The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018) have had a significant impact on the fostering sector over the last couple of years. Many agencies have rightly focussed on compliance by ensuring privacy notices are up to date, internal processes are robust, and that data is protected through cyber security countermeasures and awareness programmes.
Notwithstanding the heroic efforts to meet the regulation and stay within the law, we are often asked two questions:
- Is Cyber Essentials certification of value?
- Should we obtain cyber/data protection insurance?
Those who know Guardian Saints or have attended our seminars know that we are strong advocates for Cyber Essentials certification; there are a number of good reasons for this.
It is important to understand that certification in itself will not guarantee that personal data is adequately protected. The core benefit of certification is that the process leads the applicant through a series of questions about the technical environment under scrutiny. This means that an applicant will check compliance against the requirements of the scheme and any gaps will be exposed. This enables meaningful remediation plans to be established, driving a more secure cyber security environment. The GDPR and DPA2018 are clear that technical security measures are expected to be in place to protect personal information.
As a number of local authorities have begun to follow central government principles, Cyber Essentials is sought from suppliers as a confirmation that a baseline level of cyber security has been achieved. We have heard from some of our clients that commissioning has become simpler since achieving their Cyber Essentials badge. Consequently, certification may provide a distinct competitive advantage in the future.
The Cyber Essentials Scheme is owned by the National Cyber Security Centre and is managed by their partners IASME (Information Assurance for Small and Medium Enterprises).
There are two ways of applying for Cyber Essentials certification: guided and self-assessment.
Self-assessment: If you decide to go down the self-assessment route, you will input details/responses into an online portal. The key here is to read the questions and notes with great care. We have seen many issues referred back to applicants, simply because questions were not answered fully.
Guided: This process, though more expensive, provides the applicant with a consultant who can help explain the questions thoroughly and provide advice and guidance in terms of assessing cyber security maturity levels and whether your processes are sufficiently embedded to warrant a certification application.
IASME maintains a list of consultancies that are able to support a guided application.
In terms of risk management, insurance is often cited as a means of ‘risk transference’, where a bad outcome can be offset against the policy. General cyber insurance will not pay an ICO (Information Commissioner’s Office) fine unless there is a specific clause in the policy, so it is necessary to understand what each cyber insurance policy actually covers. In our experience to date, cover will generally pay for expert advice and assistance in the recovery of data and systems that have been subject to a cyber-attack. This is a very useful facility where, for example, the policy holder has been the victim of a cryptojacking or ransomware attack and the data they rely upon has been encrypted; recovery is usually held to ransom by the attackers in these scenarios.
Specialist cyber insurance is available from a number of leading insurers, and it is important to understand exactly what each policy covers, comparing them to determine which one will best suit your requirements.
Risk transference is an interesting risk treatment as it is possible to offset some potential financial liability. However, a key factor to bear in mind is: although you may be able to transfer risk, you cannot transfer accountability. You are still responsible for the protection of the personal information for which you are a data controller or a data processor.
Insurance is one of those services that we hope we never need, which amplifies the justification for embedding a robust cyber security framework into your organisation. This will help you better protect the personal information of all your data subjects and the information you manage on behalf of other data controllers and joint controllers.
For those wishing to gain Cyber Essentials certification, cyber insurance is included where the applicant fulfils specific criteria relating to the size of the business, the business sector and location. To see if this is of interest to your agency, it is worth visiting IASME, where certification and insurance information is available. IASME is the National Cyber Security Centre’s partner for delivering the Cyber Essentials scheme. Guardian Saints is a Cyber Essentials Certification Body and consultancy working with IASME.