Cyber Essentials Plus - Mitigate risks and meet GDPR requirements
By George Ralph, RFA – Risk is part of everyday life for firms in the private equity sector and goes way beyond volatile markets and unpredictable cash flows. Firms must deal with the risks associated with the use of technology, in both the private equity firm and its portfolio companies.
Infrastructure or systems that fail to meet expectations, cost more than planned to operate, or are unreliable bring uncertainty and pose significant technology risk. There is also risk associated with the use of third-party suppliers, as many firms routinely engage third parties to perform administration or HR services. Outsourcing can bring efficiencies and a competitive edge, but it can also increase a firm’s exposure to risk, and the ultimate responsibility still lies with the private equity firm. Add to this the forthcoming GDPR regulations, fragile reputations and the ever-present threat of misconduct or fraudulent activity, and firms have a lot of risks to mitigate.
In addition to the risks above, cybersecurity threats are part of everyday life and pose a serious danger. Cyber threats may come from employees making errors, falling prey to phishing attacks, or deliberately acting maliciously. Threats can also originate externally or via third parties, and they are ever present. Under GDPR, firms can be prosecuted if customer data is breached and they are found not to have protected it adequately. But are firms doing enough to mitigate cybersecurity risks? According to the Ipsos MORI Cyber Security Breaches Survey published in April 2017, only 33 per cent of senior managers surveyed have a formal policy which covers cybersecurity risks, and only 11 per cent have a cyber security incident management plan in place. If you decide to make a plan, it should include detailed infrastructure mapping, with weaknesses highlighted and mitigated with appropriate tools. Where outsourced services meet in-house systems, ensure those interfaces are not weak spots. The same survey reports that 19 per cent of respondents are worried about their suppliers’ cybersecurity, but only 13 per cent require suppliers to adhere to specific cybersecurity standards or best practice.
I’m pleased to say that RFA is fully certified as an IASME Certification Body, which means that we are trained and licensed to certify against both the Government's Cyber Essentials Plus Scheme and the IASME governance standard. As GDPR expert auditors, we offer consultancy services that help our customers achieve a robust governance system and adequately protected data, meeting GDPR regulations. We provide guidance on developing a risk strategy and a staff training policy, we advise on how to implement the right security hardware and software infrastructure, and we help firms put in place a well-trained cyber incident response team.
For smaller firms, cybersecurity risk management can feel like a huge task, but there are a few foolproof steps that you can take:
Certification to Cyber Essentials and Cyber Essentials Plus is a great first step and can mitigate ICO fines if a company suffers a breach. Cyber Essentials certification is evidence that you have carried out the basic steps towards protecting your business and your data from internet-based cyber-attacks, both for peace of mind and for GDPR compliance. RFA can assess and certify private equity firms for Cyber Essentials and the next level, Cyber Essentials Plus.
Run a supply chain audit to ensure that all third parties that work with the firm are compliant. Individual accountability could mean that ignorance is not an option if one of your systems is not compliant or secure.
Lastly, embed risk management into the fabric of the business. Include cybersecurity in employee induction training, refresh that training regularly, and keep it on the agenda at board meetings.