Financial sector cyber-related laws are a bellwether, says Deloitte

What is happening in the financial sector is relevant to everyone, according to Deloitte partners Stephen Bonner and Nick Seaver.

“We think financial services is the canary in the coalmine,” Bonner told delegates at the 2018 IISP Congress in London.

“We see that whatever regulation starts in financial services ends up being copied in other industries,” he said. “So what we see starting to be developed in financial services around the management of cyber risk, we expect to see implemented in other industries.”

Although it is fairly well understood that financial institutions can lose data, Seaver said that in the past two years there has been a growing focus on data integrity and data availability.

“As a result, financial services firms have been struggling this past year with things like the encryption of sensitive data at rest due to regulatory pressure,” he said.

Other areas of concern and debate in the past year have included how to create and maintain a cyber security culture to support IT controls, identifying key data assets, breach reporting and recovery plans, he said.

“Breach reporting is becoming increasingly complex, especially with most regulators expecting breaches to be reported, once discovered, within a fairly short timeframe,” said Seaver. “One financial sector regulation in Singapore requires notification within just one hour of discovery.

“There are also increasing regulatory requirements for financial institutions to be able to recover their core systems within timeframes that are nearly impossible.”

Looking ahead, Seaver said organisations should note the increased focus in financial sector regulations around penetration testing and red teaming, having adequate resources to recover from cyber attacks, business continuity capabilities, the ability to quantify and mitigate cyber risks, back-up capabilities to avoid ransomware attacks, and being able to demonstrate adequate cyber security skills.

The obvious “biggie” for 2018, said Bonner, is the EU’s General Data Protection Regulation (GDPR). “And while there has been a lot of focus on the compliance deadline of 25 May, there are things that need to be done after that,” he said.

Many organisations have concentrated on manual solutions and other quick-fix options to be in a “good position” for the compliance deadline, said Bonner. “But there isn’t necessarily an adequate level of preparation for achieving a sustainable, long-term view,” he added.

Three key areas are likely to attract the attention of the regulator, said Bonner – crises, complaints and crusaders.

“So if you have a massive data breach or accidentally sell 87 million people’s data, then the regulator is going to pay attention,” he said.

“While it is generally not possible to control when you have a crisis, quite often the cause of these crises is a cyber security incident, so it is worth information security teams in organisations engaging with the privacy teams to help understand where the organisation’s core risks lie, so they can prepare for these crises. A good response makes a huge difference.”

Another thing that “absolutely attracts regulator attention”, said Bonner, is “pockets of complaints”, because even if the regulator does not have the resources to follow up on every single isolated complaint, if there are several customer complaints about a single organisation, the regulator will pay attention.

“The lack of resources means that regulators will draw conclusions based on the nature and volume of the complaints,” he said. “So it could be by chance that a couple of entirely separate parts of your organisation have an issue that gets escalated to the regulator, but the conclusion will be that the organisation has a systemic problem. So making sure you can manage complaints well is very important.”

Two of the most likely drivers of complaints, and therefore areas that organisations need to focus on, are poorly handled data subject access requests and unsolicited emails and texts, said Bonner.

“In this context, security professionals can help the privacy team by helping them to know where to look for the personal data needed for subject access requests,” he said. “Helping shorten the time it takes to respond will reduce the likelihood of complaints.”

Information security professionals also have a role in helping organisations to ensure they are not spamming customers and that communications teams within organisations are following best practices, he said.

Thirdly, said Bonner, organisations need to understand that there are “crusaders” who are dedicated to finding and highlighting privacy issues.

“This means those parts of your privacy programme that are exposed externally, such as privacy notices, and privacy policies need to be updated and reviewed constantly to ensure that all the advice they contain is accurate, so your organisation does not appear among the worst organisations in any privacy policy league tables,” he said.

Again, security professionals have a role to play because they should have a good inventory of their organisation’s external-facing websites, said Bonner. “Security teams typically scan external-facing websites for security risks, and may be able to extend that to identify privacy notices to ensure they are being kept up to date and that any outdated ones are removed.”