Date post: | 25-Jul-2016 |
Cyber Security for the Funds Industry @mhclawyers Wednesday, 13 January 2016
Speakers and topics
• Fionán Breathnach, Partner, Head of Investment Funds – Topic: Cyber Security and the Central Bank
• Jeanne Kelly, Partner, Commercial – Topic: Cyber Security Management Strategies
• Oisín Tobin, Senior Associate, Technology, Media & Communications – Topic: Cyber Risk: Questions to Ask
Themed Inspections
• One of the Central Bank’s Enforcement Priorities for 2015
• Themed Inspections during April – June 2015
• Fund Service Providers, Stockbrokers & Investment Firms
• Funds not inspected
• Resulted in two items of correspondence to industry:
  → an email of 15 July 2015
  → Dear CEO Letter of 22 September 2015
Email of 15 July 2015
• Not publicly disseminated
• Sent to Fund Service Providers, Stockbrokers and Investment Firms
• Reminder that firms must have robust cyber security procedures, to include:
  → call-back procedure for redemptions
  → security questions to verify the client
  → document the call-back
  → audio recording of the call
  → verify authenticity where payment to a third-party bank account is requested
Dear CEO Letter 22 September 2015
• “…appropriate levels of security are required to be in place…”
• “…it is the board’s responsibility…”
• “…the board should develop a culture of security and resilience…”
• “Examples of best practice are set out in Appendix A”
• “Firms may find the questionnaire attached at Appendix B useful when carrying out a self-assessment…”
Status of Dear CEO Letter
• Sent to Fund Service Providers, Stockbrokers, Investment Firms and Funds
• “….where there is non-compliance….the Central Bank will have regard to these recommendations….”
• Likely to form part of the standard regulatory cycle of reviews
• Questionnaire may be required to be completed as part of such reviews
• Recommendations only
• However, there are various regulatory requirements to have procedures designed to ensure that all applicable risks can be identified, monitored and managed at all times.
What we are seeing
• Standing board agenda item
• Fund directors requesting service providers to present on cyber security
• Gap analysis against Central Bank recommendations
• Questionnaire being considered and completed
• Varying approaches to the call-back procedure (email of 15 July)
Cyber Security Strategies for the Funds Industry
Jeanne Kelly Partner Technology, Media & Communications
1. Education/awareness
2. Accountability (turnover fines anyone?)
3. Action (update documents, stress-test your systems)
4. Risk management/insurance
5. Multiple regulators
Education/awareness
• Key is knowing your risks
• Know your data sets and which are most at risk, and why
• Know your history of regulator interaction
• Know your exposure to third party default
• Have best-in-class policies and contracts
• Several regulators
• When is the last time your teams had specialised cyber-security training?
Action
• Do you know what to do if a data breach occurs?
• How would you handle a whistle-blower in this area ?
• Could you verify effectiveness of your compliance programs?
• Is all of this left to your IT personnel/DPO? (“CIO?”)
• Are you truly audit-ready?
• How much of the Central Bank’s Best Practice Guide requires changes to implement, in your organisation?
• Resources?
Key Take-aways
1. Know the cyber risks your operations are most exposed to
2. Manage those risks, insurance/contracts/vendor selection
3. Ensure your executive staff are supported in this (= resourced)
4. Lead from the top, and learn this language fluently, or hire!
5. Support training +testing and be an advocate for data integrity
6. Board packs need to address the issue, “comprehensively”
7. Where is your contingency plan? Written data destruction policy? Incident response policy?
Cyber Risk: Questions to Ask
Q 1: Are we being transparent?
Data must be obtained “fairly”
→ Must be transparent about the reason the data is being collected and the purpose for which the data will be used.
→ Data must not then be put to a further “incompatible” use
Practical Lesson:
→ Work out in advance why the data is needed
→ State this purpose in the Privacy Policy
→ Remember that permitted uses are defined by the disclosures made
Q 2: Do we have consent?
Usually (but not always) required
→ If non sensitive: can be implied consent
→ If sensitive: explicit consent
Practical Lesson:
→ Have a privacy policy
→ Build “consent event” into the new customer experience
→ [If online] consider “in line”/ contextual explanations
Q 3: How long are we retaining data for?
Personal data can only be stored for as long as is necessary
→ DPC takes an “evidence based approach”
→ No retention “just in case”
Practical Lesson:
→ Have clear retention/ deletion policies
→ Build into the code
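An added example of what “build into the code” can look like in practice (illustrative code written for this page, not code from the presentation or from Mason Hayes & Curran): retention is driven by the purpose each record was collected for, records whose period has run are deleted and written to an audit log, and a record with no documented purpose is refused rather than kept, which is the “no retention just in case” point. The purposes, retention periods, record layout and sample records are all assumptions for the example, not figures from the slides.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention schedule keyed by the purpose the data was collected for.
# Purposes and periods are assumptions for this example; in practice they
# are taken from the firm's written retention policy.
RETENTION = {
    "kyc": timedelta(days=5 * 365),             # identity / AML evidence
    "marketing": timedelta(days=365),           # consent-based contact data
    "call_recording": timedelta(days=2 * 365),  # recorded redemption call-backs
}


@dataclass
class Record:
    record_id: str
    purpose: str
    # Date from which the retention clock runs (e.g. end of the relationship
    # or the event that justified collecting the data).
    retention_starts: datetime


class RetentionPolicyError(ValueError):
    """A record with no purpose in the schedule has no basis to be kept."""


def retention_deadline(rec: Record) -> datetime:
    """Date after which the record must be deleted, per its purpose."""
    try:
        period = RETENTION[rec.purpose]
    except KeyError:
        raise RetentionPolicyError(
            f"{rec.record_id}: no retention period defined for purpose {rec.purpose!r}"
        )
    return rec.retention_starts + period


def expired(records, now: datetime):
    """IDs of records whose retention deadline has passed at `now`."""
    return [r.record_id for r in records if retention_deadline(r) <= now]


def apply_retention(store: dict, now: datetime):
    """Delete expired records from `store` in place and return audit entries.

    The deadline is computed for every record first, so an undefined purpose
    aborts the run before anything is deleted.
    """
    doomed = expired(list(store.values()), now)
    audit = []
    for rid in doomed:
        rec = store.pop(rid)
        audit.append({
            "record_id": rid,
            "purpose": rec.purpose,
            "deadline": retention_deadline(rec).isoformat(),
            "deleted_at": now.isoformat(),
        })
    return audit


def sample_store(now: datetime) -> dict:
    """Constructed sample data (not real records)."""
    return {
        "r1": Record("r1", "kyc", now - timedelta(days=6 * 365)),           # past 5y: delete
        "r2": Record("r2", "kyc", now - timedelta(days=365)),               # within 5y: keep
        "r3": Record("r3", "marketing", now - timedelta(days=400)),         # past 1y: delete
        "r4": Record("r4", "call_recording", now - timedelta(days=100)),    # within 2y: keep
    }


def demo():
    """Run the retention job over the sample store; returns (deleted, kept)."""
    now = datetime(2016, 1, 13, tzinfo=timezone.utc)
    store = sample_store(now)
    audit = apply_retention(store, now)
    return sorted(e["record_id"] for e in audit), sorted(store)


def unknown_purpose_is_rejected() -> bool:
    """A record kept 'just in case', with no purpose, must fail the run."""
    now = datetime(2016, 1, 13, tzinfo=timezone.utc)
    store = {"x": Record("x", "just_in_case", now)}
    try:
        apply_retention(store, now)
    except RetentionPolicyError:
        return True
    return False


if __name__ == "__main__":
    print(demo())                         # (['r1', 'r3'], ['r2', 'r4'])
    print(unknown_purpose_is_rejected())  # True
```

The job is deliberately purpose-driven rather than age-driven: the same personal data can carry different retention periods depending on why it was collected, and an audit entry per deletion gives the evidence-based record the DPC looks for.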
Q 4: Are we collecting unnecessary data?
Data should only be collected if necessary
→ PR risks
Practical Lesson:
→ Identify necessary data/permissions
→ Only ask for that (apps)
→ Delete unnecessary data
Q 5: Are we keeping the data secure?
Must have “appropriate security measures”, having regard to:
→ State of technology
→ Cost of implementation
→ Nature of data and potential harm if a breach occurs
If subcontracting?
→ impose equivalent obligations via contract
Practical Lesson
→ Deploy appropriate resources to security
→ Manage outsourcing carefully
Q 6: Are we giving the data to third parties?
→ Are they controllers or processors?
→ i.e. on whose behalf will they use the data?
→ If controllers: likely need consent
→ If processors: special written contract terms required
→ (Administrators are processors)
Practical Lesson:
→ Carefully review disclosures of data
→ Make sure legal requirements (disclosures, contracts) are dealt with
Q 7: Is the data leaving Europe?
Within EEA – no issue
If outside EEA:
→ Ok if approved country, e.g. Canada
→ otherwise safeguards are required
Key safeguards
→ Model Contractual Clauses
Practical Lesson:
→ Know where your data is going!
→ Deploy the safeguards where required
Key Takeaways
Data protection rules impose restrictions on funds
Dealing with these is not just a legal issue
Funds can engage third parties to practically discharge these obligations, but the risk remains with the fund
Thank you. For any queries on upcoming events, please contact [email protected] @mhclawyers
Contact Details
Fionán Breathnach
Partner, Head of Investment Funds
Mason Hayes & Curran
t: +353 1 614 5080
m: +353 86 172 3740
@mhclawyers
Contact Details
Jeanne Kelly
Partner
Mason Hayes & Curran
t: +353 1 614 5088
m: +353 86 2382199
@mhclawyers
Contact Details
Oisín Tobin
Senior Associate
Mason Hayes & Curran
t: +353 1 614 5270
m: +353 86 021 5362
@mhclawyers