Programme
GDPR – Ben Travers, Stephens Scown LLP
GDPR tools – Russell Cosway, Gydeline
Cyber Essentials / IASME accreditation – Richard Wilding, PKF Francis Clark
Cyber insurance – Jonathan Cox, Paveys
Data Protection Impact Assessment (DPIA)
• Date/Who/DPO
• Process Name/Purpose
• Legal Basis
• Data Source/Locations
• Who is impacted?
• Description
• How is data deleted?
• What risks/mitigations
• Date of review
What does Gydeline do?
• Checks for compliance against every word of the regulation
• Enables proof of accountability
• Changes as the regulation changes
• Identifies specific actions
• Makes GDPR simpler to understand
Links
• gydeline.com/dpia
• gydeline.com/datamap
FCDEC2017 – 25% discount on lifetime of subscription
Why PKF Francis Clark
• Trusted advisers – experienced auditors
• We offer assurance, not consultancy: assurance against well-known standards approved by Government and the NCSC. Cyber Essentials and IASME are constantly updated and monitored for quality control.
• Some additional services can be offered
General Data Protection Regulations 2018
• GDPR has two main sides to it
• The two main areas of GDPR that organisations need to look at:
Data subject rights and the need for ‘informed consent’
Good standards of information security
• Cyber Essentials is a great first step
• IASME demonstrates a wider governance system for data controls
Cyber Essentials
• Self-assessment questionnaire for the company to complete
• Covers 5 key areas/71 questions
• We provide upfront assistance (1 day needed) to support how to complete and progress
• It is submitted via a secure portal for us to assess
• Basic vulnerability scan performed
• Assessor feedback provided
• Once successful, the Cyber Essentials logo can be used for 12 months
• Limited insurance included; can help reduce the cost of further cyber insurance cover
Cyber Essentials PLUS
• We audit and test the 5 key control areas
• Includes detailed vulnerability and limited penetration testing
• A report is then issued
• Once successful, the Cyber Essentials PLUS logo can be used for 12 months
• Can help to reduce cyber insurance further
IASME (Information Assurance for Small and Medium Enterprises)
• IASME – two levels: Standard and Gold
• 180 questions (including those in Cyber Essentials)
• Includes GDPR specific questions
• Akin to ISO27001
• A report is then issued
• Once successful, the IASME logo can be used for 12 months
Next steps
• See brochure in pack
• Complete form
• Chat with us after this event
• Contact your PKF Francis Clark adviser or e-mail: [email protected]
Disclaimer & copyright
(c) copyright PKF Francis Clark, 2017
You shall not copy, make available, retransmit, reproduce, sell, disseminate, separate, licence, distribute, store electronically, publish, broadcast or otherwise circulate either within your business or for public or commercial purposes any of (or any part of) these materials and / or any services provided by PKF Francis Clark in any format whatsoever unless you have obtained prior written consent from PKF Francis Clark to do so and entered into a licence. To the maximum extent permitted by applicable law PKF Francis Clark excludes all representations, warranties and conditions (including, without limitation, the conditions implied by law) in respect of these materials and / or any services provided by PKF Francis Clark. These materials and / or any services provided by PKF Francis Clark are designed solely for the benefit of delegates of PKF Francis Clark. The content of these materials and / or any services provided by PKF Francis Clark does not constitute advice and whilst PKF Francis Clark endeavours to ensure that the materials and / or any services provided by PKF Francis Clark are correct, we do not warrant the completeness or accuracy of the materials and / or any services provided by PKF Francis Clark; nor do we commit to ensuring that these materials and / or any services provided by PKF Francis Clark are up-to-date or error or omission-free. Where indicated, these materials are subject to Crown copyright protection.
Re-use of any such Crown copyright-protected material is subject to current law and related regulations on the re-use of Crown copyright extracts in England and Wales. These materials and / or any services provided by PKF Francis Clark are subject to our terms and conditions of business as amended from time to time, a copy of which is available on request. Our liability is limited and to the maximum extent permitted under applicable law PKF Francis Clark will not be liable for any direct, indirect or consequential loss or damage arising in connection with these materials and / or any services provided by PKF Francis Clark, whether arising in tort, contract, or otherwise, including, without limitation, any loss of profit, contracts, business, goodwill, data, income or revenue. Please note however, that our liability for fraud, for death or personal injury caused by our negligence, or for any other liability is not excluded or limited.
PKF Francis Clark is a trading name of Francis Clark LLP. Francis Clark LLP is a limited liability partnership, registered in England and Wales with registered number OC349116. The registered office is Sigma House, Oak View Close, Edginswell Park, Torquay TQ2 7FF where a list of members is available for inspection and at www.pkf-francisclark.co.uk. The term ‘Partner’ is used to refer to a member of Francis Clark LLP or to an employee. Registered to carry on audit work in the UK and Ireland, regulated for a range of investment business activities and licensed to carry out reserved legal activity of non-contentious probate in England and Wales by the Institute of Chartered Accountants in England and Wales. Partners acting as insolvency practitioners are licensed in the UK by the Institute of Chartered Accountants in England and Wales. A partner appointed as Administrator or Administrative Receiver acts only as agent of the insolvent entity and without personal liability. Francis Clark LLP is a member firm of the PKF International Limited network of legally independent firms and does not accept responsibility or liability for the actions or inactions on the part of any other individual member firm or firms.
Insurance Cover – Cyber &/or Crime
The Threats
Why Do Businesses Need Cyber Insurance?
Claims
Reducing risk
Q&A
Cyber &/or Crime
Cyber Liability Insurance provides businesses with protection against financial loss resulting from the loss of personal and/or corporate data. Cover addresses first- and third-party risks ranging from the loss of a single laptop or file to the hacking of a company's website or network.
Main policy triggers:
• Security breach
• Data breach
• Operational failure
Crime Insurance provides businesses with protection against financial loss resulting from criminal or fraudulent taking, obtaining or appropriation of money, securities, funds or property.
The Threats
NEGLIGENT EMPLOYEE
• Send wrong data
• Loss of hardware (mobile theft)
• Victim of phishing, vishing
OUTSIDERS
• Denial of Service
• Theft of Data
• Hacktivism
Crime Syndicate
• Denial of Service
• Theft of Data
Government Agencies / Industrial Espionage
• Denial of Service
• Malware
• Extortion
• Shut Down Infrastructure
• Advanced Persistent Threats
Data at risk
• Credit / Banking details
• Government ID
• Personally Identifiable Info
• Protected Health Info
• Corporate Information
SOCIAL NETWORKING
ROGUE EMPLOYEE
• Physical Theft
• Steal Data
• Competitive advantage
• Sell to criminals
• Extortion
VENDORS
Cloud
• Network Interruption
• Theft of Data due to Security Failures
• Unauthorized Access of Data
• Loss of Data
Data Centers
• Network Interruption
• Physical Theft of Servers
• Theft of Data due to Security Failure
Outside Providers
• Network Interruption
• Backdoor Intrusion
Employees: Negligent Employees, Rogue Employees
It’s all about Balance Sheet Protection…
• First Response Costs
• Third-party (TP) liability
• Fines
• Loss of Revenue
• Brand / Reputational Damage
• Loss of Intellectual Property
• Contractual Liability
• Share Price
Cyber claims received by AIG EMEA (2013-2016), by industry (chart)
* Other: Construction, Food & Beverage, Information Services, Other Services, Transportation, Agriculture & Fisheries, Energy and Real Estate
Claims Examples
• Cloud service provider accidentally decommissioned a live server (PI claim?)
• Confidential waste bins stolen
• Older server handed to a bogus courier
• Legal papers (EPL issues) sent to the wrong person
• Details of delayed products and refund option sent to 250 people in error
• IT consultant providing HR services: attempted hack
• Insurance brokers crypto-locked
Claims Examples: Hacking & Impersonation
A fraudster hacked into the company’s email system to gain information about its organisational structure. During telephone calls with a member of staff in the finance department the fraudster mimicked the voice of the company CEO. It was strongly suspected that the fraudsters listened to his voice on a webcast and had practised it to perfection.
The requested payments were supposedly for a confidential acquisition that only senior management knew about, and the fraudster provided forged invoices containing forged signatures to the member of staff contacted.
Reducing the risk to your business
• Ensure your software is up to date and that you have the latest anti-virus software installed, as updates are released frequently to help combat the most recent cyber threats.
• Staff training is essential. Educate your employees on how to recognise suspicious emails and browse the internet safely. Cyber awareness should be included as part of your induction process and revisited in regular refresher sessions.
• Ensure you have an incident response plan in place which you can call upon in the event of a breach or interruption. This should include technical measures that enable the recovery of systems, operations and data, and a communication strategy if necessary.
• If you are looking for additional advice and guidance on prevention, we would recommend the Cyber Essentials website, a government-backed cyber security certification scheme that sets out a good baseline of security suitable for all organisations across all sectors.
Reducing Risk: Identify, Analyse, Control, Transfer