Wealth & Finance International - Q3 2019
www.wealthandfinance-news.com

Checklist For Third Party Risk: Key Considerations For Businesses To Safeguard Their Data

Organisations are increasingly aware that they should take their own cyber security and compliance requirements seriously. However, what security measures are in place at their third parties? AJ Thompson, CCO of Northdoor plc, explores the issue in more detail.

Securing Internal Systems

Now that the General Data Protection Regulation (GDPR) is in force, organisations have become conscious of the significant legal requirements it imposes and of the business risks posed by cyber security breaches. Many have begun to devote substantial resources to identifying and eliminating internal vulnerabilities and to mitigating their exposure to cyber security incidents and to GDPR non-compliance. Organisations are beginning to address cyber security and privacy risk management from multiple angles, including investing in robust IT security systems, conducting employee security awareness training, considering the purchase of cyber security-related insurance policies and developing a data breach response plan so that they can meet GDPR's requirement to notify the supervisory authority within 72 hours of becoming aware of a personal data breach.

Third Party Risk

An important but sometimes overlooked element of that process is third-party risk assessment, or data processor risk management. Under GDPR, a controller may only use processors that provide sufficient guarantees of compliance, and when asked, organisations must be able to demonstrate to the regulator that their third-party service providers have good cyber security and privacy controls in place. As we have seen from many breaches, a company's security is only as strong as the cyber security of its third-party service providers. These are the key issues organisations must consider in mitigating the cyber security and data privacy risk arising from third-party service providers.

Take Stock of Existing Vendor Relationships

Does your organisation store information in the cloud? Do you use a vendor to host your website? These are important questions to consider; the first step for any organisation is to ensure that it has a complete understanding of who has access to what data. These days most, if not all, organisations provide some kind of data or systems access to at least some third-party providers, whether the vendor is a payroll services provider, a business consultant, a data storage provider, a printing services provider, a payment processor, a lawyer, an IT support provider or even the company providing facilities management for your building. An inventory of these relationships is a requirement of any third-party risk management assurance programme. As well as understanding who these providers are and what information you exchange with them, whether or not it has been classified as personal data, under GDPR you also need to be clear on who is the data controller and who is the data processor in each relationship. This will help both parties understand which obligations under GDPR apply to them.

Limit Access and Segregate Data

Although it may be necessary to share some data or systems with outside service providers, such access should be granted on a need-to-know basis, in keeping with GDPR's data minimisation principle. One well-publicised and very costly payment card data breach, at Target Corporation, began with the theft of credentials that had been granted to the company that managed Target's heating, ventilation and air conditioning (HVAC) systems, Fazio Mechanical Services. The attackers infected the vendor with general-purpose malware through an email phishing campaign and then used the stolen credentials against Target. While many lessons can be gleaned from Target's misfortune, one of the most obvious is that the compromise of an HVAC vendor's credentials should never have led to the compromise of a company's payment system data. This could have been mitigated by segregating the network used for HVAC access from the company's payment card systems network, so that the vendor's credentials were only ever valid for the systems the vendor actually needed.
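The segregation the Target example calls for, as an added illustration that is not part of the original article: an nftables ruleset for a Linux firewall sitting between a vendor's remote-access segment, the building management system (BMS) hosts the vendor services, and the cardholder data environment (CDE). The address ranges, host addresses, ports and log prefixes are assumptions chosen for the example; the policy is default deny, with the vendor segment allowed to reach only the BMS hosts on the protocols the contract names.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the article. All addresses, ports and names below
# are assumptions for illustration; substitute your own address plan.
flush ruleset

table inet segmentation {
    # Assumed: the VLAN the HVAC vendor lands on when it connects remotely.
    set hvac_vendor_net {
        type ipv4_addr
        flags interval
        elements = { 10.50.0.0/24 }
    }

    # Assumed: the only hosts the vendor has a business need to reach.
    set bms_hosts {
        type ipv4_addr
        elements = { 10.20.5.10, 10.20.5.11 }
    }

    # Assumed: the cardholder data environment (payment systems).
    set cde_net {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16 }
    }

    chain forward {
        # Default deny: any traffic not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Need-to-know at the network layer: the vendor segment may reach
        # only the BMS hosts, and only on the assumed contracted protocols
        # (HTTPS for the vendor's management portal, BACnet/IP for the
        # building controllers).
        ip saddr @hvac_vendor_net ip daddr @bms_hosts tcp dport 443 accept
        ip saddr @hvac_vendor_net ip daddr @bms_hosts udp dport 47808 accept

        # Any attempt from the vendor segment to reach the CDE is counted,
        # logged and dropped. The log line is the detection hook: a vendor
        # account probing payment systems is an incident, not noise.
        ip saddr @hvac_vendor_net ip daddr @cde_net counter log prefix "vendor-to-cde: " drop

        # The BMS hosts must not become a stepping stone into the CDE either.
        ip saddr @bms_hosts ip daddr @cde_net counter log prefix "bms-to-cde: " drop
    }
}
```

Load it with `nft -f <file>` and confirm the intended shape with `nft list ruleset`. Two caveats a practitioner would add: the firewall rule only limits where a stolen credential can be used from the network's point of view, so the vendor's account should also be scoped to the BMS application alone rather than to a general-purpose portal; and the two logging drop rules are only useful if something reads them, so forward the kernel log to the SOC and alert on the prefixes.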
Fazio Mechanical Services could also have reduced its exposure to phishing attacks by running regular cyber security awareness training for its staff.

Review Existing Contracts

A written contract is the crucial foundation of a relationship with a third-party service provider. Indeed, under GDPR, a processor's activities must be governed by a binding contract with the controller. Your organisation should review existing vendor contracts with an eye towards mitigating cyber security risk. A number of contractual protections can help to manage such risk:

• Consider extending your own security policies to service providers. Contracts can include provisions requiring providers to comply with specified cyber security procedures and technical controls. It also helps if these are built around a recognised security framework such as the NIST Cybersecurity Framework, ISO/IEC 27001 or the CIS Controls.
• Consider requiring the vendor to make representations or warranties regarding its cyber security practices, or authorising your organisation to audit the vendor's ability to meet and sustain your security expectations.
• Require the service provider to notify you promptly of any security incident it experiences, within a defined time limit that leaves you room to meet your own 72-hour notification duty. Such a provision might also define your organisation's right to control any response or disclosure to third parties in the event of an incident.
• Require good security controls and limit downstream transfers of your data, in particular personal data under GDPR, to sub-processors; under GDPR a processor may not engage a sub-processor without the controller's authorisation.
• Require the vendor to destroy or return all copies of your data, in the manner you specify, on termination of the relationship.