II Congreso sobre Ciberseguridad y Seguros - … · Opening: the state of cybersecurity in...
TRANSCRIPT
Opening: The State of Cybersecurity in Insurance.
The Regulatory Impact of GDPR.
Presentation of the ICEA Study.
Marcial Fernández Amorós
Source: City A.M.
Cybersecurity is no longer seen as a technology risk but rather as a business-critical financial risk
We are facing professionals who are willing to invest heavily
McAfee: Net Losses: Estimating the Global Cost of Cybercrime. June 2014
PwC: Global Economic Crime Survey 2016
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years
Time until GDPR enforcement (UTC): 400 days, 02:47:55
• New law to replace the LOPD
• AEPD guides for implementation
• Risk analysis
• Impact assessment
• Security measures and procedures that ensure compliance with the requirements
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
Breach Notification
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Privacy by Design
Mandatory data inventorying and record
The right to be forgotten, which allows individuals to request that their personal data be erased
Routine privacy impact assessments
Mandatory data protection officers (DPOs)
Budget
Security Spending as a Percentage of IT Spending
Source: Gartner (August 2016). Note: in the IT study, the participating entities report a figure of 2.3%.