Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

Size: px
Start display at page:

Download "Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows"

Transcription

1 Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows 24 February 2015 Callum Sinclair Faith Jayne

2 Agenda Top 10 legal need-to-knows, including: What is cyber crime What is the current legal position and obligations on businesses What to do in the event of an information breach How to protect your business and benefit from secure information Looking ahead proposed changes to information security requirements 2

3 1. What is Cyber Crime? 3

4 1. Key Numbers 4

5 1. What is Cyber-Crime? "There are two kinds of big companies in the US. There are those who've been hacked, and, those who don't know they've been hacked" FBI Director, James Comey High profile cyber attacks Sony personal correspondence, employees personal data, executive pay ebay 233 million users personal details were stolen Dominos Received a ransom for $40,000 in exchange for 600,000 Belgian and French customer records 5

6 1. What is Cyber-Crime? "an attack on the confidentiality, integrity and accessibility of an entity's online/computer presence or networks - and information contained within" - Research Department of the IOSCO and the WFE Four main types: Nuisance hacking Hacking for financial gain: from stealing customer credit card information to targeting a company's financial function to obtain its earnings report before it is publicly released so as to acquire and dump stock Advanced persistent threat: stealthy and continuous computer hacking processes targeting a specific entity Hacktivism: goal is to change or create a public perception about a brand, e.g. obtaining and disclosing sensitive information to the public 6

7 1. Top Concerns New technologies: Mobile, social and cloud - e.g. mobile devices have their own powerful peer-to-peer networks and employees might not realise the risks being introduced when sharing, sending or receiving corporate information on such devices Increasing sophistication of perpetrators: functions like a business, with management structure, quality control, offshoring etc. Increasing sophistication of attacks: perpetrators are more specific in who they target and play the long-game Global nature: makes it difficult to investigate and prosecute Proposed legislation: compliance burden which could cause the business to lose sight of what really matters 7

8 2. What laws do I need to be aware of? 8

9 2. Regulation laws regulating safe processing of personal / confidential information and conduct of financial services. ICO / FCA Statutory duties Criminal sanctions criminal offences for computer misuse, unauthorised obtaining of personal data, unauthorised access to communications data civil claims to recover loss or damage caused due to negligence or breach of statutory duty Civil sanctions injunctive relief and disclosure orders (ISPs) against perpetrators 9

10 2. Criminal / Civil sanctions Computer Misuse Act 1990 (as amended by PJA 2006) offence to deliberately penetrate, alter or damage computer systems without authorisation Data Protection Act 1998 s.55(1) offence to knowingly or recklessly obtain or disclose personal data or procure the disclosure without consent from the data controller Regulation of Investigatory Powers Act 2000 s.1 offence to deliberately intercept a communication across a public telecommunications system without authorisation Civil liability breach of statutory duty / duty of care breach of confidence breach of contract civil award (injunctive relief / damages) 10

11 2. UK Cyber Security Strategy Published December 2014 Objectives: make UK one of the most secure places in the world to do business in cyberspace make the UK more resilient to cyber attack help shape an open, vibrant and stable cyberspace build the UK's cyber security knowledge, skills and capability 10 Steps to Cyber Security updated in January Cyber Security Governance Health Check for FTSE350 companies Cyber Essentials Accredited 11

12 3. Who is responsible for governing compliance? 12

13 3. Regulators Information Commissioner Office Database owners, data controllers and public communications providers Financial Conduct Authority Regulation of financial service providers National Crime Agency Enforcement against criminals involved in undertaking a cyberattack 13

14 3. Regulating those who hold the data DPA 7 th principle : take appropriate technical and organisational measures against unauthorised or unlawul processing accidental loss or destruction or damage FCAPRIN 3 : a firm must take reasonable care to organise and control its affairs responsibly and effectively with adequate risk management systems DPA 8 th principle : only transfer outside EEA where that country ensures adequate level of protection 14

15 3. Does this affect my business? Processing personal data in the context of a UK establishment? Providing regulated financial services within the UK? Providing a public communications service regulated under the Communications Act? 15

16 3. What is the risk if I don't comply? Information Security deserves the fullest attention at the highest levels Lloyd s Risk Index 2013: Cyber risk has moved from position 12 (malicious) and 19 (non-malicious) in 2011 to the world s number three risk overall Risks include: Financial losses Intellectual theft Reputational damage Fraud Legal exposure regulatory fines and law suits Loss of shareholder value Extortion 16

17 4. What should I do in the event of an attack? 17

18 4. What to do in the event of an attack Assemble an incident response team Stop additional data loss Commence internal review Contact regulators Instruct experts cybersecurity and forensic Secure evidence Preserve computer logs Document the breach Communicate the breach to customers & media 18

19 4. What to do in the event of an attack (2) Wider reporting Contact police Conduct interviews of personnel involved Re-issue or force security access changes Do not: probe computers and affected systems turn off computers and affected systems image or copy data, or connect storage devices/ media, to affected systems run antivirus programmes or utilities reconnect affected systems 19

20 5. Who should be notified in the event of a data breach? 20

21 5. Who must I notify in the event of a breach? Breach related to activity undertaken by a financial service provider? FCA Breach relating to personal data processed by a service provider offering public communications services? ICO Breach by professional with duty of confidentiality in respect of client's data? Relevant professional body e.g. SRA, Institute of Chartered Accountants 21

22 5. Who should I notify? If serious loss of personal data? ICO If fraudulent element to crime? National Fraud Authority Action Fraud enables online reporting Notification will trigger a police investigation Internal departments Professional advisors and customers Third parties such as ISPs, insurers and affected persons 22

23 5. What happens if I don't notify? Failure to report to ICO not itself grounds for formal action however: considered aggravating factor investigations enforcement notices monetary penalties (up to 500,000) Failure to comply with enforcement or monetary penalty notice is a criminal offence fine potential personal liability PRA/FCA Rules power to impose unlimited fines for breach of PRA/FCA rules 23

24 6. How can I proactively protect my information? 24

25 6. How can I proactively protect information? Ensure information security is key priority for business Board member with IT understanding Update data protection policy to include general information security requirements Ensure business has a crisis plan in the event of an attack 25

26 6. Do I need a CISO? Chief Information Security Officer Bridge gap between IT and business risk Work collaboratively with GCs to manage risk Joint response team in the event of a breach 26

27 7. What is the biggest risk area to address? 27

28 28

29 7. Identify risk areas Insider Threats 69% of data breaches arise as a result of insiders (majority of which are careless as opposed to malicious) Balance between managing risk and ensuring flexible working environment BYOD Who is a risk? plants malicious employees careless employees 29

30 8. What does good practice look like? 30

31 8. Good practice Having a strategy in place and not just being reactive Having a high-level security chief who reports directly to a senior executive and who can help the management team to think and talk about how security affects business decisions Possessing a deep understanding of the types of security events that have occurred in the organisation Measuring and reviewing the effectiveness of policies and procedures annually Looking at outsourcers' data security practices both before doing business and after appointment Having an appropriate business continuity plan in case of an attack, including a clear plan to respond to data loss incidents including informing and advising affected customers (redress?) When things go wrong identifying what went wrong, how it went wrong and what can be done to prevent it happening again 31

32 8. What does poor practice look like? Failing to contact customers after their data security is compromised Treating data security as an IT or privacy issue without also recognising the fraud risk A blame culture discouraging staff from reporting data losses Being unsure how suppliers protect data 32

33 9. What upcoming changes do I need to be aware of? 33

34 9. What are the upcoming changes? EU Directive for Network and Information Security EU Data Protection Regime Member States must adopt a NIS strategy set up a NIS Authority designate National Computer Emergency Response Teams (CERT); cooperate with other Member States and EC to share early warnings on risks and incidents "market operators" must adopt risk management practices report major security incidents affecting their core services 34

35 9. Network Information Security Directive (NIS) includes internet payment gateways credit institutions, stock exchanges and counterparty clearing houses regulate market operators; set standards; liaise with ENISA / DPAs / law enforcement NIS strategy NIS authority CERT response team "market operators" (information society services & CI in fields of financial market infrastructure, banking, transport, energy, healthcare) ENISA / EC / US co-operation network coordination with local regulators (FCA / ICO) monitor & respond to incidents; set common standards for reporting and handling incidents and managing risk s implement appropriate measures to manage NIS security risks adopt specific measures to ensure continuity of service notify breaches which have a significant impact on security provide evidence of compliance / information to NIS authority comply with audit requests / instructions given by NIS authority 35

36 9. EC Data Protection Regulations Headline changes: "personal data breaches" must be reported to the regulator enforcement: fines up to 2% global turnover for negligent / deliberate breaches Extended responsibilities: data processors to be directly responsible for compliance (including adopting appropriate security measures) obligations to carry out routine security risk assessments / audits obligation to appoint DPOs with wide remit to include monitoring compliance with security measures 36

37 9. How will the changes affect me? Security measures take appropriate and proportionate technical and organisational measures to detect and effectively manage the risks posed to the security of the networks and information systems under control and use measures should guarantee a level of security appropriate to the risk presented having regard to 'state of the art'. Business continuity take appropriate measures to prevent and minimise the impact of any incident affecting security of their networks and information systems on the core services they provide to ensure continuity of services Breach notification notify to the (NIS authority) of incidents having a significant impact on the continuity of the core services factors: number, duration, geographic spread voluntary notification sector specific criteria protections for public disclosure Provision of evidence of compliance eg a security audit carried out by a qualified independent body or national authority and make the evidence thereof available to the NIS authority. sectoral decorations Standardisation use IS standards to ensure convergent implementation Information duty provide information to the NIS authority as required to assess the security of networks and information systems Binding instructions comply with instructions from NIS authority 37

38 10. What are my next steps? Date of presentation 38

39 10. Checklist (1) Identifying Sensitive Data What data do you (outsource provider) hold? Where is the data located? What laws and regulations apply to the data? What controls are around the data? Is data being sent to third parties? If so, is this done securely? Resources: Are sufficient resources allocated to cybersecurity measures? Management and Reporting: Does management receive sufficient management information to understand and assess the organisation's exposure to cybercrime risk? Are there clear formal upward reporting lines in place for cyber-security? 39

40 10. Checklist (2) Record-keeping: Do you keep record of information about the frequency, type and/or source of security breaches? And how those breaches have been dealt with? Documented Policy: Do you have a cyber-security policy in place, with the terms cybercrime, cyber-attacks and cyberthreats clearly defined? Is the effectiveness of security policies and procedures reviewed annually? Business Continuity: Does your disaster recovery plan cover cybercrime risk? Do you have a clear strategy for responding to attacks? Employee Awareness: Are employees aware of information security risks if they don't follow company policy? Are they kept up-to-date on new cybercrime threats? 40

41 10. Checklist (3) Outsource Service Providers: Is the organisation aware of the cyber-security measures in place at its suppliers, including in particular any outsourced service suppliers? Cooperation Arrangements: Are arrangements in place to share information on attempted and successful cybercrime with authorities and regulators? Board level awareness, engagement and action 41

42 Conclusion Doing nothing is no longer an option Be aware of the requirements and your responsibilities Proactively consider information security strategy don't just react to an attack Monitor future changes 42

43 Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows 24 February 2015 Callum Sinclair Faith Jayne

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or

More information

Cybercrime: risks, penalties and prevention

Cybercrime: risks, penalties and prevention Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,

More information

Managing Cyber Risk through Insurance

Managing Cyber Risk through Insurance Managing Cyber Risk through Insurance Eric Lowenstein Aon Risk Solutions This presentation has been prepared for the Actuaries Institute 2015 ASTIN and AFIR/ERM Colloquium. The Institute Council wishes

More information

Cyber and data Policy wording

Cyber and data Policy wording Please read the schedule to see whether Breach costs, Cyber business interruption, Hacker damage, Cyber extortion, Privacy protection or Media liability are covered by this section. The General terms and

More information

The era of hacks and cyber regulation

The era of hacks and cyber regulation 6 February 2014 The era of hacks and cyber regulation We trust that you are well versed with the details of the various cyber-attacks that made the headlines towards the end of 2014, and early this year,

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Global Warning It is a matter of time before there is a major cyber attackon the global financial system and the public needs to invest heavily in

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

www.bonddickinson.com Cyber Risks October 2014 2

www.bonddickinson.com Cyber Risks October 2014 2 www.bonddickinson.com Cyber Risks October 2014 2 Why this emerging sector matters Justin Tivey Legal Director T: +44(0)845 415 8128 E: justin.tivey The government estimates that the current cost of cyber-crime

More information

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency

More information

Data Breach Notification Duty. Dr. Elisabeth Thole 31 October 2015 UIA Valencia

Data Breach Notification Duty. Dr. Elisabeth Thole 31 October 2015 UIA Valencia Data Breach Notification Duty Dr. Elisabeth Thole 31 October 2015 UIA Valencia Van Doorne 2 How is your cyber crime awareness? Either you have been data breached or you just do not know that you have been

More information

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013 Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page

More information

Guidance on data security breach management

Guidance on data security breach management ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

Cyber and Data Security. Proposal form

Cyber and Data Security. Proposal form Cyber and Data Security Proposal form This proposal form must be completed and signed by a principal, director or a partner of the proposed insured. Cover and Quotation requirements Please indicate which

More information

Guidance on data security breach management

Guidance on data security breach management Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Cyber Risk Management

Cyber Risk Management Cyber Risk Management A short guide to best practice Insight October 2014 So what exactly is 'cyber risk'? In essence, cyber risk means the risk connected to online activity and internet trading but also

More information

Cyber Security: Are You Prepared?

Cyber Security: Are You Prepared? Cyber Security: Are You Prepared? This briefing provides a high-level overview of the cyber security issues that businesses should be aware of. You should talk to a lawyer and an IT specialist for a complete

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security Contents Why you need to know about cyber security... 3 Understanding the risks to your business... 4 How you can manage the risks... 5 Planning

More information

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities Information Governance Untoward Incident Reporting and Management Advice for Local Authorities March 2013 Contents Page 1. The Role of the NIGB.....3 2. Introduction...4 3. Background Information...6 4.

More information

Cyber Security - What Would a Breach Really Mean for your Business?

Cyber Security - What Would a Breach Really Mean for your Business? Cyber Security - What Would a Breach Really Mean for your Business? August 2014 v1.0 As the internet has become increasingly important across every aspect of business, the risks posed by breaches to cyber

More information

Seamus Reilly Director EY Information Security sreilly@uk.ey.com 0207 951 3179 Cyber Security

Seamus Reilly Director EY Information Security sreilly@uk.ey.com 0207 951 3179 Cyber Security Seamus Reilly Director EY Information Security sreilly@uk.ey.com 0207 951 3179 Cyber Security An Internal Audit perspective on the threats and responses within the Retail Sector 15 th May 2014 Agenda Introductions

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature Demystifying Cyber Insurance Jamie Monck-Mason & Andrew Hill Introduction What is cyber? Nomenclature 1 What specific risks does cyber insurance cover? First party risks - losses arising from a data breach

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

Data Security Breach Incident Management Policy

Data Security Breach Incident Management Policy Data Security Breach Incident Management Policy Contents 1. Background... 1 2. Aim... 1 3. Definition... 2 4. Scope... 2 5. Responsibilities... 2 6. Data Classification... 2 7. Data Security Breach Reporting...

More information

Cyber security initiatives in European Union and Greece The role of the Regulators

Cyber security initiatives in European Union and Greece The role of the Regulators Cyber security initiatives in European Union and Greece The role of the Regulators Constantinos Louropoulos President of Hellemic Telecoms and Post Commission Agenda Cyberspace challenges EU security initiatives

More information

Who s next after TalkTalk?

Who s next after TalkTalk? Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many

More information

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014 Document Control Policy Title Data Breach Management Policy Policy Number 086 Owner Information & Communication Technology Manager Contributors Information & Communication Technology Team Version 1.0 Date

More information

CYBER RISK SECURITY, NETWORK & PRIVACY

CYBER RISK SECURITY, NETWORK & PRIVACY CYBER RISK SECURITY, NETWORK & PRIVACY CYBER SECURITY, NETWORK & PRIVACY In the ever-evolving technological landscape in which we live, our lives are dominated by technology. The development and widespread

More information

Cybersecurity y Managing g the Risks

Cybersecurity y Managing g the Risks Cybersecurity y Managing g the Risks Presented by: Steven L. Caponi Jennifer Daniels Gregory F. Linsin 99 Cybersecurity The Risks Are Real Perpetrators are as varied as their goals Organized Crime: seeking

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

Navigating the Privacy Law Landscape - US and Europe

Navigating the Privacy Law Landscape - US and Europe 21 January, 2015 Navigating the Privacy Law Landscape - US and Europe Roberta Anderson, Partner, K&L Gates, Pittsburgh Friederike Gräfin von Brühl, Senior Associate, K&L Gates, Berlin Etienne Drouard,

More information

The Cancer Running Through IT Cybercrime and Information Security

The Cancer Running Through IT Cybercrime and Information Security WHITE PAPER The Cancer Running Through IT Prepared by: Richard Brown, Senior Service Management Consultant Steve Ingall, Head of Consultancy 60 Lombard Street London EC3V 9EA T: +44 (0)207 464 8883 E:

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES EU PROPOSED CYBERCRIME DIRECTIVE

HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES EU PROPOSED CYBERCRIME DIRECTIVE HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES OF THE PROPOSED CYBERCRIME DIRECTIVE? Dr Mark Abell, Graeme Payne and Joseph Jackson, Bird & Bird, London, UK Cybersecurity is arguably receiving more

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES

PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES Cyber Attacks: How prepared are you? With barely a day passing without a reported breach of corporate information security, the threat to financial

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT GD21 2 DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON DATA SECURITY BREACH MANAGEMENT Introduction Organisations which process

More information

Memorandum of Understanding between the Financial Conduct Authority and the Bank of England, including the Prudential Regulation Authority

Memorandum of Understanding between the Financial Conduct Authority and the Bank of England, including the Prudential Regulation Authority Memorandum of Understanding between the Financial Conduct Authority and the Bank of England, including the Prudential Regulation Authority Purpose and scope 1. This Memorandum of Understanding (MoU) sets

More information

Privacy and Cloud Computing for Australian Government Agencies

Privacy and Cloud Computing for Australian Government Agencies Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

DATA BREACH COVERAGE

DATA BREACH COVERAGE THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ THIS CAREFULLY. DATA BREACH COVERAGE SCHEDULE OF COVERAGE LIMITS Coverage Limits of Insurance Data Breach Coverage $50,000 Legal Expense Coverage $5,000

More information

Regulation of Investigatory Powers Act 2000

Regulation of Investigatory Powers Act 2000 Regulation of Investigatory Powers Act 2000 Consultation: Equipment Interference and Interception of Communications Codes of Practice 6 February 2015 Ministerial Foreword The abilities to read or listen

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Information Security Risks when going cloud. How to deal with data security: an EU perspective. Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with

More information

NHS Business Services Authority Information Security Policy

NHS Business Services Authority Information Security Policy NHS Business Services Authority Information Security Policy NHS Business Services Authority Corporate Secretariat NHSBSAIS001 Issue Sheet Document reference NHSBSARM001 Document location F:\CEO\IGM\IS\BSA

More information

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048 Cybersecurity Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048 Setting expectations Are you susceptible to a data breach? October 7, 2014 Setting expectations Victim Perpetrator

More information

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd Data breach, cyber and privacy risks Brian Wright Lloyd Wright Consultants Ltd Contents Data definitions and facts Understanding how a breach occurs How insurance can help to manage potential exposures

More information

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie Rewriting the Past Oisin Tobin otobin@mhc.ie Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A

More information

(4) THAMES VALLEY POLICE of Oxford Road, Kidlington, OX5 2NX ("Police Force"),

(4) THAMES VALLEY POLICE of Oxford Road, Kidlington, OX5 2NX (Police Force), DATE OF INFORMATION SHARING AGREEMENT JULY 2015 PARTIES (1) LIVE NATION (MUSIC) UK LIMITED (Company Number 02409911) whose registered office is at 2 nd Floor, Regent Arcade House, 19-25 Argyll Street,

More information

Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity

Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity Sebastian Meissner Security Incident Information Sharing Workshop Berlin, 26.07.2013 Introduction Opening question Privacy & cybersecurity:

More information

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION In the ever-evolving technological landscape which we all inhabit, our lives are dominated by

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

THE ANATOMY OF A CYBER POLICY. Jamie Monck-Mason & Andrew Hill

THE ANATOMY OF A CYBER POLICY. Jamie Monck-Mason & Andrew Hill THE ANATOMY OF A CYBER POLICY Jamie Monck-Mason & Andrew Hill What s in a name? Lack of uniformity in policies: Cyber Cyber liability Data protection Tech PI The scope of cyber insurance First party coverage

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

Commonwealth Fraud Control Guidelines Annual Reporting Questionnaire 2009-10

Commonwealth Fraud Control Guidelines Annual Reporting Questionnaire 2009-10 Commonwealth Fraud Control Guidelines Annual Reporting Questionnaire 2009-10 Please read this first In accordance with the Commonwealth Fraud Control Guidelines (the Guidelines) issued under Regulation

More information

How-To Guide: Cyber Security. Content Provided by

How-To Guide: Cyber Security. Content Provided by How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information

EU Directive on Network and Information Security SWD(2013) 31 & SWD(2013) 32. A call for views and evidence

EU Directive on Network and Information Security SWD(2013) 31 & SWD(2013) 32. A call for views and evidence EU Directive on Network and Information Security SWD(2013) 31 & SWD(2013) 32 A call for views and evidence 22 nd May 2013 Contents Contents... 2 Overview: The EU Directive on Network and Information Security...

More information

Is Your Financial Institutions' Insurance Policy vulnerable to a cyber claim? Joan D Ambrosio, James Cooper and Kim West 22 January 2014

Is Your Financial Institutions' Insurance Policy vulnerable to a cyber claim? Joan D Ambrosio, James Cooper and Kim West 22 January 2014 Is Your Financial Institutions' Insurance Policy vulnerable to a cyber claim? Joan D Ambrosio, James Cooper and Kim West 22 January 2014 Cyber Exposures Joan D Ambrosio Reported data breaches continue

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

DATA PROTECTION LAWS OF THE WORLD. India

DATA PROTECTION LAWS OF THE WORLD. India DATA PROTECTION LAWS OF THE WORLD India Date of Download: 6 February 2016 INDIA Last modified 27 January 2016 LAW IN INDIA There is no specific legislation on privacy and data protection in India. However,

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor Cyber Risks Management Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor 1 Contents Corporate Assets Data Breach Costs Time from Earliest Evidence of Compromise to Discovery of Compromise The Data Protection

More information

Council of the European Union Brussels, 5 March 2015 (OR. en)

Council of the European Union Brussels, 5 March 2015 (OR. en) Council of the European Union Brussels, 5 March 2015 (OR. en) Interinstitutional File: 2013/0027 (COD) 6788/15 LIMITE TELECOM 59 DATAPROTECT 23 CYBER 13 MI 139 CSC 55 CODEC 279 NOTE From: Presidency To:

More information

Security breaches: A regulatory overview. Jonathan Bamford Head of Strategic Liaison

Security breaches: A regulatory overview. Jonathan Bamford Head of Strategic Liaison Security breaches: A regulatory overview Jonathan Bamford Head of Strategic Liaison Security breaches and the DPA Data controllers security obligation - principle 7 of the DPA o Appropriate technical and

More information

An overview of UK data protection law

An overview of UK data protection law An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44

More information

InsureTech 2015: Addressing cybersecurity and fraud in the ME insurance industry

InsureTech 2015: Addressing cybersecurity and fraud in the ME insurance industry InsureTech 2015: Addressing cybersecurity and fraud in the ME insurance industry Dino Wilkinson Partner Norton Rose Fulbright (Middle East) LLP 3 February 2015 The growing challenge of cyber risks From

More information

Unit 3 Cyber security

Unit 3 Cyber security 2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 1 September 2015 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning hours:

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes

More information

Cybersecurity and the Threat to Your Company

Cybersecurity and the Threat to Your Company Why is BIG Data Important? March 2012 1 Cybersecurity and the Threat to Your Company A Navint Partners White Paper September 2014 www.navint.com Cyber Security and the threat to your company September

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Financial Services Act 2010

Financial Services Act 2010 Financial Services Act 2010 CHAPTER 28 CONTENTS Objectives of FSA etc 1 Financial stability objective 2 Enhancing public understanding of financial matters etc 3 Meeting FSA s regulatory objectives Remuneration

More information

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone: Company or Trading Name: Address: Post Code: Telephone: E-mail: Website: Date Business Established Number of Employees Do you have a Chief Privacy Officer (or Chief Information Officer) who is assigned

More information

SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE

SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE Businesses today rely heavily on computer networks. Using computers, and logging on to public and private networks has become second nature to

More information

Financial Services Guidance Note Outsourcing

Financial Services Guidance Note Outsourcing Financial Services Guidance Note Issued: April 2005 Revised: August 2007 Table of Contents 1. Introduction... 3 1.1 Background... 3 1.2 Definitions... 3 2. Guiding Principles... 5 3. Key Risks of... 14

More information

Is your Organization SAFE?

Is your Organization SAFE? Is your Organization SAFE? About Enterprise Risk Management (ERM) About The Presenter Mike Sanchez, Senior Vice President at ERM Captain, USMC (Ret.) COBIT 5 Certified Possesses over 20 years of experience

More information

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

More information

Data Security Breach Management Procedure

Data Security Breach Management Procedure Academic Services Data Security Breach Management Procedure Document Reference: Data Breach Procedure 1.1 Document Type: Document Status: Document Owner: Review Period: Procedure v1.0 Approved by ISSG

More information

Cyber Security Strategy

Cyber Security Strategy NEW ZEALAND S Cyber Security Strategy 2015 A secure, resilient and prosperous online New Zealand Ministerial Foreword The internet and technology have become a fundamental element in our lives. We use

More information

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013 Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is

More information