Cyber Insurance and compliance with the GDPR

22 June 2018

Cybersecurity and compliance with the GDPR

Red Seguridad (Magazine) / Opinion / Second Trimester 2018 / June / p. 57

José Luis Juárez // IT Security Consultant at vintegrisTECH

Surfing the net aimlessly, I came across a short film by Keiichi Matsuda, a specialist in augmented reality, interface design and usability, about hyperreality and its consequences. The video made me think hard about where we stand today and the enormous progress we still need to make in the coming years with regard to personal information: its value, how to manage it and how to protect it.

Needless to say, even though the video is fiction, it is very close to how information already lives and circulates today. Before we reach that point, however, other milestones have to be completed first. At present, one of the main challenges is having adequate means to manage information with guarantees.

According to the 2017 report of the State Attorney General's Office, judicial proceedings related to fraud (scam) offences made up the largest group of recorded cybercrimes, 61 per cent, totalling 4,930. Although the sharp drop compared with previous years (19% and 22% below the 2016 and 2015 figures, respectively) may make this number seem acceptable, it shows that our information is still not adequately handled and protected, so we have much work ahead of us.

With the General Data Protection Regulation (GDPR) in application since 25 May of this year, fines of up to 20 million euros (or 4% of worldwide annual turnover, whichever is higher) can be imposed on companies that fail to observe certain requirements, such as the end of tacit (implied) consent at the time of data collection. Now more than ever, it is necessary to have tools that facilitate and guarantee compliance with the regulation.

Cyber Insurances

In this sense, cyber insurance is a useful tool if we look at what is required to take out a policy and to keep its coverage in force. Before underwriting a policy, insurers demand compliance with a series of security measures that demonstrate a certain maturity and responsibility in risk management. This obliges organisations wishing to take out such insurance to adopt protection measures and incident management procedures that support legal compliance. Otherwise, cyber insurance is not granted.

As indicated by the National Institute of Cybersecurity (INCIBE), the basic coverages are: third-party liability and regulatory proceedings; legal defence, damages and regulatory fines (to the extent that the law allows a fine to be insured, which varies by jurisdiction); first-party damage and loss of income; and crisis management and fees paid to external experts.

The points above are a condensed summary of the full list; each one is developed into more detailed items depending on the needs of each case, but all of them converge on protecting information and treating it properly, both to avoid an incident and to handle it once it has occurred.

It should also be noted that, as usual, insurers reserve the right not to pay out on certain claims, what we generally call exclusions. Typical exclusions are: dishonest, fraudulent or deliberate acts on the part of the insured; bodily injury or property damage; liabilities assumed by contract or agreement; prior claims, prior litigation and incidents that occurred before the policy's effective date; infringement of trade secrets and patents; and, in some cases, war and terrorism. A practitioner should read this list carefully, because an incident that falls under an exclusion (for example, one whose root cause predates the policy) leaves the organisation bearing the full cost.

From all of the above it is clear that, even if a policy can help mitigate the impact of an incident, it is crucial that companies become aware of digital risks and invest in prevention. Likewise, they must assume the great responsibility that the new law places on them and the cost of non-compliance. Besides, there is a risk as significant as, or more significant than, economic losses and sanctions: the loss of reputation, something that takes an organisation many years to build and can be very difficult to repair.

In fact, one of the great paradoxes in this area is that a large proportion of cybersecurity incidents have a human origin, while many managers still regard IT security as a purely technological issue. A PwC study confirms it: "50 per cent of managers see cybersecurity as a technological problem, not a business problem, when in reality only 10 per cent of incidents are caused by technology, while the rest come from human behaviour."

Mentality change

This complex environment demands a radical shift in mentality on the part of those responsible in corporations, who should pay more attention to the increasingly thin line between the business and the technology used to run it. To facilitate this task, Víntegris offers nebulaSUITE, which brings together the essential services for the comprehensive protection of digital identity. This suite of technologies allows the following:

# Manage digital identities. Create digital certificates that act as identity credentials for people and devices. Thanks to its own certification authority, the suite is able to issue and manage its own digital certificates.

# Control access to the activities of the organisation. Authenticate users and control their access through adaptive multi-factor authentication (MFA), with the ability to choose the most appropriate method for each user at any time and to quickly adapt the entire environment in each case.

# Accelerate signature processes. Employees and clients can sign documents using digital certificates and/or handwritten signatures, with every signature protected cryptographically to obtain the highest level of trust. The system also manages signing workflows to make legal procedures easier, within the applicable legal framework.

To this are added the capabilities provided by the cloud, such as near-instant global access to these services, giving comprehensive coverage in areas such as:

  1. Digital identity for both users and devices with qualified digital certificates.
  2. Centralized control of digital certificates with the certificate management platform.
  3. Personalized and straightforward workflows that allow the approval of documents, transactions and processes for one or multiple signatories.
  4. Verification of digital transactions for the benefit of citizens and companies of the European Union, in accordance with Regulation (EU) No 910/2014 (eIDAS).
  5. Authentication and control over access to the company and its resources.

In short, having these capabilities in place will make it easier for companies to implement the measures that the new GDPR makes mandatory.

Original article in Spanish