Cyber Risk and Compliance are now enshrined in law. Understanding your exposures is the first step to mitigating them. Outsourcing is one solution.
Previously, PCI DSS had been a contractual obligation rather than a legal requirement. Organisations now have to ensure that their systems and processes comply with the law or face ever-increasing penalties, not just contractually, but also from the ICO as well as from potential group actions by affected customers or staff.
Managing cyber risk and compliance obligations is an increasingly complex and expensive endeavour, and getting it wrong can lead to substantial financial and reputational damage.
The challenge
Our client is a private members’ club that holds large amounts of personal information and takes lots of card payments via multiple acceptance channels across locations all around the world.
They had a challenge in assuring investors and members that they were ‘doing the right thing’ and were compliant with the new Data Protection Act and as part of that also achieving PCI Compliance, across all acceptance channels spanning their entire global operations.
In achieving this they faced three main challenges:
- Understanding what Data Protection/GDPR means and how and where it applies
- Understanding their cyber risk profile and how much security was appropriate
- Understanding what PCI DSS Compliance means and how and where it applies
What risks do we face?
It is difficult for most organisations to evaluate exactly where their cyber risks lie, and what those risks mean from a financial point of view. It is even harder to ensure that these are explained to senior management in clear, simple, actionable terms.
- How do we manage this day by day?
- How compliant should we be?
- Where does GDPR apply?
- What does PCI DSS mean for us?
From objective to solution
The objective was to create a plan and implement a programme of work to enable the board to give assurance that, a) they were doing the right thing, and b) were managing cyber risk and compliance to Data Protection/GDPR as well as PCI DSS.
Blackfoot’s Cyber Assure managed service is designed to take the problem away from the client, leaving them safe in the knowledge that, as partners, we will ensure that cyber risks are minimized and that systems and processes are de-risked, making compliance quicker and easier.
Working with the client in a partnership, with intimate knowledge of the organisation’s structures, Blackfoot will work to identify and minimize cyber risks, giving clients the comfort they need that experts are taking care of it.
After initial conversations with the client, so that we gained an understanding of what was and wasn’t important to them, we conducted an organisation-wide cyber risk assessment.
This gave the organisation a starting point and a clear, simple, and consistent picture of different cyber risks and the potential impacts they could have on the business.
These included risks to the confidentiality of personal and financial information, the integrity of information held by the business, the availability of critical systems, and the authority to process personal data.
Once we had agreed a Cyber Risk treatment programme, we split the work into logical steps.
We started by raising the maturity of cyber governance through executive briefings, and then implemented regular governance and progress meetings with senior stakeholders. This enabled buy-in across the business, ensuring quick adoption of the programme.
The programme of work was then ordered according to risk, ensuring the quickest reduction in risk over time. It covered a number of areas including:
GDPR
We conducted an organisation-wide GDPR assessment. This revealed all the gaps in compliance and, after conducting Privacy Impact Assessments, we were able to order the treatment by risk, ensuring the risks were reduced as quickly as they could be.
We helped reduce the scope of GDPR by altering processes so that the client processed less Personal Data, halving the number of systems processing personal data and significantly reducing both the time and costs of compliance.
As the final part of the GDPR assessment process we looked at the required cyber security controls and the appropriate levels of maturity to ensure sufficient accountability measures. Again, based on the earlier work we had carried out, we had already calculated their appropriate levels from the risks they posed.
Payment Acceptance Risk
With payments, we started by simplifying the global acquiring contracts and looking at better card processing practices to minimize the PCI DSS scope per acceptance channel.
Once we had agreed with the client the changes to certain processes and the altering of current practices, we had an agreed scope per acceptance channel.
We also helped advise on tokenization and digital wallets for member card payments, reducing the amount of payments taken by 70% and therefore the potential impact of a card data breach.
Cyber Work Programme
Taking a holistic approach we merged all Data Protection, Cyber Risk and PCI DSS requirements and implemented the following activities:
- Implemented Information Security Policies and Procedures, mapped to all risk and compliance requirements. This ensured that staff only had to deal with a single change in the way they worked.
- To ensure staff understood why we were asking them to change their daily processes and add more documentation to certain daily tasks, we implemented our award-winning SAT across all 4,500 staff, giving them an understanding of why the organisation was asking everyone to pull together and keep staff and member data safe and protected. As part of this we conduct regular phishing tests to highlight staff who need ongoing training.
- We trained their incident response team and have regular ‘dry runs’ scheduled to keep them up to date and well versed should a major cyber incident occur, reducing the potential impact of any cyber attack.
- We have designed a gradually increasing testing schedule, allowing relevant staff and partners to improve patching of systems and secure coding of applications. In the first year we conducted internal vulnerability scanning and external penetration testing, setting a baseline for year 2 and 3 BAU testing of systems and applications on a regular basis.
- As a dynamic organisation there are lots of new initiatives, most reliant upon digital and technology. To that effect we have assisted project management in implementing privacy and security by design for all new systems and applications.
- As supply chain risks are growing, we have focused on assessing their supply chain for cyber risks and compliance issues. We helped risk-rate the entire supply chain and then implemented a cyber supply assurance programme dealing with the riskiest suppliers.
Impressive Results
By investing in the Blackfoot managed service, the client has achieved the following in under a year.
- Cyber governance function in place with measurable KRIs and KPIs
- GDPR framework implemented, with Accountability Measures being built
Payment risk and PCI
- Streamlined acquiring from multiple to a single acquiring contract
- Reduced time to PCI compliance from three years to 14 months
- Saved the client over £2 million in capex and £300k in annual opex
- Reduced the volume of card payments by over 70% through the introduction of tokenization and digital wallets for members
- Reduced and implemented acceptance channel controls as follows:
  - eCommerce from SAQ D to SAQ A
  - Face to Face from SAQ D to SAQ
  - P2PECNP from SAQ C-VT to SAQ P2PE
With the board now receiving regular updates on progress, they have the confidence to go back to both members and investors and give them the assurance that they are doing the right thing: that they are minimizing Cyber Risk in the organisation by both complying with GDPR globally – as the highest international standard for protecting member and staff data – and now being PCI compliant, reducing the risk of the kind of card processing breaches we’ve recently seen.