Cyber Crime Seminar 8 December 2015


Cyber Crime Seminar: Cyber Security & Financial Services in a changing regulatory landscape
John Salmon, Partner, Head of Financial Services Sector, Pinsent Masons LLP
@uktisa
8 December 2015

Overall impact: key considerations
- Operations
- Reputation
- Profitability
- Broader than data protection compliance
- Other regulatory issues: IP theft, confidential information, wider regulatory framework, financial crime, fraud, intelligence sharing requirements, financial stability

The wider picture
- Regulators
- Compliance framework
- Risk management
- Incident response

Who are the regulators? (role, regulation, guidance, sanctions, certification)
- Central bank / prudential authority: BoE / PRA
- Conduct regulator: FCA
- Data protection regulator: ICO
- Network and information security regulator? (ENISA)
- Payment services regulator? (EBA, ECB)

Compliance framework
- PRA: resilience focus; CBEST testing regime
- FCA: process and controls, supply chain focus; SYSC, PRIN, Listing Principles, FCA Financial Crime guide
- ICO: organisational and technical measures, supply chain focus; DPA, ICO guides, Cyber Essentials, ISO standards
- ENISA: NIS in the finance sector recommendations

The PRA and compliance
PRA focus: cyber resilience effectiveness
- Cyber resilience questionnaire of August 2015, to be signed off at board level for the UK regulated entity
- Firewalls and intrusion detection systems are no longer enough
- Cyber resilience is about the management rather than the elimination of cyber risk

Resilience assessment
- Governance and leadership
- Identify
- Protect
- Detect
- Respond & Recover

The FCA and compliance
FCA focus: what constitutes compliance? FCA Rules
- SYSC 3.2.6R, 3.2.6A: systems and controls
- SYSC 6.1.1R: policies and procedures
- SUP 15.3.1R, 15.3.2G: notification, where there is a significant adverse reputational impact, or an impact on the firm's ability to continue to provide adequate services

What constitutes compliance? FCA Guidance
Examples of good practice:
- Clear figurehead
- Coordination across the business
- Effective incident response plan
- Monitors outsourcers' compliance
- Reviews staff roles regularly
- Keeps track of digital assets
Examples of poor conduct:
- Data security is treated as an IT issue
- Customers are never contacted after a breach
- A blame culture discourages staff reporting
- Unsure how suppliers protect customer data

The ICO and compliance
What constitutes compliance? DPA requirements
- 7th Principle, Schedule 1 Part I: appropriate technical and organisational measures
- 7th Principle interpretation, Schedule 1 Part II: state of the art security technology
- 7th Principle interpretation, Schedule 1 Part II: reasonable steps as to the reliability of employees

Incident response in five steps (Guidance on data security breach management, Data Protection Act)
1. Overall impact on business
2. Containment and recovery
3. Assessing the risks
4. Notification of breaches
5. Evaluation and response

Data protection reform overview
- Data breach notification regime
- Processor liability
- Greater accountability & sanctions

Notification regime
- Regulatory notification: without undue delay, or within 72 hours; high-risk breaches only?
- Notifying customers: only where the breach would adversely affect the customer (Commission / Parliament) or result in a high risk for customers (Council); without undue delay (agreed); not required where appropriate security is in place

Data protection reform: proposed enhanced sanctions
- Subject access request failures
- Other compliance failures: 4%
- Depends on: size of organisation; nature, gravity and previous breaches; intentional or negligent; technical and organisational measures; co-operation with the ICO

The NIS regulator
NIS Directive reform overview: Article 14, systems and controls
- Detect and manage: proportionate technical and organisational measures; state of the art technology; ensure a level of security appropriate to the risk presented
- Core services: minimise the impact, ensure continuity

NIS Directive reform overview: Article 14, notification
- Notify without undue delay incidents having a significant impact on the continuity of core services
- Significant incidents: number of users affected, duration, geographic spread, publicity
- The regulator may inform the public; the possibility to be heard before notifying the public

Conclusions
- Regulators: awareness of relevant regulators; understanding the compliance framework
- Compliance framework: clear leadership; internal regulatory compliance coordination (data protection, AML, fraud detection, others); technical compliance
- Risk management: due diligence; processes and controls; monitoring and management, including supply chain; testing and audits; insurance
- Incident response: overall impact on business; containment and recovery; notification of breaches; evaluation and response

Pinsent Masons LLP is a limited liability partnership registered in England & Wales (registered number: OC333653) authorised and regulated by the Solicitors Regulation Authority, and by the appropriate regulatory body in the other jurisdictions in which it operates. The word "partner", used in relation to the LLP, refers to a member of the LLP or an employee or consultant of the LLP or any affiliated firm of equivalent standing. A list of the members of the LLP, and of those non-members who are designated as partners, is displayed at the LLP's registered office: 30 Crown Place, London EC2A 4ES, United Kingdom. We use 'Pinsent Masons' to refer to Pinsent Masons LLP, its subsidiaries and any affiliates which it or its partners operate as separate businesses for regulatory or other reasons. Reference to 'Pinsent Masons' is to Pinsent Masons LLP and/or one or more of those subsidiaries or affiliates as the context requires. Pinsent Masons LLP 2014. For a full list of our locations around the globe please visit our websites: www.pinsentmasons.com and www.out-law.com