Presented to an expert audience at the PrivSec Congress in London on 4th Feb 2020, this presentation uses PayPal & Travelex as topical examples, showing why cyber security of private data processed by suppliers is an increasing concern of Financial Regulators.
And then it demonstrates what your peers are doing to comply with those new regulations.
Let’s work together to mitigate risks.
1. Privacy & Security in Feb 2020: new Fintech regulations on Cyber Security at Suppliers
2. For a High Definition version of these slides, including video, email Kevin.Duffey@CyberRescue.co.uk
First presented: 4th Feb 2020
3. How Private Data gets Processed
Source: https://rebecca-ricks.com/paypal-data/
4.
5. Some firms that share a supplier: Travelex (owned by Finablr)
10. Was Travelex’s PrivSec < average?
Here’s how Finablr described their cyber resilience:
“The Group has a robust data privacy framework.”
“Cybersecurity is a key to the Group’s risk management.”
“The Group conforms to global security standards including ISO27001 and
PCI data security certification.”
“The Group has business continuity plans in place to deal with contingencies
across its critical systems, and the plans are tested at least annually.”
11. Fifty-five of the seventy expert delegates on 4th Feb 2020 gave their answer to the question:
Was PrivSec at Travelex worse than average before 31/12/19?
Result: only 4% of delegates “knew” Travelex’s posture before 31/12/19. Why?
12.
On 4th Feb 2020, the availability breach at Travelex was
still impacting customers at many of the banks they
supply online travel money services to, like this one.
14. Yes: their PrivSec was < average
Travelex suffered an availability breach, but denied a confidentiality breach in Jan 2020.
View the online, real time version of the above, plus details, by emailing Lewis.Varga@CyberRescue.co.uk
https://platform.securityscorecard.io/#/compare?chartHistoryPeriod=year&companies=currencyfair.com%2Ctransfast.com%2Ctorfx.com%2Cworldremit.com%2Cmoneycorp.com%2Cpaypal.com%2Ctravelex.co.uk
15. WHO should have known Travelex’s PrivSec was worse than average, before 31/12/19?
Result: 72% say bank CROs should know when their suppliers have poor PrivSec.
16. GDPR: Lloyds Bank should have known
“Taking into account the state of the art…
… Controllers must have a process for regularly assessing technical and organisational measures for security at information processors.”
GDPR (Article 32)
17. Regulators want Lloyds Bank to know about supplier & third party cyber risks
“Entities should review third parties on an ongoing basis to manage their cyber risks.”
“Entities should include critical third parties when they exercise their cyber incident response plans.”
“What are your expectations of suppliers' security?”
“How much will you pay extra to a secure supplier?”
To view the full report, click on each image.
18. Regulators want Lloyds Bank to know about supplier & third party cyber risks: reports from July 2018, Feb 2019, July 2019 and Dec 2019
19.
20. Bank of England PRA Consultation Paper on 3rd Party (Cyber) Risk Management
21. The first third of the Consultation Paper provides context and commentary for the draft Supervisory Statement that follows.
22. The second two-thirds of the Consultation Paper is the draft Supervisory Statement, to be published in 2020 after consultation.
23. Bank of England PRA Consultation Paper on 3rd Party (Cyber) Risk Management
24. Bank of England PRA Consultation Paper on 3rd Party (Cyber) Risk Management
25. Do you monitor security at important Suppliers in real-time?
Result: 11% already do what the PRA “strongly encourages”.