senior management awareness presentation
TRANSCRIPT
Emerging Cyber Security Threats and Data Protection
Nanda Mohan Shenoy, DCAIIB, DBM-Part I, NSE Certified Market Professional Level-1, PG Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer
Director
Agenda
• Overview
• Protection
• Emerging Regulations on Data Protection
• Cyber Liability Insurance
• Question & Answers
India’s Rank in GCI (195 Countries): 23
GCI Parameters
GCI Report
Insurance
Ransomware- Statistics
• A company is hit with ransomware every 40 seconds
• 6 in 10 malware payloads were ransomware in Q1 2017.
• There were 4.3x more new ransomware variants in Q1 2017 than in Q1 2016
• 15% or more of businesses in the top 10 industry sectors have been attacked.
• 1 in 4 businesses hit with ransomware have 1,000 employees or more
• 71% of companies targeted by ransomware attacks have been infected
Source: https://blog.barkly.com/ransonware-statistics-2017
Data Breach
Fish Tank Attack on a Casino in USA
Financial Impact
India Statistics
Year        FY       CY
2014        9,500    44,679
2015        13,083   49,455
2016        16,468   50,362
2017 (H1)   NA       27,482
Cyber Crime
State & UT
Metropolitan Cities (population > 2 million)
Trend
Emergence of Cyber Threat
• Cloud
• Mobile Applications
• Internet
• Third party beyond boundaries
– Biggest source
– Research by IBM reveals that 59% of ransomware attacks originate with phishing emails and a remarkable 91% of all malware is delivered by email
Agenda
• Overview
• Protection Strategy
• Emerging Regulations on Data Protection
• Cyber Liability Insurance
• Question & Answers
Protection Strategy
Unconventional thinking is required for protection
• Technology
– Deception Technologies
– SPF, DKIM, DMARC
• Human Control
• Cyber Drills
Agenda
• Overview
• Protective Technology
• Data Protection
• Cyber Liability Insurance
• Question & Answers
Data Classification
• From Organisational perspective
– PII or SPDI*
• Customers
• Employees
– Audit Logs (such as a user's login and transaction details)
– Organisation Data
• Financial
• Vendors
* There are regulatory requirements for the protection of this data
PII or SPDI
(iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
What Constitutes SPDI?
(i) Password
(ii) Financial information such as bank account, credit card, debit card or other payment details
(iii) Physical, physiological and mental health condition
(iv) Sexual orientation
(v) Medical records and history
(vi) Biometric information
– Finger prints
– Eye retina and irises
– Voice patterns
– Facial patterns
– Hand measurement
– DNA
Rules & Regulations
Sec 43A
• Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected. (Change vide ITAA 2008)
Talk of the Town
• Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:
– Data processing;
– Consent;
– Data subject rights;
– Non-compliance with DPR order; and
– Transfer of data to third party
Data Protection Framework-India
• Committee of Experts under the Chairmanship of Justice B N Srikrishna, Former Judge, Supreme Court of India, to identify key data protection issues in India and recommend methods of addressing them.
• Released for Public Comments on 27th Nov 2017
• 243 pages
Contents
• Part-I Context Setting
• Part-II Scope and exemptions
– Ch3: What is personal Data?
– Ch4: SPDI
– Ch5: What is processing?
• Part-III Grounds of Processing
Cross reference to GDPR
New Trends in Data Protection
• Tokenisation
– PCI
– Aadhaar Data
• Data Vault
Tokenisation
Information Security Governance for Data Protection
• Board Level review of the policies
• Legal requirement mapping and review
• Budgetary allocations
Agenda
• Overview
• Protective Technology
• Data Protection
• Cyber Liability Insurance
• Question & Answers
Transfer of Risk
• Most of the Cyber Risks can be transferred through Liability Insurance
• Bajaj Allianz has recently launched a policy for Individuals as well
Companies Offering Cyber Liability Insurance
Srl No | Insurance Company Name | Product Name | UIN
1 | Bajaj Allianz | BAJAJ ALLIANZ CYBER PROTECT PREMIUM - DIGITAL BUSINESS AND DATA PROTECTION INSURANCE | BAL-LI-P15-11-V01-15-16
2 | HDFC ERGO | HDFC ERGO CYBER SECURITY INSURANCE POLICY | IRDAN125P0005-VO1-2011-12
4 | Tata AIG | CyberRisk Protector Insurance | IRDAN108P0003V01201314
5 | Universal Sompo* | Cyber Security Insurance | USG-LI-P13-103-V01-12-13
Types of Losses Insured
Third Party
First Party
Services/Expenses
Exclusions
Similar to Own Damage and Third Party Damage in Motor Insurance