Cyber security – is your board protected?
In direct response to security threats, Waystone has established a dedicated Cyber Security Solution and can now offer its clients a best-in-class cyber security service. Board members are not expected to be cyber security experts, and Waystone offers them the assistance they need to meet their current obligations.
Waystone Group Company
With over 75 years of combined Information Security and Data Protection experience, Waystone offers advisory services at C-suite and board level, with a focus on cyber, information security and data protection issues. Waystone's services help clients assess information security threats, identify weaknesses, prevent cybercrime, implement a sustainable and pragmatic programme of information security improvements and embed a security culture within the organisation. Waystone was one of the first companies in Ireland to be certified to ISO/IEC 27701, the international standard for privacy information management, which extends ISO/IEC 27001 to the handling of personal data under GDPR and the Data Protection Act.
Setting the Standard in Data Protection
Working with large corporate organisations and public sector bodies, Waystone played a key role over the past year in its work with Ireland's HSE on the acceptance of the Irish COVID Tracker app. Waystone's role focused on data protection and cyber security, and its work on the project was recognised as an InfoSec first within the industry. The high take-up rate of the app, which is widely regarded as a gold standard, reflects industry and public confidence in the information security and data protection work carried out by Waystone.
How to Tackle the Rise in Cybercrime
To find out more about Waystone and its Cyber Security Offering and to hear more from our cyber security professionals, watch our webinar. Our experts discuss the reasons for, and implications of, an increase in cybercrime, our response to it and our best-in-class service offering.
Cyber Security Webinar Participants:
- Conor Flynn, Chief Information Security Officer, Waystone
- Sinéad McDonald, Director – Data Protection, Waystone
- Jason Poonoosamy, Deputy Chief Executive Officer, Waystone
Jason: My name is Jason Poonoosamy. I’m deputy CEO with Waystone. Thank you for joining us today. And we’re here to discuss both cybersecurity and the related issue of data protection, particularly as they relate to Irish fund boards. With me are Conor and Sinead from the Compliance Services Division within Waystone, and I’ll hand over to Conor and Sinead to introduce themselves.
Conor: Good morning, and thank you, Jason, for that. My name is Conor Flynn. I've worked in the information security business for the last 30 years or so, and I founded ISAS in 2011. And in April 2021, as Jason mentioned, we came together with three other companies to form Waystone Compliance Services. I'm now Chief Information Security Officer with Waystone.
Over the years, I’ve been a cyber advisor to key government departments, state bodies, and then in the private sector with financial services companies. And we’ve had a strong focus in the regulated environment with startups in both the fintech and the RegTech sector. I’m going to hand over to Sinead now to introduce herself.
Sinead: Hi, my name is Sinead McDonald. I joined ISAS in 2017, just before GDPR came into force. I have a background in law, regulation, and the financial services sector. I worked for 17 years in a multinational, and it's nice to see some of my former colleagues attending here today. It's good to see them.
Currently, I act as a data protection officer for a number of public sector clients that we have and also in the fintech sector, as well as social media and a political party. We offer DPO as a service and we also offer data protection services.
Jason: Thanks very much, Sinead. So, as I mentioned, we're here to discuss cybersecurity and data protection issues as they relate specifically to fund boards. Now, based on the discussions that we've had with independent directors, investment managers, and the funds community in general, it seems that there's a very specialist requirement for cybersecurity and data protection, and it doesn't, or can't, just fall within the standard due diligence anymore.
The Impact of Cybersecurity on the Financial and Funds Industries
So, Conor and Sinead, before we get into that, maybe just in terms of context, could you give us a few examples of how cybersecurity has affected the financial industry and the fund industry in particular?
M.J. Brunner Ransomware Attack
Sinead: Sure, I might start here, Jason. So, in a recent report by the European Commission, they have indicated that the incidence of cybersecurity events has increased by 38% since the start of the pandemic. And for the audience here today, probably the most notable one, and the one that was publicized the most, was the one in April 2020 involving M.J. Brunner, a U.S.-based service provider to a number of investment managers and advisors. They were the victim of a ransomware attack, and when they failed to pay the ransom, the hackers disclosed a lot of company data online, including the personal data of investors.
Because personal data was involved, the personal data of investors, a number of organizations had to report the incident to the Data Protection Commission here in Ireland and to follow through on that report and to keep the Data Protection Commission up to speed on the investigation and any mitigating factors that were put in place to prevent this happening again.
CNA Financial’s $40 Million Ransom Payment
Conor: I'm going to highlight some further examples of the scourge we are now dealing with at a global level, ransomware, which Sinead touched on there and which has touched so many parts of society. But in the financial services sector, we also saw this year that a company called CNA Financial was hit with ransomware, and they ended up paying a ransom of $40 million because their systems were so badly compromised. They did not have the resilience and the ability to recover from an incident in place, and they couldn't meet their customer service level requirements. So, they ended up having to pay this $40 million ransom to get themselves back online.
Impact of Ransomware on the Irish Health Service Executive
We've also seen the ransomware outbreak that happened within the Health Service Executive in Ireland. That has touched the lives of everybody living here in Ireland, and the impact is still being felt, no more so than when it comes to the state's purse, where we are looking at a final bill probably in excess of €750 million based on current estimates, and possibly up to a billion euro. So, from a tangible event perspective, this is the kind of thing that we are very, very concerned about, and this is the sort of cyber breach that is devastating organizations across the globe.
Regulatory Responses to Cybersecurity
Jason: Okay. So, it’s obviously a very real threat to the community in general and to fund boards as well. In terms of the regulatory response and regulatory drivers behind the whole…dealing with cybersecurity and the data protection aspect of it, Conor, could you give us a bit of flavor as to what the Central Bank is saying?
Conor: Yeah. So, I think the Central Bank, like many regulators across the globe, and particularly what we're focused on here in Europe and Ireland, is looking at the risks and the management of the cyber environment from a funds perspective, and at the service providers operating in that area. Over the last couple of years, starting in 2016, we had a strong focus and guidance from the Central Bank. In 2019, we had the thematic letters that were sent to the CEOs of those operating in the fund area and the financial services area with regard to their preparedness, and the thematic inspections in the areas that they focused on.
And more recently, we've seen the consultation papers issued by the CBI. The two that really spring out to us at the moment from a cyber perspective are CP138 and CP140. CP138 is very focused on outsourcing, and what the Central Bank is trying to do there is get organizations to focus on the risk areas that they have. And in CP140, we've got the whole area of operational resilience. So again, what we're trying to do is bring a focus upon these specific points. CP140 is currently a consultation paper; it will likely become guidance, and there are some very specific guidelines within it.
Guidelines for Cybersecurity Resilience
Guideline 9: Demonstrating Resilience Strategies
Guideline 9 talks about the resilience strategies that a fund and a service provider must be able to demonstrate and they must have evidence of it. And this resilience comes back to the points we mentioned with regard to the breaches like we talked about with M.J. Brunner, with CNA Financial, and the HSE outside of financial services. That resilience is key.
Guideline 12: Incident Management Strategy
But then when something does go wrong, Guideline 12 speaks about the incident management strategy. A lot of the value that's put on an organization today is in how it deals with an incident when it occurs. And this is going to be one of the key things, because we do have to expect that there will be some. We'll do our very best to make sure there isn't any, but it's how you deal with it when it does occur.
Guideline 14: Learning from Cyber Incidents
And Guideline 14 follows on from that very clearly. It says that, well, having had an incident and having dealt with it, what were the lessons learned? How can you improve your process? How can you improve your resilience and make sure that if something else happens again in the future you will deal with it better?
These are some examples of where the CBI is going… and we're seeing other regulators, we're seeing the Digital Operational Resilience Act, and I know Sinead is going to touch on that, but there are other areas in more detail, and this is becoming a very complex area for the regulator to deal with.
International Regulatory Requirements and Guidance
Jason: Okay. And Sinead, from an international perspective there, what are we seeing in terms of regulatory requirements and guidance?
European Digital Operational Resilience Act Proposal
Sinead: I think, as Conor mentioned, the keyword is "resilience". It's mentioned in the UK, in the FSA's and the PRA's guidelines on operational resilience that they published in March of this year. The Principles for Operational Resilience were published in April of this year. And in the U.S., across the Atlantic, they're talking about sound practices to strengthen operational resilience. From a European perspective, what we're looking at now is the Digital Operational Resilience Act. It is a proposal from the European Commission. It forms part of their wider digital finance strategy, and it seeks to create a harmonized approach across the EU, including regulators and the financial services industry.
And the pillars within that proposal are risk management and governance, operational resilience testing, supply chain management, incident reporting and information sharing, audit access, and retrospective analysis.
And while this is still a proposal, again, from the Commission, and has to go through the whole European process with the parliament and with the Council, it is expected to become law in 2022. And it was referred to by the Central Bank in their CP140. So, resilience is a theme that is not going away.
Jason: Okay. And that's interesting, because it seems to be the case that the regulators, both here and abroad, are looking at how it can be done specifically. So, rather than looking at it within the context of traditional operational due diligence, they have carved out and are focusing on both cyber and data protection very specifically.
Challenges for Fund Boards in Translating Guidelines
So, Conor, I guess the challenge here is figuring out exactly how to translate these principles and this guidance to specific requirements for fund boards. So, what do you see as being able to address that challenge? And what are some of the difficulties potentially around implementation?
Conor: I think the challenge for a board is where they’ve engaged with a service provider and the service provider is equally aware of the regulations, but how are they demonstrating to the board that they are actually complying, and they are protecting the board in terms of meeting the obligations and the items that have been listed in the regulation?
And I mentioned some specific items, you know, what’s happening within CP138, for instance, with regard to outsourcing. An example there is risk assessment, what management controls are being put in place with regard to sensitive data, and the management of it and the availability of it. And it’s very difficult for board members to look at technical reports that are being presented to them by the service provider saying, “Oh, we have this covered, we have that covered.”
And so, I think there is a lack of consistency in the type of reporting, which is making it very difficult for directors to meet their obligations because ultimately the responsibility is with the board to make sure that there is compliance with the guidelines and the regulations. And how they assess their service providers is the real measure.
Jason: Okay. So, when we're talking about good governance by Irish fund boards, if I understand you correctly, what we're saying is that we need to ensure that there's good governance of all the service providers, that there's consistent governance and a consistent standard by which we can aggregate and compare those service providers, and also assistance with a lot of the technical aspects around cybersecurity as well.
Conor: Absolutely. And you mentioned a word there, it is technical, and it is specific, and it requires expertise. And the board representative, the directors that are sitting on the boards, they have to be able to make risk-based decisions based on information that is presented to them about the investor strategies and the direction that they’re going and make those sorts of decisions. But they have to be presented with information that they can interpret, that is in plain English, and that will help them make those decisions, and that the information that they’re looking at and assessing must be consistent across all the different service providers.
If you've got service provider 1 providing a high-level executive 2-page summary and service provider 3 providing a 1,000-page very detailed technical report, those are two very different things to make decisions on. And I think it's quite akin to the role of the MLRO and the technical expertise that is required in terms of advising a board with regard to decisions.
The Role of MLROs
Jason: Okay. So, you touched on the MLRO there, and obviously, the MLRO is a dedicated function that serves the fund board and helps the directors in terms of their governance of the board. It seems that… Is it fair to say that you’re suggesting something similar is emerging within the cybersecurity space?
Conor: I think so, Jason, because I think the board needs plain English. It must be consistent information with regard to all the different service providers. The information that is gathered from them, there needs to be a lot of it, and it needs to be technical in its nature, but it then needs to be interpreted, and that is what we are proposing, and what our customers have actually been asking us for: what we call the cyber officer. It is the role that will be able to advise the directors of the fund on the performance, from a cyber perspective, of each of the different service providers to that fund and show them performance over time.
But the important thing in what we are proposing with this role is that there'll be a consistent level of reporting to the board, so that the board can take assurance from the assessments that are being carried out and the depth and granularity of those assessments, and that we will then surface a very easy, straightforward to interpret, and solid artifact to be part of the board paper pack.
The Intersection of Data Protection and Cybersecurity
Jason: Okay. That’s a really interesting concept. And I guess, Sinead, what we’d be interested in hearing is how the data protection element of that feeds into the cybersecurity aspect, because obviously, you know, cybersecurity is around the issue and the risk of your data being compromised. So how do you see data protection fitting in with cybersecurity?
Sinead: So yes, there is an overlap when it comes to security. One of the GDPR principles deals with integrity and confidentiality. And it says that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized and unlawful processing using what is known in GDPR as technical and organizational measures. And it’s these technical and organizational measures that are the measures through which information security controls are implemented. And that’s where the overlap is.
And now from a fund’s perspective, data protection is a key consideration in the whole area of AML. And this is illustrated when you look at the latest European parliament proposals in the fight against money laundering and terrorist financing. As you will be aware, this legislative package includes two directives and two regulations with the idea of a harmonized, increased effectiveness, and enhanced supervision in the area of AML.
And what the European Data Protection Supervisor has said is that there are certain areas of concern and certain areas that they would like to be included, or not included, as the case may be. There we're looking at: the package should identify the specific categories of personal data that must be processed and not leave that to technical standards; the conditions and the limits for processing special category data and data relating to criminal convictions and offenses should be set out; there should be no requirement for the processing of certain special categories of personal data; and they must always have this idea of necessity and proportionality, which is a theme in data protection, in relation to the access to the information required for AML checks.
So, this is where it is very evident that more data protection is going to come into the fund sphere and also where that interaction is from a cybersecurity perspective.
Acceptable Levels of Cybersecurity Risk
Jason: All right then. So, with all of that in mind, we’re just scrolling through some of the questions that have come in here, and there are some excellent ones and very practical. The first one is, you can’t eliminate all cybersecurity risk, but what is an acceptable level of risk? So, Conor, I might pass that one to you.
Conor: Okay. So, I think one of the very first things we want to talk about is how you assess risk. And one of the things that we have to be very careful of is that compliance with regulation or legislation is not a risk-based decision. It is mandatory. It is the requirement under law that you will follow the guidance and follow the specific regulation where it is laid out as such. Where the risk assessment piece comes into it is with regard to the risk appetite of a board with regard to the approach that they are taking with regard to investment risk. There are lots of types of risks that a board needs to be able to make decisions upon.
But from a cyber perspective, what is very important for the risk appetite and assessing risk is the consistency and the accuracy of the information upon which the scoring is based. I mean, a lot of people would still rely upon the traditional approach: the impact multiplied by likelihood is the way you come up with a risk score. And then the board might say, "Well, our appetite is nothing above a 20 where you've got a 5 by 5 matrix." Something like that might be one way you go at it.
But to come up with that impact by likelihood, you have to have solid information. It must be consistent when you're applying that risk analysis methodology across multiple different service providers, so that you're not favoring one over another by looking at different quality of reports that are being presented. And again, that's where we feel the cyber officer is going to be something that will assist boards, because we will be able to assure them of the consistency of the information that is being provided in each of the service provider assessments. And that way they can make their risk-based decisions in line with their risk appetite.
Key Performance Indicators (KPIs) for Cybersecurity Reporting
Jason: Okay, very good. So, I guess that kind of leads into the next question. It asks, what should a director look for by way of cybersecurity KPIs in a board pack?
Conor: And I think, Jason, that’s a really good question because it goes back to why are we coming up with a cyber officer role? And part of the issue was directors were looking at reports that were being presented to them. And it was down to each organization themselves who were supplying and generating the report to put in what they felt were the KPIs that were appropriate but probably were flattering as well, to be honest.
And there wasn't consistency across them. So, how frequently am I doing penetration testing? When was my last information security breach? Have I done tabletop exercise testing for ransomware outbreaks? What's my patching cycle? You could go through a multiplicity of KPIs that you could start asking people to present in their reports.
But we believe that the approach of carrying out the assessments and delivering this consistent dashboard or score under the cyber officer role will actually assist boards greatly by reducing the plethora and breadth of inconsistent KPIs that are coming from different service providers.
Cyber Insurance for Irish Fund Boards
Jason: Okay, thanks for that, Conor. Sinead, we have a question here that is probably suited to you. It asks, is cyber insurance policy a requirement for Irish fund boards?
Sinead: Okay. Thanks, Jason. So, it’s not a requirement at the moment, but we do see in the future that it will start coming in. If you think about all of the regulatory developments that we spoke about earlier, it makes sense that it will be a requirement in the future.
Data Protection for Irish Fund Boards
Jason: So, then I guess the final question is around data protection. And is data protection something that a client should be worried about for an Irish fund board?
Sinead: I’m always going to say yes. So, data protection and the idea of a data protection officer, for example, if we just look at it in parallel with the cybersecurity officer. So, it is a regulatory role that was introduced and recognized in the GD… organization. So, the one that springs to mind is obviously in the public sector, all public sector bodies need a data protection officer.
In the fund space, there’s been a lot of debate about whether a fund itself needs a data protection officer. And I would say it hasn’t been settled. And there’s definitely a school of thought that says it does. But regardless of whether that is a data protection officer, in Waystone, we have a range of services that we can provide to clients. And it does go from that data protection officer right through to data protection advisory services. And we offer that today for our clients.
And that is where we have quarterly board reports on data protection, on the data protection practices of the service providers, on any data breaches that we need to explain and highlight to the board, on any data subject access requests, and on any change in the record of processing activities.
Waystone’s Comprehensive Data Protection Services
So, we provide that whole gamut of services. And again, the idea is to give the board an overview of the compliance of the fund's service providers and to provide assurance to the board that, again, the obligations are being met.
Because, you know, data protection, it’s a bit boring. No one likes it as much as cyber, let’s be honest. Everyone just throws to this, “If you had put data protection on this invite, we wouldn’t have got half as many people.” But cyber is the key thing at the moment.
So, from a data protection perspective, there are still obligations on service providers, and there are still obligations on boards. So, what we do as part of our service is to explain that and to give assurance to the board that those obligations are being met. We also provide training, we provide incident assessment and reporting, and again, regular briefings for the fund on data protection, regulatory findings, and incidents.
And with data protection, it's not just that GDPR came in in 2018 and that is that. There have been numerous rulings from all of the European supervisory authorities and also from the European Court of Justice, and they have to be interpreted by someone who knows what they're talking about, and who can say what the implications are for the board in that regard.
So, I do see this as we’re expanding our service. We can, of course, be that data protection officer, but we can also provide those advisory services.
Concluding Remarks
Jason: Okay. Thanks very much, Sinead. And there’s an excellent summary there of the two services that both Conor and Sinead have been talking about, which directly address the requirements that have stemmed from the regulators and what market participants are looking for.
So firstly, I’d like to thank Conor and Sinead for joining us today and giving us insights into both the cybersecurity and data protection aspects. Thanks very much. We’d like to thank everybody for joining us today and for your questions. And needless to say, that if there are any follow-up comments or queries, please speak to either one of your panel members, myself, or your usual Waystone contact.
Sinead: Thank you.
Jason: Have a good day.
Conor: Thank you, Jason.