
Over the past several years, ransomware attacks have surged, with 236.1 million attacks reported globally in 2022. As more traders rely on digital platforms for trading, they become more vulnerable to such attacks.

 The primary concern after a ransomware attack is restoring access to your financial data. It may seem like paying the ransom is an easier solution, but it's not advisable. There's no guarantee that you'll get your data back, and you may be exposing yourself to further attacks.

Here are some steps you can take to recover your financial data after a ransomware attack:

Restore From Backups

 It's essential to keep regular backups of your financial data to ensure you can recover it in the event of an attack. So, if you have a backup in an external storage device, simply connect it to a system that's not affected by the Ransomware and restore the data. 

Similarly, you can also access your lost financial data through Windows Backup Restore. For that, go to Control Panel > Select external device > Select Backup and Restore. Follow the instructions to restore your backup. While we have given an example for the Windows system, you can restore your financial backups according to your OS.

Also, make a habit of keeping backups of all the trading data that's relevant to you. To avoid the hassle of backing it up all at once, you can keep storing it as you get the data. For example, if you have recently discovered something crucial about crude oil future gains, quickly save the data in your system and make a backup of it side-by-side.

Connect with Data Recovery Professionals

If you don't have backups, don't worry! You can still get access to your data by connecting with data recovery service providers. With years of experience and proficient assistance, a good data recovery provider can help you with full data recovery after a ransomware attack.

These ransomware recovery services offer several benefits to save you from data loss. They can work by initiating a thorough investigation, decrypting data, and providing cyber-security analysis to ensure the best outcomes.

If you choose a good service provider, you can stay assured of as much as a 96.7% success rate in data restoration. In most cases, the professionals under data recovery services work by:

Evaluating: Identify the Ransomware attack and come up with an immediate plan.

Reviewing: Review and analyze all the situations to understand the problem. 

Recovering: Implement the best strategies to recover the financial data. 

Verifying: Verify with you whether they have restored all the financial data you may have lost.

Delivering: Send you the complete financial database in a drive either digitally or through secure shipping. 

Taking help from data recovery professionals is the easiest and most secure way to get back your financial data after a Ransomware attack. That's because Ransomware is an awful cyber threat. Any wrong move can become a loss for you or your organization. So, it's best to connect with experienced individuals and let them do their work. 

Things You May Do Before the Data Recovery Professionals Arrive

Until the data recovery professionals arrive, you can try some methods to prevent any further data loss from your system. For example, you can:

Note Down the Details: Quickly take a look at the Ransomware file and note down the important details like file name, extension, and a ransom note. You can also take a quick picture of these details if you want to save time during data recovery.

Isolate the Infected System: Next, isolate the infected system so the Ransomware doesn't spread to other files. It's the quickest way to secure your networks and prevent any further data loss.

Disconnect Other Devices: If you have any device connected to the infected network, disconnect it immediately. People often connect their phones, tablets, and PCs to their systems. As these devices may hold crucial financial information, they are more prone to be attacked by hackers.

Change Passwords: If you have any online accounts logged in to the infected system, change the passwords of these accounts through another device. Once the Ransomware clears off, change the password again to be on the safer side.
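
For the "Note Down the Details" step above, here is an added example (not part of the original article) of a read-only Python script that records the renamed files, the appended extension and likely ransom notes so they can be handed to the recovery team. The known-extension list, the size threshold and the sample file names are assumptions; it is meant to be run from an unaffected machine against the isolated disk or a copy of it.

```python
import hashlib
import os
from collections import Counter, defaultdict
from datetime import datetime, timezone
from pathlib import Path

# Assumptions (not from the article): extensions your documents normally use,
# and thresholds for what counts as a possible ransom note.
KNOWN_DOC_EXTS = {".xlsx", ".xls", ".csv", ".pdf", ".docx", ".txt", ".json"}
NOTE_MAX_BYTES = 64 * 1024  # notes are usually small text or HTML files
NOTE_MIN_DIRS = 2           # identical content dropped in several folders


def sha256_of(path):
    """Hash a file in chunks; the file is opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root):
    """Walk `root` read-only and summarise what the recovery team will ask for."""
    appended = Counter()              # extension added on top of a document extension
    renamed = []                      # files that look renamed by the ransomware
    small_by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
                suffixes = [s.lower() for s in path.suffixes]
                if (len(suffixes) >= 2 and suffixes[-2] in KNOWN_DOC_EXTS
                        and suffixes[-1] not in KNOWN_DOC_EXTS):
                    # e.g. positions.csv.locked: a document with an extra suffix
                    appended[suffixes[-1]] += 1
                    renamed.append({
                        "path": str(path),
                        "size": st.st_size,
                        "modified_utc": datetime.fromtimestamp(
                            st.st_mtime, tz=timezone.utc).isoformat(),
                    })
                elif 0 < st.st_size <= NOTE_MAX_BYTES:
                    small_by_hash[sha256_of(path)].append(path)
            except OSError:
                continue  # unreadable file: skip it, never modify anything

    # A small file with identical content in several folders is a note candidate.
    notes = []
    for digest, paths in small_by_hash.items():
        if len({p.parent for p in paths}) >= NOTE_MIN_DIRS:
            notes.append({
                "sha256": digest,
                "names": sorted({p.name for p in paths}),
                "paths": sorted(str(p) for p in paths),
            })
    return {
        "appended_extensions": appended.most_common(),
        # Oldest first: a rough indicator of when the renaming started.
        "renamed_files": sorted(
            renamed, key=lambda r: datetime.fromisoformat(r["modified_utc"])),
        "note_candidates": notes,
    }


def build_sample(root):
    """Constructed sample tree; file names and the '.locked' suffix are made up."""
    root = Path(root)
    for rel in ("trades/2023.xlsx.locked", "trades/positions.csv.locked",
                "tax/return.pdf.locked", "tax/untouched.pdf"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(rel.encode())  # unique placeholder content per file
    for folder in ("trades", "tax"):
        (root / folder / "HOW_TO_RECOVER.txt").write_text("constructed note text")


if __name__ == "__main__":
    import json
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(json.dumps(triage(tmp), indent=2))
```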

Remember, protecting your financial data is just as important as managing your portfolio. Take precautions and follow cybersecurity regulations to prevent such attacks from occurring again.

Final Note

By remaining calm and taking the right steps, you can restore your trading data after a ransomware attack. Back up your data regularly, connect with data recovery professionals, and take steps to prevent further data loss. We hope this guide was helpful with your concern. 

Grainne McKeever, Marketing and Communications Consultant at Imperva, shares an outline of the regulations with which financial services must comply in 2020.

The Sarbanes-Oxley Act (SOX) was introduced following a number of financial scandals involving huge conglomerates and obliges companies to establish internal controls to prevent fraud and abuse, holding senior managers accountable for the accuracy of financial reporting.

The financial crisis in 2008 meant even tighter rules for financial services with the Dodd-Frank Wall Street Reform and Consumer Protection Act in the US bringing a great deal of new regulations for the sector. In Europe, in a joint move between the UK, France and Germany, banks were forced to contribute to the region’s economic recovery by paying an annual tax levy.

The UK experienced a complete overhaul of its financial regulatory structure when the existing tripartite system was abolished and replaced by a new framework consisting of the Financial Policy Committee (FPC), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). Since then, new regional directives have materialised, including the New York State Department of Financial Services’ (NYDFS) regulation, and the Monetary Authority of Singapore’s (MAS-TRM) guidelines.

Driven largely by digital transformation, the emergence of much more rigorous privacy and security regulations around the globe such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States, has created additional regulatory layers for organisations to comply with. While GDPR is not specific to financial services, it has had an enormous impact on this industry.

A common requirement of many regulations is to appoint a Chief Information Security Officer (CISO), Chief Technical Officer (CTO) or, in the case of GDPR, a Data Protection Officer (DPO). Each of these appointments come with specific obligations these roles must manage to ensure their organisations stay compliant.


Data Protection 

Many regulations are designed to protect personal customer data. The GDPR, for example, places the emphasis on commitment to individuals’ data privacy by implementing a Data Protection by Design approach, implying organisations need to build privacy and protection into their products, services, and applications.

Data privacy is also one of the key requirements of the NYDFS regulation which mandates that firms should implement and maintain policies and procedures for the protection of their information systems and the non-public information stored in them. For MAS-TRM, the protection of customer data, transactions and systems is included in its risk management principles and best practice standards.

Data Discovery

To protect your assets, first you need to know where your databases are located and what information they contain. Only when you have full visibility of what regulatory content your databases hold can you conduct an assessment to prioritise and assign a risk profile to datasets.


Data Monitoring

A recurring requirement of data regulation is that organisations should have visibility of user access to be able to answer WHO is accessing WHAT data, WHEN, and HOW that data is being used. This is certainly true of the GDPR which requires organisations to maintain a secure environment for data processing. For MAS-TRM, establishing appropriate security monitoring systems and processes is outlined as a requirement in the guidelines, “to facilitate prompt detection of unauthorised or malicious activities by internal and external parties.”

Incident Reporting

Reporting incidents in time is critical for avoiding regulatory penalties, which can be severe and costly for an organisation, both financially and in terms of reputational damage. However, security teams are often overwhelmed with large volumes of incident alerts risking a genuine threat slipping through the net.

Using advanced machine learning and peer group analysis to distil the number of alerts that bubble to the surface will make it easier to recognise a real breach in time to stop it from accessing internal networks.

With a plethora of privacy and security regulations grounding themselves in organisations across the world, there is no choice but to adhere to them to ensure the security of others, as well as making sure that accountability is at the forefront of all businesses in the financial sector. By financial services adhering to data protection, data discovery, data monitoring and incident reporting they will be able to continue to flourish whilst having security at heart.

To put this into perspective, the U.S. banking system alone held an estimated $17.4 trillion in assets at the end of 2017, whilst it also generated a staggering net income of $164.8 billion.

Banks are set to become more profitable in the future too, with advanced technology such as artificial intelligence (AI) expected to introduce more than $1 trillion in savings by the year 2030. This highlights the impact that technology is continuing to have on banking, with this relationship growing increasingly intertwined with every passing year.

In this article, we’ll explore this further whilst asking how the most recent innovations are impacting on banking in the digital age.

1. It has Ushered in the Age of Digital and Mobile Banking

Whereas banking used to require standing in queues and liaising with tellers, most transactions are now completed through digital means. In fact, an estimated four out of every 10 UK customers now bank using a mobile app, and this number is set to increase incrementally in the years to come.

So, whether you want to make an instant payment, transfer funds or open a brand new account with a service provider such as Think Money, the quickest and most efficient way of doing this is through digital means.

Technology is also making digital banking increasingly secure, with methods such as 2-step authentication having transformed the space in recent times.

We’re also seeing a significant rise in the use of biometric security methods, including advanced techniques such as fingertip authentication and facial recognition. These options provide the ideal compromise between high security and a seamless customer experience, and this is something that remains at the very heart of banking in the digital age.

2. It’s Using AI to Improve the Customer Experience

We touched earlier on AI, and how this will enable banks to make considerable savings and become more profitable in the future.

AI is also having a considerable impact from a consumer perspective, however, especially in terms of the banking experience that they enjoy.

Take the use of chatbots, for example, which can enhance the onboarding process when positioned as helpdesk agents. More specifically, they can answer the most basic and commonly asked questions and anticipate popular requests, enabling customers to resolve their queries as quickly as possible.

AI can also afford bankers a more detailed look at their customers’ behaviours and financial history, making it easier for them to provide real-time insights and offers that offer considerable value.

3. It’s Improved Data Protection in the Banking Sector

In the first half of 2015, it’s estimated that around 400 data breaches took place in the U.S. alone.

This number has fallen in recent times, as banks have identified the core issues that compromise customer details and introduced measures to provide more robust data protection.

Aforementioned biometric and 2-step authentication techniques have helped to secure users’ passwords, for example, whilst phishing scams and malware are also being combatted by 128-bit encryption and higher.

As a customer, you can also take advantage of secure wireless connections to safely access your bank accounts in the modern age, negating the risk posed by public networks and unsecured Wi-Fi hotspots.

When the General Data Protection Regulation came into force in May, it affected every company that does business within the European Union and the European Economic Area (EEA). Its main purpose is the protection of each individual’s data, but its privacy and compliance obligations have put a significant burden on companies of all sizes and across all sectors.

Similar legislation exists in Turkey, although there are distinct differences. On one notable point, however, they are in harmony: just as not complying with GDPR requirements carries substantial penalties, so does any breach of Turkish provisions. Failure to comply can lead to administrative fines and criminal penalties. As a result, every company that does business in Turkey already, or which plans to do so, needs to be aware of how these laws might affect their operations.

Partly in anticipation of GDPR, Turkish Data Protection Law (DPL) was enacted in 2016. Turkey’s supervisory authority, The Personal Data Protection Board (DPB), is still publishing assorted regulations and communiqués relating to it, as well as draft versions of secondary legislation. Under these changes, data controllers who deal with personal data are subject to multiple obligations. In addition, the legislation also applies to ordinary employees, making it significant for every company operating in Turkey.


So when comparing DPL with GDPR, what are the differences that impact businesses operating in Turkey? Although it stems from EU Directive 95/46/EC, DPL features several additions and revisions. It does, however, contain almost all of the same fair information practice principles, except that it does not allow for a “compatible purpose” interpretation and any further processing is prohibited. Where the subject gives consent that data may be compiled for a specific purpose, the controller can then use it for another purpose as long as further consent is obtained, or if further processing is needed for legitimate interests.

The grounds for processing under DPL are similar to GDPR - saving that explicit consent is needed when processing sensitive and non-sensitive personal data. Inevitably, this is much more time-consuming. Such a burdensome obligation would initially make it seem that DPL provides a higher level of data protection compared to GDPR, but DPL’s definition of explicit consent also has to be compared to GDPR’s regular consent. ‘Freely given, specific and informed consent’ is common to both, while GDPR further requires ‘unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.

While DPL consent might appear to be less onerous than GDPR, no DPB enforcement action has yet occurred: interpretation of explicit consent therefore remains uncertain. Under DPL, the processing grounds for sensitive personal data are notably more limited than under GDPR – with the exception of explicit consent, the majority of sensitive personal data can be processed, but only if it is currently permitted under Turkish law. The sole exception is data relating to public health matters.


Equally burdensome under DPL is the cross-border transfer of personal data to a third country. As determined by the DPB, the country of destination must have sufficient protection – either that, or parties must commit to provide it. DPL also states that: “In cases where interests of Turkey or the data subject will be seriously harmed, personal data shall only be transferred abroad upon the approval of the Board by obtaining the opinion of relevant public institutions and organisations”. Under this provision, data controllers must decide whether a transfer could cause serious harm, and if it does, they need to obtain DPL approval. However, it is unclear how these interests might be determined.

Controllers have to maintain internal records under GDPR, whereas DPL does not make any general requirement to register with the data protection authorities. Instead it has a hybrid solution: registration and record-keeping requirements. DPL specifies a registration mechanism: data controllers have to register with a dedicated registry. Under a draft DPB regulation, before completing their registration they are required to hand over their Personal Data Processing Inventory and Personal Data Retention and Destruction Policy to the DPB.

For businesses which have to comply with DPL, GDPR, or both, it would be prudent to ensure that they are not duplicating their efforts. The best way to achieve this is by aiming for a flexible compliance model that successfully meets the obligations of the regulatory authorities across multiple jurisdictions.

Website: www.kilinclaw.com.tr/en/

 

Effectiveness So Far

The run up to the implementation date of the EU General Data Protection Regulation on 25 May 2018 saw a flurry of activity – most visibly in communications with customers; notifying them of changes in privacy policies and seeking their opt-in consent for marketing activities. While many communications were not strictly necessary, they reflected the focus of many businesses on external-facing compliance initiatives, such as their public facing privacy policies and contractual arrangements with vendors.

The key practical challenges for businesses have centered on thoroughly operationalising GDPR and creating a GDPR compliance culture. The GDPR introduces some new and enhanced rights, such as the right to erasure, but equally importantly, it introduces principles which require changes to internal procedures and systems. Technology changes have often been time-consuming and expensive to implement. Creating a GDPR compliance culture has, for many businesses, been equally challenging. For many organisations, the area of focus in the short to medium term is the work required on internal-facing compliance initiatives, such as staff training and policy formulation and integration. While many aspects of GDPR compliance have taken the form of a ‘re-papering’ exercise, the challenges in becoming compliant are generally much deeper.


Practical challenges faced by businesses

Some of the practical challenges faced by businesses have been in identifying and understanding the scope of the personal data held and processed – including its nature, location, security requirements and, most fundamentally, the business drivers and legal grounds for collecting and processing such data in the first place. While principles of data minimisation and purpose limitation are not new under the GDPR, they were frequently overlooked under previous legislation as businesses collected increasing amounts of personal data and used them in ways which were not necessarily consistent with the original purpose. Many businesses have not properly addressed these fundamental issues which are frequently coming to light in practice in two key areas: managing data subject rights and responding to data breaches.

For example, the right to erasure applies in a specific set of situations but many organisations do not possess the level of granular detail about their processing operations required to respond accurately or efficiently. Organisations which have made superficial policy changes will lack the deeper understanding of the internal business processes resulting from a detailed data mapping exercise or a thorough analysis of an organisation’s grounds for processing. This often makes responding to such requests much more time-consuming, and in certain cases leads to organisations fulfilling requests by default to save administrative burden. This is far from ideal, particularly where some data categories processed about an individual are likely to be outside the scope of the right to erasure. Moreover, there may be legitimate business reasons for retaining such data. A related practical issue is the lack of uniformity across European jurisdictions on exemptions to and derogations from the rights of individuals to have access to their personal data, and the lack of guidance from regulators on the scope of some of the exemptions.


Another area where the lack of internal awareness becomes apparent is in respect of data breaches. The GDPR defines a data breach extremely broadly. Media attention is often focused on large-scale breaches involving millions of records containing financial and sensitive personal data. However, practically any unauthorised access to personal data (including within an organisation) can amount to a notifiable breach. This reflects the volume of data breaches which regulators are handling – with some European regulators handling between six and twelve breach notifications each day. The GDPR imposes a well-publicised default period of 72 hours during which the appropriate regulatory authority must be notified. This frequently exposes, in real time, knowledge gaps within an organisation relating to the nature and location of the personal data held, security arrangements and internal processes.

Overall impact on businesses

The GDPR is a reflection of the increased importance placed by EU law on personal privacy as a fundamental right, which needs to be taken into account when treating personal data as an essential input in business processes, if not a commodity in itself. That is simply an unavoidable cost of doing business. While increased awareness of such rights has been positive, the notification fatigue suffered by individuals has been less beneficial. This resulted partly from the lack of concrete guidance from regulators sufficiently early in the run up to the implementation date. Similarly, for businesses outside the EU, the uncertainties regarding the GDPR’s extra-territorial scope have often resulted in protracted discussions and unnecessary compliance burdens. That said, there is an almost inevitable harmonisation upwards towards EU privacy standards. For example, Japan has harmonised its laws to EU standards, and there are forthcoming changes in the United States – currently the state of California, but potentially at a federal level – to move towards GDPR standards. The key test of the GDPR’s effectiveness and overall credibility will be in enforcement. Six months in, it is still too early to gauge regulatory appetite for the headline fines of up to 4% of global revenue. In the coming months, the results of investigations and enforcement actions will start becoming clear. The internal costs to businesses are more difficult to assess, although they are largely unavoidable.

Website: https://www.faegrebd.com/

To hear about GDPR in Portugal, this month we connected with João de Sousa Guimarães, Managing Partner at Teixeira & Guimarães (T&G). Based in Porto, and with a branch office in Lisbon, the boutique firm provides financial and corporate legal support to national and global companies.

 

GDPR came into effect on 25th May – how did the Portuguese Government prepare for the new regulations?

The truth is that until recently, there haven’t been any national regulations in relation to GDPR. The Portuguese Government in fact tried to dismiss the penalties for the public sector’s non-compliance, which was faced with divided opinions, as it meant that private companies are being treated differently. Thus, the Government didn’t get the national parliament’s approval to pass a set of regulations and the issue is still to be discussed.

 

Are the majority of Portuguese companies compliant with the new regulations now?

No, they are not. The previous EU data protection directive has been in effect over the past 20 years, but Portuguese companies weren’t taking it seriously. Since November 2017, we have noticed the effort that big corporations have been making to be GDPR compliant, but there’s still a long way to go – especially for Portuguese SMEs and the public sector.

 

What are the key GDPR challenges that Portuguese SMEs are faced with?

I believe that the key challenge they are faced with is the paradigm shift. Up until now, most of the SMEs in Portugal simply haven’t considered data protection as a major issue in today’s world. And I’m not only talking about digital customer relationships – there are so many companies that collect and store customer data in physical form, without having any internal safety policies. Most SMEs don’t fully understand the importance of data protection. They see the implementation of GDPR as something unnecessary that will only cost them money, as opposed to an opportunity to improve their relationships with the company’s stakeholders and clients.

The paradigm is shifting. And even though most SMEs are afraid of the penalties (and so is the Portuguese government itself), things have started to improve.

 

What is your piece of advice for companies that are not GDPR compliant yet?

I think the most important thing for companies that are not compliant yet is to understand this paradigm shift. They need to find the gaps between their current policies and what GDPR requires.  They then should seek advice on how to become compliant and properly handle their clients’, employees’ and service providers’ personal data.

 

About Teixeira & Guimarães

T&G has recently started the ESSA (Early Stage Startup Advising) programme, which consists of a number of legal services that entrepreneurs usually need assistance with. This includes things like intellectual property, corporate support and more.

The firm has an excellent relationship with several universities, being the first (and only) law firm that has been case studied by an MBA International programme (at Catolica Porto Business School).

By January 2017, T&G was the first law firm in Portugal that had its quality management system certified by SGS ICS, within the scope of Legal Service Provider and Credit Litigation.

T&G is a founder associate of the Portuguese Association for FinTech and InsurTech (AFIP) and has been involved with the Portuguese Youth Entrepreneur Association (ANJE). The firm has provided legal mentoring to the Startup Porto Accelerator as well as to the Portuguese Business Angel Association (APBA).

Teixeira & Guimarães was awarded Boutique Law Firm of the Year 2018 by the Corporate Livewire Innovation & Excellence, as well as Litigation Advisory Firm of the Year 2018 by the Finance Monthly Global Awards.

 

Website: http://www.tesg.pt/

Online fraud against UK citizens has become a topic for widespread discussion as more avenues for data theft are opened to criminals. Below Finance Monthly discusses with experts at Money Guru, the true value of your personal data and the cost of keeping it safe.

Experian places the annual cost of fraud against Brits at £6.8bn and, with more and more of our personal information available online, it’s likely to rise unless proper precautions are taken.

If you aren’t savvy with your data, which includes everything from social media logins to financial details, it could end up being available to malicious actors online through channels like the dark web.

Personal finance experts Money Guru have conducted research on several Dark Web marketplaces to find the average cost of stolen data. Their findings are shocking to say the least.

Access to someone’s entire online identity is available for less than £750.

26 of the most commonly used accounts available on the Dark Web can be purchased for a grand total of… £744.30.

Digging deeper into the online services that each individual Brit is likely to use, it becomes even more shocking with the full details of 16 accounts including finance, travel, entertainment and email credentials, available for £696.90.

Let’s look at each individual data classification to find out how the loss of even one set of account details could seriously affect you.

Financial Information

Scammers can buy credit card and debit card details, online banking logins, passwords and PayPal account information – that’s all of these combined - for £619.40. This not only allows malicious actors access to your funds, but also a wealth of personal data that can be used for identity fraud.

Online Shopping Details

You may not be overly concerned with the security of your online shopping accounts, but they provide a great level of insight into your transactional habits as well as providing criminals the ability to order products through your account via a mail drop.

Travel Account Information

With access to accounts like Uber and Airbnb, malicious actors are given access to a lot of sensitive locational data. Not only can they access the basic details you enter to create an account, they will also be able to monitor your travel habits.

Entertainment Account Information

It’s tough to find someone who doesn’t have a Spotify or Netflix account these days making them a popular target for online criminals. At the less serious end of the spectrum it enables access to free entertainment while on the more sinister side it provides password clues to other associated accounts.

Social Media Account Information

There are few better methods of gaining insight into someone’s life than their social media accounts. These details are frequently stolen to sell to companies with few scruples about targeted advertising. It’s also a fast track to identity theft.

Email & Mobile Account Data

Being able to access emails and mobile account data provides fraudsters with a treasure trove of information about their target. It offers a jump off point for the popular, low-effort practice of spear-phishing – where a malicious actor tries to gain the credentials to more valuable accounts via social engineering and malware.

To compile this study, Money Guru accessed some of the most popular dark web marketplaces (‘Dream Market’, ‘Wall St Market’ and ‘Berlusconi Market’) to find an average price for each piece of personal data.

The big takeaway from their research is that your personal data really isn’t worth a great deal to online criminals. While the average amount stolen from a UK fraud victim is relatively small, 39% of cases result in £250 or more being stolen. In 25% of cases, this amount can vary from £500-£40,000.

The fact that it costs scammers less than £750 to access 26 accounts when it would only take a fraction of this number to potentially access tens of thousands is a frightening one.

The long-awaited General Data Protection Regulation (GDPR) becomes legislation in a week, on 25 May 2018. Below Narrinder Taggar, Partner and defendant personal injury insurance litigation specialist at Shakespeare Martineau, sheds light on the extended implications of the regulation on the insurance sector.

With GDPR coming into play, organisations across a wide variety of sectors and industries, including insurance companies, will be forced to adjust and assess their data protection strategies or face fines of up to €20 million or 4% of annual turnover, whichever is greater.

The GDPR contains rules protecting individuals when their personal data is processed. This also includes further rights around how this personal data is handled and shared with other parties.

The sensitive nature of personal information used in many insurance claims could cause a serious headache for the industry and is set to cause significant disruption to how all parties involved in the insurance claims process store, manage and process personal data. The risk created when information is shared between claimants and their advisors, brokers, insurers and other parties, such as medical professionals, all of which would be classed as “data controllers”, is great.

A data controller determines the purposes, conditions and means of the processing of personal data. The data processor is the entity that processes data on behalf of the data controller.

But what about accident investigators, who are instructed to process data on behalf of the data controller? They may well be data controllers for the purposes of obtaining and drafting witness statements which would be subject to legal professional privilege until such time the statements are disclosed to any third parties. Of course, it should be noted that a claimant does not have a right to access any data which is subject to legal professional privilege.

With the GDPR placing a greater emphasis on transparency and accountability, the insurance industry will have to be even more careful with the storage of sensitive data. With personal data being intrinsically linked to the claims process and regularly being shared with third parties, the need to be prepared is particularly urgent and parties must rethink exactly how this information is shared during the process.

Hard copy documents such as instructions to barristers may have previously been sent in the post. However, under the new GDPR it remains to be seen whether this way of sharing sensitive documents will still be deemed to be a compliant activity. Instead, encrypting files containing sensitive personal data is set to become the norm.

Under the GDPR all data controllers will be responsible not only for ensuring that the receiver, or processor, is GDPR-compliant, but also for finding out how they intend to store and use the data and to delete it once it is no longer required. This can be achieved through the arrangement of a data sharing agreement. This might include a description of the data processing, an assessment of any possible risks and how those risks will be mitigated. Because of the need to ensure compliance throughout all stages of the process, those involved in insurance claims, for example insurers and their solicitors, should set up data sharing agreements with their contacts and suppliers, including other data controllers.

However, the duty of compliance also continues after the claims have been settled. The 'right to be forgotten' places a responsibility on the controller to delete any personal data if requested by the subject and not to keep data any longer ‘than is necessary for the purposes for which the personal data is processed’. Yet, there are a number of grounds on which data controllers may keep personal data, including if it needs to be retained in case of any further legal proceedings, for example appeals. Therefore, organisations may need to set their own retention periods for data depending on the information in question and how it may be used in future. It is worth remembering in this case that any data deemed relevant must be recorded and held securely offline.

Under the new requirements, data controllers will be obliged to report breaches to the relevant authority within the first 72 hours. Should a breach occur under the new legislation, the fault will lie not only with the data controller but could also lie with the data processor who shared the information, making it vital for all parties to be accountable for the information they process.

The GDPR has undoubtedly changed the goal posts for the insurance industry and many questions still remain around the identification of sensitive information and how the usual correspondence between parties will be affected after the new legislation is introduced. With such large penalties coming into play, the worry of doing something wrong has never been greater.

The industry currently awaits further guidance from the UK Information Commissioner on what the legislation will really mean in practice. However, with the deadline fast approaching, doing nothing is no longer an option. The industry must prioritise collaboration and transparency, in order to ensure they are fully prepared for the changes ahead.

GDPR requires every firm to classify, review and enhance controls around its third parties (ref: GDPR Chapter 4)

As the GDPR go-live date of 25th May 2018 looms, every CFO and their colleagues responsible for both risk management and third parties should be aware of the importance of third-party relationships. Articles within the GDPR set out the fundamental requirements for ‘Data Controllers’ - about the nature of external contracts, the ongoing relationships with third-party ‘Data Processors’ and governing and managing those relationships effectively. Compliance around personal data is currently ‘centre stage’, but GDPR provides an opportunity for a firm to improve the way in which its relationships with all third parties are managed and controlled, to derive wider value and business improvement.

 

The impact on business reputation from effective third-party management

Most business sectors rely upon a complex network of interrelationships and interconnected processing - the so-called ‘extended enterprise’, or ‘business ecosystem’. Within such models, trust becomes a key issue. Dealing with an external partner or supplier means there is an implicit exchange of trust, and in doing so, you commit to trust the other party with your own, valued, business reputation. Any firm can transfer some responsibility to handle, protect and process personal data correctly, in line with an agreement between the parties. But it cannot transfer the accountability. This is recognised within GDPR, and also the impending, new UK Data Protection Bill.

That some unfortunate incident will arise somewhere within the web of business relationships around your own firm is increasingly probable. Through GDPR, the general public is becoming more informed and increasingly concerned about privacy. Anyone potentially impacted by any incident involving personal data, plus also the wider ‘court of public opinion’, will seek answers to fundamental questions, e.g. should the firm have considered the possibility of such an issue arising?  Could the firm have done more to mitigate the issue? This becomes more complex when third parties are involved in the business value chain.

The Information Commissioner’s Office (ICO), who may suddenly be alerted to your existence, would start any enquiries with such fundamental questions. If you struggled to meet the ICO’s expectations about senior management being accountable for understanding, and being assured about how personal data is processed and managed, including by any appointed third parties, doubtless you would be on the back foot.

As any breach involving personal data manifests, unfolds and becomes public, it is highly probable that your business reputation will be impacted in some way. Typically, significant management time will then be required to attempt to rebuild that reputation, with consequent impact on the bottom line.

 

Organising and prioritising GDPR work on third parties

Driven by GDPR, your corporate inbox may reflect letters from various third-party suppliers, often including proposed changes to contractual terms. A piecemeal approach to responding is unlikely to be sensible or efficient. As a minimum, the CFO, or fellow responsible executive, should lay down three very straightforward challenges:

 

1.   Do we have an up-to-date inventory of all contracts and agreements with our third parties?

2.   Do we have a process to classify our third parties, from a personal data processing and GDPR perspective?

3.   Have we determined how much management effort will be required to manage and/or remediate the position, and what should we prioritise?

 

The challenge is usually far larger than initially expected, i.e. there may be third-party relationships managed disparately across the firm, some with no formal contract; little understanding about how you might classify those relationships for data protection purposes; or an over-ambitious estimate of the effort required to become compliant.

Identifying ‘processors’ and compliant contractual terms

The classification of each third-party relationship is vitally important. Fundamentally, not all of a firm’s ‘third parties’ are Data Processors from a data protection perspective. For those relationships that involve personal data, many may actually be ‘controller to controller’. A few others may be in the ‘joint controller’ category.

Only the balance will be ‘controller to processor’, which then invokes the specific GDPR requirements on the management of, and assurance around, Data Processors. The ICO website provides useful guidance on the characteristics of the relationship to help determine this classification.

Although you should ideally be proactive in doing your own inventory and classification work, third parties writing to you should make it clear how they classify their relationship with you. You must verify this carefully. Some considerations here include: which party collects what type of personal data, according to what lawful basis; and which party or parties determine the purpose and how the personal data gets processed. Further detailed analysis is required in each specific case.

If you identify another party as a ‘processor’ of personal data, it is a key priority to ensure that a suitable, compliant contract exists. The predecessor to GDPR, the DPA 1998, set out two minimum contractual provisions, i.e. a processor acting on the controller’s instructions, and provisions to be in place to implement security over personal data.

For GDPR, the ICO website includes guidance on a further six key provisions that now need to be reflected in contracts with third-party processors. This complex area has not been understood or applied well in practice, so this guidance is helpful.

Ongoing responsibilities regarding privacy, oversight & assessment

A working definition of third-party risk management is ‘the implementation of policies, strategies and processes to identify, assess, manage, and control risks presented by external third parties throughout the life cycle of relationships’, i.e. certainly not a one-off compliance exercise for GDPR, but an ongoing responsibility and an imperative for effective management, both of commercial outcomes and business reputation.

Crowe’s view is that three components are required for an effective third-party risk management approach that incorporates privacy risks. A comprehensive understanding of how personal data is handled across all business functions is a pre-requisite.

  1. Third-party privacy management approach

The firm’s privacy policies and notices should have been reviewed and be compliant for GDPR. But the privacy management approach should include a process to manage privacy risks across the supplier lifecycle. It should include: a classification of third parties, by third-party type and business risk; an appropriate privacy impact assessment if required; the standard and execution of privacy due diligence; the requirement for periodic assurance on privacy elements; and privacy-aligned contractual clauses to be incorporated.

For high-priority third parties, you need to be clear on how the control framework at the third party operates, including how they would respond to any incident involving personal data.

  2. Third-party oversight and control framework

Firms benefit from implementing a holistic oversight and control framework around their third parties. Taking privacy as just one of the components, this framework should incorporate all aspects required to manage third parties, including all required policies and standards. It should also include a formal reporting process, covering issues to be managed and escalated.

Definition of expected minimum standards for third parties is key, e.g. IT processing – ongoing ISO 27001 certification; core business processing – ongoing evidence through SOC reports; and payment processing – ongoing PCI-DSS compliance. Clearly, the specific standards and required controls will vary by type of third party. The involvement of the Finance function in monitoring key control standards can be essential.

  3. An ongoing third-party assessment programme

An effective management and governance approach for third parties requires a tiered assessment programme, using a risk-based, ‘triage’ concept for the nature and frequency of that assessment. The programme should reflect how those reviews and visits get executed e.g. questionnaire, third-party site visit etc.

 

When it’s done right, it’s never done

Effective management of third parties is complex. It has become a ‘core competence’ in many firms, and a competitive differentiator between firms. A holistic approach means delivering ongoing assurance around third parties, within a structured and risk-based framework. Getting it right can bring commercial returns, but can also help to protect the firm’s reputation - including where events or incidents arise.

GDPR brings new energy, which, although just focused on the personal data management imperative, can be helpful in highlighting that third-party risks have typically not been well managed to date. GDPR brings an ongoing responsibility for compliance, but also for firms to continue to implement effective governance, control and accountability over their network of third-party relationships.

 

Website: www.crowehorwath.com/UK 

Crowe Horwath LLP is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office and together with Neil Adams, and Neil Mockett, they are leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR and third-party risk management.

Darren Craig is an Associate Partner within Northdoor plc, an IT Consultancy specialising in Data Solutions. Founded in 1989, Northdoor has created a consultancy-led engagement model for clients looking to start their GDPR programme. In their experience, the company has found that companies are very confused about the legislation and need advice around the processes involved in meeting GDPR legislative requirements. The Northdoor Rapid Response programme allows clients to quickly define their strategy, clarify their existing position around data and data security and create a clear roadmap to allow them to progress towards meeting their GDPR target. Once the roadmap has been defined, Northdoor has a combination of consultancy services and a series of solutions to detect, encrypt and secure client data to ensure that their environment meets their needs. Here Darren tells Finance Monthly more about the GDPR-related services that Northdoor offers and the challenges that UK businesses are faced with less than 6 months before the looming deadline.

 

With the European Union General Data Protection Regulation coming into effect in May 2018, in your opinion, what are UK companies doing in terms of preparing for GDPR?

I think that so far, many companies have spent a lot of time educating themselves and building their awareness of what GDPR is. We’re finally beginning to see companies that are starting to implement programmes of work. However, there's still a large percentage of companies that we talk to every day that haven't even started their formal programmes yet and don't expect to start one until January next year.

 

Do you think that this will give them enough time? 

It depends on the size of the company, but I think that there will be a lot of British companies that won’t manage to be fully compliant by 25th May 2018.

 

Why do you think so many businesses in the UK have yet to initiate a GDPR compliance programme? 

I think it's a mixture of reasons. One of them is connected to the lack of marketing in relation to GDPR that the Information Commissioner’s Office (ICO) has done. I’m under the impression that a lot of companies think that GDPR is just another version of the Data Protection Act, which is not the case. It is in fact a very significant change, when compared to what the Data Protection Act expects them to do.

 

What are the first steps towards GDPR compliance? 

The first step is understanding the gaps within your business. It is fundamental for businesses to accept that data protection is not just an IT issue - it's a cross-business challenge that requires all departments to come on board as part of the GDPR project and identify the data protection gaps they have between their current processes.

 

What does a typical GDPR compliance project entail?

As mentioned, the project itself starts off with a gap analysis where companies identify the gaps they have. This is then followed by a discovery exercise in order to identify all the personal data information that the business currently processes. The third stage of the project is then taking that data and mapping it back to a process within the business. Finally, companies have to carry out a Privacy Impact Assessment (PIA) against the process - only then do they fully understand the amount of work that they need to do in order to become GDPR compliant.

 

When assessing compliance, what areas do you find businesses commonly struggle with?

The most common challenge relates to marketing. Traditionally, companies use marketing data from lots of different sources, but under GDPR, they will require explicit consent to be able to use this information going forward.

The other challenging area is HR - the requirements are for Human Resources to make sure that they have the right legal basis in place to process their employee information.

The third area where we see companies struggle is third-party supply chains. Under the Data Protection Act, the supply chain wasn't liable, however, under GDPR, the supply chain and the owner of the data are equally liable. Thus, there's a legal requirement for every company to ensure that the third-party supply chains that they work with are also fully compliant.

 

Can you tell us more about the work you’re doing in the field of GDPR?

The work we're primarily doing at the moment is advisory work - helping companies understand how much work they need to do around GDPR compliance and establish their project plan.

 

Why should companies choose Northdoor to help them with their GDPR compliance projects?

Northdoor is not a company that's just jumped on the GDPR bandwagon – we have been a business for over 28 years and our key priority is to advise clients and help them manage their information assets effectively. We not only advise them in relation to compliance of data, but we also help them secure their data and get value from it. We manage the whole lifecycle of information assets throughout the business and this has always been our core focus.

 

For more information, please go to: https://www.northdoor.co.uk, email: info@northdoor.co.uk or call 0207 448 8500.

 

The rationale behind the regulation

The General Data Protection Regulation (GDPR), referred to by some as ‘the’ biggest change to European privacy laws in the last two decades, is causing commotion across the globe as businesses rush to become compliant by May 2018 or risk facing heavy sanctions.

Finalised in April 2016 the new regulation, which will replace the Data Protection Directive 95/46/EC, has the goal to better protect an individual’s personal data. For clarification purposes that could be any form of information leading to a person’s identification including but not limited to their name, email address, ID number, location data, income and bank details, health information and IP address.

 

So why a greater focus on the data subject?

Not so dissimilar to the rules of the road, a poignant comparison made by David Lewis, GRC Manager at cyber security specialists Imperva, a person visiting a website should be protected. When browsing online it is expected that our personal information is secure and makes it to its end destination safely too.

Unfortunately, as recounted in the press all too often of late, the risk of a visitor’s data being breached has increased exponentially.

In November of this year, details surrounding a breach suffered by Uber in 2016 surfaced. According to the company, 57 million people have been affected as a result of the cyber-attack. A month prior, detailed card payment information of approximately 60 000 Pizza Hut customers among other user data was thought to have been exposed to hackers. A month prior Deloitte was involved in a cyber-attack for which the real fall out has yet to be defined but is said to have compromised Deloitte's global email server. In July 2017, it became clear that Bupa’s data breach had impacted half a million customers.  In 2016, Android malware compromised over a million Google accounts. In 2013, Yahoo also disclosed a breach affecting up to 3 billion of its email users.

In response to the drop in user trust and confidence which inevitably negatively impacts businesses and the economy, governments are increasing regulatory safeguards.  Unlike the Directive, the GDPR will provide a single set of rules for all companies handling, storing, sharing and processing EU related personal data. Organisations will have to implement new measures to meet the requirements of the regulation and be extremely careful how they acquire, collect, use and store the data of their clients, customers and employees.

The implementation of a single regulation is thought to facilitate business processes in the long run and incentivise organisations to consolidate and streamline data in one place from the outset, where it can quickly be anonymised. The significant reduction in organisational costs, the potential for innovation and the building of greater rapport with customers as well as the decrease in brand and reputational damage associated with avoidable breaches are also argued to be among the benefits of the new regulation.

  

Cloud services and the GDPR

The rules of the GDPR apply irrespective of whether data is stored in the cloud or on paper. The former in particular presents several challenges with regard to compliance.

On the one hand, according to Elastica’s Shadow Data Threat Report, as little as one percent of cloud providers’ internal processes are compliant with the new legislation. Less than three percent enforce secure password policies to meet the requirements of the GDPR. This has in part got to do with the Directive’s emphasis on the controller rather than the processor, leaving many a provider unaccountable for the role they play in data privacy and security. Aside from the scenario where direct contractual obligations are enforced on behalf of the controller, processors are not held liable for loss or exposure of information. Where regulation isn’t an issue, cloud service providers can limit their focus to ease of use and navigation of their platforms and services.

On the other hand and according to the most recent Netskope Cloud Report, EU firms are unaware of how many cloud applications their organisations are actually using, which on average is believed to be over 600 software programs.

Under the new regulation, the rules will be far more stringent, the threat of fines as high as 20 million EUR or four percent of a company’s annual revenue (whichever is highest) real, and the sharing of liability binding between both processor and controller. Cloud providers as well as users must enforce a series of technical and organisational procedures to guarantee the level of security required. According to Dr. Rois Ni Thuama, Head of Cyber Governance at OnDMARC, the fines are not necessarily the biggest threat to a business’s bank account. The data subject’s right to sue following a breach, whatever the implications, is far more concerning.

“What we are seeing now is a clear division between a growing number of companies that say ‘wait, this GDPR thing is real’, and those who still don’t understand you cannot simply move data around the cloud without addressing data privacy. Privacy regulation is becoming mainstream in IT, in the same way that drug licensing became so for the pharmaceutical industry. It’s either make it clear that you comply, or forget about selling to serious customers,” says Bostjan Makarovic Founder of Aphaia, a GDPR-focused consultancy.

The attitudes of controllers and processors will need to change drastically, especially when it comes to negotiating agreements. Strict provisions on the scope of duties of the controller and processor will need to be defined and implemented. Annabel Jones, UK Director at ADP commented: “contractual due diligence will be even more important as businesses seek to partner up with companies that can show data is processed lawfully”. An increase in third party due diligence and a greater focus on insurance policies will most likely also be discernible.

 

Steps to compliance

When selecting a provider, cloud-using organisations need to ensure they choose vendors that are, in the first instance, able to tell their clients where the data they process and store is located. According to the GDPR, data transfer to a third party outside the EU that does not have adequate data protection standards is only allowed under certain circumstances. Currently only 11 countries meet such standards.

It is equally important that companies are made aware of any third parties involved in the processing of the data. According to Trustwave’s Global Security Report, approximately 63% of data breaches involve third parties who are often considered a company’s biggest area of risk exposure. As a result they will be the first to be investigated by regulators. If the latter are involved at some stage of the process, measures need to be taken to ensure that they too are compliant.

Security should be a top priority for providers, who ought to be able to explain the various measures adopted to protect data from modification, unsanctioned processing or loss. All data centers must be compliant with the latest ISO certifications, and the storage and transmission of documents should be carried out exclusively via SSL connection with AES 256-bit encryption. Regular penetration tests should be carried out to assess data security. Two-factor authentication, data deletion, trash retrieval and access controls are just some of the ways data owners can have autonomy on how and whether their data is kept.

 

About Drooms:

Drooms, Europe’s leading virtual data room provider, works with 25,000 companies around the world including leading consultancy firms, law firms, global real estate companies and corporations such as Morgan Stanley, JLL, JP Morgan, CBRE, and UBS. Over 10,000 complex transactions amounting to a total of over EUR 300 billion have been handled by the software specialist.

 

Website: https://drooms.com

 

 

Written by Justin Baxter, Neil Adams and Neil Mockett from Crowe Horwath

With only 12 months left until the new GDPR regulations come into force, many organisations are already busy, preparing for May 2018.  But for others, the challenge is still about getting started with a proportional approach that will enable sufficient progress in the time remaining, and provide a defensible position in the event of any breach or incident.  Unfortunately, there is no blueprint for easy compliance and no easy, plug-in solution.  Each firm will have a different starting point and will therefore need to determine its own approach. 

The ICO has described GDPR as a “journey”. This is very true, however, it is one that is best prepared for by taking into account some practical advice.

Give GDPR the level of sponsorship it deserves. Compliance with GDPR regulations, and data protection more generally, should be regarded as a key operational risk. As such, the board should appoint a member of the management committee to oversee progress. The potential for significant fines, exposure to legal action, and the inevitable bad publicity and reputational impact, should an incident occur, necessitate senior management oversight. However, GDPR is also about the rights of the individual, and the expectations individuals have of the firms holding their data and acting as custodian. Therefore, GDPR is also an issue of ‘conduct’ which, as Financial Services firms know all too well, can cause significant problems with the regulator if not taken seriously.

As with any business change, the direction, drive and tone from the top can be one of the main differences between success and failure, so it is worth ensuring you have the right sponsorship in place.

Getting started. There are many reasons why plenty of firms are struggling to get started. However, one of the key issues is that GDPR is a principles-based regulation and, in addition to detailed guidance on a number of key areas still being work in progress, the regulation is, quite simply, open to interpretation. As a result, in the absence of a more prescriptive GDPR “instruction manual”, organisations need to determine for themselves what GDPR means. This includes the organisation deciding where to set the “bar”, especially in areas where the regulations refer to rather unhelpful terms such as “appropriate” or “sufficient”.

Really understand what happens to data across the organisation.  This is such a simple statement to make, yet it is an absolutely critical starting point.  Organisations have to be brutally honest about the personally identifiable data they have, why they need it, where it came from, how it is used, where it is stored and where it goes.  For many organisations, performing this step is a daunting prospect. However, firms do not need to take a ‘scorched earth’ approach to understanding their data - even some high level work will most likely reveal where the key areas of concern exist.

Gaining this understanding as early as possible will prove extremely insightful, and should form the basis of many other areas of work over the next twelve months.

Identify the areas of greatest impact.  Although GDPR introduces a number of new requirements, for example in relation to gaining consent, or customer requests such as the right to ‘erasure’, much of it is not actually new and it is really just an extension of the core principles of the existing Data Protection Act (DPA).  An organisation’s existing maturity against the DPA will therefore have a significant bearing on the breadth and depth of scope that needs to be addressed under GDPR. In the absence of a detailed or recent DPA gap analysis, almost every organisation will have one or more open audit points relating to data protection, which is usually a good place to start.

Invest time upfront in developing formal data protection related policies and standards. Strong governance is important for lots of reasons, and well written policies and standards provide the foundations of good governance. In the case of GDPR, investing time early on to revise existing data protection policies to ensure they address the requirements of GDPR will help create clarity and focus for the organisation, and a point of reference against which compliance can be assessed. The exercise will also inevitably produce some surprises in terms of other related policies that will need to be amended to address GDPR, such as HR, Procurement, Outsourcing, and Information Security.

If in doubt, complete a Privacy Impact Assessment (PIA). The principle of embedding is key to successfully implementing any change, and in support of this aim for data protection, the ICO published guidance in 2014 on the use of PIAs as a business-as-usual (BAU) “tool”.  In effect, a PIA is a structured assessment of a given business situation with the explicit purpose of assessing the level of data protection related risk. Though originally conceived as a tool to be used in BAU, completing a PIA against areas of concern or uncertainty as you work towards compliance can be a very powerful, and extremely revealing, approach.

Model your response to Customer Requests. Subject Access Requests (SARs) are not a new concept.  But GDPR means they will become free of charge for members of the public. GDPR also introduces new customer rights, around areas such as portability and erasure. Therefore, it is reasonable to expect that volumes of customer requests will increase after May 2018. To address this situation, it is key to establish what would be involved in providing the information outlined in the regulations, including for the new request types.  Also key is the testing of scenarios where volumes significantly increase from historical levels, in order to understand their potential operational impact.

Don’t forget Third Parties. The changes in accountability and liability regarding Data Processors are significant under GDPR. While Data Controllers remain liable for infringements caused by their Data Processors, those Processors now also have direct duties under the GDPR. It is therefore critical for both Controllers and Processors to understand what has to happen to keep processing operations compliant. As most organisations have tens, if not hundreds, of third parties that they rely upon, this can be no small task and needs to be sized and tackled with the priority it deserves.

Information Security is key. This won’t be a surprise to most people; however, too often organisations seem to “miss the wood for the trees” when it comes to information security. There is little point spending small fortunes on leading-edge IT protection systems if a firm isn’t sure it has the basics in place – as an example, look no further than the recent attack on the NHS and issues caused by the lack of recent Windows patches. Also, information security is not just about the structured data held in core systems; it equally needs to apply to physical data and the unstructured or “dark” data that resides in emails, on network drives and the Excel downloads from core systems that all organisations possess.

Staff training and awareness.  Kicking off a gradual programme of awareness and training around the principles of data protection, and explaining to staff how the organisation is addressing the needs of GDPR, is essential.  How staff handle data related queries with customers and third parties will be a key factor in mitigating data protection risks, and demonstrating to customers, and the regulator, that the organisation takes data protection seriously. Organisations need to be careful not to neglect the ‘people’ side of things in favour of more tangible areas such as IT.

Complying with GDPR. Complying with new regulations is almost always harder than originally expected - vague requirements from the regulator, a fixed end date and a lack of in-house experience don’t tend to mix well. In reality, given the breadth of impacts from GDPR, most organisations will struggle to address every last detail before May 2018. Though this may be true, what is key is that organisations can demonstrate they understand the size and nature of the gaps they have to address, they have a plan in place and are making good progress, and they can show the regulator, and other key stakeholders, that they are in control and are taking GDPR seriously.

Crowe Horwath is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office and, together with Neil Adams and Neil Mockett, is leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR.

For more information, please email justin.baxter@crowehorwathgrc.com, neil.adams@crowehorwathgrc.com or neil.mockett@crowehorwathgrc.com.

 
