Address Cybersecurity, Data Privacy, Business Continuity, IT and Vendor Risks in a Unified way with GRACE
Cybersecurity risks have escalated in organizations, especially in financial institutions. Ransomware, account takeovers, identity theft, hacking and misuse of valuable customer information have been on the rise, driven by work-from-home arrangements, geopolitical events and changes in technology. Data privacy regulations to prevent misuse of customer information, 72-hour reporting to regulators for incidents involving material loss of customer data, and regulatory examinations of firms' cybersecurity processes are also on the rise.
Material incidents can also lead to higher cyber insurance costs, and at times denial of coverage, if the proper processes are not in place. Responding to, managing and preventing each material incident can become very costly, as cybersecurity specialists, e-discovery specialists and lawyers must be engaged to determine the extent of the damage. Regulatory fines, payments for class action lawsuits and loss of reputation are further possible outcomes of such incidents.
Organizations have to establish policies and procedures and keep an up-to-date inventory of internal data as well as data held by outsourced vendors, including the protections in place for personally identifiable data (also in data backups). Protection of all infrastructure including physical security, continuous monitoring and issue reporting for access and vulnerabilities so they are reported and prevented early, vendor due diligence, incident response planning and proper incident management, security training of all staff, business continuity management and data privacy regulatory compliance are all part of today's IT infrastructure in each organization.
Mapping your organization's processes against best practice frameworks like NIST, ISO and COBIT, complying with SOC 2, PCI-DSS, HIPAA and CMMC as needed by your business, identifying gaps in your control processes and implementing the changes needed are important steps to establish and stay on top of risks in cybersecurity, data privacy, vendor risk and business continuity for your organization.
IT systems have become the backbone of all operations in companies and hold the repository of all critical information about customers, including their names, addresses, SSNs, phone numbers, emails, bank accounts and so on. A single break-in to these systems can give malicious actors access to this very important information, which can then be misused blatantly. Outsourcing of processing, client information spread across multiple systems and lack of proper protection in vendor operations can be disastrous.
Misuse of client information for targeted marketing and other activities has taken control of client information away from the clients and put it in the hands of organizations that could sell the information without the client's consent. Holding such large-scale personal information has created huge vulnerabilities to cyber attacks and compromise of critical client information.
Client Data Protection - Top of Regulators' Minds
Regulators have responded by defining rules and examination priorities around cybersecurity, privacy and protection of client data as their highest priority. Large fines for violations have been defined by regulations like GDPR, the California Privacy Act, the Colorado Privacy Act, the Connecticut Privacy Act and others to ensure that businesses are obligated to protect client information.
Regulators expect organizations to keep track of all client data, whether it is held within the organization or with outsourced entities, and to ensure this data is protected against security violations and misuse. They also expect you to obtain the client's consent and establish the lawful basis for the collection and use of the data. Regulators expect you to have a central repository of the client information being managed across the organization, to identify the security management in place and to ensure that client consent is being obtained. Client requests for erasure of their information, as well as opt-out requests, have to be honored.
GRACE Can Help You Track and Manage IT Risks
GRACE IT Risk Management has been specifically built to help you set up the cybersecurity processes and controls that organizations have to put in place, as defined by best practices like NIST, CMMC, ISO, COBIT and ITIL and by certification needs for SOC 2, HIPAA, PCI-DSS and others.
It helps you set up and manage IT policies and procedures and keep them updated. Controls monitoring processes that gather controls data on a scheduled basis and identify issues can help surface risks as early as they arise.
GRACE can help you build and keep updated an asset inventory of all systems, networks and other infrastructure, record the personally identifiable information (PII) held on each of them, and understand the security posture of each, such as encryption, anonymization, and protection of data at rest and data in transit.
Conducting Risk Assessments helps identify process and control gaps, issues and risks in implementations and manage their mitigation.
Incidents arise from internal failures and external threats, and organizations need to have a proper Incident Response Plan and Business Continuity Plan with clearly assigned roles and responsibilities. Periodic drills to ensure that the plans work and that failures can be handled in an organized manner with the least impact on customers and services are important. Incident management and the tasks associated with incident recovery must be done properly and taken to conclusion. Incidents of a material nature are now required to be reported to regulators within the stipulated number of hours, leading to examinations, e-discovery, large legal expenses and at times class action lawsuits. It is important that incidents be tracked for their severity and frequency of occurrence to prevent vulnerabilities from recurring.
California Consumer Privacy Act (CCPA) Expectations
The California Consumer Privacy Act (CCPA) was unanimously passed by California lawmakers and signed into law by the Governor on June 28th, 2018, and has to be implemented by all organizations that provide services to California consumers from Jan 1, 2020.
It gives California consumers unprecedented personal data protections and possibly sets the tone for similar legislation in other states.
It offers new and wide-ranging privacy rights for California residents, including a right to be informed about personal data collected by a business and rights to access and delete that information, a right to prevent personal information from being sold to third parties, and a right to data portability. The law applies to all businesses that collect or use this personal information, not just those companies in California. The California Attorney General may bring actions for civil penalties of up to $7,500 per violation, and there is a limited private right of action for individual victims of data breaches for penalties ranging between $100 and $750 per violation.
Companies are mandated to develop and implement data policies, procedures and data governance processes to address the following consumer rights:
The Right to know what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold
The Right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in)
The Right to have a business delete their personal information, with some exceptions
The Right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
The European Union's General Data Protection Regulation (GDPR) came into force on May 25, 2018 and is one of the most significant overhauls of data protection laws in a generation. It applies to organizations worldwide that offer goods or services to individuals in the EU, and the penalties for non-compliance are severe. Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime. Personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
The financial penalties for failing to comply with the GDPR are clearly defined: for each instance of noncompliance, up to 20 million Euros or 4% of worldwide annual turnover (revenue), whichever is higher.
Companies are mandated to develop and implement data governance, protection and privacy of client information, including where data is managed by outsourced third parties. All breaches have to be reported to the regulators within 72 hours.
GRACE for Integrated IT and Vendor Risk management to address Cybersecurity, Business Continuity and Data Privacy Regulations
Protect your client data comprehensively whether it is within your organization or with vendors
Manage IT Policies and Procedures
GRACE helps you create comprehensive policies and procedures for IT risk identification and management across all lines of business of the organization.
Manage detailed reviews and comments by all related departments, including legal, compliance, client management and other groups, on how client information is gathered and managed.
Ensure all comments are incorporated and release the policy or procedure.
GRACE helps you create and manage your vendor database of vendor locations, contact persons, SLAs and contract documents. You can conduct vendor due diligence and risk assessments to identify security management risks in their processes and manage and monitor their mitigation.
A Vendor Risk Profile can be generated based on the number of risks seen so the organization can take early corrective action. A periodic monitoring calendar, follow-up items and recording of findings identify issues early and show trends.
The Vendor Dashboard helps you monitor issues and risks and view trends.
Conduct Controls Monitoring
Set up and Assign Responsibilities for IT Controls Monitoring
Receive Controls Monitoring Reports Online
Monitor Issues reported by Controls Monitoring and identify issues early.
Map IT Processes to IT Standard Frameworks
GRACE offers IT framework information from NIST, ITIL and COBIT to allow organizations to benchmark their controls against the expectations of the frameworks.
Client Consent Information Management
All systems that process client information should have the client's consent for the legal purpose of using the data, as well as their consent to share the data with other third parties where needed.
Clients also have the right to request to be forgotten. Organizations have to provide functions for the client's data to be removed from all of their systems on such requests.
Tracking of consent, as well as of these requests, is an important part of the requirements of GDPR. Data from the systems and the vendors can be gathered in GRACE to monitor the status of client consent management.
Forms are available for online reporting of incidents as soon as they happen. This enables the organization to react quickly to breaches and other incidents and contain the damage.
Incident management includes the various tasks that have to be undertaken to notify the relevant entities, assess the damage and take quick corrective action on behalf of clients. Incident reporting to authorities is also part of the process.
GRACE provides functions for status reporting and monitoring of the various tasks needed to bring incident management to closure.
The Incident Dashboard is a powerful tool to see the frequency and severity of incidents, understand your vulnerabilities across internal systems and vendor systems, and prevent future occurrences.
Conduct IT Risk Assessments
GRACE can help you set up and use standardized checklists for periodic risk assessments of IT risk within the organization as well as within vendor organizations. You can set up calendars for assessments and receive alerts. You can send out risk assessment questionnaires online and use survey-like functions to collect information from within the organization as well as from vendors.
On-site inspections can also be conducted using the risk questionnaires. Findings from risk assessments allow organizations to identify risks, classify them, score them and manage their mitigation by assigning responsibilities. Findings from risk assessments can also refine policies and procedures and lead to enhanced training, re-attestation and other processes as mitigation.
The Risk Assessment Dashboard helps track the status of assessments, findings and mitigation tasks.
All staff can periodically be sent standard templates for attestation, to remind them to follow the privacy procedures.
Staff receive alerts from the system, get their particular forms and can attest to them online. Reminders are sent if forms are not attested within the given timeline.
The Attestation Dashboard provides information on attestation status.
Ensure that all staff are sent the latest IT management policies and procedures to read and attest to online. This ensures that the latest procedures for ensuring IT security are well understood by staff. Periodic attestation helps remind staff of the correct procedures for IT management.
GRACE can set up attestation templates as well as attestation calendars for individual staff or groups of staff.
Staff receive email alerts about pending attestations, and reminders can be sent.
The Attestation Dashboard allows the organization to see how many people have attestations pending and ensure all of them go through the attestation process.
GRACE offers multiple dashboards specialized for each area, including the Policy and Procedure Dashboard, Risk Assessment Dashboard, IT Risk Dashboard, Incident Dashboard, Attestation Dashboard, Training Dashboard and others. Access rights can be turned on or off for each of the dashboards.
Each dashboard presents the overall information, charts, trends, reports and queries, and allows slice-and-dice analysis and deep drill-down on all information gathered and on approval status. Issues, risks and mitigation management, with trends shown in graphics and reports, enable action to be taken. Reports can be queried by user-defined criteria, printed and exported to Excel or PDF formats.
The Great Value You Get from Using GRACE IT Risk Management
Manage your Data Privacy and IT Risk management comprehensively
Keeps track of your infrastructure
Keeps track of your IT Infrastructure and the cybersecurity protection in place for your client data
Risk Management becomes online and real time
Integrated web-based access anytime, anywhere means risks can be addressed as quickly as they arise, reducing the cost of mitigation.
Ensure Policies are being followed
Ensures IT Policies and Procedures are in place and your staff knows about the procedures to be followed
Regulatory examinations can be handled with confidence
Centralized and visible risk management processes means regulatory examinations can be handled with confidence
Manage the risks with your Outsourced Vendors
Keeps track of your outsourced vendors to ensure that they have cybersecurity protections in place for your data
Identify Vulnerabilities Early
Helps you conduct periodic risk assessments to ensure Privacy of Customer Information and identify vulnerabilities early
Organization Ownership of Data
Organizations suffer when key risk and compliance staff leave. If maintained solely by individuals, the information is scattered and lies on disks in various forms. GRACE becomes the single central repository of documents, data and processes, enabling continuity even when key people leave the organization.
Ensure Security, Business Continuity / Disaster Recovery processes
Helps ensure Business Continuity / Disaster Recovery processes within and across your vendors so you are not left vulnerable
Manage Incidents as soon as they happen
Helps you track and manage incidents to take corrective action and prevent future events
Easy to Integrate and Customize
GRACE offers easy integration with organizational source systems to enhance its functionality and extend it at low cost. This is a great benefit for end users, who can bring all the relevant data into a single system through automated processes, allowing them to focus on risk management and compliance instead of data gathering.
Integrates easily with tools to help you manage your infrastructure safely
Enormous Cost Savings
Enormous cost savings through early mitigation; avoids regulatory fines, legal costs and reputation risks, and empowers the organization in its ability to manage risks.
Helps you manage your Regulatory Examination
Helps you manage books and records for regulatory examinations