What is happening in the financial sector is relevant to everyone, according to Deloitte partners Stephen Bonner and Nick Seaver.
“We think financial services is the canary in the coalmine,” Bonner told delegates at the 2018 IISP Congress in London.
“We see that whatever regulation starts in financial services ends up being copied in other industries,” he said. “So what we see starting to be developed in financial services around the management of cyber risk, we expect to see implemented in other industries.”
Although it is fairly well understood that financial institutions can lose data, Seaver said that in the past two years there has been a growing focus on data integrity and data availability.
“As a result, financial services firms have been struggling this past year with things like the encryption of sensitive data at rest due to regulatory pressure,” he said.
Other areas of concern and debate in the past year have included how to create and maintain a cyber security culture to support IT controls, identifying key data assets, breach reporting and recovery plans, he said.
“Breach reporting is becoming increasingly complex, especially with most regulators expecting breaches to be reported, once discovered, within a fairly short timeframe,” said Seaver. “One financial sector regulation in Singapore requires notification within just one hour of discovery.
“There are also increasing regulatory requirements for financial institutions to be able to recover their core systems within timeframes that are nearly impossible.”
Looking ahead, Seaver said organisations should note the increased focus in financial sector regulations around penetration testing and red teaming, having adequate resources to recover from cyber attacks, business continuity capabilities, the ability to quantify and mitigate cyber risks, back-up capabilities to avoid ransomware attacks, and being able to demonstrate adequate cyber security skills.
The obvious “biggie” for 2018, said Bonner, is the EU’s General Data Protection Regulation (GDPR). “And while there has been a lot of focus on the compliance deadline of 25 May, there are things that need to be done after that,” he said.
Many organisations have concentrated on manual solutions and other quick-fix options to be in a “good position” for the compliance deadline, said Bonner. “But there isn’t necessarily an adequate level of preparation for achieving a sustainable, long-term view,” he added.
Three key areas are likely to attract the attention of the regulator, said Bonner – crises, complaints and crusaders.
“So if you have a massive data breach or accidentally sell 87 million people’s data, then the regulator is going to pay attention,” he said.
“While it is generally not possible to control when you have a crisis, quite often the cause of these crises is a cyber security incident, so it is worth information security teams in organisations engaging with the privacy teams to help understand where the organisation’s core risks lie, so they can prepare for these crises. A good response makes a huge difference.”
Another thing that “absolutely attracts regulator attention”, said Bonner, is “pockets of complaints”. Even if the regulator does not have the resources to follow up on every single isolated complaint, it will pay attention if there are several customer complaints about a single organisation.
“The lack of resources means that regulators will draw conclusions based on the nature and volume of the complaints,” he said. “So it could be by chance that a couple of entirely separate parts of your organisation have an issue that gets escalated to the regulator, but the conclusion will be that the organisation has a systemic problem. So making sure you can manage complaints well is very important.”
Two of the most likely drivers of complaints, and therefore areas that organisations need to focus on, are poorly handled data subject access requests and unsolicited emails and texts, said Bonner.
“In this context, security professionals can help the privacy team by helping them to know where to look for the personal data needed for subject access requests,” he said. “Helping shorten the time it takes to respond will reduce the likelihood of complaints.”
Information security professionals also have a role in helping organisations to ensure they are not spamming customers and that communications teams within organisations are following best practices, he said.
Thirdly, said Bonner, organisations need to understand that there are “crusaders” who are dedicated to finding and highlighting privacy issues.
Again, security professionals have a role to play because they should have a good inventory of their organisation’s external-facing websites, said Bonner. “Security teams typically scan external-facing websites for security risks, and may be able to extend that to identify privacy notices to ensure they are being kept up to date and that any outdated ones are removed.”
Follow the ICO’s lead
These three areas are the key focus as the “regulators spin up” for enforcing the GDPR in the next six months, said Bonner, but in the longer term, organisations should follow the lead of the UK Information Commissioner’s Office (ICO) in terms of technology areas to focus on.
“The ICO’s technology strategy highlights another three key areas that they are going to be focusing on in the medium term around privacy – namely cyber security, artificial intelligence and machine learning, and device tracking,” he said.
Bonner also highlighted the ICO’s plans to set up a “regulatory sandbox” to enable organisations to test and safety check innovations using personal data before taking them live.
According to information commissioner Elizabeth Denham, the facility will enable organisations to beta test initiatives and will support innovative digital products and services, while ensuring that the right safeguards are in place.
Another key thing for organisations to note within the GDPR is the possibility of class actions, said Bonner.
“There is still debate around how this will work in the UK post-Brexit, but organisations need to be aware that the GDPR provides the opportunity for groups of people to come together to drive their own legal challenges rather than relying on the regulators, which could be a big and important change,” he said.
In summary, Bonner said that customers, politicians and the media are paying more attention to cyber security and, consequently, so are the regulators.
“But the focus is not just on traditional cyber security, but also on privacy and the respect and treatment of customers,” he said. “While the focus has been on the financial services industry, we fully predict that the trends in this sector will eventually affect just about every other type of business, and so it is probably wise to get ahead of the regulation before things like red teaming become mandatory.”