Data security in the media: A look at what it takes to plug the gaps beyond traditional DLP solutions

Insider threat contributes to more than 64 percent of data breaches in any organization: Digital Guardian.

The media speaks

On 11 November, the website of CNBC TV 18 published an article titled ‘Data protection: Who cares? If you are a listed company, you should’ authored by Utkarsh Morarka, co-founder and business development head, IndusOne Business Solutions.[1] What makes the article interesting is his note (and SECUDE strongly agrees!) on the greater threat posed by seemingly innocuous insiders – and the need to look beyond traditional DLP solutions.

Utkarsh quotes Digital Guardian when stating, “Who can cause you more damage, a thief who has entered your house, has limited time and movement abilities to find, secure, and escape with your precious life’s work – or is it your trusted employee who knows where you keep your valuables and your schedule and one day becomes disgruntled. In quite the same way, your employee can cause you far more damage than an outsider.”


The need to secure sensitive data – a case in point

Utkarsh states, “Forgetting for a moment that the RBI (for banks and NBFCs), IRDAI (for insurance companies and brokers), and SEBI (for listed public entities) have already issued guidelines for data protection which will soon become a tangible law with a roadmap for implementation – (briefly put) it has been known to increase security, improve compliance, decrease costs, and improve productivity… not to mention reduce monetary loss arising from security breaches.”

SEBI Prohibition of Insider Trading Regulation – An overview

Mooted by an Expert Committee, the Securities and Exchange Board of India (SEBI) issued the Prohibition of Insider Trading (PIT) Amendment Regulation on 31st December, 2018, which was further amended on 21st January 2019. The amendment took effect on 1st April, 2019.

The amended regulation stresses matters related to the sharing of Unpublished Price Sensitive Information (UPSI): tracing the flow of such information; creating an induction process for how and when people are brought inside, especially on sensitive transactions; and assigning roles and responsibilities to the Board and the Audit Committee for maintaining a digital database of information shared with insiders and for reviewing compliance with codes and internal controls, respectively. In January 2019, SEBI introduced a further amendment that requires even the members of the promoter group to make initial and continual disclosures under the regulation.

This amendment implies that the security of highly sensitive data, such as UPSI, is also the responsibility of an organization’s financial department and, as such, falls under the aegis of the Chief Financial Officer himself. The CFO has skin in the game.

Nine Points to Note

  1. New requirement places responsibility on the MD & CEO to put in place a code of conduct, executed by an effective system of internal controls, to regulate, monitor, and report trading, ensuring compliance and preventing insider trading
  2. Identify employees having access to UPSI
  3. Identify and maintain confidentiality of all UPSI
  4. Place restriction on communication or procurement of UPSI
  5. Maintain list of employees with whom UPSI is shared
  6. Serve confidentiality agreements or notice on them
  7. Periodically review process to evaluate effectiveness of internal controls
  8. Audit Committee will review compliance at least once in a financial year and verify that internal control systems are adequate and operating effectively
  9. Company to maintain a structured digital database of persons with whom UPSI is shared; Database to have time stamping and audit trail

Data flow audit: Critical component for compliance

Sharing of such critical data should be policy driven and should include management of all relevant details, such as the person(s) receiving UPSI, in order to track whether the information was misused. The amendment also brings to the fore the need to set up and maintain a database containing critical information, such as the name and identifier information (for example, PAN), of persons with whom UPSI has been shared.

SECUDE’s HALOCORE® is a unique technology that protects sensitive information, such as Unpublished Price Sensitive Information (UPSI), extracted from SAP finance applications. By integrating directly with SAP, HALOCORE® protects data with automated classification, blocks unauthorized reports, and helps generate fine-grained access policies. It monitors data flows in real time. This innovative approach allows enterprises to maintain a high level of control and security over sensitive documents extracted from SAP throughout their lifetime, even if these have been shared via email, downloaded to a recipient’s PC, or printed as PDF.

For more information on how you can protect your sensitive data, visit https://secude.com/halocore/

Reference

[1] Data protection: Who cares? If you are a listed company, you should
