GDPR: data protection rules seen as ‘burdensome’ one year on

By Gavin Hinks

EU flag, data protection rules, GDPR

One year on, not everyone is impressed with data protection rules. Indeed, a survey reveals that many organisations feel the introduction of the General Data Protection Regulation (GDPR) by the European Union 12 months ago, has led to no significant improvement in their knowledge of how to manage and protect data. That’s a shame, but GDPR is not going away—and we now know the consequences.

Research by ICSA: The Governance Institute reveals that 42% of those polled feel their understanding of data protection has remained the same over the past 12 months, despite the introduction of GDPR.

A total of 39% believe the new rules have “significantly” improved their understanding. That either leaves the regulatory authorities, or the organisations subject to the rules, with big questions to answer.

ICSA found much negativity about GDPR: It has “increased overheads”; become a “huge burden on resources”; and created “much extra work for little extra benefit”. Furthermore, data access requests take up a “disproportionate” amount of time and create “significant compliance burdens with no clear additional benefit to data subjects”.

That said, some of those polled by ICSA found good things to say. GDPR has prompted “much more awareness of data issues”; it has forced the improvement of procedures; databases have been culled; it has promoted a greater understanding of data security; and has given lawyers a greater role in monitoring compliance. As ever, lawyers do well.

According to Peter Swabey, ICSA’s director of policy and research, companies have experienced both upsides and downside to GDPR, but he warns there is more to come.

“While GDPR has concentrated people’s minds on personal data, it a continuing obligation whose burden is yet to be fully felt.” Bad news for those who have seen no benefits.

‘Fundamental privacy rights’

Burden or not, GDPR is already having an impact on those companies who fall foul of data protection rules.

Indeed, in recent weeks the Information Commissioner’s Office (ICO), the UK’s data regulator, has announced its intention to impose huge fines on companies who appear to have got it wrong. Indeed, British Airways (BA) is in the process of appealing an eye-watering fine of £183m, while the hotel group Marriott International faces a fine of £99m—both for GDPR-related issues.

In BA’s case the fine comes after cybercriminals diverted the personal information of half a million customers to a false website where it was harvested.

Information Commissioner Elizabeth Dunham said at the time the fine was announced: “People’s personal data is just that—personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear—when you are entrusted with personal data you must look after it.

“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

In Marriott’s case 339 million guest records were “exposed” in a cyber-attack. The records included 30 million from people the European Economic Area, and seven million UK residents.

In its annual report, the ICO said GDPR’s introduction had been the “biggest moment” of the year and saw “people wake up to the potential of their personal data”. Data protection complaints to the ICO doubled between 2017–18 and 2018–19.

Facing a big GDPR fine is clearly now a significant regulatory and reputational risk. And there is no sign that the EU will relent. In a speech in July, Vera Jourova, the European commissioner for justice, revealed much enthusiasm for GDPR in Brussels, saying that one year after the introduction of GDPR, “data protection finally matters”, with the EU having “entered a digital era on a strong footing” and GDPR promoting data flows “based on high standards”.

SMEs will receive more EU support to understand the requirements of GDPR, but data protection rules around the world will only become tighter.

“Finally, on the international stage GDPR has become a reference point of a modern and high digital standard,” Jourova said. “More and more countries in Asia, Latin America or Africa are adopting new laws or changing their existing ones and are taking the GDPR as a reference point. This is a true example of the EU as a rule maker and a standard setter.”

Like it or not we live and work in a digital age. If companies want to use data to build businesses they will have to come to terms with laws to protect it. Best to find out where the value is in those rules.

The post GDPR: data protection rules seen as ‘burdensome’ one year on appeared first on Board Agenda.

From:: GDPR: data protection rules seen as ‘burdensome’ one year on

Ransomware attacks: what to do when the worst happens

By Gavin Hinks

ransomware, Ryuk ransom note

It can cause bankruptcy and feel like a “violation”: Ransomware attacks are on the rise, enabling cybercriminals around the globe to extort vast sums of money from businesses while indiscriminately threatening their very existence.

The danger was recently thrown into sharp relief when reports emerged that the Brussels-based police forensic services provider Eurofins Scientific had paid a “huge ransom” of “hundreds of thousands of pounds,” to regain access to computer systems after criminals gained access to their networks. And this was after the involvement of intelligence agencies.

Ransomware also hit the headlines recently when music giants Radiohead were targeted. Criminals gained access to unpublished music archives and threatened to make them public unless the band paid up. Never ones to be intimidated, the band countered by simply making the tracks public themselves, thus removing the extortionist’s leverage.

On that occasion the extortionists miscalculated. Most victims, however, will not have the same advantage and a ransomware event becomes a nerve shredding process for managers as they weigh costs against potential disaster.

Managers at Eurofins could be forgiven for feeling outraged. Those who have seen the effects of ransomware attacks first hand have witnessed the damage it can do to companies and the individuals involved.

“You talk to people who have had their house broken into and you see that similar reaction in many ways in corporate executives… that they have had their company, their possessions, violated by a third party”

—Mark Deem, Cooley

According to Mark Deem, a partner and IT specialist with law firm Cooley, the distress is real. “You talk to some people who have had their house unfortunately broken into and you see that similar reaction in many ways in corporate executives… that they somehow have their company, their possessions, violated by a third party.”

The precise ransom payment by Eurofins remains unconfirmed, but the scale cited in reports would not be surprising. Local government organisations in the US have made public ransoms of up to half a million dollars.

These developments come as the number of ransomware attacks is expanding while, anecdotally, experts say the size of ransom demands is rising. While the targets used to be small and medium-sized companies, large corporations are beginning to find themselves in the cybercriminals’ crosshairs. That makes coming to terms with the possibility of an attack acutely important for IT departments and boards—non-executive and executives alike—concerned with the risk profile of their companies, their reputations and the survival of their businesses.

The most frequently publicised advice is straightforward: back up computer systems and ensure the backups are protected from cyber-intrusion and infection from ransomware. The less well illuminated area is what happens after an attack has begun. Moreover, how does a board reach the conclusion that a ransom payment is the only way forward, and what are the risks involved with that decision?

Growth industry

Ransomware is being taken seriously not only because of the risks to business, which are potentially lethal, but also because of the increasing scale of the problem.

The global cost of ransomware attacks has been estimated to be $20bn by 2021 in ransom payments and lost business, making it the fastest growing form of cybercrime. Databarracks, a firm of IT disaster recovery experts, estimates 28% of companies will be hit by an attack in 2019, up from 16% three years ago.

When Verizon Enterprise Solutions published its 2019 annual security report examining 41,000 IT security incidents, it found that 70% were aimed at financial gain and ransomware was the second most frequent “malware action” by criminals, behind “command and control” attacks sometimes to steal data. Verizon’s report says security specialists have “not learned” their lesson about ransomware and it remains “a major issue for organisations”. Things may be growing worse.

What is ransomware?

Image: Shutterstock

Ransomware is software (malware) used by criminals to either lock up or encrypt data owned by a target organisation. Ransomware doesn’t need to actually steal data to be successful as a method of extortion—it merely has to make it inaccessible or useless.

The first unexpected sign of peril often comes when workers log on in the morning to find a pop-up window on their screens (see photo) suggesting that data has been encrypted or locked away, that doing anything about it might damage or destroy the data and the only course of action remaining is to pay the cybercriminals large sums, usually in Bitcoin, to receive the decryption key.

Mark Deem describes ransomware attacks as typically coming in three levels of severity: First, entry level attacks consisting of nothing more than a pop-up window attempting to trick computer users into making payments. The cyber-intrusion goes little further than placing the window on screens with no real damage to the integrity of data.

The next level sees criminals “lock up” data making it impossible to access. “Like someone putting their padlock on your gym locker,” says Deem. The data is in situ and likely undamaged.

The most serious level is what has become known as the “cryptolocker” style of attack. Not only is the data locked up but it is also encrypted so it is no longer usable by the company and its employees.

“There are only two ways to recover from ransomware attacks—to restore the data from backups or to pay the ransom”

—Peter Groucutt, Databarracks

It is a chilling moment. The criminals can’t be traced, their identities remain a mystery and the threat to the company can be existential. In addition, ransomware can bring with it a sense of helplessness because the criminals will frequently use customised malware unused anywhere else before. It is, unfortunately, open to very few remedies. According to Peter Groucutt, managing director of IT security firm Databarracks: “There are only two ways to recover from ransomware attacks—to restore the data from backups or to pay the ransom.

“You might get lucky and find that a decryption tool [key] has been created for your particular type of ransomware, but don’t count on it.”

Bill Siegel, chief executive and founder of New York-based security specialists Coveware, agrees: “By and large it’s not an option to crack the code.”

This inevitably means engaging with the attackers. Internal IT teams are likely to find themselves ill-equipped to deal with the technical demands made by an attack. The orthodox advice is for companies to seek out a reputable incident response company to advise and conduct the communications.

That done, many advisers suggest a “dual path” once dealing with a ransom demand: scope out the potential for restoration of data from backups or other sources, while at the same time beginning communication with the criminals. If one process goes wrong a victim company can fall back on the other without having to start from scratch, says Bill Siegel.

Scoping the project is a critical step. Restoring data could be painfully expensive. Building a picture of what data sources are left to work with (one option is the use of emails saved locally on individual machines), and the way it might be restored, can give a fairly good estimate of how much it might cost. That can then be compared with the price tag criminals have placed on releasing and decrypting computer files.

Legal consequences

There is also another set of factors to consider before signing off on payments to the criminals: the legal consequences. There is no legal prohibition against paying a ransom. It comes down to a judgement involving the criminal and the victim. But there are legal implications to consider as a result of a ransomware attacks that may play a part in deciding whether to give in to demands.

According to Mark Deem, data inaccessible due to ransomware could mean failing to deliver promised work or services. That could place victims in the position of being in breach of contract. From a business position that could also mean losing commercial relationships, another considerable cost. Though it is possible, depending on the terms of a contract, that a cyber-attack could give a company a valid defence. That, however, would need to be established through a review of contracts.

It is also worth considering that an attack is likely to cast a shadow over the reputation of a company over time, even if resolved. According to Deem, in the event of a significant deal, such as a merger or acquisition, the details of the attack and the remedies undertaken post-resolution would need to be disclosed.

Some victims may find themselves with with very particular risks and potential liabilities. Steven Windle says hospitals could face the appalling risk of causing death if they fail to pay up.

Major regulatory implications also present a risk. An attack could place a company in contravention of GDPR (General Data Protection Regulation). This grim outcome results if the subjects of personal details held on computer systems held by a company cannot access that information. “If you hold that personal information, and you’re effectively denying the data subject access to it, that is a potential breach,” says Deem.

This, he says, is a critical issue. Many companies have done their homework and prepared for compliance with the demands of GDPR. But cybercrime holds a bigger threat.

“With organisations’ intensive focus on GDPR and especially personal data leading up to 25 May 2018, there may now be a less heightened state of awareness of the potential damage which could be caused by a cyber-attack, which strikes at the heart of their IT network and may well extend beyond purely personal data,” says Deem.

If a company does move to paying a ransom demand, there is one last chilling implication to consider: the possibility of terrorism.

Although a ransom payment is not illegal in itself, if a payment is made and it ends up with a terrorist organisation a company could be in contravention of Section 17 of the Terrorism Act.

“To the extent that you can,” says Deem, a company and its board have to assure themselves there are no indications of terrorism in the ransomware attack, a process that can be fraught with uncertainties given the murky way attackers communicate and obscure their identities.

Keeping the authorities informed and updated on the developing negotiations is one way of building a defence should there be allegations relating to terrorism later.

Paying up after ransomware attacks

cybercrime, cybersecurity, data security

Image: Shutterstock

The early stages of an attack and communication with the attackers is an important moment to assess the attackers’ objectives. Steven Windle, Accenture’s cyber investigations and forensic response lead in Latin America and Europe, says an attacker’s motive may be financial, but it may not. It could just be about destruction.

“It’s important to understand the objective as this will determine whether the attacker is serious about returning the data,” he says.

Once the decision to pay is made, there is broad agreement that a specialist should take over the process of communication with the criminals. Contact can take place at odd times of the day and, though often by email, can also involve messages across the Dark Web on so-called Tor sites, shadowy outposts on the internet that allow untraceable and anonymised communication between parties. The Tor site could also be the location for virtual wallets where victims will send their Bitcoin ransom payments.

Specialists also come to know the attackers over time by monitoring the tech they use and their favoured patterns of communication and behaviour. Bill Siegel estimates that fewer than 100 groups are responsible for the majority of global ransomware attacks. Knowing the group’s modus operandi and past history can help experts gauge how a negotiation is likely to play out. That, in turn, helps with the comparison against restoration costs.

“You’re being targeted by an industry and your data is the method by which they monetise their business. And it is a large industry, highly specialised and globally distributed”

—Bill Siegel, Coveware

Once contact is made there comes a crucial moment in the process that helps assure negotiators that the cybercriminals can do what they claim: the “proof of concept”.

This is the equivalent to the “proof of life” moment in a kidnapping scenario. With proof of concept, the attackers prove they can decrypt sample files sent to them by the victim company’s advisors. This proves they have the means to decode the missing data, though at that stage it may not give a full picture of how much is recoverable post-decryption. Siegel warns that companies should consider they are dealing with highly sophisticated operators, whose businesses centre on the internet and data aggregation.

“You’re not being targeted even by a group,” says Siegel, “you’re being targeted by an industry and your data is the method by which they monetise their business. And it is a large industry, highly specialised and globally distributed. It has a specialised means of communication, logistics, coordinating, trading, cash movement, clearing and settlement of goods and services: It has all the hallmarks of an industry.”

It is the stuff of business nightmares. There is broad agreement that settling with cybercriminals should be avoided, if at all possible.

Peter Groucutt makes the point emphatically: “Paying ransomware should absolutely not be the first choice. Paying ransomware encourages more of the activity and funds further cybercrime. It should only be entertained if it is not possible to recover from backups.”

That said, it has become inevitable for many companies. Digitisation of business has expanded the number of potential targets and given the criminals greater leverage. That places a premium on being prepared.

According to Steven Windle: “An organisation should have an incident response plan prepared for a ransomware attack and practice it by running through various simulated scenarios.”

This sort of exercise will give companies an idea of the right personnel to be involved from the beginning. Windle says this could vary depending on the sector a business is in (see box below for considerations).

Bill Siegel says there is a growing recognition that corporate incident response plans should include the possibility of paying a ransom. That’s depressing news. But boards should prepare. Business who fail to do so could pay the ultimate price.

“For the victims it’s incredibly stressful,” says Siegel. “You picture a company where people went into the office expecting a normal day and then they realise the gravity of the situation, some of them realise the company could fail. And we’ve seen it. We’ve had to handle cases where the end result was bankruptcy.” That should be a warning to everyone.

Considerations for managing ransomware attacks

By Steven Windle, Accenture

  • The security team (incident response) should be involved to run the investigation, identify, understand, contain, and eradicate the problem. If a company lacks internal resources, or is overwhelmed by the scale of attack, an external IR provider may need to be brought in. The benefit of this is not just deep technical expertise, but also extensive experience of dealing with ransomware cases across various industries.
  • An IT manager is required if it is determined that workstations or endpoints must be rebuilt, rather than restored, and to validate with critical systems and whether they have been impacted and if there are any backups.
  • The board should be involved from a strategic and crisis management perspective.
  • Depending on the scale of infection, involvement of multiple business units may be necessary: HR, Legal, Health & Safety. For example, legal needs to be involved if PII has been exposed, communications may need to be involved to handle reputational damage and interaction with media.

The post Ransomware attacks: what to do when the worst happens appeared first on Board Agenda.

From:: Ransomware attacks: what to do when the worst happens

APRA’s latest attempt to rein in bank bosses’ bonuses may just create new problems

By Andrew Robertson

Shamed by the banking royal commission and slammed by a recent review, the finance sector regulator has its sights set on bonusses for bank bosses but might just be playing “whack-a-mole” rather than ensuring customers get a fair deal, writes Andrew Robertson.

From:: APRA’s latest attempt to rein in bank bosses’ bonuses may just create new problems

Imbalance of power: loyalty shares threaten ‘one share, one vote’

By Marion Plouhinec

scales, balance

One share, one vote. It’s a compelling premise for corporate governance, but it is being eroded by developments around the world, including in Europe. At LGIM, we are actively working to push back for equality.

If you bought one share in a company that had issued 100 shares, you would reasonably expect to control 1% of the voting rights in that company. If you bought more shares, you would also hope that your voting rights would increase correspondingly.

This, however, is increasingly not the case across Europe. One reason for this is the rise of so-called loyalty shares, which generally give their holders double or multiple voting rights. Such mechanisms already exist in France, Italy and the Netherlands. Belgium also recently introduced legislation on loyalty voting shares, and now Spain is seeking to do same.

Loyalty shares effectively create an imbalance of power among shareholders and are therefore problematic for minority shareholders

There are several different ways to implement loyalty shares. In France, the 2014 Florange law facilitates the automatic award of double voting rights to shareholders who have held company shares for at least two years, unless the company and a two-thirds supermajority of shareholders are opposed (“opt-out”).

Italy has enacted a similar system, in which companies need the approval of two-thirds of shareholder votes to adopt loyalty shares in their articles of association (“opt-in”; with simple majority for six months after introduction of the law).

Overall, we find that they effectively create an imbalance of power among shareholders and are therefore problematic for minority shareholders.

Fair and equal treatment

LGIM supports the principle of “one share, one vote” whereby each investor is treated in an equitable manner. We believe this embeds the fair and equal treatment of all shareholders by allocating control in direct proportion to the level of economic interest and exposure to risk.

We support the International Corporate Governance Network’s recent push against the introduction of double voting rights legislation in Spain.

There are several lessons that we have learnt so far from the experiences of France and Italy. Firstly, double voting rights can reinforce the entrenchment of family and government holdings. Recent research on the French market highlights that “mandating double voting rights reinforces insiders’ entrenchment”. Similarly, in the Italian market “the adoption of tenured voting coupled with a tradition of ownership concentration sharply empowers controlling shareholders”. This is a key issue and appears even more problematic given that many companies in the concerned markets already tend to have significant government and family-owned shareholders.

Double voting rights can reinforce the entrenchment of family and government holdings

Awarding these long-term investors double voting rights allows them to reinforce their influence over companies through voting power without having to increase their shareholdings. This is at the expense of other long-term minority shareholders such as LGIM, who in general already find it difficult to weigh in conversations with companies with a significant family or government shareholder.

Secondly, loyalty shares do not necessarily mean more long-termism. One of the main reasons put forward by legislators in favour of double voting rights is the fear of short-termism in financial markets. Research on the French market would suggest that loyalty voting shares do not in fact lead to more loyal shareholders. It actually found there was no significant difference in the average holding periods between firms with loyalty voting shares and firms without before and after the Florange law.

Thirdly, the system is not rewarded by the market. Research also finds that the market reacts positively to successful opt-out votes when it comes to loyalty shares. Those who failed to reject double voting rights, on the other hand, tend to deter foreign ownership and, as a consequence, increase their cost of capital .

As a large and long-term investor, LGIM believes that the equal treatment of shareholders by allocating control of a company in proportion to their economic interest is vital for a well-functioning market. Voting rights are a fundamental characteristic of equity capital. They are the central mechanism through which shareholders exercise their ownership rights and underpin investor stewardship.

Loyalty shares further afield

The weakening of the “one share, one vote” principle is not limited to Europe. US tech companies, typically those with a founder-led culture, are a prime example. Snap Inc, for instance, does not grant any voting rights to its public shareholders. It is worth noting that Snap is not included in many popular equity indices; this is something that institutional investors, including LGIM, publicly advocated.

Nonetheless, we still observe that an increasing number of index providers are relaxing their rules to remain competitive and attract those companies who do not apply the “one share, one vote” principle, at the expense of minority shareholders. As a long-term investor who works to protect our clients’ interests, we will continue to push for one share, one vote.

Marion Plouhinec is a corporate governance analyst at LGIM.

The post Imbalance of power: loyalty shares threaten ‘one share, one vote’ appeared first on Board Agenda.

From:: Imbalance of power: loyalty shares threaten ‘one share, one vote’

Top proxy advisers sign up to new code of practice

By Gavin Hinks

stocks, asset management, shares, investor engagement

Proxy advisors this week took an important toward demonstrating they have heard recent criticism as some of the largest became signatories to a new code of best practice.

Complaints about proxy advisers—consultancies that advise shareholders how to vote on resolutions at annual general meetings—has been under way for some time, especially in the US where the debate has been vociferous and seen calls for major regulatory change.

This week, the biggest firms—Glass Lewis, ISS and Manifest, along with Proxinvest and Pirc—agreed to abide by new principles that sees them reveal policies for how to deal with potential conflicts of interest.

Criticism has been levelled at proxy advisers because they provide services to both investors and to listed companies on how to please investors.

The new principles come as the result of a two-year review by the Best Practice Principles for Shareholder Voting Research and Analysis Group (BPPG) to update guidelines first published in 2014.

Danielle Melis, chair of the BPPG’s review, said signatories had worked on a voluntary basis to develop the new principles.

“They respected investor as well as issuer concerns, as well as difference in various service provider models, notwithstanding being competitors in their respective markets, in order to promote the integrity and efficiency of shareholder voting research services, which play an important role in investors exercising their stewardship rights and responsibilities effectively.”

The new agreement will see an oversight committee created to review the compliance statements of proxy advisers, as well as the principles themselves.

The committee could also sanction signatories who fail to comply with the principles.

The revised principles follow a report from the European Securities and Markets Authority. The EU’s Shareholder Rights Directive already calls on proxy advisers to disclose their process and report publicly on any code of conduct they apply.

Calls for regulation

Proxy advisers are the subject of major lobbying campaigns in Washington where academics, public company CEOs and lawmakers have argued over the need for regulation.

The calls stem not only from concerns about conflicts of interest but also because the dominant advisers stand accused of encouraging “robo-voting”—automatic voting by asset managers without reviewing advice received from their proxies. There are also concerns in the US that proxies have risen to the position of quasi-regulators without any regulatory powers or public accountability.

The Securities and Exchange Commission—the US financial watchdog—is said to be considering new regulation that forces proxy advisers to be more transparent about the processes used to develop advice.

An influential paper by three Stanford professors published in 2018 has formed the core of arguments for new regulation of proxy advisors. Their recommendations include:

  • Improvements to the reliability of recommendations
  • Reliability testing of proxy advice
  • Past recommendation data should be provided for third-party evaluation
  • An increase in transparency about their models and guideline development
  • Development of mechanisms for incorporating market feedback on models and guidelines
  • Disclosure of commercial relationships with issuers
  • Introduction of an explicit fiduciary-duty standard.

The professors said of proxy advisers that there was “little empirical evidence to suggest that their voting recommendations lead to improved future value for shareholders”.

However, there are some who argue that current calls for change have been driven by those who believe proxy advisers have pushed companies too hard to include environmental and social issues among their corporate responsibilities. Regulation is viewed as a way of slowing the rise of ESG as a central corporate concern.

There is momentum behind mandatory regulation in the US. Though the new principles are intended to have “global” application they are unlikely to halt the introduction of new rules by regulators. Proxy advisors have entered a new era.

The post Top proxy advisers sign up to new code of practice appeared first on Board Agenda.

From:: Top proxy advisers sign up to new code of practice