WEBINAR: Managing cybersecurity risk – a life sciences perspective

July 12, 2019 posted by



Thank you everyone for joining us for what is the first in a series of webinars focusing on contentious issues for life sciences companies. There will be details coming out soon for the next webinars in the series, so please do keep an eye out for that and join us for any that are of interest. My name is Paul Glass. I'm a partner here at Taylor Wessing and head of the cybersecurity practice. I'm joined today by Vin Bange, the head of the data protection practice here at Taylor Wessing, and Jessie Prin, an associate in the disputes and investigations team.

For the first webinar in the series we're going to talk about cybersecurity risk for life sciences companies, and this is a topic that we've chosen because we've particularly seen life sciences companies targeted in the last couple of years, sometimes leading to significant loss of intellectual property, confidential information and/or personal data. We're going to focus primarily in this webinar on external threats, but many of the issues and mitigations we'll talk about are equally applicable to internal threats such as employees and human error as well.

So, what we're going to talk about today: Vin is going to talk first about the legislative and regulatory background; I'm then going to talk about why life sciences companies are targets for hackers and attackers; Jessie is going to talk a bit about responding to data breaches and cyber attacks; and then I'll finish with some of the steps you can take and things to think about to prepare for cyber attacks and to mitigate risk. Then we'll have some time for questions at the end, so please do send those in if you have any.

We'll talk a bit today about legal and non-legal issues, and the reason for this is that I don't think you can quantify, manage and mitigate the business risk arising out of cyber and data loss without understanding both the legal risks, the background and the legal framework, and also the commercial risks and what might go wrong.
That's why some of our own legal team in this area also have a good understanding of the technical issues around hacking as well. So, enough from me; on to the substantive part of the webinar. First we hand over to Vin, who's going to talk about the legislative and regulatory background.

Thank you very much, Paul. It should not be a surprise that when you talk about cybersecurity, the words data or personal data are often very close by, and in fact the topic of GDPR therefore becomes very close by to that topic, if not central to that particular discussion area. So what I wanted to do today is just to set out the sort of core scene around data and GDPR, so you can keep that context in mind as we start and expand this topic out into the areas of cyber security itself. Now, we can't do the whole topic of GDPR justice in just a few slides, and particularly in this introductory way, so we do have a lot more resource on almost every bullet point that we cover today, in much more detail and in some cases with webinars that focused purely on those discrete points. That's all available on our Global Data Hub, which is our microsite that talks to all things data protection, cyber and security, and there you will find more content and thought leadership as well as our virtual bank of learning through our webinars.

I'm sure many of you will be aware that the GDPR entered into effect on the 25th of May 2018. It's been around for a year, and it's a law that we've seen a lot of activity on over the last year. In the UK we've seen a lot of activity as the GDPR has been implemented and expanded on to a degree through the UK Data Protection Act 2018, which received Royal Assent on the 23rd of May this year, and we've also seen how other countries across Europe have implemented the GDPR and added their own interpretation, and indeed derogations in some cases, around the GDPR. So it's far from the one harmonized, uniform law that we thought it might be.
And we thought that was what was promised when, at consultation, the initial dream of GDPR came into play. So it's still very much an area where the GDPR itself is the core substantive law, but you do still need to look at the relevant country legislation as well. Just to focus for a moment on the UK Data Protection Act 2018, there are some substantive elements which begin to expand over and above what we see in the previous legislation. You start to see areas such as digital consent, derogations around areas such as special categories of data (and I'll talk about special categories in a moment), also the rights of data subjects and the exemptions around being able to use the data, and so on and so forth. That whole environment is very much part of the UK Data Protection Act, and that's in Part 2. Then of course we see the duties and powers of the ICO in Part 5, and that's very much aimed at the duties and powers of the ICO as the enforcement machinery, if you like, and the lead regulator. What we are seeing is that the codes of practice, for example, that are being issued under this power are becoming much more influential, much more determinative, and actually provide a source of interpretation as well. And then of course there is an element that deals with enforcement, and we see a replication of the liability and fines, the replication of the sort of 2 and 4 percent that you see in terms of fines that could be levied against your global annual revenue. We have also seen the introduction of various offences. Some of these strike at the very heart of the type of data processing activity that you see within the life sciences context: offences around the re-identification of anonymized personal data where that takes place without the consent of the data subject, or trying to get around the disclosure requirement of a subject access request, particularly in cases of altering that data. You could again find yourself falling foul of these offences under the UK legislation.
These are just examples of how countries such as the UK begin to add to, and slightly depart from, the core law as we see it under the GDPR itself. Now, I mentioned a moment ago that we have the concept of special categories of personal data, or sensitive personal data as we read it under the old data protection regime. When you start to look at the definitions you begin to see that where there are references, as we've put in bold on the slide, to genetic data or data concerning health, you soon begin to see that this very clearly falls under the realm of special categories of data, which is so important and so integral to life sciences. You can read more about that in Article 9 of the GDPR, which begins to elaborate on that, and it also does so in terms of the restrictions that then begin to apply to processing special categories of data. Though genetic data and data concerning health are, and this is the starting point, prohibited from processing unless there is a legal basis for it, so it's really important under this new regime of GDPR that you assess the data processing activity. There is the concept of a record of processing activity, and this is assessed against the concept of the specific purposes, which will be matched against the specific legal basis, so you have to say this data being processed for that purpose is therefore lawful. This is the assessment, because otherwise you could find that you're falling foul of the regime set out in the GDPR and replicated into the Data Protection Act 2018, and you must be able to demonstrate that. That is one fundamental difference between the old law of data protection and the new regime in the GDPR: there is now a front-line obligation of being able to demonstrate the steps you've taken to ensure compliance. So it's a very, very different regime to the old one. I mentioned a moment ago that within this regime there are also rights and obligations.
As under the old law, the GDPR sets out rights for data subjects. I'm not going to go through these in detail, but just to highlight that what you see on the slide are the sort of core and fundamental rights that all data subjects have. So, as an organization within the life sciences industry, how you process the data has to be set out and has to be capable of being operationalized in the context of data subjects being able to exercise these rights. If you can't, then that's when you begin to see some of the tensions that could lead to non-compliance and the potential risk of those fines that I mentioned a moment ago. But also these are the sorts of rights that you could find begin to erode your asset value, if your asset value is the data itself, and actually begin to create, to a degree, asset risk. The degree to which it's created depends on the degree to which your GDPR compliance program has actually genuinely taken on board some of these key points of the GDPR framework. They are meant to, and are beginning to, highlight the point that data isn't a concept of ownership from a data protection law perspective; it is really one of guardianship and responsibility, and it's one where it very much will impact on your ability to say this data is mine and mine only. The law actually says something different, and that's why GDPR really does come into play. GDPR goes further and starts to talk about concepts which were not mentioned before, and these start to play more into the area of security and cyber in particular, because you'll start to see more references in the GDPR around data minimization; you'll start to see more references about anonymization and pseudonymization. So this whole key-coding concept, which isn't necessarily new, is new when you look at the source of data protection law now in the GDPR. So you will now find that actually, as you move through and deep dive into the obligations under the GDPR, you begin to see that there is more of a focus on protecting data.
There is more of a focus on data security, on minimizing the data, on minimizing the risk to the data, and on recognizing some of the concepts such as anonymization and pseudonymization, what they actually mean and how they apply. So, unlike the old law, under the GDPR it's very clear there is no silver bullet of consent or standard policy that can actually get you through this particular journey. You need to make sure that you've looked at the obligations the GDPR places on you and actually operationalized them robustly, and there is a front-line compliance obligation that has a sting to it, because that's really the area of the 2 percent fine regime under the GDPR. So everything you hear about impact assessments, records of processing activity, and requirements to assess the parties, whether you're a controller or processor or whether you're sharing the data under a data sharing protocol: these are not terms that should be taken lightly. They are obligations under the new framework around how you handle the data, much of which also focuses on how you understand what data you're holding and why, but also the measures you take to keep it secure. So security remains a key component of GDPR legislation, and there is a complex formula which becomes more complex if you don't operationalize and deal with the issues under the GDPR correctly. So that's just a brief introduction, as I mentioned, and we have more information on all of these topics available, and we'll point that out again at the end of the webinar. But hopefully that sets the scene that this is very much a regulated area, and it is very easy, in terms of the type of data that we see in the sector, for it to be caught by the GDPR and for those GDPR obligations to flow through all the different parties in the chain, whether upstream or downstream, around how the data is handled. It's the link between personal data, the data per se that organizations hold, and how that perhaps manifests itself in other aspects of IP and assets.
Those often become the source of the risk under cyber security, and this is where perhaps I hand over to Paul to talk a little bit more around why this matters from a cyber perspective and context.

Thank you, Vin. One of the reasons we go back to the GDPR in relation to personal data, at least in the UK, is that we don't have the equivalent of HIPAA in the US, that is, health sector specific legislation. There is some NHS Digital guidance around data security and that kind of thing, but in reality it all refers back to the underlying data protection legislation when we're looking at that aspect of it. So what I'm going to pick up now is why life sciences companies are targets for external attackers and what those threats are. The reason for covering this early is that we fairly often hear the refrain from companies that they don't believe that they would be a target, or they don't understand who might be targeting them or why. This is particularly the case with smaller or younger companies, and understanding why you might be a target is an important factor in considering the risks surrounding your data, what security you should have in place, and therefore the risk that attaches to the data that you hold. Now, for life sciences companies, as you'll know, particularly in biotech but across the whole industry more generally, it's often the case that a lot or even most of the value in the company is in its intellectual property, its technology or its data, and this is even more the case now with the revolution in digital health, where we're only really at the start. At the same time, in our experience, and research indicates this too, save for what you might call Big Pharma, while life sciences companies are IP and data rich, you might call them security poor, and there are plenty of examples of compromises of networks and theft or loss of healthcare data in the public domain. I've referred to one of these on the slide.
One of the bits of research in the US, and this is the healthcare sector as a whole, from 2017 by the US Healthcare and Public Health Sector Coordinating Council, showed that whilst on average across all sectors the spend on IT security, or cyber and security, as a proportion of the overall IT budget is between 10 and 14 percent, in the healthcare sector it's half of that, between 4 and 7 percent. That does match up with our experience: fairly often, companies in the life sciences aren't as secure as they perhaps could be compared against other companies. So, given the nature of the data that life sciences companies hold, the way the sector operates, and what appears to be some degree of underinvestment in security, this does mean that the sector is considered by attackers and criminals as a good target in terms of risk and reward.

So we're going to talk a bit now about what the main external risks are. The first of these, which is probably the first one that springs to mind, is intellectual property theft. This has been a substantial risk across the sector in the past, and frankly we see little sign of this changing. It tends to come from certain specific jurisdictions where companies in those jurisdictions are trying to play catch-up in terms of their capabilities for research and development, and those are also jurisdictions where minimizing the risk of use of stolen data, or chasing it down, or even obtaining damages following data theft, is very difficult. This isn't an uncommon issue; we do see it happening and there's plenty of research in the public domain about it, and that means that life sciences companies should be making themselves as hard a target as possible. The second risk is really access to personal and medical data, and we appreciate this is more relevant for some of you who are doing, perhaps, clinical trials where you actually hold more of this data.
To be honest, the risk is more focused on the US healthcare sector, but to give you an idea of why this data is an attractive target: currently, full profiles of data subjects which have been stolen through breaches of healthcare providers sell for the most money on dark web markets, and this is by a very, very wide margin. It's not even close to the second; it's a multiple of seven or eight times the value per record. So a medical record, a full profile of an individual, is a prime target. As I briefly mentioned before, it would be remiss of me not to mention the insider threat, which can be either deliberate theft of data or accidental data loss: the employee who goes out for drinks on a Friday after work and leaves their laptop in the pub, or has a phone or laptop stolen. We're not going to go into detail on this today, save to note that some of the risk mitigating actions that could be taken, that I'll talk about later, do apply equally to this area as well.

One of the other things that we've seen a lot of activity on recently is ransomware, and there are two main varieties of ransomware I want to break that down into. The first is, as everybody will be aware, the sort of WannaCry type incident that hit the NHS very, very heavily a couple of years ago, although actually that malware wasn't ransomware; it was actually just data wiping disguised as ransomware. This is locking computers on a network, usually with malware that locks individual computers and spreads very quickly across the network, and you get a ransom note saying, for each one, pay 350 euros worth of Bitcoin and we'll unlock your computer. The latest variants of this type of malware do spread very, very fast across a network, usually by using some exploits which were unfortunately stolen from the NSA in the US a few years ago.
Those exploits are now in regular commercial use, and by commercial I mean criminal commercial use. As an example of this, you'll have seen in the US in the past couple of weeks that two US city authorities have paid 1.1 million dollars in ransom to have their IT systems unlocked. This has been in the news because of the public body nature of the victim organizations; they have to declare that they're using, effectively, public money or their insurers to pay this ransom. Again, you may have seen Norsk Hydro a couple of months back, who were impacted with ransomware. They elected not to pay; they are still dealing with the cleanup, and it was reported last week that their costs are around forty-five million pounds and still increasing. There is a lot of this activity going on; cyber liability insurers are reporting significant increases in claims for ransomware.

One issue, one legal issue, I want to put out here to consider, and it technically leads on to legal issues, is: what would you do if your network was subject to ransomware? What are your recovery plans? How quickly can you restore from backups, and how much data might you lose in going to the last backups? That's the commercial risk aspect. Looking at the legal side of it, what might the effect of that be on your ability to meet contractual milestones? Have you considered whether ransomware would fall within contractual definitions of force majeure? This hasn't really been considered much yet by the English courts. As force majeure is usually defined as an event beyond the control of either party, that brings in the question of whether the victim business had adequate protection in place against the ransomware attack; to use the GDPR language around security, did the business have adequate technical and organizational measures in place to ensure the security of data? It hasn't been tested under English law yet. I very much expect that it will be tested in the reasonably near future.
The second area I wanted to pick up in terms of ransomware, and that we've seen quite a lot of, is the theft of data with blackmail that then follows. This is attackers obtaining access, usually by phishing emails, moving laterally within the network, stealing large amounts of data, and then demanding payment in cryptocurrency for the hackers not to release into the public, or sell, the stolen data. We've had several clients targeted in this way in the past two years, and we know of tens, probably now hundreds, of others through activity that we've done for clients on data recovery and analysis and working with UK and other countries' police cybercrime teams. It's becoming more and more common, and it puts the company in the situation of knowing that some of its data, often highly commercially sensitive, is out there. That data will not necessarily belong only to the company, because typically for life sciences companies you'll have collaboration, license or drug development agreements where you have not only your own IP and confidential information but also the IP and confidential information of your partner, and that will be subject to contractual confidentiality obligations; I'll come on to that in a minute.

One point just to mention now while we're on the topic, as I referred to police cybercrime teams: if you do find yourself in this kind of situation, the police cybercrime teams and the National Cyber Security Centre, the NCSC, will get involved and will provide, actually, now very good support. One message the NCSC is very keen to get out at the moment is that when they are supporting a business who's been the victim of a cyber attack, they will not pass information on to regulators. They're absolutely explicit about this, because they've had feedback that businesses are worried about involving the NCSC or the police because it means that the authorities see all their dirty laundry and that everything gets passed on.
Passing it on to the regulator doesn't happen in practice. There are issues to manage around legal privilege, but in our experience police cybercrime teams and the NCSC are sensitive to this and do mostly understand it.

Another issue that we've seen a reasonable amount of is cyber security risk around M&A activity. We're not going to go into detail on that here, because it's an entire talk in itself, but in sectors where there is extensive M&A activity, like the life sciences sector, this liability is a particular risk. This can be anything from: is the IP in the company that you're buying worth a lot less than you think it is because it's already been stolen and used elsewhere to develop a similar product? Or have there been data breaches within the company, relating to personal data for example, that don't get uncovered during due diligence and again impact the value of the acquisition? That's an issue across all sectors for M&A, but it is particularly a problem in the life sciences sector.

One final point to flag up here is that when we refer to breaches or cyber attacks, people tend to automatically default to data theft related loss, and that's an impact on the confidentiality of data. We're really talking about the confidentiality, integrity or availability of data. Just as an example of that, we've seen a situation where code designed to randomize trial results was inserted into a company's computer software by a disgruntled employee, and that rendered the trial results effectively useless. On non-availability: is a third party reliant on access to data that you hold in real time, such that if that data is no longer available, because you have a ransomware attack or it's stolen and deleted, losing access to that data causes a third party loss? Now, I appreciate again that's slightly less likely in the life sciences sector than, for example, financial services, but I think we'll see greater chains of data management and data being used for more extensive research.
In the life sciences sector we can see this becoming more of an issue. So hopefully that should give you an idea of why life sciences companies are at risk. Jessie is now going to talk a bit about responding to data breaches.

Yes, thank you, Paul. So, as Paul said, I'm going to talk about how you should respond to a data breach in the event that one occurs. First of all, a cyber security breach should be treated as a crisis management event, which may sound obvious, but the point about this is that your ability to coordinate who is responsible for managing the incident internally, who you are going to instruct externally, establishing the precise extent of the breach, what you need to do, and who you need to notify about it all has to be done, and it has to be done as quickly as possible. So having a, preferably practised, crisis management approach is important. It may of course be that, because of the nature of the breach and the services that it's affecting, so where for example, as Paul mentioned, IT systems are locked, this in any event forces a crisis management response where the organization can't continue to function as normal. Priorities for your response will include verifying the breach and containing it, confirming the extent of it and the data or services affected by it, and then identifying the risks arising to the business and others from it. In order to do this you're likely to need to instruct external forensic IT support as well as legal advisors.

Just one point which Paul touched upon, which is privilege: regulators cannot require disclosure of privileged materials. There have been some quite interesting and significant decisions in the past few years relating to privilege as concerns internal investigations that organizations undertake. So just to cover this briefly, although I'm sure it's a reminder for most of you: legal advice privilege attaches to confidential communications between a lawyer and a client for the purpose of obtaining or giving legal advice.
Litigation privilege, by contrast, attaches to confidential communications between a lawyer, a client, and either of them and a third party, where those communications are created for the dominant purpose of obtaining or giving legal advice in relation to actual or contemplated litigation, or for the collection of evidence. In May 2017 the High Court handed down a decision in the SFO v ENRC litigation where it was held, in relation to documents created in an internal investigation carried out by ENRC, having been alerted by the SFO to potential allegations against ENRC, that neither legal advice nor litigation privilege attached to those documents. The finding in respect of litigation privilege was that, because the proceedings in contemplation were criminal proceedings, which require a higher standard of proof than civil proceedings, the litigation was not actual or contemplated. Also, in terms of the dominant purpose, the court found that the dominant purpose was not made out because the documents had been created for the internal investigation, to help ENRC prepare for an external investigation by the SFO and find out what had happened. I should say that these documents included interviews with employees but also included forensic accountants' work product, which is analogous here to forensic IT support. That decision was overturned by the Court of Appeal in certain respects, including in respect of the dominant purpose, which means that the court found that obtaining advice and assistance in order to head off, avoid or settle contemplated proceedings was protected by litigation privilege. The important application point from this is that you have to ensure that there are contemporaneous records, or it certainly helps to ensure there are contemporaneous records, to support the assertion of litigation privilege over documents being created for an internal investigation, and also sending out litigation hold notices and suchlike.
Those will help. Where a forensic IT consultant is therefore instructed at the time of a data breach, you are more likely going to be able to support the fact that this is because of contemplated proceedings: obviously the data breach has happened, you need to establish the extent of it, and out of that may flow regulatory and potentially civil proceedings. Where the area is still tricky in terms of involvement of forensic IT support is where there hasn't been a cyber security breach, so where you may have support in terms of doing penetration testing in preparation against such a breach. In that situation, at present, in seeking to establish legal advice privilege, our view would be that it assists to have legal advisors instructed, both to assist with the instruction of the IT forensic firm as well as the dissemination of their advice. As I said, for litigation privilege in an internal investigation context where there's been a cyber security breach, it's likely to be easier to establish that that applies, but it does help to have solicitors involved and to keep contemporaneous notes that litigation is in prospect, which is why the investigation is being undertaken.

Once you have begun to get a sense of the scope of the breach, the next point to be considered is whether you need to notify the regulator, and here, obviously in the UK, that will be the ICO. You'll also need to consider whether it's necessary to notify data subjects. In terms of the ICO, the requirement in terms of the GDPR is to notify unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification has to include various details, which is where it's helpful to have IT forensic support in order to be able to get all the details you need for the notification, and that has to be done within 72 hours, so three days. In terms of data subjects and notifying them, this has to be done without undue delay where there is a high risk.
A high risk to the rights and freedoms of individuals is a higher bar. As has been referred to, medical data, or medical and health personal data, is a high risk area, and if it's compromised in a cyber security breach it's highly likely to require notification not only to the ICO but also to the data subjects. I'll just mention briefly the challenges in terms of identifying data subjects, which can require the use of document review platforms to try and work out if personal data has been compromised, if it's possible to identify data subjects from that personal data, and if therefore they should be notified. Also, it's just worth mentioning that life sciences companies can of course be subject to other regulatory requirements. So, for example, companies registered with the Care Quality Commission are subject to the Health and Social Care Act 2008 (Regulated Activities) Regulations, which require that the holding of records and systems and processes support the confidentiality of those using the service in question and meet data protection legislation. At present that refers back to the GDPR, so in effect by complying with the GDPR you will be compliant with the Care Quality Commission regulations in that regard. However, it's worth keeping in mind that you will also be subject to their regulations in terms of cybersecurity breaches and what actions you need to take in that regard. The CQC also requires its regulated service providers not only to comply with the GDPR but also with the National Data Guardian's standards, so those are the standards that Dame Fiona Caldicott has looked into in various reviews. Finally, I'll just mention that as well as your IT forensic support and your legal advisers, it's also likely you'll require PR communications support, and communications support with cybersecurity experience is critical.

Turning then to the other aspect, or another important consideration for life sciences companies, and that is data contracting.
As has already been touched upon, life sciences companies often enter into joint venture type arrangements; these are very common, be that by way of licensing agreements, supply and manufacture agreements, etc. These agreements are likely to cover, among other things, the scope of rights licensed, the purposes for which the data can be used, ownership of the underlying rights and rights to derived data, as well as warranties of compliance with laws and regulations such as data protection, and confidentiality provisions. We would recommend that the obligation to keep third party data confidential is preferably done on a reasonable endeavours basis, or the slightly more onerous best endeavours basis, but that an absolute basis is avoided. The important point is to be aware of the third-party information rights if you have a breach and how you manage that information flow. It is fairly common for these types of agreements to include confidentiality provisions which mean that any third parties with whom you contract, so subcontractors and sub-licensees, have to enter into equivalent confidentiality obligations. There's also a question about the degree of care with which the confidential information is managed, and there may well be notification requirements set out within those agreements, so that, similarly to the regulatory requirements, you have to notify your third party counterparties without undue delay where a cybersecurity event has occurred. So these are the various factors that life sciences companies have to consider in responding to a data breach, and of course the preferable situation is that a data breach is avoided altogether. I'll hand over to Paul, who's going to talk about some of the ways in which that can be achieved.

We'll aim for achieving that, although I think I'll go more for mitigating risk at this stage of things. So the starting point here, to be honest, around reducing risk and preparing, is understanding your data.
few points here effectively this started one accuses data classification and this is understanding what data you have within your organization so you'll have for example data in your laboratory information management system if you use it within an electronic laboratory laboratory notebook software but then you'll have HR data you'll have non sensitive commercial data you have sensitive commercial data you'll have your own intellectual property and commercial data and as we've touched on already the commercial data and intellectual property of the parties who are you who you're collaborating with or manufacturing for or who are manufacturing for you and the key here is have these considering these different types of data considering the risks that attach to those different types of data both business and legal and having appropriate processes and measures within the business to to manage the risk that attaches to that data and so that that really does go to that high risk data and then how do you and how should you protect it the second issue is is what do how does data move within your organization and this is this involves looking at your questions like do staff do things like extract data from from your limbs or elsewhere and yet save it in dev SharePoint for example email it around how does data move inside and outside your organization and it's important to have a good understanding of what inside and outside means a lot of life scientists companies still in to some degree haven't shifted to cloud but cloud it's the best way to think of cloud whatever if your implementation of it is basically somebody else's computer so having a proper understanding of what is inside and outside the corporate network is very important and the issue here really is how does they to really move and this is not how your policy set shouldn't say it should move because employees never ever follow policies up to what they should be doing with and how they should be managing data but 
actually happened that understanding of how people access transfer and utilize the data within your organization and thinking about appropriate security you can put in place around that that still allows good behavior but also restricts bad behavior and what I'm talking about bad behavior you know you can pick up examples like the classic one of a major listed company in Sweden that had policies preventing the use of Dropbox etc and fairly well-known incident where the CFO decided just because it was easier than remoting in from home because he had some connectivity difficulties that he'd just done polluted financial information in Dropbox and then access from it that from his own computer that kind of behavior should be prevented by policies and systems but equally you don't want to move too rigid so that the business with too much friction within the business and this again applies to the high risk data identifying what it is whether it's IP clinical trial data medical personal data understand how you can operationally protect it but still run the business and not create too much friction I referred in that to IT policies yeah mighty security policy will be the main policy for these purposes and you should absolutely have one of those but you also need to think about things like acceptable use policies privacy policies that all form that passes tweeter policies that touch on information security in some way or another should form part of the staff handbook and their staff sign up to when they join and this means that stuff then understand the standard that they should be operating to you should absolutely have a set a specific breach response plan and this is separate from from your PCP your business continuity plan and the National cybersecurity Center actually last week just published some useful guidance for small to medium sized companies for developing breach response plans and they've got three historic guidance for larger companies so I would absolutely 
recommend looking at those on the NCSE website and the important thing here is the plan should be tested at least annually with forth of like live tabletop exercises and then a post-mortem afterwards change is made to the plan as necessary and a tabletop exercise is effectively a live-fire simulation you are you have all the relevant people on your breach response team within the room or within the business and all working for the same on the same time for half a day on an unfolding scenario that they don't know what it is you have either somebody else's in the business or external provider tasked with running the exercise and this is invaluable in seeing how the recruit response plan works how people followed it how people didn't follow it it means you can see how people respond in the highly pressured situation and can think about who actually is that person the right person to have and the breach response team it means that if you do have a breach and you're in a highly pressured situation the team aren't doing it for the first time and this is and that's probably the greatest value edge of this and we we do help clients run these exercises at times this should be standard practice we're amazed at how often it still isn't but there should be at least annual preferably six monthly penetration tests or red teaming exercises however you want to call it but you're an external party third party contracted to effectively attack your systems and try and break in and this should be a cart launch try and break into our systems not a please attack this narrow IP range and see what you can do when that narrow IP range is the small part of your network that just isn't enough anymore it's not it's not sort of accepted as good practice within the industry there are a lot of standards out there that you can use for information security I put ISO 27001 and nest nest 800 to the relevant standards they're quite a lot of work to comply with and they certainly don't guarantee you 
won't be the victim of a breach I've seen plenty of businesses that have ISO 27001 and then have a data breach but they are a good place to start even if you're not actually going to go through full certification and and get the standard itself but going through those and applying the principles is within the business is a very good starting place and obviously you consider later on whether you do want to go down the route of getting full certification I've already referred to the NCSC website has a great source of information for preparing for and responding to breaches the last thing I put on this slide is you should have a director who is responsible for understanding and managing cyber risk and it doesn't need to be somebody who is an expert in security it needs to be somebody who knows enough to understand the risks and the posture that the business is taking around security and ask appropriate questions and challenge the IT and security function and also to deal with cyber risk as a standing item at every board meet on the agenda for every board meeting and it should be a standing item on the agenda for every single board meeting the next slide this is just sort of a starter for ten on reducing risk and as I said I know I've added number 11 I'm a lawyer and accountant I can't count this is really just things that you should be thinking about and this this applies to a lot of companies but also it's slightly more tailored to life sciences companies this comes from an American PHA publication on specifically managing cyber security risk it's quite useful it's large I'm not going to go through some detail here it's a list of things to think about if you're the director or senior exec or head of legal tasks responsibilities cyber risk from a business perspective have a look at these issues a bit more online or if you just want to Precog you're headed by to your security just ask them what they're doing to manage endpoint risk or how you're dealing with network 
security risk or something like that and they'll wonder we'll notice you've been reading the last one I've added here is staff training this is key for a couple of reasons that I'll get onto in a minute it's now common even standard practice to have at least six monthly preferably more often than that staff training on cyber security issues it's not enough anymore to simply deal with it when you onboard new staff it has to be more regular than that and running quickly through because I'm conscious of time and got some good questions coming through actually I talked about identifying the key data and protecting that and part of that is the issue who needs access to that data when do they access to it how do they need access to it this is an issue across a range of industries that we've seen a perhaps more often in in life sciences under they're sort of guys at all but somebody within the business might need access to that data at one day and so there's often even no access control sometimes in our experience the reality is that often people working on project alphabet will have no reason to see the data or information in relation to project zebra but businesses do still have a default you know everybody can see everything this shouldn't be the case it comes from the data protection data management more generally but the principle of minimum access is what should be thought about and applied here and what this means in practice is locking down data save for the relevant project team what this means from a security perspective is that if an attacker does get access to your network they can't simply move laterally across shared network drives and access and exit rate whatever they want if you've got access controls and lock down certain network drive that does restrict their ability to get access and move across the network and accelerate more data one point on here as well that I haven't put on the slide is thinking about encryption encryption of any valuable data at 
rest now is becoming standard practice encryption in transit is more difficult it's more CPU intensive and can slow things down quite a bit that's want to think about whether it's practical for the data in question obviously in day of data is in use on a continual basis there anything then encryption isn't really an option but if you do have data which falls within that category think about access management and also access logging so that you can always see who is access to data when they've accessed the data if there is an issue later on I talked a bit about staff training one of the key things here really is is around phishing phishing is still incredibly successful depressingly effective this halls really into two categories the first is Nigerian Prince's with 10 million dollars that they want to get out of the country if only you or your employees will click on this link to give them your bank details that's less of a risk really I would have intelligent people working for you don't believe that bags of cash fall out of the sky and get handed over to them the real target ear is targeted the real story threat here is targeted phishing and this is world created phishing emails aimed at the person in question having done a bit of research around social media LinkedIn etc so they look more believable and in reality what's going on here is is these emails are hacking the human not the computers it's a language sometimes used and one good way to think about this is actually considering the characteristics of key staff who have access to this high-risk data and what are they like what are they likely to fall and this is around social engineering so one way of working on your security posture and reducing risk around phishing it's a training to the traits of your staff that make them high risk and in a life sciences organization this might be putting a cyber to the board and execs on the financial side it might be your scientists your engineers so having a think about 
what pushes their buttons when when they might most vulnerable what are they most likely to respond to and then actually helping them to understand their blind spots or potential weaknesses that means they're more likely to fall for phishing emails I prefer to link scanning on the slide and mine casters think of the podcast is good other tools are available obviously and this is just automated systems that scan any link somebody comes to on an email that somebody tries to click on validate this is a good link or a bad link they're never 100% successful but they're you know are very very very good at minimizing the risk of phishing is that they also don't work with attachment so some form of attachment scanning system is also a good idea one other thing to think about here which is becoming more common practice I wouldn't say standard practice yet but it's happening more and more is sending fake phishing emails around the business seeing who clicks on them if somebody does fall for them they get it they get a prize of extra training but also monitoring that seeing are your rates of stuff who fall for the fake phishing email falling over time if not if you're training good is it appropriate is it achieving what you want it to achieve another point here is where externally emails come into the organization you can set rules in a clerk at a server level to put a nice beat with red text at the top of an email saying this email has come from an external source be careful this sort of thing and that's a useful flag as it's rewarding to people I refer to NFA multi-factor authentication for any cloud systems we are seeing a huge amount of attacks around office 365 and Google Drive and things or terrain with credential harvesting the attackers then log in Excel traits first the last the most recent six months of emails from the mailbox and then if they've got time they go back further and this has been validated and confirmed by the NCSE as what they're seeing in terms of 
activity on this and they then basically go through that data and see what they can use to try and monetize it and that could be anything from invoice fraud hi you haven't paid our invoices and you here's a reminder invoice which changes the bank details through to actually then you're after attackers have been found and kicked off a network setting up a spoof email address for an employee replying to a legitimate chain of emails that's been a discussion within the business from the spoof email address but making it look as though it's from a legitimate employee that then got another document with malware attacks and that's a good way of reinfecting somebody's system and there's a whole raft of things in between simple sale of data etc what happens with that kind of thing so multi-factor is a really really important thing if you are moving to cloud remote access anything like that to be honest multi-factor it is a must now I've got a number of other points I did want to talk about here but just in the interest of time we might pass on those for now might add a couple more slides on and circulate those around afterwards if anybody else is interested hopefully that was useful run through some of the risks that we are seeing in practice and some of the things you can do to mitigate those risks and risk around cyber security for or life sciences companies we do have a couple of questions so I think we'll turn quickly to those the first question is what level of maturity do you see from Life Sciences clients in having specific Suites of contractual fiber clauses to address and mitigate some of these risks eg specific definitions of cyber attack or security incident with specific consequences or and termination force majeure audit rights for mediation planned separate liability regimes etc which is a very good question I think of in was going to comment first on that yes so this is an interesting question and I think the answer is largely driven by I guess what period of 
time are we talking about because we're seeing an evolution not only in the floor but we're seeing an evolution in the way which organizations are perhaps becoming better prepared in this area so if I have to say the answer this question looking back say two years I'd say the level of maturity probably low and at best low to medium if I'm saying more recently I think actually many ways it's probably moving up to two you know it in for a great in terms maybe even you know medium to high in some cases so definitely we're looking at sort of amber or green ratings as we're seeing more and more often but certainly over the last two years within a lot of low to medium type of representation in this area so what do I mean by that I think in my experience they going back to three four years they just wasn't the emphasis to focus on data information the threat environment around it and actually really manipulate that and express it in to contractual clauses what we saw bra references around this area but actually not a lot of depth around what that meant not a lot of depth around the linkage between the different types of different aspects of a call consequences accept but we are seeing that change we are seeing that shift and I think the reason we're seeing that shift it's because and I will put it down gdpr practitioner I put in and partner GPRS forced organizations to think about what data they hold not guess not estimate or guesstimate but actually assess what they hold document that and really understand it and then map that against the purposes and risks and so on so when you look at the application of gdpr and you start to see that there is an increasing or a better understanding of what date has been held and then you see the other aspects of GDP our compliance such as record or processing activities or more importantly maturity in in techniques such as privacy impact assessment in other words our organizations go further than simply recognizing and understanding 
what data they have but genuinely in a more mature way assessing why they have it what the risk part of the data that's what we're seeing also being represented in some of the more recent contractual clauses and mechanisms that we're seeing where it's not necessarily the cases we just see that broad term around data or security or or incidents but actually something a little bit more specific something that's more tailored to the activity under the contract tailored to the data processing that's going to take patient of the contract tailored to the role of the parties under those agreements and I think that's the biggest shift that were beginning to see I think we're only just beginning to see it but we are seeing it I don't think there's a standard position on the way in which the consequences of that linked to causes such as termination and force majeure I think in some cases we are seeing a move towards a specific linkage and that fact shift that we're seeing but I think what we're seeing more importantly than that is actually not just provisions that begin to say this is what we recognize as an actual or suspected incident but this is what we now think you should do when that when that particular event has been triggered and this sophistication is beginning to flow around the consequence in other words notifies and notifies within a certain period stop doing this or do that so we're seeing much more around that I think also that links to a lot of what Paul mentioned only lack of lines because more and more organizations are not only gearing up towards the implementation of TDP on a more meaningful way but actually as we begin to see more organizations mature out from GDP our programs and start to reassess their data security readiness and so you'll for armed with all of that and then start to see well how does this manifest itself into contractual slowdown so in short I think the maturity level has been fairly low in the past but we are seeing that shift and 
just quickly on Natomas bid to refer to GDP are quite a bit I think that has driven a shift in behavior because of the potential ramifications of getting it wrong what we have seen more of is around around audit audit writer security ability and contractual remediation plans that follow failures termination is less common still it's more sort of agreeing a roadmap for remediation separate liability regimes we're absolutely seeing more and more of which is that liability for data breaches are more often carved out of or are subject to a higher cap than the standard contractual limitation of liability cap so the second question that we have is what guidance do you have in relation to privilege for global crisis teams eg spanning the UK US India and China particularly when teams are using informal comms eg I am texts or even whatsapp and Jessie was going to pickup point on this first and then I'll comment more generally yes so just quickly on that it's an interesting question about this really comes down to the definition of client base so litigation privilege and legal advice privilege now also of course the litigation privilege it covers communications between lawyers clients and third parties and those third parties can include employees within the organization if they're providing information towards the con some plated litigation however where the client is or where the employees would really be coming within the definition of clients the important point to assert privilege is to define all those people who are going to be receiving or obtaining advice to come within the definition of clients at the same time we would be suggesting as the law stands at present that the definition or that the number of people who are the clients is kept as small as possible because it assists in meaning that you don't have waiver of privilege but if it is a bigger group you should define it the other thing I would just mention the case I was talking about SFO and ENR see the Court 
of Appeal didn't reverse the decision on legal advice privilege which those who were involved with the case on well and on the appellant side I know we're disappointed about and a very keen to take to the Supreme Court the definition of client particularly bearing in mind and legal advice privilege context because it is very narrow from the Three Rivers decision and it does mean that in global organizations where many people need to be involved in an incident such as this it causes real practical difficulties so there is an appetite to try and challenge the definition of client as it stands for legal advice privilege purposes particularly on if someone has the appetite to do so and just on a more macro level on this question because it does come up fairly often in data breaches of C they tend to be international in nature it's a there's a couple of points really one is about understanding what the risk around privilege is in the different jurisdictions in question and how those jurisdictions manage did deal with privilege under national law therefore what is the risk or weight risk of waiver of privilege and understanding you're sort of lowest common denominator basically so what are the jurisdictions where you have the highest risk of loss of privilege and it then becomes a question of sort of information flow management to a large degree and it may be that for the jurisdictions which are higher risk for loss of privilege that actually they receive less those in the jurisdiction dealing with the information Lee receive less information or the information flow is very much from that jurisdiction to those managing the information internationally so that you limit you limit the risk of wave them more broadly but also you have a better argument that if there is a risk of waiver privilege it is in the jurisdiction is limited to that jurisdiction which has the the higher risk of loss of waiver than others and just on the point on informal calm to throw into I own text 
even water it's actually quite an apposite question for data of cyber security issues and I've had several matters where we've ended up advising the client over whatsapp because the client wasn't certain of the security of their own systems really the risk here is around fact that it's an informal communications channel so people tend to be less guarded in what they say there's no specific issue arising out of using those channels as opposed to for example email other than that in formality of communication it still disclosable in the same way if you do end up in written in it in the area where privilege has been waived so it's it's really about understanding what is the information which you need to manage how do you may need to manage that information in relation to certain jurisdictions and really having a good understanding at the start what the risk is hashing to your higher privilege risk jurisdictions is and trying to minimize the risk of loss of privilege in those jurisdictions we've run out of time we picked sort of the two questions that were hopefully the most most used to people just so please do keep an out for the next webinars in the series which will be focused I think on more traditional issues for disputes around life sciences companies we thought we pick us lightly off the wall one fourth as the first one if you are interested in some of the issues we touched on today please do get in touch and if you're not already on the mailing lists or checking sign ups around Life Sciences issues which is the publication that we put out specifically for the life sciences industry or our global data hub which is the more data protection focus content that we push out please do get in touch and we can make sure that you are added to those lists thank you very much for dialing in everybody and we hope you find it useful