Mapping Cyber-Protections to Regulatory Requirements for Fintech

Transcription

1 SESSION ID: PGR-R03 Mapping Cyber-Protections to Regulatory Requirements for Fintech Jonathan Fairtlough Managing Director Kroll, Cyber Security & Investigations Paul Haswell Partner Pinsent Masons, Risk Advisory Services, TMT Practice

2 Global Financial Cyber Security Regulations NIST NYC DFS Cyber Security regulations FFIEC assessment tool Personal Data Protection Ordinance (PDPO) Cyber Security Fortification Initiative (CSI) EU Directive 95/46/EC Data Protection Act EU General Data Protection Regulation 2016/679 (GDPR) Data Protection Law (DIFC) Personal Data Protection Act (PDPA) MAS Technology Risk Management Guidelines ABS Pen Test Guidelines

3 The Statutory Progression Dubai DIFC Law No.1 of 2007 US Gramm Leach Bliley Act (GLBA) Dubai DIFC Law No.5 of 2012 New York (DFS) Cybersecurity Regulations EU-95/46/EC Data Protection Directive Singapore Personal Data Protection Act EU General Data Protection Regulation

4 Security of Personal Data Hong Kong Ensure all practical steps are taken to ensure personal data is protected If data processor is used, adopt contractual or other means to protect data

5 Commonalities and Differences Protect Data Best Practices top 20 Leverage a Framework Access Controls Data segregation Encryption Engage in Testing Implement Incident Response Capability Data Classification What is covered under the statute Data Localization Where data can reside Notification Rules How and who you notify of a breach

6 Keeping Data Secure USA-New York DPS 23 NYCRR A regulated entity s cybersecurity program must ensure the safety and soundness of the institution and protect its customers HK- DPO Principle 4 The data user must to take all practicable steps to protect the personal data held by it against unauthorised or accidental access, processing, erasure, loss or use. GDPR Article 32, section 1 (d) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Singapore PDPA Sec III, 2 An organisation is responsible for personal data in its possession or under its control DIFC Data Protection law 16, 1 The Data Controller shall implement appropriate technical and organisational measures to protect Personal Data against wilful, negligent, accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing

7 Security of Processing Personal Data - GDPR Article 32 The controller and the processor shall implement appropriate technical and organisational measures pseudonymisation and encryption of personal data confidentiality, integrity, availability and resilience of processing systems and services ability to restore availability and access to personal data process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures

8 Six Core Functions of Cyber Security Program 01 Identify & Assess 02 Defend 03 Detect 06 Report 05 Recover 04 Respond

9 What Constitutes Reasonable Security The 20 Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization s environment constitutes a lack of reasonable security. California Data Breach Report (Feb 2016) Attorney Gen. Kamala D. Harris

10 Top 20 Critical Security Controls 1 Asset Inventory 2 Software Inventory 3 Secure Hardware & Software Configurations 4 Continuous Vulnerability Assessment and Remediation 5 Controlled Use of Admin Privileges 6 Maintenance, Monitoring and Analysis of Audit Logs 7 and Web Browser Protections 8 Malware Defenses 9 Limitation and Control of Network Ports, Protocols & Services 10 Data Recovery Capability 11 Secure Network Configurations 12 Boundary Defense 13 Data Protection 14 Controlled Access Based on Need to Know 15 Wireless Access Control 16 Account Monitoring and Control 17 Security Skills Assessment and Training 18 Application Software Security 19 Incident Response and Management 20 Penetration Tests and Red Team Exercises

11 RESPOND Leverage a Framework DETECT

12 Requirements: Conduct Pen Tests Pen testing All New offerings Specific testing standards CREST standards common Cybersecurity Fortification Initiative (CFI) MAS TRM Guidelines ABS Pen Test Guidelines Vulnerability Assessments GDPR Art 4 32 (d) Maturity Assessments NY DPS 23 NYCRR FFIEC Cybersecurity Assessment Tool

13 Requirements: Robust Incident Response Requirements: Detect Incident Response capability Have detection and monitoring in place CISC critical security controls Respond Incident response team in place Response to block attack Remediate/ Restore US NY DPS0 500 UK- GDPR (b) and (c) MAS TRM Guidelines 7.3

14 Commonalities and Differences Protect Data Best Practices top 20 Leverage a Framework Access Controls Data segregation Encryption Engage in Testing Implement Incident Response Capability Data Classification What is covered under the statute Data Localization Where data can reside Notification Rules How and who you notify of a breach

15 Differences: Notification Mandatory notification to regulatory and consumer within 30 days of breach GDPR- within 72 hours to competent authority Within 1 hour of breach to MAS No mandatory consumer notification

16 Differences: Data Transfer Data transfer rules are dependent on standards of other locations and the limits placed locally

17 Contacts Jonathan Fairtlough Managing Director, Kroll Cyber Security Investigations 555 S. Flower St, Suite 610 Los Angeles, CA O: +1(213) C: +1 (213) E: Paul Haswell Partner, Pinsent Masons, Risk Advisory Services, TMT Practice 18 Harbour Road, Level 50 Wan Chai, Hong Kong O: C: E: