“Any CEO who really understands risk knows that cyber is possibly the most unpredictable risk there is. It’s more unpredictable than a flood or a tornado” – Malcolm Marshall, KPMG Global Head of Cyber Security
One of the main measures to prevent cyber risk lies in the regulations implemented by authorities. The number of compliance rules is increasing and tightening globally, shaping cyber security regulation both internally within organisations and across the cyber security market as a whole. With the growing number of regulations issued, organisations must keep pace with rapid legal change to stay compliant. Here are a few examples of new regulations to pay attention to.
Cyber security law in China
When? Passed on 7 November 2016 and enforced on 1 June 2017.
Who? China’s Standing Committee of the 12th National People’s Congress.
Why? Since Edward Snowden’s revelations, Beijing has made large efforts to control the internet within China’s borders.
What is it? The law imposes strict data surveillance and storage requirements on firms operating in China. It also forbids online service providers from collecting and selling users’ personal information. It reinforces users’ rights by giving them the right to have their information deleted in cases of abuse. “Network operators” and their security requirements are defined, and most of the larger financial institutions may thus fall into the “network operator” category.
One of the key measures: Article 37 of the cyber security law restricts moving data beyond the mainland and sets strict rules to follow when business requirements make it necessary for data to be held outside the mainland.
Quote: “The message is clear that the government will encourage more domestic development of technology, and that it now sees privacy and cyber security as vital national concerns,” Xun Yang, a lawyer at Simmons & Simmons in Shanghai (from Financial Times).
Hong Kong SFC’s consultation for internet brokers
When? Released 8 May 2017 for a 2-month consultation.
Who? The Securities and Futures Commission (SFC) of Hong Kong.
Why? The consultation follows a thematic review, started last year, of internet brokers’ resilience to cyber and hacking risks.
What is it? The HK SFC launched a two-month consultation on proposals to reduce and mitigate hacking risks associated with internet trading. The guidelines arising from the proposals define cyber security requirements for internet brokers and set out the expected standards of cyber security controls.
One of the key measures: Two-factor authentication for clients’ system login and prompt notification to clients of certain activities in their internet trading accounts.
Quote: “Hacking of internet trading accounts is the most serious cybersecurity risk faced by internet brokers in Hong Kong. Brokers must strengthen their resilience to hacking and other cybersecurity risks by adopting robust preventive and detective controls.” – Ashley Alder, the SFC’s Chief Executive Officer.
Amendments to the Computer Misuse and Cyber Security Act (CMCA) in Singapore
Who? The Singapore Parliament, which passed the proposed changes.
Why? It anticipates the Cyber Security Act, expected to be issued in Singapore in 2017, which will, among other cyber security measures, clarify the missions of Singapore’s Cyber Security Agency (CSA), created last year.
What is it? It makes it a crime to use personal data obtained through an act that breaches the CMCA.
One of the key measures: Section 8A gives the prosecution more power to tackle cybercrime. For example, when it comes to proving a person’s knowledge that the information was obtained in breach of the CMCA, the prosecution does not have to prove the particulars of the contravention, such as who carried it out and when it took place.
Quote: “The amendments to the CMCA help strengthen our response to cybercrime. The threats have so far been under control, but they lurk in many dark corners of cyberspace.” – Lee, Senior Minister of State for Home Affairs.
Europe’s General Data Protection Regulation (GDPR)
When? It will come into effect on 25 May 2018.
Who? Created by the European Commission; it applies to all organisations that process the data of EU residents.
Why? In response to the increasing number of data breaches in recent years.
What is it? It aims to harmonise the data protection regulatory framework across the EU and to give citizens back control of their personal data. It sets rules governing the free movement of personal data within and outside the EU and introduces strict rules for hosting and ‘processing’ that data worldwide.
One of the key measures: “The right to be forgotten” means that individuals now have the right to request that a business delete their data if it is deemed unnecessary or inaccurate.
Quote: “The reform will allow people to regain control of their personal data.” – Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality.
The Cyber Security Regulations in New York
When? Issued on February 16, 2017, the final regulations took effect March 1, 2017, with required compliance 180 days thereafter (August 28, 2017).
Who? Regulation issued by the New York Department of Financial Services (NYDFS).
Why? Given the ongoing increase in cyber attacks targeting the financial services industry.
What is it? New cyber security obligations that mainly apply to banks, insurance firms and financial institutions operating in New York, requiring them to establish and maintain a cyber security program that protects the financial services sector and its consumers from cyber risk.
One of the key measures: The rules require any entity to designate a qualified individual who is responsible for overseeing and implementing the cyber security program and enforcing its cyber security policies and procedures (Chief Information Security Officer), together with staff training.
Quote: “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.” – New York Governor Andrew Cuomo.
Digital Security Perfected – APrivacy Ltd. is an award-winning company which combines military-grade data security with a seamless user experience on any platform, any device, anywhere. APrivacy Ltd.’s enabling technology now allows the financial services industry to confidently communicate with clients using their favourite channels leading to increased revenues and reduced costs while meeting the strictest regulatory requirements.