Senior Management Awareness presentation

Emerging Cyber Security Threats and Data Protection, Nanda Mohan Shenoy D, CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, P G Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer, Director

Transcript of Senior Management Awareness presentation

Page 1: Senior Management Awareness presentation

Emerging Cyber Security Threats and Data Protection

Nanda Mohan Shenoy D, CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, P G Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer

Director

Page 2: Senior Management Awareness presentation

Agenda

• Overview

• Protection

• Emerging Regulations on Data Protection

• Cyber Liability Insurance

• Question & Answers

Page 3: Senior Management Awareness presentation

Agenda

• Overview

• Protection

• Emerging Regulations on Data Protection

• Cyber Liability Insurance

• Question & Answers

Page 4: Senior Management Awareness presentation

India’s Rank in GCI (195 Countries)

23

Page 5: Senior Management Awareness presentation

GCI Parameters

Page 6: Senior Management Awareness presentation

GCI Report

Page 7: Senior Management Awareness presentation

Insurance

Page 8: Senior Management Awareness presentation

Ransomware - Statistics

• A company is hit with ransomware every 40 seconds

• 6 in 10 malware payloads were ransomware in Q1 2017.

• There were 4.3x more new ransomware variants in Q1 2017 than in Q1 2016

• 15% or more of businesses in the top 10 industry sectors have been attacked.

• 1 in 4 businesses hit with ransomware have 1,000 employees or more

• 71% of companies targeted by ransomware attacks have been infected

Source: https://blog.barkly.com/ransonware-statistics-2017

Page 9: Senior Management Awareness presentation

Data Breach

Fish Tank Attack on a Casino in USA

Page 10: Senior Management Awareness presentation

Financial Impact

Page 11: Senior Management Awareness presentation

India Statistics

Year | FY | CY
2014 | 9,500 | 44,679
2015 | 13,083 | 49,455
2016 | 16,468 | 50,362
2017 (H1) | NA | 27,482

Page 12: Senior Management Awareness presentation

Cyber Crime

State & UT

Metropolitan Cities > 2 Mio Population

Page 13: Senior Management Awareness presentation

Trend

Page 14: Senior Management Awareness presentation

Emergence of Cyber Threat

• Cloud

• Mobile Applications

• Internet

• Third party beyond boundaries

• Email

–Biggest source

–Research by IBM reveals that 59% of ransomware attacks originate with phishing emails and a remarkable 91% of all malware is delivered by email

Page 15: Senior Management Awareness presentation

Agenda

• Overview

• Protection Strategy

• Emerging Regulations on Data Protection

• Cyber Liability Insurance

• Question & Answers

Page 16: Senior Management Awareness presentation

Protection Strategy

Unconventional Thinking required for protection

• Technology

– Deception Technologies

– SPF, DKIM, DMARC

• Human Control

• Cyber Drills

Page 17: Senior Management Awareness presentation

Agenda

• Overview

• Protective Technology

• Data Protection

• Cyber Liability Insurance

• Question & Answers

Page 18: Senior Management Awareness presentation

Data Classification

• From Organisational perspective

– PII or SPDI*

• Customers

• Employees

– Audit Logs (such as login and transaction details)

– Organisation Data

• Financial

• Vendors

* There are regulatory requirements for protection of these data

Page 19: Senior Management Awareness presentation

PII or SPDI

(iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Page 20: Senior Management Awareness presentation

What Constitutes SPDI?

(i) Password

(ii) Financial information such as bank account, credit card, debit card or other payment instrument details

(iii) Physical, physiological and mental health condition

(iv) Sexual orientation

(v) Medical records and history

(vi) Biometric information

– Finger prints

– Eye retina and irises

– Voice patterns

– Facial patterns

– Hand measurement

– DNA

Rules & Regulations

Page 21: Senior Management Awareness presentation

Sec-43 A

• Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected. (Change vide ITAA 2008)

Page 22: Senior Management Awareness presentation

Talk of the Town

• Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:

–Data processing;

–Consent;

–Data subject rights;

–Non-compliance with DPR order; and

–Transfer of data to third party

Page 23: Senior Management Awareness presentation

Data Protection Framework-India

• Committee of Experts under the Chairmanship of Justice B N Srikrishna, Former Judge, Supreme Court of India, to identify key data protection issues in India and recommend methods of addressing them.

• Released for Public Comments on 27th Nov 2017

• 243 pages

Page 24: Senior Management Awareness presentation

Contents

• Part-I Context Setting

• Part-II Scope and exemptions

–Ch3- What is personal Data?

–Ch4- SPDI

–Ch5- What is processing?

• Part-III Grounds of Processing

Cross reference to GDPR

Page 25: Senior Management Awareness presentation

New Trends in Data Protection

• Tokenisation

–PCI

–Aadhaar Data

• Data Vault

Page 26: Senior Management Awareness presentation

Tokenisation

Page 27: Senior Management Awareness presentation

Information Security Governance for Data Protection

• Board Level review of the policies

• Legal requirement mapping and review

• Budgetary allocations

Page 28: Senior Management Awareness presentation

Agenda

• Overview

• Protective Technology

• Data Protection

• Cyber Liability Insurance

• Question & Answers

Page 29: Senior Management Awareness presentation

Transfer of Risk

• Most of the Cyber Risks can be transferred through Liability Insurance

• Bajaj Allianz has recently launched a policy for individuals as well

Page 30: Senior Management Awareness presentation

Companies Offering Cyber Liability

Srl No | Insurance Company Name | Product Name | UIN
1 | Bajaj Allianz | BAJAJ ALLIANZ CYBER PROTECT PREMIUM - DIGITAL BUSINESS AND DATA PROTECTION INSURANCE | BAL-LI-P15-11-V01-15-16
2 | HDFC ERGO | HDFC ERGO CYBER SECURITY INSURANCE POLICY | IRDAN125P0005-VO1-2011-12
4 | Tata AIG | CyberRisk Protector Insurance | IRDAN108P0003V01201314
5 | Universal Sompo* | Cyber Security Insurance | USG-LI-P13-103-V01-12-13

Page 31: Senior Management Awareness presentation

Types of Losses Insured

Third Party

First Party

Services/Expenses

Exclusions

Similar to Own Damage and Third Party Damage in Motor Insurance

Page 32: Senior Management Awareness presentation

[email protected], 09820409261

Thank you