Panel — Power and Threats to Personal Data: How is Regulation Driving Innovation? Featuring Jaya Baloo (KPN), Ronald Koorn (KPMG), Sjoerd Slot (Fraud Dynamics) and Diana Paredes (Suade Labs), and moderated by Arthur van der Wees (Arthur’s Legal).
What better way to follow on from opening speeches about data privacy than looking at cybersecurity and regulatory technologies? This dynamic panel opened up the conversation to a broader playing field, covering not only personal privacy issues but problems in cybersecurity more generally. Participants were diverse in terms of their profession and their personal interests, and this generated a lively and heated discussion.
Arthur van der Wees moderated the panel, and he began by pointing out that the panel topic covers an enormous range of issues. What, he asked, do we really need to focus on? He presented the panelists with a series of pointed questions aimed at generating specific answers, rather than general musings.
First he asked the panelists whether, when it comes to privacy, consumers know what to buy, deploy, and use. Diana responded that she feels that, in the past, businesses did not understand cybersecurity at all, and were easily confused by terminology such as “cloud computing.” These days, she said, there is in fact quite a lot more awareness (among businesses, at least) as to what these terms mean.
Jaya spoke up next. First she argued that the terms “cybersecurity” and “regtech” should never be used together. Combining them gives the impression that somehow regtech is an answer to cybersecurity issues. She said:
“As an industry we’ve failed the user, regardless of individual or B2B, because we put the burden of proof of privacy onto the individual.”
Who made these inadequate products and services that we’re all buying? Why do we blame the user? Why is the burden of proof for cybersecurity put on everyone but the software companies who make these products?
@jayabaloo at #FintechVortex who is responsible for the crappy products we are all using anyway? #StopBlamingTheUser @FinITiativePR
— Omara Nahar (@OmaraNahar) September 26, 2017
Sjoerd replied that, these days, regulators are more interested in whether a security breach has occurred, and in what happens after. It is so difficult to regulate at the “floor” (where the end users are) rather than the “ceiling” (where products are made). He commented:
“People are like water, they will go anywhere to do what they want to do. If you don’t let them do that then you’re just lost.”
Arthur asked the panelists whether they think customers know what they want. Ronald replied:
“As long as services are efficient, convenient, and there are low barriers to engage, most people don’t care whether things are in the cloud or not.”
Moreover, consumer survey results can’t be trusted. When people answer surveys, they generally say they are very concerned about security, but their practices tell a different story. This doesn’t mean that the companies who make products shouldn’t take responsibility, but “we need a practical approach to privacy.”
Arthur’s next question was about biometrics. He pointed out that much more of our genetic data is out there than ever before. He asked, “Should we move away from biometrics? If so, what’s the alternative?”
Sjoerd responded that no institution should ever rely on one identity, but rather on a package of verifications.
Ronald commented that online authentication is still quite a mess: most people are still dealing with many passwords, tokens, and so on. The advantage of biometrics is that they can replace all of these. He stated, “It needs to be well thought out but biometrics are still the way to go.”
Countering this, Sjoerd argued that we should focus on the perpetrators rather than the victims. He said, “Don’t try to identify the legitimate user, try to identify the one who is being deviant from that.”
Arthur then pointed out that the word “security” is mentioned 50 times in the upcoming GDPR legislation, but encryption is mentioned only four times. What does this mean? Are we focusing on the right thing?
Jaya responded that “the devil is in the details”: not all encryption is created equal. Just talking about encryption is not enough; we need to be specific about what kind of encryption we are using and what it is meant to achieve.
Arthur argued that questions of privacy and cybersecurity are not just about technological measures, but also about organisational measures. If you invest one unit in tech, you need to invest three units in people. He said that when he asks people in a company who is responsible for data, “they’re all looking at their own shoes. And we’re in a data economy.” Nobody wants to take responsibility.
Jaya responded that, of course you need someone in a company to take a formal role in caring for security, but in fact we’re all responsible. She said:
“I would rather invest in my people and my practices throughout the company, not just in the security team, rather than buying another box or paying for a technical implementation somewhere.”
Going forward, one issue is that not everyone understands the difference between accountability and compliance. Given the complexity of regulation and the fast-changing nature of the market, compliance isn’t always possible. Instead, we need to show that we have put thought into what we are doing – this is the basis of accountability.
The session ended with Arthur making something of a joke (or was he serious?) when he said, “We just invented accountability tech, Don can you please put it on the agenda?”
Live blogged by Erin Taylor, senior researcher at Holland FinTech. Read more about CyberSecurity & RegTech in the article Best Practices in Compliance Reporting, part of our Fintech Vortex series. Join the conversation with us @HollandFinTech on Twitter, #FintechVortex
Meet the Speakers
Jaya Baloo
Chief Information Security Officer, KPN
Jaya Baloo is Chief Information Security Officer at KPN. She was recognized in 2017 as one of the top 100 CISOs globally. For the past 18 years, Baloo has worked primarily for global telecommunications companies such as Verizon and France Telecom. Follow her on Twitter @jayabaloo
Ronald Koorn
Partner, KPMG
Ronald Koorn is a Partner at KPMG, part of a large international network of professional accountants and advisory offices. With 25 years of experience, Koorn researches and advises (semi-)government agencies on how to improve their information management, business management and IT systems.
Sjoerd Slot
Founder, Fraud Dynamics
Sjoerd Slot is co-founder of Fraud Dynamics, a company aimed at addressing the growing dynamics of financial crime and providing solutions based on top-class analytics, agile platforms and extensive experience in the area of fraud management. Slot specializes in the field of financial crime control (fraud, AML, CDD/KYC, CTF).
Diana Paredes
CEO and founder, Suade
Diana Paredes, CEO and founder of Suade, an open platform for financial regulation, left an insightful career in trading at Merrill Lynch and Barclays to start the entrepreneurial life. Marked by the crisis, she decided to dedicate her work to optimizing regulation and bridging the regulatory gap. Follow her on Twitter @Dianartemis3
Arthur van der Wees
Managing Director, Arthur’s Legal
Arthur van der Wees is an attorney at law. He is Managing Director of Arthur’s Legal and CEO of Zapplied Platform. Arthur’s Legal is a strategic tech-by-design law firm, headquartered in Amsterdam. Follow him on Twitter @Arthurslegal