#GDPR #cybercrime #cybersecurity #magiccircle #zerodayattack #cyberinsurance #iso27001 #iso27002 #cobit #marriot #databreach
I recently met with a consultant who matches founders with funders. She set me an interesting challenge: “what can you tell me about regulations that don’t yet exist?”
It’s a question that everyone in the Compliance community should be thinking about. We are so focussed on the here and now, and on getting through the current raft of regulation, that the chance to plan for what’s coming in the future is often missed. This applies in particular to those regulations which will help ensure a safe and secure financial services ecosystem. A simple way to look at this is to consider where we know there are heightened concerns in the industry, e.g. cyber security and cryptocurrency trading.
Taking the GDPR (General Data Protection Regulation) as the example: in the years leading up to it, many other events came first, such as the:
EU Data Protection Directive of 1995 (we’ll talk in another blog about the difference between a Directive and a Regulation); and
revised UK Data Protection Act of 1998 (after which point most other EU members created their own versions of the same).
However, it wasn’t until 2012 that the proposal for GDPR was first released, and then of course, in May 2018, it was finally issued. Interspersed throughout this journey to GDPR were a number of proposals, conferences and discussion papers on the topic. It’s clear that the increased need for data protection regulation was directly correlated with the growth of computer usage and the way in which personally identifiable data has been collected by the large tech firms (you know who).
So, if we cast our minds back in this manner, it’s quite easy to identify which current areas of concern are likely to go in the same direction, i.e. result in a regulation. I’ve already mentioned the two that we’re interested in above and will first talk about cyber security.
Why is this important?
Cyber security is quite interesting given its inherent link to confidence. Imagine, if you will, that you are a Magic Circle law firm and you hold pre-public-domain information about some of your blue-chip clients that can move the markets, e.g. information on a pending merger. We now know that hacking is no longer the domain of individual techie-geeks but of much more organised and well-established collectives, often backed by governments as well as criminal organisations. If an impactful and successful zero-day attack were made known to the public, it could result in the type of reputational damage that not only forces your current clients to reconsider doing business with you but also drastically reduces your ability to gain new clients. So, cyber security is massively important not just from a consumer standpoint but also from a commercial perspective.
What’s driving the need?
Driving the need for regulation is the increased rate at which hackers are improving their methods and data is being stolen. Only as recently as yesterday have we come to learn that the Marriott hotel group has been the victim of what’s probably the largest data protection breach of all time (500 million customers over an elapsed period of 4 years). The topic of cyber security is a lot more apparent in the general news, and we know that both firms and individuals are taking up insurance like never before (cyber insurance is estimated to be underwritten to the tune of $7.5 billion by 2020 in the US alone).
What happens next?
We can see the need for more stringent regulation coming this way soon. I say stringent because regulations already exist; however, the cyber experts we speak to don’t believe they go far enough. For example, the US regulations tend to be focussed on operations and strategy, whereas in the EU the focus is on companies wanting to do business there. For us, this means defining information security standards and control frameworks and having them implemented from the infrastructure level down to the code level, as well as embedding a solid culture of cyber security risk management. There are good standards out there, such as ISO 27001/2, and frameworks such as COBIT 5; however, these aren’t enforced. Rather, they are adopted by organisations voluntarily and usually only in part.
How can we help?
Through our services and platform we can provide a framework through which your cybersecurity controls can be defined, measured and improved on an ongoing basis. This would not only provide confidence to your board and senior management today but also give you a head start ahead of a would-be regulation. Contact us to learn more.
As ever, likes and shares are much appreciated!
Compliance as a Service Ltd.