
Digital Financial Services: Data protection and cyber crime

  • United Kingdom
  • Financial services - Digital Financial Services

01-11-2016

On 5 October 2016, we hosted the latest in our Digital Financial Services seminar series: Data protection and cyber-crime. Matthew Gough, Head of Digital Financial Services, Paula Barrett, Global Head of Privacy & Information Law and Craig Rogers, Partner in IT & Outsourcing were joined by Adam Tyler of CSID and James Chappell of Digital Shadows.


Data protection

Paula Barrett focused on the General Data Protection Regulation (GDPR) and the EU Network and Information Security Directive (NISD). GDPR is set to come into force on 25 May 2018. These new security rules will apply to both the controller and the processor of the data. Like the current law, the regulation adopts a principle-based approach. Firms will have to provide evidence that they have the appropriate technical and organisational measures in place, as well as proper controls and testing of those measures.

Some key changes the GDPR will bring are:

  • Mandatory breach reporting: a data controller has an obligation to notify the ICO within 72 hours of becoming aware of a breach. Furthermore, unlike the previous regulation, the data processor also has an obligation to notify their data controller of a breach.

  • The regulation emphasises the need for accountability, requiring firms to evidence that they have security policies, effective means of recording and appropriate training in place to prevent security breaches.

  • The regulation also provides for a ‘Data Protection Officer’ (DPO) who has specific duties to ensure that security is not breached. Any work involving the profiling of individuals will need prior approval from the firm’s DPO.

A fine for breach of a data security obligation falls within the 2% turnover threshold. A breach of all other provisions is set at 4% of the global turnover of the ‘undertaking’, which can include both the parent and subsidiary company.

Furthermore, the relationship between data processors and data controllers will fundamentally change. Firms will need to be aware of this when entering into contracts with their data processors and may want to conduct pre-contract due diligence to include terms and schedules in order to protect themselves against third party risk.

The NISD was adopted on 17 May 2016 and will come into effect in the UK in May 2018. Like the GDPR, the NISD further increases security and reporting obligations of the organisations it covers. The directive applies to two types of organisations: (i) essential service providers and (ii) digital service providers. However, even if a firm does not fall under one of these categories, it should be mindful when working with third parties as third parties could be covered by the directive and therefore have additional reporting obligations.

Privacy and how things have changed

Adam Tyler revealed how our world has been fundamentally changed by the use of technology. Digital attacks are now commonplace. This is fuelled by the commercialisation of services which provide targeted cyber-attacks. An example of these services is a website that provides the software to launch a distributed denial of service attack on any website for a small fee. Adam brought this point to life by demonstrating the ease with which anyone can access these services. Other new forms of attack have been against Wi-Fi and 3G networks through the use of femtocells, which allow hackers to insert fraudulent data into Wi-Fi and 3G streams.

Adam concluded by saying that firms can defend themselves against such attacks by being aware that their biggest vulnerability can be their own employees. Adam spoke about BYOD, or ‘Bring Your Own Device’, in which employees bring their personal devices into work and access the corporate network. By doing so, employees can open up the most secure corporate systems to malicious software.

Cyber-security

Craig Rogers discussed cyber-security considerations for financial institutions and the importance of implementing robust policies and procedures to protect data and systems. The risk and impact have grown in recent years due to increased reliance on technology, multiple entry points, and the increased scale and sophistication of attacks.

Craig referred to a number of recent cases to highlight the shifting landscape: the theft of $81m from the Central Bank of Bangladesh following a breach of the SWIFT network; Fortelus Capital Management where the CFO was tricked into transferring $1.2m to dummy accounts; the DDoS attack on HSBC in January 2016; the Yahoo hack (where the personal data of 500 million users is thought to have been stolen); and the Carbanak hack (where hackers are thought to have misappropriated as much as $1bn from 100 banks in 30 countries).

The changing threat landscape, coupled with increased regulatory oversight, has resulted in increased focus at board level, with specific responsibility allocated to the CISO (Chief Information Security Officer).

Cyber attacks come in many different forms:

  • phishing or spear-phishing – emails sent to a group of people or to individuals to extract sensitive information or gain access to systems

  • DDoS – seeking to shut down a website or server by flooding it with web traffic

  • malware – software specifically designed to disrupt or gain access to computer systems

  • hacking – gaining unauthorised access to data or systems

“Cyber-Crime” is not a recognised concept in English law, and as such we have to apply criminal law, civil remedies and regulatory requirements to seek redress against perpetrators. The nature of the internet means that it can be difficult to identify and bring proceedings against those responsible for theft, fraud, corruption and infringement of intellectual property rights.

Impacts of a Cyber Attack

A cyber-attack or data breach can have a devastating impact on a business:

  • damage to reputation & brand;
     
  • loss of business;
      
  • drop in consumer/shareholder confidence;
     
  • drop in share price;
     
  • compensation payments;
      
  • costs of remediation; and
     
  • regulatory fines and sanctions.

In the case of financial institutions, a material data breach might be suggestive of systemic failures and the FCA has powers to impose fines (and ultimately to suspend or revoke firms’ authorisations); these powers may be exercised in addition to any ICO fines imposed.

Importance of a robust IT security strategy

Craig highlighted the importance of defining a coherent IT security strategy which includes:

  • strong physical and organisational controls;
     
  • HR policies, training and awareness;
     
  • robust perimeter and access controls;
     
  • end-to-end supply-chain & asset management;
     
  • monitoring, compliance & reporting;
     
  • business continuity, resilience and backup procedures;
     
  • continuous system maintenance and security patching; and

  • a detailed incident response plan.

Above all it is important that these processes and procedures are regularly reviewed, tested and updated to address all vulnerabilities and evolving risks.

He outlined the Regulator’s expectations, as set out in the FCA Handbook, the FCA’s 2016/17 Business Plan and various guidance notes (including “Guidance for Firms Outsourcing to the Cloud” and “Guidance for Off-the-Shelf Banking Solutions”).

Craig concluded by citing a recent speech* given by Nausicaa Delfas, Director of Specialist Supervision at the FCA:

“We strongly encourage firms to evolve and instil within them a holistic ‘security culture’ – covering not just technology, but people and processes too.”

* Source: FT Security Summit 21 September 2016

Questions

Is it better for a business to be less connected to the internet in order to be safer?

Adam Tyler: The problem nowadays is that businesses cannot survive without being linked to the internet. You can take proactive measures by placing data in a secure area away from the corporate network; however, if your employee is allowed to bring their own device, this can bring in any infection from outside.

Matthew Gough: In the case of financial institutions, it is very hard for banks not to be digitised. Some challenger banks only provide services digitally, and each week new digital products are brought to market.

How can firms best protect themselves from such attacks?

Adam Tyler: Ideally firms should have cyber protection, which for a minimal cost helps reduce the risk of cyber attack and gives specialist support and access to easy-to-use security tools that safeguard their data.

In addition, focus on the ingress and the egress of our networks. Just like having a security guard at the front of your building, we need to have the same for our networks, by having exact knowledge about what information is coming in and going out.
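The "security guard for the network" point above is usually put into practice as an egress review: outbound connections are compared against a list of approved external destinations, and unexpected destinations or unusually large transfers are raised for investigation. The script below is an added illustration of that idea and is not code from the seminar or from any of the speakers' organisations. The log format, the internal address ranges, the allowlist, the byte threshold and the log lines themselves are all constructed for the example.

```python
"""Egress review over constructed firewall flow logs (added example).

Reads flow-log lines, keeps only flows that leave the internal network,
flags destinations that are not on the approved list, and flags sources
whose outbound volume exceeds a budget. Everything below (log format,
address ranges, allowlist, threshold, sample lines) is an assumption
made for the example, not taken from the seminar materials.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed allowlist of approved external destinations as (dst_ip, dst_port).
# Addresses are from the documentation range TEST-NET-3 (RFC 5737).
ALLOWED_EGRESS = {
    ("203.0.113.10", 443),  # e.g. an approved SaaS endpoint
    ("203.0.113.53", 53),   # e.g. the approved external resolver
}

# Assumed per-source outbound byte budget for the reviewed window.
BYTES_THRESHOLD = 50_000_000

# Constructed sample log. Fields: timestamp src dst dst_port proto bytes action
SAMPLE_LOG = """\
2016-10-05T09:00:01Z 10.1.2.3 203.0.113.10 443 tcp 12000 ALLOW
2016-10-05T09:00:05Z 10.1.2.3 203.0.113.53 53 udp 300 ALLOW
2016-10-05T09:01:10Z 10.1.2.7 198.51.100.99 8443 tcp 2048 ALLOW
2016-10-05T09:02:00Z 10.1.2.9 203.0.113.10 443 tcp 60000000 ALLOW
2016-10-05T09:02:30Z 192.168.5.5 10.1.2.3 445 tcp 500 ALLOW
2016-10-05T09:03:00Z 10.1.2.7 198.51.100.99 8443 tcp 1024 DENY
"""


def parse_line(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, port, proto, nbytes, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "bytes": int(nbytes), "action": action}


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def review_egress(log_text, allowed=ALLOWED_EGRESS, byte_threshold=BYTES_THRESHOLD):
    """Return a list of findings for outbound flows that need a second look.

    Findings are tuples:
      ("unapproved_destination", src, dst, dst_port)
      ("volume_exceeded", src, total_outbound_bytes)
    """
    findings = []
    outbound_bytes = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Only flows from inside to outside count as egress.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        # A DENY never left the perimeter, so it does not count against egress.
        if rec["action"] != "ALLOW":
            continue
        outbound_bytes[rec["src"]] += rec["bytes"]
        if (rec["dst"], rec["port"]) not in allowed:
            findings.append(("unapproved_destination", rec["src"], rec["dst"], rec["port"]))
    for src, total in outbound_bytes.items():
        if total > byte_threshold:
            findings.append(("volume_exceeded", src, total))
    return findings


if __name__ == "__main__":
    for finding in review_egress(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed log, the review raises two items: one internal host reaching an address and port that nobody approved, and one host that pushed more data out than the budget allows. Neither is proof of an incident, but both are exactly the things an egress "guard" is there to notice, and the allowlist doubles as the documented record of what is supposed to leave the network.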