Cyber Security: preventing and mitigating incidents. Alexander Brown, Robert Allen


Cyber Security: preventing and mitigating incidents
Alexander Brown, Robert Allen
07 & 08 October 2015

Cyber Security: context of the threat

"The magnitude and tempo of [cyber security attacks], basic or sophisticated, on UK and global networks pose a real threat to the UK's economic security. The mitigation of these risks and management of these threats, in other words cyber security, is one of the biggest challenges we all face today." Iain Lobban, Director GCHQ

UK Govt Information Security Breach Survey (2015):
- 90% of large organisations had a security breach in the last 12 months
- Average cost of worst security breach: 1.46m m
- 41% of organisations: reputational damage had the greatest impact
- 68% of large organisations were attacked by an unauthorised outsider in the last 12 months
- 90% of large organisations suffer a breach each year
- 84% of large organisations suffered a malware attack in the last 12 months

1 / B_LIVE_EMEA1: v1

Cyber Security: the corporate response

It is rising up the corporate agenda:
- 72% of large organisations provide ongoing security awareness training to staff
- 82% say that senior management regard cyber security as high / very high priority
- 86% have briefed their board on security risks
- 46% of businesses expect to spend more on cyber security next year

If it is not a priority then it should be:
- 72% of companies with poor security policy awareness had staff-related breaches (v 56% where the policy was well understood)
- 81% of businesses said there was some staff involvement in breaches
- Cost of getting it wrong is high (expense / reputation / regulatory intervention)

The Law: data security obligations

Data protection legislation applies to "Personal Data" (according to the Directive / UK Data Protection Act 1998 (DPA)):
- data (automatic equipment / relevant filing system) relating to a living individual identified from that data, or from that data in combination with other data
- Definitions can vary across different jurisdictions
- Note that whilst data protection legislation protects personal data, this and other data may be protected by regulatory requirements / confidentiality / contractual obligations

The Law: data security obligations

"Appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing" (Directive)

"Appropriate technical and organisational security measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" (DPA)

What businesses have to guard against:
- destruction / loss
- alteration
- access / disclosure
- all of which are either accidental / unauthorised / unlawful
- includes actions of third parties (e.g. hacking)

The Law: data security obligations

Having regard to the state of technology and cost, security must be appropriate to:
- the harm that might result from such unauthorised or unlawful processing or accidental loss / destruction / damage
- the nature of the data

Reasonable steps to ensure the reliability of employees who have access to data

Do businesses have to notify individuals / regulators?
- data protection: generally best practice rather than law, but some exceptions (e.g. Germany / US)
- sector-specific regulatory requirements
- generally an assessment of the harm / risk likely to be suffered by individuals and the volume of data

Data Security: proposed EU Regulation

- Risk-based approach to the implementation of security measures to protect against loss or unauthorised disclosure of personal data
- Data controllers and data processors must implement appropriate security measures and implement a security policy
- New, mandatory requirement for data controllers to notify national data protection authorities of security breaches without undue delay
- Data controllers will be required to notify affected individuals in wide-ranging circumstances
- Data controllers will have to keep records of security breaches
- Much larger sanctions for breach

Cyber Security: proposed EU Directive

The issue?
- Under EU rules only telecoms companies and data controllers have to adopt security measures, and telecoms companies alone are required to report significant incidents
- Note: computer crime laws such as the Computer Misuse Act 1990 (which set out offences relating to hacking and denial of service attacks) remain law

Key provisions:
- In-scope organisations: applicable to a range of "market operator" entities where disruption / destruction of infrastructure would have a significant impact on a Member State
- Technical and organisational measures: required in relation to network and information security (NIS), proportionate to risks (similar to current DP law)
- Notification: to NIS authority and, where required by NIS authority, to public, of incidents which have a significant impact on the security of the core services they provide
- NIS strategy: requirement upon member states to adopt a national NIS strategy and appoint competent NIS authorities
- Co-operation: designed to limit cyber risk; requires co-operation among NIS network (NIS authorities and EC); ability for market operators / technology companies to receive and share information
- CERTs: requirement upon member states to set up a national Computer Emergency Response Team
- Sanctions: to be set by member states at a level which is "effective, proportionate and dissuasive"

Financial Regulatory Interest & Action

UK Financial Policy Committee, June 2013:
"The dependence of major banks and financial market infrastructure on highly complex information technology (IT) systems made them potentially vulnerable to cyber attack, where an individual or group sought to exploit vulnerabilities in IT systems to disrupt services or for financial gain. Such attacks were increasing in frequency and sophistication. The Committee recognised that mitigating cyber attack was not a matter of systems enhancements alone but also required changes in processes and culture. All boards of financial institutions needed to consider their own arrangements to ensure effective management of cyber risk."

FCA Business Plan 2014/2015: focus on assessing and testing the financial services critical national infrastructure's resilience to cyber attacks

Link to subject of IT resilience:
- 2012: "Dear Chairman" letter to banks
- 2014: RBS / NatWest fined 56m by FCA / PRA

Financial Regulation - UK

Relevant FCA principles / rules:
- Principle 3: A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
- SYSC 3.1.1: A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.
- SYSC 3.2.6: A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.
- Principle 11: A firm must deal with its regulators in an open and cooperative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.
- FCA guidance on information security

RBS / NatWest IT resilience failings

"Three Lines of Defence":

Technology Services Risk:
- did not devote sufficient time and attention to specific risk management activity
- focus on reporting risk and sign-off rather than understanding and managing risk
- did not take the initiative to identify risks; they were reactive rather than pro-active

Business Services Risk:
- did not adequately challenge the first line of defence
- focused on collating and reporting risk information

Group Internal Audit:
- did not explain its view of IT risk to the first and second lines
- did not close out IT audit issues; instead they rolled from audit period to audit period
- did not highlight that it did not have the necessary documentation to fully test the IT controls

RBS / NatWest IT resilience failings

- The RBS Group had a limited understanding of IT operational risk; their IT function did not have a sufficiently prominent role at Board level or direct involvement in business prioritisation
- Their BCP plans focused on low-probability events rather than on more probable events (like software failures)
- The BCP plans should have included more on IT resilience and the need to ensure the continuity of systems critical to servicing customers

Enforcement Action: relevant factors

Nature of the breach:
- Culpability
- Data / systems affected
- People affected: type and number
- Risk to affected people
- Loss / distress caused

Preparedness:
- Security adopted (technical & organisational)
- Policies / plans
- Staff training / awareness

Nature of the offender:
- Repeat offences
- Financial resources
- Financial benefit from the breach

Reaction to the breach:
- Speed of response
- Quality of the response
- Notification to regulators
- Co-operation with regulators
- Customer protection / redress
- Acting on lessons learned

Cyber Security: security measures

UK Govt "Ten Steps To Reduce Cyber Risk"

Review data assets and their business criticality; identify the risks and reconsider as technology use changes:
- Information risk management regime
- User education and awareness
- Home and mobile working
- Incident management
- Manage user privileges
- Removable media controls
- Monitor systems and networks
- Maintain secure configuration
- Anti-malware defences
- Protect the network perimeter

What should you do now?

Assess your level of preparedness and current security measures.

Do you have an appropriate cyber / data security plan?
- What needs to be protected?
- How should each asset be protected?
- Does it cover all probable events (not just the Black Swan)?
- Is it reviewed / tested?
- Does it have senior management engagement?

Do you have a breach management plan?
- How will breaches be detected?
- What will you do in the first hour / 6 hours / day / week?
- What will the incident management priorities be?
- Who needs to be involved?
- How will you manage regulators / reputation?
- How will you remediate / learn the lessons?


simmons-simmons.com
elexica.com

This document is for general guidance only. It does not contain definitive advice. SIMMONS & SIMMONS and S&S are registered trade marks of Simmons & Simmons LLP. Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated practices. Accordingly, references to Simmons & Simmons mean Simmons & Simmons LLP and the other partnerships and other entities or practices authorised to use the name Simmons & Simmons or one or more of those practices as the context requires. The word "partner" refers to a member of Simmons & Simmons LLP or an employee or consultant with equivalent standing and qualifications or to an individual with equivalent status in one of Simmons & Simmons LLP's affiliated practices. For further information on the international entities and practices, refer to simmonssimmons.com/legalresp. Simmons & Simmons LLP is a limited liability partnership registered in England & Wales with number OC and with its registered office at CityPoint, One Ropemaker Street, London EC2Y 9SS. It is authorised and regulated by the Solicitors Regulation Authority. A list of members and other partners together with their professional qualifications is available for inspection at the above address.


More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

London Business Interruption Association Technology new risks and opportunities for the Insurance industry

London Business Interruption Association Technology new risks and opportunities for the Insurance industry London Business Interruption Association Technology new risks and opportunities for the Insurance industry Kiran Nagaraj Senior Manager, KPMG LLP February 2014 Agenda Introduction The world we live in

More information

Tax Fraud in Financial Services

Tax Fraud in Financial Services Tax Fraud in Financial Services Innocent Until Proven Careless? Nick Skerrett Stephen Gentle 30 September 2014 Contents Where are financial institutions exposed to fraud? Civil enforcement Statutory tax

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

STANDARD TERMS AND CONDITIONS FOR PROVISION OF MEDICAL REPORTING SERVICES BY MEDICAL PRACTITIONERS

STANDARD TERMS AND CONDITIONS FOR PROVISION OF MEDICAL REPORTING SERVICES BY MEDICAL PRACTITIONERS STANDARD TERMS AND CONDITIONS FOR PROVISION OF MEDICAL REPORTING SERVICES BY MEDICAL PRACTITIONERS 1. DEFINITIONS AND INTERPRETATION 1.1 In these Conditions the following words and expressions shall have

More information

Marketing under AIFMD The Final Countdown Series. Getting a Grip - the Article 42 registration process under AIFMD. Devarshi Saksena.

Marketing under AIFMD The Final Countdown Series. Getting a Grip - the Article 42 registration process under AIFMD. Devarshi Saksena. Marketing under AIFMD The Final Countdown Series Getting a Grip - the Article 42 registration process under AIFMD Devarshi Saksena Catherine Weeks Simmons & Simmons LLP Friday 06 June 2014 Introduction:

More information

ESKISP6054.01 Conduct security testing, under supervision

ESKISP6054.01 Conduct security testing, under supervision Overview This standard covers the competencies required to conduct security testing under supervision. In order to contribute to the determination of the level of resilience of an information system to

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

Financial Regulation: An overview of the FCA s proposal of the new Consumer Credit regime October 2013

Financial Regulation: An overview of the FCA s proposal of the new Consumer Credit regime October 2013 Financial Regulation: An overview of the FCA s proposal of the new Consumer Credit regime October 2013 Consultation Paper 13/10: Detailed Proposals for the FCA regime for Consumer Credit In early October

More information

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT GD21 2 DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON DATA SECURITY BREACH MANAGEMENT Introduction Organisations which process

More information

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31 THE MORAY COUNCIL Guidance on data security breach management Information Assurance Group DRAFT Based on the ICO Guidance on data security breach management under the Data Protection Act 1 Document Control

More information

Anti-Money Laundering Policy

Anti-Money Laundering Policy Money laundering is the process by which criminals attempt to conceal the true origin and ownership of the proceeds of their criminal activities. If undertaken successfully, it also allows them to maintain

More information

InsureTech 2015: Addressing cybersecurity and fraud in the ME insurance industry

InsureTech 2015: Addressing cybersecurity and fraud in the ME insurance industry InsureTech 2015: Addressing cybersecurity and fraud in the ME insurance industry Dino Wilkinson Partner Norton Rose Fulbright (Middle East) LLP 3 February 2015 The growing challenge of cyber risks From

More information

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

Emerging Data Protection regulations in Africa. Christophe Fichet

Emerging Data Protection regulations in Africa. Christophe Fichet Emerging Data Protection regulations in Africa Christophe Fichet 19 May 2015 Topics Development of data protection laws in Africa Key expectations over the next year Data Protection landscape African organizations

More information

IoD Big Picture Spring 2013

IoD Big Picture Spring 2013 IoD Big Picture Spring 2013 SNAPSHOT Cyber security is a corporate-level risk that all boards, in both the private and public sectors, need to own directly. The cyber threat applies to all, regardless

More information

CERTIFICATE IN DATA PROTECTION DATA SECURITY & DATA PROTECTION. Presented by Sophie More O Ferrall 9 February 2015

CERTIFICATE IN DATA PROTECTION DATA SECURITY & DATA PROTECTION. Presented by Sophie More O Ferrall 9 February 2015 CERTIFICATE IN DATA PROTECTION DATA SECURITY & DATA PROTECTION Presented by Sophie More O Ferrall 9 February 2015 DATA SECURITY LEGAL REQUIREMENTS SECTOR SPECIFIC ISSUES INTERNATIONAL TRANSFERS DATA SECURITY

More information

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie Rewriting the Past Oisin Tobin otobin@mhc.ie Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A

More information

Changes to Consumer Credit Regulation

Changes to Consumer Credit Regulation A Guide for Motor Dealers Introduction Motor Dealers are invariably also credit brokers and are currently required to be licensed by the Office of Fair Trading (OFT) for (at least) their credit broking

More information

Financial Services Tax Breakfast Briefings

Financial Services Tax Breakfast Briefings Financial Services Tax Breakfast Briefings Current Tax Issues on Debt Funds and Shadow Banking Nick Cronkshaw Mark Sheiham 17 December 2014 Introduction What we re going to cover Background - growth and

More information

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013 Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is

More information

Keeping sight of your business Hot topics facing Financial Services organisations in IT Internal Audit

Keeping sight of your business Hot topics facing Financial Services organisations in IT Internal Audit Keeping sight of your business Hot topics facing Financial Services organisations in IT Internal Audit 2014 Welcome to our third annual review of the IT hot topics facing Internal Audit functions within

More information

ISO27032 Guidelines for Cyber Security

ISO27032 Guidelines for Cyber Security ISO27032 Guidelines for Cyber Security Deloitte Point of View on analysing and implementing the guidelines Deloitte LLP Enterprise Risk Services Security & Resilience Contents Foreword 1 Cyber governance

More information

HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES EU PROPOSED CYBERCRIME DIRECTIVE

HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES EU PROPOSED CYBERCRIME DIRECTIVE HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES OF THE PROPOSED CYBERCRIME DIRECTIVE? Dr Mark Abell, Graeme Payne and Joseph Jackson, Bird & Bird, London, UK Cybersecurity is arguably receiving more

More information

Enterprise Security Governance. Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security

Enterprise Security Governance. Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security Enterprise Security Governance Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security Governance and Organisational Model Risk Mgmt & Reporting Digital Risk & Security

More information

Personal Data (Privacy) (Amendment) Ordinance 2012 - Use and Sale of Personal Data for Direct Marketing.

Personal Data (Privacy) (Amendment) Ordinance 2012 - Use and Sale of Personal Data for Direct Marketing. July 2012 Personal Data (Privacy) (Amendment) Ordinance 2012 - Use and Sale of Personal Data for Direct Marketing. Contents Introduction On 27 June 2012, Hong Kong s Legislative Council ( LegCo ) passed

More information

COMMISSION REGULATION (EU) No /.. of XXX

COMMISSION REGULATION (EU) No /.. of XXX EUROPEAN COMMISSION Brussels, XXX [ ](2013) XXX draft COMMISSION REGULATION (EU) No /.. of XXX on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes INFORMATION SECURITY POLICY Ratified by RCA Senate, February 2007 Contents Introduction 2 Policy Statement 3 Information Security at RCA 5 Annexes A. Applicable legislation and interpretation 8 B. Most

More information

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Privacy vs Data Protection PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Introduction The terms privacy and data protection are often used interchangeable In reality they

More information

CYBER-ATTACKS THE GLOBAL RESPONSE

CYBER-ATTACKS THE GLOBAL RESPONSE R E P R I N T CYBER-ATTACKS THE GLOBAL RESPONSE REPRINTED FROM: Risk, Governance & Compliance for Financial Institutions 2015 RISK GOVERNANCE & COMPLIANCE for F I N A N C I A L INSTITUTIONS 2 0 1 5 Visit

More information

HOW TO MANAGE A DATA BREACH

HOW TO MANAGE A DATA BREACH MANAGING COMPLIANCE RISK IN A RAPIDLY CHANGING ENVIRONMENT HOW TO MANAGE A DATA BREACH FRIDAY 17 JUNE 2016 1 2 What is a data breach? Unauthorised disclosure Inappropriate access Loss Destruction Alteration

More information

Pensions. Data protection and pensions. Briefing. Application Data Controller v Data Processor

Pensions. Data protection and pensions. Briefing. Application Data Controller v Data Processor Financial institutions Energy Infrastructure, mining and commodities Transport Technology and innovation Life sciences and healthcare Pensions Data protection and pensions Briefing January 2016 Trustees

More information

Ancillary Services affected by MiFID II - impact on AIFMs and UCITS management companies

Ancillary Services affected by MiFID II - impact on AIFMs and UCITS management companies Ancillary Services affected by MiFID II - impact on AIFMs and UCITS management companies Summary of how MiFID II will apply to EU managers regulated under AIFMD and the UCITS Directive In the context of

More information

Algorithmic and High- Frequency Trading

Algorithmic and High- Frequency Trading MiFID 2/MiFIR What, When, Who and How? Algorithmic and High- Frequency Trading June 2015 What does MiFID currently do? Are these provisions currently in MiFID? No. What are the key differences between

More information

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 CONTENTS Page 1. Introduction 3-4 2. The Commission s Policy 5 3. Outsourcing

More information

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone: Company or Trading Name: Address: Post Code: Telephone: E-mail: Website: Date Business Established Number of Employees Do you have a Chief Privacy Officer (or Chief Information Officer) who is assigned

More information

Trade and commodity finance: recent developments and issues. Omar Al-Ali and John Sayers

Trade and commodity finance: recent developments and issues. Omar Al-Ali and John Sayers Trade and commodity finance: recent developments and issues Omar Al-Ali and John Sayers 07 & 08 October 2015 Team and experience 1 / B_LIVE_EMEA1:2816398v1 Team John Sayers General Experience John is a

More information