Cyber Security

Navigating the Cyber Landscape

Investors and regulators expect firms to pay close attention to cybersecurity. Identifying potential vulnerabilities within your firm's workflow is a key step in being prepared for any cybersecurity threat.

An evolving multi-jurisdictional landscape:

EU: General Data Protection Regulation (GDPR)

• Applies from 25 May 2018

• Strengthens data protection rights for individuals in the EU

• Restricts transfers of personal data outside the EU

• Applies to non-EU organisations that process the personal data of individuals in the EU

UK Cyber Legislation

• Data Protection Act (DPA) 1998

• Disclosure & Transparency Rules

• UK Corporate Governance Code

• Computer Misuse Act 1990

• Cyber Essentials Scheme 2014

• FCA Handbook

Central Bank of Ireland Guidance

• Written Information Security Policy

• Data Classification

• Incident Response Plan

• Risk Assessments

• Vulnerability Scanning

• Staff Training

• Vendor Due Diligence

US Cyber Security Regulation

• New York State Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500, effective 1 March 2017 (with explicit transitional timelines for covered entities)

• CFTC-approved NFA Interpretive Notice to Compliance Rules 2-9, 2-36 and 2-49 (Information Systems Security Programs)

• SEC 2015 Cybersecurity Examination Initiative Risk Alert

Cross geographic regulatory themes combined with security best practice:

  • Responsibility & Accountability: Designated person(s), e.g. board accountability with delegation to data protection officer(s) or CISO(s); policy and procedural documentation and enforcement; staff training; third-party due diligence; the need to demonstrate 'due care'; and record keeping
  • Impact Assessments: Periodic and ongoing assessment of threats and the controls that mitigate them
  • Data & Consent Management: Data collection minimisation; data risk categorisation; data portability; explicit consent management; right to erasure; and data retention limits
  • Breach Reporting: Audit logging; enforcement of transparent and timely breach notification; and incident response planning
  • Sanctions: Reputational and financial risk, including fines, penalties and personal liability
  • Technology Implications: Data encryption and anonymisation; user access controls; multi-factor authentication; and application security

We have extensive, proven cyber capabilities

TGP is uniquely able to help firms manage cybersecurity risk at every stage of preparedness: identifying vulnerabilities and assessing readiness through a comprehensive gap analysis; implementing best practices to avoid compromise; and recovering from cybersecurity attacks. Investors are increasingly focused on cybersecurity preparedness, and global regulators have communicated that cybersecurity will be a priority focus going forward. TGP can help your firm satisfy growing investor and regulatory expectations about cybersecurity.

Our Cybersecurity and Privacy Services team consists of highly specialised financial services, IT and legal professionals with extensive experience and solutions in key areas, including:

• Cybersecurity and Privacy Health-Checks

• Governance, Risk and Compliance

• Cyber Crime and Data Privacy

• Business Resilience

• Third Party Assurance

• Payment Security

• Technology Security

• Identity and Access Management

• Post-Incident Forensic Analysis

Examples of how we can help

Our team of experts brings a wealth of experience from all financial services industry sectors and can help your organisation to:

  • Assess the effectiveness of your current systems, controls and processes, identify key risks and create a roadmap that puts you on the path to strong assurance for all stakeholders
  • Identify key systems at risk of attack or exploitation and implement changes that minimise disruption to your business in the event of an attack, through reduced detection time and more effective response capabilities
  • Obtain forensic post-incident analysis services that comply with legal data security and privacy requirements
  • Review third-party and key partners' security arrangements and obtain an accurate representation of the assurance that can be placed on them, including pre-selection reviews before any engagement with new suppliers or providers
  • Ensure that your systems and services comply with industry, regulatory and legal standards, including preparing non-European companies for entry into the EU marketplace
  • Design multi-year, ongoing programmes that not only maintain but develop the maturity and effectiveness of your cybersecurity and privacy systems
  • Complete an end-to-end Cybersecurity and Privacy Health-Check, inclusive of a Written Information Security Policy (WISP) and an Incident Response Plan (IRP)