GDPR and CyberSecurity
By far the biggest trend I have seen in the finance sector over the last few years has been a relentless drive towards new and more onerous regulation. This is a trend that will only accelerate. No sooner had we tackled our MiFID II project than we had to push our GDPR project into top gear. MiFID III anyone?
Data Governance
GDPR mandates good data governance by default. In order to comply with the regulation, you will have to conduct a root-to-branch data audit in order to create a data register. With this, you can categorize your data, assess the risks and update your risk register. Without it, how can you possibly expect to meet the regulatory requirements for:
- Right of access
- Right to erasure
- Consent
- Reporting data breaches within 72 hours
How does that relate to Cyber?
This last point is an interesting one. Be honest, how many of you can say with any level of confidence that you can:
- tell when you have had a data breach;
- identify who instigated the data breach;
- identify what has been compromised;
- produce a detailed report to a regulator within 72 hours.
If you do not have the tech tools in your arsenal to meet these requirements, GDPR gives you the perfect excuse to go cap-in-hand to the board to get the budget you will need.
Risk mitigation should be a significant business driver at the board level. The fines under GDPR are potentially eye-watering, so you have to convince the board that data movement is now their number one risk. Good luck to you, because the stats are shocking. According to the 2016 Ponemon Study on Malware Detection and Prevention:
Most respondents say C-level executives aren’t concerned about cyber threats. Respondents admit they do not have the intelligence and necessary information to effectively update senior executives on cyber threats. If they do meet with senior executives, 70 percent of respondents say they report on these risks to C-level executives only on a need-to-know basis (36 percent of respondents) or never (34 percent of respondents).
Sixty-three percent of respondents say their companies had one or more advanced attacks during the past 12 months. On average, it took 170 days to detect an advanced attack, 39 days to contain it and 43 days to remediate it.
If you can win the argument and manage to get systems in place that monitor data movement, your CyberSecurity posture will be all the better for it. Knowing where your data is, what it is, and who is accessing it is most of the battle. The classic CyberSecurity approach of protecting the boundaries and endpoints no longer cuts the mustard (if it ever did).