This document discusses cyber resilience and third party risks in financial services. It focuses on three areas: 1) Measurement - obtaining independent and timely data on suppliers' cyber posture compared to peers. 2) Mitigation - engaging suppliers to identify exploitable vulnerabilities to reduce risks. 3) Management - implementing governance dashboards to show executives how the firm compares to competitors on issues like breach response capability. Throughout, it provides examples of suppliers that have been breached and emphasizes the importance of continuously monitoring key suppliers' cybersecurity.
Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.
Talking about Next-Gen Security Operation Center for IDNIC+APJII as representative from IDSECCONF. A People-Centric SOC requires a lot of investment in humans in terms of quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to put their investments more into technology, as in Industry 4.0 machines are getting more advanced to support humans in doing continuous and repetitive tasks.
Moving from “traditional” to next-gen SOC requires a proper plan; that's what this talk was about.
An in-depth look at:
1. Disruptive Technology and its impact on organizations.
2. Need for a Security Operations Center (SOC) for the 21st century businesses
3. Designing and operating an effective SOC - what it takes to run a successful SOC starting from how we should prepare our minds in terms of approach to the actual implementation and operation.
4. Qualities any SOC Analyst should possess
5. Measuring the success of a SOC - We discuss critical factors to consider when determining the success of a SOC.
HD version: http://1drv.ms/1eR5OQf
This is my publication on how the integration of the TOGAF Enterprise Architecture framework, the SABSA Enterprise Security Architecture framework, and the Information Governance discipline adds up to a robust and successful Information Security Management Program.
Cybersecurity roadmap: Global healthcare security architecture - Priyanka Aash
Using NIST cybersecurity framework, one of the largest healthcare IT firms in the US developed the global security architecture and roadmap addressing security gaps by architecture domain and common security capability. This session will discuss the architecture framework, capability matrix, the architecture development methodology and key deliverables.
(Source : RSA Conference USA 2017)
7 Steps to Build a SOC with Limited Resources - LogRhythm
Most organizations don't have the resources to staff a 24x7 security operations center (SOC). This results in events that aren't monitored around the clock, major delays in detecting and responding to incidents, and the inability for the team to proactively hunt for threats. It's a dangerous situation.
But there is a solution. By using the Threat Lifecycle Management framework to combine people, process, and technology to automate manual tasks, your team can rapidly detect and respond to threats—without adding resources. Read on to learn 7 steps to building your SOC, even when your resources are limited.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
How To Present Cyber Security To Senior Management Complete Deck - SlideTeam
This template is useful for presenting a cybersecurity plan to a higher authority. The cybersecurity officer will present it to top-level management. It will help in determining the roles and responsibilities of senior management and executives who are responsible for handling risks. The firm will also optimize its cybersecurity risk framework. The firm will assess the current concerns that are impeding cybersecurity in terms of the increase in cybercrimes, data breach and exposure, and the amount spent on settlements. It will also analyze its current cybersecurity framework. The firm will categorize various risks and assess them on parameters such as risk likelihood and severity. The IT department will also improve its incident handling mechanism. A cybersecurity contingency plan will be initiated by the firm. In this plan, the firm will build an alternate site for backup maintenance. Backup site selection will take into consideration parameters such as cost of implementation, duration, location, etc. The other plan essentials include business impact assessment, vital record maintenance, recovery task list maintenance, etc. The template also includes information regarding the roles and responsibilities of line managers, senior managers and executives in risk management. It also includes information related to the role of top management in ensuring effective information security governance. Information regarding the budget required for implementing the cybersecurity plan is also provided, along with staff training cost. https://bit.ly/35YJ5W9
Find out the SOC Cyber Security at Steppa. Our SOC contains several capabilities like process and break down any PC translated information, assess and distinguish suspicious and malicious web and system activities, visualize and monitor all threats in real time.
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center
requirement
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center" is often used synonymously for SOC.
A network operations center (NOC), which focuses on network device management rather than detecting and responding to cybersecurity incidents, is not a SOC. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same, whether delivered from a SOC or not. It is a meta-topic, involving many security domains and disciplines, and depending on the services and functions that are delivered by the SOC.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC :
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
Security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
Security operations center (Persian: مرکز عملیات امنیت)
Security operations center 5 security controls - AlienVault
An effective Security Operation Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
Security Operations Center (SOC) Essentials for the SME - AlienVault
Closing the gaps in security controls, systems, people and processes is not an easy feat, particularly for IT practitioners in smaller organizations with limited budgets and few (if any) dedicated security staff. So, what are the essential security capabilities needed to establish a security operations center and start closing those gaps?
Join Javvad Malik of 451 Research and Patrick Bedwell, VP of Product Marketing at AlienVault for this session covering:
• Developments in the threat landscape driving a shift from preventative to detective controls
• Essential security controls needed to defend against modern threats
• Fundamentals for evaluating a security approach that will work for you, not against you
• How a unified approach to security visibility can help you get from install to insight more quickly
The underlying premise of enterprise risk management is that the Company exists to provide value for its stakeholders – customers, employees, and shareholders. Like any business, every Company faces some uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables senior management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. These capabilities inherent in enterprise risk management help management achieve the Company’s performance and profitability targets, and minimize loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the Company’s reputation and associated consequences. In sum, enterprise risk management helps the Company get to where it wants to go and avoid pitfalls and surprises along the way. Enterprise risk management encompasses:
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple and Cross-Enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital
• Leveraging Talent, Structure, Process, and Capital
Security Operation Center (SOC) is the most sensible move in order to save your business during an attempted cyber security attack. SOC Represents the Overall Security in an organization/environment which includes Cyber, Digital & Information security and the operations center is responsible for assessing and implementing the Security Posture of an Organization. Through SOC, multiple layers of security are put in place where the objective is to protect Information valuable to an organization.
A Practical Example to Using SABSA Extended Security-in-Depth Strategy - Allen Baranov
A practical example of using the SABSA extended Security-in-depth layer strategy. A little bit of insight into why and how I extended the original and how to use it to create Information Security Standards that have sound architecture behind them.
WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW
BEFORE, DURING AND AFTER AN ATTACK
View the webinar:
https://www2.fireeye.com/The_Board_and_CyberSecurity_webinar_EMEA.html?utm_source=SS
Download the full report:
https://www2.fireeye.com/WEB-2015-The-Cyber-Security-Playbook.html?utm_source=SS
Convince your board - cyber attack prevention is better than cure - Dave James
The business case for cyber attack prevention for organisations concerned about the rise in cyber crime and the risk to their data. Includes cyber security tips and resources.
Privacy & Security in Feb 2020: new Fintech regulations on Cyber Security at ... - Kevin Duffey
Presented to an expert audience at the PrivSec Congress in London on 4th Feb 2020, this presentation uses PayPal & Travelex as topical examples, showing why cyber security of private data processed by suppliers is an increasing concern of Financial Regulators.
And then it demonstrates what your peers are doing to comply with those new regulations.
Let’s work together to mitigate risks.
This presentation covers the current and future exposures that construction-related firms face related to cyber incidents. In addition, it covers how insurance carriers view underwriting cyber risks in the current market. Finally, the presentation provides an overview on how firms can prevent and respond to cyber incidents.
With cybercrime (like denial of service, malware, phishing, and SQL injection) looming large in our digitized world, penetration testing - and code and application level security testing (SAST and DAST) - are essential for organizations to identify security loopholes in applications and beyond. We provide a guide to the salient standards and techniques for full-spectrum testing to safeguard your data - and reputation.
Securing Fintech: Threats, Challenges & Best Practices - Ulf Mattsson
Cyber attacks have increased in frequency and severity, and financial institutions are particularly interesting targets to cyber criminals. Join this presentation to learn the latest cybersecurity threats and challenges plaguing the financial industry, and the policies and solutions your organization needs to have in place to protect against them.
Viewers will learn:
• Current trends in Cyber attacks
• FFIEC Cyber Assessment Toolkit
• NIST Cybersecurity Framework principles
• Security Metrics
• Oversight of third parties
• How to measure cybersecurity preparedness
• Automated approaches to integrate Security into DevOps
About the Presenter:
Ulf Mattsson is the Chief Technology Officer of Security Solutions at Atlantic BT, and earlier at Compliance Engineering. Ulf was the Chief Technology Officer and a founder of Protegrity. He invented the Protegrity Vaultless Tokenization, Data Type Preservation (DTP2) and created the initial architecture of Protegrity's database security technology. Prior to Protegrity, Ulf worked 20 years at IBM in software development and in IBM's Research organization, in the areas of IT Architecture and Security, and received a US Green Card of class ‘EB 11 – Individual of Extraordinary Ability’ after endorsement by IBM. Ulf is the inventor of more than 45 patents in the areas of Encryption, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention.
The Canadian business landscape walks a cybersecurity tightrope. Evolving threats like ransomware and sophisticated phishing campaigns lurk, coupled with industry-specific risks targeting vulnerabilities in healthcare, finance, and critical infrastructure. The tightrope narrows further with stringent regulations like PIPEDA and GDPR demanding robust data protection.
Remember, cybersecurity is an ongoing journey, not a destination. Our comprehensive cybersecurity solutions can be your trusted partner, providing:
Don't wait for a cyberattack to disrupt your business. Navigate the Canadian cybersecurity tightrope with confidence. Contact us today and let's build a secure future for your organization.
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee... - PECB
95% of cybersecurity breaches are due to human error. That’s what Cybint’s facts and stats article shows.
Seeing this high percentage of risk that might lead to greater loss, organizations should be well aware of their processes and procedures in place. Decisive for avoiding breaches is that everyone in the organization is able to understand and detect potential threats beforehand and react in a quick and effective way.
The webinar will cover:
• The most recent attacks such as the supply chain attacks
• Trends, and statistics
• The impacts of the pandemic on cybersecurity landscapes, closing the gaps on remote workforce security
• How to improve your organization’s cybersecurity posture by asking the right questions and implementing a tiered approach
Recorded Webinar: https://youtu.be/Q5_2rYjAE8E
Open Source Insight: CVE-2017-9805, Equifax Breach & Wacky Open Source Licenses - Black Duck by Synopsys
Our vulnerability of the week is CVE-2017-9805, which resides in Apache Struts’ REST plugin, a must-have in almost all Struts enterprise deployments. Attackers can exploit the bug via HTTP requests or via any other socket connection, with a public exploit published on Thursday. Happily, on Monday the Apache Struts team released Apache Struts v2.5.13, which includes a fix for CVE-2017-9805. As always, the byword of the week is “patch and update.”
Also looming large in this week’s news is the massive cyber-break-in at Equifax, where highly sensitive personal and financial information for around 143 million U.S. consumers (the editor apparently being among those affected) was compromised.
Who is the next target proactive approaches to data security - Ulf Mattsson
The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to react properly to the shifts around them. What's needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
Vulnerability stats, full stack cyber issues.
Vulnerability management, threat analysis and attack surface management. Exposures, MTTR and cyber risk management.
Based on the assessment of thousands of systems globally on a continuous basis.
The frequency and impact of cyber attacks have escalated cybersecurity to the top of Board agendas. Institutions are no longer asking if they are vulnerable to cyber attacks. Instead, the focus has shifted to how the attack might be executed, risks and impact. Most importantly, their organisational readiness and resilience to such threats.
Key note in nyc the next breach target and how oracle can help - nyoug - Ulf Mattsson
Old security approaches are based on finding malware and data leaks. This is like "boiling the ocean," since you are “patching” all possible data paths and data stores, and you may not even find a trace of an attack. New security approaches assume that you are under attack and focus instead on protecting the data itself, even in computer memory (the “target” for a growing number of attacks). This session discusses what companies can do now to prevent what happened to Target and others processing PII, PHI and PCI data. The Oracle Big Data Appliance is a critical part of the solution.
Here is how cyber security helps to make our online information secure. Also check out the Principles of Cyber security: Confidentiality, Integrity & Availability.
We've summarised the key findings from 100 cyber security surveys. We choose the best of these each month to discuss with our customers, to guide & accelerate their cyber resilience journey.
Slides used in VIP Customer Forums hosted by Cyber Rescue Alliance, for individual thought leaders.
These slides supported discussion about where Third Party Risk Management needs to go in the months and years ahead, in the face of dynamic cyber threats.
Ensuring Cyber Resilience in the Finance Sector - Kevin Duffey
Presented at the prestigious Operational Resilience, Outsourcing & Third Party Risk conference in London on 22-23 Nov 2022.
Provides data on Ransomware, Cyber Insurance, DDoS and other fast developing aspects of cyber resilience. Focusses on 3rd Party and 4th Party challenges & opportunities to measure & mitigate risks.
Breaches Anticipated in 2022 as Cyber Security Posture so Low - Kevin Duffey
Sample of over 500 breaches anticipated by SecurityScorecard, as cyber security posture was so low before the ransomware gang or other cyber attack succeeded.
For daily insights follow Cyber Rescue at https://www.linkedin.com/company/cyber-rescue-alliance/posts/
Cyber Insurance - Best Insights of June 2022.pptx - Kevin Duffey
Cyber Insurance: best insights of June 2022 to help firms improve their cyber resilience against ransomware and other cyber attacks for operational resilience and business continuity.
Best Cyber Risk Insights from 100 reports published in year to March 2022 - Kevin Duffey
March 2022: includes Budgets, Salaries, Certifications, Ransoms Paid, Business Losses, emerging Threats and how to Respond to cyber attack. Download and share, because every graph in the pdf is hyperlinked to a detailed report.
Breaches Anticipated - because firms have weak cyber security visible to hac... - Kevin Duffey
March 2022: This document lists hundreds of firms that had a low cyber risk score on SecurityScorecard, for months before they were breached, often by ransomware gangs. If you're responsible for your firm's security, operational resilience or cyber insurance, it's well worth five minutes.
Breaches anticipated in 2021 - Published 14th June 2021 - Kevin Duffey
New report shows 92 breaches anticipated at firms with weaker cyber security posture than their peers.
So forward this report to your colleagues now, and ask: "which of our Suppliers is most likely to be breached today?"
If your colleagues can't give you graphs like these, just send an email to Assistance@CyberRescue.co.uk and we'll give you a complementary report, to help you measure and manage cyber risk across your supply chain.
Cyber Risk Measurement: what 25 CISOs & CROs plan for 2020 - Kevin Duffey
Chief Risk Officers and CISOs from 25 of our customers & friends debated their SMART objectives for 2020. Here's the results, showing who to involve and how to report progress on cyber risk across 3rd parties during 2020.
Keynote at Operational Resilience summit - Financial Services - 18th Nov 2019 - Kevin Duffey
Opening keynote presentation at Operational Resilience in Financial Services summit, with Freshfields, UK Finance and City & Financial Global. Focus on measuring cyber risk at suppliers to mitigate harm.
London First - cyber attack simulation - 22nd May 2018 - Kevin Duffey
London First is an association of prestigious companies, working together to make London the best place in the world for business. Cyber Resilience is part of that work, so senior executives were taken through this interactive simulation.
Cyber Attack Simulation for 450 Executives - Kevin Duffey
Cyber Attack Simulation for 450 Executives at the Finance Malta conference, in May 2018. Will your Board Directors also disagree on how to respond to a Breach?
Cyber attack response from the CEO perspective - Tallinn Estonia - Short Simu... - Kevin Duffey
Estonia is famously a leader in digital and cyber technology. This short simulation was presented to Estonian executives, experts and government representatives. It is a very short version of the sort of executive simulation we run for large enterprises across Europe. Follow us at - https://www.linkedin.com/company/cyber-rescue-alliance/
The Security Director's Practical Guide to Cyber Security - Kevin Duffey
Presented at the annual UK Security Expo in London, to help traditional Security Directors understand and feel confident about the practical ways in which their role should extend to cyber security issues. This presentation was followed by a simple cyber attack simulation (not shown here).
Presented by Barrie Millett and Kevin Duffey of Cyber Rescue.
2. Measurement, Mitigation & Management of Cyber Risk
should be as objective, timely & dynamic as for Market Risk
3. 1. Measurement: obtain independent, objective, & timely
data on the cyber posture of your material suppliers, vs peers
Email Assistance@CyberRescue.co.uk with subject line “Cyber Resilience” for 100 days of online, real-time
reporting on all your suppliers, as a benefit of participating in this Marcus Evans conference.
Oct 2020: European IT services group Sopra Steria hit by Ransomware.
Supplier to HSBC, RBS, Bank of China and Crédit Agricole says it is “working hard for a return to normal”
The firm issued a terse statement confirming a cyberattack on its IT network on 20th October.
4. 2. Mitigation: engage your material Suppliers to show
what hackers can exploit, to reduce risks across suppliers
Microsoft
Finastra
Equifax
IHS Markit
5. 3. Management: implement Governance dashboards that
show Execs how your firm compares with your competitors
Breach Response
Capability Maturity
6. Today’s Cyber Environment
“The NCSC handled over 3x as many ransomware incidents as last year”
3rd November Highlights of the year for UK’s National Cyber Security Centre
7. Example:
Ransomware hitting supplier of Covid vaccine
Oct 2020: Covid-19 vaccine manufacturing delayed by ransomware
Drug production by generics firm Dr Reddy “briefly” delayed by ransomware in USA, India, Russia & UK
Dr. Reddy’s Laboratories isolated all data centres and stopped some production, according to media reports on Friday, 23rd October.
8. COVID-19 Vaccine delayed by Ransomware attack in October
Astra Zeneca’s supplier of clinical trials, IQVIA, was hit when its supplier ERT was breached
On 4th October 2020, the New York Times reported that Astra Zeneca’s supplier of clinical trials, IQVIA, had been impacted when its software supplier ERT was breached by Ransomware.
This graph shows IQVIA’s own failing score on Patching Cadence over the months before the breach.
This graph shows ERT’s failing score on Network Security over the months before the breach.
9. Fiona van Echelpoel
Deputy Director General, European Central Bank, October 2020
During Covid19…
“The Covid-19 outbreak brought ransomware attacks, culminating in the death of a patient due to an attack on a hospital.”
“Ransomware attacks have tripled.”
11. Special Advisory from US Treasury Department:
“the severity & sophistication
of ransomware continues to rise”
12. Special Advisory from US Treasury Department:
“paying ransom may contravene US law,
including the Trading with the Enemy Act"
13. During Covid19…
“significant cyber events have impacted 3rd party providers, which highlights the importance of understanding the operational resilience of key 3rd party suppliers.”
Nick Strange
Supervisory Risk Specialist, Bank of England, Oct 2020
14. Question for Delegates
What are the key 3rd party suppliers to the
UK’s Finance Sector, that either:
• have been breached in 2020, or
• you worry might be breached in 2021?
17. Jan 2020: these banks hurt by Ransomware
The Ransomware hit their supplier, Travelex
19. Online, real-time reporting before breach
CurrencyFair
Transfast
Torfx
One World
MoneyCorp
PayPal
Travelex
Impact tolerances at a dozen UK Banks were breached in Jan 2020,
as their travel money provider Travelex was breached by cyber attack.
Travelex had said it “conforms to ISO27001” & has “robust data privacy”.
Leading CROs had the facts graphed above, before the breach.
Travelex was breached after a year of worse cyber posture than peers
20.
21. Online, real-time reporting before breach
Graphs: Application Security vs peers; Network Security vs peers; Patching Cadence vs peers
Finastra breached “while we focused on emergency plans for operating under Covid-19” - CEO statement
Finastra’s security team had pushed to fix known security issues but were “over-ruled by senior managers” - Bloomberg
Leading CROs had real-time facts before the breach.
Breach happened in March 2020 while “focused… on Covid-19”
23. October 2020
37% are increasing spend on Data Security
53% of those expect their bigger spend on security to outlast Covid
How suppliers are changing under Covid
The Good News
24. Published October 2020: survey of 330 organisations
How suppliers are changing under Covid
The Bad News
24% are decreasing spend on Data Security
Do you know which of your suppliers are doing that?
25. #1: = Supply Chains
October 2nd, 2020
So no surprise that Supply Chains are now focus
27. Engaging Key Colleagues is right start
Barrie Millett, Group Head of Operational Resilience, Wesleyan Group
March 8th, 2019
28. Engaging Key Colleagues is right start
Barrie Millett, Group Head of Operational Resilience, Wesleyan Group
March 8th, 2019
Equifax Used What their Internal Auditors Called an ‘Honor System’ for Patching Vulnerabilities.
“Equifax had no formalized method of validating the successful installation of patches. Audit referred to this approach as an ‘honor system’ in which the IT team would notify the security team once patches were complete.”
32. Example Dashboards for Cyber Resilience
33. Question for Delegates
If you want to try the Cyber Risk
measurement Dashboards, write
your name.
36. The PRA Paper: context
Operational Resilience - Key Concepts
Operational Resilience is the ability to prevent, adapt, respond to, recover and learn from operational disruptions.
37. The PRA Paper: content
• Responses are requested by October 2020
• This CP is relevant to almost all UK Firms
• Complete Outsourcing Register by 31 Dec 2021
• Builds on EBA & EIOPA Guidelines + TSC reports
• Proposals in SS summarised: Definitions & Scope. Proportionality, Governance, Record Keeping, Materiality. Due Diligence, Agreements, Data Security, Info Rights. Sub-Outsourcing, Business Continuity & Exit Plans
• Systemic Risks
• The PRA’s Duty to Consult
• PRA’s Objectives
• Regulatory Principles
• Treasury Goals
• 1. Intro: Set expectations on Outsourcing & 3rd Party Risk
• This SSxx/20 Complements SS on Operational Resilience
• 4. Governance: Robust info for Board oversight & challenge
• Required Contents of Policy & of Record Keeping
• 3. Proportionality: Firms below Category Two can outsource IA
• 2. Definitions: A 3rd Party has contract to provide service
• 5. Pre Outsource: Materiality (vs Threshold Conditions)
• Automatically Material if 3rd Party could impact TCs/FRs
• Consider… IT & cyber security controls + breach impact
• 6. Agreements: Set… minimum cybersecurity requirements
• Ongoing monitor of effectiveness of supplier’s security controls
• 9. Sub-Outsourcing: At minimum, monitor key sub-outsourcing providers.
• 10. Continuity: Consider deliberate cyber-attack. Stressed Exits.
• Governance and Testing of Plans
• Contingency Plan best practices, eg Step In Rights
• Appendix: Guidance on Outsourcing Register.
• 8. Audit Rights: Online, real-time reporting tools are strongly encouraged.
• 7. Data Security: Implement protection of outsourced data
38. The PRA Paper: content
The first third of the Consultation Paper provides context and
commentary for the draft Supervisory Statement that follows.
The second two-thirds of the Consultation Paper is the draft
Supervisory Statement to be published in 2021 after consultation.
40. Bank of England PRA Consultation Paper on 3rd Party (Cyber) Risk Management
41. GDPR, Article 32
“Taking into account the state of the art… … Controllers must have a process for regularly testing, assessing & evaluating the technical measures for security at information processors.”
Only leading firms are obeying existing law
42. Equinix Breached, after a year of poor cyber security
Sept 2020: Equinix - leading data centre provider - breached
Operating in 25 countries, Equinix was reported to have paid ransom on 16th Sept 2020
Marcus Evans delegates have an advantage, as you’re entitled to
online, real-time reporting on all suppliers for 100 days.
Email: Assistance@CyberRescue.co.uk with subject line “Cyber Resilience”
44. Question for Delegates
What are the job titles of colleagues
who share some responsibility for
cyber resilience?
46. Answers from previous Delegates
CEO; COO; 3rd Party Oversight Provider; Chair Risk Committee; Product; Commercial
CFO; CRO; Compliance / Financial Crime; Operational Resilience; Contracts; Procurement
CIO; CTO; Business + Operations; Operational Risk; DPO; Supplier Relationship
CISO; Auditor; Communications; Business Continuity; Legal; Project Manager
47. Answers from previous Delegates
11 people should be in your team, said Caleidoscope, See2020 & ScreamCastle.
Project Tango suggested 12 individuals, while Hawkeye said 8 individuals.
The 11 job titles that most experts thought should be in the Project Team were:
CRO; COO; CISO; CTO; DPO; Legal; Procurement/Contracts; Project Manager.
Operational Resilience; 3rd Party Oversight Provider; Communications.
48. Set your SMART goals for calendar 2021,
for Operational Resilience project on cyber risk across your supply chain
51. Categorisation: Suppliers are “material” if their
failure might challenge your firm’s “safety & soundness”
Quadrants: Key (30%); Material (10%); Transactional (40%); Strategic (20%)
Axes: More difficult to exit from the relationship; Supplying essential services
53. CQUEST is based on our favourite, NIST
CQUEST consists of multiple-choice questions:
• It is based on the 5 pillars of NIST
• It adds a “Governance” section, for a total of 48 questions
• In our online implementation below, external evidence is
provided to score questions like “do you patch appropriately?”
Cyber resilience assessment from PRA & FCA
54. CQUEST
CQUEST consists of multiple-choice questions covering all aspects of cyber resilience, such as:
• Does the firm have a board-approved cyber security strategy?
• How does it identify and protect its critical assets?
• How does it detect and respond to an incident, recover and learn from the experience?
Cyber resilience assessment from PRA & FCA
55. Continuous Monitoring of our key suppliers
Sending your Self Attestation Questionnaire – automated workflows
56. Continuous Monitoring of our key suppliers
Marking your Self Attestation Questionnaire – automated workflows
57. 1. Measurement: obtain independent, objective, & timely
data on the cyber posture of your material suppliers, vs peers
Oct 2020: Serious cyber attack suffered by Hackney Council
UK’s National Cyber Security Centre (part of GCHQ) called in by North London local government
After months of having cyber security that was worse than at other councils, many of the services and IT systems of Hackney Council were disrupted, on 13th October.
In March 2020, as remote-working began, cyber security posture at Hackney fell badly.
58. 2. Mitigation: engage your material Suppliers to show
what hackers can exploit, to reduce risks across suppliers
Microsoft
Finastra
Equifax
IHS Markit
59. 3. Management: implement Governance dashboards that
show Execs how your firm compares with your competitors
Breach Response
Capability Maturity
Cyber Attacks threaten operational resilience & reputation.
So Chief Risk Officers need timely and objective insights, to drive evidence-based discussions in the Boardroom.
Today is an opportunity to share insights with our peers.
Today we look at: Implementing the PRA paper on 3rd Party Risk Management, focussing on online reports of Cyber Risk in Outsourcing Register.
We include lessons from the Travelex breach, and a live demonstration of the new kind of “online, real-time reporting tools” that are “strongly encouraged” in PRA paper of 5th Dec 2020.
Here’s Richard F. Smith, the former CEO of Equifax, testifying before the US Senate about his response to the Equifax breach.
There’s emotion in his face, but beyond that emotion, there’s a specific lesson in the report the Senate then published.
Here’s the Senate report. It was published earlier this year.
It went to the root cause of why Equifax suffered “a devastating data breach.”
The reason they weren’t safe was because they weren’t measuring how safe they were.
Instead of measuring, instead of relying on objective, external and timely data about their cyber resilience, Equifax relied on “honor.”
Here’s what the Senate investigation said:
Equifax used what their own Internal Auditors called an ‘Honor System’ for patching vulnerabilities.
The Senate report made clear: “Equifax had no formalized method of validating the successful installation of patches.”
They simply trusted their IT team, who were often external contractors.
Trust is good. But verification is better!
The second line, and indeed the third line of defence failed at Equifax. Catastrophically.
Think about it. What does an “honor system” of cyber risk management look like?
It looks like this… .
… at first.
Then this… .
Then this… .
Then this.
As Chief Risk Officers, as heads of Operational Resilience, as second and even third line defence against cyber attacks, we must do better than this.
We must trust, but also verify.
So we need to bring our own data about cyber hygiene to discussions with colleagues and suppliers.
I agree with Kevin O’Rourke, that we need to drive evidence based discussions based on external, objective data.
No dashboard is ever complete, but having a dashboard drives the conversations that lead to action.
What gets measured gets managed.
We’ve just started using the automated workflows that come with the dashboard, to
- send our bespoke questionnaire
- to all the key individuals
- as frequently as we need
- with automated reminders and scoring
This is a preview of the new Bank of England, PRA/FCA questionnaire, CQUEST in the platform.
For all of the 48 questions, we and our suppliers can just indicate on the left, the level of maturity we have against that particular control.
A for a high maturity. D for a low maturity.
But the fabulous thing is that the questionnaire provides external measurement to supplement the self-reported score.
I won’t go into the detail now, but the point is that it’s possible to move to evidence-based discussion, relying on objective measurement rather than just an honor system.
We’re all on a journey to improve operational resilience, so let me hand back to Kevin Duffey, to drive our conversation forward.