Cyber security and data protection in the Middle East
November 2013 | TALKINGPOINT | RISK MANAGEMENT
FW moderates a discussion on cyber security and data protection in the Middle East between James Bowden, a senior associate at Afridi & Angell, Alexander Blom, Financial Lines manager at AIG, and James Daniell, head of Financial Investigations Middle East at Kroll.
FW: What lessons should we draw from recent cyber breaches affecting companies based in the Middle East?
Bowden: One of the largest obstacles to effective IT security is awareness and accepting that the threat is real. The recent security breaches, including the high profile Saudi Aramco malware attack, should help emphasise that the risk of security breaches or so-called 'cyber attacks' is real, and the harm they can cause is substantial. IT security companies have been quoted in regional news sources saying they do not believe companies in the region will allocate the time and resources needed to effectively protect themselves until one or two major catastrophes occur as a result of IT security breaches. Solutions exist, but they require investment and management buy-in.
Blom: Recent cyber breaches in the region have demonstrated an apparent shift in the very nature of cyber crime. It is clear that cyber criminals are becoming more sophisticated, coordinated and organised in their actions than ever before. Cyber crime has become a large, globe-spanning industry involving a blend of highly-skilled, sophisticated hackers and organised criminal cells who can deploy targeted strikes from multiple locations at once. Recent reports of attacks on banks in the region demonstrate the potentially devastating results of such coordinated targeted attacks. Even mere employee negligence can lead to breach of data incidents, which can lead to irreparable reputational damage. The existence and growth of threats means that cyber security and risk management has now become a major operating issue for companies in the region. It is important that businesses move away from the notion that cyber security should fit snugly into the realm of the IT department. The threat of cyber crime is not just an IT risk, it is an enterprise risk and risk-managers as well as the entire C-level should be prepared to take an active role in its management.
Daniell: In December 2012 and February this year, RAK Bank in the UAE and BMI in Oman were hit by an international gang of criminals. The gang hacked into card processing firms, and increased the available balance and withdrawal limits on prepaid debit cards. They then coded fake cards and distributed these to gang members around the world who withdrew US$45m from cash machines in 27 countries. Such attacks are common across the region. The banking and financial services sector is firmly in the sights of cyber criminals, who use cyber attacks as a more profitable and less risky way of stealing money. In our experience of advising on similar matters, Middle Eastern banks are generally behind in their implementation of effective IT and data security measures. Bank and third party provider networks remain vulnerable to internal and external cyber attacks and data breaches. Although financial institutions have worked hard to improve policies and procedures to meet international standards, implementation of security measures and monitoring are weak. Financial institutions need to address these issues to minimise their exposure to future attacks.
FW: In your opinion, how serious is the threat of cyber attacks to companies operating in the region?
Blom: The threat of cyber attacks is very real for all companies in the region. The seriousness of this threat depends upon how much a particular company stands to lose as a result of an attack as well as the goal or aim of the attack itself; where an attack causes reputational harm, the damage to the company is irreparable. The geopolitical landscape of the region, for example, makes it a major target for ‘hacktivism’, where hackers penetrate networks as a means to furthering a political or ideological cause. These attacks usually take the form of Denial of Service (DoS) attacks where the aim is to temporarily or indefinitely suspend services of a host connected to the internet. There may be no financial gain element to these attacks; sometimes they are merely used as a means of registering dissent, therefore making high-profile, publicly visible companies the target for such attacks regardless of the potential value of data being held by these companies. Other attacks are motivated by the desire of hackers to steal valuable data such as customer details, health records, and financial information. This data can be used in other crime such as identity theft and has a potentially high resale value for cyber criminals. Cyber criminals usually target companies or entities that hold high volumes of customer or employee data such as health organisations and universities. SMEs are also key targets for these attacks, as cyber criminals often take advantage of the lack of resources SMEs have to properly protect their infrastructure. Financial institutions like banks and money exchanges, in particular, are faced with serious threats from cyber attacks driven by a desire to steal money or funds. No company in the region is immune to the potential threat of a cyber attack and it is important that this threat is taken seriously and the risk managed accordingly.
Daniell: Threats originate from diverse and unpredictable sources including foreign governments, criminal syndicates, activists, terrorists, and lone individuals. These are well resourced and persistent adversaries driven by a variety of motivations and objectives. Cyber attacks are now a recognised and integral part of modern conflict. In March, the US Director of National Intelligence released a report listing cyber threats as the top threat risk facing US national security. US allies and enemies in the region face the same threat. The attacks suffered by the National Iranian Oil Company and Saudi Aramco in 2012 illustrate how serious the threat can be, with the latter infecting two thirds of the company’s computer network. Public and private companies involved in critical infrastructure including energy, telecommunications, transport and financial services are particularly vulnerable.
Bowden: The threat is very serious. The UAE has been reported as the fifth most targeted country in the world for cyber crime. It is generally accepted that there are hacker organisations based in Eastern Europe and China that focus exclusively on the UAE and Saudi Arabia. Dubai in particular, as a financial centre for the region, and with a connectivity network that is the most developed in the region, is a popular target. The most common attacks are malware attacks, phishing, and social engineering through email. In the past year or two several financial institutions have also been the victim of denial of service attacks, incapacitating their websites or other connectivity. There are hundreds of attacks each day in the UAE alone.
FW: Could you provide a brief overview of privacy laws across the Middle East, and provide an insight into some of the subtle differences?
Daniell: Unlike the European Union, there are no specific national laws governing data protection and privacy in the GCC, and there is no unified set of laws. However, national and federal constitutions across the region recognise an individual’s right to privacy and sector specific laws deal with data privacy in certain circumstances – particularly banking, healthcare and telecommunications laws. Comprehensive data protection regimes do exist in the free zones of Dubai International Financial Centre, Qatar Financial Centre and Dubai Healthcare City that are modelled on the EU data protection directive. Sharia law also plays an important role in the laws of GCC states and it is important to remember that in the absence of national laws covering a certain issue, judgement may be passed according to Sharia. Sharia principles prohibit invasion of an individual’s privacy and disclosure of secrets without the subject’s permission or if not in the public interest. Punishments for breaches are at the discretion of a judge.
Bowden: As a UAE practitioner, my response will focus on the UAE. The UAE has no comprehensive data protection or privacy law, though an important exception is the data protection law applicable in the Dubai International Financial Centre, which is one of Dubai’s free zones and which has its own laws. The development of such a law has been anticipated in recent years to 'modernise' the UAE’s privacy regime, but as yet no drafts have been made available. The UAE Penal Code, Labour Law, and more industry-specific legislation contain provisions that essentially prohibit the disclosure of data which is either personal information or is considered 'secret' for any reason. Such disclosure is a criminal offence in the UAE, attracting penalties of imprisonment, fines, or both. Some specific professionals or industries are subject to additional laws particular to them, such as traders, medical professionals, the banking and insurance sectors, and credit information, for example. The exact nature of measures that a company or employer is expected to take to prevent such disclosure from occurring is not specified in UAE law, and as a result companies need to exercise their judgment and should seek advice as to appropriate policies and procedures if they are uncertain. This uncertainty represents a risk. The most recent developments in this area have been the adoption of laws that address specific areas of data or privacy issues, or affect them peripherally. These include the adoption of UAE Federal Law 6 of 2010 relating to Credit Information; UAE Federal Law 5 of 2011 Combating Cyber Crime; UAE Federal Law 3 of 2012 establishing the National Electronic Security Authority (NESA); and Cabinet Resolution 21 of 2013 on IT security regulations at federal government bodies.
Blom: There is no specific legislation on data protection and privacy in the region save for the QFC and DIFC. The UAE issued an amended Cyber Crimes Law that came into effect in December 2012 to generally address the evolving nature of such criminal activities and reinforce the penal punishments of imprisonment or fine. However, this law does not address specific privacy or data protection in great detail. As such, it remains that data protection and privacy issues are not governed through a single set of laws but through various provisions in the civil codes, penal codes or other legislation observing the guiding principles within the general constitutions of the countries.
FW: What legal and regulatory changes do you expect to see in data protection and privacy laws going forward? Are there signs that regulators have increased their monitoring and enforcement activity?
Bowden: My expectation in the short term is for more detailed laws regulating privacy and data protection, and increased oversight and activity of electronic and communications security in the UAE as a result of the newly formed National Electronic Security Authority (NESA). The UAE authorities are keenly aware of the threat posed by hackers, privacy and security breaches, and other cyber crime, and have been vocal in news sources about their intention to improve legal, logical and physical security measures in the UAE. NESA is essentially a national authority on cyber crime, and is empowered to develop and implement national policies on electronic security. It is still in its infancy and has not become active as of the date of writing.
Blom: Rapid economic and cultural growth throughout the region over the last few decades is underpinned by a steady development of the legal and regulatory framework, with a view to encourage the growth of local and international investments. The willingness of international organisations to establish and conduct business activities in the region is a testimony that there is faith in a continued positive development of the legal and regulatory framework. The enactment of specific data protection and privacy laws in GCC countries may materialise to address the framework.
Daniell: Middle East states are not ready for national data protection laws – implementation of such a regime would present a significant compliance challenge to organisations in the region. However, they may not be far off – in Qatar for instance a draft law governing privacy of personal information was released in mid-2011 aiming to set a minimum standard for protection of personal information across all sectors of the economy. The draft law defines ‘personal data’ and establishes requirements for organisations to train employees in information protection practices. Qatar authorities insist that implementation is imminent. New cyber security laws also have important implications for data privacy. The UAE is taking the lead on this, enacting a Cyber Crimes Law in December 2012 which criminalises disclosure of electronically stored information without permission. At the same time the UAE established the National Electronic Security Authority (NESA), a national authority for cyber security. NESA has been tasked with developing policies and standards to ensure electronic security as well as suggesting further legislation – new policies and standards are likely to impact the processing and storage of personal data in the UAE.
FW: What steps do companies need to take to maintain compliance with data and privacy laws across the Middle East?
Daniell: Given the lack of consistency in data protection laws across the Middle East it is important to understand how constitutional and sector specific laws affect your company in the countries you operate in. All companies should apply general principles of confidentiality when handling personal data including obtaining the consent of the subject involved. Policies and procedures should be adapted to meet the requirements of the markets you operate in. Companies should also be prepared for an increasingly strict data protection environment across the region. It is likely that lack of effective data security and a lack of due diligence will give rise to liability for data breaches and data loss in the future. More legislation is no doubt on its way and corporations must be proactive in preparing themselves for this.
Bowden: As a general rule, the primary risk that companies face with data collection, storage, use, processing and transfer relates to complaints from parties who allege that a company failed to keep the data confidential. The generally applicable obligation is simply to 'not disclose' the data, which appears to be a very low standard of care with no express obligation to proactively protect the confidentiality of the data. There are more specific rules that apply to certain industries, such as banking, insurance, medical providers, government offices, companies established in the Dubai International Financial Centre, and telecom providers, so companies should seek advice with respect to the laws specific to their industry. Generally speaking, our view is that a UAE court would be unlikely to hold a company liable for a privacy breach if it had taken commercially reasonable measures to protect itself that are typical in the relevant industry. The exact nature of such measures is not specified in UAE law, and as a result companies need to exercise their judgement and should seek advice as to appropriate policies and procedures if they are uncertain.
Blom: Considering there are no specific data protection laws in the GCC for ‘on-shore’ companies, I suggest companies maintain standards in line with global best practices.
FW: If a company suspects or confirms a serious data breach, what immediate steps should it take to conduct an internal investigation?
Blom: Companies should have both an incident response plan and a business continuity plan as well as a crisis management team in place to deal with a potential breach of network security. In our considered view, the first step should always be to involve an independent IT forensic specialist to determine whether or not the company has suffered or is suffering a data breach and the extent of the breach. The forensic specialist can also advise on the best course of action to mitigate potential or further loss based on the nature of the breach. The plans should also address procedures in relation to notifying governmental authorities and regulators if necessary or required, communicating externally to media, clients etc., identifying all necessary legal requirements and managing any potential reputational damage. The steps taken in the immediate wake of a breach are a vital part of mitigating adverse results.
Daniell: Because of the significance of cyber threats, all companies should put in place an incident response plan in anticipation of a potential breach. The plan will include details on when the plan will be activated, who will be on the incident response team and what role each person will play. In the event of a cyber breach, firms should first activate the incident response plan and establish how information will be shared internally. They must then contain the problem by limiting external and internal access to company networks, isolating infected systems and blocking compromised data packages. They must then launch an investigation – securing evidence, identifying what systems have been breached and the full population of compromised data. Firms must also conduct a security audit of access of compromised systems, and execute a notification programme, subject to local laws and regulations. It is also important that firms understand the impact on other parts of the organisation, and develop a stakeholder communications package.
Bowden: The more useful question organisations need to ask themselves is what they should be doing in advance, as reacting is always difficult and damage control is all but impossible. There are well established steps that can be taken to improve organisational readiness for a data security breach, but it is important to first assess how exposed an organisation is to such risks, and the nature of the risks, to ensure the steps taken are proportionate and appropriate. Each organisation will have different requirements, and a self-assessment process often called a 'privacy audit' can help identify weak points in an organisation’s privacy and data security practices. As a general matter, by way of example, these are three useful features of a responsible approach to data security breach readiness. First, appoint a privacy officer to ensure that new policies or procedures are followed, or else they will likely be ignored. Second, establish reporting obligations in internal policies. There should be a recognition that data breaches do and will occur. Most data breaches go undisclosed because the person who is aware of the breach does not know it was a breach, or covers up the breach for fear of repercussion. A pattern of periodic reporting to the privacy officer should be established to raise and maintain awareness of data security issues in the organisation. For this to be effective, employees responsible for a data breach need to be assured that they will not be penalised when they report it – unless there is a pattern of repeated mistakes, in which case disciplinary action would be appropriate. And third, include a clear response plan. Part of a company’s privacy and data security policies should include a clear, step by step plan which sets out how the company will respond in the event of a security or privacy breach.
For breaches of any significance, a quick reaction is usually important from the perspective of damage control and public relations, and a plan that is approved by the company in advance permits a faster and more organised response.
FW: What liability issues might companies and their D&Os face if they fall victim to a cyber breach and suffer data loss as a result?
Bowden: Under the UAE Commercial Companies Law, directors and officers – or 'managers' as they are called in the UAE – are exposed to personal liability for fraud, abuses of power, breaches of the company’s constitution, and errors in management. There is a general rule relating to tortious liability set out in the UAE Civil Code as well, providing that a person is liable for 'acts causing harm' to another party. If a company suffers damages as a result of a data or IT security breach, and the breach is attributed to mismanagement or a wrongful act by a manager, then the manager could face personal liability for the damages. The key question would be deciding what constitutes a wrongful act or mismanagement in the absence of clear guidelines in the law as to what level of diligence and IT or privacy protections companies are required to maintain. If the managers ensured that a commercially reasonable level of diligence was used to prevent data or IT security breaches – for instance, they ensured the company was not negligent with respect to that risk – but a breach occurred anyway as a result of a crime committed by an employee or a third party, then the managers could point to the various reasonable measures they took to protect against that risk as a defence. If the manager was negligent with respect to ensuring reasonable protections were in place, the manager could very well face liability for mismanagement.
Blom: Companies are exposed to security and privacy liability due to the loss of corporate information or personal client data – for instance dealing with the defence and possible settlement of claims by third parties for financial loss resulting from sensitive data being disclosed in the public domain or being misused by perpetrators. Directors and officers should be vigilant in ensuring proper implementation and maintenance of the IT security risk management framework. The last thing a company wants is to have a data breach and then potential lawsuits that point to the lack of control from the board members regarding cyber issues and risks to the company.
Daniell: This will depend on the jurisdiction companies are operating in, but anybody in a senior position of responsibility should expect to come under close scrutiny by law enforcement in the event of a criminal cyber breach and leakage of personal data. This is particularly the case in instances in which the true perpetrators are not easily identifiable. Criminal measures can seem draconian and arbitrary and D&Os should understand the risks they face personally and prepare accordingly.
FW: In your opinion, do companies pay enough attention to the potential reputational damage the media may inflict following a cyber breach?
Bowden: Negative media attention is one type of harm that results from privacy or IT security breaches. It is widely recognised that this kind of media attention can be very damaging, and organisations in the region are aware of that risk. As noted in response to an earlier question, the real obstacle is getting to the point that organisations are willing to allocate significant resources to protecting themselves from these kinds of risks. This is simply a question of awareness and acceptance, which is growing very quickly in the region.
Daniell: Company reputation and the effects of reputational damage have become an important strategic risk for large companies across the globe. This has been driven by the spread of online media and the multiplying effect of social media which is becoming increasingly hard to control by Middle Eastern governments. The media is increasingly attuned to the growing trend of data breaches, covering such events as they unfold in detail. Social media acts as a catalyst in exposing incidents quickly and reduces an organisation’s ability to manage the situation. Companies in the Middle East are increasingly aware of the potential damage but lack an understanding of how to address problems as they arise. A well-prepared and clearly delivered message when managing the effects of a data breach reassures customers; reduces media speculation; ensures all stakeholders are properly addressed; and provides the right information in a timely and calculated manner. A good PR firm can help.
Blom: I certainly think that companies are concerned about potential reputational damage as a result of publication of data breaches; however, I believe that they can do much more in relation to being prepared for incidents if and when they arise. Proactive risk management is vital. Cyber security should be embedded into the culture of the business with senior management taking the lead in cyber risk management. Many of the companies we have dealt with in the region do not have an incident response plan in place and therefore procedures for dealing with external communications in the wake of a breach are not formalised. A good communication and notification plan will go a long way in mitigating reputational damage.
FW: What advice can you offer to companies on protecting their data, including risk management and insurance solutions covering cyber security?
Daniell: We are in the era of ‘big data’ – accelerated by a proliferation of mobile devices, cloud computing and wireless communications. Consequently, it has become the responsibility of every organisation to protect its data and technology. Safeguarding this information is not only essential to good corporate governance; it is increasingly mandated by law and regulation. In order to protect your data, first, conduct a security audit – this will include an audit of the IT and physical security system which should be carried out by external advisers without a stake in the existing IT infrastructure. The audit will identify the population of sensitive data you keep, what systems store important data and how it is protected. The audit team will assess the company’s threat profile and any vulnerabilities in the systems and will assess access control procedures and data protection policies. Regular audits should be set up. Secondly, devise an incident response strategy. Even the best preparation cannot prevent all attacks. This will include establishing a crisis response team able to quickly address potential attacks with senior decision makers, external lawyers and IT security consultants who are trusted to have access to secret corporate data.
Bowden: A good starting point is developing and implementing responsible privacy and IT security policies, and ensuring they are followed. These need to be monitored and followed up on constantly if they are to be effective, and appropriate resources need to be allocated – such as IT personnel, developing procedures such as daily maintenance of backups, using encryption if necessary, outsourcing to specialist service providers in some cases, such as a data centre or cloud provider, for example. Implementing change in an organisation requires time and energy, especially at the management level. As mentioned in my response to an earlier question, appointing a privacy officer is advisable to ensure that the policies are not ignored. In addition to organisational measures, there are insurance solutions for data loss and IT-related damage and loss. These policies should be reviewed very carefully by someone with a clear understanding of the IT aspects of the business and the physical and logical security that will actually be used by the company. In my experience, the conditions and exclusions in such policies have the effect of making recovery for damages from data loss quite challenging. An example is a condition requiring the insured party to maintain backups of all data and files, and maintain and upgrade programs to protect against unauthorised use or access of the insured’s systems. If this condition is met and backups are maintained diligently, and if unauthorised access is prevented, then loss or theft of data – other than by a rogue employee – becomes difficult to claim. Underwriters will negotiate their policies, but you need to know what to look for.
Blom: Invest time in assessing your company’s cyber exposures and, more importantly, what the company’s response would be – to the regulators, clients, and business partners – upon discovering a network security breach. The first line of defence is to adopt data protection policies that formally communicate how the organisation deals with sensitive data, including storage, work, transmission and destruction, and so on. Employees need to be an active part of the information security programme and have a good understanding of what they can and can’t do with client and company data. As for the risk management framework, it is important that the stakeholders of all the different departments maintain a strong dialogue and provide their input in the incident response and business continuity plans. Clearly it is advisable for every business to consider the benefits of cyber insurance and assess how it can help to overcome cyber attacks and fill in coverage gaps of existing traditional insurance protection.
James Bowden is a senior associate at Afridi & Angell. He has advised extensively on a broad range of corporate and commercial, M&A and technology outsourcing matters in the UAE and Canada. Mr Bowden’s practice expertise includes: advising on all aspects of the purchase or sale of businesses; advising on and negotiating technology and business process outsourcing agreements, and associated data, privacy and risk management issues; advising on franchising and licensing matters, and a broad range of other commercial transactions. He can be contacted on +971 4 330 3900 or by email: email@example.com.
Alexander Blom is the Financial Lines manager for AIG in Middle East based in Dubai. The Financial Lines unit underwrites risks in relation to Cyber Liability, Directors’ and Officers’ Liability (D&O), Professional Indemnity (PI) and Bankers Blanket Bond (BBB) and other related financial lines insurances for the various licensed AIG entities throughout the Middle East. With a team of five underwriters and local claims support, the Financial Lines unit is excellently positioned to service the growing demand for Financial Lines insurance amongst commercial and financial related businesses. He can be contacted on +971 4 601 4420 or by email: firstname.lastname@example.org.
James Daniell is head of Kroll’s Financial Investigations practice in the Middle East. He has extensive experience in conducting fraud, corruption, and dispute investigations across the Middle East and Central Asia. Mr Daniell has taken lead roles in some of Kroll’s most complex multi-jurisdictional investigations, advising leading governments, financial institutions, corporations and law firms. Mr Daniell can be contacted on +971 4 4496709 or by email: email@example.com.
© Financier Worldwide