Cyber Crime Seminar
Cyber Security & Financial Services in a changing regulatory landscape
John Salmon, Partner, Head of Financial Services Sector, Pinsent Masons LLP (@uktisa)
8 December 2015
Overall impact: key considerations
Cyber security is broader than data protection compliance. It affects operations, reputation and profitability, and raises other regulatory issues:
- IP theft
- Confidential information
- Wider regulatory framework
- Financial crime and fraud
- Intelligence sharing requirements
- Financial stability

The wider picture
- Regulators
- Compliance framework
- Risk management
- Incident response
Who are the regulators?
- Central bank / prudential authority: BoE / PRA
- Conduct regulator: FCA
- Data protection regulator: ICO
- Network and information security regulator? (ENISA)
- Payment services regulator? (EBA, ECB)
Each regulator's role spans regulation, guidance, sanctions and certification.

Compliance framework
- PRA: resilience focus; CBEST testing regime
- FCA: process and controls, supply chain focus; SYSC, PRIN, Listing Principles, FCA Financial Crime Guide
- ICO: organisational and technical measures, supply chain focus; DPA, ICO guides, Cyber Essentials, ISO standards
- ENISA: NIS in the finance sector recommendations
The PRA and compliance
PRA focus: cyber resilience and effectiveness.
- Cyber resilience questionnaire of August 2015, to be signed off at board level for the UK regulated entity.
- Firewalls and intrusion detection systems are no longer enough.
- Cyber resilience is about the management, rather than the elimination, of cyber risk.
Resilience assessment
- Governance and leadership
- Identify
- Protect
- Detect
- Respond & Recover
The FCA and compliance
FCA focus: what constitutes compliance? The relevant FCA Rules are:
- SYSC 3.2.6R, 3.2.6A: systems and controls
- SYSC 6.1.1R: policies and procedures
- SUP 15.3.1R, 15.3.2G: notification to the FCA where an incident has a significant adverse impact on the firm's reputation, or on the firm's ability to continue to provide adequate services
What constitutes compliance? FCA Guidance

Examples of good practice:
- Clear figurehead for data security
- Coordination across the business
- Effective incident response plan
- Monitors outsourcers' compliance
- Reviews staff roles regularly
- Keeps track of digital assets

Examples of poor conduct:
- Data security is treated as an IT issue
- Customers are never contacted after a breach
- A blame culture discourages staff reporting
- Unsure how suppliers protect customer data
The ICO and compliance
What constitutes compliance? DPA requirements:
- 7th Principle (Schedule 1 Part I): appropriate technical and organisational measures
- 7th Principle interpretation (Schedule 1 Part II): state of the art security technology
- 7th Principle interpretation (Schedule 1 Part II): reasonable steps to ensure the reliability of employees
Incident response in five steps (ICO guidance on data security breach management under the Data Protection Act)
1. Overall impact on business
2. Containment and recovery
3. Assessing the risks
4. Notification of breaches
5. Evaluation and response

Data protection reform overview
- Data breach notification regime
- Processor liability
- Greater accountability & sanctions
Notification regime
Regulatory notification:
- Without undue delay OR within 72 hours (positions still under negotiation)
- High-risk breaches only?
Notifying customers:
- Only where the breach would adversely affect the customer (Commission / Parliament) OR result in a high risk for customers (Council)
- "Without undue delay" has been agreed
- Not required where appropriate security measures are in place

Data protection reform: proposed enhanced sanctions
- Subject access request failures
- Other compliance failures: up to 4%
The level of sanction depends on:
- Size of organisation
- Nature, gravity and previous breaches
- Whether the breach was intentional or negligent
- Technical and organisational measures in place
- Co-operation with the ICO
The NIS regulator
NIS Directive reform overview: Article 14, systems and controls
- Proportionate technical and organisational measures to detect and manage risks
- State of the art technology, ensuring a level of security appropriate to the risk presented
- Core services: minimise the impact of incidents and ensure continuity
NIS Directive reform overview: Article 14, notification
- Notify without undue delay incidents having a significant impact on the continuity of core services
- Significance is judged by the number of users affected, duration, geographic spread and publicity
- The regulator may inform the public, with the possibility for the operator to be heard before the public is notified

Conclusions
Regulators:
- Awareness of the relevant regulators
- Understanding the compliance framework
Compliance framework:
- Clear leadership
- Internal regulatory compliance coordination: data protection, AML, fraud detection, others
- Technical compliance
Risk management:
- Due diligence
- Processes and controls
- Monitoring and management, including the supply chain
- Testing and audits
- Insurance
Incident response:
- Overall impact on business
- Containment and recovery
- Notification of breaches
- Evaluation and response
Pinsent Masons LLP is a limited liability partnership registered in England & Wales (registered number: OC333653) authorised and regulated by the Solicitors Regulation Authority, and by the appropriate regulatory body in the other jurisdictions in which it operates. The word "partner", used in relation to the LLP, refers to a member of the LLP or an employee or consultant of the LLP or any affiliated firm of equivalent standing. A list of the members of the LLP, and of those non-members who are designated as partners, is displayed at the LLP's registered office: 30 Crown Place, London EC2A 4ES, United Kingdom. We use "Pinsent Masons" to refer to Pinsent Masons LLP, its subsidiaries and any affiliates which it or its partners operate as separate businesses for regulatory or other reasons. Reference to "Pinsent Masons" is to Pinsent Masons LLP and/or one or more of those subsidiaries or affiliates as the context requires. Pinsent Masons LLP 2014. For a full list of our locations around the globe please visit our websites: www.pinsentmasons.com and www.out-law.com