Howden/RPC Cyber and Data Protection Conference


  • Howden/RPC Cyber and Data Protection Conference Post conference guidance

    15th November 2017

  • Contents

    Section 1 KPMG – Gauging Cyber Risk 3

    Section 2 KPMG – Securing the Digital Enterprise 11

    Section 3 RPC – General Data Protection Regulation 42

    Section 4 Data Protection – Lessons from Across the Pond 54

    Section 5 GDPR and the Right to Erasure 57

    Section 6 Storm Guidance – Mitigating the Impact of a Cyber Incident 61

    Section 7 Cyber Liability Protection and Mitigation Insurance 85

    Section 8 Why buy Cyber Liability Cover? 89

    Contacts 92

  • Section 1

    KPMG – Gauging Cyber Risk

  • Gauging cyber risk – David Ferbrache OBE

  • © KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a

    Swiss entity. All rights reserved.


  • A CONVENTIONAL VIEW OF RISK

    (Slide: a chart of impact against likelihood, ranging from ‘Bad’ to ‘OK ish’ on a likelihood scale of 1:1 to 1:100, annotated with the factors Aggregation, Agile, Digital, Adversarial and Cascade.)


  • A VIEW FROM THE CYBER CRIMINAL


  • THEIR RISK CALCULUS?


  • Section 2

    KPMG – Securing the Digital Enterprise

  • Whitepaper | Securing the digital enterprise

    Securing the digital enterprise: The cyber security journey – from denial to opportunity

  • Foreword

    Businesses have every reason to be concerned about the rising threat level facing organisations today; rarely a week goes by without security hitting the headlines around the world.

    Most recently WannaCry and Petya renewed our focus on cyber security. Threats do not necessarily require technologically advanced tools, but may be very damaging by simply exploiting known weaknesses.

    Organisations who will be able to defend themselves more successfully during a significant attack will be those that treat cyber security as a journey and not a destination – it cannot be ‘fixed’. By focusing on innovation, they can maintain a sustainable risk position against the evolving threat landscape.

    With cyber security being the cornerstone for most businesses’ digital innovation, the role of the Chief Information Security Officer (CISO) is central to all this, but their role is changing from being technology-led to business-led.

    Which begs the question: can the CISO lead the way in terms of changing an organisation’s culture to embed security? Is their role to enable a digital business?

    Together, BT and KPMG have developed this paper based on their experience with organisations they work with. It will hopefully provide a practical guide to those organisations that are on their journey to use security as a business enabler as well as a useful checklist for those who are already on their journey.

    Brian T Geffert, Global Chief Information Security Officer, KPMG and Mark Hughes, President, BT Security

  • Executive summary

    Cyber crime is big business, and it’s becoming more of a threat every day, as more and more people and devices connect to the internet. The chances of a business or an individual becoming a victim have never been greater. Cyber security dominates the media. State-sponsored attacks. Multi-billion dollar organised crime. And the occasional over-enthusiastic teenager.

    In our first whitepaper last year, BT and KPMG focused on how cyber crime is changing, who these ruthless criminal gangs and individuals are, and how to fight back.

    This year, we’re taking a different approach. We look at the practical steps businesses go through on their journey towards managing the risks.

    This is a real risk

    In July 2016, the UK’s National Crime Unit found cyber crime had overtaken ‘traditional’ crime for the first time, with over two million incidents of computer misuse that year.

    There are those who criticise cyber security companies for scaremongering and exaggerating the threat to drum up business. But boards struggle to set the issue in a business context, and demystify a world of complexity.

    So, it’s time to look differently at cyber security. Move beyond the jargon and understand the real risks of the digital world.

  • Make sure you know where you are on your journey

    Trying to run before you can walk wastes energy and resources, and it makes you a target not just for cyber criminals but for over-zealous cyber security salespeople. There are five stages to the maturity journey: denial, worry, false confidence, hard lessons, and true leadership.

    At each stage, you’ll wrestle with different problems.

    (Figure: security capability plotted against the five stages – Denial, Worry, False confidence, Hard lessons, A true leader – with security breaches marked ‘Here? Here? Or here!’. Stage captions: ‘Cyber security isn’t an issue for us; it’s all hype anyway’; ‘I am worried... but not sure what to do’; ‘I have robust policies/defences... and a strong compliance function’; ‘I don’t understand how we were breached...’; ‘There is no absolute security. We need to manage risk’; ‘We can’t do this alone - we are part of the community’; ‘We need a more agile approach to match the threat’.)

    Denial – ‘It won’t happen to me’

    Cyber crime is only hype, right? It only affects large companies – banks, the defence industry, major retailers, perhaps oil and gas. But not us. Even if it is real, if large firms can’t get it right, what chance do I have?

    The hard reality is that all firms face cyber attacks. Any business is a potential target.

    But the basics help. Teaching your staff, and being aware of how criminals work, is just as important as the technology you use.

    The National Cyber Security Centre (NCSC) believes that getting the essentials right will block a significant number of attacks, and help make criminals look elsewhere for their quick profit. Things like keeping software up to date, using decent passwords, and having simple backups.

    Worry – ‘Get as much security as possible’

    You know there’s a risk. But now you’re a target for the salespeople of security firms. You buy new software, and invest in a vast array of malware detection and containment systems. But while some see technology as the cure-all, others see the answer as policies, governance and standards.

    Either way, during this phase firms begin to gain confidence in their defences. They’ve got the basics in place, and their systems are secure. They’ll be fine. After all, they’ve put in place people, processes and technology. The job is done, right?

    “Many people look at the technical issues but not the business holistically.” Paul Wood, Chief Risk & Compliance Officer, Bloomberg

    Security 101

    • Keep security software updated

    • Have a contingency plan

    • Make sure passwords are strong

    • Educate staff and refresh training regularly

    • Have up-to-date security policies in place

    • Make sure data is regularly backed up

  • False confidence – ‘We’re ready’

    But more sophisticated attacks do happen. Criminals stop hitting companies indiscriminately, and begin to target individuals. Insiders steal data and defraud employers. You’ll be shocked by what can happen, and the damage to your reputation it can cause.

    So, you relook at your policies, question your assumptions and investments, and start to translate the jargon to actually understand the risks and issues your company faces.

    Hard lessons – ‘There’s no absolute security’

    It’s not until you’ve been attacked that you realise: it’s part of business in a digital world. No system is perfect. And so, that’s when firms think more about cyber insurance – as they try and soften the blow from a more extreme attack. Talk turns to cyber scenarios. Cyber exercises. Planning for major incidents. Senior management begins to understand just what it could feel like.

    From this point, cyber defences become more responsive. They’re less about process and compliance, and more about responding to an ever-changing and adaptive threat.

    True leadership – ‘We must work together’

    True leaders think differently about security. They see cyber security as an opportunity – a business unit, not a cost centre. They assess the risk and understand how to apply scarce resources to what matters most, realising they cannot secure everything. They are involved in building new services, and tracking and monitoring their security, to continuously adapt their defences to deal with the changing threat.

    But most importantly, they realise that people are at the heart of security. It’s not just about teaching them, but about understanding people and their behaviour, so that you can spot the unusual and the different.

    Leaders realise they’re part of a community. The whole community faces cyber risks. Criminals, state attackers and casual hackers don’t respect our boundaries, our stovepipes or our professional groupings, so true leaders build communities of defenders, consider the mindset of the attackers, and see value in making their lives more difficult. And, ultimately, to choosing the right path.

    “Security is not a project, it is a journey.” Christine Maxwell, Governance, Risk & Compliance Director, BP

  • Chapter 1 – Denial

    Despite the hype and media coverage of large scale attacks, the reality is that all firms face low-level cyber attacks every day. The majority of these are unsophisticated, but depressingly effective nevertheless.

    Ransomware has become endemic – just look at WannaCry, which hit over 200,000 systems across organisations in 150 countries. Attacks like these encrypt your data and the criminals demand a ransom of a few bitcoins to free it.

    But WannaCry was avoidable. Had companies updated their computers, they would have been fine. But, because they didn’t, it became a real crisis for those with outdated, unsupported operating systems, or for those who hadn’t set up their firewalls as tightly as they should have.

    Businesses also see confidence tricks. Criminals will try and persuade gullible employees to make fraudulent transfers. The latest FBI statistics included over $5.3 billion of reported CEO frauds and business email compromises.

    It’s easy for firms to abandon their cyber security journey, in the belief that if large firms can’t get it right, what chance do they have?

    ‘This is all media hype anyway…’

    As more and more people and devices connect to the internet, the opportunities for criminals just get greater. In the UK, for example, the Office for National Statistics reported in July 2016 that cyber crime and fraud had overtaken ‘traditional’ crime. And in its yearly crime survey, it recorded two million computer misuse offences to the year ending September 2016.

    Sophisticated, highly organised cyber crime gangs are running global networks. They cost the global economy hundreds of billions of dollars. Some of the world’s top banks, retailers, airlines and government sites find that [figure illegible] per cent of their traffic are from ‘botnets’.

    So why do some firms not think cyber crime is a threat, when all the statistics show that it’s increasing?

    ‘Nobody’s interested in hacking my firm…’

    A lot of firms succumb to ‘it will never happen to us’ syndrome – that somehow their company is different and that cyber crime happens to other people, not them.

    Many companies, especially small and medium enterprises (SMEs), believe they’re immune. Yet half of SMEs suffered at least one cyber attack in the last year. William Dixon, Director of Intelligence at Barclays, sees the criminals looking at softer targets: “We’re seeing criminals increasingly targeting SMEs and high value account holders.”

    While not always the prime target, hackers can also use SMEs as a backdoor to another firm’s system – one further along the supply chain. Take the US discount retailer, Target. One weak link in their supply chain cost them an estimated $260 million to their bottom line.

    There are several reasons for this denial. But for many, it’s just that cyber crime is abstract. It’s not always obvious, or visible, so we don’t pay attention to it.

    Cyber crime can also be disconcerting and uncomfortable, especially when people don’t understand the technology behind it. Even the term ‘cyber’ carries a mystique and can obscure rather than clarify the nature of the threat.

    Attitude plays a role. Millennials, for example, are far more adept at using technology than their parents – bravely running into new trends. Yet this fearlessness means they can also be foolhardy. Many young people are simply unaware of the seriousness of online crime and its implications, preferring to just click and get what they want. We also increasingly see this behaviour in business.

    Cyber crime has no boundaries. There’s no absolute immunity. No region, industry or organisation is bulletproof.

  • Cyber security: get the basics right

    • Start with good housekeeping: firewalls, anti-virus, patching, password security and backups

    • Make sure everyone has a responsibility for cyber security

    • Raise awareness

    • Inventory your assets

    • Train your people in security

    • Focus on investing in protecting your most sensitive information

    • Be ready to respond

    Recommendation one: get the basics right

    Start with good housekeeping, it will address the majority of issues. Get the basics right – firewalls, anti-virus, patching, password security and backups.

    Make sure everyone has a responsibility for cyber security, not just the IT people. Basic common sense for all employees (especially the leadership) is essential.

    Inventory your assets and focus on investing in protecting your most sensitive information.

    Be ready to respond if you do have a security breach. Cyber insurance can offer real benefits by giving you specialist support if the worst happens.

    Changing how people behave can be a difficult task. The most common password is still password123. Train your people in security. Raise awareness. Run campaigns to get key messages across. You should make the training mandatory for all new joiners, and run regular refresher courses.

    But also think about more tailored training and regular updates to keep it fresh.

    Getting the essentials right will help to deter criminals and make them look elsewhere.

    What questions should you be asking yourselves to get to the next stage?

    • How do our existing security controls stack up against government cyber guidance, for example the UK Government’s ‘cyber essentials’ guidance?

    • What steps have we taken to educate and inform our employees?

    And then ask yourself whether you, as a leader, are doing your part.

  • Chapter 2 – Worry

    Once the significance of good cyber security has finally sunk in and you fully appreciate the potential damage of an attack, the next step in your journey begins: worry.

    Boards start to fret about how best to protect themselves. How much should they spend? And on what? Some see technology as a cure-all, while others see the answer in policies, governance and standards. Either way, suddenly you’re a target for the salespeople in security firms. Companies buy new software, flashy hardware arrives in the data centre, and a growing array of malware detection and containment systems appear.

    When you’re not a specialist in the industry, how do you filter the good information from the bad? How can you choose what to buy? Who do you trust in the face of media hype?

    So, you hire new people to join the team. A Chief Information Security Officer (CISO), the ‘top security nerd’. But in the worst case, they just become a scapegoat when there’s an attack.

    “The organisation was growing in terms of the problems we were dealing with rather than the direction we needed to travel in.” Colleen McMahon, Deputy CISO, GSK

  • ‘I can buy my way out of the problem’

    The first thought is often to invest – heavily. Firewalls, anti-virus, malware detection, DDoS protection, and every other kind of technology to prevent a potential breach. In fact, 60 per cent of IT decision-makers say they intend to spend more on security. IDC predicts that by 2020 organisations will spend $101 billion on cyber security software, services and hardware.

    Investing in IT security is important. But how do you decide what to budget for? Perhaps there’s more to consider here. Have we really got the balance right? Should we not just be funding technology, but investing in people? In training them? Educating them? Raising awareness? And creating processes, which change how people behave?

    But it’s just as dangerous to depend on process as it is to depend on technology.

    You can create an environment where policy and compliance becomes king. And security becomes just a tick-box exercise.

    “Compliance is not a signal to sit back and say we’ve cracked it.” Craig Rice, Director of Security, Payments UK

    “How rigorously do you deal with employees who don’t take security seriously? There must be real consequences.” Paul Wood, Chief Risk & Compliance Officer, Bloomberg

    ‘Security is not my problem – the IT department sorts it out’

    People can be the weakest link in the security chain. But with a little work they can be your greatest asset. Indeed, our recent CEO research found the top three most important factors in cutting your security risks. These are: security governance processes, security technology, and sharing tools and knowledge with peers and partners.

    Take phishing, for example. This attack method has been growing in sophistication over the last few years. In the past, it’s had a very low success rate because the lack of personalisation, and poor spelling or grammar became well-known red flags.

    Criminals are now targeting more specifically to improve the success rate.

  • “Policy should be combined with education and training as an ongoing process, not a one-off.” Paul Wood, Chief Risk & Compliance Officer, Bloomberg

    The top three most important factors in cutting your security risks:

    • Security governance processes

    • Security technology

    • Sharing tools and knowledge with peers and partners

    Think of phishing as casting out a rod and hoping something bites. Well, now it’s turned into ‘spear-phishing’. They see a fish and they target them specifically. The criminal business model has changed. They spend more time researching their target. And then use that information to personalise their approach. Criminals are after information, so they can use it to get to your corporate data, or to help them commit fraud.

    ‘Whaling’ or CEO fraud goes a step further. The ‘big phish’ in an organisation, the CFO or other senior executives, are the target here. If a criminal steals the CEO’s email, they can impersonate them, and abuse their authority, like making fraudulent money transfers. Sometimes these phishing emails come from third parties you might trust: legal firms or accountants who have been hacked themselves.

    Everyone at every level in an organisation is vulnerable to this type of attack. When a phish gets through your technology, your employees need to be able to recognise the danger. This is where education and awareness come in. You have to put in programmes to change your people’s behaviour and culture towards information and business security.

    “Education of staff is of significant benefit; we routinely see companies investing in technical solutions while neglecting the human aspects. There is a significant benefit obtainable where investing in staff education is undertaken but explaining it as a benefit to their home life and that of their families and children. People buy into this free personal education much more readily than another compulsory work policy.” Steven Wilson, Head of Business, European Cybercrime Centre, Europol

  • ‘It’s impossible to stop this anyway, so why bother worrying?’

    Automated security defences are getting better. They’ve evolved. And despite high-profile media coverage, modern IT systems are far harder to break into than they were five years ago. The latest operating systems have far more effective countermeasures to attacks.

    But, of course, criminals adapt too. Security researchers found five new malware variants every second in 2016.

    Whatever we create, criminals look to find a way around.

    Fingerprint, eye scans and other biometric ID checks have helped. As has looking into how people behave, and the methods and techniques they use. Combining all of these will help us check whether people are who they say they are. Biometrics in particular could finally solve the problem of weak and reused passwords.

    But technology alone will only win battles. It won’t win the war. We must combine technology, people and processes to stand a chance.

  • Recommendation two: don’t start with technology

    Buying technology shouldn’t be your first priority. Assess your current controls against best practices, and take the time to understand how they may protect the assets you have against threats you’re actually seeing. Once you understand the gaps, you can refine your controls, and make sure you’re getting the full benefit from them.

    It’s important that you don’t just concentrate on one aspect of security – even if you do it really well. You could have the most robust policies and governance, but they’ll only work so far.

    But also, don’t take it all on at once. You’ll never succeed with a scatter-gun approach. Prioritise. Decide what matters most. Use your new CISO and business strategy to help guide you and spend the money wisely. Demand that your CISO talks with the broader business, and challenge him or her to come up with usable security solutions rather than just saying no.

    Consider that, from a return on investment perspective, you may be better off getting the basics right and then focussing on your highest value assets. As you do that remember to invest in preparing for your response to a cyber incident.

    Remember there’s no absolute protection against cyber attack. Accept that you won’t be able to defend against highly targeted attacks every time. You’ll get breaches. What matters is how you respond to common scenarios, when they do occur. Plan and run exercises for these scenarios. Teach your team, and streamline your responses.

    1. Prioritise

    2. Decide what matters most

    3. Use your CISO and business strategy to guide you

    4. Demand your CISO talks with the wider business

    5. Demand usable security solutions.

    What questions should you be asking yourselves to get to the next stage?

    • Have you got the balance right between people, process and technology?

    • Are you clear what the business really needs to protect, and who has decided that?

    • Have you planned, prepared and exercised for potential attacks?

  • Chapter 3 – False confidence

    The next step in the journey is for organisations to move beyond worry to a certain level of confidence in their security defences. After all, they’ve invested in the software, people and processes. The job’s done, right? You’ve framed your ISO 27001 certificates and you’ve got compliance functions on track – particularly if you’re in a heavily regulated industry.

    But more sophisticated attacks do happen. Criminals stop hitting companies indiscriminately, and begin to target specific individuals. Insiders steal data and defraud employers.

    ‘My new CISO will deal with all the problems for me…’

    It’s easy to overlook the importance of people in these circumstances, especially in teaching your employees about the risks. But if firms are thinking about the people, it’s usually the new CISO – and handing the responsibility over to them.

    But how qualified are these people? Have you considered whether they even need to have cyber security experience? Are they more guard dog than guide dog? Someone focused on technology is more likely to create an environment of ‘no’, not ‘how’, which could delay your strategy and lose you opportunities.

    There are many reports that explain how there’s a skill gap in cyber security, from network engineers to the board. Demand for skills is high, while supply is low. But many firms often use the role as a scapegoat when things go wrong – if they suffer a data breach, the CISO is the first to go.

    Many so called ‘experts’ are a bit too full of actual bluster and bluff about management and risk, they focus on the IT aspect – with an ‘I’ve got a better tool than you’ type attitude. We have approached security to enable the business to do good business, focus on delivery which is a mixture of people, processes and tech, rather than an over reliance on a single domain and a focus on the use case rather than the function.

  • “We are re-writing our security strategy now because we think things have fundamentally changed.” Christine Maxwell, Governance, Risk & Compliance Director, BP

    ‘I’ve invested in security, so nothing will happen’

    Our CEO research found 68 per cent of CEOs are entirely (or mostly) confident about how they can transform their business without compromising on security.

    Your cyber dashboard is green, so what can go wrong?

    But when did you put in your policy? When did you last refresh it? Who have you shared it with? When did you last test it? Has it really stood the test of time?

    A one-page security policy that they wrote several years ago, perhaps to resolve an audit finding isn’t going to stand that test. Perhaps it was filed somewhere, but hasn’t been shared with the people who need to use it. Or it’s very high level, with few or no processes underneath to show how people can use it, and doesn’t match the business’ strategy anymore.

    Policies should let people ‘do the right thing’ and stay secure and agile when they’re working.

    When they’ve figured out the size of the problem, put the right processes, governance and people in place and installed the right software, companies often rest on their laurels. They get lazy.

    But cyber security isn’t something you do once and then forget about. Criminals are evolving, so you have to, too. Attacks can and do happen. You’ll be shocked by what can happen, and the inevitable media coverage which follows.

    So, you relook at your policies, question your assumptions and investments, and start to translate the jargon to actually understand the risks and issues your company faces.

    There’s no absolute security, and you need to make hard judgements.

    Case study company Z

    An organisation who implicitly trust their 20 administrators don’t audit or log anything on those privileged accounts. They never imagined someone else may gain the credentials and do harm.

    “Security is not an afterthought, not a bolt on after the event.” Paul Wood, Chief Risk & Compliance Officer, Bloomberg

    "The rapidly changing threat landscape calls for new cybersecurity tactics in the enterprise to meet the ever evolving cybersecurity challenges." Tracey Pretorius, Director Cybersecurity & Cloud Strategy, Issues Management at Microsoft Corporation

  • ‘I’ve got the right security culture in my organisation’

    You can’t completely protect against an attack. A determined attacker will find a way.

    Criminals now realise that the people, processes and tech inside many of the large corporations have become more difficult to breach (not impossible, just not cost effective).

    So where do they turn their attention? To the supply chain.

    Those companies with people who have physical access – like cleaners, baristas, canteen staff or agency workers – to gather information. How many conversations or meetings are in the canteen? How much confidential information thrown away in regular waste, which the cleaners collect? How many ID badges do people (apparently) lose? And, of course, the wide range of outsourced firms who support every aspect of a modern business.

    “Drive security down in contracts with your suppliers.” Security advisor at a national Computer Emergency Response Team

    "From individuals to enterprise businesses, vendors must be committed to helping customers get secure - and stay secure - especially in a new world of persistent cyberthreats." Tracey Pretorius, Director Cybersecurity & Cloud Strategy, Issues Management at Microsoft Corporation

  • ‘I’m prepared’

    What would you do if you had to pay bitcoins after 2,000 computers were locked?

    You might have a process for dealing with a hack. But the first question you need to answer is: ‘Do you pay the ransom?’ Unfortunately, a typical answer is usually: ‘Oh, I don’t know, who makes that decision?’

    Well, what’s the impact on the business? If you pay them are you opening yourself up as a target? What’s the public perception? Who makes the decision? How do you handle media? Or if you don’t pay, how much time will your business be able to keep running? What’s the cost going to be to recover, versus the cost of paying a few hundred pounds?

    If you pay them (and we know people do), you need to have or buy bitcoins. Not as easy with anti-money laundering regulations in force.

    Or is there a half-way house? Do you negotiate for more time to fix it? Or more time to get a better price?

    These are just one set of typical discussions around a ransomware scenario. Other scenarios include data breaches, distributed denial of service attacks, sabotage and cyber fraud. Perhaps a combination of these.

    “We are battle-ready, but not battle-tested.” Scott Mcelney, Head of Threat Intelligence & Consultancy, Clydesdale Bank

  • Whitepaper | Securing the digital enterprise  17

Recommendation three: check your assumptions

Make sure you’ve thought of all the likely scenarios, and know what you’re going to do. Make sure you have a process that regularly reviews your security strategy and the policy that underpins it. Make sure the board and CEO champion and lead by example. Leaders must walk the talk.

Next, ask yourself the big questions. Is the policy still appropriate for your needs? Have you had any changes that would affect your policies?

You need to give your processes a bit of flex, so they can change quickly when you need them to, for example if you acquire a new company, or a new type of attack appears.

You’re only as strong as your weakest link, so make sure all your policies flow to your suppliers too. If you can, think about how their business is changing too. Consider asking them to show you how they follow your policies. Get them to audit themselves, for example with the Cyber Essentials or ISO 27000, but also be ready to probe and test whether they really ‘get cyber security’ and just how they would respond to a real cyber attack. Are you confident in their response, and how would it impact you as a consumer of their services?

What questions should you be asking yourselves to get to the next stage?

• Is the board and executive really taking ownership of the cyber strategy and how it works day-to-day?

• Do our employees really understand their role in protecting the organisation?

• Have we made cyber security part of our incident response and business recovery plans? And tested those plans?

• How are we dealing with our supply chain’s cyber security?

    Think about rolling training out to suppliers and sub-contractors too. You can use it to cover the physical threat, like tailgating and social engineering, as well as cyber risks, like spotting phishing emails.

    Make sure your business recovery strategy has cyber scenarios. And that you have the right response tools in place to help you work through major cyber incidents and more rapidly recover from loss or disruption.

Checking your assumptions:

• Think of likely scenarios and responses

• Have a regular security review process

• Make sure the board and CEO champion and lead by example

• Assess policy changes and suitability

• Allow flexibility in case the threat changes

• Make sure all suppliers are adequately prepared and follow your policies



    Chapter 4 – Hard lessons

    “WannaCry was good in helping drive awareness. It gives us an opportunity to drive home the message on good cyber security.” Security Advisor at a national Computer Emergency Response Team

“Unfortunately, your risk appetite the day before the incident is very different to your risk appetite the next morning.” Glen Attridge, Head of Cyber Defence and Security Response, Royal Bank of Scotland

Even the best prepared organisations often learn hard lessons after a major cyber attack. Suddenly, the media spotlight turns on senior executives, and it’s tempting to play the blame game, trying to find the guilty party, which can cost jobs.

But these incidents are a time for level-headed responses, and the confidence to look at why it happened, and sensible steps to avoid it happening again.

Cyber attacks drive companies to focus more on the particular risks, which they’re forced to live with and can insure against. Talk turns to cyber scenarios, to cyber exercises and to planning for responses to a major attack. From this point, firms get more responsive. It’s less about process and compliance, and more about being agile and changing.

So just what are the real lessons from these surprising incidents? And why do firms who have invested millions in cyber security still get caught out?



    ‘We bought everything, so how did this happen?’

Few firms really set up their tech well, and many don’t have the skills to manage it all. Understanding your security architecture matters: how do all these devices work together? How do they counter common attacks, and where are the overlaps or – worse – gaps?

When your tools are complex, you’ll have trouble getting them to work well together, or you’ll have tools only one person can use properly – which will take the focus off of hunting.

So, you need to invest in the ‘glue’ – the small marginal investments in people and integration – which help you to get the most from your technology. The more you can link the controls to an understanding of the threats you face day-to-day, the better.

Another danger lies in the time it takes you to roll out everything you’ve bought. All too often, we see that the tech is ‘old’ before it’s ready to roll.

    Case study company M

“No, we don’t do network inventory management – we don’t see it as a security control. We have however just bought a great high tech solution because we had some security budget left over. We haven’t got it operational yet but that’s the plan for next year.”

    ‘Should we outsource the problem?’

Faced with such a daunting problem, some companies may feel cyber security is too difficult, and that outsourcing is the answer. Sometimes this can be a great solution – reputable managed security service providers now offer a very high level of security. They’re well administered and supported by teams who are used to dealing with cyber attacks and the consequences.

“If you bring something in you need to implement it, not just leave it on the shelf.” Scott Mcelney, Head of Threat Intelligence & Consultancy, Clydesdale Bank

But you can never really outsource all of your cyber security – only the technology. Ultimately, only you can decide about the risks and how to deal with an attack. Only you carry the ultimate reputational and legal risks of getting it wrong. Two-thirds of IT decision makers say they want their security to become more flexible and customised to fit the specific needs of their organisation [10].

The reality is, it’s a partnership. All too often people outsource functions without thinking about how they will stay an intelligent customer, and without helping their provider to be an intelligent supplier.

The challenge is then one of building a genuine partnership with the most important suppliers. Companies and suppliers are co-dependent. If a supplier gets breached, so does the company – and both take the reputational hit. The goal is to move the relationship between a company and its suppliers beyond the usual contractual discussions into a ‘cyber ecosystem’, to involve suppliers in planning scenarios and running exercises, and working together to understand how best to manage those cyber risks.



    ‘How do we insure ourselves against this in the future?’

Everything is becoming cyber – our world is now digital – and so is business. Traditional insurance has started to think about how it would address cyber security. An organisation’s data has become an asset which needs to be protected. Access to that asset needs to be protected from interruption, or it can’t generate revenue – which could be costly in terms of money, customer trust and customer loyalty.

Understanding how your organisation’s digital business generates revenue will be the key to knowing what you need to insure, and how long that data can be inaccessible before you start to lose money.

Cyber insurance provides your organisation with a means to mitigate risk through transferring it, but it needs to be used in conjunction with an active information security program. It will provide you with access to a panel of specialists that can help with communications, brand and reputational risk management, legal advice or forensic capabilities, which you may not keep readily to hand, through an event. Finally, it can provide you with resources to supplement your team in maintaining the potentially upbeat tempo over a long period of time to recover from an event.

    Insurers too have started this journey and may not necessarily have all of the actuarial data and experience that they have with other areas they insure. That means it will be important to understand their experience and comfort level with underwriting in the cyber area as you look to make them a part of your security program.



Recommendation four: your business is unique, it’ll need a unique approach

Overly complex tech can make security gaps worse. If your team can’t understand the technology, they’ll be distracted. Only once you’re comfortable that your tools and processes are working should you look to close any gaps with technology or new processes.

When picking new technology, think about whether your people know how to use it. It might be better to get a tool that’s an [figure illegible in source] per cent fit, but everyone knows how to use it, or it works well with what you have, or it’s easy to automate. Better that than the most technically brilliant tool that’s harder to drive and doesn’t integrate.

“Don’t have a one size fits all approach – what may be relevant for one area of your business may not be okay for another. You have to align your approach to your business strategy.” Paul Wood, Chief Risk & Compliance Officer, Bloomberg

    What questions should you be asking yourselves to get to the next stage?

• Have we really integrated our security controls correctly, and have we been willing to test and prove those controls?

• Can we be agile enough in updating and refreshing our controls to match a changing cyber threat?

• Do we understand the role of cyber insurance in helping us deal with the more extreme scenarios?

• How long could we maintain a major IT remediation crisis before it impacted daily business and strategic projects, and do we need to stretch that time?

• Do we have the relationships that could support us through an incident if needed – both for fixing the incident and running business as usual?

Don’t be afraid to outsource areas that aren’t linked to your core business, or ask others for help. If you do need to fully outsource your security, treat your outsourcer as a partner. Work with them. Make sure you have someone who has overall accountability, and is focused on getting the right service and results.

Over time, your company will change. Make sure you don’t set your service level agreements and metrics too high. But make sure providers hit them. Ideally, you need to make the contract flexible enough to cope with the fact that the kinds of attack you face could change.

Make sure you document the scope, the capacity and responsibilities. Review them often to make sure the service always meets your needs. But don’t under-estimate how much it costs to fix things after an attack.

If you need to divert your people for a month to deal with the aftermath of an incident, it’ll ripple out and delay everything else – which could cost you in various ways. Insurance and having the right relationships in place to get help can soften this blow. And people often overlook this.



    Chapter 5 – True leadership

    Thinking about cyber risk

There are three ‘zones’ you can end up in here. The zone of routine, the zone of surprises and the zone of catastrophe. To start, it can be hard to get to grips with cyber risk. Most firms get used to the routine cyber attacks after a while – their controls deal with the attacks, their Security Operations Centre manages the incidents, and the executive finds out how often and how drastic the attacks are. Everyone starts to get comfortable – you’re in the zone of routine.

Risk quantification (chart): annual loss in £ million on a logarithmic scale (1x, 10x, 100x, 1,000x, 10,000x) plotted against likelihood (100% down to 1%). The chart asks two questions: ‘What loss am I expecting in a given year?’ and ‘In a year, what is the chance that your losses will exceed this level?’ It marks three regions: the zone of routine (observable, manageable; sunk investment in cyber security), the zone of surprises (uncertain, insurable; rising costs of incidents) and the zone of catastrophes (rare/extreme; the challenge is resilience; infrequent but high impact events, growing uncertainty).
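The chart asks two questions of a firm’s annual loss distribution. The following Python is an added example, not part of the whitepaper: it answers both questions for a constructed scenario register and places each loss level in one of the three zones; the scenario probabilities, loss values and zone cut-offs are all assumptions.

```python
from itertools import product

# Constructed scenario register (illustrative values, not from the whitepaper):
# name, annual probability that the scenario happens, and the loss it causes in GBP.
# Scenarios are treated as independent and as happening at most once a year.
SCENARIOS = [
    ("routine phishing incident", 0.90, 50_000),
    ("ransomware outbreak", 0.20, 500_000),
    ("major data breach", 0.05, 5_000_000),
    ("critical supplier failure", 0.005, 50_000_000),
]

# Assumed zone cut-offs on annual exceedance probability. The chart's axis runs
# from 100% down to 1%; the whitepaper itself gives no numeric boundaries.
ROUTINE_MIN = 0.10   # at least one year in ten: observable, manageable
SURPRISE_MIN = 0.01  # between one in ten and one in a hundred: uncertain, insurable


def expected_annual_loss(scenarios=SCENARIOS):
    """'What loss am I expecting in a given year?': sum of probability x loss."""
    return sum(p * loss for _, p, loss in scenarios)


def annual_loss_distribution(scenarios=SCENARIOS):
    """Exact distribution of total annual loss.

    Enumerates every combination of scenarios occurring / not occurring
    (2**n outcomes, fine for a short register) and returns {total_loss: probability}.
    """
    dist = {}
    for outcome in product((False, True), repeat=len(scenarios)):
        prob, total = 1.0, 0
        for happened, (_, p, loss) in zip(outcome, scenarios):
            prob *= p if happened else 1.0 - p
            total += loss if happened else 0
        dist[total] = dist.get(total, 0.0) + prob
    return dist


def exceedance_probability(threshold, scenarios=SCENARIOS):
    """'In a year, what is the chance that your losses will exceed this level?'"""
    return sum(prob for total, prob in annual_loss_distribution(scenarios).items()
               if total > threshold)


def zone(probability):
    """Map an annual exceedance probability onto the chart's three zones."""
    if probability >= ROUTINE_MIN:
        return "routine"
    if probability >= SURPRISE_MIN:
        return "surprises"
    return "catastrophes"


def exceedance_curve(scenarios=SCENARIOS):
    """One point per distinct loss level, lowest level (highest probability) first:
    (loss level, P(annual loss > level), zone)."""
    points = []
    for level in sorted(annual_loss_distribution(scenarios)):
        prob = exceedance_probability(level, scenarios)
        points.append((level, prob, zone(prob)))
    return points


if __name__ == "__main__":
    print(f"Expected annual loss: £{expected_annual_loss():,.0f}")
    print(f"{'loss level (£)':>16}  {'P(loss > level)':>15}  zone")
    for level, prob, z in exceedance_curve():
        print(f"{level:>16,}  {prob:>15.5f}  {z}")
```

With these figures, £100k sits in the zone of routine, £1m in the zone of surprises and £10m in the zone of catastrophes, which is the kind of split the chart asks a board to recognise before choosing what to control, insure or simply survive.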

Attackers don’t play by the same set of rules we do – they don’t have to deal with regulators and data protection authorities.

True leaders think differently about security. They see cyber security as an opportunity – a business unit, not a cost centre. They help implement new services, tracking and monitoring their security, continuously adapting their defences to deal with the changing threat. They develop metrics of security which resonate with the business, and give senior leaders appropriate confidence in the organisation’s security stance.

Most importantly, they realise that people are at the heart of security. It’s not just about teaching them, but about understanding them and their behaviour, so you can spot the unusual and the different.

Leaders realise they are part of a community. The whole community faces cyber risks. Criminals, state attackers and casual hackers are against all of us. True leaders build communities of defenders, consider the mindset of the attackers, and see value in making their lives more difficult. They focus on public-private partnerships for help and data exchange.



“Cyber attacks will continue to evolve, which is why the public and private sectors must continue to work at pace to deliver real-world outcomes and ground-breaking innovation to reduce the threat to critical services and to deter would-be attackers. No single organisation can defend against the threat on its own and it is vital that we work together to understand the challenges we face. We can only properly protect UK cyberspace by working with others, particularly with business and wider society.” Ciaran Martin, CEO, National Cyber Security Centre

But the most cyber-savvy firms think about the more unusual events – the potential surprises. These are the scenarios that are possible. They’ve happened to other firms. Maybe not in the same sector, but close enough that you could imagine how criminals could develop a similar attack for your industry. Savvy firms play these scenarios out, sometimes testing the board and executive, other times letting ethical hacking teams loose in their systems.

    And so, attacks are less surprising.

Leaders have got the plans to deal with unseen but proximate events, so they can buy cyber insurance that’s realistic and linked to what’s actually likely. They’re dealing with the zone of surprises.

Now comes the real challenge: the zone of catastrophes. This is where you haven’t seen these kinds of cyber attacks before, or perhaps the community thinks they’re a one-off. They scare people, but people simultaneously think they won’t happen.

There isn’t an answer to these events, but there is a response. Sometimes it’s worth thinking differently. Ask yourself, what would really disrupt your business if it happened? Imagine the worst case, and then ask what can you do? What should you do? The answer might not actually be security. It might be choosing to structure your business differently, or accepting that, in these worst cases, parts of your business will fail.

These are big business choices, you shouldn’t take them lightly. The trigger which causes catastrophe could just as easily be an IT outage or a supplier’s business failing, just as it could be a deliberate cyber attack.

“We have really benefited in the area of cyber security because banks have collaborated. We work hard to be part of that community. We can’t do it on our own.” Scott Mcelney, Head of Threat Intelligence & Consultancy, Clydesdale Bank



“Cybercrime is increasingly a global issue, it needs a global response to tackle it effectively. The sharing of information allows industry to develop a collective exterior shield that slows down or disrupts attacks before they hit corporate defences. The concept of continuing to defend only against attacks is outdated and there needs to be a partnership with law enforcement to disrupt and arrest key actors who to date have acted with impunity, confident that their technical skills could hide them from the authorities.” Steven Wilson, Head of Business, European Cybercrime Centre, Europol

    ‘We’re in this alone’

Security is quite a secretive business. Worse still, when handling a major incident, it’s human nature to keep tight-lipped, not sharing anything until you’ve dealt with the issue.

But most attacks don’t target a single organisation. Organised crime groups carry out campaigns of attacks. They target hundreds or thousands of firms. More indiscriminate attacks can hit millions of people. State espionage campaigns aim to collect intelligence on particular topics, but will target any company with that information or which helps the attacker get closer to the source.

In short, if you’re being attacked – so is someone else. You’re both sitting in your windowless incident room, wrestling with the consequences, blissfully unaware of each other; but you both probably have a vital piece of the jigsaw, and so might the police and government.

You can’t build trust between companies half-way through an attack. You have to nurture these relationships beforehand.

Taking the bold step of sharing what’s happening also matters. Many advise against it: cautious legal advisers, embarrassed executives, secretive security experts.

Be brave and reach out. You’ll be surprised at the results.



“A clear cyber strategy, that the leadership team has bought into, means that we’re all on the same page.” Christine Maxwell, Governance, Risk & Compliance Director, BP

    ‘Twice a year is fine, or is it?’

How often should the board and executives think about cyber security? It’s always a major topic of debate – particularly for regulators. Most boards, executives, risk and audit committees now have a regular slot on their agenda for cyber security; perhaps twice a year.

The problem with these sessions is that they often treat cyber security as a separate and disconnected issue from the broader operational risk, or even business strategy discussions, and they come with scary war stories, attack statistics and a few incidents. They might include a sweep up of what improvements the firm has made, and maybe some research to compare yourself to your peers – just to give you that feeling of being ‘in the pack’.

    We need to stop this. We need to stop treating cyber security as something special.

Make it a main concern. Make it part of all your other discussions. When you’re talking about risk, think about what happens in a cyber attack, rather than having a single ‘blob’ on the risk map called cyber.

You can only do this if you separate out the impact of very different types of cyber attacks: the major data breach, the ransomware attack, the denial of service attack, the cyber fraud, the confidence tricks (like phishing).

Calling everything cyber doesn’t help.

And when you release a new digital service, you need to think about the cyber security. Balance the risk and reward: these are business judgements. How much business could you lose if customers can’t use the service because your security was lax?

How much are you exposed to fraud? Would people think you negligent if a hacker got into this service? And where would the liability lie? These are all hard business questions.

    "A top management issue continues to be driving business innovation and growth while simultaneously providing the right protection against an ever evolving cybersecurity threat landscape." Tracey Pretorius, Director Cybersecurity & Cloud Strategy, Issues Management at Microsoft Corporation



    New challenges, new opportunities

Now you can have a much deeper relationship with your customers. Suddenly you can give them custom services.

On the other hand, you’re much more likely to get attacked.

So you need to balance giving a good customer experience, and making your service secure. Perhaps there are some win-win scenarios here. When you’re more secure, you can be more confident that a customer is who they claim to be – and can do a lot more for them.

Passwords seem old fashioned. We’re much more likely to see biometrics, like fingerprints, combined with analysing people’s behaviours, to recognise who they are. Firms can then score individual purchases for risk. We can keep monitoring fraud, and tweak the alert levels to keep fraud to acceptable levels. These are business judgements.

Look for opportunities to embed security as your business changes. Value flexibility, embed accountability and build resilience.

The future has great potential. But we need to look at cyber security differently.

    We need to change.

    "Security used to be one of the reasons organisations were slightly hesitant to move to the cloud - now security is the very reason why they are wanting to move to the cloud." Tracey Pretorius, Director Cybersecurity & Cloud Strategy, Issues Management at Microsoft Corporation

    Be ready for some big shifts

According to our research, only 26 per cent of CEOs see security as a differentiator in their digital transformation programmes. Cyber security is in for some big changes. The shift to cloud holds bigger surprises. Companies with no IT have arrived. Businesses who work entirely in the cloud. They don’t have the traditional infrastructure we would expect.

And that means the defences we’d see at the perimeter have disappeared.

Meanwhile, employees are bringing their own devices. This can be scary, not just for the business and the CISO, but for regulators. Suddenly they’re finding that how people should secure their network doesn’t work anymore.

And suddenly the CISO has no IT security role; it’s all in the cloud. But they definitely still have to think about how to secure their information, while playing a vital part in linking the business to the technology services.

Cloud providers have started to ask themselves hard questions. How much risk are they prepared to take on? Where might the liability lie for breaches? And, how do they charge for it?



Recommendation five: be part of the community, and share your experiences

Build a network of peers and trusted information sources in your sector and further afield. Be prepared to share what your organisation is seeing and seek to get involved with the community through things like the UK NCSC’s Cyber Information Sharing Portal, but remember: sharing is a two-way street; you have to give something back to the community.

    Think about a blend of building relationships with your peers, formal sharing platforms and maybe even commercial threat feeds.

If you’re going to share – make it timely. The quicker you can tell others about an attack, the quicker the community can do something about it: together.

Make cyber security something you always consider. Talk about it like you would any other business concern. If you can think of it as an everyday part of doing business, you can manage the fear and uncertainty much better.

What questions should you be asking yourselves to get to the next stage?

• Are we really prepared to play our part in the community as leaders? To share intelligence, good practice and hard-won lessons?

• Have we really considered the full range of cyber scenarios and risks? And what we need to do to improve?

• Do we really see cyber security as a major part of our business strategy? Have we got the balance right between using new digital channels and managing the risks?

• Has cyber security become mainstream in our business, and are we really thinking about how to help the business succeed and take advantage of new opportunities?

And be open to thinking very differently about cyber security. It’s about helping your business succeed. It’s not about saying no. Challenge old ways of thinking: they won’t help you succeed in a digital world.



Conclusion – Where are you on your journey?

    We can all learn lessons from those who are further ahead on their journey to becoming a true security leader.

The hard reality is that all firms face cyber attacks. Any business is a potential target.

As you move from worrying to false confidence, you’ll get the people, processes and technology to protect yourself. But it’s often not until you’re attacked that you truly understand what the risks of working in digital are like, let alone how to start thinking differently about security.

From the board down, we must change how we see cyber security. The mindset and models will just keep us saying the same things. It’s not sustainable. These myths will become traps, unless we make security another thing we always think about.

Technology is changing. The threats are changing. We have to cut through the jargon, and think about our roles differently. If we want to understand the risks we need to communicate better. The role of the CISO is shifting, from guard dog to guide dog. They’re moving into roles which mean they need to start thinking about how security affects bigger business decisions.

    By starting to ask ourselves some hard questions, we can change our approach and help our businesses succeed.



References

1. Taking the Offensive – Working together to disrupt digital crime, http://www.globalservices.bt.com/uk/en/point-of-view/disrupting-cyber-crime

2. FBI, Public Service Announcement, I-0540417-PSA, Business Email Compromise, https://www.ic3.gov/media/ [remainder of URL illegible in source]

3. Office of National Statistics, Crime in England and Wales, year ending September 2016

4. https://www.threatmetrix.com/digital-identity-blog/cyber-security/ [remainder of URL illegible in source]

5. https://securityintelligence.com/20-eye-opening-cybercrime-statistics/ (access date illegible in source)

6. Britain Thinks / Cifas, Young People Report: Young People’s Attitudes to Committing Fraud (PDF), https://www.cifas.org.uk/ [remainder of URL illegible in source] (access date illegible in source)

7. Ovum Security Intelligence Market Research commissioned by BT, April 2017

8. http://fortune.com/ [date path illegible in source] /cybersecurity-global-spending/ (access date illegible in source)

9. http://www.silicon.co.uk/ [remainder of URL illegible in source] (access date illegible in source)

10. Ovum Security Intelligence Market Research commissioned by BT, April 2017



    Offices worldwide

Find out more at: www.bt.com/security


  • Section 3

    RPC – General Data Protection Regulation


  • ADVISORY | DISPUTES | TRANSACTIONS

    General Data Protection Regulation

What’s the issue?

• The GDPR requires organisations to develop clear policies and procedures to protect personal data. The requirements are a considerable step up from those currently in place.

• The GDPR will require insurers and brokers to take action to ensure that their current procedures are updated to comply with the GDPR.

• The GDPR also imposes more stringent requirements for responding to data breaches, including compulsory notification of the ICO within 72 hours in most instances where there has been a breach.

Timetable: The GDPR comes into effect on 25 May 2018.

What do clients need to do?

• Review privacy notices and policies (regularly) to ensure compliance.

• Review systems for recording consent to ensure that there is an effective audit trail.

• Be prepared for data subjects to exercise their rights under the GDPR such as the right to data portability and the right to erasure.

• Document what personal data is held, the legal basis on which it is held, where it came from and who it is shared with.

• Ensure that privacy is embedded into any new processing or product that is deployed.

• Designate a Data Protection Officer, if applicable.

• Consider whether their contractual documentation is adequate in respect of the obligations imposed on data processors.

• Ensure that there is a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation (this includes intra-group transfers).

• Put in place policies and procedures to detect, report, notify, investigate and manage data breaches.

What’s the impact on the client if they aren’t ready?

• There is a tiered approach to penalties for breaches of the GDPR – fines can be up to the higher of 4% of annual worldwide turnover or EUR 20 million.

• Other specified infringements could attract a fine of up to the higher of 2% of annual worldwide turnover or EUR 10m.

    Any comments or queries?

Jon Bartley, Partner, +44 20 3060 [email protected]

Richard Breavington, Partner, +44 20 3060 [email protected]

Nicola Cain, Legal Director, +44 20 3060 [email protected]


    General Data Protection Regulation: key features

Wider reach and bigger fines

Territorial scope: The scope of the GDPR is wider than the current regime. The GDPR applies to the processing of personal data of data subjects who are in the EU if the processing relates to either: (1) offering goods and services in the EU; or (2) monitoring their behaviour in the EU, regardless of whether the controller or processor is established in the EU. The GDPR also applies to data processing by controllers and processors who are established in the EU, even if the processing occurs elsewhere.

Personal data: The definition of personal data is wider, expressly covering any information relating to an identified or identifiable person, including location data, online identifiers or factors specific to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity. The GDPR also introduces the concept of “pseudonymisation” whereby information which allows data to be attributed to a particular data subject is held separately and subject to technical and organisational measures to ensure non-attribution. Although pseudonymous data is still personal data, pseudonymisation is encouraged as it can, for example, limit the amount of personal data processed, thus mitigating data security risks.

A one-stop shop: The GDPR aims to create a one stop shop for enforcement. The supervisory authority located in the Member State where the relevant controller or processor has its main establishment shall be able to act as lead supervisory authority in relation to cross-border issues. The intention is to reduce the administrative burden for multi-national organisations. The GDPR contains a detailed framework for cooperation between supervisory authorities.

Fines and penalties: Supervisory authorities can impose fines against controllers or processors for breaches of the GDPR. The GDPR also provides for direct judicial remedies against controllers and processors, in either the Member State where the controller or processor is established, or in the Member State where the data subject is habitually resident (subject to some exceptions in relation to public authorities). This is a significant increase in risk for processors who largely side-step direct statutory liability under the current data protection regime.

The maximum fine for breaches is the greater of €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year. This upper tier applies to breaches of the key provisions, such as the principles of data processing (including the conditions for valid consent), data subjects’ rights, international transfers, and the processing of sensitive personal data.

    Any comments or queries?

Oliver Bray, Partner, +44 20 3060 [email protected]
Jon Bartley, Partner, +44 20 3060 [email protected]
Richard Breavington, Partner, +44 20 3060 [email protected]
Nicola Cain, Legal Director, +44 20 3060 [email protected]

Smaller fines, up to the greater of €10,000,000 or 2% of total worldwide annual turnover, apply to a number of lesser breaches, such as a failure to maintain records of processing, to notify a personal data breach, or to carry out a required impact assessment.

Information collection and consents

Consent
Requirements for obtaining effective consents from data subjects have been tightened. Consent must be freely given, specific, informed and unambiguous, and it must be given by a “clear affirmative action”: silence, pre-ticked boxes or inactivity do not count. It must be as easy to withdraw consent as to give it. In practice, it will become difficult to show that consent is “freely given” if performance of a contract is conditional on agreeing to data processing that is not necessary for the performance of that contract. Requests for consent must be presented in a manner which is “clearly distinguishable” from any other information, and in an intelligible and easily accessible form.

Consent to sensitive personal data
As is currently the case, a higher threshold, “explicit consent”, applies where consent relates to sensitive personal data. This category has been expressly expanded to include genetic data and biometric data that can uniquely identify a data subject.

Children and consent
The age at which a child can consent to data processing by online services (such as Facebook) has been set at 16; below that age, consent must be given or authorised by the holder of parental responsibility. Individual Member States may lower this age, but not below 13.

Data collection notices
The GDPR is more prescriptive about what data subjects must be told at the time of data collection. Specifics include the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients of the data, the period for which data will be stored (or how this will be determined), and the data subject’s rights to erasure and rectification. The principle of fair and transparent processing remains paramount. The GDPR paves the way for such information to be provided in combination with standardised icons to create readily understood “shorthand” for data usage. These could be introduced by the European Commission via delegated acts under the GDPR.

Rights for data subjects
Rights of access to data (ie data subject access requests), and of rectification of information which is incorrect, are retained in the GDPR. Data subjects are also given new rights, with an emphasis on transparent information, communication and methods for exercising the rights of the data subject.

Right to erasure
Data subjects will have a new right to require a controller to erase their personal data, broadly in circumstances where there is no (or no longer any) legitimate ground for the processing. This gives a formal statutory footing to the “right to be forgotten” principle already established by the European courts in the Google Spain case [1]. However, the right is not absolute, and remains subject to various exemptions, including freedom of expression, legal obligations and the public interest.

Right to object to processing
At any time, a data subject will have the right to object to the processing of his or her personal data which is based on “public interest” or “legitimate interest” grounds, unless the data controller can demonstrate “compelling legitimate grounds for the processing” which override the data subject’s rights and interests. Where the processing is for direct marketing, the right to object is absolute and the processing must stop. This will potentially require controllers to put much more thought and effort into how to show that they have carried out appropriate balancing tests before processing.

[1] Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos and Mario Costeja González.

Right to data portability
This will allow data subjects to obtain personal data that they have provided to a controller in a “structured, commonly used and machine-readable format”, where the processing is based on consent or a contract and is carried out by automated means. Where technically feasible, the controller will also have to transmit that data directly to another controller.

Profiling and automated decision making
“Profiling” is defined specifically in the GDPR, acknowledging the rapid increase in the use of automated data processing to evaluate or predict the behaviour of individuals (based on factors such as health, personal interests, behaviour and location). Decision-making based solely on automated processing, including profiling, is restricted if it produces legal effects concerning the data subject or similarly significantly affects them, unless it is necessary for a contract with the data subject, authorised by law, or based on the data subject’s explicit consent.

Responsibilities of data controllers and processors

“Privacy by design”
The concept of privacy by design or, more specifically, “data protection by design and by default”, has been expressly incorporated into the GDPR. What is currently widely regarded as best practice becomes a legal obligation: the controller must implement appropriate technical and organisational measures so that, by default, only the personal data necessary for each specific purpose is processed, in terms of the amount collected, the extent of processing, the retention period and accessibility. In particular, by default personal data must not be made accessible to an indefinite number of individuals without the individual’s intervention.

Data protection impact assessments
Another current best practice that has been expressly incorporated into the GDPR is the concept of an “impact assessment” to assess the impact of any planned processing operations on the protection of personal data. Controllers will be obliged to carry out an impact assessment when processing is likely to result in a high risk to individuals, particularly when using new technologies. Impact assessments will also be specifically required before: (1) systematic and extensive automated evaluation of individuals, including profiling, on which decisions with legal or similarly significant effects are based; (2) large-scale processing of sensitive personal data; or (3) systematic monitoring of a publicly accessible area on a large scale. Where the assessment indicates a high risk that cannot be mitigated, the controller must consult the supervisory authority before processing begins.

Record keeping
In order to demonstrate compliance with the GDPR, both controllers and processors are expressly required to maintain records of the processing activities under their responsibility. These must be provided to the relevant supervisory authority on request. Organisations with fewer than 250 employees may be exempt from this requirement, unless the processing is likely to result in a risk to data subjects, is not occasional, or involves sensitive personal data or data relating to criminal convictions.

Data security
Controllers and processors are still required to use appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Pseudonymisation and encryption are both mentioned expressly as methods to consider as part of overall security, alongside the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to personal data in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of the measures.
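The following is an added example, not code from the briefing or from RPC, showing the pseudonymisation technique referred to under “Personal data” above and listed as a security measure in this paragraph. It assumes a controller holding customer records keyed by e-mail address, derives the pseudonym with a keyed HMAC, and keeps the key and the reverse lookup table apart from the working data set (here as in-memory stand-ins for a separately controlled key store and table). The records are constructed sample data. It also shows the caveat a practitioner should check for: an unkeyed hash of a low-entropy identifier is not pseudonymisation, because it can be reversed by guessing.

```python
"""Pseudonymisation with a separately held key (added example, standard library only)."""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people): what the controller holds.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "postcode": "E1W 1AA", "spend": 120.50},
    {"name": "Bob Sample", "email": "Bob@Example.test", "postcode": "BS1 6LW", "spend": 48.00},
    {"name": "Alice Example", "email": "alice@example.test", "postcode": "E1W 1AA", "spend": 19.99},
]

DIRECT_IDENTIFIERS = ("name", "email")  # stripped from the working data set
LINK_FIELD = "email"                    # identifier the pseudonym is derived from


def new_pseudonymisation_key() -> bytes:
    """256-bit random key. In a real deployment this sits in a KMS/HSM under
    separate control; it must never be stored beside the pseudonymised data."""
    return secrets.token_bytes(32)


def normalise(identifier: str) -> str:
    # Canonicalise before hashing so "Bob@Example.test" and "bob@example.test"
    # yield the same pseudonym (an assumed policy for this example).
    return identifier.strip().lower()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256). Same key + same identifier
    -> same token, so records can still be joined; without the key the token
    can neither be reversed nor regenerated from guessed identifiers."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (working_set, lookup). working_set carries a pseudonym instead of
    the direct identifiers. lookup maps pseudonym -> identifier and is the
    "additional information" the GDPR requires to be held separately; it is
    what lets the controller re-identify a subject, e.g. for an erasure request."""
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(rec[LINK_FIELD], key)
        lookup[token] = normalise(rec[LINK_FIELD])
        working.append({"subject": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working, lookup


def spend_per_subject(working):
    """Analytics the pseudonymised set still supports: group/join on the token."""
    totals = {}
    for rec in working:
        totals[rec["subject"]] = totals.get(rec["subject"], 0.0) + rec["spend"]
    return totals


def unkeyed_hash(identifier: str) -> str:
    """What NOT to do: a bare hash of a low-entropy identifier such as an e-mail
    address. It looks pseudonymous but is reversible by guessing."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def dictionary_attack(token: str, candidates, guess_fn):
    """Run each plausible identifier through guess_fn and compare with the token.
    Succeeds against unkeyed hashes; against HMAC tokens only if the attacker
    also holds the key, which is why the key is held apart from the data."""
    for cand in candidates:
        if hmac.compare_digest(guess_fn(cand), token):
            return normalise(cand)
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()            # lives in the separate "key vault"
    working, lookup = pseudonymise(RAW_RECORDS, key)
    print(spend_per_subject(working))           # analytics on pseudonymised data only
    print(lookup[working[0]["subject"]])        # re-identification needs the separate table
    guesses = ["alice@example.test", "bob@example.test", "carol@example.test"]
    print(dictionary_attack(unkeyed_hash("bob@example.test"), guesses, unkeyed_hash))
    print(dictionary_attack(working[1]["subject"], guesses, unkeyed_hash))
```

Rotating the key produces a fresh set of tokens, which severs linkage to any copy of the old working set that has leaked; deleting an entry from the lookup table (and the key material, if the table is per-purpose) is one way to give effect to an erasure request without rewriting every downstream data set.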

Notification of data breaches
Reporting of breaches becomes much more prescriptive under the GDPR for both controllers and processors. The controller must report personal data breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects concerned; a notification made later than 72 hours must be accompanied by the reasons for the delay. The controller must also inform the data subjects directly, without undue delay, if the breach is likely to pose a “high risk” to them, but not otherwise. Every breach, notified or not, must be documented internally so that the supervisory authority can verify compliance. Processors have a direct obligation to notify the controller “without undue delay” after becoming aware of a personal data breach.

Mandatory Data Protection Officers (DPO)
It will be mandatory for controllers and processors to designate a DPO where processing is carried out by a public authority, or where their core activities involve: (1) regular and systematic monitoring of data subjects on a large scale; or (2) large-scale processing of sensitive personal data or data relating to criminal convictions. Otherwise the appointment of a DPO will be optional, although Member States may impose additional DPO requirements.

International data transfers
The regime for transferring personal data outside the EEA remains broadly unchanged. Transfers to countries covered by a Commission adequacy decision and transfers under the Commission’s “Model Clause” (standard contractual clause) arrangements remain valid, although the GDPR recognises that these schemes will need to be monitored by the Commission on an ongoing basis. Binding Corporate Rules are now officially recognised and put on a statutory footing. The GDPR does not deal with the specific issues arising out of the “Safe Harbor” decision [2], although note that the new Privacy Shield has been in place since August 2016 as a replacement for Safe Harbor in order to legitimise transfers of personal data to the US.

Further reading:
• 12 steps to take now [3]
• ICO overview

[2] Maximillian Schrems v Data Protection Commissioner, Case C-362/14, 6 October 2015.
[3] https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf


Tower Bridge House, St Katharine’s Way, London E1W 1AA, T +44 20 3060 6000
Temple Circus, Temple Way, Bristol BS1 6LW, T +44 20 3060 6000
11/F Three Exchange Square, 8 Connaught Place, Central, Hong Kong, T +852 2216 7000
12 Marina Boulevard, #38-04 Marina Bay Financial Centre Tower 3, Singapore 018982, T +65 6422 3000

    The road to GDPR: priorities

What should you be putting in your processor contracts? Some examples:
• Train staff in the context of data privacy.
• Co-operate fully with the ICO or other data protection authority.
• Comply with standards and controls, including model clauses.
• Inform the controller of any approach by the ICO or other data protection authority.
• Comply with the data controller’s assistance and information requests around process and data compliance.
• Notify the controller of any actual or suspected data breaches within 24 hours.
• Not engage sub-processors without consent.
• Maintain records of technical measures, staff training etc. and make these available on request.
• Immediately inform the controller of instructions that infringe data protection law.
• Indemnities for data breaches, fines/penalties and remediation compensation costs.

Note that Article 28(3) of the GDPR prescribes a minimum set of terms for any controller-processor contract (processing only on documented instructions, confidentiality of staff, security measures, controls on sub-processors, assistance with data subject rights and with the controller’s security and breach obligations, deletion or return of the data at the end of the contract, and audit and information rights), so the examples above supplement rather than replace that list.

UK/EU data controllers
• Get the Board’s buy-in
• Assemble your team
• Understand your data
• Prepare for a security breach
• Build new rights into your tech/contracts
• Aim for explicit data consents

Non-EU data controllers
• Monitor developments
• Revisit your EU-customer data consents, privacy and cookie policies
• Toughen up your sub-contracts with data processors
• Consider methods of international data transfers


    GDPR compliance audit

    Suggested process

The aim of a compliance audit is to achieve compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the GDPR) across the organisation’s group of companies by the date the GDPR applies, 25 May 2018.

Process and deliverables
In order to achieve this, we suggest the following 10-stage process:

Awareness and education
1. Communicating and ensuring understanding of how the GDPR will impact the group, including in relation to:
• obtaining consent
• privacy notices
• processing of special categories of data
• rights of data subjects
• data protection impact assessments (DPIA)
• responsibilities of the Data Protection Officer (DPO), if applicable
• breach notification, and
• data transfers, including international transfers post-Brexit.

Gap analysis in existing documents
2. Review and update of existing policies and contracts for compliance with the GDPR:
• policies covering data issues
• contracts dealing with data.

Data audit, mapping and inventory
3. Creation of a data inventory detailing:
• the sources and categories of data processed across the group
• the purposes and legal grounds for processing the data
• the location and “journey” of the data
• the security and access rights in respect of the data
• the retention and deletion of the data (including any anonymisation procedures).
4. Data flow mapping of business processes, where appropriate.
5. Audits of existing data processors.


    Report and recom