The implications of GDPR on cybersecurity
Next year sees the introduction of a comprehensive piece of European regulation that will overtly change the way that organisations handle, store and protect data. Known as the EU General Data Protection Regulation (GDPR), it arguably represents the most significant change in global privacy law in 20 years and will require fund managers to shore up their cybersecurity processes and procedures to avoid facing financial penalties.
GDPR is due to be implemented in May 2018 and places important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located. It is this 'extraterritoriality' of GDPR that global fund managers really need to be aware of. Anyone marketing their fund(s) into Europe and who has existing EU investors will be required to comply with GDPR or face the consequences.
"During a recent trip to New York, what came up frequently was discussions over GDPR. Most were not aware of exactly what it is," comments George Ralph, Managing Director of RFA, a leading provider of IT solutions and advisory services to the financial services industry.
At the heart of GDPR is data protection. As such, it overlaps significantly with respect to managers maintaining a strong cyber posture to protect fund data, especially personally identifiable information on their investors. Both fund managers and their counterparties will need to ensure that all proper measures are being taken to protect that data, so that in the event of a cyber attack, they have a proper incident response plan in place to respond swiftly and mitigate the loss of said data.
"The big investment banks have been working through GDPR programmes for the last two years or more but other institutions – both traditional and alternative fund managers – may not have been focusing on it. The one-year-to-compliance deadline and increased media coverage of GDPR has led to focusing more on it," says Rohan Massey, Partner at Ropes & Gray, where he leads the firm's privacy and data security practice in Europe.
"We are receiving more calls from clients asking what they need to do to comply, and how do they get there. No organisation wants to be subject to a financial penalty, which could be as high as 4 per cent of one's annual turnover. Under the old regime (UK Data Protection Act of 1998) the risk was that if an entity breached its compliance obligations it alone got issued with a fine. Under the new regime, the power to level the fine extends to a much wider pool of economically linked undertakings. It is a sea change in the regulatory power that can be enforced."
Anyone who is a data processor (e.g. a fund administrator or a cloud provider) rather than the data controller is now partly liable for the controller's misuse of data. The same applies to anyone who hosts CRM systems on behalf of the manager, to risk consultants, and so on.
Under GDPR, there are requirements for firms to have appropriate technical and organisational security measures. As Massey explains, there is a greater burden of documentary evidence on organisations "to show that they've been through a well thought-out process in assessment of their obligations relating to personal data, the types of data they hold, the sensitivity of that data and the volume of that data."
Not that a personal data breach will automatically result in the maximum penalty being levied; this is only likely to happen in the most egregious circumstances where a systemic failure to protect personal data has occurred.
"If a personal data breach occurs, it may mean that the regulator looks at how you've responded and decides you haven't done enough. If you can evidence that you did everything possible to mitigate the impact of the breach, you are likely to reduce the level of any penalty issued," adds Massey.
This is something that Ralph reaffirms: "Most of the examples I've seen and heard about under existing data protection regulation are that if you report a breach and tell the regulator what you are doing, and what steps you are taking to stop it from happening again, often they won't fine you. That said, there are a lot of things that the regulators are expecting firms to do under GDPR, such as the right for people to be forgotten. This poses some challenges: for example, how does a company keep track of data elements that have that person's name included?"
Chris Eaton is Senior Manager with KPMG (Bermuda) and the KPMG Islands Group Cyber Security Lead. Earlier this year, KPMG partnered with AIMA and the Managed Funds Association to determine how managers are responding to technology. The survey found that 60 per cent of managers are thinking first and foremost about data security.
Eaton believes that the impact of GDPR could have tremendous financial implications.
"Those organisations who fall within the scope of GDPR will face a potential fine of 4 per cent of global revenue. Therefore, managers will need to treat personally identifiable information carefully and have proper policies and procedures in place to protect it. I think GDPR will broadly raise the benchmark of the quality of cybersecurity controls because of the impact that this regulation could have on an organisation if they get it wrong," suggests Eaton.
If fund managers weren't already working hard to determine what their most sensitive data is, and ensuring that it is properly protected, they certainly will be as the GDPR deadline ticks down. Aside from any financial fines they could face in the event of a breach, of far greater material import would be the reputational impact.
"You could face a regulatory administrative penalty on one side, and a class action brought about by individuals – i.e. fund investors – on the other. So GDPR is a big deal, and becomes a central tenet of data management best practice in terms of ensuring the safety of sensitive data," states Massey.
To illustrate the 'teeth' of this new regulation, consider the fact that when the TalkTalk cyber breach occurred in the UK in October 2015, affecting nearly 157,000 customers, the company was fined a record GBP400,000 by the Information Commissioner's Office (ICO). This was just shy of the maximum GBP500,000 fine.
Under GDPR, if that attack happened again, they would face a potential penalty of EUR17 million.
There will be a two-tier approach to imposing penalties. The first tier relates to the data controllers. They are the ultimate custodians of their funds' data, and as such they will be subject to fines of up to EUR20 million or 4 per cent of annual turnover, whichever is greater.
Article 5 of the regulation sets out basic rules on personal data processing, which apply to data controllers. One of those rules requires data controllers to ensure that personal data is "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".
The second tier relates to the data processors, i.e. the fund manager's counterparties such as its fund administrator. In the event of a serious breach, they would be subject to a penalty of up to EUR10 million or 2 per cent of annual turnover.
Data processors will be subject to Article 32, which requires them to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk" of their personal data processing.
"It may be that the regulator does not consider a 4 per cent fine to be appropriate in all cases but that's not to say they wouldn't do so in the most extreme cases. While data processors need to be compliant, there's an obligation on the data controller to put in place contractual arrangements stating that all third parties will be compliant with their GDPR obligations. Regardless of whether it's a niche vendor or a large vendor, their obligations are the same," confirms Massey.
In many respects, with the cyber threat landscape fast evolving, regulations such as GDPR could be considered a positive development. It is at least forcing firms to pay close attention to data security and data management, which at the same time should make it harder for serious breaches to occur.
As the scale and sophistication of attacks grow, fund managers have to remain vigilant and try to put in place sufficient processes and policies to best protect their businesses and remain in compliance with GDPR. Ultimately, cybersecurity and GDPR are one and the same: the common denominator is data management.
"Fund managers need really good cybersecurity frameworks in terms of endpoint protection – antivirus, malware tools, firewalls – and have to be careful as to the types of data that employees have permission to access," says Ralph, confirming that RFA has recently been certified by GCHQ to do gap analysis on GDPR.
"It was an extension of our cybersecurity certification. We are fully certified as part of the IASME governance standard, which demonstrates that we have a robust governance system and can adequately protect personal data belonging to our customers," concludes Ralph.