any way could present a significant and immeasurable financial cost to the company (Arthur & Venter, 2004).

Yet another exposure facing organisations, and which also does not stem from the theft of resources, is the theft of personal customer information. The theft of sensitive customer information is usually carried out with the intent of misusing the data for financial gain (Jain & Kalyanam, 2012). Termed netspionage, the perpetrator’s sole purpose of obtaining the personal information may be for the purpose of selling it to other third parties (Ganatra, Kosta, Patel & Patel, 2008). In fact, information brokers have been in existence for decades. However, a new breed of information broker has emerged in recent years, and that is one which sells personal information to anyone requesting it (Kumar & Singh, 2011).

One of the last types of fraud which is considered herein is that of fiscal fraud which is fraud against the government and includes theft such as fraudulent claims for social benefits and evading taxes. Fiscal fraud is often perpetrated through attacking government online channels (Jain & Kalyanam, 2012).

2.2 Hackers

The term hacker was originally defined as:

1. A person who enjoys learning the details of computer systems and how to stretch their capabilities, as opposed to most users of computers, who prefer to learn only the minimum amount necessary;

2. One who programs enthusiastically or who enjoys programming rather than just theorising about programming (Turgeman-Goldschmidt, 2008).

Roush (1995) supports the above definition, stating that the term simply connoted a computer genius. Indeed, hackers were considered quirky programmers, capable of brilliant, unorthodox feats of machine manipulation (Nissebaum, 2003).

Originally, hacking was not a criminal or negative act. In fact, the roots of hacking can be traced back to the Massachusetts Institute of Technology (MIT) in the late 1950s, when core members of the Tech Model Railroad Club realised that computers could be utilised as a tool for enhancing their model railroads. These early hackers turned their considerable creative energies to the task of building and programming MIT’s early mainframes, in uneasy but relatively peaceful co-existence with the formal employees of the university’s technical and academic staff (Nissebaum, 2003), despite the hackers’ perceived unorthodox methods. By the 1970s, hackers were profiled as highly motivated, intelligent people with technical knowledge who often worked in university or business computer centres (Boulton & Knapp, 2006).

As formidable programmers, the hackers (who were mostly young men) produced and debugged code at astonishing rates. They assisted in developing hardware and software for existing functionalities, and invented, sometimes as playful challenges, many novel algorithms and applications that were incorporated into subsequent generations of computers. These novel functions not only extended the recreational capabilities of computing and information technology (gaming, virtual reality and digitised music) but also increased practical capabilities, such as control of robots and processing speed. Obsessive work coupled with inspired creativity also yielded a host of basic subroutines and utilities that improved operating capacities and efficiency, steered the field of computing into novel directions, and became a fundamental part of what is experienced every time one utilises a computer (Nissebaum, 2003).

Hackers construct themselves as positive deviants. They do so by portraying themselves as extraordinary people who are smarter than others, display unusual or superior behaviour, or see themselves as agents of social change. The manner in which hackers construct themselves as positive deviants is likely to be based partly on the historical change in the connotation of the hacker label but also on their backgrounds (Turgeman-Goldschmidt, 2008).

It was not only the single-minded attachment to their craft that defined these early hackers but rather their assertion of the ‘hacker ethic’ ideology, which included several elements: commitment to total and free access to computers and information, belief in the immense powers of computers to improve people’s lives and create art and beauty, mistrust of centralised authority, a disdain for obstacles erected against free access to computing, and an insistence that hackers be evaluated by no other criteria than technical virtuosity and accomplishment (i.e. by their hacking alone, and not ‘bogus’ criteria such as degrees, age, race or position). In other words, not only did the hacking culture incorporate technical ends, but political and moral values too (Nissebaum, 2003).

Hackers have a distinct image, an imagined identity that binds them, even if they have never met each other. They are bound through the computer underworld which forms a worldwide subculture. The symbolic identity of the computer underworld generates a rich and diverse culture consisting of justifications, high specialised skills, information- sharing networks, norms, status hierarchies, language and symbolic meanings. (Turgeman-Goldschmidt, 2008).

The first electronic message boards for hackers appeared around 1980. The boards allowed the rapid sharing of hacker tactics and software (Boulton & Knapp, 2006). With knowledge being shared freely between hackers, it was inevitable that hacking would evolve, and by the early 1990s it had noticeably done so. Technical barriers lowered as downloadable, graphic-interfaced tools became widely available, and technical competence was no longer required in order to assault an information system (Boulton & Knapp, 2006). Hacking had evolved into unauthorised access to computer networks, with the label hacker acquiring the negative connotation of computer criminal and electronic vandal, a national security threat and a threat to intellectual property. That being said, hackers have contributed significantly to the development of software, ranging from text editors to the Internet, and to the open source movement (Turgeman-Goldschmidt, 2008).

Cyber-criminals (hackers associated with cyber-crimes) make it their job to find vulnerabilities in the operating systems, applications or services that run on a computer connected to the Internet. Once a vulnerability has been discovered and exploited, the hacker is in a position to view (or copy to some form of storage media) sensitive information (Arthur & Venter, 2004). The motivations of hackers in a general sense can be summarised by the acronym MEECES, adapted from the motives for the commission of espionage offences: money, ego, entertainment, cause, entrance to social groups, and status (Australian High Tech Crime Centre, 2005).

The perplexity around the label “hacker” has to do with the unclear definition of the term, and the vague boundaries between computer experts and hackers, as well as those characteristics that differentiate between various types of hackers. As a result of the various different types and definitions of hackers they arrange themselves into different groups depending on their expertise, areas of interest and behaviour patterns. The best-known groups are hackers / crackers (usually referring to those who break into computer systems), phreaks (who utilise technology as a means), and pirates (those who distribute software illegally) (Turgeman-Goldschmidt, 2008). Another subgroup of hackers are script kiddies, who are inexperienced blackhats that attempt to break into systems utilising scripts which have been created by knowledgeable hackers (Manzano & Yasinac, 2002).

Having reviewed the evolution of the hacking fraternity above, examples of recent hacking activities are now considered, in order to place the role which hackers play today in context.

The origins of the hacktivist collective are seeded in an Internet message board known simply as /b/. A purposefully-designated off-topic discussion board, /b/ is composed of thousands of self-claimed /b/tards (i.e. members of the /b/ message board) posting discussion topics (Sembrat, 2011).

Although hacktivism has been a component of the activist arsenal since the early days of the Internet, the movement has recently been reinvigorated largely due to a loosely affiliated international group of individuals referred to as “Anonymous”, which originated in 2003. However, the resurgent hacktivist movement evident today was largely a result of WikiLeaks (initiated in 2006) and its highly publicised and extremely controversial posting of classified documents from the US government. In response to WikiLeaks’ actions, major businesses such as Amazon, PayPal, MasterCard, Visa and (amongst others) attempted to distance themselves from the organisation. Anonymous retaliated against this perceived censorship by launching “Operation Payback”, bombarding the websites of WikiLeaks’ opponents with distributed denial of service attacks. Operation Payback has since been referred to as the first war over digital information (Advisen, 2012).

The hacker collective Anonymous stepped into the international spotlight in 2008 through its campaign against the Church of Scientology, and again in early 2011 in response to the civil unrest in Egypt and Tunisia, where governments attempted to silence their citizens by taking down Internet connectivity. /b/ branded the Anonymous image during the 2008 harassment of Scientology group leaders and members. Anonymous banded together, solely through the discussion board, and conducted distributed denial of service (DDoS) attacks against Scientology websites, together with fax and e-mail spam, all in an effort to disrupt the church’s operations. Anonymous members donned Guy Fawkes-style masks to protest publicly at local Scientology offices, thereby attempting to legitimise the Anonymous movement and establishing the mask as a de facto logo. As an organisation, their scope and scale can only be matched by the freedom their Internet anonymity allows them (Sembrat, 2011). The group has no formal leadership, governance structure or even criteria for membership and, unsurprisingly, lacks a consistent message – it is often contradictory in its actions and divergent from what some regard as hacktivism’s true purpose (Advisen, 2012), as asserted in the ‘hacker ethic’ ideology incorporating political and moral values (Nissebaum, 2003).

After his arrest in 2011, self-described leader of Anonymous, Christopher Doyon (alias “Commander X”), was allowed out of jail on a USD35,000 bond after being arrested in connection with a 30-minute distributed denial of service attack. However, Doyon’s bail held several restrictions forbidding him from using , , and or from communicating with other Anonymous members. Unable to operate within the confines of this restraint, Doyon disappeared, releasing a press release in February 2012 titled “Commander X escapes into exile”. Doyon hopes to obtain political asylum. A bench warrant for his arrest has been issued (Anderson, 2012).

During his exile, Doyon continued to support Anonymous activities and to seek attention, even appearing masked at a Toronto screening of a documentary about Anonymous. A National Post reporter interviewed him, during which he boasted that Anonymous had access to every classified database in the United States government. Doyon went so far as to repurpose LocalLeaks, a site he had created two years earlier, as a platform for his efforts; the site was considered both influential and irresponsible. After Anonymous began an operation concerning the rape of a teenage girl in Steubenville, Ohio in January 2013, the site widely disseminated a video of a Steubenville High School graduate joking about the rape, which incited public outrage. However, the site also propagated false rumours about the case and failed to redact a court document, accidentally revealing the victim’s name. In May 2013 the Rustle League, a group of online trolls who often provoked Anonymous, hacked Doyon’s Twitter account and posted racist and anti-Semitic messages from it. On 27 August 2013, Doyon announced his retirement from Anonymous, stating that his life had been dedicated to fighting for justice and freedom and that he was extremely ill from the exhaustion and stress of fighting in the epic global cyber war (Kushner, 2014).


Another example of Anonymous’ hacktivism is the massive January 2008 online attack on the Church of Scientology’s websites, which forced the church to hire computer security experts to restore its online presence. According to the Anonymous website, the group was upset by the church’s attempts to suppress a leaked promotional video featuring actor and Scientologist Tom Cruise, who made enthusiastic claims about the religion. Ultimately, only one person, 19-year-old Dmitriy Guzner, admitted playing a role in the assault (Corbett, 2009). Guzner was the first person to be jailed for participating in an Anonymous distributed denial of service attack; he pleaded guilty and was sentenced to 366 days in US federal prison.1

Since then, Anonymous has grown substantially and uses website defacements, denial of service attacks and data theft to champion its vision of Internet freedom and human rights. Its targets have included Sony, Fox, PBS, HBGary Federal, Verizon, the United States Secret Service, the Federal Bureau of Investigation, the Vatican, the Dutch National High Tech Crime Unit and the Australian Federal Police, amongst others (Advisen, 2012).

A further example of hacktivism is the LulzSec group. After HBGary Federal (a security company) attempted to profile Anonymous members, Anonymous began an orchestrated attack on the firm in February 2011. Having retrieved company records and e-mails from HBGary, a small group of Anonymous leaders, most of whom had orchestrated the HBGary hack, splintered off to form a group named LulzSec. The name is derived from the Internet slang acronym ‘lol’ (stylised as ‘lulz’) and ‘security’ (Sembrat, 2011).

In a 50-day period ending in June 2011 (Neal, 2011), LulzSec attacked American state and local law enforcement agencies, security consultancies and American corporations. With a smaller team, the group was able to co-ordinate fast-paced, frequent attacks and to communicate more quickly on social networks such as Twitter. LulzSec succeeded in taking down public-facing sites of the Central Intelligence Agency (CIA) and Sony (Sembrat, 2011).

1 Anonymous is still in existence and interested parties can visit their website www.anonymoushackers.org, whether it be to obtain hacking hints, or to hire a hacker!


LulzSec’s most high-profile attack was the extensive breach of Sony Pictures’ computer systems, which led to the personal data of thousands of Sony customers being posted online. Sony lost details relating to 26.4 million customers in the attack, which cost the company around USD20 million. In June 2011, LulzSec took down the CIA.gov website, and the following month visitors to The Sun’s website were redirected to a spoof story about Rupert Murdoch committing suicide (Miller, 2014).

In 2013, four British members of the LulzSec hacking group were jailed for masterminding cyber-attacks on major global institutions over a three-month period in 2011. Targets included Sony Pictures, the CIA and a British newspaper, The Sun; the sensitive information stolen included personal data such as e-mails, online passwords and credit card details. The hackers, who admitted offences under the Computer Misuse Act 1990, were handed jail sentences ranging from 20 to 32 months, the most severe handed down by a British court for such offences (Miller, 2014).

The examples above indicate that no information is sacrosanct, nor is any organisation immune to attack by hackers. Without going into the modus operandi of each attack and assessing the security implemented in these organisations, it is difficult to pinpoint exactly what each organisation did wrong, or ineffectually, such that it could not pre-empt or block the attack. This dissertation later analyses risk management techniques which can be deployed in an attempt to keep an organisation safe from such an attack or, at the very least, to minimise the resulting impact.

2.3 Cyber obscenity

Cyber obscenity is one of the more common forms of cyber-crime. Pornographic material, such as child pornography, is typically hidden on storage media, since perpetrators are aware that possession of these images is illegal (Arthur & Venter, 2004).


2.4 Cyber activism

Cyber-attacks, network security and information pose complex problems that reach into new areas for national security and public policy (Lewis, 2002).

Activism refers to normal, non-disruptive use of the internet in support of an agenda or cause. Operations in this area include trawling the web for information, constructing websites and posting material on them, transmitting electronic publications and letters through e-mail, and using the internet to discuss issues, form coalitions and plan and coordinate activities (Denning, 2001).

There are seven categories of information warfare, all cast in military terminology: command and control warfare, intelligence-based warfare, electronic warfare, psychological warfare, hacker warfare, economic information warfare and cyber warfare (Boulton & Knapp, 2006).

2.4.1 Hacktivism

Hacktivism refers to the marriage of hacking and activism. It covers operations that use hacking techniques against a target Internet site with the intent of disrupting normal operations but not causing serious damage, such as web sit-ins, virtual blockades, automated e-mail bombs, web hacks, computer break-ins, and computer viruses and worms (Denning, 2001). A hacktivist is an individual who engages in hacker activities for one goal: protesting corporate or political policy (Sembrat, 2011). Wray (1998) adds that computerised activism exists at the intersection of politico-social movements and computer-mediated communication.

Over the past few years, this 21st-century method of protest has become more common and more complex. It is the technology world’s approach to political activism. Unlike conventional criminal hacking, hacktivist attacks against organisations are not for financial gain but are intended to cause embarrassment and reputational damage. In its milder forms, hacktivism can blur the line between illegal hacking and the right to protest, which is an essential element of freedom of speech. In its more extreme manifestations, however, hacktivists are differentiated only by motive from cyber thieves, who plunder digital information for personal gain (Advisen, 2012).


Thomas (2001) draws from the hacktivist group Cult of the Dead Cow a definition of hacktivism as a policy of hacking, phreaking or creating technology to achieve a political or social goal. ‘Hacktivist’ is a term coined in the mid-1990s by a member of the Cult of the Dead Cow named Omega (Advisen, 2012). A clearer definition is provided by Professor Dorothy Denning of Georgetown University: “the convergence of hacking with activism, where ‘hacking’ is used here to refer to operations that exploit computers in ways that are unusual and often illegal, typically with the help of special software (‘hacking tools’). Hacktivism includes electronic civil disobedience, which brings methods of civil disobedience to cyberspace” (Thomas, 2001: 1).

Hacktivists claim that the roots of hacktivism can be traced to the roots of civil disobedience itself, namely Henry David Thoreau’s classic work On Civil Disobedience. They claim to follow in the tradition of Gandhi and Martin Luther King, Jr. by attempting to bring about social change through non-violent means (Thomas, 2001).

Hereon follows a discussion of hacker tactics and methodologies, as well as a brief overview of some well-known hack attacks, to demonstrate the impact of hacktivism.

The goal of a virtual sit-in or blockade is to call attention to the protestors and their cause by disrupting normal operations and blocking access to facilities. Thousands of activists simultaneously visit a specific website and attempt to generate so much traffic against that site that others cannot reach it (Denning, 2001). Such acts have become more sophisticated: in September 1998 the Electronic Disturbance Theater (EDT) organised a series of sit-ins to show solidarity with the Mexican Zapatistas. To facilitate the strikes, the organisers set up special websites with automated software. All that participants had to do was visit one of the FloodNet sites; their browser would then download the software, which accessed the target site every few seconds. EDT estimated that 10,000 people globally participated, delivering 600,000 hits per minute to each target website (Denning, 2001). In December 1995, a group named Strano Network conducted such a demonstration in protest against French government nuclear and social policies. Thousands of participants launched a one-hour Net Strike against various government agency websites, rendering some of them unusable (Denning, 2001). The software used in web sit-ins is fundamentally different from that used in standard denial-of-service (DoS) and distributed DoS attacks: it does not compromise any systems or spoof source addresses, and usually does not shut down the target. Furthermore, in order to have any impact, tens of thousands of people must hit the target at once (Denning, 2001).

Besides web sit-ins, another method used by hackers is the e-mail bomb, whereby a recipient is bombarded with thousands of messages at once, sent with the aid of automated tools. This jams the recipient’s mailbox so that legitimate mail cannot be received. E-mail bombs are often used as a means of revenge or harassment, as well as to protest government policies (Denning, 2001). They were used by protestors on both sides during the Kosovo conflict of 1998 and 1999. According to NATO, its server was saturated by one individual who was sending 2,000 messages a day. When a Californian resident, Richard Clark, heard of Belgrade’s attacks on the NATO website, he retaliated by sending an e-mail bomb to the Yugoslav government site, which crashed after a total of 500,000 messages were directed at it (Denning, 2001).

Web hacks and computer break-ins are two further methods used by hackers. In June 1998, an international hacktivist group called Milw0rm hacked the website of India’s Bhabha Atomic Research Centre (BARC) and replaced it with a spoof page showing a mushroom cloud and the message ‘if a nuclear war does start, you will be the first to scream…’. Although protesting India’s nuclear weapons tests, Milw0rm admitted that another reason for the attack was merely thrill-seeking. Milw0rm also admitted to having downloaded a substantial amount of content, including e-mails and research documents, and to having erased data on two of BARC’s servers (Denning, 2001).

Hacktivists often uncover passwords or exploit web servers in order to deface a victim’s website and put their message in the public eye (Himes & Joseph, 2006). This is done either by replacing a web page or by altering its content (Advisen, 2012). A related form of tampering favoured by hacktivists redirects visitors: the target’s domain name is pointed at the address of some other website, so that visitors to the target site are sent to the alternative site. One consequence of such attacks is that victims may falsely attribute an assault to a foreign government rather than to the activist group that actually perpetrated it; this could strain foreign relations or lead to more serious conflict (Denning, 2001).
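A defender’s counterpart to these tactics is a periodic check of what the public actually sees. The following added example (written for this edition, not from the dissertation or any of its sources) records a baseline fingerprint of the home page and the addresses its name should resolve to, then flags a content change, a resolution to an unexpected address (the domain tampering described above) or an injected redirect that sends visitors off-site. The host name, addresses and HTML are constructed for illustration; in use, the observed HTML and addresses would come from an HTTP fetch and a DNS lookup made from outside the organisation’s own network, since a hijacked name may look normal from inside.

```python
"""Web defacement and redirect check against a recorded baseline (added example)."""
import hashlib
import re
from urllib.parse import urlparse

# Redirects an attacker can plant in a page without touching the server's HTTP layer.
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def fingerprint(html):
    """SHA-256 over the page with whitespace normalised, so reformatting alone does not alert."""
    return hashlib.sha256(" ".join(html.split()).encode("utf-8")).hexdigest()


def external_redirects(html, own_host):
    """Redirect targets in the page that point away from our own host name."""
    hits = []
    for target in META_REFRESH.findall(html) + JS_REDIRECT.findall(html):
        host = urlparse(target).hostname
        if host and host.lower() != own_host.lower():   # relative URLs have no host: ignored
            hits.append(target)
    return hits


def check_site(baseline, observed_html, observed_ips, own_host):
    """Compare what visitors currently get against the baseline; an empty list means no change."""
    findings = []
    if fingerprint(observed_html) != baseline["sha256"]:
        findings.append("content differs from baseline (possible defacement)")
    rogue = sorted(set(observed_ips) - set(baseline["a_records"]))
    if rogue:
        findings.append("name resolves to unexpected address(es): " + ", ".join(rogue))
    for target in external_redirects(observed_html, own_host):
        findings.append("page redirects visitors off-site to " + target)
    return findings


# Constructed sample pages and addresses (not a real site). The baseline is recorded
# while the site is known to be good.
OWN_HOST = "www.example.com"
GOOD_HTML = """<html><head><title>Example Corp</title></head>
<body><h1>Welcome</h1><p>Quarterly results are out.</p></body></html>"""
DEFACED_HTML = """<html><head><title>0wned</title>
<meta http-equiv="refresh" content="0; url=http://example.net/spoof"></head>
<body><h1>Your site is not secure</h1></body></html>"""
BASELINE = {"sha256": fingerprint(GOOD_HTML), "a_records": ["192.0.2.20", "192.0.2.21"]}

if __name__ == "__main__":
    print(check_site(BASELINE, GOOD_HTML, ["192.0.2.20"], OWN_HOST))        # []
    print(check_site(BASELINE, DEFACED_HTML, ["198.51.100.5"], OWN_HOST))   # three findings
```

The check deliberately treats a changed DNS answer as its own finding even when the content matches, because a redirected name can serve a faithful copy of the real page while harvesting credentials.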

Rarely seen in the past, diversion tactics are becoming increasingly common in hacktivist circles. A denial of service attack is used as a distraction while the attackers simultaneously target another part of the organisation’s network, or to draw attention away from a more comprehensive plot (Advisen, 2012).
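The sit-in, flood and diversion patterns described above leave different traces in a web server’s access log. The following added example (written for this edition, not taken from the dissertation or its sources) runs simple heuristics over constructed log lines: it labels a window as a FloodNet-style virtual sit-in (many real sources, each reloading one page at a steady interval), a volumetric flood (a few sources at a very high rate) or normal traffic, and during a flood reports any other source touching sensitive paths, which is the diversion pattern. The log format, thresholds and sensitive path list are assumptions for the example; a real deployment would tune them to its own traffic.

```python
"""Sit-in, flood and diversion heuristics over constructed access logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format for this example: <ISO-8601 time> <source IP> <method> <path> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Paths an intruder would go for while the operations team is busy with the flood (assumed).
SENSITIVE_PREFIXES = ("/admin", "/api/export")

# Constructed benign traffic: a few visitors, several pages, no pattern.
NORMAL_LOG = """\
2011-06-15T10:00:01 192.0.2.10 GET /index.html 200
2011-06-15T10:00:04 192.0.2.11 GET /about.html 200
2011-06-15T10:00:09 192.0.2.10 GET /news.html 200
2011-06-15T10:00:15 192.0.2.12 POST /contact 302
2011-06-15T10:00:31 192.0.2.13 GET /index.html 200
"""


def parse(lines):
    """Turn log lines into (time, src, method, path, status) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, method, path, status = m.groups()
            events.append((datetime.fromisoformat(ts), src, method, path, int(status)))
    return events


def _per_source(events):
    """Group hits by source and compute each source's request rate over the observed span."""
    by_src = defaultdict(list)
    for ts, src, _, path, _ in events:
        by_src[src].append((ts, path))
    times = [e[0] for e in events]
    span_s = max((max(times) - min(times)).total_seconds(), 1.0)
    return by_src, {s: len(v) / span_s for s, v in by_src.items()}


def heavy_sources(events, flood_rps=20.0):
    """Sources sustaining at least flood_rps requests per second across the window."""
    if not events:
        return set()
    _, rates = _per_source(events)
    return {s for s, r in rates.items() if r >= flood_rps}


def classify(events, flood_rps=20.0, sitin_min_sources=50):
    """Label a window of events as 'flood', 'virtual sit-in' or 'normal'."""
    if not events:
        return "normal"
    by_src, rates = _per_source(events)
    heavy = {s for s, r in rates.items() if r >= flood_rps}
    # Flood: a handful of high-rate sources carry most of the traffic; a per-source limit works.
    if heavy and sum(len(by_src[s]) for s in heavy) / len(events) > 0.5:
        return "flood"
    # Sit-in: many real clients each reloading the same page at a steady interval (FloodNet
    # style); no single source is abusive, so only the aggregate pattern gives it away.
    if len(by_src) >= sitin_min_sources:
        paths = {p for hits in by_src.values() for _, p in hits}
        gaps = []
        for hits in by_src.values():
            ts = sorted(t for t, _ in hits)
            gaps += [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(paths) == 1 and gaps and statistics.pstdev(gaps) < 1.0:
            return "virtual sit-in"
    return "normal"


def diversion_suspects(events, flood_rps=20.0):
    """While a flood is running, report (source, path) pairs that reach sensitive paths
    from sources that are not part of the flood: the distraction pattern."""
    if classify(events, flood_rps) != "flood":
        return set()
    heavy = heavy_sources(events, flood_rps)
    return {(src, path) for _, src, _, path, _ in events
            if src not in heavy and path.startswith(SENSITIVE_PREFIXES)}


def build_sitin_log(n_sources=60, period_s=5, duration_s=30):
    """Constructed sit-in: n_sources clients each reload /index.html every period_s seconds."""
    base = datetime(2011, 6, 15, 10, 0, 0)
    return [f"{(base + timedelta(seconds=k)).isoformat()} 203.0.113.{i + 1} GET /index.html 200"
            for i in range(n_sources) for k in range(0, duration_s, period_s)]


def build_flood_log():
    """Constructed flood: three sources at 25 req/s for 20 s, one background visitor,
    and a fourth address quietly reaching sensitive paths in the meantime."""
    base = datetime(2011, 6, 15, 10, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=40 * k)).isoformat()} 198.51.100.{i + 1} GET /index.html 503"
             for i in range(3) for k in range(500)]
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} 192.0.2.10 GET /news.html 200")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 198.51.100.7 GET /admin 200")
    lines.append(f"{(base + timedelta(seconds=12)).isoformat()} 198.51.100.7 GET /api/export 200")
    return lines


if __name__ == "__main__":
    print(classify(parse(NORMAL_LOG.splitlines())))      # normal
    print(classify(parse(build_sitin_log())))             # virtual sit-in
    flood = parse(build_flood_log())
    print(classify(flood), sorted(diversion_suspects(flood)))
```

The point of the two labels is that they call for different responses: a flood is handled upstream by rate limiting or scrubbing the few heavy sources, whereas a sit-in consists of legitimate-looking requests from real users and is usually absorbed with caching or capacity rather than blocked. The diversion check should run whenever the flood label fires, because that is precisely when administrative logins and bulk exports get the least scrutiny.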

The Chinese government has been accused of attacking a US website devoted to the Falun Gong meditation sect, which has been outlawed by the Chinese authorities. The sect’s Maryland site was under persistent electronic assault during July 1999: in addition to a continuous denial-of-service attack, attackers also attempted to access its server. The penetration attempt was traced to the Internet Monitoring Bureau of China’s Public Security Ministry. In April 2000 further attacks were levelled against at least five Falun Gong sites (three in the US and two in Canada). An anonymous tip-off advised that the police software security bureau had offered to pay a company to hack into these sites. If the attacks did indeed originate from the Chinese police, this would have major foreign relations implications, suggesting that the Chinese government views websites operating on foreign soil as legitimate targets of aggression when the activities supported by the site are prohibited at home (Denning, 2001).

Computer viruses and worms are used by hackers to spread protest messages and damage target computer systems. Both are forms of malicious code that infect computers and propagate over networks; the difference is that a worm is an autonomous piece of software capable of spreading on its own, whereas a virus attaches itself to other files or code segments and spreads that way, usually in response to user actions such as opening an e-mail attachment (Denning, 2001). One of the earliest documented protest worms was the attack on the US National Aeronautics and Space Administration’s SPAN network in 1989. Scientists at NASA’s Goddard Space Flight Center in Maryland, on logging onto their computers, were greeted by a banner from the WANK worm stating “WORMS AGAINST NUCLEAR KILLERS – Your System Has Been Officially WANKed. You talk of times of peace for all, and then prepare for war”. Anti-nuclear protestors were at the time attempting to halt the launch of the shuttle carrying the Galileo probe on the initial leg of its journey to Jupiter, because its booster system was fuelled with radioactive plutonium. NASA estimated the impact of the worm at up to half a million dollars of wasted time and resources, even though it did not have its desired effect of halting the launch. Although the source of the attack was never identified, evidence suggested that it may have emanated from Australia (Denning, 2001).

The Kosovo conflict also bears witness to the impact of computer viruses: businesses, public organisations and academic institutions received virus-laden e-mails from a variety of Eastern European countries. The virus was usually contained in an attachment to an e-mail presented as a message attacking NATO or as propaganda cartoons. A London-based Internet software company, mi2g, cautioned that the real threat of Serbian cyber warfare was to the economic infrastructure of NATO countries, rather than to their military command and control networks, which would be better equipped to deal with such a threat (Denning, 2001).


2.4.2 Cyber terrorism

As cited by Chittester and Haimes (2004), George W. Bush stated that cyberspace is the control system of a country, since critical infrastructures such as agriculture, food, water, public health, emergency services, government, defence systems, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping services all rely, in varying degrees, on technology and the Internet. Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers and fibre-optic cables that allow these critical infrastructures to work. The healthy functioning of cyberspace is thus essential to the economy and to national security. These computer networks also control physical objects that exist beyond cyberspace, such as electrical transformers, trains, pipeline pumps, chemical vats, radar and stock markets.

Whilst information technology has introduced vast efficiencies, this is at the cost of significant exposure of the information technology systems and physical infrastructures to risks of terrorism, due to the additional interconnectedness and interdependencies between, and among, structures (Chittester & Haimes, 2004).

Cyber terrorism refers to the convergence of cyberspace and terrorism; the term was coined by Barry Collin, a senior research fellow at the Institute for Security and Intelligence in California, in the 1980s. A working definition is put forward by Mark Pollitt, an FBI special agent: “cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against non-combatant targets by sub-national groups or clandestine agents” (Denning, 2001, p. 24). Cyber terrorism usually involves politically motivated hacking operations intended to cause grave harm, such as loss of life, severe economic damage, or sustained loss of power or water (Denning, 2001).


Lewis (2002:1) expands on this, stating that cyber terrorism is “the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population”. The premise is that, as nations and critical infrastructure become more dependent on computer networks for their operation, new vulnerabilities are created, opening the potential for a hostile nation or group to exploit them to penetrate a computer network and disrupt, or even shut down, critical functions.

Information technology has made the global positioning system (GPS) readily available for military as well as civilian use. The well-documented vulnerability of satellites to orbital nuclear attacks and other threats puts such information technology derivatives, along with the systems that depend on them, at risk. Information technology has also enhanced the ability of terrorists to access defence programmes, banking and financial institutions, and other critical infrastructures (Chittester & Haimes, 2004).

However, this is not the first time that a new technology has been seized upon in order to create a strategic vulnerability. A similar strategy was advanced by European strategists such as Douhet and Trenchard, who argued that aerial bombing attacks against critical infrastructure would disrupt and cripple an enemy’s capacity to wage war. The US Army Air Forces and the Royal Air Force applied these strategies in their World War II bombing campaigns aimed at destroying electrical power, transportation and manufacturing facilities (Lewis, 2002).

2.4.3 Cyber warfare

Given the increasing reliance on information systems in general and access to the Internet in particular, critical infrastructure is growing progressively more vulnerable to cyber-attack. In addition to the manifold societal benefits presented by technological developments, the cyber domain, like the physical domains of land, sea and air, has proven to be no stranger to crime and conflict. The cyber economy, which includes multiple financial systems, has spawned cyber-crime. Storage of sensitive information on networks has given birth to cyber espionage against governments and cyber economic warfare against organisations. And in periods of crisis and conflict, states have been subjected to various forms of cyber-attack at both the tactical and operational levels of war (Krepinevich, 2012).

Advanced, post-industrial societies and economies are critically dependent on linked computer information and communications systems. Sophistication has itself become a form of vulnerability for enemies to exploit, particularly due to the interconnectedness and interdependencies between, and among structures. Disruption of civilian infrastructures is an attractive option for countries and non-governmental activists that want to engage in asymmetric warfare and lack capacity to compete on the traditional battlefield (Dunlevy, Shimeall & Williams, 2001).

The cyber domain has been an area of competition for governmental and non-governmental entities for two decades; cyber weapons have been employed in minor conflicts, and political and military leaders have made startling claims regarding the capabilities of these new weapons. It is difficult to state with confidence just how effective cyber weapons will be, if and when they are employed against a society’s critical infrastructure (Krepinevich, 2012).

Cyber-attacks are often presented as a threat to military forces and the Internet has major implications for espionage and warfare. Whilst information operations and information superiority have become critical elements in executing successful military operations, nations do not place their military forces in a position where they would be vulnerable to an outside attack (Lewis, 2002).


There are several levels of cyber war, three of which are: cyber war as an adjunct to military operations; limited cyber war; and unrestricted war. In the midst of military hostilities, one of the key objectives is to achieve information superiority or information dominance in the battle space. Dunlevy, Shimeall and Williams (2001) elaborate that the aim is to increase the “fog of war” for the enemy through direct military strikes designed to degrade the enemy’s information-processing and communications systems, or by attacking the systems internally to achieve a denial in capability. Military cyber warfare focuses almost exclusively on military cyber targets.

Limited cyber warfare involves little or no real-world action accompanying the attack on the information infrastructure, which is at once the medium, the target and the weapon of attack (Dunlevy, Shimeall & Williams, 2001). The information infrastructure forms the vector by which the attack is delivered to the target, often through interconnections between the enemy and its allies, using links for sharing resources or data, through wide area networks, or alternatively through inside agents who might place malicious software directly on the enemy’s networks. Degrading network capacity inhibits or prevents operations that depend on the network, which could force the enemy to resort to backup means for operations, which may in turn expose additional vulnerabilities (Dunlevy, Shimeall & Williams, 2001). At a minimum, the defender can spend an inordinate amount of time troubleshooting and rectifying the problem (Krepinevich, 2012).

According to Dunlevy, Shimeall and Williams (2001), unrestricted warfare has three major characteristics: first, it is comprehensive in scope and target coverage, with no distinction between military and civilian targets or between the home front and the fighting front; second, there are physical consequences and casualties, some resulting from attacks deliberately intended to create mayhem and destruction, and some from the erosion of what might be termed civilian command and control capabilities in areas such as air-traffic control, emergency-service management, water-resource management and power generation; third, the economic and social impact, in addition to the loss of life, could be profound.


An unrestricted cyber campaign would be directed primarily against the target country’s critical national infrastructure: energy, transportation, finance, water, communications, emergency services and the information infrastructure itself. Such an attack would likely cross boundaries between government and private sectors, and would have both immediate impact and delayed consequences. Ultimately, an unrestricted cyber-attack would result not only in significant loss of life but also in economic and social degradation (Dunlevy, Shimeall & Williams, 2001). One of the earliest reported cyber-attacks on national infrastructure occurred during the Cold War, when US President Ronald Reagan approved a SCADA (supervisory control and data acquisition) attack on the Soviet pipeline system in Siberia in 1982. The pipeline software which ran the pumps, turbines and valves was programmed to go haywire after a decent interval, resetting pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds. One of the earliest examples of a “logic bomb”, this attack was reportedly part of a broader, indirect effort by the United States to disrupt the Soviet Union’s technological capabilities and military industrial base. In the context of Cold War tensions, the pipeline attack was specifically designed to disrupt the Soviet Union’s gas supply and harm its economy and its gas revenues from the West, thus undermining its power (Clemente, Cornish, Livingstone, & Yorke, 2010).

The conflict over Kosovo has been characterised as the first war on the Internet, which was used as a platform for government and non-government actors to disseminate information, spread propaganda, demonise opponents and solicit support for their positions. The use of e-mail bombs and viruses as weaponry in the Kosovo conflict was discussed above in section 2.4.1. Hackers voiced their objections to Yugoslav and NATO aggression by disrupting service on government computers and taking over their websites. Individuals used the Internet to tell their stories of fear and horror inside the conflict zone, whilst activists exploited it to amplify their voices and reach a wide international audience (Denning, 2001).


In the case of warfare in which nuclear weapons are used, the intent behind their use is readily apparent given the potential for mass destruction; the mere fact that nuclear weapons are being used categorises the action as warfare. This is not so simple with cyber weapons, as the intent may not be as apparent. It may thus be difficult for the leadership of one cyber power to determine when, in the mind of its enemy, it has crossed the line between cyber operations that are “acceptable” and those that will trigger a major escalation in the intensity of cyber activity, potentially leading to catastrophic attacks. The picture is further blurred by the fact that states are constantly under cyber-attack from multiple sources, not just one. Matters are made murkier still by the similarities between cyber reconnaissance operations and those designed to implant cyber weapons or conduct an attack. For example, efforts to penetrate a computer system for the purpose of exfiltrating data are often indistinguishable from efforts to penetrate a system for the purpose of planting a logic bomb or executing a cyber-attack (e.g. corrupting or deleting data, or compromising a control system). This may make it difficult, and perhaps impossible, to discern promptly when a rival has transitioned from acts of cyber espionage, crime and economic warfare to an attack on its adversary’s critical infrastructure (Krepinevich, 2012).

2.4.4 Information warfare

Society has evolved from an agrarian to an industrial to an information-based culture. References to the “digital economy” and the “third wave” describe our growing dependence on information technology (Boulton & Knapp, 2006). There has thus been a distinct shift from traditional warfare to warfare waged in the digital space. Information warfare is a relatively new field of concern and study, the name reportedly having been coined by Dr Thomas Rona in 1976 (Boulton & Knapp, 2006). Information warfare is the use of information as an instrument of war (Himes & Joseph, 2006). In the years following the digital war over WikiLeaks, the online world has increasingly become a battleground of conflicting ideals and principles (Advisen, 2012). Whether used to uncover sensitive government information, to steal trade secrets or commercial data, or as part of intelligence or reconnaissance work, it fits into the doctrine of using information superiority to achieve greater victories at a smaller cost (Clemente, Cornish, Livingstone, & Yorke, 2010).

Commonly regarded as a military concern, information warfare has evolved into a societal issue. This shift into the commercial world presents a growing threat to information managers who are responsible for protecting organisational information assets (Boulton & Knapp, 2006).

Just as militaries are concerned about state-sponsored information warfare programs, so should commercial organisations also pay attention. With at least 30 known countries suspected of actively pursuing cyber-weaponry, business and government executives alike should assess their vulnerabilities from a concerted attack (Boulton & Knapp, 2006).

Grassroots infowar is an intensification of computerised activism. Infowar refers to a war of words, a propaganda war. Grassroots infowar was the first step away from the Internet as merely a platform for communication and the beginning of the transformation from word to deed. Grassroots infowar actors emerge fully cognisant that they are on a global stage, telepresent across borders, in several locations simultaneously. Beyond the mere sharing of information and dialogue, there is a desire to incite action and the ability to do so on a global scale (Wray, 1998).

2.5 Bring Your Own Devices

Mobile applications are becoming the norm rather than the exception. Not only are organisations creating technologies which result in their customers using applications via their mobile devices; they are also changing their public-facing applications to accommodate mobile devices, as well as moving their internal applications to support mobile devices (Trustwave Holdings Incorporated, 2013).


Two primary technologies have emerged to help organisations accommodate a wide selection of devices and multiple operating systems. Mobile Device Management (MDM) products allow devices to be administered, either through an endpoint application installed by the user or through features in the device’s operating system. Although MDM solutions are good at managing applications on a device, they have difficulty separating personal from corporate data. Furthermore, they cannot detect “rooting” or “jail-breaking”, which can jeopardise sensitive data (Trustwave Holdings Incorporated, 2013).

The root cause of most mobile vulnerabilities is the assumption that data is safe because an internal application is being used on an internal network. Vulnerabilities related to information leakage represent 68% of the findings in mobile application tests. These range from simple caching issues that expose personally identifiable information (PII), to insecure storage of cryptographic material (including private keys and online decryption keys) and of cardholder data (Trustwave Holdings Incorporated, 2013). Integrity flaws, including the ability to alter calls to backend systems through techniques such as client-defined prices (where the application lets the client, rather than the server, state what an item costs) or replay attacks (re-sending a captured, legitimate request), accounted for 21% of all mobile findings. Other integrity flaws related to attacks on session management (Trustwave Holdings Incorporated, 2013).
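The two integrity flaws named above, a client-defined price and a replayed request, are easiest to see side by side. The following is an added example written for this section, not code from Trustwave or from the applications it tested: a checkout handler that trusts whatever price the app sends, beside a hardened handler that takes the price from a server-side catalogue, verifies an HMAC over the request so tampering is detected, and keeps a short-lived nonce cache so a captured request cannot be re-sent. The catalogue, SKUs, session key and request messages are all constructed for illustration.

```python
"""Added example: client-controlled price and replayable request beside a
server-side check (illustrative code, not the dissertation's or Trustwave's).
Catalogue, SKUs, key and messages are constructed for the demonstration."""
import hashlib
import hmac
import json
import time
from typing import Callable, Dict

# Constructed server-side price list (SKU -> price in cents). Hypothetical SKUs.
CATALOGUE: Dict[str, int] = {"SKU-100": 4999, "SKU-200": 1299}

# Hypothetical per-session key shared by the app and the backend after login;
# a real app would keep it in platform-protected storage, not a constant.
SESSION_KEY = b"constructed-session-key-for-illustration"

REPLAY_WINDOW_SECONDS = 120


def vulnerable_checkout(request: Dict) -> Dict:
    """Trusts the price the client sends: an intercepted request can be
    edited to price=1, or simply re-sent (replayed) to charge again."""
    return {"status": "charged", "amount": request["price"] * request["qty"]}


def canonical(payload: Dict) -> bytes:
    """Deterministic encoding so client and server MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: Dict, key: bytes = SESSION_KEY) -> str:
    """HMAC-SHA256 over the canonical body; the app attaches this as 'mac'."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


class HardenedCheckout:
    """Price comes from the server catalogue, never from the request; the MAC
    binds sku, qty, nonce and timestamp so edits fail verification; the nonce
    cache plus a freshness window rejects replays of a captured request."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._seen: Dict[str, float] = {}  # nonce -> time first accepted

    def handle(self, request: Dict) -> Dict:
        body = {k: v for k, v in request.items() if k != "mac"}
        if not hmac.compare_digest(sign(body), str(request.get("mac", ""))):
            return {"status": "rejected", "reason": "bad signature"}
        now = self._now()
        # Drop nonces older than the window so the cache stays bounded;
        # anything older is rejected by the freshness check anyway.
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= REPLAY_WINDOW_SECONDS}
        if abs(now - body["ts"]) > REPLAY_WINDOW_SECONDS:
            return {"status": "rejected", "reason": "stale"}
        if body["nonce"] in self._seen:
            return {"status": "rejected", "reason": "replay"}
        self._seen[body["nonce"]] = now
        price = CATALOGUE.get(body["sku"])
        qty = body["qty"]
        if price is None or not isinstance(qty, int) or qty <= 0:
            return {"status": "rejected", "reason": "bad item"}
        return {"status": "charged", "amount": price * qty}


def demo() -> Dict[str, Dict]:
    """Runs the attacks described in the text against both handlers and
    returns each outcome keyed by scenario name."""
    now = 1_700_000_000.0
    backend = HardenedCheckout(now=lambda: now)
    out: Dict[str, Dict] = {}

    # Attacker-edited request against the weak handler: SKU-100 costs 4999 cents.
    out["vulnerable_tampered"] = vulnerable_checkout({"sku": "SKU-100", "qty": 1, "price": 1})

    # Legitimate signed request to the hardened handler.
    body = {"sku": "SKU-100", "qty": 2, "nonce": "n-1", "ts": now}
    legit = dict(body, mac=sign(body))
    out["hardened_legit"] = backend.handle(legit)

    # The same captured message sent again is rejected as a replay.
    out["hardened_replay"] = backend.handle(legit)

    # Quantity edited without the key: the MAC no longer verifies.
    out["hardened_tampered"] = backend.handle(dict(legit, qty=200))

    # A client-supplied price field is simply ignored by the hardened handler.
    body2 = {"sku": "SKU-200", "qty": 1, "nonce": "n-2", "ts": now, "price": 1}
    out["hardened_price_ignored"] = backend.handle(dict(body2, mac=sign(body2)))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the server, not the client, is the source of truth for anything that affects what is charged; the MAC only stops an attacker from editing fields in transit, and the nonce and timestamp stop the one attack a MAC alone cannot, re-sending a message that was valid the first time.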

Surreptitious physical or network access that allows malicious code to be installed and run on the device remains the most successful attack vector against mobile devices (Trustwave Holdings Incorporated, 2013).

The biggest issues for non-point-of-sale mobile applications are the storage and transmission of critical information in an insecure manner. Banking, retail and even gaming applications will accept and store personally identifiable information (PII) in unsecured databases on the device, or transmit the data insecurely. Data can also be stored unencrypted in the device's caches, from where it can be retrieved by an attacker who needs only brief access to the device (Trustwave Holdings Incorporated, 2013).


2.6 Social media

The use of online social media is becoming more prevalent, providing internet users with the opportunity to communicate and collaborate (in their personal and professional capacities) with family, friends, social groups and other communities through social media tools such as Twitter, Facebook, MySpace and YouTube. Furthermore, the combination of mobile devices and social networking technologies has made communication via online social media a way of life for many people. However, the lack of physical contact on social network sites creates a false sense of anonymity, lowering users' natural defences and leading them to divulge information that they would ordinarily not consider revealing to virtual strangers (Kim, 2012).

Kim (2012) cites Gupta and Carpenter’s 2009 research indicating that enterprise value is heavily dependent on employees’ knowledge and their ability to share that knowledge, emphasising active social networking for increasing enterprise value.

Organisations also use online social network platforms for recruitment and publicity campaigns. As a result, organisations permit employees to access online social networking sites from the organisation's network environment, which exposes the organisation's network security. It is therefore imperative that networks are safeguarded against the vulnerabilities prevalent in social networks (Kim, 2012). Nearly half of the 2011 Advisen survey respondents consider reputational damage via social media to be a significant threat to their organisations, and 63.6% of the organisations surveyed have social media policies in place (Advisen Limited, 2011). However, in addition to the aforementioned cyber security threats posed by online social networking, organisations also have to mitigate the increased exposure of potentially sensitive and exploitable information. Organisations thus need to assess not only the security concerns posed by online social networking, but also the risks associated with employees' use thereof (Kim, 2012).

It is apparent from the discussion above that there is a vast multitude of cyber exposures facing the organisation. In order to manage and mitigate these exposures, it is vital that the organisation has an understanding of them, as well as of the motivations underlying the cyber-attacks.


3. Cost of cybercrime

Following the above assessment of the most widespread cyber exposures which organisations face, consideration is now lent to the impact of cyber exposures on organisations, and just how organisations perceive this risk.

3.1 Perception of cybercrime exposures

It is apparent that cybercrime has emerged as a serious threat to organisations globally, notably due to the increased cyber exposures faced as a result of technological development and reliance. Despite the fact that it is difficult to quantify the financial impact of cybercrime, given the variety of cybercrime types, methodologies and estimate processes, the available statistics help quantify the possible risks (Jain & Kalyanam, 2012).

In his 2013 State of the Union address, President Obama declared that "America's enemies are seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy". Furthermore, the President's white paper on the issue, the "Cyberspace Policy Review", suggests the costs to American business could run close to one trillion dollars (Internet Security Alliance, 2013).

Organisations are not necessarily au fait with the full spectrum of risks facing them, nor appreciative of the full extent of the exposures of which they are aware. A growing number of organisations are now realising that cyber security extends well beyond the information technology department: a wide range of issues such as lost or stolen data, violation of privacy laws, intellectual property infringement and social media related risks such as cyber-bullying and textual harassment constitute a much broader scope of cyber exposures (Advisen Limited, 2011).

Zurich Insurance Company commissioned Advisen to conduct a survey on enterprise-wide cyber exposure management practices, in order to gain insight into the current state of enterprise-wide information security and cyber liability risk management. In addition to collecting data on information security and cyber exposure management, the survey was designed to help create a framework for identifying and addressing cyber exposures throughout the organisation. Most respondents were classified as risk managers (58%), followed by risk management department professionals (17.8%) and enterprise risk managers (8.2%) (Advisen Limited, 2011).

The vast majority of respondents to the Advisen / Zurich survey believed that information security and other cyber related exposures pose a threat to their organisations. Asked how they would rate the potential dangers posed to their organisation by cyber and information security risks, over 50% of respondents indicated that they viewed these risks in a serious light. Disconcertingly, the balance of respondents considered them to be only a moderate to very mild risk to their organisation (Advisen Limited, 2011).

The 2015 Global State of Information Security Survey reports that small organisations consider themselves too insignificant to attract threat actors. This is an extremely dangerous misperception, as it is often a strategy of sophisticated adversaries to target small and medium-sized organisations in order to gain a foothold in the interconnected business ecosystems of the larger organisations with which they partner. This is further compounded by the fact that large organisations seldom make any effort to monitor the security practices of their service providers and other stakeholders (PricewaterhouseCoopers LLP, 2014).

It is imperative that governments make serious, systematic efforts to collect and publish cybercrime data, in order to empower and equip countries and organizations to make better decisions regarding their risk and policy choices (Center for Strategic and International Studies, 2014).

Information security and cyber liability has become an important topic for organisations of all sizes across all industries. The survey revealed that small companies viewed cyber exposures only slightly less seriously than the largest companies (Advisen Limited, 2011), which is reassuring, given that the size of the organisation does not necessarily exempt it from an attack.


Almost half of respondents to PricewaterhouseCoopers' 2014 Global Economic Crime Survey said that the perceived cybercrime risk to their organisation had increased in the past year (PricewaterhouseCoopers LLP, 2014).

As is to be expected, information security budgets vary with organisational size. As Figure 1 below reflects, small organisations with revenues of less than USD100 million spent approximately USD0.73 million, whilst large entities with revenues exceeding USD1 billion allocated USD10.8 million to their cybersecurity budgets (PricewaterhouseCoopers LLP, 2014).

Figure 1: Information security budget by company size (revenue)

Note. From “Managing cyber risks in an interconnected world: Key Findings from The Global State of Information Security Survey 2015”, p. 9, by PricewaterhouseCoopers LLP. (2014).

Larger organisations are also inclined to take a more strategic approach to security, by compiling asset inventories and allocating resources thereto. Furthermore, larger organisations generally more frequently cultivate cultures of security through employee awareness and training, as well as ensuring that senior executives broadcast the importance of cybersecurity across the entire organisation (PricewaterhouseCoopers LLP, 2014).


3.2 Economic cost of cybercrime

According to the 2014 McAfee Report on the Global Cost of Cybercrime, the estimated annual cost to the global economy from cybercrime exceeds USD400 billion (compared to the estimated USD600 billion cost of the global drug trade). The cost of cybercrime includes the effects of hundreds of millions of people having had their personal information stolen (estimated at more than 800 million individual records in 2013). The Report analyses the implications for employment, noting that the effect of cybercrime is to shift workers from high-paying to low-paying jobs or into unemployment. Studies suggest that, in the United States alone, losses from cybercrime could result in as many as 200,000 jobs being lost; European Union job losses are estimated at 150,000. The estimate includes both direct and indirect costs: the loss of intellectual property, the theft of financial assets and sensitive business information, opportunity costs, the additional cost of securing networks, and the cost of recovering from cyber-attacks (including the reputational damage to the hacked organisation) (Center for Strategic and International Studies, 2014).

According to the McAfee Report, North America, Europe and Asia lost the most to cybercrime, whilst Africa lost the least. The losses experienced by the United States, China and Germany were fairly similar, and together represent more than USD200 billion of the losses cited above. The cost of cybercrime to South Africa is estimated at 0.14% of gross domestic product (GDP), which equates to approximately R5.8 billion annually (Center for Strategic and International Studies, 2014). The total cost of cybercrime to the United Kingdom is estimated at £27 billion annually (Detica Group Plc, 2011). Income levels have been found to be a good predictor of cybercrime losses, as wealthier countries and organisations are more likely to be targeted, a rich target producing a better return on effort. This may change, however, as lower-income countries increase their access to and use of the Internet for commercial purposes, and as cybercriminals continue to refocus their efforts on mobile platforms, which are the preferred means of connectivity in developing regions (Center for Strategic and International Studies, 2014).


In parallel with the discussion above that larger organisations are more likely to be targeted, incidents also prove more costly to large organisations. Given the increased likelihood of a cyber-attack, it is imperative that these larger organisations deploy sufficient resources to their cybersecurity budgets. Larger organisations are, however, also more likely to have the processes and knowledge to calculate financial losses across the full range of potential exposures, including costs associated with customer erosion, legal fees, fines and penalties, forensic investigations, and reputational harm. Figure 2 below shows that the cost of cyber incidents ranges from USD0.41 million for a small organisation with revenues of less than USD100 million, to USD5.9 million for organisations whose revenues exceed USD1 billion (PricewaterhouseCoopers LLP, 2014).

Figure 2: Incidents are more costly to large organisations

Note. From “Managing cyber risks in an interconnected world: Key Findings from The Global State of Information Security Survey 2015”, p. 10, by PricewaterhouseCoopers LLP. (2014).

The most serious cost of cybercrime is the potential damage to organisational performance and national economies, as it harms trade, competitiveness, innovation, and global economic growth. This cost will continue to increase as more organisational functions are moved online, and as more organisations and consumers globally connect to the Internet. Losses emanating from intellectual property theft are expected to increase as acquiring countries improve their ability to use the stolen information to manufacture competing goods. Cybercrime thus stifles innovation and slows its global pace, because it reduces the rate of return to innovators and investors. The cost of stolen intellectual property is difficult to estimate, but organisations do place a value on intellectual property every day. Countries where intellectual property creation and intellectual property-intensive industries are important for wealth creation lose more in trade, jobs and income from cybercrime than countries which are more dependent on agriculture, extractive industries or low-level manufacturing. The latter nonetheless experience losses from financial crime, as well as from the theft of confidential information on production, prices or crop yield forecasts which could be used against them in contract negotiations (Center for Strategic and International Studies, 2014). Using the World Bank's 2013 annual global gross domestic product estimate of USD74.9 trillion, the loss of trade secrets is thought to range from USD749 billion to USD2.2 trillion annually (PricewaterhouseCoopers LLP, 2014). A significant portion of the cost of cybercrime to the United Kingdom (£9.2 billion annually) emanates from the theft of intellectual property from United Kingdom businesses (Detica Group Plc, 2011).

In terms of financial impact experienced by the organisation, decreased revenues may result from disruption of business systems, regulatory penalties may be imposed, and the client base may be eroded (PricewaterhouseCoopers LLP, 2014). Other intangible losses are also difficult to measure – over and above losses in business and consumer confidence, the effect of cyberespionage on national security is significant and the monetary value of military technology stolen does not comprehensively reflect the full cost to the nation (Center for Strategic and International Studies, 2014).

3.3 Financial cost of cybercrime

Financial crime is the theft of financial assets through cyber intrusions, and represents the second largest source of direct loss from cybercrime. Because the financial sector is regulated, it pays stringent attention to cybersecurity, and because its losses can easily be measured, reliable data is obtained from it. Various exploits are used, the most damaging of which seek to penetrate bank networks and gain access to accounts in order to siphon money. Another form, extortion, involves threats either to disclose stolen information or to shut down critical services should a ransom (sometimes running into hundreds of thousands of US dollars) not be paid (Center for Strategic and International Studies, 2014). This type of cybercrime is usually perpetrated by organised criminal networks (Detica Group Plc, 2011).

Cybercriminals are improving their ability to monetise stolen personally identifiable information and credit card data, as evidenced by the series of high-loss attacks against Sony, Home Depot and Target. UK retailers reportedly lost in excess of USD850 million in 2013. Similar large-scale attacks have been carried out against retailers, hotel chains, media organisations, and airline and financial service companies in Australia, with losses averaging more than USD100 million per company. Financial assets are the easiest to monetise, particularly when the funds can simply be transferred to an account controlled by the criminal. Where assistance is required, cybercriminals use intermediaries termed "mules" (people hired under false pretences who believe they are employed by a legitimate organisation) or "cashers" (low-end criminals used to monetise stolen information) to launder money. The hacker transfers the funds to the mule, who takes a commission and forwards the balance to an overseas account. Notably, the theft of USD45 million from two banks in the Middle East involved the recruitment of 500 mules around the world, who used cloned debit cards to withdraw money from automated teller machines, kept a portion as payment for their services, and remitted the balance to the hackers. These crimes are perpetrated by sophisticated gangs, who have repeatedly demonstrated that they are capable of overcoming almost any cyber defence. Financial crime in cyberspace now occurs at industrial scale (Center for Strategic and International Studies, 2014).

Several financial costs associated with cybercrime impact upon an organisation: costs incurred in anticipation of cybercrime, such as information security measures and insurance premiums; costs incurred as a consequence of cybercrime, such as business continuity and disaster recovery costs; and costs incurred in response to cybercrime, such as regulatory fines, legal and forensic costs, and compensation to identity theft victims (Detica Group Plc, 2011). According to Schutzer (2015), 60% of small organisations cease operating within a year of having been the victim of cybercrime.


3.4 Cost of cybercrime involving confidential business information and market manipulation

The theft of confidential business information, whether through cybercrime or cyberespionage, presents the third largest cost of cybercrime. Confidential information can be converted into immediate gains, given that investment information, exploration data and sensitive commercial negotiation data can be used at once; one example is the theft of negotiating data that would give one party an advantage in a potential business deal (Center for Strategic and International Studies, 2014). Whilst cyber criminals may use the stolen information to acquire or sell shares, on occasion they may even use it to hedge against currency fluctuations (Detica Group Plc, 2011).

The McAfee 2014 Report (Center for Strategic and International Studies, 2014) states that stock market manipulation is a growth area for cybercriminals: the networks of the organisation (or of its lawyers or accountants) are infiltrated in order to acquire confidential information on merger or acquisition plans, financial reports, or other data which could affect the organisation's share price. Unfortunately, cybercrime of this nature is not easily detected, as the resulting trades are indistinguishable from normal trades, particularly if they are carried out on another stock market.

3.5 Opportunity cost and cybercrime

Opportunity cost encompasses the opportunities or benefits that are not realised because resources have been expended elsewhere. According to the 2014 McAfee report, three kinds of opportunity cost determine the losses emanating from cybercrime: reduced investment in research and development; risk-averse behaviour by businesses and consumers that limits Internet usage; and increased spending on network defence. For organisations, the last of these may well be the largest opportunity cost. Whilst organisations would allocate resources to security even in a digital environment where risk was greatly reduced, there is a "risk premium" which they pay for using an insecure network. The increased rate of spending on cybersecurity reflects not only an increased use of network technologies, but also an increased awareness of the cyber exposures facing the organisation. The market for cybersecurity products and services has grown by 8.7% since 2011, from USD53 billion to USD58 billion in 2013 (Center for Strategic and International Studies, 2014).

As has been discussed in detail earlier in this dissertation, cybercriminals' motives are not only financial; they may also seek to disrupt the provision of a key service. In 2012, attackers permanently erased the data from 30,000 computers at a large oil producer, and launched similarly disruptive attacks against South Korean banks and media outlets. The impact of these attacks extends beyond reparation costs. Recovery costs, which include reputational damage, are also on the increase: a 2012 survey that asked victims of cybercrime to value the time they lost dealing with incidents estimated that this time amounted to an additional USD274 billion in losses (Center for Strategic and International Studies, 2014).

Once intellectual property has been acquired, there are a number of ways in which it can be exploited: producing an exact replica (particularly if the intellectual property has not been legally protected); producing a similar product more quickly using the same concept; incorporating elements of the intellectual property into alternative designs; selling the intellectual property to a third party; and lastly, threatening to disclose the intellectual property should its owner not pay a ransom (i.e. blackmail) (Detica Group Plc, 2011).

3.6 Cybercrime recovery costs

The cost of recovering from a cyber-attack often proves to exceed the cost of the crime itself, and these costs are on the increase. One Italian study of cybercrime found that whilst the actual losses were USD875 million, recovery and opportunity costs reached a staggering USD8.5 billion. These costs include brand damage and other reputational losses, as well as harm to customer relations and retention. The range of cyber clean-up costs is great, from USD3 million for the State of Utah to USD171 million for Sony Corporation. Estimates for the Target attack are around USD420 million, including reimbursement, the cost of reissuing millions of cards, legal fees, and credit monitoring (Center for Strategic and International Studies, 2014).


As has been noted on several occasions within this dissertation, an organisation's share value may depreciate following a cyber-attack. The effect on share prices can be significant, a fall in value of between 1% and 5%; however, the decline is temporary and a recovery is usually apparent within a quarter or two. This may change should organisations be required to report major hacking incidents and detail the actual information lost. Furthermore, as best practices and standards of care for cybersecurity become the norm, organisations may find themselves in a more litigious environment where due diligence has been lacking (Center for Strategic and International Studies, 2014).

Unfortunately, given the dynamic nature of technology, cybercrime opportunities and exposures will inevitably increase. Cybercrime remains a growth industry. Organisations that do not sufficiently secure their networks soon find themselves at an increasing competitive disadvantage. Nations will see increasing costs in lost jobs and weaker trade balances, in addition to the global cost of a slowed pace of innovation due to reduced investor returns. Addressing this malady requires better technology and stronger defences. Standards and best practices for cybersecurity need to be agreed and applied in order to reduce the cost of cybercrime, and it is of vital importance that international agreement is reached on law enforcement and government behaviour. These changes will require that governments improve their ability to account for loss, and that organisations improve their risk assessment. This is only possible if cybercrime is treated seriously and appropriate action is taken against it; if these changes are not implemented, there is no prospect of cybercrime losses diminishing (Center for Strategic and International Studies, 2014).


4. Data breaches statistics

The preceding discussion has expounded the cyber exposures facing organisations, going into detail about the extent to which organisations collect personal information data, and just how lucrative this data is to cyber criminals. The discussion which follows provides insight into just how prevalent data theft is, as well as the means utilised to obtain this information, and the industries who are predominantly falling victim to these thefts.

A discussion of data protection legislation follows in Chapter 5 below, which details that South Africa does not currently have any legislation in force requiring that data breaches be reported, unlike the United States and the European Union. Consequently, statistics pertaining to South African data breaches are few and far between, and a large reliance is placed on data breach statistics from countries such as the United States, where legislation requiring the reporting of data breaches has been in place for some time. This section therefore relies on US statistics to illustrate the frequency, severity and ramifications of data breaches.

The 2014 Verizon Data Breach Investigations Report is an annual report compiled by Verizon, an American organisation, with the assistance of fifty international organisations ranging from security companies and audit firms to authorities such as the United States Department of Homeland Security. The dataset underpinning the 2014 report comprises over 63,000 confirmed security incidents and 1,367 confirmed data breaches affecting organisations in 95 countries.

The 2014 Trustwave Global Security Report, released by Trustwave Holdings Incorporated, a global organisation with offices across the United States as well as in London, São Paulo and Sydney, reports on evidence gathered from 691 data breach investigations (compared to 450 in 2012), spread across industries and 24 countries, as well as threat intelligence gathered from Trustwave products and security operations centres (Trustwave Holdings Incorporated, 2013).


The PricewaterhouseCoopers Global State of Information Security Survey 2015 surveyed in excess of 9,700 security, IT and business executives and found that the total number of security incidents detected by respondents had increased to 42.8 million (an increase of 48% from 2013). According to the Insurance Information Institute, as at 27 May 2014 there had already been 311 data breach events in the year, with 8.5 million records exposed (Hartwig & Wilkinson, 2014).

NetDiligence's 2014 Cyber Claims study assessed 117 data breach insurance claims, 111 of which resulted in the exposure of sensitive personal data. The balance involved business interruption or the theft of trade secrets (NetDiligence, 2014).

According to Willis' Marketplace Realities 2015 report, there were in excess of 2,100 privacy breaches reported in the United States in 2013. A staggering 552 million identities were exposed via breaches in 2013 (a 492% increase over 2012) (Willis North America Inc., 2014).

An incident is a security event that compromises the integrity, confidentiality or availability of an information asset. A breach is an incident which results in the (potential) disclosure of data. A data disclosure is a breach for which it was confirmed that the data was actually disclosed (not merely exposed) to an unauthorised party. The 1,367 confirmed data breaches represent the high-water mark in ten years of breach data, and the first time that Verizon's dataset has crossed the 1,000 breaches point (Verizon Enterprise Solutions, 2013).

Almost 60% of the victims of the breaches analysed in the 2014 Trustwave Global Security Report reside in the United States; the United Kingdom ranked second at 14% and Australia third at 11%. Of the attack source internet protocol addresses, 19% were in the United States, 18% in China and 15% in Nigeria (Trustwave Holdings Incorporated, 2013).

Figure 3 below depicts the raw count of breaches attributed to each of four categories of threat actor (external actors, internal actors, partner actors, and collusion between them) over Verizon's 10-year history of breach data (Verizon Enterprise Solutions, 2013):


Figure 3: Percentage of breaches per threat actor category over time

Note. From “The 2014 Data Breach Investigations Report”, p. 8, by Verizon Enterprise Solutions, 2013.

Barring 2006 to 2008, the overall ratio between the threat actor categories is relatively stable. The large dip for external actors in 2012 (refer solid blue line in Figure 3 above) coincides with an overall drop in breach count that year, mainly due to fewer large multi-victim point-of-sale intrusion sprees targeting small to medium businesses in the dataset (Verizon Enterprise Solutions, 2013).

Having considered in Figure 3 where the threat action emanates from, we now look at the motivations behind these attacks, in Figure 4 below.

Figure 4: Percentage of breaches per threat actor motive over time

Note. From “The 2014 Data Breach Investigations Report”, p. 9, by Verizon Enterprise Solutions, 2013.


It is apparent from Figure 4 above (refer solid blue line) that financially motivated breaches outnumber those with other motivations by a good margin (Verizon Enterprise Solutions, 2013). The 2014 Trustwave Global Security Report supports the finding that financial gain is still the most common incentive for attacks (Trustwave Holdings Incorporated, 2013).

Although Verizon was aware of the increase in espionage over the past few years, it expressed surprise at the degree of convergence with financial motives (refer solid teal line in Figure 4 above) (Verizon Enterprise Solutions, 2013).

The 2014 Trustwave Global Security Report noted an increasing focus on attacks motivated by corporate or government espionage (Trustwave Holdings Incorporated, 2013), with political motivations for hacking remaining high in 2013. The Syrian Electronic Army (SEA), formed in 2011 and claiming to be a collective supporting Syrian President Bashar al-Assad, claimed responsibility for attacks on a variety of high-profile media outlets and on several official Microsoft Twitter feeds, all with the goal of spreading its political message (Trustwave Holdings Incorporated, 2013).

Narcissism, a less pragmatic and more psychological motivation, also featured in the 2014 Trustwave report (refer solid purple line in Figure 4 above). Some attacks appeared to be driven purely by a desire for attention, with no obvious financial or ideological reward for the perpetrator. An example is that of the Romanian Marcel Lehel (alias ""), who attracted media attention on multiple occasions by publicly sharing discoveries made by accessing the email accounts of celebrities and high-profile politicians (Trustwave Holdings Incorporated, 2013).

In the discussion above, we have identified where attacks are emanating from (in terms of the nature of the threat actor), establishing that attacks are predominantly being levied by external threat actors (refer Figure 3 above). Furthermore, the prime motivation spurring these attacks is clearly financial (refer Figure 4 above). Now we consider through what means these attacks were perpetrated (i.e. the threat action), in Figure 5 below:

Figure 5: Number of breaches per threat action category over time

Note. From “The 2014 Data Breach Investigations Report”, p. 9, by Verizon Enterprise Solutions, 2013.

The figure above exhibits ten years of threat actions leading to data breaches. There is an evident surge in the hacking and malware categories in 2009 (green and yellow solid lines respectively), with social tactics climbing in 2010 (solid purple line) (Verizon Enterprise Solutions, 2013). It is interesting to note that the number of breaches due to error and misuse is fairly stable over the period (refer solid purple line in Figure 5 above), and does not compare to the breaches perpetrated through social tactics, malware or hacking, whose prevalence has steadily gained momentum over the years. NetDiligence (2014) found that in 30% of cases, hackers were responsible for the loss, followed by staff mistakes (14%).

The above assessment has determined who the threat actors are (refer Figure 3), their motivations (refer Figure 4) and the threat actions which lead to data breaches (refer Figure 5 above). Now consideration is given to the varieties of threat actions, which have presented themselves as being the most prevalent in the year under review (refer Figure 6 below).

Figure 6: Top 10 varieties of threat actions over time

Note. From “The 2014 Data Breach Investigations Report”, p. 10, by Verizon Enterprise Solutions, 2013.

It is interesting to note the top varieties of threat over the past three years, per the figure above, with the top three threats in 2013 being the use of stolen credentials, the export of data and phishing. Seven threat types appear in all three years: use of stolen credentials, export data, backdoor, use of backdoor or C2, phishing and C2 mail. Another point of interest is that the top three varieties in 2013 exhibit significant increases in the number of incidents over the prior period, with the breaches resulting from use of stolen credit cards more than doubling in 2013.

The 2014 Trustwave report indicates that weak passwords opened the door for the initial intrusion in 31% of compromises, and that 59% of malicious spam included attachments while 41% contained malicious links. Strong passwords play an essential role in combatting a breach and should consist of a minimum of seven characters with a combination of upper and lower case letters, symbols and numbers. Passphrases of eight to ten words are recommended, along with two-factor authentication, which forces users to verify their identity with information other than simply their username and password (such as a unique code sent to the user’s mobile phone) (Trustwave Holdings Incorporated, 2013).

Significant discussion has been had determining threat actors (refer Figure 3), motivations (refer Figure 4), threat action categories (refer Figure 5) and the top threat varieties presenting themselves (refer Figure 6). The conversation now turns to understanding what data is being targeted and exposed in the data breaches under review (refer Figure 7 below).

Figure 7: Breach count by data variety over time

Note. From “The 2014 Data Breach Investigations Report”, p. 11, by Verizon Enterprise Solutions, 2013.

When comparing the trends reflected in Figure 7 above with those of actor motives in Figure 4, the parallels are apparent. Financially motivated criminals will naturally seek out data that is easily converted to cash, such as bank information and payment cards, whilst espionage groups target internal corporate data and trade secrets. The demand for authentication credentials, which are useful in both the criminal underground and the shadowy world of the clandestine, is evident herein (Verizon Enterprise Solutions, 2013). The Trustwave report indicates that, whilst payment card data continues to top the list of the types of data compromised at 45%, there was a 33% increase in the theft of sensitive and confidential information such as financial credentials, internal communications, personally identifiable information and various types of customer records. E-commerce made up 54% of assets targeted, point-of-sale breaches contributed 33% and data centres (i.e. corporate infrastructure) 10% (Trustwave Holdings Incorporated, 2013).

The Verizon Report conducts a deep analysis of when an organisation actually realises that it has been the victim of a cyber-attack (Verizon Enterprise Solutions, 2013). In section 6 of this dissertation (risk management), incident management is discussed in detail. It is imperative that organisations monitor their networks in order to determine whether they are being attacked. Without this knowledge, the organisation continues to be an easy target, given that the vulnerability exploited by the threat actor has not been resolved. It is particularly interesting to consider the timeline of an attack against that of the organisation coming to the realisation that it has in fact been breached. Figure 8 below compares the time taken to compromise an organisation with the time taken by the organisation to discover the breach.

Figure 8: Percentage of breaches where time to compromise (red) / time to discovery (blue) were days or less

Note. From “The 2014 Data Breach Investigations Report”, p. 12, by Verizon Enterprise Solutions, 2013.

The above figure contrasts how long it takes the attacker to compromise an asset with how long it takes the defender to discover this. It is apparent that attackers are getting better and faster at what they do, particularly when compared to the rate at which defenders are improving their discovery times. Furthermore, attackers seldom need days in order to successfully compromise an asset, whereas defenders seldom discover an attack in a matter of days but usually take a significant amount of time to discover the breach (Verizon Enterprise Solutions, 2013).

Cyber-attack victims that identify a breach on their own detect it sooner, and reduce clean-up time by two weeks. However, self-detection of breaches remains low. Statistics show that, in 71% of cases in 2013, victims did not detect their own compromises. Breach detection was predominantly made by regulatory bodies, card brands and merchant banks (58%), with the balance being attributable to other third parties, public detection and law enforcement (Trustwave Holdings Incorporated, 2013).

The median number of days from the date of initial intrusion to the date of detection was 87, indicating that half of compromise victims became aware of the breach within approximately three months of the initial intrusion. Similarly, the median number of days between the date of the initial intrusion and containment of the breach was 114 days, meaning half of compromise victims contained a breach within approximately four months of the initial intrusion (Trustwave Holdings Incorporated, 2013).

Having ascertained that self-discovery presents only 79% of breach detection, Figure 9 details breach discovery methods over time.

Figure 9: Breach discovery methods over time

Note. From “The 2014 Data Breach Investigations Report”, p. 12, by Verizon Enterprise Solutions, 2013.

It is encouraging to see that internal breach discoveries (refer solid purple line in Figure 9 above) outweigh external fraud detection (refer solid blue line), albeit for the first time in the history of the Verizon Data Breach Investigations Report (i.e. since 2004). Unrelated third parties are quickly rising as an important and prominent way in which victims (particularly espionage victims) come to learn about breaches (refer solid pink line in Figure 9 above) (Verizon Enterprise Solutions, 2013). Breach discoveries made by law enforcement currently represent approximately 30% of discoveries (refer solid teal line in Figure 9 above), a steady increase since 2004.

4.1 Types of breaches

The following nine pattern clusters were identified from the Verizon results, which describe comprehensive incident classifications: Point of Sale (POS) intrusions, web application attacks, insider misuse, physical theft / loss, miscellaneous errors, crimeware, card skimmers, denial of service (DoS) attacks, cyber-espionage and ‘everything else’, incorporating the balance of the incident classifications. Together, these classifications describe 94% of the confirmed data breaches analysed in 2013. Furthermore, when applying these classifications to the last three years of breaches, 95% fall within the nine classifications. In further support of these classifications is the fact that, when applying them to the last ten years of data, 92% of the 100,000+ security incidents are described (Verizon Enterprise Solutions, 2013).

Figure 10: Frequency of incident classification patterns

Note. From “The 2014 Data Breach Investigations Report”, p. 14, by Verizon Enterprise Solutions, 2013.

Point-of-sale breaches also featured prominently in the 2014 Trustwave report, accounting for 33% of their investigations (Trustwave Holdings Incorporated, 2013).

According to PricewaterhouseCoopers’ 2014 Global Economic Crime Survey, insiders have become the most cited perpetrators of cybercrime, albeit not necessarily through malicious behaviour. The survey found that 35% of attacks caused by insiders were through current employees and 30% through former employees. However, employees are not the only source of insider threats: 18% of incidents were attributed to current service providers, consultants and contractors (and 15% to former providers). This threat was highlighted by the several attacks levied against United States retailers over the past year, some of which were achieved by cybercriminals who gained access to retailers’ networks through the compromise of third-party suppliers and contractors (PricewaterhouseCoopers LLP, 2014).

Given the significance of these classifications, and the sheer volume of incidents occurring thereunder, it is imperative that they are considered in detail. Each incident classification shall be discussed in detail, assessing exactly what each classification entails and its impact on the organisation. Furthermore, risk management techniques specific to each classification are also discussed hereunder.

4.1.1 Point-of-Sale (POS) intrusions

Point-of-Sale intrusions are remote attacks against environments where retail transactions are conducted, specifically where card present purchases are made. Crimes involving tampering with or swapping out devices are covered in the Skimming pattern (discussed below). The top industries affected by these intrusions are unsurprisingly restaurants, hotels, grocery stores, and other brick-and-mortar retailers. The number of intrusions reviewed in 2013 totalled 198, with all of them being confirmed data disclosures (Verizon Enterprise Solutions, 2013).

Although point-of-sale hacks have received a fair amount of press coverage recently, they have been occurring for a number of years. From a frequency point of view, this largely remains a small- and medium-organisation issue. Surprisingly, the number of point-of-sale attacks in 2012 and 2013 is substantially lower than the number recorded in 2010 and 2011 (despite there being significantly more data). This is mainly due to the fact that fewer attack sprees involving numerous small franchises were evidenced (Verizon Enterprise Solutions, 2013).

The most simplistic means of attack is to compromise the point-of-sale device, install malware to collect magnetic stripe data while in process (where it is unencrypted), retrieve the data, and then utilise the data. All of these attacks are motivated by financial gain, and most can be conclusively attributed to organised criminal groups operating out of Eastern Europe (Verizon Enterprise Solutions, 2013).

Whilst not as common as the above method of attack, several incidents recorded in 2013 feature a compromise at a corporate location, leading to widespread compromise of individual locations and malicious code installations across a multitude of stores. In certain cases, the compromise began at the store and led to penetration of the corporate network (Verizon Enterprise Solutions, 2013). As noted above, in the recent spate of retailer attacks, cybercriminals obtained access to the retailers’ network through compromising third-party service providers (PricewaterhouseCoopers LLP, 2014).

As a Payment Card Industry (PCI) Forensic Investigator, Trustwave examines a substantial number of breaches involving payment card data, as well as a large amount of malware that targets point-of-sale devices. Typically a malware sample will fit into a “family” that shares certain characteristics and is likely to be authored by the same individual(s). A malware family has a number of commonalities that make it unique when compared to other families. The most prevalent point-of-sale families observed by Trustwave were Alina (19.1%), Baggage (16.5%) and Triforce (11.2%) (Trustwave Holdings Incorporated, 2013).

In 99% of the cases, the victim discovered that they had suffered a breach through notification by a third party. Notification by law enforcement and fraud detection are the most common discovery methods in this arena of cyber-crime, as investigations into breaches uncover other victims. Payment card breaches are only being discovered weeks after the compromise, usually only after the criminals have begun utilising their ill-gotten gains for fraud and other illicit purposes (Verizon Enterprise Solutions, 2013).

Risk management initiatives recommended in order to avoid this type of intrusion include the restriction of remote access, whereby remote access into point-of-sale systems by third-party management vendors is limited. Organisations should also enter into dialogue with these vendors regarding how and when they shall perform their duties. Password policies should be enforced by ensuring that all passwords utilised for remote access to point-of-sale systems are not factory defaults, the name of the point-of-sale vendor, dictionary words, or any other weak type of password. If passwords are handled by a third party, require (and verify) that this is done, and that the same password is not utilised for other customers. Web browsing, e-mail, social media use, game playing or any other activity not related to point-of-sale operations should not be permitted on point-of-sale systems. Of crucial importance is the recommendation that anti-virus software be installed and maintained on point-of-sale systems. Organisations should review the interconnectivity between stores and central locations and treat them as semi-trusted connections, as well as segment the point-of-sale environment from the corporate network. Network traffic to and from the point-of-sale network should be monitored continuously. There should be a normalised traffic pattern and, whilst easier said than done, anomalous traffic must be identified and investigated. Lastly, two-factor authentication should be utilised: whilst strong passwords alleviate the bulk of the problem, organisations should consider multiple authentication factors (for third-party and internal users) (Verizon Enterprise Solutions, 2013).
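The password rules set out in this section (a minimum of seven characters drawn from the four character classes and eight-to-ten-word passphrases, as reported by Trustwave above) and the point-of-sale rules just listed (no factory defaults, vendor names or dictionary words, and no password shared by a vendor across its customers) can be expressed as a checkable policy. The following is an added illustration written for this discussion, not code from Verizon or Trustwave; the vendor name, the denylists and the customer password table are constructed placeholders.

```python
"""Checkable credential policy for remote access to point-of-sale systems.

Added illustration; the denylists, vendor name and customer table are constructed.
"""
import re
from typing import Dict, List

MIN_PASSWORD_LENGTH = 7          # minimum length stated in the Trustwave report
MIN_PASSPHRASE_WORDS = 8         # passphrase length range recommended in the report
MAX_PASSPHRASE_WORDS = 10

# Constructed denylists; a deployment would load the real vendor default list
# and a full dictionary file instead.
FACTORY_DEFAULTS = {"admin", "password", "pos", "1234", "12345", "micros", "changeme"}
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "monkey", "football", "register"}
VENDOR_NAME = "ExamplePOSVendor"  # hypothetical point-of-sale vendor


def check_password(password: str, vendor_name: str = VENDOR_NAME) -> List[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_PASSWORD_LENGTH:
        failures.append("too short")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"\d", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    lowered = password.lower()
    if lowered in FACTORY_DEFAULTS:
        failures.append("factory default")
    if vendor_name.lower() in lowered:
        failures.append("contains vendor name")
    # Strip digits and symbols so that "Summer2013!" is still caught as a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in DICTIONARY_WORDS:
        failures.append("dictionary word")
    return failures


def check_passphrase(passphrase: str) -> List[str]:
    """Passphrase rule: eight to ten distinct words."""
    words = passphrase.split()
    failures = []
    if not MIN_PASSPHRASE_WORDS <= len(words) <= MAX_PASSPHRASE_WORDS:
        failures.append(f"expected {MIN_PASSPHRASE_WORDS}-{MAX_PASSPHRASE_WORDS} words, got {len(words)}")
    if len({w.lower() for w in words}) < len(words):
        failures.append("repeated word")
    return failures


def customers_sharing_password(password: str, customer_passwords: Dict[str, str]) -> List[str]:
    """Customers of a third-party vendor whose remote-access password equals the one under review.

    The report asks organisations to verify that a vendor does not reuse one password
    across customers; this is the comparison that verification would run.
    """
    return sorted(c for c, p in customer_passwords.items() if p == password)
```

Complexity rules alone pass passwords such as "Summer2013!", which is why the dictionary check strips digits and symbols before comparing; the vendor-name check is a substring match so that a prefix or suffix does not defeat it.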

4.1.2 Web application attacks

Any incident in which the web application was the vector of attack is referred to as a web app attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms (Verizon Enterprise Solutions, 2013). Top industries impacted by this type of intrusion are information, utilities, manufacturing and retail. 3,937 incidents of this type were identified, with 490 being confirmed data disclosures (Verizon Enterprise Solutions, 2013).

It is a complex task to defend web applications due to the variety and combination of techniques available to attackers. As opposed to the financial gain motivator evident in point-of-sale attacks, ideology is the prominent reason for web app attacks. Just under two out of every three attacks were attributable to activist groups driven by ideology or just for fun (the balance was driven by greed and a small number by espionage actions) (Verizon Enterprise Solutions, 2013).

In respect of financially motivated attacks, criminals are focused on gaining access to the money, thus their primary target industries are in the financial and retail sector (where data that converts easily to money is abundant and accessible). Within the financial industry, focus is on gaining access to the user interface of the web (banking) application. Thus, user credentials are targeted by utilising the web applications protected with a single factor (password) as a conduit thereto. Tactics utilised to procure credentials include phishing techniques to either trick the user into supplying the credentials, or installing malware onto the client system; brute force password guessing; targeting the application through SQL injection or other application-level attacks as a means to retrieve credentials, bypass the authentication, or otherwise target the user-management system. Again, the majority of external attackers utilising stolen credentials hail from Eastern Europe (Verizon Enterprise Solutions, 2013).

A different focus is apparent when considering attacks on the retail industry: the primary aim is payment card information, which is often accessible simply by exploiting the web application. SQL injection was leveraged in 80% of the attacks, followed by techniques to install and use web shells (Verizon Enterprise Solutions, 2013).

Ideology (whether the motivation is social, political, or just plain fun) represents the largest identified portion of motives for web application attacks, and the actors tend to be the most geographically diverse. Intruders are more concerned about obtaining a platform to stand on, and two types of results emanate herefrom: defacements to send a message, or hijacking the server (including for distributed denial of service) to attack other victims (Verizon Enterprise Solutions, 2013).

When the act is financially motivated, the leading notification method is through customers (74%). Only 9% of victims discovered data breaches of their own accord. Comparatively, 99% of notifications of attacks perpetrated by activists were by external parties contacting victims to advise them that their hosts were involved in other attacks (Verizon Enterprise Solutions, 2013).

Sixty percent of the initial compromises occurred within minutes or less, with just over 85% of the incidents being discovered in days or more, and about 50% taking months (or longer) to discover. However, when discovery is made, the reaction time is relatively fast, with about half of the organisations taking days or less to respond and contain the incident (Verizon Enterprise Solutions, 2013).

Recommended controls to curtail this type of intrusion start from the premise that single-factor, password-based authentication is not sufficiently secure for anything Internet-facing. Alternative methods of identity verification and authentication should be investigated. If committed to an active Content Management System (CMS) platform, automatic patch processes should be utilised. Static CMS frameworks should be considered, as they pre-generate the same pages, negating the requirement to execute code on the server for every request. The best method of ensuring that the web application is secure is to conduct vulnerability assessments, and to remedy any weaknesses identified in order to avoid their exploitation. In order to reduce the potential success of brute force attacks, the rate of repeated attempts should be slowed down, or accounts with multiple failed attempts temporarily locked. In addition to the aforementioned, outbound connections should be monitored (Verizon Enterprise Solutions, 2013).
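One way to implement the brute force controls just listed (slowing the rate of repeated attempts and temporarily locking accounts after multiple failures). This is an added example written for this section, not Verizon's code; the lockout threshold, lockout length, backoff schedule and the account table are assumptions chosen for illustration, and time is passed in explicitly so the behaviour can be reproduced without waiting.

```python
"""Login throttling: exponential backoff on repeated failures plus a temporary lockout.

Added illustration; thresholds and the credential table are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOCKOUT_THRESHOLD = 5     # consecutive failures before a temporary lockout (assumed policy)
LOCKOUT_SECONDS = 900     # lockout length, 15 minutes (assumed)
BASE_DELAY_SECONDS = 1.0  # wait after the first failure; doubles with each further failure


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success
    last_failure: float = 0.0  # time of the most recent failure
    locked_until: float = 0.0  # attempts before this time are refused outright


class LoginThrottle:
    def __init__(self, credentials: Dict[str, str]):
        # Constructed plaintext table for the example; real systems compare against salted hashes.
        self._credentials = credentials
        self._state: Dict[str, AccountState] = {}

    def required_delay(self, user: str) -> float:
        """Seconds a client must wait after the last failure before another attempt is evaluated."""
        st = self._state.get(user)
        if st is None or st.failures == 0:
            return 0.0
        return BASE_DELAY_SECONDS * (2 ** (st.failures - 1))

    def attempt(self, user: str, password: str, now: float) -> Tuple[bool, str]:
        """Evaluate one login attempt at time `now` (seconds); returns (success, reason)."""
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return False, "locked"
        # Attempts arriving before the backoff has elapsed are refused without evaluating
        # the password, so a guessing loop gains nothing by hammering the endpoint.
        if st.failures and now < st.last_failure + self.required_delay(user):
            return False, "too fast"
        if self._credentials.get(user) == password:
            st.failures = 0
            return True, "ok"
        st.failures += 1
        st.last_failure = now
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return False, "locked"
        return False, "invalid"


def simulate(attempts: List[Tuple[str, float]], user: str = "alice") -> List[str]:
    """Run a scripted sequence of (password, time) attempts against one account and return the reasons."""
    throttle = LoginThrottle({"alice": "c0rrect-Horse!"})   # constructed account
    return [throttle.attempt(user, pw, t)[1] for pw, t in attempts]


if __name__ == "__main__":
    script = [("guess1", 0), ("guess2", 0.5), ("guess3", 1), ("guess4", 3),
              ("guess5", 7), ("guess6", 15), ("c0rrect-Horse!", 16), ("c0rrect-Horse!", 1000)]
    print(simulate(script))
```

Unknown usernames take the same failure path as known ones, so the throttle itself does not reveal which accounts exist. Per-account throttling alone does not stop an attacker who spreads a few guesses across many accounts; production deployments also limit attempts per source address and, as the section recommends, add a second authentication factor.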

4.1.3 Insider and privilege misuse

Insider misuse encapsulates any unapproved or malicious use of organisational resources. Although this is mainly insider misuse, outsiders (due to collusion) and partners (due to privileges granted) also fall under the ambit hereof. Whilst unapproved hardware (employees using devices such as USB drives that are either forbidden altogether or allowed but subject to various restrictions), bribery, email misuse (an employee sending intellectual property to his personal address), data mishandling (someone using data in a manner counter to the organisation’s policies), use of stolen credentials, unapproved workarounds, physical theft, unapproved software and embezzlement are all threat actions falling under this section, the bulk of the confirmed incidents were perpetrated through privilege abuse (taking advantage of the system access privileges granted by an employer and using them to commit nefarious acts) (Verizon Enterprise Solutions, 2013).

Top industries affected by this type of attack include public, real estate, administrative, transportation, manufacturing and mining. 11,698 incidents of this nature were reported during 2013, with 112 confirmed data disclosures (Verizon Enterprise Solutions, 2013).

An organisation’s intellectual property is amongst its most valued assets, frequently driving its ability to compete in the market. Data usually consists of customer information, employee data, and the relationships which are the mainstay of the business. Not only is this data of value to the organisation, but also to those who seek it for their own personal benefit (or a myriad of other reasons). Verizon (Verizon Enterprise Solutions, 2013) discovered that most crimes perpetrated by trusted parties were to the ends of financial or personal gain. However, there was a noticeable increase in insider espionage targeting internal data and trade secrets. Arguably the most prominent case of internal misuse [in the headlines] in the past year is that of United States government contractor Edward Snowden (Verizon Enterprise Solutions, 2013). Through revelations leaked by the former National Security contractor, the United States was implicated in several cyber espionage campaigns (Trustwave Holdings Incorporated, 2013).

The Verizon report (Verizon Enterprise Solutions, 2013) indicates that in 71% of these incidents, the corporate Local Area Network (LAN) was the vector, and 28% took advantage of physical access within the corporate facility. What these results mean is that the majority of employees perpetrated their acts whilst in the office. Furthermore, the people committing these crimes are not only payment chain personnel and end-users, but also management (who often have access to trade secrets and other data). Personnel in management positions are also usually more likely to be exempted from following security policies, given their status within the organisation.

In terms of external actors committing crimes falling under this section, 36% of incidents were perpetrated through organised crime (who bribe insiders to steal data for fraud schemes), 24% by former employees (exploiting their still active accounts), 24% by unaffiliated individuals and 16% by competitors (soliciting intellectual property to gain business advantages). In more than 70% of intellectual property theft cases, the insider stole the information within 30 days of resigning (Verizon Enterprise Solutions, 2013).

Whereas nearly all misuse incidents prior to 2013 centred on obtaining information for fraud usage (72%), the latest data reflects that insider espionage targeting internal organisational data and trade secrets is on the increase (18%). In the latter instance, data is typically stolen in order for perpetrators to start their own competing company, or alternatively to help secure employment with a rival (Verizon Enterprise Solutions, 2013).

The most frequently compromised asset is the desktop, as an employee’s primary interface to the rest of the network. Data is typically stored on and uploaded from the desktop, emailed out of the organisation, or copied onto removable media. Databases and file servers, being repositories of data, are regularly targeted (Verizon Enterprise Solutions, 2013).

Traditionally, discovery methods for the majority of breaches are dominated by external signs. However, for insider misuse, internal methods represent 55% of detection methods (usually by employees reporting the misuse). External detection still appears prominently when considering discovery method, with this being the means of discovery in 55% of instances. Financial and information technology audits resulted in detection in 19% of cases (Verizon Enterprise Solutions, 2013).

As opposed to other types of incidents, the discovery time for misuse compares favourably with the majority of misuse incidents being detected within days. That being said, 13% of incidents took weeks to years to uncover (Verizon Enterprise Solutions, 2013).

In terms of organisational controls and policies which should be considered in order to mitigate misuse, Verizon recommend that organisations ensure that they are aware of where data is held and who has access thereto. Controls should be built to protect the data and be capable of detecting misuse. Following thereon, specific positions with access to sensitive data should be identified, along with a process to regularly review account activity when employees in these positions give notice or have left the organisation. It is of paramount importance that user accounts are disabled as soon as the employee has left the organisation (or even sooner, if warranted). Monitoring processes should also focus on data exfiltration. Lastly, it is recommended that anonymised results of audits of access are regularly publicised. This will serve to ensure that employees are aware that there are consequences to misuse and that policies are being enforced, and shall serve as a powerful deterrent to bad behaviour (Verizon Enterprise Solutions, 2013).
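The leaver controls recommended above (identify positions with access to sensitive data, review their account activity when they give notice or leave, and disable accounts as soon as the employee has left) reduce to a reconciliation between the HR leaver list, the directory and the authentication log. The following is an added illustration for this section, not Verizon's code; the leaver list, directory export, sensitive-position list and log lines are all constructed, as is the review date.

```python
"""Leaver reconciliation: accounts that should already be disabled, logins after departure,
and the activity-review queue for leavers in sensitive positions.

Added illustration; HR data, directory export and log lines are constructed.
"""
from datetime import date, datetime, timedelta
from typing import Dict, List, Set

# Constructed HR leaver list: username -> last working day.
LEAVERS: Dict[str, date] = {
    "jsmith": date(2013, 9, 30),
    "ndlamini": date(2013, 10, 15),
    "tmokoena": date(2013, 11, 8),
}
# Constructed directory export: username -> account enabled?
DIRECTORY: Dict[str, bool] = {"jsmith": True, "ndlamini": False, "tmokoena": True, "pvdmerwe": True}
# Positions identified as having access to sensitive data (constructed).
SENSITIVE_ACCOUNTS: Set[str] = {"jsmith", "tmokoena"}
REVIEW_DATE = date(2013, 10, 20)   # constructed "today" for the worked example

# Constructed authentication log, one event per line.
AUTH_LOG = """\
2013-10-02T08:14:03 user=jsmith result=success src=10.2.4.17
2013-10-02T08:20:41 user=pvdmerwe result=success src=10.2.4.22
2013-10-16T23:02:10 user=ndlamini result=failure src=10.2.9.5
2013-09-29T17:45:00 user=jsmith result=success src=10.2.4.17
"""


def parse_auth_log(text: str) -> List[dict]:
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def accounts_to_disable(leavers: Dict[str, date], directory: Dict[str, bool], today: date) -> List[str]:
    """Leavers whose last working day has passed but whose account is still enabled."""
    return sorted(u for u, last_day in leavers.items() if today > last_day and directory.get(u, False))


def post_departure_logins(events: List[dict], leavers: Dict[str, date]) -> List[dict]:
    """Successful authentications by a leaver after their last working day; each one is a control failure."""
    return [e for e in events
            if e.get("user") in leavers and e.get("result") == "success"
            and e["ts"].date() > leavers[e["user"]]]


def review_queue(leavers: Dict[str, date], sensitive: Set[str], today: date, window_days: int = 30) -> List[str]:
    """Leavers in sensitive positions whose account activity should be reviewed now: last day within
    `window_days` either side of today (the report notes that most IP theft happens within 30 days of resigning)."""
    window = timedelta(days=window_days)
    return sorted(u for u, last_day in leavers.items()
                  if u in sensitive and abs(last_day - today) <= window)


def run_review(today: date = REVIEW_DATE) -> dict:
    """Produce the three findings for the constructed data set."""
    events = parse_auth_log(AUTH_LOG)
    return {
        "disable": accounts_to_disable(LEAVERS, DIRECTORY, today),
        "post_departure_logins": [(e["user"], e["ts"].isoformat(), e["src"])
                                  for e in post_departure_logins(events, LEAVERS)],
        "review": review_queue(LEAVERS, SENSITIVE_ACCOUNTS, today),
    }
```

A successful login after the last working day is the finding that matters most: it shows both that the account was not disabled in time and that someone used it. The disable list is the preventive half of the same control, and running it daily against the directory catches the case before a login ever happens.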

4.1.4 Physical theft / loss

Any incident whereby an information asset went missing (whether through misplacement or malice) falls under this particular section. Industries predominantly affected hereby are the healthcare, public and mining sectors. A total of 9,704 incidents were analysed, with 116 confirmed data disclosures. Verizon were surprised to discover that assets are stolen from corporate offices more often than from personal vehicles or residences. Whilst personal and medical information is commonly exposed, most losses / thefts are reported due to mandatory disclosure regulations rather than due to fraud (Verizon Enterprise Solutions, 2013).

As would be expected, the most common category of asset lost or stolen is laptops, followed by documents, desktops and flash drives. Unfortunately incident reports often do not specify the asset lost or stolen and thus the largest category hereunder is represented by “other” (some kind of user device). Of particular interest is that losing information assets happens far more often than theft. This suggests that the vast majority of incidents reported under this pattern are not due to malicious or intentional actions. The primary challenge thus facing organisations is to minimise the impact when employees lose assets (Verizon Enterprise Solutions, 2013).

Surprisingly, the highest proportion of thefts occur in the victim’s work area (40%), which suggests that storing sensitive information in secure facilities is not sufficient, given that the exposure is the employees within these areas. 23% of thefts occurred from personal vehicles and 10% from personal residences, which highlights that mobile devices are prone to theft (Verizon Enterprise Solutions, 2013).

Given the fact that the bulk of these incidents are included due to the fact that they triggered mandatory reporting, it is unsurprising to discover that the bulk of at-risk-data falls under the personal and medical information categories (Verizon Enterprise Solutions, 2013).

Given human nature, it is difficult to manage this type of risk, but organisations can implement various actions in order to mitigate it, such as encrypting devices. Regular backups (preferably automatic) serve a threefold purpose for the organisation: they simplify recovery processes, minimise the time wasted in getting the employee up and running again and, lastly, establish what data was contained on the device in order to determine whether disclosure is necessary. Securing mobile equipment should be considered, as well as storing highly sensitive or valuable assets in a separate, secure area, where they should remain (Verizon Enterprise Solutions, 2013).

4.1.5 Miscellaneous errors

Incidents where unintentional actions directly compromised a security attribute of an information asset are reported under this category. Industries predominantly affected hereby are the public, administrative and healthcare sectors. A total of 16,554 incidents were assessed, including 412 confirmed data disclosures. The data suggests that highly repetitive and mundane business processes involving sensitive information are particularly error prone. This pattern contains more incidents caused by business partners than any other category (Verizon Enterprise Solutions, 2013).

Misdelivery (sending paper documents or emails to the wrong recipient) is the most common error (44%) resulting in data disclosure, followed by publishing errors which often involve accidentally posting non-public information to a public resource (22%) and disposal errors where the affected asset is thrown away without being shredded or, in the case of digital media, properly sanitized of sensitive data (20%). The culprits are almost entirely insiders; however, there are a fairly large number of incidents caused by partner errors (Verizon Enterprise Solutions, 2013).

Verizon (Verizon Enterprise Solutions, 2013) suggest that organisations only discover their own mistakes approximately a third of the time. External entities account for the balance of discoveries (68%), most frequently of which is the organisation’s own customers.

There are several steps which organisations can take in order to decrease the frequency of these miscellaneous errors, by reducing their exposure to the common error patterns that result in data disclosure. Data Loss Prevention (DLP) software could be implemented in order to reduce instances of sensitive information being transmitted by email, by identifying information which follows a common format, such as credit card details, identity numbers or medical billing codes. In terms of publishing errors, formal procedures for posting documents (to both internal and external sites) should be implemented. Policies could include the requirement for a second reviewer to approve anything posted to organisational servers, and blanket prohibitions against storing un-redacted documents on a file server that also has a web server running. Lastly, device recycling should be the responsibility of the information technology department. Sampling should be conducted in order to ensure that the disposal process has been successful. Should this function be outsourced to a third-party service provider, the contract governing the service should stipulate how data is transferred, stored and disposed of, as well as roles, responsibilities, verification and, of course, penalties for non-compliance (Verizon Enterprise Solutions, 2013).
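The DLP step above, recognising sensitive information by its format before an e-mail leaves the organisation, in working form. This is an added example for this section, not Verizon's; the billing-code pattern and the two sample messages are constructed. Card candidates are confirmed with the Luhn check digit that payment card numbers carry, so that an arbitrary 16-digit order reference is not flagged as a card.

```python
"""Outbound e-mail content inspection (DLP): flag payment card numbers confirmed by the Luhn
check digit, plus a constructed internal billing-code pattern, and mask cards before release.

Added illustration; the billing-code format and the sample messages are constructed.
"""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical internal medical billing code format used only for this example.
BILLING_CODE = re.compile(r"\bMED-\d{6}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit used by payment card numbers: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit runs of card length that also pass Luhn, returned without separators."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_cards(text: str) -> str:
    """Replace each Luhn-valid card number with a mask that keeps only the last four digits."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return f"[CARD ****{digits[-4:]}]" if luhn_valid(digits) else m.group()
    return CARD_CANDIDATE.sub(mask, text)


def inspect_message(text: str) -> Dict[str, object]:
    """Policy decision for one outbound message: block if any pattern matches, and offer a redacted copy."""
    cards = find_card_numbers(text)
    codes = BILLING_CODE.findall(text)
    return {"block": bool(cards or codes), "card_numbers": cards, "billing_codes": codes,
            "redacted": redact_cards(text)}


# Constructed sample messages; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLE_SENSITIVE = ("Please refund card 4111 1111 1111 1111 for order ref 1234 5678 9012 3456; "
                    "claim MED-004512 attached.")
SAMPLE_CLEAN = "Agenda for Monday attached. Order ref 1234 5678 9012 3456 has shipped."
```

The checksum step is what keeps the rule usable: without it every 13-19 digit reference number in a retailer's mail flow would be quarantined and the control would be switched off within a week. Identity numbers and billing codes need their own validators in the same shape; a bare digit-count regex is only a first filter.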

4.1.6 Crimeware

Any malware incident that does not fit the other patterns, such as espionage or point-of-sale attacks, is labelled “crimeware”, as the moniker accurately describes the common theme amongst such incidents. The industries most affected by this pattern are the public, information, utilities and manufacturing sectors, with a total of 12,535 incidents examined and 50 confirmed data disclosures. Under this pattern, the primary goal of the attacker is to gain control of systems as a platform for illicit uses such as stealing credentials, distributed denial of service attacks, spamming, etc. The most common infection vectors witnessed are web downloads and drive-bys (Verizon Enterprise Solutions, 2013).

The 2014 Trustwave Global Security Report indicates that the top three malware hosting countries were the United States (42%), Russia (13%) and Germany (9%) (Trustwave Holdings Incorporated, 2013).

According to Verizon (Verizon Enterprise Solutions, 2013), the incident pattern consists mainly of opportunistic infections tied to organized criminals with some sort of direct or indirect financial motive. Once the malicious code has acquired a level of access to and control of a device, a myriad of possibilities opens up for the attackers.

Zeus was a much-utilised crimeware of 2013, along with its offspring Citadel, both of which focus on stealing money via bank account takeovers. Despite the efforts of many, Zeus has eluded all attempts at eradication. Online markets offering cybercrime-as-a-service expanded, particularly through the utilisation of “booter” websites, which make this type of attack available to anyone who wishes to attack an organisation (Verizon Enterprise Solutions, 2013).

Verizon report that the majority of crimeware incidents are initiated through web activity, such as downloads or drive-by infections from exploit kits, rather than through the links or attachments contained in email. For malware reliant on social engineering, both scams and phishing continue to dominate. The variety of at-risk data under this pattern is predominantly credentials (82%), of which banking credentials represent 71% (Verizon Enterprise Solutions, 2013).

Zero-day vulnerabilities and corresponding exploits are one of the most sought-after items in underground markets. A stable zero-day exploit for a popular browser or plug-in is extremely marketable and is expected to fetch the equivalent of hundreds of thousands of United States dollars. Attackers typically use either server-side zero-day or client-side zero-day exploits. Criminals use server-side zero-day vulnerabilities to infiltrate organisations by directly attacking their servers. Client-side zero-day vulnerabilities enable infection of end-user machines, and through those compromised machines, an attacker can then pivot to other areas of an organisation’s systems (Trustwave Holdings Incorporated, 2013).

There is insufficient detail regarding incident discovery methods and timelines, because the incident response is often merely to wipe the system and restore its functionality. However, from the information at hand, notification of crimeware incidents is predominantly made by unrelated third parties (84%), and 67% of the time discovery is made within hours (Verizon Enterprise Solutions, 2013).

Recommendations to combat crimeware include ensuring that browsers and plugins are up to date and secure, and that patches are applied as soon as they are made available, since crimeware frequently exploits browser vulnerabilities and add-on functions. Many of the vectors and persistence methods employed by crimeware can be easily detected by monitoring indicators on systems, supporting the general theme of improving incident detection and response (Verizon Enterprise Solutions, 2013). Employees should be educated on best security practices, including strong password creation and awareness of social engineering techniques such as phishing. Furthermore, organisations should invest in gateway security technologies as a fallback to automate protection from threats such as zero-day vulnerabilities, targeted malware and malicious email (Trustwave Holdings Incorporated, 2013).

4.1.7 Card skimmers

Incidents wherein a skimming device was physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card (e.g. automated teller machines, point-of-sale terminals, etc.) are included under this pattern. Skimmer devices are evolving to appear more realistic and to become more efficient at exporting data through the use of Bluetooth, cellular transmission, etc. It is no surprise that the finance and retail industries are worst hit by this pattern. 130 incidents, all confirmed data disclosures, were analysed (Verizon Enterprise Solutions, 2013).

There is a common misconception that chip-based transactions on a PIN Transaction Security (PTS)-compliant PIN Entry Device (PED) give attackers little opportunity to compromise data. However, the security focus of PTS is merely the PIN, not other cardholder data such as account numbers or expiration dates. Following the implementation of a 2008 Visa Europe mandate requiring different security codes on the magnetic stripe and on the chip, it is not possible to clone a credit or debit card from chip data. For example, if an attacker captures data from the magnetic stripe, they will have the stripe’s CVV number but not the chip’s iCVV code. Writing the data from a chip onto the magnetic stripe of a forged card will result in any attempted purchases with that card being declined. However, forgers can extract the full card number and expiration date from chip data. This allows criminals to use stolen credentials to make purchases from e-commerce sites that do not require the CVV2 security code to authorise a transaction. Online retailers requiring the CVV2 will limit the value (to criminals) of standalone card numbers and expiration dates (Trustwave Holdings Incorporated, 2013).

Whilst most incidents are linked to East European actors, nearly all of the victims of payment card skimmers assessed in this report are United States organisations. Bulgaria is the most common origin of card skimmer attacks, representing 38% of attacks. Armenia and Romania each contributed 18% of the attacks, followed by Brazil and the United States at 8% each. Bosnia and Herzegovina, Cuba, Iran, Mexico and Nigeria make up the balance proportionately (Verizon Enterprise Solutions, 2013).

The bulk of 2013 card skimming attacks (87%) were directed at automated teller machines (ATMs). It is surmised that this is due to the relative ease with which they can be approached and tampered with. More highly skilled criminals collect data from the skimmer via Bluetooth or SIM cards with remote caching and tampering alerts (Verizon Enterprise Solutions, 2013).

Verizon (Verizon Enterprise Solutions, 2013) report that this pattern is most commonly detected by a third party (76% of the time). In most instances the third party is a payment card organisation or a customer who has noticed fraudulent activity. Occasionally the activity is exposed by law enforcement agencies that have arrested criminals with skimming devices in their possession. On rare occasions, observant users notice the skimming equipment and report it to management.

Organisations are urged to purchase terminals whose designs are less susceptible to skimming devices than others. Tamper-evident measures should be implemented, such as a simple sticker over a door, or visual anomaly monitoring. Terminals should be monitored frequently for unauthorised tampering, with employees trained to spot skimmers and to recognise the suspicious behaviour of individuals attempting to install the equipment. From a consumer point of view, one should cover one’s hand when entering a personal identification number (PIN), avoid locations which appear suspicious, and report anything that appears amiss at a payment terminal to management (Verizon Enterprise Solutions, 2013).

4.1.8 Cyber-espionage

This pattern encompasses incidents such as unauthorised network or system access linked to state-affiliated actors and/or exhibiting the motive of espionage. Industries most affected by this pattern are the professional, transportation, manufacturing, mining and public (embassies, economic programmes, military and other support organisations) sectors. Victims within the Professional, Scientific and Technical Services category typically deal with custom computer programming services, research and development, engineering and design, and legal practices. Thus, many of these organisations are targeted due to the contracts and relationships which they hold with other organisations: not only do they serve as a valuable aggregation point for victim data, but also as a trusted exfiltration point across several target organisations. Manufacturing industries are typically targeted for the intellectual property, technology and business processes they hold. Out of the 511 incidents assessed (triple the number analysed in the 2012 dataset), there are 306 confirmed data disclosures (Verizon Enterprise Solutions, 2013).

The Global State of Information Security Survey 2015 reported a 19% increase in intellectual property theft, with 24% of thefts represented by the theft of “soft” intellectual property, which includes information on processes and institutional knowledge. Fifteen percent reported the theft of “hard” intellectual property which encompasses strategic business plans, deal documents and sensitive financial documents. It is surmised that the reason for this increase may be that organisations are discovering that it is simpler and more cost effective to steal information stored in digital formats, and quicker to steal intellectual property and trade secrets, than to develop such capabilities themselves (PricewaterhouseCoopers LLP, 2014).

Given that regulation does not require that breaches of internal information and trade secrets be made public, comprehensive information on this pattern is scarce. In addition, because there are no fraud algorithms to alert victims to the illicit usage of such data, many cases of espionage are left undiscovered (Verizon Enterprise Solutions, 2013). Furthermore, given the ability of nation-state adversaries to attack without detection, it is expected that the number of compromises is under-reported (PricewaterhouseCoopers LLP, 2014).

Geographically, the United States is the most targeted victim (54%), followed by South Korea (6%), Japan (4%) and then the Russian Federation (3%). Colombia, Ukraine, Vietnam, Belarus, Kazakhstan and the Philippines are also represented. Unfortunately victim size is not often tracked, but a wide distribution of both size and type of victim organisation is evident. In terms of the geographic location of external actors within cyber-espionage, the data indicates that 49% of attacks emanate from Eastern Asia (represented in particular by the People’s Republic of China and the Democratic People’s Republic of Korea) and 21% from Eastern Europe (Russian-speaking actors in particular), with 25% unattributed to any particular geographical area (Verizon Enterprise Solutions, 2013).

The study reflects that most incidents within this category are attributed to state-affiliated actors (87%). However, the data also indicates that the activity is perpetrated by organized criminal groups, competitors, and former and current employees. Motives are no longer just espionage, but also financial interests (Verizon Enterprise Solutions, 2013). The Global State of Information Security Survey 2015 found that there was an 86% increase in respondents who reported having been compromised by nation-states. It is thought that the increase in the number of incidents attributed to nation-states is due to geopolitical events in Eastern Europe and the Middle East, which have largely coincided with an increase in distributed denial of service attacks, as well as the utilisation of sophisticated espionage spyware. The survey also reported a 64% increase in the number of security incidents attributable to competitors. This is particularly acute in the Asia Pacific region, particularly China, where 47% of survey respondents identified competitors as the source of security incidents (PricewaterhouseCoopers LLP, 2014).

A wide range of tools (employing a wide range of capabilities) are utilised by state-affiliated groups, resulting in a broad range of threat actions deployed. Whilst the array of tools utilised is diverse, the basic method of gaining access to the victim’s environment is not: the most prolific is spear phishing. This is conducted by sending a well-crafted, personally or professionally relevant email to target users, prompting them either to open an attachment or to click on a link within the mail. When the user inevitably executes the required action, malware is installed on the system and a backdoor or command channel is opened, which permits the attacker entry. Email attachments are the vector for 78% of malware actions within cyber-espionage, and web drive-bys for 20%. Strategic web compromises (SWC) set a trap within (mostly) legitimate websites which are likely to be visited by the targeted demographic. When the victim visits the page, the trap is sprung and the system infected, once again allowing the attacker access (Verizon Enterprise Solutions, 2013).

The variety of at-risk data within cyber-espionage ranges from internal information, secrets and system information to credentials and classified information. Under this attack pattern, it typically takes the victim organisation months (or more) to discover the breach. Discovery is usually made by an external party’s notification, most commonly from threat intelligence and research organisations (Verizon Enterprise Solutions, 2013).

Recommended controls to mitigate this type of threat action do not vary greatly from those suggested throughout this dissertation, and include basic mainstays such as continuous patching, utilisation of up-to-date anti-virus software, training of employees and network segmentation. Incident logging is also suggested, as well as advanced solutions that more completely defend against phishing: not relying solely on spam detection and blocklists, but also conducting header analysis, pattern matching based on previously detected samples, and sandbox analysis of included attachments or links. Furthermore, it is suggested that the organisation collect and/or buy threat indicator feeds, which are useful within intelligence and monitoring operations. Outbound traffic should not only be monitored but also filtered for suspicious connections and potential exfiltration of data to remote hosts. Lastly, lateral movement within the network should be curtailed. Two-factor authentication shall assist in containing the widespread and unchallenged re-use of user accounts (Verizon Enterprise Solutions, 2013).
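
The header and attachment analysis recommended above, as an added example that is not part of the dissertation or the Verizon report: it checks where a message actually arrived from against the sender it claims, whether replies are diverted to another domain, and whether an executable-type attachment (the 78% vector) is carried, then decides whether the message is held for sandbox analysis. The organisation's domain, the hosts, the addresses and the sample message are assumptions constructed for the example.

```python
"""Triage of an inbound message for spear-phishing indicators (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the protected organisation's own mail domain (placeholder).
INTERNAL_DOMAIN = "example.org"
# Attachment types that commonly carry executable content.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".docm", ".xlsm")

# Constructed sample: an external relay delivers mail that claims an internal
# sender, diverts replies to a look-alike domain and carries an .exe attachment.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.invalid>
Received: from mail-relay.invalid (unknown [203.0.113.7])
    by mx.example.org with ESMTP id constructed001
    for <j.smith@example.org>; Mon, 3 Mar 2014 09:12:33 +0000
From: "IT Helpdesk" <helpdesk@example.org>
Reply-To: helpdesk-support@ex4mple.org
To: j.smith@example.org
Subject: Updated VPN client for the Q2 audit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached client before Friday.
--b1
Content-Type: application/octet-stream; name="vpn_update.exe"
Content-Disposition: attachment; filename="vpn_update.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""


def _domain(header_value: str) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _last_hop_host(msg) -> str:
    """Host named in the top-most Received header, i.e. the hop nearest to us."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.search(r"from\s+([\w.-]+)", str(received[0]))
    return m.group(1).lower() if m else ""


def is_internal_host(host: str) -> bool:
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def analyse(raw: str) -> list[str]:
    """Return the phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators: list[str] = []
    from_domain = _domain(str(msg.get("From", "")))
    reply_domain = _domain(str(msg.get("Reply-To", "")))
    last_hop = _last_hop_host(msg)

    # Header analysis: an internal sender address arriving via an external host.
    if from_domain == INTERNAL_DOMAIN and not is_internal_host(last_hop):
        indicators.append(f"internal sender claimed but last hop is {last_hop or 'unknown'}")
    # Replies diverted to a domain other than the apparent sender's.
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"reply-to domain {reply_domain} differs from {from_domain}")
    # Attachment analysis: executable-type payloads.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            indicators.append(f"executable-type attachment {name}")
    return indicators


def verdict(raw: str) -> str:
    """Two or more indicators: quarantine for sandbox analysis; one: flag; none: deliver."""
    hits = len(analyse(raw))
    return "quarantine" if hits >= 2 else "flag" if hits == 1 else "deliver"


if __name__ == "__main__":
    for indicator in analyse(SAMPLE_RAW):
        print("-", indicator)
    print("verdict:", verdict(SAMPLE_RAW))
```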

4.1.9 Denial of Service Attacks

Denial of Service (DoS) attacks are any attacks intended to compromise the availability of networks and systems. They include both network- and application-layer attacks, and are usually directed against the finance, retail, professional, information and public industries. Whilst there were no confirmed data disclosures, a total of 1,187 incidents were analysed in the study (Verizon Enterprise Solutions, 2013).

September 2012 saw a new trend developing: whereas in the past denial of service attacks were primarily generated from compromised home computers or willing participants, attackers moved to exploiting vulnerable websites and content management systems (CMSs), on which they placed denial of service attack scripts. This method allows high-packet-rate, high-bandwidth attacks (Verizon Enterprise Solutions, 2013).

Recommended controls to combat this attack pattern include turning off servers or services when not in use, and ensuring that they are patched when they are in use. Anti-DDoS services should be utilised and regularly tested. Incident teams should respond timeously and not rely on the provider’s “auto-mitigation” service. Detailed business and disaster recovery plans should be compiled so that the organisation can act appropriately in the event that the primary anti-DDoS protection does not work (Verizon Enterprise Solutions, 2013).

4.1.10 Everything else

As the name intimates, any incidents (7,269 in total) that do not fit within the patterns discussed above fall within this pattern, because there is insufficient detail to classify them appropriately (Verizon Enterprise Solutions, 2013).

The discussion above makes for interesting reading in that it highlights that malicious intrusions (point-of-sale intrusions, web application attacks, crimeware, card skimmers, cyber espionage and denial of service attacks) account for over 80% of incidents reviewed by Verizon Enterprise Solutions (2013). In addition, the statistics highlight that individuals in their personal capacity are being targeted, and that their data can be breached with relative ease through the likes of point-of-sale intrusions and card skimmers. Furthermore, the intrusions discussed above reveal that organisations do not only face exposure through [malicious] third parties, but that perhaps one of the biggest risks is employees! The next chapter focuses on data legislation with a view to establishing what onus is placed on the organisation in terms of protecting information, as well as the ramifications of a data breach.

5. Data Protection Legislation

Having considered the various types of cyber exposures which can impact upon an organisation (section 2), as well as their frequency and ramifications for organisations (sections 3 and 4), the discussion now turns to what data protection legislation is currently in place, as well as any other legislation which includes the protection of personal information under its ambit. The European Union and United States have the most comprehensive legislation in place, and thus these jurisdictions’ legislation is considered in depth. South Africa’s legislation has historically been largely silent on the issue of data protection, but the latest legislation shall see this rectified.

5.1 European Union

The concept of a right to privacy only emerged after the Second World War, in Article 12 of the Universal Declaration of Human Rights, according to which no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence. Article 8 of the European Convention on Human Rights (ECHR) followed, providing the right to respect for one’s private and family life, home and correspondence; no interference by a public authority with the exercise of this right is allowed except in accordance with the law, and where necessary for certain important and legitimate interests (Hustinx, 2014).

The Council of Europe concluded, in the early 1970s, that Article 8 had a number of shortcomings, particularly in light of new developments such as the growing use of information technology. The Committee of Ministers to the Member States recommended that the necessary steps be taken to give effect to certain principles on the protection of the privacy of individuals in the private and public sector. After four years, this resulted in the adoption of the Data Protection Convention (also known as Convention 108), which was ratified by 46 countries (including all EU Member States). The Convention secures, for every individual, respect for his rights and fundamental freedoms, particularly his right to privacy, with regard to the automatic processing of personal data relating to him (Hustinx, 2014).

The European Data Protection Directive of 1995 is currently the main legislation in the European Union overseeing the processing of personal data. The Directive emphasises the processing and free movement of personal data. Whilst the Directive does seek to protect individuals with regard to the processing of personal data, this is not the main consideration of the legislation, as the requirements of government and private business to collect, analyse and store data are given greater priority. The legislation applies to the 27 Member States of the Union, as well as to the European Economic Area, which includes Iceland, Liechtenstein and Norway (De Hert & Galetta, 2014).

The European Data Protection Directive is considered to be a milestone towards fundamental citizen data protection rights. Prior to the legislation, data protection fell under the ambit of national initiatives. The Organisation for Economic Co-operation and Development (OECD) Guidelines of 1980 contributed greatly towards the establishment of data protection under a European framework, as did the Council of Europe Convention 108. The protection of personal data, as well as the rights of data subjects to access their data and require rectification thereof, is also legitimised within the Charter of Fundamental Rights of the European Union. The Directive draws on the key principles of the OECD Guidelines, espousing the eight basic principles of data protection (refer to section 4.2 above, which discusses these principles in detail). Furthermore, the principles pertaining to the quality of data and data processing, as dealt with in Chapter II of the Council of Europe Convention 108, are also included within the Directive. The legislation under the Directive contains three main features: the establishment of a balance between fundamental rights and privacy and the free movement of data; the definition of the reciprocal relationship between the data controller and the data subject; and lastly, the empowerment of Member States to make the final decision in respect of the effective application of the legislation’s provisions (De Hert & Galetta, 2014).

Besides Directive 95/46/EC, there are other categories of instruments relevant to European Union data protection: acts which specify the rules in a particular area, acts applying the rules at EU level, and acts applying them in the law enforcement area. The first is Directive 2002/58/EC on privacy and electronic communications, which specified Directive 95/46/EC for the area of publicly available electronic communications services and public communications networks. This Directive covers issues ranging from the security and confidentiality of communications, the storage and use of traffic and location data, and unsolicited communications, regardless of the technology used (Hustinx, 2014).

Regulation (EC) 45/2001 implemented Directive 95/46/EC and Directive 97/66/EC, the predecessor of Directive 2002/58/EC, for EU institutions and bodies. The legal basis for the establishment of an independent supervisory body was laid down in Article 286 of the EC Treaty, which provides that 'Community acts' on the protection of individuals with regard to the processing of personal data and the free movement of such data should also apply at EU level. Thus, Regulation (EC) 45/2001 saw the establishment and empowerment of the European Data Protection Supervisor (Hustinx, 2014).

The Treaty of Maastricht (1992) and the Treaty of Amsterdam both resulted in areas traditionally covered by the third pillar of the European Union (namely immigration, asylum and border control) being transferred to the first pillar (internal market legal basis), bringing those areas under the ambit of Directive 95/46/EC. This resulted in several regulations of considerable data protection relevance being adopted. The third pillar provisions of the EU Treaty provided for common action in the field of police or judicial cooperation in criminal matters being subject to appropriate safeguards pertaining to the protection of personal information. Furthermore, it was also held that common data protection standards would contribute to the efficiency and legitimacy of such cooperation. This ultimately led to Council Framework Decision 2008/977/JHA, which provided general rules on the protection of personal data processed in the context of police and judicial cooperation in criminal matters. It should be noted that the Decision only applies when personal data is transmitted or made available to other Member States, and does not extend to domestic processing (unlike Directive 95/46/EC) (Hustinx, 2014).

Another piece of law which impacted heavily on the development of European data protection law was the Lisbon Treaty, which was signed on 13 December 2007 and entered into force in December 2009. This Treaty was given the same legal value as the Treaties in the Treaty on European Union (TEU), and the right to the protection of personal data is specifically mentioned in the Treaty on the Functioning of the European Union (TFEU). The institutional structure of the EU has been reshaped by the Lisbon Treaty, with the old pillar structure being replaced by the proven Community method for decision making, also in areas where unanimity had been the practice in Council and Parliament had played only an advisory role. Under this method, the Commission continued to be the initiator of new legislation, to be adopted by Parliament and Council in co-decision, each of them acting with majorities depending upon the subject. Thus, data protection legislation in the former third pillar (which had been adopted by the Council acting alone), in order to be compliant with Article 16(2) of the TFEU, would have to be replaced by rules adopted by Parliament and Council in co-decision. The aforementioned has added to the requirement that the EU legal framework for data protection be reviewed (Hustinx, 2014).

The new European Union Data Protection Regulation shall see the European Union having a tougher data protection regime to adhere to (Business Standards Institution Group, 2014), replacing the earlier Data Protection Directive of 1995. The formal process was triggered by a proposal for the regulation of the processing and protection of personal data. In addition, there was also a proposal for a directive to legislate the protection of personal data for the purposes of preventing, investigating, detecting and prosecuting criminal offences. This was in response to four key concerns which had emerged, namely new technological changes and challenges; the exponential growth of digital information and communication; the internationalisation of the exchange of personal data; and lastly, the utilisation of commercial data for law enforcement purposes (De Hert & Galetta, 2014). The European Parliament voted in favour of the new European Union Data Protection Regulation (EUDPR) in March 2014 (Crawford & Company, 2014), and it is one of the most comprehensive and heavily enforced data breach notification regimes in the world. The legislation specifies that the onus is on the organisation to ensure that there are sufficient protections in place to prevent information security breaches. The Regulation requires that the organisation have a dedicated Data Compliance Officer (in the event that the organisation’s staff complement is in excess of 250) and that impact assessments pertaining to data privacy be carried out in respect of new projects. Data subjects are empowered to challenge data protection infringements, and individuals’ consent must be obtained for their data to be held. The Regulation requires that data breaches be promptly reported, and the organisation could potentially be liable for penalties of up to 2% of global turnover (Business Standards Institution Group, 2014).

The reforms included under the European Union Data Protection Regulation include mandatory breach notification within 24 hours (if feasible), as well as fines of 5% of annual worldwide turnover (or EUR100m, whichever is greater) should the organisation have failed to protect sensitive information (Crawford & Company, 2014).

The new legislation will have a particularly significant impact upon non-European organisations operating within the EU, given that the legislation shall apply to these entities too. This is reflective of the e-commerce age where business has become borderless (Triger, 2014).

Fortunately, organisations shall have a grace period of two years in which to adopt and implement the requirements of the Regulation (Trustwave Holdings Incorporated, 2013). It is expected that the Regulation shall come into force in early 2017 (Business Standards Institution Group, 2014).

Critics of the legislation claim that the economy shall stagnate and suggest that Europe was in fact attempting to create a trade barrier against US organisations operating in lucrative personal-information-intensive service markets. Quick to point out the potential economic losses caused by increased privacy protection, critics asserted that any firm operating within or receiving information from the EU would have to revise its data-handling processes. Barriers would effectively be erected against organisations which traditionally automate data collection, particularly in their attempts to offer personalised or targeted advertisements. This would be further exacerbated by the “opt in” requirement presented by the legislation (Krup & Movius, 2009).

It is hoped that a careful balance shall be struck by European Union legislators in the upcoming inter-institutional negotiations, which shall allow for the establishment of a robust, future-proof regulatory framework that protects users’ rights without creating unnecessary burdens for industries (Romano, 2015).

5.2 United States

In the United States, instead of a single law regulating the collection and processing of personal data, data protection is regulated by several state and federal laws, which are discussed in the section below. It is likely that the different approaches stem from historical differences: Europe has had much experience with dictators, and in that light data protection was considered a human right, legislated by comprehensive data protection regulations. Conversely, market forces dictate data protection in the United States, an example of which is the adoption of the US Patriot Act (developed in response to September 11, 2001), which saw personal data collection restrictions on law enforcement agencies being significantly reduced (Dimov, 2013).

The most important and broad-based laws specifically dealing with the concept of data protection are the Privacy Act of 1974 and the Computer Matching and Privacy Protection Act of 1988. However, these laws apply only to personal information held by government and do not extend to data held by other entities. The Freedom of Information Act (FOIA) of 1966 was primarily intended to provide access to government information, but also contained provisions which ultimately prohibited people from accessing their own records. Thus, the Privacy Act was adopted to protect personal information in federal databases, but also to provide individuals with certain rights over the information contained in those databases. Not only does the Act address problems posed by electronic technologies and personal records systems, it also sets forth basic principles of fair information practice. Individuals have the right to access their information under the Act. The Act also specifies that personal information may only be disclosed with consent. Lastly, the Act also requires that federal agencies publish, on an annual basis, a list of the systems maintained by the agency which contain personal information. The Computer Matching and Privacy Protection Act of 1988 amended the Privacy Act by adding new provisions pertaining to the utilisation of computer matching (whereby a computerised comparison is utilised for eligibility determination purposes) under Federal benefit programs (Stratford & Stratford, 1998).

In 1995, the United States Secret Service created the New York Electronic Crimes Task Force (ECTF) to join law enforcement, private industry and academia to share information, stop emerging threats and aggressively investigate incidents. Recognising the success of this model, in 2001, Public Law 107-56 directed the Secret Service to establish a network of Electronic Crimes Task Forces for the purpose of preventing, detecting and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems. Thirty-five ECTFs, throughout the United States as well as in London and Rome, are operated by the Secret Service (Trustwave Holdings Incorporated, 2013).

Interestingly, despite not being specifically included under the legislation, a cyber-attack could potentially be covered under the Terrorism Risk Insurance Program Reauthorization Act (TRIA), depending on the type of attack and coverage. This legislation was implemented subsequent to the September 11, 2001 attacks as a measure to encourage insurers to insure New York City buildings (Schutzer, 2015). However, this is disputed, with some opponents stating that TRIA, as originally written, explicitly describes attack modes, amongst which cyber is not mentioned (CRO Forum, 2014).

Unlike the European Union, the United States does not have a single overarching privacy law. Instead, a sectoral approach towards data protection legislation has been adopted, where certain industries are covered and others are not. At a state level, most states have enacted some form of privacy legislation. We shall later discuss three of the important federal data protection laws, namely, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Fair and Accurate Credit Transaction Act (FACTA) of 2003, and the Children’s Online Privacy Protection Act (COPPA) of 1998 (Dimov, 2013).

The Health Insurance Portability and Accountability Act aims to protect health data which is individually identifiable. The legislation goes on to define who can have access to health information, including medical providers’ records, health insurers’ records, billing information, as well as medical conversations concerning the patient’s care and treatment (Dimov, 2013).

The aim of the Fair and Accurate Credit Transaction Act is to assist in protecting consumers’ credit information from the exposures related to data theft. Credit card and debit card receipts are not to list more than the last five digits of the card number. Furthermore, a person requesting a credit report may request that the first five digits of his identity number are not included thereon (Dimov, 2013).

The Children’s Online Privacy Protection Act of 1998 protects the privacy of children under the age of 13. Included under the ambit of the Act are websites that are directed at children, or that have knowledge that children are visiting the website. COPPA requires that these website operators publish privacy policies specifying whether or not personal information is being collected, how this information is being used, as well as the disclosure practices. Verifiable parental consent is required in order for information to be collected from children. Parents may request a description of the type of information being collected and furthermore, request that the website operator stop collecting data from the particular child (Dimov, 2013).

5.3 South Africa

The impact of data protection legislation, corporate governance and guidelines has been discussed in great detail in this dissertation. Furthermore, legislation impacting specifically on the protection of personal information has also been assessed above. However, South Africa is largely remiss in its ability to protect personal information given that until recently, the country did not have specific data protection legislation. Hereunder follows a discussion of the legislation which is currently in force, as well as the imminent Protection of Personal Information Act which was largely modelled on the latest European Union directives.

5.3.1 Electronic Communications and Transactions Act No. 25 of 2002

The stated objective of the Electronic Communications and Transactions Act No. 25 of 2002 (ECT Act) is “to provide for the facilitation and regulation of electronic communications and transactions; to provide for the development of a national e-strategy for the Republic; to promote universal access to electronic communications and transactions and the use of electronic transactions by SMMEs; to provide for human resource development in electronic transactions; to prevent abuse of information systems; to encourage the use of e-government services; and to provide for matters connected therewith” (Electronic Communications and Transactions Act No. 25, 2002, p. 2).

Section 2 of the Electronic Communications and Transactions Act No. 25 (2002, p. 16) elaborates on the above by noting that it is the purpose of the Act, amongst other objectives, to:

a) Recognize the importance of the information economy for the economic and social prosperity of the Republic;

b) Remove and prevent barriers to electronic communications and transactions in the Republic;

c) Promote legal certainty and confidence in respect of electronic communications and transactions;

d) Promote technology neutrality in the application of legislation to electronic communications and transactions;

e) Ensure that electronic transactions in the Republic conform to the highest international standards;

f) Encourage investment and innovation in respect of electronic transactions in the Republic;

g) Develop a safe, secure and effective environment for the consumer, business and the Government to conduct and use electronic transactions;

h) Promote the development of electronic transactions services which are responsive to the needs of users and consumers;

i) Ensure compliance with accepted International technical standards in the provision and development of electronic communications and transactions;

j) Promote the stability of electronic transactions in the Republic;

k) Ensure that the national interest of the Republic is not compromised through the use of electronic communications.

The concept of a “data message”, defined by the Act as data generated, sent, received or stored by electronic means, is introduced. In addition, an “automated transaction” is defined as an electronic transaction conducted or performed in whole or in part by means of data messages in which the conduct or data messages of one or both parties are not reviewed by a natural person in the ordinary course of such natural person’s business or employment. The Act affords legal recognition to data messages, on the grounds that information is not without legal force merely due to the fact that it is in the form of a data message. Furthermore, Section 12 of the Act provides that, where it is required by law that a document or information be provided in writing, it is permissible for such to be in the form of a data message (Peter, 2003).

Consumer protection is considered in this legislation, with Chapter 7 providing for the disclosure requirements by suppliers offering goods or services for sale, hire or exchange by way of an electronic transaction. Consumers are afforded a ‘cooling off’ period during which they may cancel an electronic transaction without penalty. However, it should be noted that this ‘cooling off’ period does not apply to certain types of transactions, including financial services and other transactions where the right to cancel the transaction after seven days would not be practical, or would be unfair towards vendors.

Peter (2003) considers Chapter 7 to be one of the more important aspects of this legislation, as it also deals with electronic ‘junk mail’. It requires that the sender of unsolicited commercial electronic communications provides the addressees with an option to cancel their subscription to the mailing list in question. Furthermore, it also prescribes that the recipient may, on request, be provided with the identifying particulars of the source from which their personal information was obtained. Continued unsolicited commercial communications to an individual who has advised the sender of their unwillingness to receive same is now criminalised.

The protection of personal information, obtained through electronic transactions, is dealt with in Chapter 8 in this legislation. Data collectors are required to have express written permission from the data subject for the collation, processing, or disclosure, of their personal information. Regulation and enforcement thereof is not expressly dealt with herein (Peter, 2003).

Continuing in the vein of the sanctity of personal information, the Act also considers the protection of critical databases. “Critical data” is data declared by the Minister to be of importance for the protection of national security, as well as the economic and social wellbeing of the country’s citizens. Chapter 9 details the registration of critical databases, and affords the Minister the ability to prescribe specific standards and prohibitions in respect of the management and administration of critical databases. The Act also provides for the inspection of such databases.

The roles and responsibilities of service providers (persons providing information system services) are defined, stating that they have no obligation to monitor the data which they transmit or store, nor actively seek facts or circumstances indicating unlawful activity (Peter, 2003).

The ECT Act criminalises the accessing, or interception, of any data without authority or permission to do so. Cyber-crime offences are detailed, noting that any intentional and unauthorised interference with data which results in the modification, destruction or damage thereof is an offence. Interestingly, the unlawful production, sale, distribution or possession of any device, or computer program to overcome security measures for the protection of data, or the utilisation of such a device or program is also considered to be an offence. Furthermore, the threat of computer hacking, for the purpose of extortion, has also been criminalised herein (Peter, 2003). Hacktivists can be prosecuted under the Act, with offences attracting a fine or imprisonment not exceeding five years (Sutherland, 2015).

Section 15 of the Act repeals the Computer Evidence Act 57 of 1983, governing the admissibility of computer evidence and affording information in the form of a data message due evidential weight.

The Protection of Personal Information Act No. 4 of 2013 (refer section 7.3.4 hereunder) will largely repeal the provisions contained in the ECT Act and replace them with a prescriptive and stringent regulatory regime. Given the limited protection afforded to personal information and the processing thereof, the POPI Act shall be strongly welcomed and is discussed in detail hereunder.

5.3.2 Protection of Personal Information Act (POPIA)

Per the discussion above, the Republic of South Africa has had scant data protection legislation in place to date. Not having adequate legislation in place shall ultimately present a barrier to international trade, specifically noting that the European Data Protection Directive requires that personal data should only flow outside European Union boundaries to countries which can provide an assurance of adequate personal data protection (Pillay, 2014).

However, Section 14 of the Constitution of the Republic of South Africa 1996 provides that everyone has the right to privacy, which includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.

Signed into law on 26 November 2013, the Protection of Personal Information Act No. 4 of 2013 (POPIA) aims to bring South Africa in line with international data protection laws by promoting the protection of personal information processed by public and private bodies and by introducing certain conditions so as to establish minimum requirements for the processing of personal information. The Act extends to the provision of rights of persons regarding unsolicited electronic communications and automated decision making, and seeks to regulate the flow of personal information across the borders of the Republic of South Africa (Protection of Personal Information Act No. 4 of 2013).

POPIA governs the processing of personal information, which broadly includes information relating to the gender, marital status, race, age, health, religion, conscience, belief, language, financial, criminal and employment information, addresses, fingerprints, personal opinions and private or confidential correspondence of a person. Not restricted to individuals, the Act also applies to private and public entities (called “responsible parties”). Similar to the EU legislation, POPIA also applies to responsible parties not domiciled in South Africa but who make use of automated or non-automated means of processing situated in South Africa (Pillay, 2014).

POPIA requires personal information to be processed in accordance with eight conditions for lawful processing, and creates rights and responsibilities respectively on the part of what POPIA defines as responsible parties, and data subjects (Protection of Personal Information Act No. 4 of 2013). These conditions closely resemble the data protection principles utilised in the European Union and include accountability, process limitations (fair and lawful processing), purpose specification, further processing limitations, information quality, openness, security safeguards and data subject participation (Pillay, 2014).

POPIA incentivises compliance through various enforcement and punitive mechanisms (Pillay, 2014). Similar to the European Union, the Act provides for the establishment of an Information Regulator to exercise certain powers and to perform certain duties in terms of this Act (Protection of Personal Information Act No. 4 of 2013). The Information Regulator’s functions shall include monitoring and enforcing compliance with the Act, the handling of complaints, the issuance and regulation of codes of conduct, and the facilitation of cross-border cooperation (Pillay, 2014).

POPIA introduces strict liability for the interference with personal information. There are three elements of potential liability stemming from POPIA (Protection of Personal Information Act No. 4 of 2013):

1. Civil liability for patrimonial and non-patrimonial damages for interference with personal information (whether or not there is intent or negligence);

2. Criminal liability, attracting imprisonment not exceeding ten years and / or the payment of a fine; and

3. Administrative liability for an administrative penalty payable to the Information Regulator, to the maximum of R10 million.

The commencement date of the Act is yet to be announced by the President in the Government Gazette. Until then, it is unlikely that organisations shall, of their free will, report any data breaches. Once legislation forces disclosure, the true nature of South African data breaches shall become apparent.

As is apparent from the above, it has been the United States’ approach to provide specific and narrowly applicable legislation, whereas there are unified supra-national policies for the European Union regions. Most European Union countries have implemented these policies, which outline a set of rights and principles for the treatment of personal data, with omnibus legislation. Legal tradition in the United States is more concerned with the regulation of data collected by the federal government (Stratford & Stratford, 1998).

The United States has refrained from implementing personal data protection legislation whilst the European Union has proactively regulated uses of personal data. Whilst the US is increasingly in favour of security (eclipsing privacy protection), European policy espouses personal freedoms and supports most of their legislation. Thus, the variances in privacy legislation stem largely from fundamental differences in cultural values and belief systems (Krup & Movius, 2009).

Both the US and EU are initiating strategies in respect of information sharing. The EU seeks to do so under its draft EU Cybersecurity Directive, whilst the US intends to do so through the building of good cyber-citizens (through awareness and information sharing). The aim of both initiatives is to ensure that entities involved in the provision of certain critical infrastructure take appropriate steps to manage cybersecurity risks, and to encourage this through information sharing. Whilst the EU approach mandates compliance, the US approach is closer to self-regulation within defined frameworks. The new EU data regulation shall also interact with this, and thus the legislation is of great interest (Webber, 2015).

However, regulatory differences present numerous problems when countries face a cross-border spillover. When the impact of regulation is not limited to the originating jurisdiction, regulatory spillover occurs and creates wasteful bureaucracy, confusion and inefficiencies for the countries and organisations involved, as well as for the public. Such excessive regulatory spillover could potentially disrupt both the US and EU economies, which is of particular concern given that the US and EU enjoy the world’s largest bilateral trade relationship (Krup & Movius, 2009).

The European Union has been negotiating with the United States since March 2011, an international framework agreement called the Data Protection Agreement, which shall govern personal data transferred between the United States and European Union for law enforcement purposes (including the prevention, detection, investigation and prosecution of criminal offences, including terrorism). Negotiations are in their final stages, with agreement already having been reached on several issues such as retention periods, right of access and rectification, effective oversight, and fundamental principles such as non-discrimination and maintaining the integrity and security of data (European Commission, 2014).

The discussion under South African legislation above draws distinct parallels between local data protection legislation and that of the European Union, particularly in that it is a distinct singular piece of legislation regulating data protection. Moreover, the replication of the data processing principles draws further parallels between these two pieces of legislation.

6. Risk management

It is apparent from the above discussions that there is a myriad of cyber exposures facing organisations today. Risk management strategies are discussed herein, in an attempt to prevent, minimise and/or transfer the risk caused by these exposures. Risk is an inherent part of doing business. For any organisation to operate successfully, it needs to address risk and respond proportionately and appropriately, to a level consistent with the organisation’s risk appetite. If an organisation does not identify and manage risk, this could potentially lead to the failure of the organisation (United Kingdom Department for Business Innovation and Skills, 2012). Valsamakis, Vivian, and du Toit (2010) state that the reasons for managing risk are linked to the corporate objectives of survival, growth and maximising shareowner wealth. Risk management is a managerial function aimed at protecting the organisation and its people, assets and profits against the physical and financial consequences of risk. It involves planning, coordinating and directing the risk-control and risk-financing activities in the organisation. The goal of risk elimination is to eliminate risk; however, most of the options for doing so tend to eliminate the organisation from the market, as an organisation that avoids risk altogether shall not survive in its chosen market (Rusu & Stroie, 2011).

The probability of occurrence and the consequence of occurrence are the two characteristics of a possible negative future event which define risk. Thus, the risk is undefined if the probability of occurrence is unknown (United States of America Department of Defense, 2001). Risk can also be defined as the combination of an event’s probability and the consequences thereof (Institute of Risk Management, 2002). Rusu and Stroie (2011) state that risk is the potential that a chosen action or activity (including the choice of inaction) will lead to an undesirable outcome. They go on to say that a threat is the potential cause of an unwanted impact on a system or organisation. A threat can also be defined as an undesired event (intentional or unintentional) which may cause damage to the goods of the organisation. Lastly, a vulnerability is a weakness in system procedures, system architecture, its implementation, internal control or other causes that can be exploited to bypass security systems and gain unauthorised access to information. Vulnerability represents any weakness, administrative process, act or statement that makes information about an asset capable of being exploited by a threat. Thus, according to Rusu and Stroie (2011), in order to combat risk and threat, a risk management process should be undertaken in which vulnerabilities and threats to the information resources used by an organisation in achieving business objectives are identified. A proactive approach should be adopted whereby risks are anticipated in advance in order to enable the organisation to sufficiently cater therefor (Valsamakis et al., 2010).

A risk exists only if, as a result of an uncertain action or event, that risk occurs. Similarly, a threat can potentially harm assets such as information, processes and systems, and thus, ultimately, the organisation. Threats may apply to a broad spectrum of aspects such as: events or actions that can lead to the occurrence of a risk, such as an accident, fire, theft etc.; actions that enable the occurrence without actually causing it, such as privilege abuse or identity theft; effects which are related to, and which indicate, undetermined causes, such as saturation of an information system; lastly, behaviour that is not an event itself but leads to an occurrence of risk (such as the unauthorised utilisation of organisational equipment). Thus, the threat does not have to be directly linked to the cause of a risk (Club de le Securite de L’Information Francais, 2008).

Following on from the discussion of risks and threats above, it is important to also discuss vulnerabilities, which, although utilised in risk analysis, are more commonly utilised in the domain of information systems security. Vulnerability can be described as a feature of a system, object or asset that may be susceptible to threats. However, vulnerability can also be defined as a flaw in a security system which may potentially be exploited by a threat to target a system, object or asset. Thus, risk can be defined as the combination of an asset, the threat which is capable of damaging that asset, and the vulnerabilities exploited by the threat to damage the asset (Club de le Securite de L’Information Francais, 2008).

Risk and return are interrelated. Thus, any reduction in the risk profile of an organisation (against a given expected return) following a deliberate risk management program will result in a more efficient risk-return trade-off. Thus, adopting a risk management program that reduces risk is of itself consistent with the general reasons for the existence of a firm. It is thus not surprising that the adoption of a risk management program features in most codes of corporate governance (Valsamakis et al., 2010).

Risk management is a permanent cycle process that involves activities for establishing, monitoring and ensuring continual improvement of the organisation’s activity. The concept of risk management is applied in all aspects of business, including planning and project risk management, health and safety, and finance. A generic definition of risk management is the assessment and mitigation of potential issues that pose a threat to the organisation, whatever their source or origin (Rusu & Stroie, 2011). Risk management is a process whereby an organised methodical approach is continuously implemented in order to identify and measure risk, as well as to select, develop and implement various options for managing risk (United States of America Department of Defense, 2001). At the core of any organisation’s strategic management lies risk management (Institute of Risk Management, 2002).

The ultimate goal of risk management is to enable the organisation to keep the results of its activities at their highest value. Thus, the risk management process should combine all factors which can increase the probability of success and decrease the uncertainty of achieving objectives (Rusu & Stroie, 2011). In order to conduct risk management, planning and early identification and analysis have to take place, as well as continuous tracking and reassessment of risk, early implementation of corrective action, communication, documentation and, of course, coordination of all of these processes (United States of America Department of Defense, 2001). Risk management should be an evolving process, with particular attention being given to the implementation and application of the strategies for eliminating or reducing the risk, to the analysis of the past evolution of risks and to the prediction of present and future events (Rusu & Stroie, 2011). Risk should be managed from boardroom to basement (Institute of Directors, 2009), and risk management should be organisation-wide, driven by corporate governance from the top down, with user participation evident at every level of the organisation (United Kingdom Department for Business Innovation and Skills, 2012).

Hereunder follows a discussion of the risk management process, whereby risk analysis / identification is the first step of the process, followed by risk evaluation and quantification. Risk control follows thereafter, followed by risk financing and then monitoring and evaluation.

Before attention can be focused on the management of risk, the source of risk must be identified (Valsamakis et al., 2010). The objective of risk identification is to identify the organisation’s exposure to uncertainty. In order to identify these uncertainties, an intimate knowledge of the organisation is required, as well as of the legal, political, social and cultural environment in which the organisation exists. This cannot be done without a deep understanding of the organisation’s strategic and operational objectives, as well as the critical success factors impacting upon the organisation (Institute of Risk Management, 2002). Whilst in many instances the identification of risk is self-evident, in others it may require additional insight (Valsamakis et al., 2010). Risk identification consists of two related activities; firstly, risks that affect the organisation must be identified. Identification of risks is usually accompanied by both hazard identification and exposure identification. Hazards (or ‘risk factors’ in the case of speculative risks) are activities or conditions that create or increase the likelihood of loss or the loss amount. An exposure to loss would be the object, individual or situation subject to loss (Valsamakis et al., 2010). Potentially critical assets have to be identified as the first step of this process (Club de le Securite de L’Information Francais, 2008). The activities which should be followed in this step of the risk management process include identifying the risk, quantifying it, establishing its probability and then establishing the priority of risk items (United States of America Department of Defense, 2001). It is imperative to include vulnerabilities in risk identification, as not doing so would imply that risk results simply from the combination of an asset element that has value and of circumstances in which this particular value could be exposed to risk. Thus, threats which may potentially damage the assets need to be identified, as well as potential vulnerabilities which could be exploited. Furthermore, it is vital that the organisation ascertains the damage that may affect these assets, and under what circumstances this damage is likely to occur (Club de le Securite de L’Information Francais, 2008).

Two main approaches exist in identifying [potentially] critical assets, the first of which is to analyse the processes and activities of the organisation in order to ascertain whether there are any potential process malfunctions which could impact on the organisation’s goals and anticipated results. In this approach one would identify and list the assets, identifying those which are of critical importance to the organisation, and the damage to these assets which could initiate such malfunctions. Thus, in this approach one is essentially identifying the circumstances under which damage may occur, in order to identify the various risk scenarios. In the second approach, a list of assets to be considered when identifying risks is compiled by identifying the primary means for supporting the organisation’s activities, along with secondary support means (Club de le Securite de L’Information Francais, 2008).

Risk analysis is the next step to be followed in the risk management process, after risk identification. It is insufficient to know that hazards, risk factors and exposures to loss or gain exist. The risk manager is required to understand the nature of those hazards, risk factors and exposures; how they come to exist; and how they interact to produce a loss. Perceptions of risk, as well as uncertainty, are also analysed, since they may be of profound importance (Valsamakis et al., 2010). Essentially the risk assessment process is continued through risk analysis activities, by formulating a refined description of the risk. This is done by isolating the cause of the risk, formulating the full impact of the risk and then deciding upon the appropriate course of action. In other words, risk analysis explores the various alternatives and opportunities associated with risk. The sensitivity of risk interrelationships is analysed, along with performance variation. Furthermore, the impact of potential and realised, external and internal, changes is analysed (United States of America Department of Defense, 2001). A risk profile can be produced from the risk analysis process, which not only provides a significance rating to each risk, but also assists in prioritising risk response, i.e. it essentially ranks the identified risks according to relative importance (Institute of Risk Management, 2002). By identifying the threats and vulnerabilities which an asset faces, it is possible to characterise a given risk (Club de le Securite de L’Information Francais, 2008).

The risk evaluation and assessment step is the third and most important step in the overall risk management process as, together with identification of possible sources of loss, it represents the foundation for planning, organising and managing the risk to reduce the impact of losses. Risk evaluation entails quantifying the risk and determining its possible impact on an organisation (Valsamakis et al., 2010). In other words, the level of risk facing the organisation is dependent on two factors: potentiality and impact (severity of the consequences thereof). The goal of risk analysis is thus to assess the severity of the damage (Club de le Securite de L’Information Francais, 2008).

Quantified risk assessment involves the formal quantification of probabilities of occurrence, and the consequences thereof (United States of America Department of Defense, 2001). More particularly, risk evaluation and assessment concerns the evaluation of both loss frequency and loss severity, which will provide the two significant measures of expected average loss and maximum possible loss. Given that the characteristics of risk and the frequency and severity of losses are all constantly changing, evaluation becomes a continuous process (Valsamakis et al., 2010).

Every element of risk is assessed through analysis and simulation in order to formulate the statistical probability of the occurrence, as well as the specific conditions caused thereby (United States of America Department of Defense, 2001). An analysis of the financial strength of the organisation entails the assessment of the firm’s risk-retention capacity. The objective is to ascertain what the impact of a given risk might be relative to the financial strength of the organisation. Given the complexity of this exercise, the evaluation process requires expertise in several disciplines, as well as the utilisation of various techniques that by their nature necessitate interacting with several organisational units (Valsamakis et al., 2010).

There are several general principles which should be followed during this step of the process, such as initially identifying what the most serious consequences of damage would be. This is done through a classification process in which a scale of severity is established, indicating how seriously each level would impact upon the organisation. Thereafter the specific consequences of the analysed risk should be evaluated, paying particular attention to those at the highest level of consequence faced by the organisation (Club de le Securite de L’Information Francais, 2008). Thus, risk evaluation empowers the organisation to make decisions regarding the significance of risks to the organisation, as well as whether each specific risk should be accepted or treated (Institute of Risk Management, 2002).

As previously noted, the organisation should also ascertain what impact security measures make when identifying and classifying risk. The organisation should assess the effect that security measures may have upon the identified risks, as well as upon the exposures giving rise to those risks. Factors which should be considered when assessing the effects of security measures include the effect of deterrence and prevention; the effect of detection followed by action to prevent recurrence or mitigate consequences; and the effect of restoration and palliative recovery measures. Obviously, a security measure’s effect is dependent on the quality of the measure. Knowing that certain measures or processes are more effective than others, it is imperative that the organisation is in a position to consider the quality of each security measure. Thus, the risk model should ideally incorporate a method of evaluating security measures, in order to ensure that a sufficient level of quality is being utilised. Depending on the skills available within the organisation, it may consider employing the services of third-party experts to assist hereon (Club de le Securite de L’Information Francais, 2008).
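As an added illustration (not part of the original paper or of any of the sources it cites), the following Python sketch models the quantified assessment described above: each risk carries a loss frequency and a loss severity, giving an expected average annual loss and a maximum possible loss; the risks are ranked into a profile, compared against the organisation’s risk-retention capacity, and the effect of a security measure on frequency (deterrence and prevention) or on severity (detection with follow-up action, restoration and recovery) is scaled by the measure’s assessed quality. The risk register, severity scale, retention capacity and measure figures are all constructed sample values, and the `Risk`, `Measure`, `apply_measure`, `classify_severity` and `risk_profile` names are the example’s own.

```python
"""Added example (not from the paper): a quantified risk assessment in the
style described in the text. All figures are constructed sample values."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    frequency: float   # expected loss-producing events per year
    severity: float    # expected loss per event (assumed currency units)
    max_loss: float    # maximum possible loss from a single event

    @property
    def expected_annual_loss(self) -> float:
        # expected average loss = loss frequency x loss severity
        return self.frequency * self.severity


@dataclass
class Measure:
    name: str
    frequency_reduction: float  # fraction of events stopped (deterrence / prevention)
    severity_reduction: float   # fraction of per-event loss avoided (detection + action, recovery)
    quality: float              # assessed quality of the measure, 0.0 (ineffective) to 1.0


def apply_measure(risk: Risk, measure: Measure) -> Risk:
    """Residual risk after a measure. Nominal reductions are scaled by the
    measure's assessed quality, so a poorly implemented control earns little
    credit, which is the point the text makes about measure quality."""
    q = max(0.0, min(1.0, measure.quality))
    f_factor = 1.0 - measure.frequency_reduction * q
    s_factor = 1.0 - measure.severity_reduction * q
    return Risk(risk.name, risk.frequency * f_factor,
                risk.severity * s_factor, risk.max_loss * s_factor)


def classify_severity(max_loss: float, scale: list[tuple[float, str]]) -> str:
    """Map a maximum possible loss onto a severity scale given as ascending
    (threshold, label) pairs; the highest threshold reached wins."""
    label = scale[0][1]
    for threshold, name in scale:
        if max_loss >= threshold:
            label = name
    return label


def risk_profile(risks: list[Risk], retention_capacity: float,
                 scale: list[tuple[float, str]]) -> list[dict]:
    """Rank risks by expected annual loss (the risk profile) and flag those
    whose maximum possible loss exceeds the firm's risk-retention capacity."""
    ranked = sorted(risks, key=lambda r: r.expected_annual_loss, reverse=True)
    return [{
        "name": r.name,
        "expected_annual_loss": round(r.expected_annual_loss, 2),
        "max_loss": round(r.max_loss, 2),
        "severity_class": classify_severity(r.max_loss, scale),
        "exceeds_retention": r.max_loss > retention_capacity,
    } for r in ranked]


# Constructed sample data (not drawn from any survey cited in the paper).
SEVERITY_SCALE = [(0, "minor"), (100_000, "moderate"),
                  (1_000_000, "major"), (5_000_000, "catastrophic")]
RETENTION_CAPACITY = 1_000_000  # assumed: largest single loss the firm can absorb itself

RISKS = [
    Risk("Ransomware outage", frequency=0.5, severity=400_000, max_loss=2_000_000),
    Risk("Lost laptop with customer data", frequency=3.0, severity=20_000, max_loss=300_000),
    Risk("Web application breach", frequency=0.2, severity=1_500_000, max_loss=6_000_000),
]

# Tested offline backups cut the loss per ransomware event but do not stop the events.
BACKUP_MEASURE = Measure("Offline backups with tested restore",
                         frequency_reduction=0.0, severity_reduction=0.6, quality=0.8)


if __name__ == "__main__":
    for row in risk_profile(RISKS, RETENTION_CAPACITY, SEVERITY_SCALE):
        print(row)
    residual = apply_measure(RISKS[0], BACKUP_MEASURE)
    print(f"{residual.name}: residual EAL {residual.expected_annual_loss:,.0f}, "
          f"residual max loss {residual.max_loss:,.0f}")
```

With the constructed values, the backup measure roughly halves the ransomware risk’s expected annual loss, yet its residual maximum possible loss still exceeds the assumed retention capacity; the profile therefore shows why a control of a given quality may reduce a risk without removing the need to finance it, which is the subject of the later risk-financing step.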

Risk control is the fourth step, and aims to minimise the risk practically through the design and implementation of a physical risk management program. The goal of such a program would be the reduction of the magnitude of the exposure, reduction of the frequency of loss-producing events, dealing (physically) with loss-producing events and recovering (physically) from loss-producing events (Valsamakis et al., 2010). In other words, the main driver of risk control activities is to mitigate risk (United States of America Department of Defense, 2001). Risk control activities are thus activities that focus on avoiding, preventing, reducing, or otherwise controlling risks and uncertainties. Risk control programs may be referred to as practical in the sense that they are conducted at the source of the risk. In practice, the implementation and monitoring of loss control programs are conducted by line management (Valsamakis et al., 2010). In direct risk management, scenarios are individually considered in order to ascertain what measures are most appropriate. Two main options are available. In the first, reliance is placed on a risk scenario knowledge base, from which appropriate security measures are referenced and evaluated in terms of how effectively they reduce the level of risk; it should also be assessed whether the risk management method provides any other type of assistance. In the second option, risk situations are reduced directly by the managers of the relevant activity or process, who themselves manage the solutions to be implemented (Club de le Securite de L’Information Francais, 2008).

The fifth and final step in the risk management process entails the financial provision for losses that may occur. Risk-financing activities provide the means for reimbursing losses that occur and for funding other programs to reduce uncertainty and risk or to enhance positive outcomes. Normally, some losses will occur, despite risk control efforts. The financing of these losses can include measures such as the purchase of insurance coverage, the establishment of a captive insurance subsidiary or the use of letters of credit. In the selection of the most efficient method of financially providing for the consequences of risk, the organisation could opt to retain the risk under a self-funding plan; utilise a combination of risks (diversifying or hedging) to obtain the benefit of greater certainty in predicting the loss occurrences through the use of the law of large numbers (this method may be used by business organisations, individuals or, indeed, insurers; it has its limitations, however, since the scope of combination or diversification may be limited); or, lastly, transfer the cost of risk to third parties through techniques such as insurance (Valsamakis et al., 2010).

Risk transfer is associated with transferring the risk to another organisation, through the act of assignment, delegation or through payment. Transfer methods often utilised include insurance, warranties and incentive clauses. However, it is important to note that, even though the risk has been mitigated through the chosen risk transfer action, the risk is never truly transferred (United States of America Department of Defense, 2001). Granted, the effect or consequences of the risk may be transferred, but the risk remains inherent in the organisation.

In risk assumption, organisations can consciously choose to acknowledge the existence of a risk and monitor it accordingly (Rusu & Stroie, 2011). Acceptance is the deliberate acceptance of the risk, in all likelihood because both its probability and its consequences are low (United States of America Department of Defense, 2001). The decision to assume risk must be well analysed and documented by the management team of the organisation. However, organisations can also choose the risk action of ignoring the risks facing them (Rusu & Stroie, 2011). Risk avoidance entails an understanding of priorities in requirements and constraints, to the extent that risk is traded off for performance or another capability (United States of America Department of Defense, 2001).

In order to be comprehensive, an integrated approach to risk management requires that three key aspects of business organisations are considered, namely its strategy, its processes and its people. To be inclusive, risk management must involve all levels of the organisation. At the strategic level, it requires that the risk-to-reward ratio for all types of risk is considered, where the company’s board of directors must play a leading role in setting a clear risk framework. The framework should provide management with a guide that relates investors’ expectations to the risk-to-reward ratio. This framework should also provide guidelines as to what level of risk will be accepted, which risks will be transferred by contract or negotiation, and which risks should be insured (Valsamakis et al., 2010). The risk management policy of an organisation should not only stipulate its approach to, and appetite for, risk, but also its approach to risk management (Institute of Risk Management, 2002). A well-orchestrated risk management process shall result in improved decision-making, planning and prioritisation, which is only achieved through a comprehensive and structured understanding of the organisation’s activity, how volatile it is, as well as the opportunities and threats facing the organisation (Institute of Risk Management, 2002).

Once these guidelines have been set, they have to be fully integrated into the processes of the organisation so that management and day-to-day activities support this vision. At the management level, this requires a full understanding of risk management principles and the embedding of a risk management culture in the organisation. It also means that risk management activities should be integrated with other business functions, risk control integrated with risk-financing activities, and self-funding integrated with other ways of financing risks. The interaction of strategic activities with operational activities is also essential. Failure to involve the operational level can result in a fragmented or contradictory approach in which an organisation may face unnecessary risks (Valsamakis et al., 2010).

In information technology and communications, one of the most important goals of risk management is to enable the organisation to accomplish more by better securing the information systems that store, process or transmit organisational information. It does so by enabling management to make well-informed risk management decisions that justify the expenditure forming part of the information technology budget, and by assisting management in authorising information technology systems on the basis of the supporting documentation produced by the risk management process (Rusu & Stroie, 2011).

Through proper risk identification and planning, risk management becomes an integral part of general management, as opposed to a set of isolated functions comprising risk control and risk financing (Valsamakis et al., 2010). Whilst information technology departments are traditionally responsible for spearheading data security and privacy initiatives in most organisations, more are beginning to believe that it is an enterprise-wide responsibility to mitigate risks. According to the Advisen / Zurich study, nearly two-thirds of all organisations surveyed have a multi-departmental information security risk management team or committee (Advisen, 2012).

The majority of the 2011 Advisen survey respondents recognised that it is the responsibility of the entire organisation to mitigate risks. However, when questioned as to whether their organisation had a multi-departmental information security risk management team or committee, 34% responded in the negative. The departments or functions that are most likely to have representation on the information security risk management team are represented per the figure below (Advisen Limited, 2011):

Figure 11: Departments / Functions that are most likely to have representation on the information security risk management team

Note. From “A New Era In Information Security and Cyber Liability Risk Management: A Survey on Enterprise-wide Cyber Risk Management Practices in Europe”, p. 7, by Advisen Limited, 2011, London.

The 2011 Advisen survey reported that 71.7% of respondents indicated that security risks are a specific risk management focus within their organisation, and acknowledged that it is the responsibility of the entire organisation to mitigate risks. However, the respondents opined that the threat was viewed in a less serious light by key decision makers. As is apparent from Figure 3 above, the information technology department is still considered to be the front line of defence against cyber exposures, with 95.9% of respondents stating that IT staff would be the department most likely to have representation on the information security risk management team. 78.1% of survey respondents indicated that Risk management / Insurance departments would also be included in such an information security risk management team (Advisen Limited, 2011).

The PricewaterhouseCoopers Global State of Information Security Survey 2015 reports that information security budgets actually decreased by 4% from the preceding year, with security spending (as a percentage of the information technology budget) being a meagre 4% or less. Smaller organisations often hold the belief that they are too insignificant to attract cybercrime attacks. This sentiment is apparent when considering Figure 1, wherein the cybersecurity budgets of smaller organisations are significantly smaller than those of their larger counterparts. That being said, it is possible that smaller organisations also take some measure of comfort from the fact that the financial ramifications of a cyber-attack are usually smaller for the smaller organisation (refer to Figure 2 above). However, it is also possible that increasing risk, combined with an abundance of security solutions, has resulted in “analysis paralysis”, rendering smaller organisations unable to make decisions and take appropriate action (PricewaterhouseCoopers LLP, 2014).

Unfortunately, research indicates that most organisations are still attempting to fight attacks with antiquated perimeter-based defences like anti-virus and intrusion detection, which are no longer adequate to meet modern cyber threats (Internet Security Alliance, 2013).

It is believed that many organisations find it difficult to understand how much budget should be allocated to information security and, following thereon, how to determine the return on that investment. However, given that only 40% of respondents to The Global State of Information Security Survey 2015 reported that the board of directors is involved in security budget decisions, it could very well be that management struggles to obtain robust funding for information security (PricewaterhouseCoopers LLP, 2014).

A recent Verizon-Secret Service Study, which conducts forensic analysis of hundreds of cyber security breaches, documents that as much as 97% of cyber events could have been prevented, or their damage mitigated, through the use of best practices (Internet Security Alliance, 2013).

6.1 Risk management and corporate governance policies

As has been discussed above, the reduction of risk through the adoption of a risk management program is consistent with the reasons for the existence of a firm. Thus, it is obvious that corporate governance codes focus strongly on risk management programs (Valsamakis et al., 2010). Furthermore, risk management should be entrenched within the entire hierarchy of the organisation (United Kingdom Department for Business Innovation and Skills, 2012) in order to ensure compliance with best practices and statutory requirements.

In this portion of the paper, the importance of corporate governance shall be considered, particularly with regards to risk management. The King Code of Governance for South Africa shall be contemplated, along with the Guidelines issued by the Organisation for Economic Co-operation and Development. Following thereon, a wide range of risk management policies and procedures shall be discussed in detail.

A lack of effective risk management and governance could result in increased exposures to risk and thus information risk must be owned at board level. Without effective risk governance processes it is impossible for the board to understand the risk exposure of the organisation. The board must be confident that information risks are being managed within tolerance throughout the lifecycle of deployed systems or services (United Kingdom Department for Business Innovation and Skills, 2012).

Governance is the set of responsibilities and practices exercised by those responsible for an organisation (e.g. the board of directors and executive management in an organisation, or the agency head for a state agency) with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organisation’s resources are utilised responsibly. Cyber security governance refers to the component of organisation governance that addresses the organisation’s dependence on cyberspace in the presence of adversaries. Cyber security governance thus encompasses information systems security governance. Whilst aspects of information security governance may address information outside of cyberspace, the flow of information between the non-cyber and cyber realms is so prevalent that in general it is preferable for cyber security governance to encompass information security governance (Bodeau, Boyle, Fabius-Greene & Graubart, 2010).

Organisations could potentially miss out on business opportunities where risk decisions are being taken at junior level without effective governance and ownership back to senior levels. This practice may promote an overly cautious approach to information risk which may lead to missed business opportunities. Alternatively, an overly open approach may expose the organisation to unacceptable risks (United Kingdom Department for Business Innovation and Skills, 2012).

Ineffective policy implementation is a risk facing the organisation and thus the board of directors should have overall ownership of the corporate security policy. Without effective risk management and governance processes, the board will not have confidence that its stated policy is being implemented (United Kingdom Department for Business Innovation and Skills, 2012).

A lack of effective governance means that information risk management activities may be undertaken locally when they could be more effectively deployed at an organisational level (United Kingdom Department for Business Innovation and Skills, 2012).

Through the incorporation of the abovementioned risk management techniques into their corporate governance guidelines, the board of directors has three different responses available to it in order to manage the risks faced by the organisation (Valsamakis et al., 2010).

• Avoidance: some risks can be avoided by not carrying out specific activities. This is rarely possible in the business environment. According to Rusu and Stroie (2011), where it is possible, managers should choose not to implement certain processes and procedures that could generate a higher level of risk, or could complicate the organisation’s activity;

• Acceptance: certain risks are inherent to a specific business. Trying to avoid them would mean disinvesting from a particular industry. If the risk-return properties are acceptable, the risk associated with that industry or type of business needs to be accepted;

• Mitigation: mitigation follows on from risk acceptance and is aimed at lessening the impact of the risk. Similarly, risk transfer, in the form of insurance, could also be considered a risk mitigation technique. Insurance is considered to be a powerful risk management tool and thus an in-depth discussion of this subject matter follows in section 7 hereunder.

Risks can be reduced by implementing security measures and procedures. When implementing these measures, the organisation should take into account the costs and benefits of the implementation. If the cost of the risk reduction outweighs the benefits which it offers, then accepting the risk should be preferred over the implementation of the costly security measures (Rusu & Stroie, 2011).

Consideration is now given to corporate governance policies which organisations in South Africa could consider implementing.

6.1.1 King Code of Governance for South Africa 2009 (King III)

There shall always be a link between legal compliance and good corporate governance, as the latter is not something which is separate from the law. Directors’ duties are divided into the categories of duty of care, skill and diligence; and their fiduciary duties (Du Plessis, 2008; Institute of Directors, 2009; Aina, 2013). Corporate governance pertains to the establishment and implementation of structures and processes to allow directors to discharge their legal responsibilities, whilst utilising legislation to oversee compliance. Governance codes, criteria and guidelines, in addition to legislative compliance, shall be utilised to determine whether a director’s standard of conduct is appropriate. As certain governance practices become entrenched, it is likely that courts shall regard conformance with same to be the required standard of care, and thus non-conformance may result in directors being liable at law (Institute of Directors, 2009).

Organisations can be governed on a statutory basis, or through the codification of principles and practices. Along with 56 Commonwealth countries, and 27 states in the European Union, South Africa has opted to apply governance through a code of principles and practices. The code has been adopted broadly, with the Johannesburg Stock Exchange Limited (JSE) requiring that listed companies report, through a narrative statement contained in their annual reports, on their compliance with the principles of King III (Institute of Directors, 2009).

The King Report on Corporate Governance (King I) was published in 1994 by the King Committee on Corporate Governance, headed by Mervyn King S.C., a former High Court judge. Aimed at promoting the highest standards of corporate governance, King I was the first of its kind in South Africa. King I extended beyond the financial and regulatory aspects prescribed by corporate governance, advocating an integrated approach to good governance, in the best interests of all stakeholders. King II (the King Report on Corporate Governance for South Africa, 2002) was developed in response to evolving economic environments, along with legislative developments. The latest changes, as evidenced in King III, see a distinct move towards a triple bottom line approach, embracing the economic, environmental and social aspects of an organisation (Institute of Directors, 2002).

Similarly, the King Code of Governance for South Africa 2009 (hereinafter referred to as King III) was compiled by the King Committee in order to bring the report in line with the new Companies Act no. 71 of 2008, as well as changes in international governance trends (Institute of Directors, 2009).

Whereas King II applied to business enterprises with securities listed on the Johannesburg Stock Exchange; banks, financial and insurance organisations; certain public sector enterprises and agencies (Institute of Directors, 2002), King III applies to all entities, regardless of sector or form of establishment (Institute of Directors, 2009).

The philosophy forming the foundation of the King III report is that of leadership, sustainability and corporate citizenship. Good governance arises from effective leadership, which is characterised by the ethical values of responsibility, accountability, fairness and transparency, all of which are based on moral duties. Effective leadership strives for sustainable economic, social and environmental performance. Sustainability is the second philosophy and is considered to be the primary moral and economic imperative of the 21st century as decision makers are compelled to understand how nature, society and business are complexly interconnected.

Application of the code is on an ‘apply or explain’ basis, with it being the legal duty of directors to ensure that the best interests of the organisation are upheld at all times. Thus, directors may opt not to follow a recommendation contained within King III, provided that it is believed to be in the best interests of the organisation and that the objectives of fairness, accountability, responsibility and transparency are achieved. Compliance requires that the organisation explain how the principles and recommendations were applied and, if they were not, the reasons for non-compliance (Institute of Directors, 2009).

The discussion which follows hereon focuses on corporate governance aspects emanating from King III, and with particular application to cyber exposures.

Although utilised as enablers of business, information systems have become extremely pervasive, and it is now imperative to incorporate them into the business strategy. Not only has information technology become entrenched in organisations because it is fundamental to supporting, sustaining and developing the business; it is also a vital strategic asset required to attain and maintain competitive advantage. The evolution of information technology has resulted in significant risks which need to be well governed and controlled. Thus, the governance of information technology has become a corporate imperative (Institute of Directors, 2009).

Information technology governance is detailed in King III for the first time, focusing on the most salient information systems governance aspects. With regard to information technology governance, it is imperative to note that directors are required to ensure that prudent and reasonable steps have been implemented. Information governance cannot be addressed through legislation alone; international guidelines should also be utilised in order to develop an organisation’s corporate governance framework. The code also cautions that organisations should ensure that they are kept informed with regard to changing regulatory requirements impacting upon information technology.

The following principles and recommended practices, pertaining to the governance of information technology, are contained in Principle 5 of King III.

Table 1: Code of Governance Principles pertaining to Information Technology

Principle 5.1: The board should be responsible for information technology (IT) governance
Recommended practice:
5.1.1 The board should assume the responsibility for the governance of IT and place it on the board agenda
5.1.2 The board should ensure that an IT charter and policies are established and implemented
5.1.3 The board should ensure promotion of an ethical IT governance culture and awareness and of a common IT language
5.1.4 The board should ensure that an IT internal control framework is adopted and implemented
5.1.5 The board should receive independent assurance on the effectiveness of the IT internal controls

Principle 5.2: IT should be aligned with the performance and sustainability objectives of the company
Recommended practice:
5.2.1 The board should ensure that the IT strategy is integrated with the company’s strategic and business processes
5.2.2 The board should ensure that there is a process in place to identify and exploit opportunities to improve the performance and sustainability of the company through the use of IT

Principle 5.3: The board should delegate to management the responsibility for the implementation of an IT governance framework
Recommended practice:
5.3.1 Management should be responsible for the implementation of the structures, processes and mechanisms for the IT governance framework
5.3.2 The board may appoint an IT steering committee or similar function to assist with its governance of IT
5.3.3 The CEO should appoint a Chief Information Officer responsible for the management of IT
5.3.4 The CIO should be a suitably qualified and experienced person who should have access to, and interact regularly on strategic IT matters with, the board and/or appropriate board committee and executive management

Principle 5.4: The board should monitor and evaluate significant IT investments and expenditure
Recommended practice:
5.4.1 The board should oversee the value delivery of IT and monitor the return on investment from significant IT projects
5.4.2 The board should ensure that intellectual property contained in information systems is protected
5.4.3 The board should obtain independent assurance on the IT governance and controls supporting outsourced IT services

Principle 5.5: IT should form an integral part of the company’s risk management
Recommended practice:
5.5.1 Management should regularly demonstrate to the board that the company has adequate business resilience arrangements in place for disaster recovery
5.5.2 The board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered

Principle 5.6: The board should ensure that information assets are managed effectively
Recommended practice:
5.6.1 The board should ensure that there are systems in place for the management of information which should include information security, information management and information privacy
5.6.2 The board should ensure that all personal information is treated by the company as an important business asset and is identified
5.6.3 The board should ensure that an Information Security Management System is developed and implemented
5.6.4 The board should approve the information security strategy and delegate and empower management to implement the strategy

Principle 5.7: A risk committee and audit committee should assist the board in carrying out its IT responsibilities
Recommended practice:
5.7.1 The risk committee should ensure that IT risks are adequately addressed
5.7.2 The risk committee should obtain appropriate assurance that controls are in place and effective in addressing IT risks
5.7.3 The audit committee should consider IT as it relates to financial reporting and the going concern of the company
5.7.4 The audit committee should consider the use of technology to improve audit coverage and efficiency

Note. From The King Code of Governance for South Africa, pp. 39–41, by Institute of Directors in Southern Africa, 2009.

In order to avoid the exposures detailed in the previous section, a governance framework ought to be established that enables and supports information risk management across the entire organisation, with ultimate responsibility for risk ownership residing at board level (United Kingdom Department for Business Innovation and Skills, 2012). Broad participation of the management team is required in the risk identification process, in order to ensure that the focus remains on strategy, as well as the organisation’s primary objectives (Club de le Securite de L’Information Francais, 2008).

Corporate governance policies are the primary building blocks of every information security effort: they provide official statements of managerial direction and support (Boulton & Knapp, 2006) and encompass the organisation’s security policies too. The board needs to create and own an overarching corporate information risk policy to help communicate and support risk management objectives, detailing the risk management strategy for the organisation as a whole (United Kingdom Department for Business Innovation and Skills, 2012).

Tolerable risk likewise does not require the implementation of any counter-measures, but is permanently monitored; if any growth in its level is identified, supplementary actions are carried out in order to reduce it. However, should a risk be at an intolerable level, it requires an immediate response from management to identify and implement sufficient measures to either reduce or eliminate the risk (risk mitigation) (Rusu & Stroie, 2011).

The risks facing the organisation’s information assets (i.e. any form of information, be it strategic information or the personal information of staff or third parties) should be a regular agenda item for board discussion. To ensure senior ownership and oversight, the risk of cyber-attack should be documented in the corporate risk register. Entering into knowledge-sharing partnerships with other companies and law enforcement can assist the organisation in understanding new and emerging threats that may pose a risk to it, as well as in sharing the mitigations which may work (United Kingdom Department for Business Innovation and Skills, 2012).

An organisational asset is anything that could be of value or importance to an organisation, and includes primary assets such as information and processes and activities; and supporting assets such as equipment, software, networks, personnel, premises and organisational support (Club de le Securite de L’Information Francais, 2008).


Asset damage (i.e. the consequences of risk) occurs in different ways, depending on the type of asset. Assets could be damaged through loss, tampering or exposure, to name a few. The damage could present direct consequences or damage to assets, or alternatively risk could result in secondary or indirect consequences to the organisation’s processes or activities (Club de le Securite de L’Information Francais, 2008).

The level of information risk which the organisation is prepared to tolerate in pursuit of its business objectives needs to be agreed by the board of directors and a risk appetite established to guide information risk management decisions throughout the organisation (United Kingdom Department for Business Innovation and Skills, 2012).

The application of recognised sources of security management good practice should be considered, as well as physical, personnel, procedural and technical measures implemented (United Kingdom Department for Business Innovation and Skills, 2012). Furthermore, the effects of security measures should also be taken into account whilst identifying the risks facing the organisation (Club de le Securite de L’Information Francais, 2008).

The result of the evaluation of the risk should be interpreted in order to determine the type of risk facing the organisation. Negligible risk does not require any measure to be applied, and should be monitored periodically (Rusu & Stroie, 2011).

Given that the components of a risk can change over time, it is imperative that a continuous through-life process is adopted to ensure security controls remain appropriate to the risk (United Kingdom Department for Business Innovation and Skills, 2012).


6.1.2 Organisation for Economic Co-operation and Development (OECD) Privacy Principles

The mission of the Organisation for Economic Co-operation and Development (OECD) is to promote policies that will improve the economic and social wellbeing of people around the world. It provides a forum in which governments can work together to share experiences and seek solutions to common problems. The 34 member countries of the OECD span the entire globe, from North and South America, to Europe and the Asia-Pacific region. Member countries include: Australia, Austria, Belgium, Canada, Chile, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Israel, Korea, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Poland, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom (Organisation for Economic Co-operation and Development, 2013). OECD membership is limited to countries which are willing to commit to a market economy, in a pluralistic democracy. Moving towards possible membership, the OECD also interacts with other potential partners such as Brazil, China, India, Indonesia and South Africa (Jackson, 2013).

This unique forum enables governments and economies to work with each other (as well as in excess of 70 non-member emerging economies) in order to promote economic growth, prosperity, and sustainable development. In this forum, governments can compare policy experiences, seek answers to common problems, identify good practice and coordinate domestic and international policies. This has resulted in the OECD being a valuable source of policy analysis and internationally comparable statistical, economic and social data, for the past 50 years (United States Mission to the Organization for Economic Cooperation and Development, n.d.). Key policy recommendations that are discussed in this forum often serve as the basis for international standards and practices (Jackson, 2013). Furthermore, the past decade has seen the OECD deepening its engagement with trade unions, business and other representatives of civil society (United States Mission to the Organization for Economic Cooperation and Development, n.d.).


Concern was raised during the 1970s as to the extent to which the various privacy laws which were being enacted in respect of the processing and transfer of personal data, would result in inconsistencies and disrupt the global flow of information. In order to address these concerns, and facilitate interoperability, in 1980 the Organisation for Economic Co-operation and Development (OECD) published the first international information privacy guidelines. The Guidelines still form the basis of most information privacy legislation around the world today, establishing minimum standards for protecting personal data. Both the collection and utilisation of personal data should be either explicitly permitted by law or consented to by individuals to whom the data pertains. The data collected should be kept to a minimum and only utilised for the required purpose. Lastly, it is also a requirement that the personal data be secured, managed transparently, and reasonably accessible, with accountability (Cate, Cullen and Mayer-Schönberger, 2014).

A tool for organisations to consider regarding privacy and data security is the OECD Privacy Principles, which are the most commonly utilised privacy framework internationally. They are reflected in existing and emerging privacy and data protection laws, and serve as a base for the creation of leading practice privacy programs (Advisen, 2012).

Not only do the OECD Principles of Corporate Governance provide specific guidance for policymakers, regulators and market participants in improving the legal, institutional and regulatory framework that underpins corporate governance, but they also provide practical guidance and suggestions for stock exchanges, investors, corporations and other parties that have a role in the process of developing good corporate governance. The guidelines are intended to promote a culture of security across all aspects of information systems, as well as to raise awareness about the risk to systems.

The OECD Principles of Corporate Governance (originally adopted by the OECD member countries in 1999) were revised in 2004 to respond to corporate governance developments including corporate scandals that focused the minds of governments on improving corporate governance practices. Since they were first issued in 1999, the OECD Principles of Corporate Governance have gained worldwide recognition as an international benchmark for sound corporate governance. They are actively utilised by governments, regulators, investors, corporations and stakeholders in both OECD and non-OECD countries (Jesover & Kirkpatrick, 2005).

The OECD embarked upon a review of its guidelines in 2010, considering significant changes such as the volume of personal data being collected, used and stored; the range of analytics required in order to provide relevant statistics; the significance of privacy threats; the large variety and quantum of actors capable of protecting privacy, and of putting it at risk; the value of social and economic benefits which are released through new technologies and responsible data uses; and lastly, the global availability of personal data. The OECD Expert Group formed to contemplate the above ultimately recommended that the Guidelines be updated in several key areas (such as adding new material on “Accountability”, “Security Breach Notification” and “other topics”), however, no changes to the eight basic principles were suggested. Following these recommendations, the revised Recommendation Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, were adopted by the OECD Council on 11 July 2013 (Cate et al., 2014).

The working group tasked with modernising the OECD Guidelines in 2013 identified the following priorities (Cate et al., 2014):

• The focus on data collection and the attendant notice and consent requirements be reduced, with more focus being put on practical assessment of the benefits and risks associated with data uses;
• The role of the Purpose Specification and Use Limitation principles either be reduced or eliminated;
• The balance between privacy and the free flow of information (that was the original goal of the OECD Guidelines) be restored, as well as to avoid suppressing innovation with overly restrictive or inflexible data privacy laws;
• More accountability be transferred to data users for the personal data which they access, store, and use, and data users be held liable when harm to data subjects occurs;
• A broader definition of the “harms” which inappropriate uses of personal data can cause be adopted, as well as practical frameworks and processes for identifying, balancing, and mitigating those harms be implemented.

The revisions not only included basic changes [to the principles] essential to the protection of personal privacy, but also avoided unnecessary restrictions on users’ usage of personal information. Thus, the changes seek to balance individual privacy challenges against valuable data uses. The changes also sought to shift data protection responsibility away from individuals, and to rather focus on data use. The revised principles present significant continuity with the original Guidelines of 1980, seeking to balance individual privacy whilst enabling the critical flow and utilisation of data. It is imperative that one bears in mind that the revised principles are merely guidelines to creating, adopting and implementing national laws (Cate et al., 2014).

Hereunder follows a discussion of the principles contained in the Organisation for Economic Cooperation and Development guidelines.

The Privacy Principles recommend that member countries demonstrate leadership and commitment to the protection of privacy and free flow of information at the highest levels of government. Furthermore, it is recommended that the privacy guidelines be implemented through processes that include all relevant stakeholders. In addition, it is recommended that the aforementioned is disseminated throughout the public and private sectors (Organisation for Economic Co-operation and Development, 2013).


The definition of personal data, per the Privacy Principles, means any information relating to an identified or identifiable individual (data subject). Furthermore, a data controller is defined in the Principles as a party who, according to national law, is competent to decide about the contents and use of personal data, regardless of whether such data are collected, stored, processed or disseminated by that party, or by an agent on its behalf (Organisation for Economic Co-operation and Development, 2013).

The guidelines put forward by the OECD apply to personal data, whether in the public or private sectors, which, because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a risk to privacy and individual liberties. The guidelines should be regarded as minimum standards which can be supplemented by additional measures (Organisation for Economic Co-operation and Development, 2013).

The Collection Limitation Principle states that there should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. The collection of data is limited due to the data being perceived as especially sensitive. These limits may relate to data quality aspects, as well as limits associated with the purpose of the processing of data (i.e. that data collection should be restricted to the minimum necessary to fulfil the requirement) (Organisation for Economic Co-operation and Development, 2013). The Collection Principle replaces the Collection Limitation Principle (in the 1980 Guidelines) and reflects the deliberate attempt to shift data protection focus away from data collection and the consequent disclosure and consent requirements. It goes further to require adherence to other legal restrictions on collection, as well as not fraudulently or deceptively collecting personal data. Transparency, by avoiding hidden, unanticipated data collecting, is promoted. Government data collection should require general legal authority, and the collection should be for a legitimate purpose (Cate et al., 2014).


The Data Quality Principle asserts that personal data should be relevant to the purposes for which they are to be used; and, to the extent necessary for those purposes, should be accurate, complete and kept up to date. Data should relate to the purpose for which it is to be used – for example, data concerning opinions could be misinterpreted or appear to be misleading if they are utilised for purposes to which they bear no relation. The “purpose test” will assess whether the data subjects can be caused harm because of data being inaccurate, incomplete or out of date (Organisation for Economic Co-operation and Development, 2013). The revised Data Quality Principle is almost identical to its 1980 counterpart save for the fact that it applies only to personal data utilised for a decision affecting individuals. The revision was made in order to limit wasting of resources in assessing the accuracy, completeness and timeliness of data that was not being utilised in a manner which could impact upon individuals. The principle also extends to explicitly recognising that, in order to determine accuracy, completeness and timeliness of data, it is a requirement that the purpose of the utilisation of the data is known (Cate et al., 2014).

The Purpose Specification Principle requires that the purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. When data no longer serves a purpose, it may be necessary to destroy the data, or assign it an anonymous form, if practicable. When data is no longer of interest, control thereover may be lost, which may lead to risks of theft or unauthorised access thereto (Organisation for Economic Co-operation and Development, 2013).

The Use Principle stipulates that a careful assessment of the advantages, risks, and risk mitigation tools be made by the data steward. The adoption of benchmarks, frameworks and models are encouraged to this end. The Use Principle anticipates that certain uses of data shall be routinely permitted without special data protection tools; however, others shall require a context-specific risk assessment in conjunction with data protection tools. Notice and consent should provide a real option, accompanied by relevant understandable information, wherein the consequences are presented (Cate et al., 2014).

According to the Use Limitation Principle, personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle, except with the consent of the data subject, or by the authority of law. If data is transmitted freely, it may potentially expose the data to unauthorised access thereto (Organisation for Economic Co-operation and Development, 2013).

The Security Safeguards Principle stipulates that personal data should be protected by reasonable safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data (Organisation for Economic Co-operation and Development, 2013). The revised Security Safeguards Principle has merely been expanded in order to clarify that the obligation to protect personal data extends to both internal and external risks (Cate et al., 2014).

Principle 12 of the OECD’s Privacy Guidelines, the Openness Principle, states that there should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller (Organisation for Economic Co-operation and Development, 2013).

The Individual Participation Principle maintains that individuals should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them. Furthermore, individuals have the right to have communicated to them data relating to them within a reasonable time frame, at a charge (if any) that is not excessive, in a reasonable manner, and in a form that is readily intelligible to them. In addition thereto, individuals should also have the right to be given reasons if a request is denied, and to challenge such denial. Data relating to the individual should also be able to be challenged by the individual, and if the challenge is successful, to have the data erased, rectified, completed or amended (Organisation for Economic Co-operation and Development, 2013).

The Accountability Principle holds that a data controller should be accountable for complying with measures which give effect to the abovementioned principles (Organisation for Economic Co-operation and Development, 2013). The revised Principle is far broader and more demanding than the original Guidelines. Not only are data stewards responsible for compliance, but also for demonstrating to regulators that they have sufficient tools in place in order to comply (Cate et al., 2014).

The Privacy Principles require that a data controller should have a privacy management program in place, which gives effect to the guidelines (in respect of all personal data under its control). The program should be tailored to the structure, scale, volume and sensitivity of its operations, and provide for appropriate safeguards based on privacy risk assessment. Furthermore, the program should be integrated into its governance structure and establish internal oversight mechanisms, as well as include a plan for responding to inquiries and incidents. The program should be updated in light of ongoing monitoring and periodic assessment (Organisation for Economic Co-operation and Development, 2013).

A data controller should be prepared to demonstrate its privacy management program as appropriate, in particular at the request of a competent privacy enforcement authority or another entity responsible for promoting adherence to a code of conduct or similar arrangement giving binding effect to the Privacy Guidelines (Organisation for Economic Co-operation and Development, 2013). It is also expected of the data controller to provide notice to privacy enforcement authorities or other relevant authorities where there has been a significant security breach affecting personal data. Where the breach is likely to affect data subjects, a data controller should also notify affected data subjects (Organisation for Economic Co-operation and Development, 2013).

Part Four of the Privacy Principles pertains to basic principles of international application, and considers the free flow and legitimate restrictions in respect of personal information. It is stated therein that the data controller remains accountable for personal data under its control without regard to the location of the data. Where another country substantially observes the OECD’s Privacy Principles or sufficient safeguards exist (including effective enforcement mechanisms and appropriate measures put in place by the data controller to ensure a continuing level of protection consistent with the OECD Principles), a member country should refrain from restricting trans-border flows of personal data between itself and that country. Lastly, any restrictions to trans-border flows of personal data should be proportionate to the risks presented, taking into account the sensitivity of the data, and the purpose and context of the processing (Organisation for Economic Co-operation and Development, 2013).

The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, since their publication more than 30 years ago, have had great influence upon those who have attempted to strike an appropriate balance between the utilisation of data and the protection of personal privacy (Cate et al., 2014).

On 09 September 2013, the OECD revised its guidelines governing the protection of privacy and transborder flows of personal data. The guidelines reflect the requirement for a practical, risk management-based approach to the implementation of privacy protection, as well as the desire to enhance privacy protection on a global level through interoperability. The latter is achieved through member countries entering into international arrangements that give practical effect to the revised guidelines (Hunton & Williams, 2013).


National Implementation is the topic of Part Five of the OECD Privacy Guidelines. It requires that member countries develop national privacy strategies that reflect a co-ordinated approach across governmental bodies, as well as adopting laws that protect privacy. Furthermore, privacy enforcement authorities should be established and maintained, with the requisite governance, resources and technical expertise necessary to exercise their authority effectively, and to make decisions on an objective, impartial and consistent basis. Self-regulation should be encouraged and supported, as well as provision made for reasonable means for individuals to exercise their rights. Member countries are required to provide for adequate sanctions and remedies in case of lack of compliance with privacy legislation. Members should also consider adopting complementary measures, including education and awareness training, skills development, and the promotion of technical measures which assist in protecting privacy. Lastly, member countries are required to consider the role of actors other than data controllers, in a manner appropriate to their individual role; and ensure that there is no unfair discrimination against data subjects (Organisation for Economic Co-operation and Development, 2013).

Contained in Part Six of the Privacy Guidelines are directives pertaining to international co-operation and interoperability, including the facilitation of cross-border privacy law enforcement co-operation (Organisation for Economic Co-operation and Development, 2013).

The fact that OECD members account for 63% of world GDP, three-quarters of world trade, 18% of the world’s population, and over half the world’s energy consumption is illustrative of the importance attributed to this forum (United States Mission to the Organization for Economic Cooperation and Development, n.d.).

The fact that the OECD is involved in various forums pertaining to data protection legislation changes, statistics reflecting the flow of data, as well as the theft (and impact thereof) of data, means that the organisation is well placed to continuously review and assess its guidelines in order to ensure that the Guidelines present strong recommendations for member countries to implement accordingly.

6.1.3 Staff awareness and training

The organisation’s users are the weakest link in the security chain, and are thus the primary focus for a range of external attacks such as phishing and social engineering. The success rate of such an attack is far greater than that of a technical attack, and it is cheaper to mount: a successful attack requires only one user to divulge their logon credentials, or open an e-mail containing malicious content (Internet Security Alliance, 2013).

Employee training has been a recognised task for effective computer security since the proliferation of the microcomputer. Given that every employee is part of the security team, an untrained employee is a high-risk asset, as they could unintentionally expose the organisation through unconsidered actions. Security-trained employees should understand that cyber threats stem from a wide variety of avenues other than the stereotypical hacker, such as business competitors, foreign institutions and organised crime (Boulton & Knapp, 2006).

All users have a responsibility to manage the risks to the organisation’s information and communications technologies and information assets. Thus, appropriate training and user education should be provided to users (relevant to their role) and regularly refreshed. Furthermore, users should be encouraged to participate in knowledge sharing exchanges with peers across business and government (United Kingdom Department for Business Innovation and Skills, 2012).

Many security programs fail due to a lack of efficient communication. It is vital that any security program contain two essential components: awareness and communication programs. These programs should receive sufficient resources and attention in order to achieve the goals. During the awareness program, employees are informed about the impact of the security policies on their behaviour (Rusu & Stroie, 2011). The best policies are wasted efforts if employees disregard them (Boulton & Knapp, 2006).

Several risks may present themselves in organisations which do not produce user security policies, or train their users in recognised good security practices. Without policies which clearly dictate what is considered to be acceptable use of the organisation’s information and communication technologies, certain actions by users may contravene good security practice, which may potentially result in the compromise of personal or sensitive information that could result in legal or regulatory sanctions, as well as reputational damage. Unless specifically communicated via corporate policy, staff might consider it acceptable to utilise their own removable media, or connect their personal devices to the organisation’s information and communication infrastructure. This could result in the import of malware, and the compromise of personal or sensitive commercial information (United Kingdom Department for Business Innovation and Skills, 2012).

In the event that users are not aware of any special handling or reporting requirements in respect of sensitive information, the organisation may be subject to legal and regulatory sanctions (United Kingdom Department for Business Innovation and Skills, 2012).

As is apparent from the above discussion, it is vital to conduct staff training in order to create awareness of potential cyber exposure, as well as to equip employees with safeguards to minimise exposure to the risks outlined in this dissertation above. An employee who is aware of the impact of their actions and the potential threats facing the organisation is an employee who is equipped to accordingly alter their behaviour and actions in order to prevent, or reduce, exposure to these threats (United Kingdom Department for Business Innovation and Skills, 2012).


Organisations should increase awareness of social engineering by educating employees about different methods of social engineering and the vectors from which these attacks could arise. In most instances, users click on links which they should not follow, and open attachments received from identified persons. Users should be rewarded for reporting suspicious e-mail and sites, thereby creating the incentives for the necessary vigilance (Internet Security Alliance, 2013).

Significant changes to an employee’s personal situation could make them vulnerable to coercion, resulting in their release of sensitive commercial information to others. Furthermore, dissatisfied users may attempt to abuse their system privileges, or alternatively coerce others, to gain access to information (or systems) to which they do not have access. Another risk is the possibility that an organisation’s employees or users may attempt to steal, or physically deface, computer resources (United Kingdom Department for Business Innovation and Skills, 2012).

The above risks can be minimised and managed by the organisation, through the implementation of various practices and policies. A user security policy should be developed and implemented (as part of the overarching corporate security policy) that outlines what is acceptable use. Furthermore, security procedures for all information and communications technology systems should be produced that are appropriate and relevant to all organisational roles. New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies, as part of the induction process. Furthermore, their employment contract should be formally acknowledged and retained to support any subsequent disciplinary action which may result from non-compliance. Ideally, the initial user registration process should be linked to the technical access controls of the organisation. In addition, users should receive regular refresher training on cyber exposures facing the organisation, as well as on the risks which they as employees and individuals are exposed to.


Training is insufficient unless it is also effective. The effectiveness, and value, of security training provided to staff should be tested, through formal feedback and by targeting for remedial action those areas that regularly feature in security reports.

An organisational culture which empowers staff to voice their concerns pertaining to poor security practices and security incidents, without fear of recrimination, should be promoted. Furthermore, it should be made clear that any abuse of the organisation’s security policies shall result in disciplinary action (United Kingdom Department for Business Innovation and Skills, 2012).

6.1.4 Security configuration

By implementing corporate governance policies and processes to develop secure baseline builds and manage the configuration and the on-going functionality of all information and communications technologies (ICT), organisations are able to greatly improve the security of their ICT systems. Good corporate practice is to develop a strategy to remove or disable unnecessary functionality from ICT systems and keep them patched against known vulnerabilities [software companies send patches to rectify or eliminate exploitable flaws or weaknesses in a system’s design or operation after it was sold (Internet Security Alliance, 2013)]. Failure to do so is likely to result in increased exposure of the business and its ICT to threats and vulnerabilities and therefore increased risk to the confidentiality, integrity and availability of systems and information (United Kingdom Department for Business Innovation and Skills, 2012).

A typical patch cycle for an organisation’s database servers is three to six months, sometimes extending to twelve months. Out-of-support systems pose a particularly high risk, because many of the issues fixed for current versions continue to exist in the out-of-support versions, which open them to exploitation (Trustwave Holdings Incorporated, 2013).


Establishing and actively maintaining the secure configuration of ICT systems should be considered a key security control. ICT systems that are not locked down, hardened or patched will be particularly vulnerable to an easily preventable attack (United Kingdom Department for Business Innovation and Skills, 2012).

Organisations that fail to produce and implement corporate security policies that manage the secure configuration and patching of their ICT systems are subject to a myriad of risks. One potential risk is that of an attacker making unauthorised changes to ICT systems or information, compromising confidentiality, availability and integrity. An additional exposure is that of exploitation of unpatched vulnerabilities: new patches are released almost daily and the timely application of security patches is critical to preserving the confidentiality, integrity and availability of ICT systems. Attackers (utilising malware) will attempt to exploit unpatched systems to provide them with unauthorised access to system resources and information. Many successful attacks are enabled by exploiting a vulnerability for which a patch had been issued some months before the attack took place (United Kingdom Department for Business Innovation and Skills, 2012).

An attacker could exploit a system configuration that has not been locked down or hardened in order to compromise systems, or abuse the import or export of information to gain unauthorised access to information assets or to introduce malware. Alternative methods include exploiting unnecessary functionality that has not been removed or disabled to conduct attacks and gain unauthorised access to systems, resources, services and information. In addition, attackers could connect unauthorised equipment to exfiltrate information or introduce malware, or create a back door for future malicious use.

Without awareness of which vulnerabilities have been identified and whether patches and fixes are available for them, the organisation will be increasingly disrupted by security incidents.

Organisations need to ensure that they have implemented measures to minimise the risks posed by poor configuration control and insecure system configurations. Such security controls include running the latest versions of operating systems, web browsers and applications. Corporate policies should be developed and implemented to ensure that security patches are applied within a timeframe that is commensurate with the organisation’s overall risk management approach. Automated patch management and software update tools should be utilised to this end.

Inventories of authorised hardware and software which constitute the ICT systems across the organisation should be created. Ideally, suitably configured automated tools should be utilised to capture the physical location, business owner and the purpose of the hardware, together with the version and patching status of all software utilised on the system. In a similar vein, the tools should be used to identify any unauthorised hardware or software, which should be removed timeously.

A secure baseline build for all ICT systems should be documented and implemented, covering clients, mobile devices, servers, operating systems, applications and network devices such as firewalls and routers. Any service, functionality or application which is not required to support the business should be removed or disabled. The secure build profile should be managed by the configuration control and management process, and any deviation therefrom documented and formally approved (United Kingdom Department for Business Innovation and Skills, 2012).

Organisations should regularly run automated vulnerability scanning tools against all networked devices, and any identified vulnerabilities should be remedied within an agreed time frame. Furthermore, organisations should maintain their situational awareness of the threats and vulnerabilities they face.

Policies and procedures defining and supporting the configuration control and change management requirements should be produced for all ICT systems, including software. Furthermore, business requirements for user access to input/output devices and removable media ought to be assessed, and ports and system functionality that the business does not need should be disabled.

A white list of authorised applications, detailing which software may be executed on ICT systems, should be created and maintained by the organisation. In addition, ICT systems need to be capable of preventing the installation and execution of unauthorised software and applications by employing process execution controls and software application arbiters, and by only accepting code that is signed by trusted suppliers.

Minimum system rights and permissions should be assigned to users, according to their business requirements. Users with standard privileges should be prevented from installing or disabling any software or service running on the system.
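The inventory, baseline-build and patch-timeframe controls described above can be reconciled automatically. The following is an added example, not code from the original text or from any of the reports it cites; the hosts, the approved baseline and the per-tier patch timeframes are constructed values, and the version-comparison rule is an assumption that suits the sample version strings.

```python
"""Reconcile a host software inventory against a secure baseline build.

Added example (not from the original text). It checks each host's installed
software against an approved-software baseline and the patch timeframe agreed
for the host's risk tier, flagging software that is not authorised (to be
removed or formally approved as a deviation) and authorised software that is
still below the patched version. All data below is constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class BaselineEntry:
    name: str
    min_version: str    # lowest version that carries the current fixes
    fix_released: date  # when that fixed version became available


@dataclass
class Host:
    hostname: str
    tier: str                                      # "critical" or "standard"
    installed: dict = field(default_factory=dict)  # software name -> version


# Agreed patch timeframe (days after the fix shipped) per risk tier; constructed.
SLA_DAYS = {"critical": 14, "standard": 30}

# Constructed baseline: the only software permitted on these servers.
BASELINE = {e.name: e for e in (
    BaselineEntry("openssl", "1.0.1h", date(2014, 6, 5)),
    BaselineEntry("dbserver", "5.6.19", date(2014, 5, 30)),
    BaselineEntry("sshd", "6.6p1", date(2014, 3, 16)),
)}

# Constructed inventory, as an automated discovery tool might export it.
HOSTS = [
    Host("db01", "critical", {"openssl": "1.0.1g", "dbserver": "5.6.19",
                              "sshd": "6.6p1", "torrent-client": "1.2"}),
    Host("web01", "standard", {"openssl": "1.0.1g", "sshd": "6.5p1"}),
]


def version_key(version):
    """Split '1.0.1h' into comparable tokens: numbers compare numerically,
    letter runs alphabetically, so 1.0.1g < 1.0.1h and 6.5p1 < 6.6p1."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def audit_host(host, baseline=BASELINE, today=date(2014, 7, 1)):
    """Return (hostname, software, finding, days_since_fix) tuples for one host."""
    findings = []
    for name, version in sorted(host.installed.items()):
        entry = baseline.get(name)
        if entry is None:
            # Not on the authorised list: remove it, or get a deviation approved.
            findings.append((host.hostname, name, "UNAUTHORISED", None))
        elif version_key(version) < version_key(entry.min_version):
            age = (today - entry.fix_released).days
            state = ("UNPATCHED_OVERDUE" if age > SLA_DAYS[host.tier]
                     else "UNPATCHED_IN_SLA")
            findings.append((host.hostname, name, state, age))
    return findings


def audit_estate(hosts=HOSTS, **kwargs):
    """Findings for every host, keyed by hostname."""
    return {h.hostname: audit_host(h, **kwargs) for h in hosts}


if __name__ == "__main__":
    for hostname, findings in audit_estate().items():
        for _, software, state, age in findings:
            suffix = "" if age is None else f" ({age} days since fix shipped)"
            print(f"{hostname}: {software} {state}{suffix}")
```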

6.1.5 Network security

Connecting to untrusted networks results in the exposure of the corporate network to attacks that seek to compromise the confidentiality, integrity and availability of Information and Communications Technologies (ICT) and the information which they store and process. This can be prevented by developing policies and risk management approaches to protect corporate networks by applying security controls that are commensurate with the risks that have been identified and the organisation’s risk appetite (United Kingdom Department for Business Innovation and Skills, 2012).

Networks need to be protected against threats stemming from within the organisation as well as from outside it. The level to which the networks are protected should be considered in the context of the organisation’s risk appetite, risk assessment and corporate security policies (United Kingdom Department for Business Innovation and Skills, 2012).

An architectural strategy should promote layers of security, to increase the time and resources an attacker needs to penetrate multiple barriers. This defence-in-depth approach is similar to an architectural fortress of high walls and armed guards behind a protective moat. Although no single barrier affords sufficient protection in isolation, layering firewalls with antivirus software, combined with intrusion detection and prevention systems, can go a long way towards repelling many types of attack (Boulton & Knapp, 2006).

Organisations which fail to suitably protect their networks could find themselves subjected to a number of risks. Information could be compromised by attackers (internal and external) through poor network design, potentially affording adversaries the opportunity to conduct unauthorised releases of sensitive information (United Kingdom Department for Business Innovation and Skills, 2012).

Inappropriate boundary security controls could lead to the import of malware, and the resultant compromise of business systems. Furthermore, network users could deliberately or accidentally release malware or other malicious content to business partners, or the general public, via network connections which are poorly designed and managed (United Kingdom Department for Business Innovation and Skills, 2012).

Networks which are connected to untrusted networks (such as the internet) are exposed to denial of service attacks, where access to services and information is denied to legitimate users, compromising the availability of the system or service (United Kingdom Department for Business Innovation and Skills, 2012).

The organisation’s reputation could be harmed and customer confidence impacted if attackers successfully compromise the network, causing damage to internally and externally facing systems and information (United Kingdom Department for Business Innovation and Skills, 2012).

It can take years to develop a good reputation in the marketplace and only moments for it to be tarnished as a result of a breach. Studies conducted by the Ponemon Institute and Javelin Strategy & Research have shown that many consumers have diminished confidence in an organisation’s ability to protect and manage personal data following a breach, and will be less likely to do business, or continue doing business, with it in the future. Whilst there is yet to be a widely accepted method of quantifying the reputational impact of a hacktivist attack, there is consensus that the type of attack and type of company play a role in its severity. For example, financial services, healthcare and retail are three industries frequently targeted by cyber criminals, given that these industries are entrusted with, and responsible for, a wealth of personally identifiable information, including health records, credit card numbers and identity numbers, among others. A breach of any of this information can severely impact customers’ trust and have significantly greater reputational consequences (Advisen, 2012).

By producing, implementing and maintaining network security policies that align with the organisation’s broader information risk management policies and objectives, the risk can be managed. Recognised network design principles should be followed to define the necessary qualities for the perimeter and internal network segments, and to ensure that all network devices are configured to the secure baseline build (United Kingdom Department for Business Innovation and Skills, 2012).

The network perimeter should be policed with limited access to network ports, protocols and services, and all traffic at the network perimeter should be filtered and inspected to ensure that only traffic which is required to support the organisation is being exchanged. Inbound and outbound network connections should be controlled and managed, and technical controls to scan for malware and other malicious content deployed. Firewalls should be deployed to form a buffer zone between the untrusted external network and the internal network utilised by the organisation. The firewall rule set should deny traffic by default, with a white list applied that permits only authorised protocols and ports to communicate with authorised networks and network addresses. This reduces the exposure to network-based attacks.

Protocols that transmit sensitive information in clear text remain an issue for many organisations, despite secure replacements for many of these protocols having existed for several years. These protocols are widely known to be vulnerable to passive and active attacks, from simple eavesdropping to session theft (Trustwave Holdings Incorporated, 2013).

In addition to the above, anti-virus and malware checking solutions with heuristic and signature-based capabilities should be deployed to examine both inbound and outbound data at the perimeter (in addition to internal networks and host systems). The solutions utilised at the perimeter should be different from those protecting internal networks and systems, in order to provide additional depth of defence (United Kingdom Department for Business Innovation and Skills, 2012).

In order to protect the internal network, it should be ensured that there is no direct connectivity between internal systems and those hosted on untrusted networks. The exposure of sensitive information should be limited, and network traffic monitored to detect and react to attempted and actual network intrusions. Network assets should be segregated: critical business information assets and services should be identified, grouped and isolated, and appropriate network security controls applied to them. Another practice which will contribute to the security of the internal network is permitting wireless devices to connect only to trusted wireless networks. All wireless access points should be secured, and security scanning tools should have the ability to detect wireless access points. Capabilities to prevent internal protocol addresses from being exposed to external networks and attackers should be implemented. In addition, it should be ensured that it is not possible to route network traffic directly from untrusted networks to internal networks. Furthermore, administrator access to any network component should only be carried out over dedicated network infrastructure and secure channels, utilising communication protocols that support encryption. It is important that exception handling processes ensure that error messages returned to internal or external systems do not include sensitive information that may be useful to attackers. Network intrusion detection and prevention tools should be utilised and configured by qualified staff in order to monitor network traffic for unusual or malicious incoming and outgoing activity which could be indicative of an attack, or an attempted attack (United Kingdom Department for Business Innovation and Skills, 2012).

Network access control devices, such as routers and firewalls, are often implemented and configured incorrectly. Analysis reflects that organisations not only implement the incorrect type of device in order to save money, but also implement it with seeming disregard for established security practices. Furthermore, access control rules that permit all protocols for all systems were commonly seen; these essentially render filtering devices useless. In addition, many configurations also ignore any kind of egress filtering, which can allow virus or worm propagation and provide an attacker with an easy exfiltration channel (Trustwave Holdings Incorporated, 2013).
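The rule-set weaknesses just described (no default deny, permit-all rules, no egress filtering, clear-text protocols permitted) can be checked mechanically before a device goes live. The following is an added example, not code from the original text or from the Trustwave report; the rule format and both rule sets are constructed, and the list of clear-text services is an assumption limited to well-known ports.

```python
"""Audit a perimeter firewall rule set for the weaknesses described above.

Added example (not from the original text). It checks an ordered rule set
for: a missing explicit default-deny rule, permit-all rules that make the
device useless as a filter, absent egress (outbound) filtering, and
permitted TCP services that carry credentials or data in clear text.
The two rule sets below are constructed: a weak one and a hardened one.
"""
from dataclasses import dataclass
from typing import Union

ANY = "any"

# TCP services that transmit credentials or data in clear text.
CLEARTEXT_TCP = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap", 513: "rlogin"}


@dataclass(frozen=True)
class Rule:
    direction: str              # "inbound" or "outbound"
    action: str                 # "permit" or "deny"
    src: str = ANY              # source address/network, or "any"
    dst: str = ANY              # destination address/network, or "any"
    proto: str = ANY            # "tcp", "udp", "icmp" or "any"
    port: Union[int, str] = ANY

    def matches_everything(self):
        return (self.src == ANY and self.dst == ANY
                and self.proto == ANY and self.port == ANY)


def audit_ruleset(rules):
    """Return (direction, code, detail) findings; an empty list means clean."""
    findings = []
    for direction in ("inbound", "outbound"):
        dir_rules = [r for r in rules if r.direction == direction]
        permits = [r for r in dir_rules if r.action == "permit"]

        # Rules are evaluated in order: the last one must be an explicit deny-all.
        if not dir_rules or not (dir_rules[-1].action == "deny"
                                 and dir_rules[-1].matches_everything()):
            findings.append((direction, "NO_DEFAULT_DENY",
                             "rule set does not end with deny any any"))

        # Outbound traffic must be restricted too; otherwise the device offers
        # no egress filtering, so worms spread freely and exfiltration is easy.
        if direction == "outbound" and all(r.matches_everything() for r in permits):
            findings.append((direction, "NO_EGRESS_FILTERING",
                             "no outbound permit restricts protocol, port or destination"))

        for r in permits:
            if r.matches_everything():
                findings.append((direction, "PERMIT_ALL", "permit any any: filtering disabled"))
            if r.proto == "tcp" and r.port in CLEARTEXT_TCP:
                findings.append((direction, "CLEARTEXT_PROTOCOL",
                                 f"{CLEARTEXT_TCP[r.port]} (tcp/{r.port}) permitted to {r.dst}"))
    return findings


def finding_codes(findings):
    return {code for _, code, _ in findings}


# Constructed weak rule set of the kind the text describes.
WEAK_RULES = [
    Rule("inbound", "permit", dst="10.0.1.5", proto="tcp", port=23),
    Rule("inbound", "permit"),                   # permit any any
]                                                # and no outbound rules at all

# Constructed hardened rule set: default deny, explicit white list, egress filtered.
HARDENED_RULES = [
    Rule("inbound", "permit", dst="10.0.1.10", proto="tcp", port=443),
    Rule("inbound", "permit", src="10.0.9.0/24", dst="10.0.1.10", proto="tcp", port=22),
    Rule("inbound", "deny"),
    Rule("outbound", "permit", src="10.0.1.0/24", proto="tcp", port=443),
    Rule("outbound", "permit", src="10.0.1.0/24", dst="10.0.1.53", proto="udp", port=53),
    Rule("outbound", "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = audit_ruleset(rules)
        print(f"{name}: {len(found)} finding(s)")
        for direction, code, detail in found:
            print(f"  {direction} {code}: {detail}")
```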

Alerts generated by these tools should be promptly managed by appropriately qualified staff. Regular penetration tests of the network infrastructure should be conducted, including simulated cyber-attack exercises, to ensure that all security controls have been correctly implemented and afford the required levels of security (United Kingdom Department for Business Innovation and Skills, 2012).

Penetration tests go beyond merely identifying vulnerabilities by demonstrating how an attacker can take advantage of them and expose data. Having analysed the results of all the penetration tests it conducted in 2013, Trustwave compiled a list ranked by a combination of how frequently each vulnerability was observed and its severity. Featuring in the top ten internal network penetration test vulnerabilities were weak administrator passwords, shared administrator passwords, accounts across security zones, weak Microsoft SQL passwords and unencrypted storage. Weak administrator passwords also featured in the top ten external network penetration test vulnerabilities (Trustwave Holdings Incorporated, 2013).

Fortunately for the organisation, there are various state-of-the-art technologies which can be implemented to protect sensitive or critical information. Biometric security solutions, which vary in complexity, capabilities and performance, can be used to verify or establish a person’s identity. Leading biometric technologies include facial recognition, fingerprint recognition, hand geometry, iris recognition, retina recognition, signature recognition, vein recognition, DNA fingerprinting, deep tissue illumination and keystroke patterns, amongst others. The utilisation of tokens (a hardware or software device which is carried by, or in the possession of, a computer user) is a secure technology which organisations should consider. The token stores an electronically recorded and encrypted password; alternatively, it may have an on-board processor which can store and retrieve such a password when required. Cryptography has a variety of purposes and requires different kinds of key management for its three applications in communications, storage and digital signatures. In communications, cryptography is used to protect information whilst in transit, when it is particularly vulnerable because transmitters and receivers typically do not control the communication route. This application requires short-term protection: the information is encrypted before it is transmitted and decrypted upon arrival. Senders’ systems may generate keys, or receive keys from the intended receiver, for short-term use (Kumar & Singh, 2011).

6.1.6 Managing user privileges

Users’ access privileges to information and communications technologies should be managed so as to allow only the privileges required to carry out their duties, a principle referred to as ‘least privilege’ (United Kingdom Department for Business Innovation and Skills, 2012). In order to minimise exposure to such risks, the organisation should effectively manage user privileges on the basis of ‘least privilege’ (i.e. the practice of limiting access to the minimal level that will allow normal functioning). This is done through the establishment of effective account management processes: corporate processes and procedures that manage and review user accounts from their creation, through modification, to their eventual deletion (when an employee leaves the organisation). Unused or dormant accounts (possibly created for temporary staff or for testing purposes) should be removed or suspended. Data consistently demonstrates the value of reviewing user accounts on a regular basis. The review should consist of a formal process to confirm that active accounts are valid, necessary, properly configured and given appropriate (preferably least) privileges (Internet Security Alliance, 2013).

In order to subscribe to the above principle, organisations should understand what access to information, services and resources employees require in order to carry out their jobs (United Kingdom Department for Business Innovation and Skills, 2012).

Failure to effectively manage privileges could result in the misuse of privileges, where users misuse the privileges assigned to them to deliberately or accidentally compromise information and communications technologies. An example would be making unauthorised changes to the configuration of systems, resulting in a loss of the confidentiality, integrity or availability of information or of information and communications systems. Ill-managed privileges may also increase attacker capability, as compromised user accounts can be used by attackers to carry out their attacks; if permitted to do so, attackers will return and reuse the compromised account on numerous occasions (bearing in mind that the system privileges assigned to the compromised account will be available to the attacker), or may even sell the access to others. Attackers thus seek access to root or administrative accounts in order to gain full access to all system information, services and resources (United Kingdom Department for Business Innovation and Skills, 2012).

Furthermore, another potential exposure facing an organisation which fails to properly manage user privileges is the negation of established security controls. Attackers who have gained access to information and communications systems will attempt to cover their tracks by making changes to security controls or deleting accounting and audit logs, in an attempt to ensure that their activities are not detected (United Kingdom Department for Business Innovation and Skills, 2012).

The number of privileged accounts, for roles such as system administrators, should be limited and strictly controlled to ensure that this type of account is not used for high-risk or day-to-day activities, e.g. to gain access to external e-mail or browse the internet. Administrators should be provided with normal accounts for business use. Furthermore, the requirement to hold a privileged account should be reviewed more frequently than that for standard user accounts (United Kingdom Department for Business Innovation and Skills, 2012).

When limiting user privileges, organisations should assign rights and permissions only to those systems, services, information and resources which are required to fulfil the user’s business role. Furthermore, the organisation should monitor all users’ activity, particularly with regard to access to sensitive information and the use of privileged account actions, such as the creation of new user accounts, changes to user passwords, or the deletion of accounts and audit logs.

Relationships with third party service providers should be carefully monitored and managed, particularly where they have access to the organisation’s data (CRO Forum, 2014). Third parties’ access rights should also be governed by the organisation’s policy.

Policies and standards for user identification and access control should be established, and corporate policy should mandate the quality and lifecycle of user passwords. Ideally, passwords should be random passwords generated by machine; where this is not possible, complexity rules should be enforced by the system. Some information and communication technologies require an additional authentication factor, such as a physical token. Again, it is reiterated that access controls should be determined according to business requirements and ‘least privilege’.

Along with changing default credentials, organisations should ensure that passwords are unique and not shared among users or used on different systems. The use of shared credentials has resulted in a number of breaches. This is especially problematic for assets managed by a third party (Internet Security Alliance, 2013).

Corporate policy should also establish a personnel screening process, whereby users undergo pre-employment screening to a level commensurate with the sensitivity of the information to which they will have access.

In addition to the above, access to the audit system and system activity logs should be limited, with activity logs from network devices being sent to a dedicated accounting and audit system which is separate from the core network. Furthermore, access thereto should be strictly controlled, in order to preserve the integrity and availability of the content. Privileged user access should be recorded by the organisation.
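The periodic account review described in this section (dormant and leaver accounts, privileged accounts used for day-to-day work, more frequent review of privileged accounts, and credentials shared between accounts) can be driven from a directory export. The following is an added example, not code from the original text or the reports it cites; the export format, the usernames, the hash values and the policy thresholds are constructed.

```python
"""Periodic user account review of the kind the text describes.

Added example (not from the original text). It walks a constructed export of
user accounts and flags what a review should catch: accounts of leavers still
enabled, dormant accounts, privileged accounts used for day-to-day work (a
mailbox on an admin account), privileged accounts whose review is overdue, and
one password shared across several accounts. All thresholds and account data
are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    employment: str            # "active", "leaver", "temporary" or "test"
    privileged: bool
    enabled: bool
    last_logon: Optional[date]
    last_review: date          # when the account's need and rights were last confirmed
    mailbox_enabled: bool      # e-mail/web use from this account
    pw_hash: str               # exported hash; equal values mean one shared password
                               # where the hash is unsalted (as NT hashes are)


POLICY = {
    "dormant_days": 90,
    # Privileged accounts are reviewed more often than standard ones.
    "review_days": {True: 30, False: 180},
}


def review_accounts(accounts, today, policy=POLICY):
    """Return (username, code, detail) findings for enabled accounts."""
    findings = []
    by_hash = defaultdict(list)
    for a in accounts:
        if not a.enabled:
            continue                      # already suspended; deletion is a separate step
        by_hash[a.pw_hash].append(a.username)
        if a.employment == "leaver":
            findings.append((a.username, "LEAVER_ENABLED", "employee has left"))
        if a.last_logon is None or (today - a.last_logon).days > policy["dormant_days"]:
            findings.append((a.username, "DORMANT",
                             f"no logon in {policy['dormant_days']} days"))
        if a.privileged and a.mailbox_enabled:
            findings.append((a.username, "PRIVILEGED_DAY_TO_DAY",
                             "admin account has a mailbox; issue a normal account"))
        if (today - a.last_review).days > policy["review_days"][a.privileged]:
            findings.append((a.username, "REVIEW_OVERDUE", f"last reviewed {a.last_review}"))
    for users in by_hash.values():
        if len(users) > 1:                # the same password behind several accounts
            for u in users:
                findings.append((u, "SHARED_CREDENTIAL",
                                 "shared with " + ", ".join(sorted(users))))
    return findings


def summarise(findings):
    """Map each username to the set of finding codes raised against it."""
    out = defaultdict(set)
    for user, code, _ in findings:
        out[user].add(code)
    return dict(out)


# Constructed directory export; the review is run on 2014-07-01.
ACCOUNTS = [
    Account("jsmith", "active", False, True, date(2014, 6, 28), date(2014, 3, 1), True, "h1"),
    Account("jsmith-adm", "active", True, True, date(2014, 6, 30), date(2014, 5, 15), True, "h2"),
    Account("svc-backup", "active", True, True, date(2014, 6, 30), date(2014, 6, 20), False, "h2"),
    Account("tmp-audit", "temporary", False, True, date(2014, 1, 10), date(2014, 1, 1), False, "h3"),
    Account("pbrown", "leaver", False, True, date(2014, 6, 1), date(2014, 6, 1), True, "h4"),
    Account("old-test", "test", False, False, None, date(2013, 1, 1), False, "h5"),
]

if __name__ == "__main__":
    for user, code, detail in review_accounts(ACCOUNTS, date(2014, 7, 1)):
        print(f"{user:12} {code:22} {detail}")
```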

All users should be aware of the organisation’s policy regarding acceptable account usage, of their personal responsibility to adhere to corporate security policies, and of the disciplinary measures which will be applied for failure to follow policy.

Authentication provides the security around the ascertainment of identity. This is an important response in dealing with identity crime, because it focuses on preventing the assumption of identity, which is a key aspect of identity theft (Holm, 2012; United Kingdom Department for Business Innovation and Skills, 2012).

6.1.7 Incident Management

Unfortunately, in today’s cyber era, it is inevitable that all organisations will experience an information security incident at some point. Such incidents will vary in their impact upon the organisation. Establishing effective incident management policies and processes will therefore assist in improving the organisation’s resilience, support business continuity, improve customer and stakeholder confidence, and reduce any financial impact on the organisation (United Kingdom Department for Business Innovation and Skills, 2012).

In order to ensure that the organisation has sound processes for detecting and responding to cyber-attacks, it is of paramount importance that responsibility for incident management is clearly defined. Incident response plans should include an escalation procedure, a communication plan, an incident response and an associated response time threshold, a recovery plan, as well as details of scenario testing of potential threats in order to ensure that the incident response is sufficiently robust and regularly tested (CRO Forum, 2014).

Given the resources expended to create event logs, the data procured should be utilised by the organisation as much as possible. Processes that provide sensible, efficient and effective monitoring and response are critical to protecting information. Event logs can help to form a rich data set for detecting, preventing and investigating breaches (Internet Security Alliance, 2013). Databases of cyber incidents should include near-miss and minor events, in order to provide the organisation with a broader understanding of its potential vulnerabilities and to tailor security controls and capacities accordingly (CRO Forum, 2014).

Research suggests that organisations would be better served by focusing less on “real-time” methods of detection and more on “this-week” methods. Shifting the compromise-to-discovery time frame from weeks and months to days could significantly reduce the damage from a breach. This switch does not necessarily pose any increased financial burden, as a simple script to count log lines or log length and send an alert if the count is out of tolerance could be quite effective (Internet Security Alliance, 2013).
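The “count log lines and alert if out of tolerance” script mentioned above can be made robust with very little code. The following is an added example, not the script the cited report had in mind; the daily line counts are constructed, and the tolerance rule (median and median absolute deviation per weekday, with a minimum relative band) is an assumption chosen so that a single abnormal day does not distort the baseline.

```python
"""Daily log-volume tolerance check: the "this-week" detection the text mentions.

Added example (not from the original text). It keeps a history of daily log
line counts for one system, builds a robust baseline for the same weekday
(median and median absolute deviation, so one bad day does not skew it), and
raises an alert when today's count falls outside tolerance. A LOW alert
matters as much as a HIGH one: a sudden drop in volume can mean logging was
disabled or an audit log was cleared. The history below is constructed.
"""
from datetime import date, timedelta
from statistics import median


def robust_bounds(samples, k=3.0, min_rel_tol=0.2):
    """Tolerance band around the median: k scaled MADs wide, but never
    narrower than min_rel_tol of the median (identical samples give MAD 0)."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples) * 1.4826   # MAD scaled to ~sigma
    tol = max(k * mad, min_rel_tol * med)
    return med - tol, med + tol


def check_day(history, today_count, today, k=3.0):
    """Compare today's line count with the same weekday's history.
    Returns (status, low, high) with status OK, LOW or HIGH."""
    baseline = [c for d, c in history.items()
                if d.weekday() == today.weekday() and d < today]
    if len(baseline) < 3:                  # too little data: fall back to every day
        baseline = [c for d, c in history.items() if d < today]
    low, high = robust_bounds(baseline, k)
    if today_count < low:
        return "LOW", low, high
    if today_count > high:
        return "HIGH", low, high
    return "OK", low, high


def constructed_history(start=date(2014, 6, 2), days=28):
    """Four weeks of constructed daily counts: busy weekdays, quiet weekends,
    with small deterministic jitter so the MAD is not zero."""
    hist = {}
    for i in range(days):
        d = start + timedelta(days=i)
        base = 12_000 if d.weekday() >= 5 else 50_000
        hist[d] = base + (i * 37) % 900 - 450
    return hist


def alerts(history, observations):
    """Run check_day over (date, count) observations; return those not OK."""
    out = []
    for d, n in observations:
        status, low, high = check_day(history, n, d)
        if status != "OK":
            out.append((d, n, status, round(low), round(high)))
    return out


if __name__ == "__main__":
    hist = constructed_history()
    todays = [(date(2014, 6, 30), 51_200),   # ordinary Monday
              (date(2014, 7, 1), 2_100),     # Tuesday: volume collapsed
              (date(2014, 7, 2), 260_000)]   # Wednesday: five times normal
    for d, n, status, low, high in alerts(hist, todays):
        print(f"{d} ({d.strftime('%a')}): {n} lines -> {status} (band {low}..{high})")
```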

Further analysis of an incident may indicate more severe underlying problems. If organisations fail to implement an incident management capability that can detect, manage and analyse security incidents, a variety of exposures could materialise. For instance, failure on the organisation’s part even to realise that an incident has occurred, and to manage it effectively, could compound the impact of the incident, leading to a long-term outage, serious financial loss and erosion of customer confidence. An organisation that fails to address the root cause of security incidents by remedying the exposed weaknesses in its corporate security architecture could be exposed to persistent and damaging business interruption. Of even greater concern, an incident resulting in the compromise of sensitive information covered by mandatory reporting requirements that are not adhered to could lead to legal or regulatory (or even pecuniary) penalties (United Kingdom Department for Business Innovation and Skills, 2012).

The type and nature of incidents that may occur will largely depend on the organisation’s business profile. Thus, a risk-based approach which considers all business processes should be used to shape the organisation’s incident management plans. The quality and effectiveness of the security policies and standards applied by the organisation will also contribute to preventing incidents. In order to mitigate and minimise these exposures, it is vital that the organisation’s board of directors understand the risks and benefits of incident management, and provide appropriate support and funding to resource it and lead its delivery. The resources and funding required to develop, deliver and maintain an organisation-wide incident management capability, which can address the full range of incidents that could occur, should be identified. The supporting processes and plans should be risk based and take into account any legal and regulatory reporting, or data accountability, requirements.

The incident response team may require specialist knowledge, as well as expertise across a number of technical and non-technical areas. Thus, the organisation should identify recognised sources of specialist incident management training in order to maintain its skill base. Over and above this, the organisation needs to appoint, and empower, specific individuals to handle information and communications technology incidents, and provide them with clear terms of reference to manage any type of incident which may occur. The required roles and responsibilities of these individuals should be clearly defined (United Kingdom Department for Business Innovation and Skills, 2012). The Chief Risk Officer plays a pivotal role within the organisation, collaborating with cross-functional internal stakeholders (including members of the board and executive) to promote awareness, communication and understanding in support of effective management of cyber risk (CRO Forum, 2014).

A data recovery capability should be established to ensure that a systematic approach is followed in response to an incident and that the corporate information asset base is backed up. Backup media should be held at physically secure locations on-site and off-site (wherever possible), and the ability to recover archived data for operational use should be tested on a regular basis (United Kingdom Department for Business Innovation and Skills, 2012).

Sixty-eight percent of respondents in the 2011 Advisen survey indicated that they had a disaster recovery plan in place. A larger portion of the larger organisations which participated in the survey had such a plan (79%), as opposed to 55% of the smaller entities engaged (Advisen Limited, 2011).

Regular testing of all plans supporting security incident management, including disaster recovery and business continuity, should be undertaken. The outcome of these tests should be utilised to inform the development, and gauge the effectiveness, of incident management plans.

Decision making regarding the access and sharing of information bound by specific legal and regulatory requirements should be given careful consideration. Organisations may have to report any incidents that affect the status of that information, within a specific time frame. All internal and external reporting requirements should be clearly identified in the organisation’s incident management plans.

Post-incident evidence should be collected and analysed, as the preservation and analysis of the user or network activity that led up to the event is critical to identify and remedy the root cause of the security incident. The evidence collected could potentially support any follow on disciplinary or legal action. Thus, the organisation’s incident management policy needs to set out clear guidelines to follow and comply with a recognised code of practice.

Furthermore, the actions taken during an incident should be logged, and the performance of the incident management process post incident (or following a test) should be reviewed in order to assess which aspects worked well, and what improvements should be made. The organisational response should be reviewed and any related security policy, process or user training which could have prevented the occurrence of the incident, should be updated.

Users should be aware of their responsibilities, as well as the procedures which they should follow to report and respond to an incident. Furthermore, users should be encouraged to report any security weaknesses or incidents as soon as possible, without fear of recrimination.

Online crimes should be reported to the relevant law enforcement agency, in order to build a clearer view of the national threat landscape and to deliver an appropriate response (United Kingdom Department for Business Innovation and Skills, 2012).

For immediate or realised risks, some organisations determine the appropriate response to a cyber-incident according to where the particular incident can be categorised along what they call the “Cyber Kill Chain”. The “Cyber Kill Chain” is a model which recognises that, for most attacks to succeed, an adversary has to proceed through a series of seven steps within three phases: incident prevention, incident detection and incident response. Under incident prevention, the attacker carries out reconnaissance by researching the target, and weaponisation follows through identifying vulnerabilities and creating the relevant malware. During incident detection, the exploitation phase sees malware exploiting vulnerabilities and being installed on target systems. Thereafter, during the incident response phase, the command and control step sees the attacker gaining control of the system and/or data. Lastly, actions on intent are carried out, with movement and exfiltration being effected (Internet Security Alliance, 2013).

Figure 12: “Cyber Kill Chain” – Incident Contextualization for Incident Mitigation / Response

Note. From “Sophisticated Management of Cyber Risks”, p. 20, by Internet Security Alliance, 2013, United States of America.

Examining incidents using this model allows the two companies to gauge how close the adversary is to achieving its objective, as well as their costs to contain and remediate the attack. As the arrow in the figure indicates, as a would-be attacker accomplishes more and more steps along this kill chain, a company’s risk and cost increase (Internet Security Alliance, 2013).

6.1.8 Malware Prevention

Information exchanges carry a degree of risk, as they could expose the organisation to malicious code and content (malware), which pose a serious threat to the confidentiality, integrity and availability of an organisation’s information and of the information and communications technologies on which it is hosted. Malware infections can result not only in the disruption of business services, but also in unauthorised access to sensitive information, material financial loss and legal or regulatory sanctions. There is a vast range of opportunities for malware to be imported, given the range, volume and originators of information exchanged with the organisation and the technologies which support them.

161

E-mail still provides the primary path for internal and external information exchange and can be utilised for targeted or random attacks (phishing) through malicious file attachments which release their payload when the file is opened, or contain embedded links that redirect the recipient to a website that then downloads malicious content.

Uncontrolled browsing and access to social media websites and applications provide prime opportunities for attackers to direct malicious content to an individual user, or lead to the download of malicious content from a compromised or malicious website. Removable media and personal devices expose the organisation to malware potentially being transferred to the information and communications system.

The exposures detailed above can be reduced by implementing suitable security controls. Corporate policies, standards and procedures that deliver the overall risk management objectives, but also directly address the business processes that are vulnerable to malware, should be developed and implemented. A top-level corporate approach to managing the risk of malware that is applicable and relevant to all business areas should be established across the organisation.

Another security control which should be implemented is an anti-virus solution which regularly and actively scans for malware in order to protect all host and client machines. Furthermore, all electronic data imports and exports should be scanned for malicious content. Anti-virus and malicious code checking solutions with heuristic and signature-based capabilities should be deployed to continuously scan inbound and outbound objects at the perimeter, on internal networks and on host systems, preferably utilising different products at each layer. This will increase detection capabilities whilst also reducing the risks posed by deficiencies in individual products. Any suspicious or infected objects should be quarantined for further analysis. It is strongly recommended that stand-alone workstations (with no network connectivity), equipped with two anti-virus products, be utilised to scan the content contained on any type of media. In addition, each scan should ideally be traceable to an individual. Every network component should be regularly scanned, and security patches applied in compliance with the organisation’s patching and vulnerability management policy (United Kingdom Department for Business Innovation and Skills, 2012).

Anti-virus software should be consistently updated. The Verizon Security Service study found that for every vulnerability which was exploited by hacking and malware attacks in 2008, the patch necessary to prevent the breach had been available for at least six months prior to the incident. Furthermore, it was found that organisations were not patching often enough, with patch cycles well below the six month mark (Internet Security Alliance, 2013).

It should also be ensured that the perimeter gateway utilises blacklisting in order to block access to known malicious websites (United Kingdom Department for Business Innovation and Skills, 2012). Internet Protocol blacklisting should also be utilised: organisations should consider blocking large address blocks or regions where these have no legitimate business purpose (Internet Security Alliance, 2013).

Application “whitelisting” can also be utilised in order to prevent malicious software and other unapproved programs from running. Rather than trying to identify and block malicious software, which creates the possibility that previously unknown attacks will not be stopped, using a “whitelist” means that only approved programs can run on a machine. This step eliminates much of the risk from malware (Internet Security Alliance, 2013). Organisations should ensure that firewalls are installed on host and gateway devices, and configured to deny traffic by default, only allowing connectivity associated with known whitelisted applications (United Kingdom Department for Business Innovation and Skills, 2012).
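
The two preceding paragraphs describe complementary controls: blacklisting known-bad destinations and address ranges at the gateway, and a default-deny stance in which only whitelisted applications may communicate. The following Python block is an added illustration of how a gateway policy can combine them (it is not code from the thesis or from the guidance it cites); the application hashes, approved ports, blocked domains and blocked address ranges are all constructed placeholders.

```python
"""Default-deny gateway policy: allowlisted applications, then IP and domain blocklists.

Added example, not code from the thesis or from the guidance it cites. The
application hashes, domains, address ranges and port rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders standing in for the SHA-256 of approved executables.
BROWSER_HASH = "a" * 64
MAIL_HASH = "b" * 64

# Application allowlist: anything not listed is refused before any other check.
APPROVED_APPS = {BROWSER_HASH: "browser", MAIL_HASH: "corp-mail-client"}

# Destination ports each approved application may use (assumed policy).
APP_PORTS = {"browser": {80, 443}, "corp-mail-client": {443, 993}}

# Known-malicious domains and address ranges with no business purpose (constructed;
# the ranges are documentation prefixes, not real blocklist entries).
BLOCKED_DOMAINS = {"bad.example", "malware-drop.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]


@dataclass
class Connection:
    app_hash: str             # hash of the executable that opened the connection
    dest_ip: str
    dest_host: Optional[str]  # resolved name, if the gateway saw one (SNI/Host/DNS)
    port: int


def domain_blocked(host: str) -> bool:
    """Match the exact domain or any subdomain of a blocklisted entry."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def evaluate(conn: Connection) -> tuple:
    """Return ("allow" | "deny", reason). Default is deny: a flow passes only if every
    positive condition holds and no blocklist matches."""
    app = APPROVED_APPS.get(conn.app_hash)
    if app is None:
        return "deny", "application not on allowlist"
    if conn.port not in APP_PORTS[app]:
        return "deny", f"port {conn.port} not permitted for {app}"
    if conn.dest_host and domain_blocked(conn.dest_host):
        return "deny", f"destination domain {conn.dest_host} is blocklisted"
    addr = ipaddress.ip_address(conn.dest_ip)
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return "deny", f"destination {conn.dest_ip} falls in blocked range {net}"
    return "allow", f"{app} permitted to {conn.dest_ip}:{conn.port}"
```

The order of the checks is the point: the allowlist is consulted first, so an unapproved program is refused even towards a benign destination, and the blocklists then cut off the approved programs' access to destinations with no business purpose.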

Given the ability of malware to attack any system process or function, security architecture principles should be adopted in order to provide multiple layers of defence (defence in depth). The following controls are considered essential to managing malware risks (United Kingdom Department for Business Innovation and Skills, 2012).

Content filtering capabilities should be deployed on all external gateways in an attempt to prevent attackers delivering malicious code to the common desktop applications utilised by the user, with the web browser being a prime example. Furthermore, content filtering also assists in countering risks from a compromised information release mechanism or authorisation process which may allow sensitive data to be sent to external networks.

Applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers should be patched given that these applications are in daily use in most companies (Internet Security Alliance, 2013). As noted under the security configuration section above, patching systems against known vulnerabilities is one measure of good corporate governance (United Kingdom Department for Business Innovation and Skills, 2012). Patching closes off avenues that hackers will otherwise exploit. Software companies send patches to rectify or eliminate exploitable flaws or weaknesses in a system’s design or operation found after it was sold. Often, patches are developed in response to the discovery of a successful hack. A failure to install the patch leaves systems vulnerable. Most organisations already have some kind of patching system in place, but research suggests that even with these systems, 5% to 10% of computers will ‘miss’ a patch. This means that mitigation works if it is paired with monitoring (Internet Security Alliance, 2013).

Again, as noted in the above section regarding security configuration, operating system vulnerabilities should also be patched, for the same reasons as cited above. All operating systems have potential vulnerabilities: when software companies find and offer a fix, not applying that fix leaves users susceptible to criminals and foreign intelligence agencies, who expend considerable effort to find and exploit these ‘holes’ (Internet Security Alliance, 2013).
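
The patching discussion above ends with the observation that mitigation only works when it is paired with monitoring, since a share of machines will miss a patch. The Python block below is an added example of that monitoring step (not code from the thesis or its sources): it compares a constructed host inventory against a constructed list of required patches, reports how long each gap has been open, and computes the share of hosts that have missed a patch beyond an assumed grace period.

```python
"""Patch-compliance monitoring: which required patches each host has missed,
how long each gap has been open, and the share of hosts that 'missed' a patch.

Added example, not from the thesis or its sources. Host names, patch ids,
release dates and the grace period are constructed.
"""
from datetime import date

# Required patches and their release dates (constructed).
REQUIRED = {"P-101": date(2013, 1, 8), "P-102": date(2013, 3, 12), "P-103": date(2013, 6, 11)}

# Patches each host reports as installed (constructed inventory).
INVENTORY = {
    "ws-01": {"P-101", "P-102", "P-103"},
    "ws-02": {"P-101", "P-103"},
    "ws-03": {"P-101"},
    "srv-01": {"P-101", "P-102", "P-103"},
    "srv-02": {"P-101", "P-102"},
}

GRACE_DAYS = 30                 # assumed policy: install within 30 days of release
AS_OF = date(2013, 7, 1)        # constructed reporting date


def gaps(installed, today):
    """{patch: days since release} for every required patch the host lacks."""
    return {p: (today - rel).days for p, rel in REQUIRED.items() if p not in installed}


def report(inventory, today):
    """Per host: all missing patches, and those whose gap exceeds the grace period."""
    out = {}
    for host, installed in inventory.items():
        g = gaps(installed, today)
        overdue = {p: d for p, d in g.items() if d > GRACE_DAYS}
        out[host] = {"missing": g, "overdue": overdue}
    return out


def miss_rate(rep):
    """Share of hosts with at least one overdue patch; the figure to watch over time."""
    return sum(1 for r in rep.values() if r["overdue"]) / len(rep)


if __name__ == "__main__":
    rep = report(INVENTORY, AS_OF)
    for host, r in rep.items():
        print(host, "overdue:", r["overdue"])
    print("miss rate:", miss_rate(rep))
```

A patch that is missing but still within the grace period (here P-103 on srv-02) is listed but not counted as a miss, so the rate reflects policy breaches rather than the ordinary rollout lag.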

It is imperative that users understand the risks which malware poses, and the day-to-day secure processes which they need to follow in order to prevent a malware infection from occurring. The security operating procedures for the corporate desktop should include compliance with the removable media policy at all times, and specific mention that attachments to, or hyperlinks in, unsolicited e-mails should not be opened. Removable media received as a gift should not be connected to the corporate network, and neither should unapproved personal devices. The policy should highlight the importance of strange or unexpected system behaviour being reported to the appropriate security team. Furthermore, awareness of how a security incident should be reported should be maintained (United Kingdom Department for Business Innovation and Skills, 2012).

6.1.9 Monitoring

Monitoring of information and communications systems allows organisations to detect attacks and react appropriately, whilst also providing a basis upon which lessons can be learned to improve the overall security of the organisation. Furthermore, monitoring the use of information and communications systems allows the organisation to ensure that systems are being utilised in an appropriate manner, in accordance with organisational policies and procedures. Thus, monitoring is a key capability required in order to comply with security, legal and regulatory requirements (United Kingdom Department for Business Innovation and Skills, 2012).

Monitoring thus affords the organisation insight into how its information and communications systems are being utilised by authorised users, and whether the organisation is being attacked. Without this monitoring functionality, the organisation will not be able to detect attacks, whether originating externally or from within the organisation as a result of deliberate or accidental activity. Furthermore, the organisation’s ability to react to attacks in an appropriate and proportionate manner, so as to minimise the resultant impact on the organisation, will be impaired. In addition, the organisation will lack a comprehensive understanding of how its information and communications systems and information assets are being utilised, and will be unable to enforce user accountability (United Kingdom Department for Business Innovation and Skills, 2012).

Failure to monitor information and communications systems, and their utilisation for specific business processes, could potentially lead to non-compliance with the corporate security policy and with legal or regulatory requirements, or result in attacks being levied without detection (United Kingdom Department for Business Innovation and Skills, 2012).

In order to manage this risk, organisations need to devise and implement strategies, policies, systems and processes to ensure that they are capable of monitoring their information and communications systems, and responding appropriately to attacks. A consistent approach, based on a clear understanding of the risks, needs to be adopted across the organisation. Amongst others, a monitoring strategy, along with supporting policies, should be established and implemented, based on an assessment of the risks facing the organisation. The strategy should take into account any previous security incidents experienced, and align with the organisation’s incident management policies. It should be ensured that the solution selected monitors all networks and host systems through solutions such as Network and Host Intrusion Detection and Prevention Systems, supplemented where required by Wireless Intrusion Detection Systems that work in harmony with the wired Intrusion Detection System. The solution should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect potentially unknown attacks through new or unusual system behaviour.

The organisation should monitor inbound and outbound network traffic traversing network boundaries on a continuous basis in order to identify unusual activity, or trends that could indicate attacks and the compromise of data. The transfer of sensitive data, particularly large data transfers, or unauthorised encrypted traffic should automatically generate a security alert, and prompt a follow up investigation. The analysis of network traffic is a key tool in preventing the loss of data (United Kingdom Department for Business Innovation and Skills, 2012).

Most breaches are not successful when the system is breached but rather when data is captured and exits the system. By monitoring, understanding and controlling outbound traffic, an organisation will greatly increase its chances of mitigating malicious activity (Internet Security Alliance, 2013).
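
The monitoring paragraphs above call for both signature-based and heuristic detection over boundary-crossing traffic, with large outbound transfers and unauthorised encrypted traffic raising alerts, while the kill chain discussion earlier in this section notes that the further along the chain an attacker is, the greater the risk and cost. The Python block below is an added example that serves both passages (it is not code from the thesis or its sources): it runs signature and heuristic rules over a handful of constructed outbound flow records and tags each alert with the kill chain step it most plausibly evidences, so that the furthest stage reached per host can drive response priority. The known-bad address, thresholds, approved ports and flow records are all constructed.

```python
"""Outbound-traffic monitoring over constructed flow records, with each alert
tagged to the kill-chain step it most likely reflects.

Added example, not code from the thesis or its cited sources. Addresses, flow
records, thresholds and the known-bad list are all constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Signature rule: destinations previously attributed to command and control (constructed).
KNOWN_C2 = {"198.51.100.7"}

# Heuristic thresholds (assumed policy values).
EXFIL_BYTES = 50 * 1024 * 1024        # more than 50 MiB out of the network from one host
APPROVED_TLS_PORTS = {443, 993, 995}  # encrypted traffic elsewhere is treated as unauthorised

# Steps named on the page that network telemetry can evidence; a higher rank is
# closer to the attacker's objective and so warrants a faster response.
STAGE_RANK = {"exploitation": 1, "installation": 2,
              "command and control": 3, "actions on objectives": 4}

# Constructed flow records (timestamp, source, destination, port, protocol, bytes sent).
FLOWS = """\
ts,src,dst,dport,proto,bytes_out
2013-05-01T09:00:00Z,10.1.1.5,93.184.216.34,443,tls,20480
2013-05-01T09:05:00Z,10.1.1.5,198.51.100.7,443,tls,1024
2013-05-01T09:06:00Z,10.1.1.5,198.51.100.7,443,tls,1024
2013-05-01T09:30:00Z,10.1.1.5,203.0.113.9,8443,tls,73400320
2013-05-01T09:31:00Z,10.1.1.8,93.184.216.34,80,http,4096
2013-05-01T09:32:00Z,10.1.1.9,203.0.113.4,4444,tls,2048
"""


def analyse(flow_text):
    """Return a list of (host, stage, reason) alerts for outbound flows."""
    alerts = []
    out_by_host = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_text)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src not in INTERNAL or dst in INTERNAL:
            continue  # only outbound, boundary-crossing flows are examined here
        port, nbytes = int(row["dport"]), int(row["bytes_out"])
        out_by_host[row["src"]] += nbytes
        if row["dst"] in KNOWN_C2:  # signature: known attacker infrastructure
            alerts.append((row["src"], "command and control",
                           f"flow to known C2 address {row['dst']}"))
        if row["proto"] == "tls" and port not in APPROVED_TLS_PORTS:  # heuristic
            alerts.append((row["src"], "command and control",
                           f"encrypted traffic on unapproved port {port}"))
    for host, total in out_by_host.items():  # heuristic: volume leaving the network
        if total > EXFIL_BYTES:
            alerts.append((host, "actions on objectives", f"{total} bytes sent externally"))
    return alerts


def furthest_stage(alerts):
    """Per host, the most advanced kill-chain step evidenced by any alert."""
    worst = {}
    for host, stage, _ in alerts:
        if STAGE_RANK[stage] > STAGE_RANK.get(worst.get(host, ""), 0):
            worst[host] = stage
    return worst


if __name__ == "__main__":
    found = analyse(FLOWS)
    for a in found:
        print(a)
    print(furthest_stage(found))
```

Per-host byte totals are accumulated across the whole input before the volume rule fires, which is what lets the rule catch a transfer that is split across many small flows rather than only a single large one.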

The monitoring capability should also include the generation of audit logs capable of identifying unauthorised or accidental input or misuse of technology or data. It is critical that the user is identified, as well as the activity which triggered the alert, and the information which they were trying to access. It should be ensured that monitoring processes are in compliance with legal or regulatory constraints pertaining to the monitoring of user activity. Monitoring systems should be fine-tuned appropriately, to only collect logs, events, and alerts which are relevant in the context of delivering the requirements of the monitoring policy. Inappropriate collection of monitoring information could not only result in breach of data protection and privacy legislation, but could also pose an unnecessary financial expense in terms of storing the audit information, and hinder the efficient detection of real attacks.

A centralised capability that can collect and analyse accounting logs and security alerts from information and communications technologies across the organisation, including user systems, servers, network devices, security appliances, systems and applications, should be developed and deployed. The design and implementation of the centralised solution should not provide an opportunity for attackers to bypass normal network security and access controls.

Given the vast quantities of data which can be generated, security managers should determine the type of information required to satisfy the organisation’s monitoring policy, and ensure that appropriate storage is made available. Furthermore, the organisation will have to lend consideration to the sensitivity of the processed audit logs, and any archiving requirements to satisfy regulatory or legal requirements (United Kingdom Department for Business Innovation and Skills, 2012).

Research has demonstrated that a large number of security breaches have occurred by accessing information for which the target company had no legitimate use. Organisations should establish reasonable data retention policies and only hold data for which there is a reasonable business need. Furthermore, operating with clean data files can reduce risk and increase efficiencies (Internet Security Alliance, 2013).

A centralised and synchronised timing source, which is utilised across the entire organisation to time-stamp audit logs, alerts and events to support incident response, security investigations, and disciplinary or legal actions should be utilised to support the monitoring and analysis of audit logs.
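
The audit logging paragraphs above ask for three things at the point of collection: each record must identify the user, the action and the object accessed; only events relevant to the monitoring policy should be retained; and timestamps must be comparable across sources, which depends on synchronised clocks. The Python block below is an added example of a small central collector that does this (it is not code from the thesis or its sources). The two log formats, the policy event list, the skew tolerance and the collector's reference time are constructed; the second source deliberately has a wrong clock so that the skew check has something to flag.

```python
"""Central log collection: normalise records from two sources to UTC, keep only
the event types the monitoring policy asks for, and flag clock drift.

Added example, not from the thesis or its sources. Log lines, source names,
offsets, the policy event list and the reference time are constructed.
"""
from datetime import datetime, timedelta, timezone

# Events the monitoring policy requires (assumed); everything else is dropped at
# ingest so storage and analyst time go to relevant records only.
POLICY_EVENTS = {"login_failed", "file_read", "privilege_change"}
MAX_SKEW = timedelta(seconds=120)  # assumed tolerance against the central time source

# The collector's own clock at receipt, taken from the synchronised source (constructed).
REFERENCE_NOW = datetime(2013, 5, 1, 7, 1, 30, tzinfo=timezone.utc)

# Source A emits ISO-8601 timestamps with an explicit UTC offset (constructed).
SOURCE_A = """\
2013-05-01T09:00:05+02:00 user=alice action=login_failed object=vpn
2013-05-01T09:00:09+02:00 user=alice action=login_ok object=vpn
2013-05-01T09:01:10+02:00 user=bob action=file_read object=/finance/payroll.xlsx
"""

# Source B is an appliance that logs naive UTC and whose clock runs several
# minutes fast (constructed).
SOURCE_B = """\
2013-05-01 07:10:00 user=carol action=privilege_change object=group:admins
2013-05-01 07:10:30 user=carol action=heartbeat object=-
"""


def parse_a(ts):
    """ISO-8601 with offset -> aware UTC datetime."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def parse_b(ts):
    """'YYYY-MM-DD HH:MM:SS', documented by the vendor as UTC -> aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def ingest(text, parse_ts, source, received_at):
    """Normalise one source's lines; 'clock_suspect' marks records whose own
    timestamp disagrees with the collector's reference clock beyond tolerance."""
    records = []
    for line in text.splitlines():
        *ts_parts, user, action, obj = line.split()   # key=value fields are the last three
        fields = dict(kv.split("=", 1) for kv in (user, action, obj))
        if fields["action"] not in POLICY_EVENTS:
            continue
        ts = parse_ts(" ".join(ts_parts))
        records.append({
            "source": source,
            "ts_utc": ts.isoformat(),
            "user": fields["user"],            # who
            "action": fields["action"],        # what they did
            "object": fields["object"],        # what they touched
            "clock_suspect": abs(received_at - ts) > MAX_SKEW,
        })
    return records


def collect(received_at=REFERENCE_NOW):
    """Merge both sources into one UTC-ordered stream."""
    recs = ingest(SOURCE_A, parse_a, "vpn-gw", received_at)
    recs += ingest(SOURCE_B, parse_b, "appliance-1", received_at)
    recs.sort(key=lambda r: r["ts_utc"])
    return recs


if __name__ == "__main__":
    for r in collect():
        print(r)
```

Records are sorted on the normalised UTC string, so events from the two sources interleave correctly despite their different native formats; the appliance's record is kept but marked, since a flagged timestamp is exactly the kind of discrepancy an investigator would need to know about before relying on the sequence of events.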

It is vital that security personnel should receive appropriate training on the deployment of monitoring capability, as well as the analysis of, and response to, incidents detected by monitoring solutions. Furthermore, processes to test monitoring capabilities should be implemented in order to learn from the security incident, as well as to improve the efficiency of the monitoring capability (United Kingdom Department for Business Innovation and Skills, 2012).

Attackers are targeting the application layer. Nearly half of the breaches Verizon classified as hacking or network intrusion involved SQL injection attacks, cross-site scripting, authentication bypass and exploitation. Web application scanning and testing would have found most of the problems that led to major breaches in the past year. In addition, regular reviews of architecture, privileges and source code are recommended, as is incorporating a Security Development Life-Cycle (SDLC) approach for application development (Internet Security Alliance, 2013).
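
The paragraph above names SQL injection and authentication bypass as the leading application-layer causes of breaches; the kind of defect a source code review under an SDLC is meant to catch is shown below. This Python block is an added example, not code from the thesis or its sources: a user lookup written the unsafe way beside the parameterised form, run against a constructed in-memory SQLite table so that the difference in behaviour can be observed directly.

```python
"""User lookup: string-built SQL beside the parameterised form.

Added example, not from the thesis or its sources; the table, rows and inputs
are constructed. lookup_unsafe is deliberately written the way the page warns
about, so that lookup_safe can be compared against it.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "h1"), ("bob", "h2")])
    return conn


def lookup_unsafe(conn, name, pw_hash):
    # Input is pasted into the statement text, so quote and comment characters in
    # `name` alter the query's structure instead of being treated as data.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw_hash = '{pw_hash}'"
    return [r[0] for r in conn.execute(sql)]


def lookup_safe(conn, name, pw_hash):
    # Placeholders hand the values to the driver separately from the statement;
    # they are never parsed as SQL, so an odd-looking name simply matches no row.
    sql = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return [r[0] for r in conn.execute(sql, (name, pw_hash))]


def demo():
    """Run both forms on the same inputs and return what each one yields."""
    conn = make_db()
    crafted = "alice' --"   # the trailing comment marker discards the password clause
    return {
        "unsafe": lookup_unsafe(conn, crafted, "wrong"),
        "safe": lookup_safe(conn, crafted, "wrong"),
        "legit": lookup_safe(conn, "alice", "h1"),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe form returns a row without the correct credential, which is the authentication bypass the paragraph refers to; the parameterised form returns nothing for the crafted input and still works for a genuine login, so the fix costs no functionality.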

6.1.10 Removable Media Controls

Failure to control or manage the utilisation of removable media could result in material financial loss, the theft of sensitive information, the introduction of malware, as well as the erosion of the organisation’s reputation. It is thus good practice to conduct a cost benefit analysis of the use of removable media, and to devise and apply appropriate security controls (United Kingdom Department for Business Innovation and Skills, 2012).

Utilising removable media to store or transfer significant amounts of information is an everyday organisational process. However, should this action not be controlled and managed by the organisation, the import and export of information using removable media could result in a number of exposures. The physical design of removable media increases the chances of it being misplaced or stolen, potentially compromising the confidentiality and availability of the information stored on the device. Furthermore, uncontrolled usage of removable media increases malware risks, if the media can be utilised on multiple information and communications systems. Certain media devices retain information even after user deletion thereof, which could lead to the unauthorised transfer of information. A loss of sensitive data often attracts media attention which could erode the organisation’s reputation and customer confidence in the organisation. The loss, or compromise, of sensitive information could result in the organisation being subjected to financial penalties (United Kingdom Department for Business Innovation and Skills, 2012).

In order to reduce the exposures introduced by the utilisation of removable media, such devices should only be utilised as a means of last resort. Under normal circumstances, information should be stored on corporate systems and exchanged using appropriately protected and approved information exchange connections. Corporate policies, processes and solutions should be developed and implemented in order to control the use of removable media for the import and export of information. Where the usage of removable media is unavoidable, the organisation should limit the media types which can be utilised, together with the users, systems and types of information which can be stored or transferred thereby. The organisation should ensure that all removable media introduced is actively scanned for malware using an anti-virus solution, thereby protecting all host systems. Furthermore, the removable media policy should ensure that any media brought into the organisation is scanned for malicious content by a standalone media scanner, before any data transfer takes place.

All removable media should be organisation-issued, and individuals held accountable for its secure use and its return for destruction or reuse. Records of holdings and use should be audited. Information stored on removable media should be encrypted to a level proportionate to the value of the information and the risks posed to it. The monitoring strategy deployed by the organisation should include the capability to detect, and react to, unauthorised use of removable media within an acceptable time frame. Appropriate steps should be taken to ensure that, when removable media is to be reused or destroyed, previously stored information will not be accessible. Dependent on the value of the information and the risks posed to it, the process will range from an approved overwriting process to the physical destruction of the media by a third party. It is of paramount importance to ensure that users are made aware of the risks posed to the organisation through the utilisation of removable media, and of their personal responsibility for compliance with the corporate removable media security policy (United Kingdom Department for Business Innovation and Skills, 2012).
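
Both the anti-virus paragraph in 6.1.8 (stand-alone scanning workstations, quarantine of suspicious objects, each scan traceable to an individual) and the removable media paragraphs above (standalone scanning before any transfer, audited records of use) describe the same control. The Python block below is an added example of such a scanning station (it is not code from the thesis or its sources): it hashes every file on the media against a signature list, applies two simple heuristics, moves hits to a quarantine folder and writes an audit record naming the operator. The known-bad hash, sample files, file-type list and operator name are constructed, and the "media" is a temporary directory so the block runs offline.

```python
"""Stand-alone media scanning station: hash every file on mounted media against a
known-bad list, apply simple heuristics, quarantine hits, and write an audit
record naming the operator who ran the scan.

Added example, not code from the thesis or its sources. The known-bad hash, file
names, file-type list and operator are constructed; the media is a temp directory.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Signature list: SHA-256 of samples previously confirmed malicious (constructed).
KNOWN_BAD = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}

# Heuristic: file types a removable-media policy would not expect to import (assumed).
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Return (verdict, detail): signature match first, then heuristics."""
    digest = sha256_of(path)
    if digest in KNOWN_BAD:
        return "infected", f"matches known-bad signature {digest[:12]}"
    ext = os.path.splitext(path.lower())[1]
    with open(path, "rb") as f:
        magic = f.read(2)
    if ext in RISKY_EXT:
        return "suspicious", f"executable or script type {ext}"
    if magic == b"MZ":  # PE header behind a harmless-looking name
        return "suspicious", f"executable header behind {ext or 'no'} extension"
    return "clean", f"sha256 {digest[:12]}"


def scan_media(mount, quarantine, operator):
    """Scan every file under `mount`, move hits to `quarantine`, return the audit record."""
    os.makedirs(quarantine, exist_ok=True)
    findings = []
    for root, _, files in os.walk(mount):
        for fn in sorted(files):
            path = os.path.join(root, fn)
            verdict, detail = classify(path)
            if verdict != "clean":
                shutil.move(path, os.path.join(quarantine, fn))
            findings.append({"file": os.path.relpath(path, mount), "verdict": verdict, "detail": detail})
    record = {
        "operator": operator,  # every scan is traceable to a named individual
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "findings": findings,
        "clean": all(f["verdict"] == "clean" for f in findings),
    }
    with open(os.path.join(quarantine, "scan-log.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Build a constructed media image in a temp directory, scan it, clean up."""
    base = tempfile.mkdtemp()
    mount, quarantine = os.path.join(base, "media"), os.path.join(base, "quarantine")
    os.makedirs(mount)
    samples = {  # constructed contents
        "report.pdf": b"%PDF-1.4 harmless constructed content",
        "invoice.pdf.exe": b"MZ constructed stub",
        "holiday.jpg": b"MZ disguised executable, constructed",
        "sample.bin": b"constructed known-bad sample",
    }
    for name, data in samples.items():
        with open(os.path.join(mount, name), "wb") as f:
            f.write(data)
    record = scan_media(mount, quarantine, operator="j.smith")
    record["remaining_on_media"] = sorted(os.listdir(mount))
    shutil.rmtree(base)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The signature check runs before the heuristics so that a confirmed sample is reported as infected rather than merely suspicious, and the append-only log in the quarantine folder is what later audit of "holdings and use" would draw on.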

6.1.11 Home and Mobile Working

There are great benefits to be enjoyed by both employees and organisations through mobile working. However, mobile working does expose the organisation to risks which may be challenging to manage, given that it extends the corporate security boundary to the user’s location, in all probability across the internet, to devices which may have limited security features. Mobile devices are used in public spaces where there is the potential for them to be overlooked by others, as well as a high vulnerability to theft and loss (United Kingdom Department for Business Innovation and Skills, 2012).

It is thus advisable that organisations develop risk-based policies and procedures that cover all types of mobile devices, as well as flexible working arrangements, in order to effectively manage the risks. Organisations should also plan for an increase in the number of security incidents, and have a strategy to manage the loss, or compromise, of personal and commercially sensitive information, as well as any legal, regulatory or reputational impact which may result therefrom. Due to their attractiveness and value, mobile devices are highly vulnerable to being lost or stolen. Furthermore, from a physical security point of view, mobile devices are often used in open view in locations which do not offer the same level of physical security as the organisation’s own premises.

Given the flexibility and convenience introduced by mobile working, users may work in public spaces where they could be observed when working on their mobile device, potentially compromising personal or commercially sensitive information, or even their user credentials. In the event that user credentials such as username, password or token are stored with a device utilised for remote working, and the device is lost or stolen, the attacker is equipped to compromise the confidentiality, integrity and availability of the organisation’s information and communications technologies. In the event that a device is left unattended, an attacker may attempt to subvert the security controls on the device, through the insertion of malicious software or hardware. This would afford the attacker the ability to monitor user activity on the mobile device, which could compromise the confidentiality or integrity of information.

Users should be trained appropriately in order to ensure that they do not accidentally (or intentionally) remove or reconfigure a security enforcing control on the mobile device, thus compromising the secure configuration. This could result in the device being exposed to a range of logical attacks which could ultimately result in the compromise or loss of any personal or sensitive commercial information stored on the device (United Kingdom Department for Business Innovation and Skills, 2012).

In order to avoid, or minimise, the risk of the above exposures, the organisation should assess the risks posed through mobile working (including remote access whereby the device connects to the corporate network infrastructure) and in response thereto, develop a mobile security policy which would determine aspects such as the processes for authorising users to work offsite, device acquisition and support, the type of information which is permitted to be stored on devices, as well as minimum procedural security controls. Furthermore, consideration should be given to increased levels of monitoring on all remote connections and the corporate systems accessed (United Kingdom Department for Business Innovation and Skills, 2012).

In many instances, remote access services have been enabled and are Internet-facing. In addition, some organisations allow any device on the network to connect and remotely access any other device. Whilst these practices make for convenience, they do increase the organisation’s risk exposure. These services should be tied down so that only specific Internet Protocol addresses or networks can access them (Internet Security Alliance, 2013).

Organisations should implement a training regime whereby users are trained so that they are capable of operating the mobile device securely by complying with their user-specific security procedures, which should include direction regarding:

o Secure storage and management of their credentials;

o Incident reporting;

o Environmental awareness.

All information and communications systems, including all types of mobile devices utilised by the organisation, should be configured to the secure baseline build. The amount of information stored on mobile devices should be kept to a minimum, and only to the extent required to fulfil the relevant business activity being delivered when working outside of the normal office environment. Furthermore, data at rest should be encrypted (if the devices support this capability).

Data in transit should be protected – if the user is working remotely, the connection back to the corporate network will, in all likelihood, utilise an untrusted public network such as the internet. Thus, the device and the information exchange should be protected by an appropriately configured Virtual Private Network.

Given that mobile working attracts significant risks and that security incidents shall occur despite user compliance with security procedures, the organisation should review their corporate incident management plans. The plans ought to contain sufficient flexibility in order to deal with the vast range of security incidents which could occur, such as the loss or compromise of a device in international locations. Furthermore, technical processes should be implemented in order to permit the remote disablement of a device which has been lost, or as a minimum, deny it access to the corporate network (United Kingdom Department for Business Innovation and Skills, 2012).

The detailed analysis of risk management techniques carried out above all serves to equip the organisation in its quest to address risk and respond appropriately. Armed with an understanding of the cyber exposures (discussed in section 2) which the organisation faces, and the legislative environment in which the organisation operates, the organisation can consider implementing an appropriate risk management strategy which shall ensure its continued profitable operations. The discussion now turns to one crucial aspect of the risk management process, namely that of risk financing.

7. Risk financing

As is clearly illustrated by the statistics above, the cyber exposures facing organisations are a reality for which they need to be prepared. Various methods which can be utilised to address them have been discussed in detail above.

The final part of the risk management process is now being considered, that of risk financing. The two forms of risk financing, namely that of insurance or retention, are discussed hereunder.

Jain and Kalyanam (2012) suggest that there are two ways in which the potential financial exposure caused by cybercrime could be mitigated: transferring the risk to an external insurance company through the purchase of cybercrime insurance; or the internal assumption of risk by setting aside funds to compensate for the potential future loss (i.e. retain the risk within the organisation). The latter option is the riskier of the two given that the company needs to accurately understand and assess the risk, in order to set aside the appropriate level of funds.

Figure 13: Cyber-risk management framework for information security

Note. From “A Framework for Using Insurance for Cyber-Risk Management”, by Gordon, Loeb & Sohail, 2003, Communications of the ACM, 46(3), p. 84.

As depicted in the diagram above, Gordon, Loeb and Sohail (2003) suggest a three-step framework to manage the risk arising from cyber incidents. In the first step, the organisation assesses its current computer systems and determines the level of information technology security; as a result of this process, a company can determine its risk exposure and potential loss in the case of cybercrime. The second step is to reduce risk to an acceptable level by utilising preventative measures and technologies to reduce the risk of a security breach, and by transferring the risk through cybercrime insurance coverage. The last step is to maintain risk at an acceptable level: a combination of preventative measures and insurance allows a company to manage the cybercrime risk and keep it at an acceptable level.

Further to the above, there are two additional options: avoiding the risk, and self-protecting against and mitigating the risk. The first would involve preventing any action which could involve risk, and is clearly not realistic for Internet exposures, as it is nearly impossible to eliminate and prevent each of the multitude of cyber exposures facing organisations. The latter involves investing in methods to reduce the impact of the risk and the severity of damages. However, self-protecting against risk or mitigating risk does not eliminate risk. Thus, despite all the research, time and effort, and investment spent on Internet security, there remains a residual risk: the infrastructure and its users are still very much at risk, with accounted damages already reaching considerable amounts of money and possible damage even more daunting (Bolot & Lelarge, 2008).

The first form of risk financing, that of insurance, is where the risk is transferred to an insurance company in return for a fee, which is the insurance premium. Insurance allows organisations to relieve financial distress by smoothing payouts for uncertain events (the variable costs of the damages associated with security risks) into predictable periodic costs (Bolot & Lelarge, 2008). Contemplating the economic cost of purchasing insurance as opposed to that of retaining risk is not a simple task, given that it is not easy to estimate non-financial losses such as reputation loss. Thus, companies who purchase cybercrime insurance are only able to transfer the calculable financial loss risk to the insurer (Jain & Kalyanam, 2012).

7.1 Insurance

As discussed above, insurance is a form of risk financing, and is considered to be a risk shifting mechanism. A general discussion of insurance follows hereon followed by a more specific discussion on cyber insurance, wherein the development of cyber insurance is considered, as well as alternatives thereto which can be considered. The section shall close off with a look at the South African cyber insurance market.

Most organisations utilise a combination of technology and security procedures to prevent cybercrime incidences. Although information technology security technologies can provide preventative measures against cybercrime, it is impossible to ensure complete protection, particularly given that cyber attackers are continuously seeking new methods to exploit vulnerabilities (Jain & Kalyanam, 2012).

Despite continual vast improvements in risk protection techniques from a variety of computer science fields such as cryptography, hardware engineering, and software engineering, it is impossible to achieve a perfect / near-perfect cyber security protection. The impossibility arises primarily due to the following seven reasons (Hui & Ranjan, 2011):

• Non-existence of sound technical solutions

• Varied intentions behind network attacks

• Misaligned incentives between network users, security product vendors, and regulatory authorities

• Externalities and the free-riding problem

• Customer lock-in and first mover effects of vulnerable security products

• Difficulty to measure risks

• The problem of a lemons market

In view of the above mentioned inevitable barriers to 100% risk mitigation, the need arises for alternative methods of risk management in cyberspace (Hui & Ranjan, 2011).

Cyber-attacks could potentially emanate from a broad spectrum of actors, affecting all types of industry and causing damage to data, critical systems and physical property, and even impacting upon business continuity. It is because of this vast array of exposures that a cyber-exposure could potentially trigger a variety of [non-cyber] insurance solutions. The physical damage to a power plant caused by fire, or the machinery breakdown of a power transformer following a cyber-attack, may trigger machinery breakdown insurance; damage to organisational assets resulting in an erosion of shareholder value could trigger a directors’ & officers’ liability policy; the lack of power to large areas could potentially result in property damage or bodily injury; or the power plant operator could levy a claim against the service provider (be it due to programming error or maintenance failure), resulting in a professional indemnity policy response (CRO Forum, 2014).

Corporate directors and officers have fiduciary obligations to safeguard the organisation’s assets (Latham & Watkins LLP, 2014). Thus, data breaches could potentially also put directors’ and officers’ personal wealth at risk. The recent spate of mega data breaches experienced by the United States have resulted in class action lawsuits being levied against organisations, with victims of the data breach collectively seeking damages. The number and scope of data breach class actions experienced have been unprecedented. Data breach class actions can prove to be extremely costly – TJ Maxx’s 2007 data breach saw the organisation having 25 class action suits filed against it. The settlement cost was in the region of USD195 million (Hartwig & Wilkinson, 2014).

Organisations should thus consider purchasing Directors’ and Officers’ Liability insurance cover, with suitable limits of indemnity, to protect the organisation should they ever find themselves the subject of a class action suit emanating from a data breach. Whilst cyber liability insurance, discussed here below, shall not afford any coverage offered by a Directors’ & Officers’ insurance policy, the mere fact that the organisation has opted to purchase cyber liability insurance as a part of their risk management strategy shall go a long way to showing good risk management and corporate governance.

7.2 Cyber liability insurance

Having discussed the risk financing options above, namely that of risk retention or insurance, the conversation now moves to that of insurance specifically responding to the cyber exposures which have been considered in this body of work.

It is becoming a mainstream assumption that insurance carriers can help organisations with cyber exposure management, both in the traditional risk transfer sense and in the broader sense that they can act as neutral arbiters of cyber security best practices. This is readily demonstrated through the push by the United States of America’s White House to promote greater insurance carrier participation in the National Institute of Standards and Technology efforts to create a cyber-security best practices framework for critical infrastructure providers (Braunberg, 2013).

Industry experts argue that because inter-connection of computers increases the cyber exposure, organisations should invest more in information technology security technologies and buy more insurance to hedge against the increased likelihood of security breach (Ogut, Menon & Raghunathan, 2005).

A trade-off exists between the amount which a firm should invest in protecting against security breaches occurring and the amount it should spend on cyber-risk insurance. For a given level of information value-vulnerability, higher levels of security protection will require lower levels of cyber-risk insurance (and vice versa) (Gordon, Loeb & Sohail, 2003).

The concept of cyber insurance is growing in importance for three reasons. The first is that, ideally, cyber insurance increases network user safety because the insured increases self-defence as a rational response to the increase in insurance premium. The second reason is that, in the information technology industry, the mindset of ‘absolute protection’ is slowly changing with the realisation that absolute security is impossible and too expensive to even approach, while adequate security is good enough to enable normal functions, and the rest of the risk, which cannot be mitigated, can be transferred to a third party. The third reason is that cyber insurance will lead to a market solution that is aligned with the economic incentives of cyber insurers (i.e. the cyber insurers shall earn profit from appropriately priced premiums), network users (individuals / organisations will seek to hedge potential losses), and security software vendors (vendors could proceed with their first-mover and lock-in strategies) (Hui & Ranjan, 2011).

Bolot and Lelarge (2008) qualitatively state that insurance provides significant benefits to a network of users facing correlated, interdependent risks. Essentially, insurance is a powerful mechanism to promote network-wide changes and lead all users of the network to the desirable state where they all invest in self-protection. The benefits of insurance are such that they believe that the development of insurance products and markets, and the large scale deployment of insurance in the Internet are likely, if not inevitable.

7.2.1 Development of cyber liability product

The global insurance industry is currently in its infancy with regards to its development of bespoke cyber insurance products (Crawford & Company, 2014). Lloyd’s of London predicts that “e-commerce will emerge as the single biggest insurance risk of the 21st century” (Barker, Glad & Yost, 2001, p. 2062).

In their working paper for the Workshop on the Economics of Information Society, Böhme and Schwartz (2010) suggest that, whilst the transfer of financial risk associated with network and computer incidents to a third party through the risk migration tool of cyber insurance has captured the imagination and entrepreneurial spirits of professionals and researchers for many years, reality has resulted in the disappointment of cyber insurance proponents.

The beginning of cyber insurance dates back to the 1980s, yet events such as Y2K and 9/11 have further impacted on the ability of this insurance product to thrive, as well as on the coverage available through such a product, postulate Böhme and Schwartz (2010). Coverage offered through such a product was generally niche, in response to unusual demands, Böhme and Schwartz (2010) explain, adding that clients interested in purchasing such cover were usually small-to-medium sized enterprises which required such insurance to comply with tender requirements, or alternatively, community banks which were too small to absorb the potential risks presented by their online operations.

According to Böhme and Schwartz’s (2010) research, the business perspective of information security rose to prominence in the 1990s, which further contributed to the development of cyber insurance as a risk management tool. Böhme and Schwartz (2010) detail that the approach was almost exclusively modelled on the demand of cyber insurance, as a risk migration tool to be utilised to trade-off the allocation of a security budget.

The market for cyber insurance truly started to develop in the late 1990s with insurance policies offered by security software companies partnering with insurance companies as packages (i.e. software plus insurance) as a way to highlight the (supposedly high) quality of the security software being sold, and to deliver a “total” risk management solution (resulting in risk reduction and residual risk transfer) (Bolot & Lelarge, 2008).

Pricing of insurance products traditionally relies on actuarial tables constructed from voluminous historical records. Since the Internet is relatively new, there are no extensive histories of electronic crimes and related losses. Furthermore, the repositories of information security breaches that do exist do not cover many years, and are tainted by the fact that organisations seldom reveal details pertaining to a security breach (Gordon, Loeb & Sohail, 2003). Thus, the slow development of cyber liability insurance is attributed by Böhme and Schwartz (2010) to insurers’ lack of experience with this new kind of risk, which is further exacerbated by the insufficient actuarial data, as detailed above, hindering the competitive pricing of this insurance product.

However, Braunberg (2013) anticipates that more transparency regarding cyber exposure and cyber-attacks is expected to drive greater adoption of cyber insurance, as a means of demonstrating better corporate risk management.

Information technology experts suggest that investment in cyber insurance is significantly low considering the volume of business that occurs over information technology networks. They attribute the low level of cyber insurance coverage to an immature insurance market characterised by few insurers and huge uncertainty in assessing cyber exposure, as well as a lack of awareness about cyber insurance products among firms (Ogut, Menon & Raghunathan, 2005).

Much of the potential risk from conducting business on the Internet is not fundamentally new. For example, an organisation would incur liability risk of copyright infringement or defamation of character whether the information is distributed through the Internet or through television, radio or magazines. Similarly, a firm would suffer a loss of business whether an interruption is caused by a fire, a flood, or by a hacker’s denial-of-service attack (Gordon, Loeb & Sohail, 2003).

There have been several developments which have contributed to the growth of cyber insurance, predominantly the recent increase in the number of cyber incidents, both in size and severity (Schutzer, 2015). The data breach statistics discussed in section 4 above clearly reflect that data breaches are on the rise. Confirming this increase is the fact that the dataset underpinning the 2014 Verizon Data Breach Investigation Report comprised over 63,000 confirmed security incidents and 1,367 confirmed data breaches affecting organisations in 95 countries (the period under review being the first time that breaches topped the 1,000 mark) (Verizon Enterprise Solutions, 2013). PricewaterhouseCoopers’ The Global State of Information Security Survey 2015 discovered that the total number of security incidents detected by respondents had increased to 42.8 million (an increase of 48% from 2013) and, according to the Insurance Information Institute, as at 27 May 2014 there had already been 311 data breach events, with 8.5 million records exposed (Hartwig & Wilkinson, 2014). On the back of such startling statistics, organisations are beginning to realise that, despite risk mitigation and management measures, the risk of a cyber-attack cannot be entirely eliminated (Schutzer, 2015).

7.2.2 Cyber liability insurance alternatives

Böhme and Schwartz (2010) assert that insurers need not be the last in a chain of risk transfers. Although not dealt with explicitly in cyber insurance literature at that point in time, Böhme and Schwartz distinguish three prototype cases for high-order risk transfer, namely that of cyber reinsurance, catastrophic bonds and exploit derivatives.

The idea of reinsurance for dealing with rare catastrophic events seems applicable to cyber insurance (Böhme & Schwartz, 2010; Fu & Khury, 2010). However, reinsurance is more efficient only if reinsurers can pool risks, which assumes the existence of many insurers with independent risk pools. Whilst this is achievable for conventional insurance branches through regional or international diversification, due to the global homogeneity of cyber exposure, oft attributed to the homogeneity of installed systems, cyber reinsurance is virtually non-existent. Böhme and Schwartz (2010) state that, in January 2002, reinsurers actually explicitly excluded cyber exposures from their contracts with insurers, in fear of global catastrophic events.

Reinsurers provide insurance coverage and risk transfer to insurers, providing stability to the insurance industry (Ernst & Young LLP, 2014). Reinsurers supply capital to an insurer in exchange for a portion of their premiums (Schutzer, 2015).

To date, the reinsurance industry has relied on insurers to assess what the risk means and how it can be transferred utilising existing industry mechanisms (as discussed under Cyber Liability Insurance Alternatives above) (Ernst & Young LLP, 2014). To date, reinsurers have been inclined to exclude most cyber security risks. In order for reinsurers to consider offering cyber insurance in respect of selected risks, they would have to be confident in the lead underwriter’s abilities (Schutzer, 2015).

Given that there are approximately 60 insurers underwriting cyber insurance, it is of paramount importance that the reinsurance industry considers potential accumulation as a result of large aggregated cyber-attacks. Thus, reinsurers need to establish internal resources in order to monitor these aggregation issues. Databases reflecting the frequency and severity of attacks, as well as the associated costs of the breach, are being developed in order for reinsurers to build cyber catastrophe models. These models shall assist reinsurers in creating excess of loss rates for reinsurance cover, moving away from historical quota share reinsurance. The models will also see the cyber reinsurance industry maturing in a similar fashion as natural catastrophe reinsurance lines did. Lastly, the inclusion of legal expenses in the models shall allow reinsurers to implement appropriate reserving methodologies (Ernst & Young LLP, 2014).

Cyber captives are an alternative risk transfer mechanism which could be considered in addition to reinsurance. A cyber captive is an insurance company attached to a parent insurer or group, specifically formed in order to handle an organisation’s cyber risk. The advantages presented by the utilisation of cyber captive insurance are that it can be utilised to access the reinsurance market for capacity, and that there is a longer timeline for claim reporting and payment, which permits an accumulation of essential captive claim reserves. Risk managers are considering cyber captives as an alternative to the traditional insurance market, allowing them to tailor the risk for their organisation. It should be cautioned, however, that there is no risk transfer without data and risk models, and access to sound historical data is required in order to model the appropriate entry point and economics of a captive (Ernst & Young LLP, 2014).

Catastrophic bonds are financial instruments which pay a yield as a risk premium in periods without catastrophic events (Cummins, 2008), but lose their value in case such events occur (Böhme & Schwartz, 2010; Coval, Jurek, & Stafford, 2007). Catastrophic bonds were originally developed to facilitate earthquake insurance and related perils; however, Böhme and Schwartz’s (2010) opinion is that catastrophic bonds seem less suitable to transfer cyber exposure, as they may impose adverse incentives on investors, who could improve their financial wealth by causing or commissioning a cyber-attack. Whilst partnerships between government and private industry to create these bonds are particularly effective, these bonds’ lifecycle is usually a decade and thus a special purpose vehicle with a shorter lifespan would be more suitable to cyber (Ernst & Young LLP, 2014). However, there is the potential for the Insurance Linked Security market to provide diversified returns on efficiently managed collateral (CRO Forum, 2014).

Special purpose vehicles referred to as sidecars are a derivative of a captive where funds are invested in a risk via A-rated hedge funds. If the cyber event has not occurred within a certain time frame, investors recoup their investment with interest. This results in cyber risk being part of an uncorrelated portfolio investment. Investment can also be based on the severity level of the attack, in order to ensure that investments are not lost on all events. Although it will take some time for this type of approach to evolve above that of reinsurance and captives, combined with good data and analysis thereof, the ability to utilise capital markets as a cyber-risk transfer mechanism shall grow (Ernst & Young LLP, 2014).

Exploit derivatives avoid such adverse incentives (as presented by catastrophic bonds) by linking the payout of the financial derivative to the discovery of vulnerabilities in systems (at a stage before actual losses occur), note Böhme and Schwartz (2010). Whilst incentive incompatibilities cannot be ruled out entirely, compared to cat bonds, selfish actions of individual players are less likely to cause tremendous social damage (Böhme & Schwartz, 2010). Böhme and Schwartz further argue that exploit derivatives can form a predictive market facilitating information sharing regarding vulnerabilities, thereby mitigating the information asymmetries which are prevalent in cyber security. Whilst exploit derivatives might work for threats which are related to undiscovered vulnerabilities, Böhme and Schwartz (2010) note that this type of threat accounts for only part of the cyber exposure to which society is exposed.

7.2.3 Cyber liability coverage under non-cyber liability insurance products

Organisations traditionally purchase insurance to safeguard against various business, natural and political risks. However, traditional policies do not comprehensively address the additional risk organisations face as a result of being part of the digital economy (Gordon, Loeb & Sohail, 2003). Traditional general insurance products do not cover cybercrime risk for a few reasons: the concept of cybercrime risk is relatively new, and the majority of commercial insurance policies provide coverage for tangible assets (Jain & Kalyaman, 2012).

Before the introduction of new products specifically designed to insure losses and liability flowing from computer crashes and the loss of data, internet companies had already sustained losses and would look to secure reimbursement under the “traditional” or standard form policies which they already purchased. These would include policies designed to cover “direct physical loss or damage” to covered property (first-party cover policies) as well as those designed to insure liability to third parties flowing from such losses (the third party liability policies, or commercial general liability) (Barker, Glad & Yost, 2001).

Many insurance companies have recently added cyber-risk-related exclusions to their traditional policies in order to limit the underwriter’s risk exposure to exposures which the relevant insurance policy was not intended to provide coverage for. Some view the growth in such policy amendments as the insurance industry’s way of forcing businesses to buy their more profitable cyber-related products (Gordon, Loeb & Sohail, 2003).

7.2.3.1 Commercial general liability (CGL) policies

Standard commercial general liability policies were developed and promulgated by insurance trade organisations in the 1940s, and periodically revised during the following decades in the United States. Most commercial general liability insurance written is based on the standardised policy structure developed by the Insurance Services Office, Incorporated (“ISO”), a for-profit rating organisation based in the United States. The commercial general liability policy has been described as an insurance policy designed to offer insureds a buffet of standard business liability coverages, allowing the policyholder to select the types and amounts of coverage that are suitable to its organisation (Barker, Glad & Yost, 2001).

Berkeley, Beeson, Elbert, Lamden and Zgutowicz (2011) explain that in general, a commercial general liability (CGL) policy provides liability coverage for damages because of bodily injury or property damage caused by an occurrence (accident) and personal and advertising injury, defined as injury arising out of certain enumerated offenses, including violation of privacy rights. However, Berkeley et al. (2011) advise that amendments to policy definitions of “property damage” and “personal and advertising injury” result in there being limited coverage for data-related claims. Prior to 2001, CGL policies defined “property damage” as follows (Berkeley et al., 2011):

a) Physical injury to tangible property, including all resulting loss of use to that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or

b) Loss of use of tangible property that is not physically injured. All such loss shall be deemed to occur at the time of the “occurrence” that caused it.

The commercial general liability policy’s core purpose is to protect the policyholder against liability for damages the insured’s negligence may cause to third parties. Among other specifically identified risks, the policy covers the possibility that the products or work of the insured will physically damage the property of another, creating liability for the insured. As a source of those goods or work, an insured may be responsible as a matter of contract law to make good on its defective work or products (Barker, Glad & Yost, 2001).

However, uncertainty prevailed, particularly when, in 2000, a federal court held that computer data lost during a power outage constituted direct physical loss or damage from any cause under an insurance policy. The court acknowledged that it found coverage because the claim arose at a time when computer technology dominates our professional as well as personal lives. To reach this result, the court simply read the word “physical” out of the contract, looking far afield to various federal and state statutes dealing with liability for “computer damage” (Barker, Glad & Yost, 2001). Insurers were now paying for claims arising out of circumstances which they had not foreseen, nor intended to cover. Thus, insurers had to reconsider their policy wordings in order to ensure that there was no doubt about policy coverage intentions. Furthermore, there was concern that the judiciary may be tempted to shift cyber-losses onto insurers who never accepted such risks and never received a premium for them, particularly where policy holders face catastrophic financial losses and/or liability caused by lost or corrupted data (Barker, Glad & Yost, 2001).

According to Berkeley et al. (2011), there was disagreement among courts regarding whether lawsuits involving data loss could involve “property damage” under the pre-2001 CGL policy form. Disputes also involved the applicability of the “impaired property” exclusion (Berkeley et al. 2011).

Barker, Glad and Yost (2001) contend in their [somewhat outdated] journal article that the insurance industry’s failure to keep pace with a technological revolution that gave rise to unexpected “cyber-risks” provided no basis to hoist upon insurers obligations they never assumed, and that courts should decline the inevitable invitation to disregard the language of insurance contracts in an effort to find coverage where none exists (Barker, Glad & Yost, 2001).

The National Bureau of Casualty Underwriters is credited with having inserted the word “tangible” to clarify that the standard liability policy covered only damage to physical property – property that is perceptible to the senses, and thus capable of being touched, felt and seen. The intention of this was to ensure that there would be no argument that the commercial general liability policy was designed to insure intangible, ephemeral or purely economic (Barker, Glad & Yost, 2001) exposures such as those emanating from a cyber-attack.

As a result of the above-mentioned, Berkeley et al. (2011) advise that the CGL policy wording was amended to specifically state that electronic data was not considered to be tangible property. The aforementioned exclusion went further to define electronic data as “…means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment”.

Barker et al. (2001) consider various court considerations of intangible property: in Johnson v. Amica Mut. Ins. Co., bank account funds were found not to be tangible property because they have no physical presence and merely represent, or are evidence of, value; in Peoples Telephone Co., Inc. v. Hartford Fire Ins. Co., the court held that a misappropriated list of mobile telephone numbers was not tangible and thus not covered; and lastly, in Lucker Mfg. v. Home Ins. Co., the Third Circuit held that a design for a particular project – rendered less valuable by the discovery of a defect in one of its planned components – failed to constitute tangible property for purposes of insurance coverage (Barker et al., 2001).

Barker, Glad and Yost (2001) concede that the result in each of the above cases might have been different had the medium on which the movie, telephone numbers and the design had been stored or conveyed was actually damaged. However, even then, had damage to the physical medium occurred, the policyholder’s recovery would have been limited to the value of the damaged medium itself, not the diminished value of the represented intangible. The courts have carefully drawn this distinction, finding a basis for coverage where the recovery is “for the value of a tangible medium storing ideas” and no coverage where the recovery is “for the ideas themselves” (Barker, Glad & Yost, 2001, p. 2070).

The 2001 CGL policy wording (Annexure A) provided coverage for “loss of use” of tangible property resulting from damage to intangible data or software (refer to Definition 17b) and to this extent Berkeley et al. (2011) refer one to the case of Eyeblaster, Inc. v. Federal Insurance Co., 613 F.3d 797 (8th Cir. 2010) as an example wherein coverage for physical injury to computer hardware such as freeze-up (loss of use), caused by spyware, was afforded cover.

The 2004 CGL policy wording (refer Annexure B, exclusion p.) saw the “Electronic Data” exclusion extended, per Berkeley et al. (2011), to specifically note that coverage in respect of “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” would not be afforded thereunder. The endorsement sought to address errors and omissions exposures facing software developers and manufacturers, programmers, data processing services and consultants (i.e. organisations who were perceived to have the greatest liability exposure for damaging a third party’s electronic data) (Woodward, 2004). Effective 01 December 2004, most revisions to the 2001 CGL policy wording were relatively minor in nature (Stanovich, 2004).

Thereafter the standard ISO language “oral or written publication…” was replaced, per Berkeley et al. (2011), with “Oral, written or electronic publication of material that appropriates a person’s likeness, unreasonably places a person in a false light or gives unreasonable publicity to a person’s private life…”.

Berkeley et al. (2011) consider the following cyber liability exclusions in the 2004 CGL policy forms:

• “Exclusion – Violation of Statutes that Govern E-Mails, Fax, Phone Calls or other Methods of Sending Material or Information” (ISO No. CG 00 67 03 05)

• “Recording and Distribution of Material or Information in Violation of Law Exclusion” (ISO Form No. CG 68 05 09)

• “Information Distribution and Recording Violations Exclusion” (AAIS Form No. GL 1022 09 09)

However, according to Berkeley, Beeson, Elbert, Lamden and Zgutowicz (2011), there were post-2004 cyber liability endorsements which broadly eliminated coverage for bodily injury, property damage, or personal and advertising injury arising out of violations of the following United States pieces of legislation: the Telephone Consumer Protection Act (TCPA); the CAN-SPAM Act of 2003; the Fair Credit Reporting Act (FCRA); and any other law that “addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material of information”. Berkeley et al. (2011) report that CGL policies were further amended to detail exclusions for “personal and advertising injury” (refer Annexure B, 2004 Commercial General Liability Policy Form).

The Insurance Services Office, Inc. has filed a number of data breach exclusionary endorsements, effective May 2014, for use with its standard-form, excess and umbrella policies (Latham & Watkins LLP, 2014).

As is evident from the discussion above, the elimination of intangible property coverage, as well as the subsequent electronic data exclusion provided much impetus for the entrance of an insurance product which would provide coverage where the commercial general liability could not. Enter the cyber liability insurance product, which shall be discussed in depth hereunder.

7.2.4 Cyber liability product offerings

7.2.4.1 Coverage

Given the fact that insurers do not have sufficient data and claims statistics, they are loath to offer products which offer broad coverage to fully respond to all first and third party cyber exposures (Crawford & Company, 2014).

Depending on the individual cyber insurance policy purchased, coverage could potentially apply to both internally and externally launched cyber-attacks (Hartwig & Wilkinson, 2014).

Hereunder a general overview of the type of coverage afforded under a cyber-liability insurance policy shall be considered, namely that of first-party insurance and third party (liability) insurance. Policy wordings vary across markets, but most include the covers detailed below. Given the nature of cyber exposures, and the fact that there are no boundaries to these exposures, it is generally found that policy forms across the European Union, United States and South Africa are similar.

7.2.4.1.1 First-party insurance

First-party insurance protects against losses occurring directly to the policyholder; mainly information asset damage, including damage to the data (i.e. data recovery), software and systems of an organisation, is covered (Jain & Kalyaman, 2012). Insurance products available in the London market include system damage to both hardware and software (Bailey, 2014).

First-party coverage also provides cover for loss of profits due to such things as theft of trade secrets and destruction of the insured’s property (including software, hardware, and data) (Gordon, Loeb & Sohail, 2003). The insurance policy would provide coverage for the value of the trade secrets stolen during a cyber-attack (CRO Forum, 2014).

Event Management provides coverage for the first-party costs of forensic investigations, legal consultations, and public relations expenses (Internet Security Alliance, 2013). Business interruption loss due to software or system failure is covered hereunder (Jain & Kalyaman, 2012), providing for loss of income due to the network security failure (Internet Security Alliance, 2013).

Cyber-extortion protection is provided, which covers ransom costs and negotiation expenses (Jain & Kalyaman, 2012) resulting from intentional security attacks against a company by an outsider attempting to extort money, securities or other valuables, including monies paid to end the threat and the cost of an investigation to determine the cause of the threat (Internet Security Alliance, 2013). Thus, the settlement of an extortion threat against the organisation’s network is paid, as well as the costs associated with employing suitable security organisations to track down and negotiate with the blackmailers (Hartwig & Wilkinson, 2014).

Furthermore, notification expenses to customers affected by a data leak are covered (Jain & Kalyaman, 2012), as well as credit monitoring, whereby identity monitoring for parties affected by a data breach is provided (Internet Security Alliance, 2013).

Crisis management expenses are an important element of first party coverage, and include the cost of public relations consultants (Jain & Kalyaman, 2012). Lastly, and perhaps most importantly, regulatory actions, fines and penalties (where insurable by law) are covered hereunder (Internet Security Alliance, 2013).

Regulatory investigations and fines are also covered under cyber liability insurance products, where insurance thereof is permissible by law (Bailey, 2014).

Fines and penalties covered hereunder are those due to breach of privacy regulation (CRO Forum, 2014).

According to Advisen’s 2014 Cyber Liability Insurance Market Trends Survey, first party coverage under which data breach response such as notification, credit monitoring and forensics is afforded, is the primary driver of the cyber liability insurance product (Advisen Limited, 2014).

7.2.4.1.2 Third-party (liability) insurance

Third-party risks are those faced by the insured because of damages caused by him, directly or indirectly, to another firm (or individual) (Gordon, Loeb & Sohail, 2003). Third-party risk includes liabilities for events such as network liability stemming from losses due to the theft and misuse of data; the payout to victims (disclosure injury), as well as the recovery cost, is covered. Network liability (downstream), protecting against denial of service attacks and the forwarding of viruses, is also covered hereunder.

Media liability, including infringement (intellectual property, trademark and copyright), as well as liability costs due to internet publishing, including websites, e-mail, instant messaging, and chat rooms, is another third party liability aspect for which coverage is provided (Jain & Kalyanam, 2012). Libel, slander and defamation are also covered hereunder. This also covers liabilities associated with banner advertisements for other organisations located on the website (Hartwig & Wilkinson, 2014).

Coverage is provided for third-party loss arising from the negligence of the organisation, including conduit injury, being suits arising from system security failures that result in harm to third-party systems (Jain & Kalyanam, 2012), for example a computer virus inadvertently forwarded (Gordon, Loeb & Sohail, 2003).

Another coverage aspect is impaired-access injury, including suits arising from a system security failure which results in an organisation’s customers’ systems being unavailable to their own customers (Jain & Kalyanam, 2012) because a hacker or virus halted the insured’s delivery system (Gordon, Loeb & Sohail, 2003).

Lastly, reputational injury, including suits alleging disparagement of products or services, libel, slander, defamation, and invasion of privacy (Jain & Kalyanam, 2012) or content placed on a company website (Gordon, Loeb & Sohail, 2003), is covered in cyber liability insurance product offerings.

Generally, cyber liability policy wordings provide both first party and third party coverage under the ambit of a single policy form. This results in the policy wording providing comprehensive insurance coverage for most cyber exposures facing the organisation, while reducing the likelihood of gaps in coverage that arise when the two are placed under separate policies.

The challenges which are experienced by cyber liability insurance providers are now considered hereunder, in an attempt to understand the development of this important insurance product.

7.2.5 Challenges experienced by cyber liability insurance providers

Cybercrime liability insurance is a relatively new type of commercial risk and its inherent nature poses a number of challenges. Furthermore, there are several external challenges that can act as a barrier to the widespread availability of this type of coverage (Jain & Kalyanam, 2012). Hereunder we shall consider the inherent nature of cybercrime risk; the lack of standards, metrics and governance for cybercrime insurance; and lastly, the reasons why cyber liability insurance is not being purchased.

7.2.5.1 Inherent nature of cybercrime risk

As an actuarial matter, underwriting risks of liability flowing from damage to intangible interests is difficult at best. Because risks to intangible interests are impossible to predict and properly price, the premiums a rational insurer would have to charge for such coverage would be prohibitively high (Barker, Glad & Yost, 2001).

Risk measurement and assessment requires that the probability of an occurrence, as well as the business impact, is predicted. It is extremely difficult to quantify the impact given that a cyber-attack or security breach could potentially lead to a variety of business consequences (Jain & Kalyanam, 2012).

It is sometimes assumed that estimating damages on the Internet is so difficult and fraught with peril that insurance is not inevitable at all, but rather destined to remain a niche or an oddity. Reliably estimating damages is indeed an important task because it controls the profit of the insurer and the incentives for agents to invest in self-protection. It is also true that quantifying risks for a good or an optimal premium value is difficult: because the assets to be protected are so intangible, because damages might be visible only long after a threat or an attack was identified, because risk changes can occur quickly, and because evaluating the insurability of new and existing customers is likely to be a complex and time intensive task. However, the insurance industry has been dealing with problems such as the quantification of risk for centuries and it is thus difficult to argue convincingly that Internet risks and damages absolutely cannot be insurable (Bolot & Lelarge, 2008).

Insurance companies are still building standard methodologies and financial models to determine an appropriate price for this risk, due to the fact that cybercrime is a relatively new concept. As noted in section 7.1 above (insurance), the lack of historical data is one of the foremost issues which insurers face when determining the premium rate of an insurance policy and deciding whether they shall in fact underwrite the risk (Jain & Kalyanam, 2012).

Cyber security incidents are highly linked given that a new vulnerability can be exploited simultaneously across the globe. Furthermore, cyber exposures are highly interdependent and a single compromised system may increase the vulnerability of other systems in an organisation, resulting in all software, information technology systems and infrastructure being opened up to attack (Jain & Kalyanam, 2012).

Cyber interdependence occurs in two ways. First, computers in different firms are physically linked via the Internet, and communication protocols allow access to machines by other trusted hosts. If a hacker is able to penetrate one firm due to its poor information technology security, he would be able to access other linked firms too. A second, and more subtle, reason for the interdependence of cyber exposure is the logical interdependence of systems. This type of interdependence arises from ubiquitous computer technologies (Ogut, Menon & Raghunathan, 2005).

Ogut, Menon and Raghunathan’s (2005) analysis reveals that the interdependence of cyber exposure may partly explain organisations’ information technology security risk management strategies. Although interdependence increases the magnitude of an individual organisation’s risk, it reduces the effectiveness of information technology security spending, causing organisations to invest less in it. Compared to independent risk, organisations buy less insurance coverage when faced with interdependent risk. Interdependence causes insurers to raise insurance premiums due to the higher total risk borne (Ogut, Menon & Raghunathan, 2005).

The correlation between risks makes it difficult to spread the risk across customers: a sizeable fraction of worm and virus attacks, for example, tend to propagate rapidly throughout the Internet and inflict correlated damages on customers worldwide. Furthermore, entities on the Internet face interdependent risks, i.e. risks that depend on the behaviour of other entities in the network (regardless of whether or not they invested in security solutions to handle their risk), and thus the reward for a user investing in security depends on the general level of security in the network (Bolot & Lelarge, 2008).
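To make the correlation argument concrete, the following is an added illustration written for this page; it is not taken from Bolot & Lelarge (2008) or Ogut, Menon & Raghunathan (2005). It simulates a portfolio of insureds under two hypothetical loss models with the same expected loss per insured: one in which breaches occur independently, and one in which a single Internet-wide event (a fast-spreading worm or a widely exploited vulnerability) raises every insured’s breach probability in the same year. All parameters (200 insureds, a 5% annual chance of such an event, the breach probabilities and the capital threshold of 50 loss units) are constructed assumptions chosen for illustration.

```python
import random
import statistics

# Constructed, hypothetical portfolio parameters for illustration only;
# none of these figures come from the cited literature.
N_INSUREDS = 200          # policies in the portfolio
P_ISOLATED = 0.02         # per-insured breach probability in an ordinary year
P_SHOCK = 0.05            # annual probability of an Internet-wide worm/vulnerability event
P_BREACH_IN_SHOCK = 0.50  # per-insured breach probability during such an event
LOSS_PER_BREACH = 1.0     # loss per breached insured, in arbitrary units
TRIALS = 5_000            # simulated policy years per model


def marginal_breach_probability():
    """Per-insured breach probability implied by the common-shock model,
    used for the independent model so both have the same expected loss."""
    return P_SHOCK * P_BREACH_IN_SHOCK + (1 - P_SHOCK) * P_ISOLATED


def portfolio_loss(rng, p):
    """Aggregate loss for one year, each insured breached with probability p."""
    return sum(LOSS_PER_BREACH for _ in range(N_INSUREDS) if rng.random() < p)


def simulate_independent(rng, trials=TRIALS):
    """Independent risks: the textbook case in which pooling across customers works."""
    p = marginal_breach_probability()
    return [portfolio_loss(rng, p) for _ in range(trials)]


def simulate_common_shock(rng, trials=TRIALS):
    """Correlated risks: in a 'shock' year every insured's breach probability
    rises at once, so losses across the whole portfolio arrive together."""
    losses = []
    for _ in range(trials):
        shock_year = rng.random() < P_SHOCK
        losses.append(portfolio_loss(rng, P_BREACH_IN_SHOCK if shock_year else P_ISOLATED))
    return losses


def summarise(losses, capital):
    """Mean, dispersion and the probability that aggregate losses exceed the
    insurer's capital for the year (the simultaneous-claims scenario)."""
    return {
        "mean": statistics.fmean(losses),
        "stdev": statistics.pstdev(losses),
        "p_exceed_capital": sum(1 for loss in losses if loss > capital) / len(losses),
    }


def compare_models(seed=1, capital=50.0):
    """Run both models from the same seed and return (independent, correlated) summaries."""
    independent = summarise(simulate_independent(random.Random(seed)), capital)
    correlated = summarise(simulate_common_shock(random.Random(seed)), capital)
    return independent, correlated


if __name__ == "__main__":
    ind, corr = compare_models()
    for name, stats in (("independent", ind), ("common shock", corr)):
        print(f"{name:13s} mean={stats['mean']:6.2f} stdev={stats['stdev']:6.2f} "
              f"P(loss > capital)={stats['p_exceed_capital']:.3f}")
```

Both models produce roughly the same average annual loss, so a premium set on expected loss alone would be the same for each. The common-shock portfolio, however, has a far wider spread of outcomes and a material probability of losses exceeding the insurer’s capital in a single year, whereas the independent portfolio essentially never does. That difference is the actuarial content of the correlation argument: it is the reason the text gives for higher premiums, limited reinsurance and insurers’ reluctance to write large limits.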

Thus, insurers may find it difficult to monitor changes to the risk of a particular cyber insurance policy, such as a reduction in information technology investment or a change in service providers, which may result in increased cybercrime exposure (Jain & Kalyanam, 2012). Furthermore, insurers are reliant on the insured to honestly declare which assets are retained on and transmitted over their networks and, in the event of a data breach, to truthfully report which assets have been affected by it (Ernst & Young LLP, 2014).

There is a substantial gap between the nature of new threats and the capability to detect same, monitor and prevent unauthorised exfiltration of information, and the security of information. Few insurers have direct insights into cyber exposures pertaining to intangible digital assets – they should assume that any insured infrastructure shall be compromised at some point in time (Ernst & Young LLP, 2014).

Proponents of cyber insurance believe that in the long run, cyber insurers would have a better estimate of risk values by covering different types of risks, and this in turn would entail the design of insurance contracts that shift appropriate amounts of self-defence liability onto the clients, thereby making cyber space more robust (Hui & Ranjan, 2011).

7.2.5.2 Lack of standards, metrics and governance for cybercrime insurance

The lack of standard legal definitions of cyber liability impacts upon the insurability of cyber exposures. Despite the global reach of the internet, jurisdictional restrictions are introduced due to geographical limitations. These restrictions result in confusion regarding the applicability of laws in respect of cross-border cyber-attacks (Jain & Kalyanam, 2012). As discussed in section 5 (Data Protection Legislation), regulatory differences can result in cross-border spillover. Regulatory spillovers could potentially cause trade disruptions, create wasteful bureaucracy, and inefficiencies for all involved parties (Krup & Movius, 2009).

As noted above, cyber security incidents are interlinked, resulting in the potential for a cyber-hurricane – a major disaster involving simultaneous cyber-attacks worldwide, resulting in several claims. It is this exposure which has resulted in there being limited reinsurance available across the cyber insurance industry (Jain & Kalyanam, 2012).

The complexities of information technology systems and cyber security standards may not be completely understood by insurers, which may result in miscommunication or an incorrect estimation of the exposure. Thus, insurers should strive to establish a standard set of security metrics to quantify the security level of the assessed organisation (Jain & Kalyanam, 2012).

7.2.5.3 Reasons for not purchasing cyber liability insurance

Respondents to the 2011 Advisen survey cited several reasons why organisations do not purchase cyber liability insurance, including that organisations prefer to invest in prevention (such as the risk management products and techniques discussed in section 6) rather than insurance. The fact that there are limited markets for cyber liability insurance was also cited as an inhibiting factor. Survey respondents also cited broker disconnects and a lack of coverage clarity as reasons why they did not purchase cyber insurance. Pricing of premiums and high deductibles, along with limited policy coverage, were considered to be factors which hampered the purchasing process too. Respondents also suggested that the application process was too difficult, that there was a lack of information on which to make informed decisions, and that the exposure was difficult to quantify (Advisen Limited, 2011).

An immature insurance market also affects organisations’ risk management strategies significantly. In a less (more) mature insurance market, self-protection (information technology security investment that affects the probability of breach) is more (less) attractive compared to insurance as a means of managing risk, and firms increase (decrease) information technology security investment and decrease their insurance coverage. Whether an organisation purchases more or less insurance as the insurance market matures depends on the effect of that maturity on the insurance premium vis-à-vis security investments. A more developed insurance market may not increase an organisation’s insurance coverage unless the development of the insurance market reduces the price of insurance. A more mature insurance market may not necessarily result in lower insurance prices, because organisations use insurance rather than investment to manage security risk in a mature insurance market, which increases the insurers’ risk. Consequently, the conventional wisdom that organisations will buy more cyber insurance as the insurance market matures may not hold (Ogut, Menon & Raghunathan, 2005).

Seventy-three percent of broker respondents to Advisen’s 2014 Cyber Liability Insurance Trends Survey suggested that the biggest obstacle to selling cyber insurance was the insured’s lack of understanding of the exposures. Interestingly, brokers conceded that their own lack of insurance product information and knowledge was another major factor. Lastly, 47% of broker respondents cited the lack of corporate budgets for cyber insurance as another limiting factor (Advisen Limited, 2014).

Underwriter respondents to the survey conceded that the underwriting process was also responsible for hindering the sale of cyber insurance, with applicants stating that the information requirements were too onerous (Advisen Limited, 2014).

7.2.6 Cyber insurance market

Respondents to Advisen’s 2014 Cyber Liability Insurance Trends Survey reported that the sales cycle had shortened over the past two years, and that hit ratios had improved over the past ten months from 10% to 20%. Interestingly, the top three drivers of growth in cyber insurance were reported to be news of a cyber-related loss, increased awareness of the product, and lastly, a third party requirement that the coverage be purchased. Industries predominantly reflecting demand for cyber insurance were the retail, healthcare, financial services, professional services and utility sectors (Advisen Limited, 2014).

Furthermore, 2013 renewal rates (measured by average and median annual changes in the year-over-year price per million of limits) remained generally stable in respect of both primary layers, and total programs (Hartwig & Wilkinson, 2014).

Much discussion has taken place regarding the development of the cyber liability insurance product, and the coverage which is offered thereunder. The discussion now turns to assessing the current cyber liability insurance market. We shall contemplate what the size of the cyber insurance market is estimated to be, and which providers are currently underwriting this type of insurance product. Furthermore, we shall also consider what capacity these underwriters are prepared to commit to this type of insurance policy. The discussion would be lacking if we did not consider product offerings, their limitations and the typical limits of indemnity purchased, as well as the deductibles which apply to these policies. Pricing shall also be discussed, leading up to an assessment of the South African cyber liability insurance market.

7.2.6.1 Size of market

According to the Advisen / Zurich survey of 2011, although the vast majority of professionals acknowledge that information security and other cyber exposures are at least a moderate threat to their organisations, only about one third of organisations currently purchase insurance as a part of their cyber exposure management strategy (Advisen Limited, 2011).

Organisations which did not currently purchase cyber liability insurance were asked, through the 2011 Advisen survey, whether they would consider purchasing the coverage within the next year: 24.3% of respondents indicated that they would, 52% stated that they would not, and the balance were uncertain. The fact that nearly half of the respondents who do not currently purchase insurance were considering doing so, or were uncertain, is a strong indication that cyber liability coverage represents a growth opportunity for brokers and insurers (Advisen Limited, 2011).

However, Advisen’s buyer penetration index reflects that, between 2006 and 2013, there was a five-fold increase in the purchase of cyber insurance. The 2014 Advisen Cyber Liability Insurance Trends Survey estimates that the gross written premium of the global cyber liability insurance market is in excess of USD1 billion. The United States cyber insurance market represents the vast majority of this, with approximately thirty five insurers providing cyber insurance as a stand-alone product (as well as other providers who provide cyber coverage via endorsement) (Advisen Limited, 2014).

Crawford and Company (2014) suggest that the market is far larger, with annual gross written premiums emanating from the United States being in the region of USD1.3 billion. Schutzer (2015) places the market size closer to USD2 billion. Bailey (2014) concurs, expecting the US market to have exceeded USD2 billion in 2014.

The European cyber insurance market was estimated to be in the region of EUR60 million to EUR160 million in 2013. London in particular is a strong market for cyber insurance, given that there are several insurers which can participate in single placements (Bailey, 2014). It is estimated that the European market shall reach EUR700 million to EUR900 million by 2018 (Guy Carpenter & Company LLC, 2014).

7.2.6.2 Capacity available

Broker respondents to the 2014 Advisen survey indicated that they would often have to approach different markets in order to secure a placement, and in excess of 50% of the survey’s broker respondents stated that they had to occasionally build a tower in order to put together a placement. This suggests that there is an increasing requirement for excess market capacity (Advisen Limited, 2014).

Carriers are seldom capable of offering limits of indemnity in excess of USD50 million; most insurers underwrite a maximum limit of indemnity of USD10 million (Crawford & Company, 2014). Furthermore, insurers may in certain instances limit their coverage to non-technology organisations, or even go so far as to prohibit certain types of insured (such as tertiary education institutions or payment processors). Underwriters may alternatively avoid imposing stated restrictions but rather target specific industries (Latham & Watkins LLP, 2014).

Given the challenges outlined above, underwriters are generally reluctant to offer large limits of indemnity (relative to traditional insurance). However, Lloyd’s offers limits of USD50 million for its e-Comprehensive policy and provides custom quotations of up to USD200 million. As more experience is gained in this area, it is expected that larger limits shall be offered (Gordon, Loeb & Sohail, 2003).

7.2.6.3 Capacity providers

A plethora of cyber exposure insurance policies exist in the market place. Market players include Chubb, AIG, Hiscox, Legion, Marsh and St. Pauls (Gordon, Loeb & Sohail, 2003).

Advisen’s 2014 Cyber Liability Insurance Trends Survey attracted in excess of 500 responses, 45% of which were insurance carriers, 45% brokers and the balance risk managers and insurance buyers. Of the insurance carrier survey respondents, two-thirds write cyber coverage both as stand-alone cover and via endorsement to an existing policy. In fact, more than 80% endorse existing Errors & Omissions and professional lines policies, whilst 12% attach the cover to Directors’ & Officers’ policies, and the remainder endorse the cyber cover onto General Liability, Property or Business Owner policies (Advisen Limited, 2014).

According to Advisen, there are nearly 60 insurers that underwrite cyber insurance (Ernst & Young LLP, 2014). Schutzer (2015) estimates that the number is closer to 50 major insurance providers. There were fewer new entrants into the market in 2013 than what was evident in prior years (Hartwig & Wilkinson, 2014).

7.2.6.4 Cyber liability product offerings

The policy forms available differ substantially, frustrating both brokers and underwriters with the lack of standardised coverage in the market. Given the aforementioned, the need to educate brokers and clients on the exposures, and on the differences between the various product offerings, is an ongoing requirement. Furthermore, this often results in policy selection being based solely on pricing instead of a comprehensive understanding of the various offerings and the differences between them (Advisen Limited, 2014). This dissertation shall now consider generic exclusions which are found in cyber liability policy wordings, as well as a general commentary regarding the limits of indemnity purchased and the deductibles being applied.

7.2.6.4.1 Exclusions

Generally, property damage resulting from a cyber-attack is not covered: traditional property policies do not respond to it, and standalone cyber insurance policies generally exclude it. However, certain market participants are starting to include property damage and bodily injury exposures, as well as coverage for physical damage (Schutzer, 2015).

According to Schutzer (2015), state-sponsored cyber-attacks are not covered by cyber liability insurance. Given the difficulty of attributing an attack to a nation state rather than to another group, insurers are reconsidering their stance hereon.

A fairly standard insurance policy exclusion is that of the contractual liability exclusion which excludes coverage for any liability which the insured has assumed under a contract or agreement, and which may be limited to situations where, but for the contract, the insured would not have been liable for the loss (Latham & Watkins LLP, 2014).

Fraudulent and criminal acts exclusions are also quite commonplace in insurance policies, with the cyber policy being no different (Latham & Watkins LLP, 2014).

As discussed in section 4.1.4 above (physical theft / loss), theft of data due to the physical theft or loss of an information asset is prevalent. Organisations should thus check whether their policy wording covers losses from theft of data only (in other words, whether it excludes data exposure resulting from negligence, such as an employee losing a laptop containing sensitive data). Organisations need to ensure that they are covered for data loss regardless of how the data was actually lost (Chickowski, 2013).

Typical clauses may preclude coverage for damages involving unencrypted data, or eliminate coverage for losses arising from the insured’s failure to reasonably maintain, upgrade and update its computer system (Wall, 2015).

Some exclusions contained in cyber liability policy wordings include (refer Annexure C: Camargue eRisks policy wording) the following:

• Any claim or circumstance notified to a previous insurer prior to the inception of this policy;
• Any claim arising out of a wilful, deliberate, malicious, fraudulent, dishonest, or criminal act;
• Insolvency or bankruptcy or the insolvency or bankruptcy of any other entity including, but not limited to, the failure, inability, or unwillingness to make payments because of the insolvency, liquidation, or bankruptcy of any individual or entity;
• The confiscation, commandeering, requisition, destruction of or damage to, hardware by order of a government de jure or de facto, or by any public authority for whatever reason;
• Satellite failures; electrical or mechanical failures and/or interruption including, but not limited to, electrical disturbance, spike, brownout, or blackout; and outages to electricity, gas, water, telephone, cable, telecommunications, or other infrastructure, unless such infrastructure is under your operational control and unless such claim forms part of a first party insured event;
• The wear and tear, drop in performance, progressive or gradual deterioration, or aging of electronic equipment and other property or hardware used by you or the failure of you or those acting on your behalf to maintain any computer, computer network or network, computer software, or other equipment;
• Failure or gradual deterioration of overhead transmission, distribution lines or subterranean insulation or cabling;
• Fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, an act of God, or any other physical event however caused, unless such claim is part of a first party insured event;
• The actual or alleged inaccurate, inadequate, or incomplete description of the price of goods, products, or services; including your cost guarantees, cost representations, contract price or cost estimates being exceeded;
• A claim by a government entity brought in its capacity as a customer of you arising in the course of your provision of technology professional services to such government entity;
• Any employer-employee relations, policies, practices, acts, or omissions, any actual or alleged refusal to employ any person, or any misconduct with respect to employees. This includes but is not limited to claims arising under workers compensation or similar laws;
• Any actual or alleged discrimination of any kind including, but not limited to, age, colour, race, gender, creed, national origin, marital status, sexual preferences, disability, or pregnancy;
• The violation of any pension, healthcare, welfare, profit sharing, mutual, or investment plans, funds, or trusts; or any violation of any provision of the Employee Retirement Income Security Act of 1974 and its amendments and/or the Pension Protection Act of 2006 and its amendments, or any regulation, ruling, or order issued pursuant thereto;
• A commercial decision to cease providing a particular product or service;
• Gambling, pornography, prizes, awards, coupons, or the sale or provision of prohibited, restricted, or regulated items including, but not limited to, alcoholic beverages, tobacco, or drugs;
• Any fine or penalty arising out of any agreement by you to comply with or follow the Payment Card Industry Standard or any Payment Card Company Rules; or implement, maintain, or comply with any security measures or standards related to any payment card data including, but not limited to, any fine or penalty imposed by a payment card company on a merchant bank or payment processor that you have paid or agreed to reimburse or indemnify. However, this exclusion shall not apply to civil penalties and fines to the extent insurable by law arising out of an otherwise covered claim;
• Any actual or alleged unfair competition, antitrust violations, deceptive trade practices, or restraint of trade or any actual or alleged breach of any competition or antitrust statute, legislation, or regulation;
• The actual or alleged infringement of any patent or the misappropriation, theft, copying, display or publication of any trade secret by, or with the active cooperation, participation, or assistance of any insured, any of your former employees, subsidiaries, directors, executive officers, partners, principals, trustees, or any of your successors or assignees;
• The use of programs that are not delivered programs (in respect of Business Interruption);
• The knowing use of illegal or unlicensed programs that are in violation of the provisions or laws referring to software protection;
• The existence, emission, or discharge of any electromagnetic field, electromagnetic radiation, or electromagnetism that actually or allegedly affects the health, safety, or condition of any person or the environment or that affects the value, marketability, condition, or use of any property;
• Cover, payment of such claim or provision of such benefit would expose insurers to any sanction, prohibition or restriction under United Nations resolutions or the trade or economic sanctions, laws or regulations of the European Union, United Kingdom or United States of America.

7.2.6.4.2 Limits of indemnity

Organisations purchasing cyber insurance cover tend towards purchasing higher limits of indemnity (Advisen Limited, 2014).

Cyber insurance limits of indemnity purchased in 2013 averaged USD11.5 million across all organisation sizes. Entities involved in communications, media and technology were inclined to purchase higher limits of indemnity, with an average of USD23.9 million in 2013. It was widely reported that Target purchased USD100 million in network security insurance (Hartwig & Wilkinson, 2014). Schutzer (2015) estimates that the maximum quantum of cyber insurance which a single organisation can obtain is approximately USD300 million. However, this shall only be achieved by obtaining capacity from a number of insurers.

The level of limit of indemnity which an underwriter shall be prepared to offer depends on the organisation’s financial position, industry, operations and the cyber exposures which they face. Furthermore, insurers may opt to sub-limit certain sections (such as forensics, notification breach costs, regulatory fines and penalties) (Schutzer, 2015).

7.2.6.4.3 Deductibles

Organisations should determine the portion of financial risk which they want the insurance company to cover, and the residual portion which they are willing to bear (Gordon, Loeb & Sohail, 2003).

Interestingly, Target’s retention on its USD100 million policy is USD10 million (Guy Carpenter & Company LLC, 2014). According to Willis’ 2015 Marketplace Realities report, underwriters are increasing retentions on retailer risks (Willis North America Inc., 2014).

Over and above the standard deductible imposed, most cyber liability insurance policies also include a time element deductible to trigger business interruption coverage. The network would have to be down for more than this specified number of hours in order for the business interruption coverage to apply (Schutzer, 2015).

7.2.6.4.4 Pricing

Due to the specificity of each policy to the insured’s individual situation, as well as the lack of uniformity in the cyber exposures faced, there is a lack of standardised pricing in the cyber insurance market. There are several key underwriting factors which an insurer would take into account when formulating an appropriate policy premium: the cyber risk exposure prevalent in the insured’s industry; the geographic spread of operations (and the varying regulations facing the insured); and the level of limit of indemnity required. A higher retention by the insured, by way of a deductible, generally reduces premium levels. Organisations which have implemented high quality security controls would attract more competitive premiums than those which have not, particularly with regard to the management and security of personally identifiable information. Lastly, the insured’s historical claims experience, and the remedial actions implemented subsequent thereto, shall have a strong bearing when determining premium levels (Latham & Watkins LLP, 2014).

Cyber insurance policy premiums can range from a few thousand dollars for base coverage (for a small organisation with less than USD10 million in revenue) up to several hundred thousand dollars for large organisations purchasing comprehensive coverage. 2013 average renewal increases ranged between 2% and 3% (Hartwig & Wilkinson, 2014). Due to the recent spate of mega-cyber-attacks launched against retailers, underwriters are increasing premiums in this sector. However, rates are competitive, with renewals being relatively flat (Willis North America Inc., 2014).

Insurers may potentially be willing to offer lower premiums in the event that they have the right to select the forensic investigations organisations, legal representation, public relations organisations and other response entities (Schutzer, 2015).

7.2.7 South African cyber liability insurance market

The South African cyber insurance market is growing quickly in response to an increasing demand for cyber cover. Santam and Mutual & Federal, through Camargue, a specialist liability underwriting management agency, are among the local short-term insurers who have introduced cyber insurance in response to SA’s growing demand (Jones, 2015) (refer Camargue policy wording under Annexure C). According to Cygeist (a South African underwriting agency underwriting cyber liability insurance on behalf of Guardrisk Insurance Company Limited), more and more South African specialist cyber insurance organisations are opening up in response to widely publicised global data breaches (Van de Coolwijk, 2014), as has been illustrated in the Data Breaches Statistics section (4) above.

The imminent introduction of the Protection of Personal Information (POPI) Act is driving the trend of South African organisations looking to cyber insurance policies for coverage in the event of a data breach (Czernowalow, 2015).

According to Curtin (2015), there is a general sense of apathy across South African organisations when it comes to purchasing cyber liability insurance. A South African insurance brokerage, Aon South Africa, estimates, based on local take-up of cyber insurance, that in excess of 70% of South African organisations are unprepared for a major cyber-attack. Many organisations are even unaware that cyber insurance products exist (Van de Coolwijk, 2014).

Whilst cyber insurance is relatively new to the South African market, well-established models exist in other markets, such as the United States and European markets (as discussed in section 7.2.6.3 above). South African cyber insurers are thus able to offer a sophisticated cyber insurance product (customised to the South African environment and legislation), having learnt from these markets’ experience (Van de Coolwijk, 2014).

South African cyber insurance policies vary from insurer to insurer, but typically will provide protection in the form of first and third party expenses (refer Cyber Liability Product Offerings, section 7.2.6.4 above), such as restoration costs, loss of business income, notification expenses, crisis management expenses, as well as regulatory fines and penalties (Sutherland, 2015).

South African underwriting agency Stalker Hutchison Admiral has seen an increased appetite for cyber insurance, evident through the number of quote requests. Organisations are purchasing limited cyber coverage on an exploratory basis (Czernowalow, 2015).

As the demand for cyber liability insurance increases, so rates and terms become more favourable, particularly as this market sees new entrants (Jones, 2015).


8. Conclusion

This dissertation has considered the myriad of cyber exposures which organisations face today as a result of the vast and significant developments in information technology. Given the fast pace of technological development, many of these risks are new exposures to organisations, and many organisations are consequently not equipped to deal with them appropriately. Unfortunately for organisations, these exposures do not only have the potential to impact upon the organisation itself, but pose severe consequences in respect of liability to third parties. The data breach statistics contemplated herein illustrate the severity of the impact of these cyber exposures on an organisation.

Through an understanding of these cyber exposures, organisations can fully contemplate an appropriate risk management program wherein cyber exposure risks can be managed. Given that data protection legislation governs these cyber exposures to a large degree, the discussion on data protection legislation was imperative as the latter may impose further obligations and liabilities on the organisation as a consequence of a data breach. Although South Africa’s data protection legislation is not yet effective, it is important to draw parallels between this legislation and that of data protection legislation which is already in place in the European Union and the United States, particularly since the data breach statistics currently available mostly emanate therefrom.

Risk management procedures and policies, guided by corporate governance frameworks, assist organisations in contemplating what security measures should be incorporated into their risk management policies. Once the organisation has determined its level of risk appetite, risk financing, in the form of insurance, is contemplated.

Whilst insurance alternatives are available, and have been discussed in this dissertation, the focus is on the cyber liability insurance product. Given that this insurance product is relatively new to the South African insurance market, its development has been considered in great detail. From this analysis, it is evident that alternative insurance products are not appropriate for cyber exposures, and that there is a dire need for such an insurance product.


The need for this product is evident when one considers the global market analysis conducted. There are already several cyber liability insurance providers around the world, and significant capacity available. An assessment of the cyber liability product on offer by these providers reflects that this specialised product does indeed respond to the cyber exposures considered in this dissertation. Despite the cyber liability product being relatively new to the South African insurance market, there are already several insurers providing this coverage locally. The introduction of the Protection of Personal Information Act shall certainly drive the growth (and development) of this product in the South African market.

Whilst South African organisations are not immune to the cyber phenomenon, a well-constructed risk management program shall see them well placed to manoeuvre the vast world of cyber exposures.

The impact of the Protection of Personal Information Act No. 4 of 2013 on South African organisations shall be of great interest. As has been discussed in this dissertation, the current lack of legislation has resulted in scant information pertaining to local data breaches being available. Thus, once POPIA has been implemented and organisations are required to comply with the legislation, it is anticipated that there shall be a significant number of data breaches reported and publicised. This awareness will not only highlight consumers’ rights to privacy, but it will also highlight the requirement for individuals and organisations to implement stringent risk management processes to protect their personal information. Further research into how the data protection legislation has impacted the South African environment shall be required, particularly with regard to data breach statistics, and the impact on the current nascent cyber liability insurance market.


9. REFERENCES

Addessi, E., Annibali, A. & Barracchini, C. (2009). New Cyber Risk: Premises for a Cyber Coverage. International Review of Business Research Papers, 5 (6), 50-62.

Advisen Limited. (2011). A New Era In Information Security and Cyber Liability Risk Management: A Survey on Enterprise-wide Cyber Risk Management Practices in Europe. London: Author. Retrieved on March 09, 2015 from http://www.advisenltd.com/wp-content/uploads/Cyber_Risk_Management_Survey_Report.pdf

Advisen Limited. (2012). Hacktivism: The Growth and Implications of this 21st Century Method of Protest. Retrieved on March 09, 2015 from

Advisen Limited. (2014). Cyber Liability Insurance Market Trends: Survey. Retrieved on March 21, 2015 from http://www.partnerre.com/assets/uploads/docs/cyber-survey-results.pdf

Aina, K. (2013). Board of Directors and Corporate Governance in Nigeria. International Journal of Business and Finance Management Research, 1(3), 21-34.

Anderson, N. (2012, December 11). Anon on the Run: How Commander X Jumped Bail and Fled to Canada – One Fugitive’s Epic Tale. Ars Technica. Retrieved on November 13, 2014 from http://arstechnica.com/tech-policy/2012/12/anon-on-the-run-how-commander-x-jumped-bai/3/

Anderson, R., Barton, C., Bӧhme, R., Clayton, R., van Eeten, M.J.G., Levi, M., Moore, T. & Savage, S. (2012). Measuring the Cost of Cybercrime. Workshop on the Economics of Information Security, Berlin, Germany. June 2012 proceedings. Retrieved on March 16, 2015 from http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf

Arthur, K. K. & Venter, H. S. (2004). An Investigation into Computer Forensic Tools. Department of Computer Science, University of Pretoria.

Australian High Tech Crime Centre, Australian Institute of Criminology, Australian Government. (2005). Hacking Motives. Canberra: Author. Retrieved on September 02, 2013 from http://www.aic.gov.au/publications/current%20series/htcb/1-20/htcb006.html

Bailey, S. (2014). Cyber: The London Market Experience. Markel. Retrieved on March 21, 2015 from http://www.nortonrosefulbright.com/files/cyber-london-120914.pdf


Barker, W.T., Glad, R.E.B. & Yost, P.M. (2001). In Search of Coverage in Cyberspace: Why the Commercial General Liability Policy Fails to Insure Lost or Corrupted Computer Data. SMU Law Review, 54, 2055-2087.

Berkeley, J. B., Beeson, B., Elbert, A. R., Lamden, S. D. & Zgutowicz, C. C. (2011). What is Cyber Insurance and Is it Worth the Cost? [PowerPoint slides]. Retrieved January 05, 2014 from Neal, Gerber, Eisenberg website: http://www.ngelaw.com/files/Event/27d039f6-fe48-4523-8040-4bd4cfe9dcd2/Presentation/EventAttachment/7012875e-cfaa-4b9c-9c7d-1e31eb2c239b/What%20is%20Cyber%20Insurance%20and%20Is%20It%20Worth%20the%20Cost.pdf

Bodeau, D., Boyle, S., Fabius-Greene, J. & Graubart, R. (2010). Cyber Security Governance. The Mitre Corporation.

Böhme, R. (2005). Cyber-Insurance Revisited. Technische Universität Dresden.

Böhme, R. & Kataria, G. (2006). Models and Measures for Correlation in Cyber-Insurance. Workshop on the Economics of Information Security (WEIS), University of Cambridge, United Kingdom.

Böhme, R. & Schwartz. (2010). Modeling Cyber-Insurance: Towards A Unifying Framework. Workshop on the Economics of Information Security (WEIS), Harvard University, USA.

Bolot, J. & Lelarge M. (2008). Cyber Insurance as an Incentive for Internet Security. In Proceedings of the International Conference on Computer Communications. Beijing, China.

Bolot, J. & Lelarge, M. (2009). Economic Incentives to Increase Security in the Internet: The Case for Insurance. Retrieved September 02, 2013 from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.216.8227&rep=rep1&type=pdf

Boulton, W.R. & Knapp, K. J. (2006). Cyber-Warfare Threatens Corporations: Expansion into Commercial Environments. Information Systems Management Journal, 76 – 86.

Braunberg, A. (2013). Multiple Drivers for Cyber Security Insurance: Expectations Placed on Insurance Carriers Rise with Market Growth. NSS Labs. Retrieved January 15, 2014 from https://www.nsslabs.com/reports/multiple-drivers-cyber-security-insurance

Business Standards Institution Group. (2014). Proposed EU Data Protection Regulation: A BSI factsheet for business. Retrieved on March 16, 2015 from http://www.google.co.za/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CEwQFjAI&url=http%3A%2F%2Fwww.bsigroup.com%2FLocalFiles%2Fen-GB%2Fiso-iec-27001%2Fresources%2FBSI-Proposed-EU-Data-Protection-Regulation-UK-EN.pdf&ei=gWAGVfKiN5GX7Qbur4HgBA&usg=AFQjCNGEUY-dEQkM84bQy1J0PKKaBI0aQQ&bvm=bv.88198703,d.d24

Cate, F. H., Cullen, P., Mayer-Schönberger, V. (2014). Data Protection Principles for the 21st Century: Revising the 1980 OECD Guidelines. Oxford Internet Institute.

Center for Strategic and International Studies. (2014). Net Losses: Estimating the Global Cost of Cybercrime. Retrieved on February 22, 2015 from http://csis.org/event/2014-mcafee-report-global-cost-cybercrime

Chickowski, E. (2013, October 23). 10 Things IT Probably Doesn’t Know About Cyber Insurance. Retrieved on March 30, 2015 from http://www.darkreading.com/operations/10-things-it-probably-doesnt-know-about-cyber-insurance/d/d-id/1316862

Chittester, C.G., Haimes, Y.Y. (2004). Risks of Terrorism to Information Technology and to Critical Interdependent Infrastructures. Journal of Homeland Security and Emergency Management, 1(4), 1 – 20.

Cilli, C. (2005). Identity Theft: A New Frontier for Hackers and Cybercrime. Information Systems Control Journal, 6, 39.

Clark, G. (2003). Assigning Liability for Faulty Software. (Master’s thesis). Bowie State University, Maryland, United States of America.

Clemente, D., Cornish, P., Livingstone, D. & Yorke, C. (2010). On Cyber Warfare. Chatham House, The Royal Institute of International Affairs, London, United Kingdom.

Club de la Sécurité de l’Information Français. (2008). Risk Management: Concepts and Methods. Retrieved on March 15, 2015 from http://www.clusif.asso.fr/fr/production/ouvrages/pdf/CLUSIF-risk-management.pdf

Corbett, N. (2009, November 16). Verona Man Admits Role on Church of Scientology’s websites. NJ.com. True Jersey. Retrieved on November 13, 2014 from http://www.nj.com/news/index.ssf/2009/11/verona_man_admits_hacking_chur.html

Council of Europe. European Treaty Services. (2001). Convention on Cybercrime. Budapest.

Coval, J. D, Jurek, J. W. & Stafford, E. (2007). Economic Catastrophe Bonds. Retrieved on March 30, 2015 from http://www.hbs.edu/faculty/Publication%20Files/07-102.pdf


Crawford & Company. (2014). The Future of Cyber Insurance. Retrieved on March 21, 2015 from https://us.crawfordandcompany.com/media/1614470/2014-06-13-cyberinsurance.pdf

CRO Forum. (2014). Cyber Resilience: The Cyber Risk Challenge and the Role of Insurance. Retrieved on March 21, 2015 from http://www.scor.com/images/stories/pdf/library/corporate/CRO_Forum_CyberRisk_Paper.pdf

Cummins, J. D. (2008). CAT Bonds and Other Risk-Linked Securities: State of the Market and Recent Developments. Risk Management and Insurance Review, 11 (1), 23-47.

Curtin, K. (2015, February 18). Cyber Risks Severely Underrated by EMEA businesses. FA News. Retrieved on March 22, 2015 from http://www.fanews.co.za/article/short-term-insurance/15/general/1217/cyber-risks-severely-underrated-by-emea-businesses/17448

Cyber Risk and Insurance Forum (CRIF). (n.d.) Cyber Security Glossary. Retrieved February 22, 2015, from www.cyberriskinsuranceforum.com/content/cyber-security-glossary

Czernowalow, M. (2015, January 23). Imminent Privacy Law Drives Cyber Insurance. ITWeb. Retrieved on March 22, 2015 from http://www.itweb.co.za/index.php?option=com_content&view=article&id=140629

De Hert, P. & Galetta, A. (2014). A European Perspective on Data Protection and Access Rights. Retrieved on March 16, 2015 from http://www.google.co.za/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CC0QFjAD&url=http%3A%2F%2Firissproject.eu%2Fwp-content%2Fuploads%2F2014%2F06%2FEuropean-level-legal-analysis-Final1.pdf&ei=cWYGVZTFEoX-7AaG0oGgBw&usg=AFQjCNGZpyWg2cVsAj_3fBzHSleuFrPloQ&bvm=bv.88198703,d.d24

Denning, D. E. (2001). Activism, Hacktivism, and Cyber terrorism: The Internet as a Tool for Influencing Foreign Policy. Networks and netwars: The future of terror, crime, and militancy, 239 – 288.

Detica Group Plc. (2011). The Cost of Cyber Crime. Retrieved on March 30, 2015 from https://www.gov.uk/government/publications/the-cost-of-cyber-crime-joint-government-and-industry-report


Dimov, D. (January 10, 2013). Differences between the Privacy Laws in the EU and the US. Management, Compliance & Auditing. Retrieved on March 29, 2015 from http://resources.infosecinstitute.com/differences-privacy-laws-in-eu-and-us/

Du Plessis. (2008). A Comparative Analysis of Directors’ Duty of Care, Skill and Diligence in South Africa and in Australia. Retrieved on March 30, 2015 from http://www.clta.edu.au/professional/papers/conference2009/du_PlessisCLTA09.pdf

Dunlevy, C., Shimeall, T. & Williams, P. (2001). Countering cyber warfare. NATO Review, 49 (4), 16 – 18. Retrieved January 09, 2014 from http://www.nato.int/docu/review/2001/0104-04.htm

Ernst & Young LLP. (2012). The Sarbanes-Oxley Act at 10: Enhancing the reliability of financial reporting and audit quality. Retrieved on March 16, 2015 from http://www.ey.com/Publication/vwLUAssets/The_Sarbanes-Oxley_Act_at_10_-_Enhancing_the_reliability_of_financial_reporting_and_audit_quality/$FILE/JJ0003.pdf

Ernst & Young LLP. (2014). Cyber Insurance, Security and Data Integrity – Part 1: Insights into Cyber Security and Risk - 2014. Retrieved on March 21, 2015 from http://www.ey.com/Publication/vwLUAssets/EY_-_Insights_into_cyber_security_and_risk/$FILE/ey-cyber-insurance-thought-leadership.pdf

Ernst & Young LLP. (2014). Mitigating Cyber Risk for Insurers – Part 2: Insights into Cyber Security and Risk - 2014. Retrieved on March 21, 2015 from http://www.ey.com/Publication/vwLUAssets/EY_-_Insights_into_cybersecurity_and_risk_(Part_2)/$FILE/ey-mitigating-cyber-risk-for-insurers.pdf

European Commission. (2014). Factsheet EU-US Negotiations on Data Protection. Retrieved on March 29, 2015 from http://ec.europa.eu/justice/data-protection/files/factsheets/umbrella_factsheet_en.pdf

Fu, L. & Khury, C. K. (2010). Optimal Layers for Catastrophe Reinsurance. Casualty Actuarial Society, 4(2) 191-208.

Ganatra, A., Kosta, Y., Patel, M. & Patel, N. (2008). E-commerce and Attached E-Risk with Cyber-crime. Changa: Computer / Information Technology Department, Charotar University of Science and Technology.


Golubchik, L. & Pal, R. (2010). On Economic Perspectives of Internet Security: The Problem of Designing Optimal Cyber-Insurance Contracts.

Gordon, L.A., Loeb, M. P. & Sohail, T. (2003). A framework for using insurance for cyber-risk management. Communications of the ACM, 46(3), 81-85. Retrieved January 25, 2014 from http://www.nyu.edu/intercep/lapietra/ACM_InsuranceforCyberSecurityManagement.pdf

Grabosky, P. & Smith, R. (1998). Crime in the Digital Age. Sydney: Federation Press & The Australian Institute of Criminology.

Grabosky, P. (2000). The Mushrooming of Cyber-crime. Australian High Tech Crime Centre, Australian Institute of Criminology, Australian Government.

Guy Carpenter & Company LLC. (2014). Ahead of the Curve: Understanding Emerging Risks. Retrieved on March 22, 2015 from http://www.guycarp.com/content/dam/guycarp/en/documents/dynamic-content/AheadoftheCurve-UnderstandingEmergingRisks.pdf

Hartwig, P. R & Wilkinson, C. (2014). Cyber Risks: The Growing Threat. Insurance Information Institute. Retrieved on March 21, 2015 from http://www.iii.org/sites/default/files/docs/pdf/paper_cyberrisk_2014.pdf

Himes, B. & Joseph, P. A. (2006). Information Warfare. Information Systems Education Journal, 4 (49), 2-8.

Holm, E. (2012). Responding to Identity Crime on the Internet. The Business School, University of Ballarat.

Huggins, D. (2003). Windows Server 2003 Network Infrastructure. Que Publishing.

Hui, P. & Ranjan, P. (2011). Cyber-Insurance for Cyber-Security: A Topological Take on Modulating Insurance Premiums.

Hunton & Williams. (2013, September 16). OECD Issues Updated Privacy Guidelines. Retrieved on March 29, 2015 from https://www.huntonprivacyblog.com/2013/09/16/oecd-issues-updated-privacy-guidelines/

Hustinx, P. J. (2014). EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation. Retrieved March 29, 2015 from https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2014/14-09-15_Article_EUI_EN.pdf

Institute of Directors in Southern Africa. (2002). The King Code on Corporate Governance for South Africa.

Institute of Directors in Southern Africa. (2009). The King Code on Corporate Governance for South Africa.

Institute of Directors. (2012). Business Risk: A Practical Guide for Board Members. London: Director Publications Limited

Institute of Risk Management. (2002). A Risk Management Standard. Retrieved March 10, 2015 from https://www.theirm.org/media/886059/ARMS_2002_IRM.pdf

Internet Security Alliance. (2013). Sophisticated Management of Cyber Risk. United States of America: Author.

Jackson, J. (2013). The Organization for Economic Cooperation and Development. Retrieved on March 29, 2015 from http://fas.org/sgp/crs/misc/RS21128.pdf

Jain, A. & Kalyanam, S. (2012). Using insurance to mitigate cybercrime risk: challenges and recommendations for insurers. Retrieved on January 25, 2014 from http://www.nl.capgemini.com/resource-file-access/resource/pdf/Using_Insurance_to_Mitigate_Cybercrime_Risk.pdf

Jerry, R.H. & Mekel, M. L. (2001). Cybercoverage for Cyber-Risks: An Overview of Insurers’ Responses to the Perils of E-Commerce. Connecticut Insurance Law Journal, 8 (1), 7 – 36.

Jones, G. (2015, February 20). Online Security Threats Drive Increase for Cyber Insurance. BusinessDay. Retrieved on March 22, 2015 from http://www.bdlive.co.za/business/financial/2015/02/20/online-security-threats-drive-increase-for-cyber-insurance

Kelleher, D. (2014). How Does Spam Affect Your Business? Retrieved February 22, 2015 from http://www.gfi.com/blog/survey-spam-email-disrupts-two-thirds-of-business-each-year-infographic/

Kim, H.J. (2012). Online Social Media Networking and Assessing Its Security Risks. International Journal of Security and Its Applications, 6 (3), 11 – 18.

Kim, S. & Wang, Q. (2009). Cyber-Attacks: Cross-Country Interdependence and Enforcement. Department of Information Systems, National University of Singapore.


Krepinevich, A. (2012). Cyber Warfare: A “Nuclear Option”? Center for Strategic and Budgetary Assessments.

Krup, N. & Movius, L. B. (2009). U.S. and EU Privacy Policy: Comparison of Regulatory Approaches. International Journal of Communication, 3(2009), 169–187. 1932-8036/20090169

Kumar, R. & Singh, G.P. (2011). Violates computer security for little reason beyond maliciousness or for personal gain. International Journal of Research in Science and Technology, 1(3). doi:

Kushner, D. (2014, September 08). The Masked Avengers. How Anonymous incited online vigilantism from Tunisia to Ferguson. www.newyorker.com. Retrieved on February 22, 2015 from www.newyorker.com/magazine/2014/09/08/masked-avengers

Latham & Watkins LLP. (2014). Cyber Insurance: A Last Line of Defense When Technology Fails. Client Alert White Paper. (No. 1675).

Lewis, J. A. (2002). Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats. Center for Strategic and International Studies, Washington, United States of America.

Lewis, N. (2013, January 17). Adobe attack analysis: Addressing Adobe security certificate issues. SearchSecurity.com. Retrieved on September 06, 2013 from http://searchsecurity.techtarget.com/tip/Adobe-attack-analysis-Addressing-Adobe-security-certificate-issues

Manzano, Y. & Yasinac, A. (2002). Honeytraps, A Network Forensic Tool. Department of Computer Science, Florida State University.

Mary, S.S.C. (2010). Evaluation of Vulnerability Assessment in System from Hackers in Cyber Security. International Journal of Engineering Science and Technology, 2(7), 3213-3217.

Mekel, M.L. & Jerry, R.H. (2001). Cyber Coverage for Cyber-risks: An overview of Insurers’ Responses to the Perils of e-Commerce. University of Florida Levin College of Law, UF Law Scholarship Repository, 1(1).

Menon, N., Ogut, H. & Raghunathan, S. (2004). Information Security Risk Management through Self-Protection and Insurance. School of Management, The University of Texas at Dallas.

Miller, B. (2014, November 10). Britain Jails Four LulzSec Hackers. ABC Radio Australia. Retrieved on November 13, 2014 from http://www.radioaustralia.net.au/international/2013-05-17/britain-jails-four--hackers/1387919

National Initiative for Cybersecurity Careers and Studies. (n.d.). Explore Terms: A Glossary of Common Cybersecurity Terminology. Retrieved March 29, 2015 from http://niccs.us-cert.gov/glossary

Neal, D. (2011, June 27). Lulzsec calls it a day. TheInquirer.net. Retrieved on February 22, 2015 from www.theinquirer.net/inquirer/news/2081749/lulzsec-calls-day

NetDiligence. (2014). Cyber Claims Study 2014. Retrieved on March 21, 2015 from http://www.netdiligence.com/NetDiligence_2014CyberClaimsStudy.pdf

Nissenbaum, H. (2003). Hackers and the contested ontology of cyberspace. New Media & Society, 6 (2), 195-217.

Ogut, H., Menon, N. & Raghunathan, S. (2005). Cyber Insurance and IT security investment: impact of interdependent risk. In proceedings of Workshop on the Economics of Information Security (WEIS), Cambridge, USA.

Organisation for Economic Co-operation and Development. (2013). OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. France: Author. Retrieved on July 19, 2014 from http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf

Pal, R., Golubchik, L. & Psounis, K. (2011). A Novel Cyber-Insurance Model for Internet Security. In proceedings of Institute of Electrical and Electronics Engineers /ACM GameSec, Maryland, USA.

Pal, R. & Golubchik, L. (2011). Pricing and Investment in Internet Security: A Cyber Insurance Perspective. Retrieved on March 30, 2015 from http://arxiv.org/pdf/1103.1552v1.pdf

Pal, R. (2012). Cyber-Insurance for cyber-security: A solution to the information asymmetry problem. University of Southern California.

Peter, J. (2003). The Electronic Communications and Transactions Act. Advocate, 16(1), 30 – 32.

Pillay, L. (2014). South Africa: Data Protection Legislation. Hogan Lovells Global Media and Communications Quarterly. Retrieved on March 29, 2015 from http://www.hoganlovells.com/files/Uploads/Documents/7%20South%20Africa%20-%20data%20protection%20legislation.pdf


Ponemon Institute. (2012). 2013 State of the Endpoint. Retrieved on September 07, 2013 from http://www.ponemon.org/local/upload/file/2013%20State%20of%20Endpoint%20Security%20WP_FINAL4.pdf

Ponemon Institute. (2013). 2013 Cost of Data Breach Study: Global Analysis. Retrieved September 08, 2013 from https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf

Ponemon Institute. (2014). 2014 Cost of Data Breach Study: Global Analysis. Retrieved February 22, 2015 from http://securityaffairs.co/wordpress/24717/security/ponemon-data-breach-study.html

PricewaterhouseCoopers LLP. (2014). Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015. Retrieved on February 22, 2015 from http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf

PricewaterhouseCoopers LLP. (2011). E-espionage: What Risks Does Your Organisation Face From Cyber-Attacks? United Kingdom.

Republic of South Africa. (1996). Constitution of the Republic of South Africa of 1996.

Republic of South Africa. (2002). Electronic Communications and Transactions Act No. 25 of 2002.

Republic of South Africa. (2013). Protection of Personal Information Act No. 4 of 2013.

Roach, R.M. & McKay, D.L. (2001). Technology Risks and Liabilities: Are You Covered? SMU Law Review, 54, 2009 – 2054.

Romano, S. (2015, March 20). The EU Data Protection Regulation: a Window of Opportunity to Boost the European Internet Industry. The eCommerce Blog. Retrieved on March 29, 2015 from http://ecommerce.blogactiv.eu/2015/03/20/the-eu-data-protection-regulation-a-window-of-opportunity-to-boost-the-european-internet-industry/

Roush, W. (1995). Hackers: Taking a Byte out of Computer Crime. Technology Review, 98 (3), 32-40.

Rusu, A.C. & Stroie, E.R. (2011). Security Risk Management – Approaches and Methodology. Informatica Economică, 15 (1), 228 – 240.


Schwartz, G., Shetty, N. & Walrand, J. (2010). Cyber-Insurance: missing market driven by user heterogeneity. In proceedings of Workshop on the Economics of Information Security (WEIS), Harvard University, USA.

Schutzer, D. (2015). An Assessment of Cyber Insurance. Financial Services Roundtable. Retrieved on March 21, 2015 from http://www.bits.org/publications/CTO/CTOCornerFeb2015.pdf

Sembrat, E. (2011). Hacktivism: How to Respond and Build Around Hacker Communities.

Shim, W. (2010). Interdependent Risk and Cyber Security: An Analysis of Security Investment and Cyber Insurance. (Doctorate thesis). Michigan State University, Michigan, United States of America.

Singh, K. (2011). Increment of Cyber-crimes against our Securities. International Journal of Computational Engineering and Management, 12, 116-121

Stanovich, C. F. (2004). The New ISO Commercial General Liability Policy: A Summary of December 2004 Policy Changes. Retrieved on March 29, 2015 from http://www.irmi.com/expert/articles/2004/stanovich10.aspx.

Stratford, J. & Stratford, J. S. (1998). Data Protection and Privacy in the United States and Europe. International Association for Social Science Information Services and Technology, 1998(4), 17-20.

Sutherland, C. (2015, January 27). Should You Insure Yourself Against Cyber-Attacks? Memeburn. Retrieved on March 22, 2015 from http://memeburn.com/2015/01/should-you-insure-yourself-against-cyber-attacks/

Sutherland, C. (2015, March 20). Cybercrime Threat in South Africa Highlighted at the Insurance Law Conference. MarketingSite.com. Retrieved on March 22, 2015 from http://www.themarketingsite.com/news/39909/cybercrime-threat-in-sa-highlighted-at-the-insurance-law-conference

TechTerms.com. (n.d). The TechTerms Computer Dictionary. Retrieved on March 29, 2015 from http://techterms.com

Thomas, J.L.C. (2001). Ethics of Hacktivism. SANS Institute. Retrieved on September 08, 2013 from http://freedownloadb.com/pdf/c-sans-institute-2000-2002-author-retains-full-rights-29232775.html


Triger, L. (2014, December 30). Changes in European Data Protection Regulation: A Look at the GDPR. Techradar.pro. Retrieved on March 29, 2015 from http://www.techradar.com/news/internet/policies-protocols/changes-in-european-data-protection-regulation-a-look-at-the-gdpr-1278235

Trustwave Holdings Incorporated. (2013). 2014 Trustwave Global Security Report. Author. Retrieved on July 31, 2014 from https://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf

Turgeman-Goldschmidt, O. (2008). Meanings that hackers assign to their being a hacker. International Journal of Cyber Criminology, 2 (2), 382-396.

United Kingdom Department for Business Innovation and Skills. (2012). 10 Steps to Cyber Security: Executive Companion. United Kingdom.

United Kingdom Department for Business Innovation and Skills. (2012). Cyber Risk Management: a board level responsibility. United Kingdom.

United Kingdom Department for Business Innovation and Skills. (2013). UK Cyber Security Standards: Research Report. United Kingdom.

United States of America. (2002). Sarbanes-Oxley Act of 2002.

United States of America Department of Defense. (2001). Systems Engineering Fundamentals. Virginia, United States of America.

United States of America Department of Homeland Security. (2013). Cybersecurity Insurance Workshop Readout Report. United States of America.

United States of America Department of Commerce. (2013). Exploring the Digital Nation: America’s Emerging Online Experience. United States of America.

United States Mission to the Organization for Economic Cooperation and Development. (n.d.). What is the OECD? Retrieved on March 29, 2015 from http://usoecd.usmission.gov/mission/overview.html

Valsamakis, A.C., Vivian, R.W. & du Toit, G.S. (2010). Risk Management (4th ed.). Heinemann Publishers.

Van de Coolwijk, N. (2014, April 16). Ramping Up Cyber Security. ITWeb. Retrieved on March 22, 2015 from http://www.iweek.co.za/special-report/ramping-up-cyber-security


Van de Coolwijk, N. (2014, May 19). CyGeist Answers Some Frequently Asked Questions About Cyber Insurance. Insurance Gateway eZine. Retrieved on March 22, 2015 from http://insurancegateway.co.za/ShorttermConsumers/PressRoom/ViewPress/Irn=8279&URL=CyGeist+answers+some+frequently+asked+questions+about+cyber+insurance#.VQ78iLAcSM9

Venter, D.P. (2003). Infosure: An Information Security Management System. (Unpublished Master’s thesis). Rand Afrikaans University, South Africa.

Verizon Enterprise Solutions. (2013). The 2014 Data Breach Investigations Report. Author. Retrieved on July 20, 2014 from http://www.verizonenterprise.com/DBIR/2014/

Wall, T. (2015, March 02). How Not to Void Your Cyberinsurance Policy. Risk Management Magazine. Retrieved on March 30, 2015 from http://www.rmmagazine.com/2015/03/02/how-not-to-void-your-cyberinsurance-policy/

Webber, M. (2015, March 12). US and European Moves to Foster Pro-active Cyber Security threat Collaboration. FieldFisher. Retrieved March 29, 2015 from http://privacylawblog.fieldfisher.com/

WhatIs.com. (n.d.). Find a Tech Definition. Retrieved March 29, 2015 from http://whatis.techtarget.com

Williams, M. (2005). Cybercrime. Encyclopaedia of Criminology. Cardiff University. Routledge, London.

Willis North America Inc. (2014). Marketplace Realities 2015: Edge of a Cliff? Retrieved on March 22, 2015 from http://www.willis.com/documents/publications/Marketplace_Realities/20141017_Marketplace_Realities_2015.pdf

Woodward, J. (2004). The 2004 ISO CGL Policy. Retrieved on March 29, 2015 from http://www.irmi.com/expert/articles/2004/woodward04.aspx

Wray, S. (1998). Electronic Civil Disobedience and the World Wide Web of Hacktivism: A Mapping of Extraparliamentarian Direct Action Net Politics.
