All organisations in the EU, or non-EU organisations offering services into the EU, that handle personally identifiable client data are now subject to stringent legislative changes. These changes are aligned with, and to some extent attempt to address, the increasing and pertinent cyber threat that most businesses now face – especially in the financial sector.
Data Reporting & Data Protection for activities in the EU is regulated by:
- Effective May 2018:
  - GDPR (EU General Data Protection Regulation)
  - NIS (EU Directive on Security of Network and Information Systems)
- Effective Jan 2018:
  - MiFID II (data reporting of Markets in Financial Instruments Directive II)
Due to the inherent risks, Data Reporting and Data Protection have become a specialised practice, requiring comprehensive knowledge and experience of cyber security, physical security, law and risk management. Trying to reduce the cost of compliance by relying on existing staff and resources will not only leave an organisation vulnerable due to lack of knowledge and expertise, but would also endanger the organisation and its business strategy. As a result of GCS’s business strategy, we can support or lead your organisation’s compliance programmes, processes and/or ongoing activities in relation to any of the above regulatory requirements in a more cost-effective manner, whilst ensuring regulatory compliance and allowing organisations to get on with business.
EU GDPR sets strict data security standards, requiring organisations to protect personal data, and report breaches to the relevant authorities within 72 hours. GDPR compliance is enforceable as of 25 May 2018.
The regulator has expressly specified fines of 2% of global turnover or €10 million for certain non-compliances, and 4% of global turnover or €20 million for others, whichever is higher.
The sizable requirements mean that this will need to be a C-suite consideration and priority. The overall legislation includes, but is not limited to: elements of permissions for the exact uses of the data, transparency, encryption, storage, portability, deletion, client requests for information, vulnerability testing, penetration testing, security risk management, the requirement of an independent Data Protection Officer (compliance), a Cyber security team, the obligation to inform the regulator of a breach…
NIS, adopted in July 2016 by the European Union (EU), aims to create a high common level of network and information systems security across the EU in 3 ways:
- Increasing cooperation on the matter of cyber security among EU member states.
- Increasing cyber security capabilities at the national level for all EU member states.
- Introducing security measures and incident reporting obligations for operators of essential services in critical national infrastructure and digital service providers (DSPs).
The “operators of essential services” referred to above include enterprises in the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors.
For many financial services firms, the requirements of the NIS and the GDPR overlap. Such firms are subject to both sets of legislation and must report to each relevant authority separately.
Non-compliance with MiFID II can cost a firm penalties of up to €5 million or 10% of annual turnover. MiFID II is the EU legislation that regulates firms who provide services to clients linked to ‘financial instruments’ (as defined by the legislation) and the venues where those instruments are traded. New financial instruments that can stretch the existing trading rules are being developed continuously, while the volume and variety of trades keeps increasing. MiFID II therefore tries to encompass all these developments. GCS’s security and risk management services are designed to help clients not only to exceed regulatory compliance but also to stay aligned with Company strategy.
Under MiFID II, both the industry regulators across Europe and the trading firms will be required to keep a complete and accurate list of all trades taking place. This data must also be protected. Existing services that were previously not regulated now come under regulation with MiFID II, in particular:
- Approved publication arrangements (APAs): entity providing the service of publishing trade reports on behalf of investment firms for the purpose of post-trade disclosure.
- Approved reporting mechanisms (ARMs): entity providing the service of reporting details of transactions to competent authorities or to ESMA on behalf of investment firms.
- Consolidated tape providers (CTPs): entity providing the service of collecting post-trade information for financial instruments from trading venues (i.e. regulated markets, Multilateral Trading Facilities and Organized Trading Facilities) and APAs.
(Note that organized trading facilities were previously not under any specific regulation and now also fall under MiFID II).
MiFID II already requires a large amount of data to be held and communicated across different entities. If mishandled, this data could pose material risks along the regulatory chain and possibly close down your business. GCS is strategically placed and has comprehensive knowledge in all aspects of MiFID II and therefore is able to assist both EU and non-EU companies which fall under the scope of MiFID II.
How can GCS help with regulatory compliance?
GCS offers unique specialisations in the financial, governmental and health care sectors. GCS is well placed to help organisations tackle the challenge of achieving GDPR, NIS and MiFID II compliance. GnL assists organisations by offering the following services:
- Legal Advice and opinions
- Compliance Reporting and compliance assessments
- Provision of Data Protection Officers (DPOs)
- Vulnerability and Penetration testing
- Tailored Cyber Security solutions according to requirements and budgets
- 24/7 Cyber security monitoring and support
- Complete end to end solutions and packages
- Cyber Insurance and readiness solutions
- Training and awareness programs
- Risk Assessments / Risk Management