New technologies have revolutionised how we do business, find love, travel and shop. And more recently, the digital age has shaken up the worlds of finance and banking.

But as people move to innovative banking and saving formats, how can regulators protect the public while also providing a level playing field for established banks and new entrants alike?

And how can the new breed of FinTech companies adhere to regulations without being crippled by the administrative overload?

Before we try to answer these questions, let’s define FinTech.

What is FinTech?

In brief, FinTech is the application of new operating models and software solutions to traditional financial services.

In reality, FinTech means many different things. FinTech includes mobile apps, cryptocurrencies, blockchain, peer-to-peer lending and flexible investment platforms. FinTech firms are often new startups founded by technical experts with the skills to bring bold new ideas to life.

While FinTech startups move quickly and attract bright young developers, they may not have the resources and customer base to capitalise on the promise of their inventions. This has led to a number of partnerships (and buyouts) of FinTech startups by established banking giants, meaning that some of the innovators are now underpinned by the very ancestors they sought to disrupt.

The FinTech regulation puzzle

One challenge for FinTech companies is the weight of regulation.

Starting a new financial service company can be immensely challenging, because of the huge number of laws that protect consumers and governments from bad banking practices. While the current regulatory landscape has emerged over many years, giving banks plenty of time to comply, new entrants must meet all the regulatory requirements from day one – something that can become a financial drain when income is minimal.

Consequently, FinTech startups and their supporters advocate for a light-touch approach to regulation so that they can find their feet and bring customers new ways to bank, borrow, invest and save.

On the other side of the coin, regulators want to give FinTech startups the room to grow, while also protecting consumers, corporations and governments from unorthodox financial experiments.

Regulatory sandboxes

One approach to fostering innovation while protecting consumers is to create a regulatory sandbox – essentially an environment for testing new financial products and services under tight control by regulators.

In 2013 the UK’s Financial Conduct Authority (FCA) created a regulatory sandbox for FinTech startups in their London headquarters. This gave startups a chance to develop their ideas without the usual degree of red tape and compliance challenges.

Compliance and FCA training from VinciWorks

VinciWorks provides a wide range of corporate eLearning solutions, including a suite dedicated to compliance and a selection of FCA training modules. Our eLearning can be delivered as off-the-shelf packages, or we can customise the content to suit your organisation.

Last year was a bad time for data security, but a great time for digital criminals. In the midst of the thousands of hacks, leaks, exploits and phishing attempts, a group of Russian military hackers unleashed a virulent worm that would cause untold disruption and cost companies around the world billions in lost revenues and repair costs.

While nobody has claimed responsibility for the NotPetya virus, it has been traced back to a group of Russian military hackers who were trying to wreak havoc in the Ukraine – and send a warning to companies that dare to do business with Russia’s enemy.

The virus originated in the Ukraine, after Russian hackers gained access to the servers of Linkos Group, a company that produces a popular accounting program called MeDoc. Having gained access, the hacking group, known as Sandworm, was able to infect the MeDoc update server, which then allowed them access to the thousands of PCs around the world that have MeDoc installed.

NotPetya spread rapidly. It relied on two exploits working in partnership to sidestep defences, infect computers and spread to the next host. EternalBlue, a tool created by the US National Security Agency but stolen during a breach earlier in the year, was combined with Mimikatz, a script created by a French researcher to demonstrate that Windows was leaving users’ passwords in memory. Using these two exploits, the virus could leapfrog from machine to machine in a matter of hours.

Maersk goes dark

On 27 June, computer screens at Maersk headquarters began to go black. Some displayed messages asking for a ransom to be paid in bitcoin; others simply stated that the machine was being repaired, and should not be turned off. Whatever the message, the machine was frozen and unusable.

Maersk, a global shipping company, was completely stricken by the virus: so many computers were infected, so rapidly, that the company was unable to take new orders or manage their vast shipping fleet. Even the IT security team was unable to work. Servers, computers, routers and desk phones were all brought down by the virus.

Around the world, 17 of Maersk’s 76 freight terminals were disrupted by the virus. Without computers, nobody could do anything. Freight could not be received, loaded or dispatched. The contents of containers were unknown and new bookings could not be taken. Ports in Los Angeles, Rotterdam and Mumbai were reduced to parking garages. It was a catastrophic failure of shipping IT – and the costs are estimated to be astronomical.

Billions in lost earnings

Ultimately, NotPetya would cause an estimated $10 billion in damage, crippling multinational companies including TNT Express, Mondelez, Reckitt Benckiser, Rosneft and Merck.

At Maersk, recovering from the attack involved a frantic effort to restore core machines and then gradually wipe and restore individual machines. In just 10 days the company managed to rebuild its network of 4,000 servers and 45,000 PCs – though a complete recovery took many months.

While NotPetya was a fiendishly clever virus, it did rely on Maersk (and other victims) having unpatched machines – something that could have been avoided. Maersk has since changed its approach to digital security and is investing widely in security systems and processes. Employees report that requests for spending on digital security are being approved without delay; a contrast to the company’s prior reluctance to invest in digital protection.

Why do so many companies have to learn digital security lessons the hard way?

Find out more about Cyber Security eLearning.

Currys PC World is the latest in a long line of corporations to suffer a large-scale data breach, but the positive news to take from the story is the swiftness and clarity of their response. One of our colleagues, as a Currys PC World customer, received an email explaining the loss of data, what was involved, and what he should do to protect himself from fraud.

The message was comprehensive and apologetic – and suggests that British businesses are finally learning how to respond to these kinds of cyber crimes.

The recent news from Currys PC World came in two waves; at first, they believed that 1.2 million customers were affected, although no payment card information was involved. Several weeks later the electronics giant had to report that the scale of the problem was far larger. After an internal investigation they put the number of customers affected at 10 million.

Currys PC World reports that none of their customers has been directly defrauded in the immediate aftermath of the data breach. But we know from previous hacks that customer data is rarely used in isolation; instead, this kind of information is used as bait in phishing attacks. With customer data in their hands, fraudsters can dupe people into handing over more information which then gives them access to bank accounts, payment cards and online stores.

So, the true impact of this kind of data breach is unlikely to be immediately obvious – and people who are defrauded six or nine months from now may never know that their loss originated with lax security at Currys PC World.

Alex Neill of Which? commented on the incident: “Dixons Carphone customers will be alarmed to hear about this massive data breach and will be asking why it has taken so long for the company to uncover the extent of its security failure. It is now critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.”

The letter from Currys PC World is commendably clear and direct: “Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.”

Currys PC World also laid out clear guidance for their customers on how to minimise the risk of fraud:

  • If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.
  • We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.

Although the value of Currys PC World shares fell after news of the initial data breach was revealed, markets reacted less extremely to the second wave of news, with shares actually rising slightly. This may reflect a degree of breach fatigue – or a belief that the high street’s last electronics retailer has already paid the price for its security failure.

Are data breaches an inevitable part of a society that lives and trades online? Or will businesses eventually find systems and processes to outfox the data bandits?

Worried about data breaches? Find out more about Data Protection eLearning from VinciWorks.

Data breaches are nothing new.

What has changed recently is the regulations surrounding personal data.

Under the General Data Protection Regulation (GDPR), companies must notify the Information Commissioner’s Office within 72 hours of becoming aware of a breach.

In the case of Ticketmaster’s recent breach, questions remain about whether they reported the loss of data affecting 40,000 customers quickly enough.

Ticketmaster lost the customer data because of a third-party application designed to help them manage customer support requests. The Inbenta software was infected with malware and was passing customer data to a third party, who then used the information to help them make fraudulent payments.

Ticketmaster claims that up to 40,000 UK customers may have had their data stolen. Customers in the US were not affected in the incident. Ticketmaster is offering customers a 12-month identity monitoring service to help prevent further frauds from occurring.

One of the problems with a data breach of this kind is the avalanche of follow-up crimes that typically occur – not always relying on the actual data lost. This is because criminals use the confusion and concern caused by a major data loss incident to dupe customers into changing passwords – on dummy websites that they control. Ticketmaster is urging customers to only visit genuine Ticketmaster websites on recognised addresses.

Brooks Wallace, from the cyber-security specialist Trusted Knight, commented: “After an incident like this, criminals from around the world will jump at the chance to try and catch a few unsuspecting people out. If you receive any emails purporting to be from Ticketmaster asking for any personal information, discard them. If you need to contact Ticketmaster, type the website address into your browser and log-in that way.”

Questions about the timing of Ticketmaster’s notification surfaced after Monzo, the online bank, reported that they had uncovered evidence that Ticketmaster may have been breached in early April – something they passed on to authorities and to Ticketmaster. Monzo’s discovery followed customer reports of fraudulent transactions. The security team at Monzo analysed the accounts of approximately 50 customers who had all been victims of fraud and found a pattern: 70% of the affected customers had recently bought tickets from Ticketmaster, whereas only 0.8% of Monzo’s entire customer base had used Ticketmaster.
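The pattern Monzo spotted is a common point of purchase analysis: compare how often a merchant appears in the recent purchase history of confirmed fraud victims with how often it appears across the whole customer base. The example below is added here to illustrate that comparison and is not Monzo’s code; the accounts, merchant names and dates are constructed placeholders, and the lookback window and minimum-victim threshold are assumptions.

```python
"""Common point of purchase (CPP) analysis over constructed card transactions.

Added example, not Monzo's code: given accounts confirmed as fraud victims, find
merchants over-represented in the victims' recent purchases compared with the
whole customer base, in the spirit of the 70% vs 0.8% comparison described above.
All accounts, merchants and dates below are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    merchant: str
    when: date


def merchant_lift(txns, victims, all_accounts, as_of, lookback_days, min_victims=5):
    """Rank merchants by lift = share of victims seen there / share of all accounts seen there.

    Only transactions inside [as_of - lookback_days, as_of] count, and each
    account counts once per merchant, so a heavy spender does not skew the shares.
    """
    window_start = as_of - timedelta(days=lookback_days)
    seen = {(t.account, t.merchant) for t in txns if window_start <= t.when <= as_of}
    victims_at = Counter(m for a, m in seen if a in victims)
    everyone_at = Counter(m for _, m in seen)
    rows = []
    for merchant, v in victims_at.items():
        if v < min_victims:      # too few victims to draw any conclusion
            continue
        victim_share = v / len(victims)
        base_share = everyone_at[merchant] / len(all_accounts)
        rows.append({
            "merchant": merchant,
            "victims": v,
            "victim_share": round(victim_share, 4),
            "base_share": round(base_share, 4),
            "lift": round(victim_share / base_share, 2),
        })
    rows.sort(key=lambda r: r["lift"], reverse=True)
    return rows


def build_sample(as_of):
    """Constructed data: 2,000 accounts, the first 50 confirmed fraud victims."""
    accounts = [f"acct{i:04d}" for i in range(2000)]
    victims = set(accounts[:50])
    recent, old = as_of - timedelta(days=30), as_of - timedelta(days=120)
    txns = []
    for i, a in enumerate(accounts):
        if i % 5:                       # 'grocer': 80% of everyone, victims included
            txns.append(Txn(a, "grocer", recent))
        if i % 3 == 0:                  # 'coffee': about a third of everyone
            txns.append(Txn(a, "coffee", recent))
        if i < 35 or 1000 <= i < 1015:  # 'ticket_vendor': 35 of 50 victims, 15 others
            txns.append(Txn(a, "ticket_vendor", recent))
        if 1500 <= i < 1600:            # older ticket_vendor purchases, outside a 90-day window
            txns.append(Txn(a, "ticket_vendor", old))
    return txns, victims, accounts


def rank_suspect_merchants(lookback_days=90, min_lift=5.0):
    """Return merchants whose lift meets min_lift, strongest signal first."""
    as_of = date(2018, 6, 27)  # constructed 'today' for the sample
    txns, victims, accounts = build_sample(as_of)
    rows = merchant_lift(txns, victims, accounts, as_of, lookback_days)
    return [r for r in rows if r["lift"] >= min_lift]


if __name__ == "__main__":
    for row in rank_suspect_merchants():
        print(row)
```

Widening the lookback to a year pulls in the older purchases and dilutes the signal, which is why the window and the base-rate comparison matter as much as the headline percentage.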

The question that the ICO may want answered is why it took months for Ticketmaster to confirm that a breach had taken place. Was the breach carefully concealed by hackers? Or did Ticketmaster hope to limit the scope of the scandal?

Read more about Information Security eLearning from VinciWorks.

The payment card industry data security standard (PCI DSS) is designed to protect consumers by encouraging businesses to do more to protect payment card details. A recent survey by US Internet giant Verizon found that compliance with PCI DSS can be a powerful force in fighting cyber-crime – but many organisations struggle to maintain full compliance with the standard.

Speaking to Computer Weekly, Verizon’s head of advisory services Gabriel Leperlier commented: “Since 2010, not a single organisation that has been breached was 100% PCI DSS compliant at the time of the breach.” This is a remarkable finding. Why are so many organisations struggling to comply with the standard?

Firstly, it helps to examine the 12 requirements of PCI DSS:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

In addition to these 12 requirements, digital security teams must contend with changing technology, workplaces that are riddled with web-connected devices, malicious employees and a host of determined hackers, criminals and foreign agents – who are all working day and night to access a company’s valuable data.

As Leperlier puts it: “Many organisations struggle to keep up with the continual cycle of scanning, testing and patching, which is why it is important to involve all employees, so they understand why certain security controls are in place and will be more likely to stick to them rather than finding ways around them.”

Achieving and maintaining PCI DSS compliance does not guarantee that you won’t be hacked – but failing to maintain compliance is a sure-fire way to attract the attention of hackers and criminals. After all, dropping the ball on PCI DSS compliance effectively means you’re making life easier for anyone who wants to steal your data.

There are many examples of companies that have paid a heavy price for data breaches that could have been prevented by complete compliance with PCI DSS. For example, US retail giant Home Depot agreed to pay at least $19.5 million to consumers harmed by a data breach in 2014. The breach occurred because Home Depot used inadequate security software and weak data protection policies. Under PCI DSS, companies are required to conduct vulnerability scans – something that was not carried out fully at Home Depot.

PCI DSS compliance may be difficult to achieve and maintain, but it seems the costs of dealing with a major data breach are likely to be far higher than the price of meeting the 12 requirements outlined above.

We’re very pleased to announce the arrival of our latest compliance course: The Using Social Media Challenge.

Written and directed by our talented development team, the course combines a refreshing mix of story-telling, gamification, and immersive eLearning to offer learners an interactive video experience that’s sure to wow!

Fresh, fun, and informative, The Using Social Media Challenge is designed to raise awareness about hacking threats on Social Media.

To take the challenge, users must take on self-confessed cyber-criminal, John (and his fiendish team of hacking experts), and prevent him from accessing their data and infecting their computer by making the right choices whilst using social media. Each time learners thwart John’s efforts successfully, they will be rewarded with a shield. Making the wrong choices, though, will result in a win for the cybercrime syndicate and a ‘virus’ for the unsuspecting victim.

How many shields will you collect?


Recent research suggests that almost half of UK businesses are preparing to receive non-compliance penalties, with many owners having already set aside funds in anticipation of a fine.

The research (conducted by data privacy firm, Ensighten) highlights a worrying amount of unpreparedness surrounding the new legislation and the additional responsibilities it will bring for organisations who wish to process and store personal data. CEO of Ensighten, Ian Woolley, comments that business owners are ‘aware, but still uncertain’ about GDPR, with 61% of survey respondents indicating they would like an extension of the deadline if one became available.

At What Cost?

A lot has been made of the potential penalties for non-compliance with GDPR. The shock value of the Information Commissioner’s Office (ICO) being able to fine up to £17m, or 4% of annual turnover (whichever is higher), makes for eye-catching news articles indeed. However, organisations would do well to maintain a level head on the matter and remember that their compliance efforts and behaviour will be taken into consideration when it comes to any fines incurred.

In this sense, it is important for companies to work on implementing a culture of data protection as standard – and as an ongoing commitment – rather than viewing GDPR as simply a box-ticking exercise with a ticking time-bomb attached.

How can VinciWorks Help?

The good news is that organisations still have time to educate their employees about the new legislation and what it will mean for data processors, subjects, and controllers at a practical, day-to-day level.

As firm believers that prevention is better than the cure, VinciWorks offers a range of GDPR eLearning courses, spanning from introductory modules to more comprehensive courses, which also includes microlearning courses covering specific GDPR clauses that your employees may find tricky.

Specially developed to get organisations GDPR-ready, our comprehensive eLearning course, Protecting Data, offers a detailed yet accessible approach to GDPR legislation. Developed alongside subject experts, the course gives particular focus to the principles, rights, and obligations of GDPR, and offers learners the opportunity to test their knowledge by asking them to deal with realistic potential data-breaches.

To find out more, simply get in touch via the form below. It’s never too late to start your compliance journey.

Facebook and Cambridge Analytica recently found themselves at the centre of a sensational dispute over the collection and use of personal data (in this case, information about users’ political alignment; data that’s known as ‘sensitive’ personal data under new GDPR legislation).

It all began with a ‘Personality Quiz’ app designed – and one can assume, approved – for use on the social networking site as a fun way to pass the time and connect with friends. As was common at the time, the app was also developed to harvest personal data of the user and, if reports are true, that of their unconsenting friends’ list.

According to reports, the personal data was then sold to Cambridge Analytica and used to psychologically profile users so that targeted advertisements and political spin/smear campaigns could be delivered straight to their profile pages and newsfeeds. It is a shocking allegation of invasion of privacy and political bias, and one that has authorities on both sides of the pond enraged.

It’s worth noting that Facebook has since changed the amount of data that app-developers can scrape in this way and removed the app, demanding all its information be deleted.

Cambridge Analytica claims that it never used the data, and deleted it when Facebook told it to.

So, what can we take from the events?

It’s true that most users of social networking sites have no idea how much the platform actually knows about them (and their list of contacts). Remember, advertisers buying space on such networks are paying for your attention, and that attention is intensely targeted by the personal and sensitive data we’re almost all guilty of over-sharing online. The question left in the aftermath of such a scandal is this: with whom does the burden of data protection lie, the user or the platform?

Whilst admitting that mistakes were made and listing the more stringent measures he would implement to protect users’ data, Zuckerberg proposed solutions that include a tool to empower users to control their own data on the site, e.g., which apps they allow to access their profile information and for how long.

Indeed, if we were to find a silver-lining here, it would be the empowerment and the raised level of awareness amongst social network users who have been following the story. Knowledge, as ever, is the key to prevention.

As GDPR legislation comes into force in May 2018, individuals will have ever-more control over their personal data as well as increased access to it, a directive which is highlighted in Zuckerberg’s promise to ‘provide an easy way to revoke’ data-access permissions.

Looking to raise awareness about using social media, data protection, or GDPR? Visit our Compliance page to see our full range of courses.

Research by media agency the7stars has found widespread interest in the new ‘right to be forgotten’ provision of the General Data Protection Regulation (GDPR). More than a third of respondents (34%) say they will exercise this right. With GDPR coming into force in May, this news may cause alarm among businesses who may not have any established processes for handling deletion requests from individuals.

But what exactly is the right to be forgotten, and how might this impact organisations in the UK?

The right to erasure

This provision exists so that people have the right to object to organisations holding their personal data. In simple terms, if you wanted your favourite supermarket to stop sending you emails, you have the right to request that they delete your email address and any other personal information they may hold.

There are exceptions to this right – so if an organisation has a need or a compelling reason to retain your data, then your request can be denied.

When the right to erasure applies

As an individual, you can usually request the deletion of your data when:

  • Your personal data is no longer required for the purpose it was collected for
  • You withdraw consent
  • You object to having your data processed (assuming there is no overriding legitimate reason for processing)
  • Your data was unlawfully processed
  • Your data must be erased to comply with a legal obligation.

When organisations can decline requests

There are a number of occasions when organisations can refuse to comply with deletion requests. If your organisation has a valid reason for retaining personal information, you may be protected under one of these provisions.

Legitimate reasons for refusing to comply:

  • To protect the public interest, or in the interest of public health
  • To exercise your right of freedom of expression
  • Archiving for public interest, historical, scientific or statistical purposes
  • Exercising or defending legal claims
  • To comply with a legal obligation, exercising official authority or to perform a public interest task.

Deleting third-party data

While it might be relatively easy to delete the data you hold on a particular person, GDPR also requires that you notify any other organisations that you have shared the data with. This might include marketing partners, data processors and other suppliers.

The challenges of complying with this part of the legislation may encourage organisations to reassess how personal data is managed and shared. Organisations may find it preferable to limit the spread of data so that it can be more easily identified – and deleted when required.

GDPR training from VinciWorks

If your organisation needs help getting ready for GDPR, our suite of eLearning programmes can help. Because our training is online, it can be delivered efficiently, at any time. As part of our GDPR eLearning offering, we have both comprehensive and short courses available. These cover topics including: Protecting Data, Preparing for GDPR, Privacy Impact Assessments, Accountability and The Right to be Forgotten.