Cyber Security breakfast briefing - Bournemouth

Transcript of Cyber Security breakfast briefing - Bournemouth

December 2017

Cyber security breakfast briefing

Richard Wilding, Head of Cyber Services

Chair’s welcome

Housekeeping

@pkfFrancisClark

#CyberSecurity17

Programme

GDPR – Ben Travers, Stephens Scown LLP

GDPR tools – Russell Cosway, Gydeline

Cyber Essentials / IASME accreditation – Richard Wilding, PKF Francis Clark

Cyber insurance – Jonathan Cox, Paveys

Ben Travers, Stephens Scown

GDPR

GDPR Tools – Russell Cosway – December 2017

Tools landscape...

• Date/Who/DPO

• Process Name/Purpose

• Legal Basis

• Data Source/Locations

• Who is impacted?

• Description

• How is data deleted?

• What risks/mitigations

• Date of review

Data Protection Impact Assessment (DPIA)

What does Gydeline do?

• Checks for compliance against every word of the regulation

• Enables proof of accountability

• Changes as the regulation changes

• Identifies specific actions

• Makes GDPR simpler to understand

Links

• gydeline.com/dpia

• gydeline.com/datamap

FCDEC2017 – 25% discount on lifetime of subscription

Richard Wilding, Head of Cyber Services

Cyber Essentials / IASME accreditation

Why PKF Francis Clark

• Trusted advisers – experienced auditors

• We offer assurance not consultancy

Offer assurance to set well known standards approved by Government and NCSC

Cyber Essentials and IASME are constantly updated and monitored for quality control

• Some additional services can be offered


General Data Protection Regulations 2018

• GDPR has 2 main sides to it

• The two main areas of GDPR that organisations need to look at:

Data subject rights and the need for ‘informed consent’

Good standards of information security

• Cyber Essentials is a great first step

• IASME demonstrates a wider governance system for data controls

Cyber Essentials

• Self-assessment questionnaire for the company to complete

• Covers 5 key areas/71 questions

• We provide upfront assistance (1 day needed) to support how to complete and progress

• It is submitted via a secure portal for us to assess

• Basic vulnerability scan performed

• Assessor feedback provided

• Once successful can use the Cyber Essentials logo for 12m

• Limited insurance provided/can help reduce further cyber insurance

Cyber Essentials PLUS

• We audit and test the 5 key control areas

• Includes detailed vulnerability and limited penetration testing

• A report is then issued

• Once successful can use the Cyber Essentials PLUS logo for 12m

• Can help to reduce cyber insurance further

IASME (Information Assurance for Small and Medium Enterprises)

• IASME – two levels: standard and gold

• 180 questions (including those in Cyber Essentials)

• Includes GDPR specific questions

• Akin to ISO27001

• A report is then issued

• Once successful can use the IASME logo for 12m


Next steps

• See brochure in pack

• Complete form

• Chat with us after this event

• Contact your PKF Francis Clark adviser or e-mail: [email protected]

Disclaimer & copyright

(c) copyright PKF Francis Clark, 2017

You shall not copy, make available, retransmit, reproduce, sell, disseminate, separate, licence, distribute, store electronically, publish, broadcast or otherwise circulate either within your business or for public or commercial purposes any of (or any part of) these materials and / or any services provided by PKF Francis Clark in any format whatsoever unless you have obtained prior written consent from PKF Francis Clark to do so and entered into a licence. To the maximum extent permitted by applicable law PKF Francis Clark excludes all representations, warranties and conditions (including, without limitation, the conditions implied by law) in respect of these materials and / or any services provided by PKF Francis Clark. These materials and / or any services provided by PKF Francis Clark are designed solely for the benefit of delegates of PKF Francis Clark. The content of these materials and / or any services provided by PKF Francis Clark does not constitute advice and whilst PKF Francis Clark endeavours to ensure that the materials and / or any services provided by PKF Francis Clark are correct, we do not warrant the completeness or accuracy of the materials and / or any services provided by PKF Francis Clark; nor do we commit to ensuring that these materials and / or any services provided by PKF Francis Clark are up-to-date or error or omission-free. Where indicated, these materials are subject to Crown copyright protection. Re-use of any such Crown copyright-protected material is subject to current law and related regulations on the re-use of Crown copyright extracts in England and Wales. These materials and / or any services provided by PKF Francis Clark are subject to our terms and conditions of business as amended from time to time, a copy of which is available on request. Our liability is limited and to the maximum extent permitted under applicable law PKF Francis Clark will not be liable for any direct, indirect or consequential loss or damage arising in connection with these materials and / or any services provided by PKF Francis Clark, whether arising in tort, contract, or otherwise, including, without limitation, any loss of profit, contracts, business, goodwill, data, income or revenue. Please note however, that our liability for fraud, for death or personal injury caused by our negligence, or for any other liability is not excluded or limited.

PKF Francis Clark is a trading name of Francis Clark LLP. Francis Clark LLP is a limited liability partnership, registered in England and Wales with registered number OC349116. The registered office is Sigma House, Oak View Close, Edginswell Park, Torquay TQ2 7FF where a list of members is available for inspection and at www.pkf-francisclark.co.uk. The term ‘Partner’ is used to refer to a member of Francis Clark LLP or to an employee. Registered to carry on audit work in the UK and Ireland, regulated for a range of investment business activities and licensed to carry out reserved legal activity of non-contentious probate in England and Wales by the Institute of Chartered Accountants in England and Wales. Partners acting as insolvency practitioners are licensed in the UK by the Institute of Chartered Accountants in England and Wales. A partner appointed as Administrator or Administrative Receiver acts only as agent of the insolvent entity and without personal liability. Francis Clark LLP is a member firm of the PKF International Limited network of legally independent firms and does not accept responsibility or liability for the actions or inactions on the part of any other individual member firm or firms.

Insurance Aspects of Cyber

Insurance Cover – Cyber &/or Crime

The Threats

Why Do Businesses Need Cyber Insurance?

Claims

Reducing risk

Q&A

Cyber &/or Crime

Cyber Liability Insurance provides businesses with protection against financial loss resulting from the loss of personal and/or corporate data.

Cover addresses the first and third-party risks ranging from the loss of a single laptop or file to the hacking of a company’s website or network.

Main policy triggers:

• Security breach

• Data breach

• Operational failure

Crime Insurance provides businesses with protection against financial loss resulting from criminal or fraudulent taking, obtaining or appropriation of money, securities, funds or property.

The Threats

NEGLIGENT EMPLOYEE

• Send wrong data

• Loss of hardware (mobile theft)

• Victim of Phishing, Vishing

OUTSIDERS

• Denial of Service

• Theft of Data

• Hacktivism

Crime Syndicate

• Denial of Service

• Theft of Data

Government Agencies / Industrial Espionage

• Denial of Service

• Malware

• Extortion

• Shut Down Infrastructure

• Advanced Persistent Threats

• Credit / Banking details

• Government ID

• Personally Identifiable Info

• Protected Health Info

• Corporate Information

SOCIAL NETWORKING

• Twitter

• Facebook

• LinkedIn

ROGUE EMPLOYEE

• Physical Theft

• Steal Data

• Competitive advantage

• Sell to criminals

• Extortion

VENDORS (Cloud, Data Centers, Outside Providers)

• Network Interruption

• Theft of Data due to Security Failures

• Unauthorized Access of Data

• Loss of Data

• Physical Theft of Servers

• Backdoor Intrusion

Employees

• Negligent Employees

• Rogue Employees

It’s all about Balance Sheet Protection...

• First Response Costs

• TP Liability

• Fines

• Loss of Revenue

• Brand / Reputational Damage

• Loss of Intellectual Property

• Contractual Liability

• Share Price

Cyber claims received by AIG EMEA (2013-2016)

By industry

* Construction, Food & Beverage, Information Services, Other Services, Transportation, Agriculture & Fisheries, Energy and Real Estate

By type

Claims Examples

• Cloud service provider accidentally decommissioned live server (PI claim?)

• Confidential waste bins stolen

• Older server handed to bogus courier

• Legal papers (EPL issues) sent to wrong person

• Details of delayed products and refund option sent to 250 people in error

• IT consultant providing HR services: attempted hack

• Insurance brokers Krypto locked

Claims Examples

A fraudster hacked into the company’s email system to gain information about its organisational structure. During telephone calls with a member of staff in the finance department the fraudster mimicked the voice of the company CEO. It was strongly suspected that the fraudsters listened to his voice on a webcast and had practiced it to perfection.

The requested payments were supposedly for a confidential acquisition that only senior management knew about and the fraudster provided forged invoices containing forged signatures to the member of staff contacted.

Hacking & Impersonation

Reducing the risk to your business

• Ensure your software is up to date and that you have the latest anti-virus software installed as updates are released frequently to help combat the most recent cyber threats.

• Staff training is essential. Educate your employees on how to recognise suspicious emails and browse the internet safely. Cyber awareness should be included in part of your induction process and revisited in regular refresher sessions.

• Ensure you have an incident response plan in place which you can call upon in the event of a breach or interruption. This should include technical measures that enable the recovery of systems, operations and data, and a communication strategy if necessary.

• If you are looking for additional advice and guidance on prevention, we would recommend the Cyber Essentials website, a government-backed cyber security certification scheme that sets out a good baseline of security suitable for all organisations across all sectors.

Reducing Risk

Identify, Analyse, Control, Transfer

Any Questions?

Richard Wilding, Head of Cyber Services

Chair’s close