GDPR – Don’t be afraid!

Posted on : 28-02-2017 | By : kerry.housley | In : Cyber Security, Data



GDPR comes into effect in May 2018. Type “GDPR” into LinkedIn and you will find a deluge of posts from “experts” offering advice as to how you need to act NOW! Fail to do so and your business will suffer catastrophic consequences. Some commentators have drawn comparisons with the Millennium Bug, which had consultants falling over themselves to fix your Y2K problem!

It does seem that we may be getting taken in by the FUD again. As organisations ring-fence budgets and onboard their new, and often costly, experts, I wonder how many of those experts are frantically reading up and how many are collectively thumb-twiddling (it would be interesting to track how many LinkedIn profiles have been updated to add GDPR as a specialism…).

However, it is of course a serious thing. Behind the headlines there are some hard facts which make disturbing reading for any business. Take the TalkTalk data breach, and the implications of GDPR become clear. TalkTalk was fined a record £400,000 by the Information Commissioner’s Office (ICO) last year, but had the breach happened after May 2018, when the new GDPR rules apply, the fine could potentially have been in the region of 70 million euros (under GDPR the maximum fine for the most serious infringements is 20 million euros or 4% of global annual turnover, whichever is greater).

Traditionally, the ICO has not been keen to impose large fines, so the EU rules mark a major change in this respect: businesses that fail to comply will be harshly punished. GDPR also requires that a personal data breach be reported to the supervisory authority within 72 hours of the organisation becoming aware of it. Even with the clock starting at discovery, that is a tall order for many companies, since it presumes they can detect a breach, establish its scope and decide on notification within three days. According to a recent FireEye report it takes an average of 146 days to discover a breach, and in some cases it takes years: Yahoo’s 2013 breach was not disclosed until late 2016.

So, compulsory breach notification and onerous fines will have a significant impact on the business community and should not be taken lightly.

Yet beyond the headlines, GDPR offers a great opportunity for businesses to review their information security strategy and close any gaps in the systems and processes that protect their data.

Irrespective of the legislation, clients are increasingly concerned about the security of their data. Any business that cares about its reputation and the needs of its clients and employees should be paying attention anyway to protecting its data. Data privacy and protection should be part of business as usual operations and not viewed as just another compliance requirement.

The first thing any company should do is find out exactly what personal data it holds and where it is stored. You need to know how this data is used, who is using it and for what purpose. Processes must be in place to provide access to it on request and to delete it when you no longer have a lawful basis to retain it.

If you have suppliers that process personal data on your behalf, then they too must comply, and you remain accountable for the data you pass to them. For companies with a large supply chain, a supplier management system with processes to assess, contract for and monitor this data risk is essential.

In order to comply with data protection legislation, it is imperative that companies can demonstrate that they take data protection seriously and can show clearly the steps they take to safeguard that data. Having data protection policies and processes in place is a good start. Using a GDPR audit tool or a supplier management system is an effective way of demonstrating the steps you have taken, whilst providing an audit trail which can be reviewed at any point in time.

Information security is an ever-moving target. It is not possible to guarantee breach prevention, but there are many ways in which the likelihood and impact can be significantly reduced.

If you would like a balanced view on the impacts of GDPR (without any doomsday predictions), the practical steps to be ready or discuss governance and tooling which can help, please contact us.

Insurance companies and their Cyber Insecurity

Posted on : 26-02-2016 | By : kerry.housley | In : Cyber Security, Finance



In October 2015 all UK insurers were asked to provide details of their cyber resilience to the Prudential Regulation Authority. The Bank of England has been concerned about UK financial institutions’ cyber resilience for some time now and has extended that focus to the insurance sector. The regulator is keen to understand the current policies and capabilities of the insurers and the steps they are taking to protect their information. Should they be found to have inadequate measures in place, strong action will be taken against them.

Information security is also a key focus for the FCA (Financial Conduct Authority). They are particularly worried about insurance companies due to the nature of their business, which involves large volumes of personal data. The biggest fines for data breaches so far imposed by the FCA have been on insurance businesses, which goes some way to explaining the regulator’s intense concern.

Insurance information is particularly attractive to hackers because of the volume of highly personal individual details insurers hold. The US health insurer Anthem was breached last year and is reported to have lost the personal information records of around 80 million customers and employees.

Health care breaches are particularly on the rise as there is a lucrative resale market for these types of records. While credit card details typically trade at $10, insurance data typically trades at $100. US regulators are so concerned about insurance companies’ lack of preparedness that the National Association of Insurance Commissioners (the body of US state insurance regulators) has set up a Cybersecurity Task Force to tackle the issue.

European policymakers are yet to agree the final provisions of the new General Data Protection Regulation. However, the new Regulation means that data privacy issues should now be a key concern for all insurers and they should be prepared to review and amend their data protection programmes. In general, regulation is likely to become increasingly formalised and more rigorous in its application.

The rise of big data presents opportunities to offer more creative, competitive pricing and, importantly, to predict customers’ behaviour. This is great news for insurers but a concern for the Information Commissioner’s Office (ICO). The ICO monitors how firms respond to subject access requests and handle complaints, and firms may be invited to undergo an audit if the ICO has concerns. Compared with other EU Member States, such as France and Italy, the UK carries out relatively few audits.

However, this too is changing. The FCA has announced that it is conducting a market study into how insurance firms use big data. Big data raises the possibility that an individual’s circumstances may not be factored into an insurance risk assessment. As part of its market study, the FCA may examine whether such an approach is contrary to Principle 6 of its Principles for Businesses, which requires that firms treat their customers fairly. Depending on the outcome of the review, the FCA may introduce specific consumer protection measures for the use of big data in underwriting.

Compliance measures will need to be reviewed and a risk assessment undertaken in order to implement appropriate security measures. These measures need to be documented and made available to regulators on request.

An insurance professional was recently reported as saying that most companies in the global market are not compliant with international standards. Many firms have no incident response plan in place, not even one covering how to let their customers know that a breach has occurred. They are simply ill-prepared for a data breach that is, sooner or later, inevitable. A survey by technology company Xchanging in November 2015 reported that only one third of insurers in the London market believed they could withstand a major cyber attack. As in all areas of business, customers will be increasingly concerned about the cyber security of a company offering them services. Failure to demonstrate good cyber security will mean failure to win new customers.

2016 looks like being the year the insurance industry is forced to take cyber security more seriously and make it a top priority for the board.

Why Company Boards must take Cyber Security out of the too difficult pile!

Posted on : 27-11-2015 | By : Jack.Rawden | In : Cyber Security



Lady Barbara Judge was recently quoted as saying that the “whole issue of cyber security is so overwhelming to boards that they often put it in the ‘too difficult’ category”.

A recent survey of the UK’s FTSE 350 companies showed that although companies are worried about cyber security, about a quarter of them fail to take any action. In the age of a growing cyber threat landscape and the resulting rise in litigation, this is a risk that boards can no longer afford to ignore!

So what are the reasons for this complacency? The FT/ICSA Boardroom Bellwether survey found that companies simply feel they have bigger fish to fry and more important risks to be concerned about. Politics and the debate about the UK leaving the EU, together with litigation, were considered more critical risk factors. Is this because, fundamentally, as Lady Judge said, boards often lack the knowledge to understand the cyber threat and all that it entails?

Cyber security is seen as a buzzword associated with scaremongering rather than a reality. Board members are baffled by cyber threat terminology, not understanding the IT language in which cyber security is often communicated. Where directors do accept that a cyber attack is likely to happen, they think that financially they can afford to “take the hit”. However, with the increasing litigation over cyber security breaches, and the fact that litigation generally is already high on their risk list, companies will be forced to take a more proactive approach to their information security.

UK companies are governed by the UK Corporate Governance Code, which states that directors are expected to assess and mitigate the principal risks facing the company, with UK listed firms required to make a statement to this effect in their annual report. Although the Code is not legally binding, the proxy adviser Institutional Shareholder Services (ISS) can, under extraordinary circumstances, recommend that shareholders vote against individual directors for material failures of governance, stewardship or risk oversight.

After the Target breach in the US, the CIO and then the CEO resigned as a result of public and shareholder pressure. This shows that shareholders are not afraid to scrutinise company directors and the board for failing to take adequate steps to protect the company’s information and prevent the damage. Whilst most litigation resulting from cyber attacks has so far been in the US, it is only a matter of time before we see a significant case in the UK.

Litigation in the UK has until now been rare, the main reason being the difficulty of establishing the nature and extent of financial loss in the aftermath of a breach. However, in Google Inc v Vidal-Hall earlier this year, the Court of Appeal found that the claimants could claim damages for distress under the Data Protection Act without having to prove pecuniary loss. This has greatly increased the scope for compensation claims in the future.

Regulators are also keen to be seen to be taking tougher action on data loss, with fines from the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) on the increase. At the moment the ICO can impose fines of up to £500,000. The draft EU General Data Protection Regulation, in the text backed by the European Parliament, would allow fines of up to 5% of annual worldwide turnover or 100 million euros, whichever is the greater; even at the lower ceiling of 4% or 20 million euros in the final text agreed in December 2015, the step change from today’s maximum is enormous.

Directors in the UK are under increasing pressure to account for any failures of their company’s data protection policies. They must reassess their duty to exercise reasonable skill and care in mitigating the principal risks to their business. This now means reviewing their information security risks, protecting their most critical information and putting robust plans in place to deal with a breach when, not if, it happens!

To find out how Broadgate might assist with this, please visit our Assurity page. We specialise in working with boards to identify their key cyber security risks and how to protect against them.