The next level
Bermuda entities are not immune to cyber attacks and could even be an easier target than organisations in other jurisdictions. Each organisation should develop a cyber-defensible position that will ensure it is pursuing a secure, vigilant and resilient cyber risk strategy, say Brett Henshilwood and Kevvie Fowler of Deloitte.
An increasingly interconnected world has meant that, after decades of ‘flying under the radar’, there is now much greater transparency and knowledge globally of where Bermuda is, what we do and who makes use of the jurisdiction.
Geographical separation is no longer enough to protect privacy. Cyberspace ignores borders and holds all territories in its embrace. Clients, business partners and employees have heightened expectations of data protection. This includes legislation around obtaining proper consent and protection of personal information regardless of where it may be stored or managed.
It is very likely that Bermuda’s Personal Information Privacy Act will be operative in 2018. Organisations will also be subject to regulation from other countries requiring them to notify those countries’ residents in the event of a breach. Furthermore, penalties for not doing so can be severe.
Under the EU Global Data Protection Rule (GDPR), for example, a data breach or abuse of consent can result in fines of up to 4 percent of global revenues. The recent Panama and Paradise Papers breaches underscore the importance of security for both the organisations and firms managing wealth, and for the clients they seek to protect.
Developing a good cyber strategy
The implementation of cybersecurity controls may be complicated and costly. Developing a good cyber strategy should include more than just technological controls.
It is important for decision-makers and management to understand the ways to implement an effective cybersecurity strategy and framework. Generally, the following aspects should be included:
1) Being secure: having risk-prioritised controls to defend information assets against known and emerging threats.
2) Being vigilant: having threat intelligence and situational awareness to anticipate and identify harmful behaviour.
3) Being resilient: being prepared and having the ability to recover from cyber incidents and minimise their impact.
Being secure means grounding your security strategy in risk-prioritised controls that define protection across people, processes and technology. Attempting to build security without the core elements of a security programme is akin to building foundations on sand. Some key fundamentals to consider are:
- Vulnerability and configuration management;
- Mobile device management;
- Data encryption;
- Technical security controls; and
- Third-party management.
Becoming vigilant allows organisations to detect and respond to malicious behaviour, or to identify emerging risks that require further monitoring or mitigating controls. It is not uncommon for organisations to encounter millions of security events monthly, each one a potential indicator of an active attack. However, it is common for organisations to struggle to make sense of it all.
Leveraging external intelligence is equally important as maximising internal metrics for the activity within your organisation. External intelligence can add context to internal alerts, ensure awareness of emerging risks, and help proactively protect critical assets. Insight, including security trends, successes and challenges, should be shared with peers and the community.
Managed security services continue to be a popular solution for organisations looking to implement mature security capabilities. Organisations should consider this solution if they have yet to make substantial investments in security information and event management systems, processes and dedicated security staff.
Becoming resilient involves establishing a crisis plan. A plan is essential and is a key element in proving defensibility in the wake of a breach. Before developing or enhancing a cyber plan it is important to take time to identify the type of cyber incidents your organisation is likely to experience. Plans are often too generic and miss key operating procedures.
With a list of incidents that are likely to be experienced, a properly developed plan can ensure threats are adequately managed. To start, develop standard operating procedures for a ransomware attack and data breach, and then introduce new operating procedures as your organisation matures. Plans should extend beyond technology teams, encompassing all stakeholders across the business.
Testing should be done at least once per year and include any external third-party providers. The devil is in the detail, and during an incident the stakes are high. This adds to the pressure to ensure the organisation is effective in responding and recovering from an incident.
Brett Henshilwood is a partner at Deloitte in Bermuda.
Kevvie Fowler is a partner (cyber risk) at Deloitte Canada.