People are busy thinking about new regulation, and one that is just over a year away is the EU’s General Data Protection Regulation (GDPR). Whilst GDPR will not apply directly in Guernsey, the third-country provisions in the EU regulation mean that Guernsey (and other third countries) will need to implement new data protection legislation to be deemed “equivalent” and to continue dealing with customers within the EU.
What is Cyber-Security?
Cyber-security is a collection of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorised access. Elements of cyber-security include:
- Application security
- Information security
- Network security
- Disaster recovery / business continuity planning
- Operational security
- End-user education
A significant problem in cyber-security is the constantly evolving nature of security risks.
Why worry about Cyber-Security?
There are a number of reasons to be concerned about Cyber-Security.
Data Protection legislation will require disclosure of all breaches to the Office of the Data Protection Commissioner. If your systems (and therefore client data) are compromised, this will be a breach. Fines for data protection breaches are going to increase significantly; however, mitigating factors will include the amount of work a business has done proactively to limit the opportunity for cyber-crime.
The Guernsey Financial Services Commission (GFSC) has also issued regulatory guidance on Cyber-Security. This highlights that incidents involving data loss, financial loss or denial of service must be reported to the GFSC. Cyber-Security is a key operational risk consideration and, depending on whether client data is compromised, a business runs the risk of having to report to two regulators.
Another important reason is the need to disclose data protection breaches to affected clients – they need to know that their data has been compromised. Client confidence can take years to build, yet can take minutes to shatter. Do you want yours to be the business with its name in the news for significant loss of client data?
What do we do next?
Cyber-Security should form part of any Information Security and Data Protection Policy and needs to be reviewed on a regular basis. It is not just a consideration for the IT department: within a financial services business, the compliance department will need to be involved in the arrangements being put in place and ensure that they comply with regulatory requirements. Importantly, the board of directors should be aware of both the threat of cyber-crime and the measures being put in place to combat it.
By: Christopher Jehan, Midshore Updates