Cyber Security for the Funds Industry Jan 2016

Date post: 25-Jul-2016
Transcript


Cyber Security for the Funds Industry @mhclawyers Wednesday, 13 January 2016


Welcome – Fionán Breathnach, Partner, Head of Investment Funds, Mason Hayes & Curran

Speakers and topics

• Fionán Breathnach, Partner, Head of Investment Funds – Topic: Cyber Security and the Central Bank

• Jeanne Kelly, Partner, Commercial – Topic: Cyber Security Management Strategies

• Oisín Tobin, Senior Associate, Technology, Media & Communications – Topic: Cyber Risk: Questions to Ask

Cyber Security and the Central Bank

Fionán Breathnach, Partner, Mason Hayes & Curran

Themed Inspections

• One of the Central Bank’s Enforcement Priorities for 2015

• Themed Inspections during April – June 2015

• Fund Service Providers, Stockbrokers & Investment Firms

• Funds not inspected

• Resulted in two items of correspondence to industry:

  – an email of 15 July 2015

  – Dear CEO Letter of 22 September 2015

Email of 15 July 2015

• Not publicly disseminated

• Sent to Fund Service Providers, Stockbrokers and Investment Firms

• Reminder that firms must have robust cyber security procedures, to include:

  – call-back procedure for redemptions

  – security questions to verify client

  – document the call-back

  – audio recording of the call

  – verify authenticity where payment to a 3rd party bank account is requested

Dear CEO Letter of 22 September 2015

• “…appropriate levels of security are required to be in place…”

• “…it is the board’s responsibility…”

• “…the board should develop a culture of security and resilience…”

• “Examples of best practice are set out in Appendix A”

• “Firms may find the questionnaire attached at Appendix B useful when carrying out a self-assessment…”

Status of Dear CEO Letter

• Sent to Fund Service Providers, Stockbrokers, Investment Firms and Funds

• “…where there is non-compliance…the Central Bank will have regard to these recommendations…”

• Likely to form part of standard regulatory cycle of reviews

• Questionnaire may be required to be completed as part of such reviews

• Recommendations only

• However, various regulatory requirements to have procedures designed to ensure that all applicable risks can be identified, monitored and managed at all times.

What we are seeing

• Standing board agenda item

• Fund directors requesting service providers to present on cyber security

• Gap analysis against Central Bank recommendations

• Questionnaire being considered and completed

• Varying approaches to call-back procedure (email of 15 July)

Cyber Security Strategies for the Funds Industry

Jeanne Kelly, Partner, Technology, Media & Communications

1. Education/awareness

2. Accountability (turnover fines anyone?)

3. Action (update documents, stress-test your systems)

4. Risk management/insurance

5. Multiple regulators

Cyber Security Strategies for the Funds Industry

Education/awareness

• Key is knowing your risks

• Know your data sets and which are most at risk, and why

• Know your history of regulator interaction

• Know your exposure to third party default

• Have best-in-class policies and contracts

• Several regulators

• When is the last time your teams had specialized cyber-security training?

Action

• Do you know what to do if a data breach occurs?

• How would you handle a whistle-blower in this area?

• Could you verify the effectiveness of your compliance programs?

• Is all of this left to your IT personnel/DPO? (“CIO?”)

• Are you truly audit-ready?

• How much of the Central Bank’s Best Practice Guide requires changes to implement, in your organisation?

• Resources?

Key Take-aways

1. Know the cyber risks your operations are most exposed to

2. Manage those risks: insurance/contracts/vendor selection

3. Ensure your executive staff are supported in this (= resourced)

4. Lead from the top, and learn this language fluently, or hire!

5. Support training + testing and be an advocate for data integrity

6. Board packs need to address the issue, “comprehensively”

7. Where is your contingency plan? Written data destruction policy? Incident response policy?


Cyber Risk: Questions to Ask

Oisín Tobin, Senior Associate, Technology, Media & Communications

Q1: Are we being transparent?

Data must be obtained “fairly”

→ Must be transparent about the reason the data is being collected and the purpose for which the data will be used.

→ Data must not then be put to a further “incompatible” use

Practical Lesson:

→ Work out in advance why the data is needed

→ State this purpose in the Privacy Policy

→ Remember that permitted uses are defined by the disclosures made

Q2: Do we have consent?

Consent is usually (but not always) required

→ If non-sensitive: can be implied consent

→ If sensitive: explicit consent

Practical Lesson:

→ Have a privacy policy

→ Build a “consent event” into the new customer experience

→ [If online] consider “in line”/contextual explanations

Q3: How long are we retaining data for?

Personal data can only be stored for as long as is necessary

→ DPC takes an “evidence based approach”

→ No retention “just in case”

Practical Lesson:

→ Have clear retention/deletion policies

→ Build into the code

Q4: Are we collecting unnecessary data?

Data should only be collected if necessary

→ PR risks

Practical Lesson:

→ Identify necessary data/permissions

→ Only ask for that (apps)

→ Delete unnecessary data

Q5: Are we keeping the data secure?

Must have “appropriate security measures”, having regard to:

→ State of technology

→ Cost of implementation

→ Nature of data and potential harm if a breach occurs

If subcontracting:

→ impose equivalent obligations via contract

Practical Lesson:

→ Deploy appropriate resources to security

→ Manage outsourcing carefully

Q6: Are we giving the data to third parties?

→ Are they controllers or processors?

→ i.e. on whose behalf will they use the data?

→ If controllers: likely need consent

→ If processors: special written contract terms required

→ (Administrators are processors)

Practical Lesson:

→ Carefully review disclosures of data

→ Make sure legal requirements (disclosures, contracts) are dealt with

Q7: Is the data leaving Europe?

Within EEA – no issue

If outside EEA:

→ OK if approved country, e.g. Canada

→ otherwise safeguards are required

Key safeguards

→ Model Contractual Clauses

Practical Lesson:

→ Know where your data is going!

→ Deploy the safeguards where required

Key Takeaways

Data protection rules impose restrictions on funds

Dealing with these is not just a legal issue

Funds can engage third parties to practically discharge these obligations, but the risk remains with the fund

Q&A

Thank you

For any queries on upcoming events, please contact [email protected] @mhclawyers

Contact Details

Fionán Breathnach

Partner

Head of Investment Funds

Mason Hayes & Curran

t: +353 1 614 5080

m: +353 86 172 3740

e: [email protected]

@mhclawyers

Contact Details

Jeanne Kelly

Partner

Mason Hayes & Curran

t: +353 1 614 5088

m: +353 86 238 2199

e: [email protected]

@mhclawyers

Contact Details

Oisín Tobin

Senior Associate

Mason Hayes & Curran

t: +353 1 614 5270

m: +353 86 021 5362

e: [email protected]

@mhclawyers

