Cyber criminals have huge technical know-how. Far superior to most legitimate businesses. Businesses are often oblivious to the threat that results from their lack of cyber security. PKF Francis Clark invite you to a briefing where you will receive up to date information relating to the threats that all businesses face from cyber criminals. As well as our own Head of Cyber Services you will hear from a specialist insurer. With the new General Data Protection Regulations (GDPR) imminently upon us we will also have an expert available to demonstrate who you may achieve compliance.

1. December 2017
Cyber security breakfast
briefing

2. Glenn Nicol, Corporate Partner
Chair’s welcome

3. Housekeeping
@pkfFrancisClark
#CyberSecurity17

4. Programme
GDPR – Ben Travers, Stephens Scown LLP
GDPR tools – Russell Cosway, Gydeline
Cyber Essentials / IASME accreditation –
Richard Wilding, PKF Francis Clark
Cyber insurance – Jonathan Cox, Paveys

5. Ben Travers, Stephens Scown
GDPR

6. GDPR Tools
Russell Cosway – December 2017

12. Tools landscape . . .

13. • Date/Who/DPO
• Process Name/Purpose
• Legal Basis
• Data Source/Locations
• Who is impacted?
• Description
• How is data deleted?
• What risks/mitigations
• Date of review
Data Protection Impact Assessment (DPIA)

15. What does Gydeline do?
• Checks for compliance against every word of the regulation
• Enables proof of accountability
• Changes as the regulation changes
• Identifies specific actions
• Makes GDPR simpler to understand

16. Links
• gydeline.com/dpia
• gydeline.com/datamap
FCDEC2017 – 25% discount on lifetime of subscription

18. End
www.gydeline.com
hello@gydeline.com

19. Richard Wilding, Head of Cyber Services
Cyber Essentials / IASME
accreditation

20. 20
Why PKF Francis Clark
• Trusted advisers – experienced auditors
• We offer assurance not consultancy
 Offer assurance to set well known standards
approved by Government and NCSC
 Cyber Essentials and IASME are constantly
updated and monitored for quality control
• Some additional services can be offered

21. www.website.com
General Data Protection Regulations
2018
• GDPR has 2 main sides to it
• The two main areas of GDPR that
organisations need to look at
 Data subject rights and the need for
‘informed consent’
 Good standards of information security
• Cyber Essentials is a great first step
• IASME demonstrates a wider governance
system for data controls

22. Cyber Essentials
• Self-assessment questionnaire for the company to complete
• Covers 5 key areas/71 questions
• We provide upfront assistance (1 days needed) to support
how to complete and progress
• It is submitted via a secure portal for us to assess
• Basic vulnerability scan performed
• Assessor feedback provided
• Once successful can use the Cyber Essentials logo for 12m
• Limited insurance provided/can help reduce further cyber
insurance

23. Cyber Essentials PLUS
• We audit and test the 5 key control areas
• Includes detailed vulnerability and limited penetration
testing
• A report is then issued
• Once successful can use the Cyber Essentials PLUS
logo for 12m
• Can help to reduce cyber insurance further

24. IASME (Information Assurance for Small and Medium Enterprises)
• IASME – two levels standard and gold
• 180 questions (including those in Cyber Essentials)
• Includes GDPR specific questions
• Akin to ISO27001
• A report is then issued
• Once successful can use the IASME logo for 12m

25. 25
Next steps
• See brochure in pack
• Complete form
• Chat with us after this event
• Contact your PKF Francis Clark adviser or e-
mail: cyber@pkf-francislark.co.uk

26. Disclaimer & copyright
c) copyright PKF Francis Clark, 2017
You shall not copy, make available, retransmit, reproduce, sell, disseminate, separate, licence, distribute, store electronically, publish, broadcast or otherwise
circulate either within your business or for public or commercial purposes any of (or any part of) these materials and / or any services provided by PKF Francis
Clark in any format whatsoever unless you have obtained prior written consent from PKF Francis Clark to do so and entered into a licence.
To the maximum extent permitted by applicable law PKF Francis Clark excludes all representations, warranties and conditions (including, without limitation, the
conditions implied by law) in respect of these materials and /or any services provided by PKF Francis Clark.
These materials and /or any services provided by PKF Francis Clark are designed solely for the benefit of delegates of PKF Francis Clark.
The content of these materials and / or any services provided by PKF Francis Clark does not constitute advice and whilst PKF Francis Clark endeavours to
ensure that the materials and / or any services provided by PKF Francis Clark are correct, we do not warrant the completeness or accuracy of the materials and
/or any services provided by PKF Francis Clark; nor do we commit to ensuring that these materials and / or any services provided by PKF Francis Clark are up-
to-date or error or omission-free.
Where indicated, these materials are subject to Crown copyright protection. Re-use of any such Crown copyright-protected material is subject to current law and
related regulations on the re-use of Crown copyright extracts in England and Wales.
These materials and / or any services provided by PKF Francis Clark are subject to our terms and conditions of business as amended from time to time, a copy
of which is available on request.
Our liability is limited and to the maximum extent permitted under applicable law PKF Francis Clark will not be liable for any direct, indirect or consequential loss
or damage arising in connection with these materials and / or any services provided by PKF Francis Clark, whether arising in tort, contract, or otherwise,
including, without limitation, any loss of profit, contracts, business, goodwill, data, income or revenue. Please note however, that our liability for fraud, for death
or personal injury caused by our negligence, or for any other liability is not excluded or limited.
PKF Francis Clark is a trading name of Francis Clark LLP. Francis Clark LLP is a limited liability partnership, registered in England and Wales with registered
number OC349116. The registered office is Sigma House, Oak View Close, Edginswell Park, Torquay TQ2 7FF where a list of members is available for
inspection and at www.pkf-francisclark.co.uk. The term ‘Partner’ is used to refer to a member of Francis Clark LLP or to an employee. Registered to carry on
audit work in the UK and Ireland, regulated for a range of investment business activities and licensed to carry out reserved legal activity of non-contentious
probate in England and Wales by the Institute of Chartered Accountants in England and Wales. Partners acting as insolvency practitioners are licensed in the
UK by the Institute of Chartered Accountants in England and Wales. A partner appointed as Administrator or Administrative Receiver acts only as agent of the
insolvent entity and without personal liability. Francis Clark LLP is a member firm of the PKF International Limited network of legally independent firms and does
not accept responsibility or liability for the actions or inactions on the part of any other individual member firm or firms.

27. Insurance Aspects of Cyber

28.  Insurance Cover – Cyber &/or Crime
 The Threats
 Why Do Businesses Need Cyber Insurance?
 Claims
 Reducing risk
 Q&A

29. Cyber &/or Crime
Cyber Liability Insurance provides
businesses with protection against financial
loss resulting from the loss of personal
and/or corporate data.
Cover addresses the first and third-party
risks ranging from the loss of a single laptop
or file to the hacking of a companies
website or network.
Security
Breach
Data
Breach
Operational
failure
Main policy triggers:
Crime Insurance provides businesses with protection against financial loss
resulting from criminal or fraudulent taking, obtaining or appropriation of money,
securities, funds or property.

30. The ThreatsTHREATS
NEGLIGENT EMPLOEE
Send wrong data
Loss of hardware (mobile theft)
Victim of Phishing, Vishing
OUTSIDERS
Denial of Service
Theft of Data
Hactivism
Crime Syndicate
Denial of Service
Theft of Data
Government Agencies Industrial Espionage
Denial of Service
Malware
Extortion
Shut Down Infrastructure
Advanced Persistent Threats
Credit / Banking details
Government ID
Personally Identifiable Info
Protected Health Info
Corporate Information
SOCIAL NETWORKING
Twitter
Facebook
LinkedIn
ROGUE EMPLOYEE
Physical Theft
Steal Data
Competitive advantage
Sell to criminals
Extortion
VENDORS
Cloud
Data Centers
Outside Providers
Network Interruption
Theft of Data due to Security Failures
Unauthorized Access of Data
Loss of Data
Network Interruption
Physical Theft of Servers
Theft of Data due to Security Failure
Network Interruption
Backdoor Intrusion
Employees
Negligent Employees
Rogue Employees

31. It’s all about Balance Sheet Protection….
• First Response Costs
• TP Liability
• Fines
• Loss of Revenue
• Brand / Reputational Damage
• Loss of Intellectual Property
• Contractual Liability
• Share Price

32. Cyber claims received by AIG EMEA (2013-
2016)
By industry
* Construction, Food & Beverage, Information Services, Other Services, Transportation,
Agriculture & Fisheries, Energy and Real Estate

33. By type
Cyber claims received by AIG EMEA (2013-
2016)

34. Claims Examples
Cloud Service
provider accidentally
de commissioned live
server (PI claim?)
Confidential Waste
Bins stolen
Older server
handed to bogus
courier
Legal papers
(EPL issues) sent
to wrong person
Details of delayed
products and refund
option sent to 250
people in error
IT consultant
providing HR
services
attempted hack
Insurance brokers
Krypto locked

35. Claims Examples
A fraudster hacked into the company’s email system to gain information
about its organisational structure. During telephone calls with a member
of staff in the finance department the fraudster mimicked the voice of the
company CEO. It was strongly suspected that the fraudsters listened to
his voice on a webcast and had practiced it to perfection.
The requested payments were supposedly for a confidential acquisition
that only senior management knew about and the fraudster provided
forged invoices containing forged signatures to the member of staff
contacted.
Hacking & Impersonation

36. Reducing the risk to your business
• Ensure your software is up to date and that you have the latest anti-virus software
installed as updates are released frequently to help combat the most recent cyber
threats.
• Staff training is essential. Educate your employees on how to recognise suspicious
emails and browse the internet safely. Cyber awareness should be included in part of
your induction process and revisited in regular refresher sessions.
• Ensure you have an incident response plan in place which you can call upon in the
event of a breach or interruption. This should include technical measures that enable
the recovery of systems, operations and data, and a communication strategy if
necessary.
• If you are looking for additional advice and guidance on prevention, we would
recommend the Cyber Essentials website, a government-backed cyber security
certification scheme that sets out a good baseline of security suitable for all
organisations across all sectors.
Reducing Risk
Identify Analyse Control Transfer

37. Any Questions?

38. Glenn Nicol, Corporate Partner
Chair’s close