KPMG's digital experts, Matej Jurkic and Teijo Peltoniemi, discuss cyber security, regulation and risk.
It’s easy to forget how cyber and information security have helped the global economy and improved our lives. Legend has it that the first online transaction, powered and protected by encryption technology, occurred in August 1994 when Sting’s “Ten Summoner’s Tales” album was sold on the “NetMarket” website.
With a string of other businesses, this online retailer is one of the biggest global retailers to date. The moral of the story? Without the means to secure on-line transaction systems, there would be no on-line transaction systems at all. We would still queue in a bank to pay a bill, go to a brick and mortar bookstore with limited inventory and opening hours, and not even dream of streaming movies or music.
The challenge - how do we keep up in this fast-paced world? With Sting quietly playing in the background, let’s examine this in more detail.
Many are under the impression cyber security hinders innovation. However, we’re constantly innovating technology, developing new means of communication, implementing new concepts and improving our lives. The issue arises when cyber security is an afterthought, or all too often, forgotten. Frequent use of insecure communication protocols, ignoring employee and family cyber security awareness, using a variety of Internet of Things are all factors, which expose our personal and business lives.
In the Funds arena; investors, managers and promoters are rapidly increasing their scrutiny in this area. Further more, there is the recent regulator interest from the FCA, JFSC and The New York Regulator to consider. Due to a growing focus in this area, investors and clients are beginning to ask questions about cyber security controls. They are inquiring with administrators about ISO27001 certification or SOC 2 reporting attestation. When not insisting on certification or attestation, companies are now enquiring about what technology, cultural and physical controls are in place.
Many organisations have realised that a certification or an attestation will save time and money during due diligence and audits. It’s also there to provide a competitive advantage, whilst demonstrating their house is in order.
However, this is just half of the story. There is a parallel track on this Sting CD, which is playing the EU GDPR regulation. In force from May 2018 this is the ‘b’ side. And of course, GDPR and cyber security are actually two notes from the same tune, the former being a legal requirement and the latter enabling it. Therefore, GDPR and cyber security need to be considered in tandem. Due to personal identifiable information, local regulations are just around the corner. With Emma Martins, the Channel Islands Information Commissioner, due to release draft legislation this summer, and the EU legislation itself being extraterritorial, now is the time to ask yourself how is your business addressing this convergence of themes?
Another element of the upcoming European cyber compliance framework is the directive for network and information security (NIS). This introduces wider reporting obligations to critical infrastructure, including some financial services providers and digital service providers. The directive aims at bringing all member countries to a sufficient level of cyber security through establishing a cyber security strategy and national bodies relating to cyber incident response. It also seeks to improve information sharing between member countries. Given the extraterritorial nature of cyber crime we should follow closely and participate in relevant forums to ensure we can benefit from this joint initiative.
Whilst at first glance this appears yet another chapter in the avalanche of regulation, it is rather an opportunity. We should keep in mind that it was cyber security that enabled the legendary on-line sale of Sting’s album and will enable international data flows and global business to thrive. Only organisations that take care of cyber security will run sustainable business. In the same way, cyber security contributes to a sustainable society.
There are a few options ahead of us – for example, you can take the risk based approach, and consider costs, benefits, threats surrounding us, our weaknesses and potential impacts and choose the level of security we need. Remembering that nothing is ever 100% secure.
On the other hand, we could choose “security by design”, which takes much more time and effort to implement but also helps us to achieve higher standards of security in everything we do. Identifying cyber and privacy risks and including relevant security controls to mitigate these risks is a much more cost-efficient solution - if done consistently from the beginning of the project rather than trying to add a bolt onto an end-product.
Whichever road we choose will be long and winding, but we should not lose sight of the ultimate goal, and the bigger picture: having cyber security inherent in different lines of life, beginning with individuals, families, schools, universities, businesses, governments and regulators.
We don’t want to ruin our individual privacy nor our business confidentiality forever. Trust is probably the most important piece in the business puzzle and we should try not to lose it.
© 2019 KPMG Channel Islands Limited, a Channel Islands Limited Liability Company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.