A new year signifies a new dawn, but in the cyber world that may not necessarily be true. In the previous year we witnessed massive data breaches that impacted both government and private entities, e.g. Equifax, Uber and Deloitte, not forgetting the Kenya Election Management System hacking allegation. Ransomware attacks were also a major concern for the majority of organizations after the May WannaCry attack.
I want to be optimistic for 2018, but given the trend it will get even worse!
2018 is an interesting year in the cyber world given that several regulations are coming into effect. Governments and regulators are acknowledging the impact data breaches have on an industry and the economy, hence the need to step in to restore trust and confidence.
GDPR (General Data Protection Regulation)
Enforcement Date: 25th May 2018
GDPR specifies how customer data is to be used and protected. It aims primarily to give citizens and residents back control over their personal data. The regulation applies to everyone (data controllers and processors) involved in processing EU citizens' data, regardless of whether the organization is based in the EU.
GDPR will likely become the de facto data protection standard globally given its scope. Any business entity that holds or processes the data of any individual living in the EU will need to comply. The guidelines have a huge impact on tech giants (Google, Facebook, Microsoft etc.) that have customers in the EU. We can expect some conflicts and legal tussles from these companies, given that some of the GDPR requirements conflict with their missions. GDPR requirements on which we may expect contention include the Right of Access, the Right to be Forgotten and the 72-hour breach notification.
EU companies will also require third parties to comply, especially where the third party is processing data for the company. The main goal is to minimize third-party risk, and non-compliance will be regarded as a high-risk profile. So if you are a company based in Nairobi, Lagos, Sydney or Seattle, you need to be compliant with GDPR to do business with EU companies.
Consider the questions below as a guide to whether your business needs to comply.
If your answer is YES to any of the above, GDPR compliance is a MUST for your company.
Investments and Mergers & Acquisitions will get more scrutiny, especially where investors are based in the EU. Evidence of compliance will be a requirement before an EU investor pumps funds into a company, regardless of its geographical location.
Non-compliance with GDPR comes at a cost, and a heavy one for that matter. Penalties for non-compliance with key provisions include a fine of up to the greater of €20 million or 4% of global annual turnover in the prior year. The majority of organizations will want to be in compliance, but given that data breaches are inevitable despite the best efforts, it will be prudent for organizations to take up cyber insurance cover that provides for regulatory compliance.
The EU Parliament adopted the regulation on 27th April 2016 and gave a two-year transition period, which elapses on 25th May 2018.
IATA PCI DSS Compliance
Enforcement Date: 31st March 2018
Cyber security has become an elevated risk, especially in the airline industry. An airline is a complex business with countless entry points and interfaces that make it vulnerable to cyber crime. In addition, airlines hold large amounts of personal data, including credit card details. If this data is compromised or used inappropriately, the airline could be exposed to legal suits that impact its reputation. To mitigate the risk, airlines have demanded that IATA support their own internal compliance by making the Billing and Settlement Plan (BSP) card sales channel PCI DSS compliant. Compliance aims to restore confidence and provide assurance to cardholders that their sensitive data is secured and protected against cyber criminals.
The regulation will have a global effect, given that all IATA-accredited travel agents MUST become PCI DSS compliant regardless of whether they process payment cards. Travel agents that don't process payment cards will need to fill in the Self-Assessment Questionnaire (SAQ) and submit it as an Attestation of Compliance (AoC) to IATA.
In Kenya's tourism market, European visitors account for the largest share, hence travel agents that process their data will need to be compliant with PCI DSS as well as GDPR.
NYDFS Cyber Security Regulations
The New York Department of Financial Services (DFS) enacted new cyber security requirements on all covered financial institutions. Banks, insurance companies and other financial service institutions regulated by DFS are required to have a cyber security program designed to protect consumers' private data, a written policy (or policies) approved by the board or a senior officer, a CISO to help protect data and systems, and controls and plans in place to help ensure the safety and soundness of New York's financial service industry. The regulation came into effect on 28th August 2017; however, there are further deadlines in 2018.
Feb 15th 2018 – The Chairperson of the Board (or a senior officer) is required to submit the first certification to the NYDFS as to compliance with the regulation.
March 1st 2018 – The covered entity must have submitted to the Board the CISO's report on the covered company's cyber security program, including a cyber security assessment.
Sept 3rd 2018 – The entity must have built its cyber security program.
Other states are likely to follow suit given the losses that financial institutions have to deal with from cyber crime.
CBK Guidance Note on Cyber Security
Similar to the NYDFS Cyber Security Regulation, the CBK released its Guidance Note in August, under which all institutions regulated by the CBK should have submitted their cyber security policies, strategies and frameworks by Nov 30th 2017. 2018 will be a busy year for the regulator as it reviews the submitted documents and probably develops a regulation based on the reviews done. Other East African regulators will be keenly following as they plan to develop similar regulations.
In Australia, the Mandatory Data Breach Notification Regime will be effective as of 23rd Feb 2018. Organizations will be required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals "as soon as practicable" if they become aware that there are "reasonable grounds" to believe an eligible data breach has occurred.
2018 will definitely be an interesting one as organizations work toward compliance and regulators monitor it.
Happy New Year to the ‘Year of Cyber Security Regulations’.
2018 © Villbo Group Limited.