Archive for the ‘Security and Compliance’ category

Power BI auto-install for Teams is coming.

September 17th, 2021
  • Power BI will begin automatically installing the Power BI app for Teams for users when they visit the Power BI service
  • Power BI admins can choose not to auto-install through a new Power BI tenant setting
  • The tenant setting has started to roll-out now, giving admins time to opt-out if desired.
  • The automatic installation will start to take effect in November 2021, for organizations with the setting enabled.

Auto-install for Power BI app for Microsoft Teams

When the Power BI app for Microsoft Teams is installed, users get richer experiences without leaving Teams. These capabilities are available once the Power BI app for Teams is installed for a user.

The Install Power BI app for Microsoft Teams automatically tenant setting is added to the Power BI admin portal. Power BI admins can control the auto-install behavior. By default, the auto-install is enabled.

Power BI tenant setting that controls automatic installation of the Power BI app for Microsoft Teams for a user.

The automatic installation happens for a user under the following conditions:

  1. The Power BI app for Microsoft Teams is set to allowed in the Microsoft Teams admin portal
  2. The Power BI tenant setting Install Power BI app for Microsoft Teams automatically is enabled
  3. The user has a Microsoft Teams license
  4. The user opens the Power BI service (e.g. app.powerbi.com) in a web browser

Initially, auto-install applies to new users the first time they visit the Power BI service in a web browser. In the future, auto-install will occur for all active users of the Power BI service who meet the criteria.

When auto-install occurs, a notification is shown in the Power BI service notification pane.

Questions and Answers

What is happening today?

Pre-announcing auto-install of Power BI in Teams.

Starting to roll out a Power BI tenant admin setting that lets Power BI admins opt out of the automatic installation behaviour.

When will these changes take effect?

In November 2021, Power BI auto-install of Power BI in Teams will start rolling out.

Which users will be affected?

When the Power BI tenant setting is enabled, the Power BI app for Microsoft Teams will be installed for users who meet the criteria specified. Initially, automatic installation will apply to new users and will expand to all users who visit the Power BI service in a web browser after the initial roll-out in November 2021.

When should I use a Microsoft Teams App Setup Policy?

Microsoft Teams app setup policies allow Teams admins to install an app for a target set of users. Because the policy applies to every user in the specified group, you can ensure that everyone who needs Power BI has it, even if they are not yet active Power BI users. Use an app setup policy to pin the Power BI app to the Teams left rail; this additional step makes data and analytics prominently available throughout your organization.

Read more about automatic installation in the Power BI documentation

Read more about the Power BI app for Microsoft Teams

Read more about collaboration in Microsoft Teams with Power BI

IFRS 17 – compliance accelerator system – ask Synergy Software Systems.

September 1st, 2021

IFRS 17 is the newest IFRS standard for insurance contracts and replaces IFRS 4 for annual reporting periods beginning on or after 1 January 2023. It states which insurance contract items should be on the balance sheet and in the profit and loss account of an insurance company, how to measure these items, and how to present and disclose this information.

This is a big change for insurance companies: data administration, financial presentation and actuarial calculations will all need to change.

 

Why are IFRS 9 and IFRS 17 implemented together?

  • The insurance liability (IFRS 17) is always closely connected to the financial instruments (IFRS 9) held by insurers.
  • When a client buys an insurance policy, an insurance liability is created, and the premiums paid are invested in financial instruments.
  • Insurers want to reduce the volatility of their earnings, and both IFRS 9 and IFRS 17 offer accounting choices that affect that volatility.
  • Under IFRS 17, insurers can decide whether the effects of changes in financial risk assumptions go through OCI or through the profit and loss account.
  • Under IFRS 9, insurers can decide whether changes in the value of equity instruments go through profit and loss or through OCI.

Both standards affect earnings volatility, so balance sheet management choices under the two are connected. Consequently, the IASB decided that insurers should be granted the option to implement both standards together.

IFRS 9 explains the classification and measurement of financial instruments, and so helps to improve disclosure around financial instruments. Many perceive the disclosure around financial instruments during the financial crisis as inaccurate: for example, impairments on financial instruments were taken too late and the amounts were too small.

IFRS 9 makes the classification of each financial instrument more logical and principle based. There are two questions which need to be answered for the classification:

  • Why is the company holding the asset; just for collecting the cash flows from the underlying asset, or is the asset also held for trading?
  • What kind of asset is the financial asset: a derivative, an equity instrument or a debt instrument? The SPPI (solely payments of principal and interest) test determines whether an instrument's cash flows are those of a plain debt instrument.

The classification determines:

  • which accounting treatment applies;
  • whether the instrument is measured at fair value or at amortised cost;
  • and whether gains and losses go through the profit and loss account or through OCI (other comprehensive income).

IFRS 9 also includes a more dynamic credit loss model that dictates when an insurer must recognise an impairment on financial assets. The model is forward looking, so expected future losses must also be taken into account in the impairment.

IFRS 9 also makes hedge accounting more principle based, bringing it into line with how risks are actually managed within insurers.

Why does this matter?

There is a huge impact on insurers and a big change in disclosure.

  • Almost the whole of the asset and liability sides is hit by the combination of IFRS 9 and IFRS 17.
  • New concepts and terms are introduced.
  • The standards will change the presented numbers. Under IFRS 17 the insurance liability must be based on current assumptions, which is not a requirement under IFRS 4.
  • More data, with more granularity and more history, will challenge internal data storage, reporting and IT performance.
  • Reporting timelines are shortened, which will challenge both the systems and the cooperation between departments.
  • New components such as unbiased cash flows, the risk adjustment, the discount rate and the CSM (contractual service margin) are introduced. The insurer needs to understand the IFRS 17 principles and decide how to implement them: for example, which measurement model to choose for each insurance product and which transition approach to use. Read more here about the IFRS 17 model, and here about the transition period.
  • In the balance sheet and income statement the insurance liability will be specified in a different way, the importance of gross written premiums will disappear, and equity will be affected.
  • The presentation of the balance sheet and P&L is significantly affected.
  • Risk engines are needed to calculate the CSM and to cope with all the different groups of contracts.
  • Insurers need to disclose information based on groups of contracts.
  • A group is a managed set of contracts (often a product) with the same inception year that are all profitable, onerous, or at risk of becoming onerous, as decided at inception. Insurance companies can have hundreds of groups; IFRS 17 insists on this grouping for transparency, because the result of one group cannot be offset against another.

Synergy Software Systems has been implementing and supporting financial solutions in the insurance vertical for 25 years. If you need to rapidly implement a solution for IFRS 17 compliance that will sit alongside your existing ERP and finance systems, call us on 0097143365589.

August 24th, 2021

A bungled data migration of a network drive deleted 22 terabytes of data from the Dallas Police Department's systems, including case files in a murder trial, during a migration exercise carried out in April 2021.

“On August 6, 2021, the Dallas Police Department (DPD) and City of Dallas Information and Technology Services Department (ITS) informed the administration of this Office that in April 2021, the City discovered that multiple terabytes of DPD data had been deleted during a data migration of a DPD network drive,” said a statement [PDF] from the Dallas County prosecutor’s office.

14TB were recovered, presumably from backups, but “approximately 8 Terabytes remain missing and are believed to be unrecoverable.”

In a separate incident in the UK, the Home Office initially issued a statement saying a loss of data from the Police National Computer was down to a “technical issue”, which had been resolved. It later said the loss was not a technical issue after all but a “housekeeping error”, with Home Secretary Priti Patel saying: “Home Office engineers continue to work to restore data lost as a result of human error during a routine housekeeping process earlier this week.”

In a letter published by The Guardian, National Police Chiefs’ Council (NPCC) deputy chief constable Naveed Malik, lead for the organisation on the Police National Computer (PNC), said approximately 213,000 offence records, 175,000 arrest records and 15,000 person records had potentially been deleted in error. The DNA database connected to the PNC saw 26,000 records corresponding to 21,710 subjects potentially deleted in error, “including records previously marked for indefinite retention following conviction of serious offences”. The letter also said 30,000 fingerprint records and 600 subject records may have been deleted in error.

The PNC dates back to the 1970s. The current iteration is a Fujitsu BS2000/OSD SE700-30 mainframe in a Hendon data centre, running Software AG’s ADABAS database programmed in its Natural language. The UK’s territorial and regional police forces, the Serious Fraud Office, the Security and Secret Intelligence Services (MI5, MI6), HM Revenue & Customs and the National Crime Agency all use it, with controlled 24-hour access from remote terminals and through local police force systems.

Both incidents highlight the importance of backups and of tested backup and recovery processes. How often do you test whether you can actually restore your backups? Does a restore still work for older backups after you upgrade? Has a move to the cloud changed the retention of your backups, the frequency of upgrades, or the ease and time of a restore?
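A restore drill in code, as an added example that is not part of the original post: it backs up a constructed directory tree together with a SHA-256 manifest, simulates a botched migration that deletes one file and truncates another, restores from the backup and verifies every file against the manifest. The file names and contents are constructed sample data, and the manifest layout is an assumption of this example, not any product's format.

```python
"""Backup manifest and restore verification drill.

Added example for this post (not from the original page). Everything here
is constructed: the sample files, the directory layout and the manifest
format are assumptions for demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (POSIX relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def take_backup(src: Path, backup_dir: Path) -> Dict[str, str]:
    """Copy the tree and store the manifest beside it.

    The manifest is what a later restore test checks against; without it a
    'successful' restore cannot be distinguished from a partial one."""
    shutil.copytree(src, backup_dir / "data")
    manifest = build_manifest(backup_dir / "data")
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_backup(backup_dir: Path, target: Path) -> None:
    """Copy the backed-up tree over target, overwriting damaged files."""
    shutil.copytree(backup_dir / "data", target, dirs_exist_ok=True)


def verify_against_manifest(root: Path, manifest: Dict[str, str]) -> dict:
    """Compare a live tree with the manifest: missing, corrupt and extra files."""
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    corrupt = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    extra = sorted(p for p in current if p not in manifest)
    return {"ok": not (missing or corrupt), "missing": missing, "corrupt": corrupt, "extra": extra}


def run_restore_drill() -> dict:
    """End-to-end drill on constructed data: back up, lose data, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "drive"
        # Constructed sample files standing in for a network drive.
        files = {
            "cases/2019/case-0001.txt": "witness statement\n",
            "cases/2020/case-0042.txt": "evidence log\n",
            "admin/rota.csv": "shift,officer\n",
        }
        for rel, body in files.items():
            p = live / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)

        manifest = take_backup(live, tmp / "backup")

        # Simulate the botched migration: one file deleted, one truncated.
        (live / "cases/2020/case-0042.txt").unlink()
        (live / "admin/rota.csv").write_text("")
        damage = verify_against_manifest(live, manifest)

        # Restore and verify again, as a scheduled drill would.
        restore_backup(tmp / "backup", live)
        after = verify_against_manifest(live, manifest)
        return {"damage": damage, "after_restore": after}


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
```

The manifest is the point: a backup that was never hashed cannot tell you that a restore came back with 14 of 22 terabytes. Run the drill against a scratch location on a schedule, and again after every upgrade of the backup tooling, so that verify_against_manifest reports missing and corrupt files before a migration does.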

AML/CFT – Anti-money Laundering & Combating the Financing of Terrorism – Regulatory compliance

August 23rd, 2021

Global Governments have implemented concerted measures to increase the scrutiny of AML/CFT processes and controls, to fight financial crimes.

In December 2020, the UAE Cabinet adopted the formation of the Executive Office of the Anti-Money Laundering and Countering the Financing of Terrorism with an aim to follow the international requirements in this sector. The Ministry of Economy (MoE) sent out e-mails to all companies with a link to the Annual AML/ CFT Risk assessment form along with deadlines for each category of DNFBPs.

All Designated Non-Financial Businesses and Professions (“DNFBPs”) had to register on the goAML portal before 31 March 2021, so any grace period is well over.

The goAML portal is an integrated platform used to file Suspicious Transaction Reports (STRs) and/or Suspicious Activity Reports (SARs).

It is your duty under Federal Decree Law No. 20 of 2018 and Article 20(2) of Cabinet Decision No. (10) of 2019 to have procedures in place to report suspicious transactions, as part of anti-money laundering (“AML”) and counter terrorist financing (“CFT”) controls. The system allows you to help the authorities identify criminal and suspicious activity. Failure to register on goAML may result in severe penalties imposed by the Ministry of Economy. We therefore urge you to treat this notice as a matter of priority and complete your application to ensure access to the goAML system.

Non-compliance will attract fines of up to AED 5 million!
In addition to the financial sector, this regulation applies to all Designated Non-Financial Businesses and Professions (DNFBP), and the members of their boards of directors, management, and employees, established and/or operating in the territory of the UAE. They are applicable to all such natural and legal persons in the following categories: 

• Auditors and accountants;
• Lawyers, notaries and other legal professionals and practitioners;
• Company and trust service providers;
• Dealers in precious metals and stones;
• Real estate agents and brokers;
• Any other Designated Non-Financial Businesses and Professions (DNFBPs) not mentioned above.

All such businesses must:

• register with the Financial Intelligence Unit (goAML);
• enrol on the Committee for Commodities Subject to Import and Export Control system (Automatic Reporting System for Sanctions List).

To determine whether you are likely to be a DNFBP go to: https://www.economy.gov.ae/english/AML/goAML/Pages/verify.aspx

Cybercrime attacks in MEA surge.

August 17th, 2021

A recent study by Kaspersky reveals that organisations in the Middle East faced 161 million malware attacks over the past year. Oman, Kuwait, Bahrain and Egypt saw large spikes in malware attacks, which increased by 67%, 64%, 45% and 32% respectively. Qatar and the UAE had lower increases of 16% and 7%.

Turkey accounts for around a quarter of malware attacks in the region (44 million), followed by Egypt (42 million), UAE (34 million), Oman (14 million), Kuwait (11 million) and Bahrain (5 million).

Cyber criminals now target their attack strategies, focusing on advanced persistent threat (APT) style attacks to steal sensitive data from organisations. The growth in digital transformation and the increase in remote working resulting from the COVID-19 pandemic have made the countries of the Middle East an attractive target. In a cloud age of any-time, any-device access from anywhere, with staff who work remotely and reach corporate networks from their personal devices, companies must contend with a rapidly expanding attack surface. Personal devices may not have an adequate level of protection; once one is compromised and the employee logs into the network, criminals may gain access to sensitive data, or encrypt data and cripple the organisation.

No more ransomware project

July 28th, 2021

The No More Ransom project celebrates its fifth anniversary today after helping over six million ransomware victims recover their files and saving them almost €1 billion in ransomware payments.

No More Ransom is an online portal launched in July 2016 as a public-private partnership created by law enforcement and industry leaders (Europol’s European Cybercrime Centre, the National High Tech Crime Unit of the Netherlands’ police, McAfee, and Kaspersky).

Today, the No More Ransom project includes 170 partners worldwide, including BleepingComputer, who joined the project in 2018. https://www.nomoreransom.org/

“The decryptors available in the No More Ransom repository have helped more than six million people to recover their files for free,” Europol said.

“This prevented criminals from earning almost a billion euros through ransomware attacks. Currently offering 121 free tools able to decrypt 151 ransomware families, it unites 170 partners from the public and private sector.”

[Image: No More Ransom 2021 infographic, credit Europol]

How does it work?

No More Ransom aims to help victims recover their encrypted files, raise awareness of the ransomware threat, and provide ransomware victims and the general public with direct links to report attacks.

To get a decryptor, you have to upload two encrypted files and the ransomware note via No More Ransom’s Crypto Sheriff, which will try to match them against a list of available decryption tools.

Should a match be found you will get a link to a suitable ransomware decryptor that comes with detailed instructions on how to unlock files.

When no decryptor is available, you are advised to check again for a match in the future since new unlock tools are added to the database regularly.

Ransomware victims are advised never to pay, as this finances the criminals’ future attacks, and instead to take measures both to prevent such attacks and to lessen their damage:

  • Regularly back up data stored on your computer. Keep at least one copy offline.
  • Do not click on links in unexpected or suspicious emails.
  • Browse and download only official versions of software and always from trusted websites.
  • Use robust security products to protect your system from all threats, including ransomware.
  • Ensure that your security software and operating system are up-to-date.
  • Be wary while browsing the internet and do not click on suspicious links, pop-ups or dialogue boxes.
  • Do not use high privilege accounts (accounts with administrator rights) for daily business.
  • If you become a victim, do not pay! Report the crime and check No More Ransom for decryption tools

credit – https://www.bleepingcomputer.com/news/security/no-more-ransom-saves-almost-1-billion-in-ransomware-payments-in-5-years/

GDPR – Microsoft’s Windows diagnostic data processor feature is GA

July 13th, 2021

Microsoft introduced a new capability in some of its products to help organizations ensure their compliance with data privacy regulations, in particular the European Union’s General Data Protection Regulation (GDPR).

The “Windows diagnostic data processor configuration” became generally available this week, Microsoft announced. It is enabled in certain Microsoft tools, namely Desktop Analytics, Update Compliance, Microsoft Managed Desktop, and the Windows Update for Business deployment service.

Data Controller Oversight
Windows collects diagnostic information, and organizations have had rather non-transparent ways of limiting what gets collected. They can just select a pre-set data collection level. Microsoft’s current data collection levels include “Diagnostic Data Off” (previously called “Security”), “Required” (previously called “Basic”) and “Optional” (previously called “Full”). Organizations that use the Windows Update service to keep systems patched need to use the Required option. These nuances, and more, are described here https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration

Microsoft is positioning the Windows diagnostic data processor configuration capability, as being equivalent to having data controller oversight as required by the GDPR.

From the “Configure Windows Diagnostic Data” document:

The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements.

According to a European Union glossary entry, “the data controller is the party that, alone or jointly with others, determines the purposes and means of the processing of personal data.” The glossary entry adds that “the actual processing may be delegated to another party, called the data processor.”

It seems that Windows diagnostic data processor configuration capability is mostly conceived as a means for organizations to become compliant with the GDPR with regard to their customers. It’s also an assurance about Microsoft’s data collection practices.

Now generally available, the Windows diagnostic data processor configuration further empowers you to manage your organization’s diagnostic data. It provides you familiar tools to support data subject rights, including managing, exporting, or deleting data stored securely in your Azure tenant. It also lets you benefit from our technology without compromise.

The capability also helps organizations delete data when a customer requests it, which is also a right under the GDPR. The customer, in GDPR terms, is the “data subject” in such cases.

Handling data subject requests happens through “the admin portal,” according to a note in the “Windows 10 and Privacy Compliance” document.

Prerequisites to Using Diagnostic Data Configuration
There are prerequisites to using the Windows diagnostic data processor configuration capability, which is only supported on devices running “Windows 10 Pro, Education or Enterprise editions, version 1809 with July 2021 update or newer.” In addition, the Windows devices “must be joined to Azure Active Directory.”

The Windows diagnostic data processor configuration capability only applies to data collected by Windows components. It does not apply to the apps running on top of Windows, which have their own data collection practices.

Identity theft

June 28th, 2021

In recent years there has been a huge rise in the number of cases of identity theft. Around 49 million people have reported falling victim to crimes in this category, and identity fraud caused a total loss of approximately $56 billion in 2020 alone. This spike has caused more and more people to think seriously about how they can better protect their identity.

You might find it helpful to read this extensive guide On What To Do If Your Identity Gets Stolen  https://spycamerasreviewed.com/tips-and-advice/guide-to-identity-theft/

Ransomware – are you ready for the inevitable attack?

June 12th, 2021

The question about whether your organization will be hit with a ransomware attack is not “if” but “when.” Ransomware attacks are still on the rise, and can hit anything from critical infrastructure to smaller enterprises that try to stay under the radar of cybercriminals. An epidemic of security breaches involving ransomware and other types of malware is hitting large companies. In some cases, including the May ransomware attack on Colonial Pipeline, hackers first gained access using compromised accounts. Many such credentials are available for sale online. The ransomware attackers prompted major disruptions to gasoline and jet fuel supplies in the Southeastern US.

Ransomware attacks in North America have soared by 158% and globally by 62% since 2019, according to the 2021 SonicWall Cyber Threat Report

Earlier this month, JBS, the largest US supplier of meat, temporarily shut down its US plants following a ransomware attack on its network.

Game-maker Electronic Arts and the Presque Isle Police Department in Maine are responding to an event they had both been dreading: the theft of gigabytes of private data by hackers who breached their Internet-connected networks.

In EA’s case, the theft included 780GB of source code and tools for FIFA 21.

In another recent incident around 200GB of private data belonging to the Presque Isle Police Department was dumped online by a ransomware group known as Avaddon. The police department was hacked on April 18 and given 10 days to pay a ransom. The department was able to rebuild its network using data backups, and it declined to pay. Earlier this week, Avaddon posted the data on its website hosted on the dark web. The haul included 15,000 emails, according to leak site Distributed Denial of Secrets, which is making the data available to journalists and researchers. The Avaddon site also showed a sampling of police reports and witness statements that date back to at least 2011. The files document incidents of domestic violence, shoplifting, and physical assault and in many cases provide phone numbers, addresses, and other personal information belonging to victims and defendants.

Researchers have discovered yet another massive trove of sensitive data, a dizzying 1.2TB database containing login credentials, browser cookies, autofill data, and payment information extracted by malware that has yet to be identified.

In all, researchers from NordLocker said on Wednesday, the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files. In some cases, victims stored passwords in text files created with the Notepad application.

The stash also included over 1 million images and more than 650,000 Word and .pdf files. Additionally, the malware made a screenshot after it infected the computer and took a picture using the device’s webcam. Stolen data also came from apps for messaging, email, gaming, and file-sharing. The data was extracted between 2018 and 2020 from more than 3 million PCs.

Dark web ads for these viruses promise that they can build a virus to attack virtually any app the buyer needs. Once infected, a PC will regularly send pilfered data to a command and control server operated by the attacker. The files can be useful in piecing together the habits and interests of the victims, and if the cookies are used for authentication, they give access to the person’s online accounts.

If you want to determine whether your data was swept up by the malware, check the Have I Been Pwned breach notification service, which has loaded the list of compromised accounts.
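Have I Been Pwned also publishes a Pwned Passwords range API that lets you test whether a password appears in the leaked sets without ever sending the password: only the first five hex characters of its SHA-1 are sent, and the matching is done locally (k-anonymity). The client below is an added example, not code from the original post or from HIBP; the sample response body is constructed, and the counts in it are invented for the demonstration, not real HIBP figures.

```python
"""Check a password against the Pwned Passwords range API using k-anonymity.

Added example (not HIBP's own code). The live fetcher assumes network
access; SAMPLE_RESPONSE is a constructed stand-in with invented counts.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1.

    Only the prefix ever leaves the machine; the suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into {suffix: count}.

    Lines that do not fit the format are skipped rather than trusted."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def fetch_range_online(prefix: str) -> str:
    """Live lookup of one hash prefix; HIBP requires a User-Agent header."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "range-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """How many times the password appears in the corpus (0 = not seen).

    fetch_range is injectable so the matching logic can be exercised offline."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for a range response for prefix 5BAA6 (the SHA-1 of
# "password" starts 5BAA61E4...). Counts and the second suffix are invented.
SAMPLE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "garbage line without a colon\r\n"
)


def offline_fetch(prefix: str) -> str:
    """Offline fetcher for the demonstration; returns the constructed body."""
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fetch_range=offline_fetch))
```

Because the password never leaves the host, this check is safe to wire into a password-change flow or a credential hygiene audit. It cannot tell you whether a particular account was in a given breach; that is what the account search on the HIBP site is for. With the live fetcher, set the documented Add-Padding header so that response sizes do not leak which prefix was queried.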

So what can you do to protect yourself? There is some good advice here: https://www.eweek.com/enterprise-apps/how-can-you-prevent-ransomware/

In Theodore Levitt’s book, Thinking About Management, he says managers should ask simple questions. Why do we do it this way? What are the alternatives? What are the potential business costs? Who does it better? It is time for CEOs to start asking these kinds of simple questions about their firm’s security posture.

Contingency plans are part of sound preparedness. One of them should address a ransomware attack: how can the company ensure near-instantaneous recovery if the ransom demand is ignored, and how can it ensure that the restored data is not corrupted? Having contingency plans in place to address these challenges will give the company’s leadership greater confidence to move forward.

IT executives need a seat at the crisis management table and must be empowered to speak the truth, even if the other executives are reluctant to hear it. In the midst of a cyber attack, communication within a company can easily become disrupted, fragmented and isolated, and weaknesses in internal communication and any disconnect between business executives and IT executives are exposed. When business executives have limited information and no clear picture of what the company can and cannot do, knee-jerk decisions are made that lead to financial loss, reputation damage and business disruption, all of which preparation can avoid.

Ransomware criminals have unlimited dollars and every tool and technology needed to succeed. 

Are you ready?

IFRS 17 and IFRS9 – Insurance contracts – are you ready? Ask Synergy Software Systems

June 1st, 2021

IFRS 17 is the newest IFRS standard for insurance contracts and replaces IFRS 4 for annual reporting periods beginning on or after 1 January 2023. Its main aim is to make financial statements easier to compare across insurance companies and between industries.

It states which insurance contract items should be on the balance sheet and in the profit and loss account of an insurance company, how to measure these items, and how to present and disclose this information.

This is a big change for insurance companies because data administration, financial presentation and actuarial calculations will need to change!

IFRS 9 explains the classification and measurement of financial instruments, and so helps to improve disclosure around financial instruments. Many perceive the disclosure around financial instruments during the financial crisis as inaccurate: for example, impairments on financial instruments were taken too late and the amounts were too small.
IFRS 9 makes the classification of each financial instrument more logical and principle based. Two questions need to be answered for the classification:
• Why is the company holding the asset: just to collect the cash flows from the underlying asset, or is the asset also held for trading?
• What kind of asset is the financial asset: a derivative, an equity instrument or a debt instrument? The SPPI (solely payments of principal and interest) test determines whether an instrument's cash flows are those of a plain debt instrument.
The classification determines:
• which accounting treatment applies;
• whether the instrument is measured at fair value or at amortised cost;
• and whether gains and losses go through the profit and loss account or through OCI (other comprehensive income).
IFRS 9 also includes a more dynamic credit loss model that dictates when an insurer must recognise an impairment on financial assets. The model is forward looking, so expected future losses must also be taken into account in the impairment.
IFRS 9 also makes hedge accounting more principle based, bringing it into line with how risks are actually managed within insurers.

Why are IFRS 9 and IFRS 17 implemented together?
• The insurance liability (IFRS 17) is always closely connected to the financial instruments (IFRS 9) held by insurers.
• When a client buys an insurance policy, an insurance liability is created, and the premiums paid are invested in financial instruments.
• Insurers want to reduce the volatility of their earnings, and both IFRS 9 and IFRS 17 offer accounting choices that affect that volatility.
• Under IFRS 17, insurers can decide whether the effects of changes in financial risk assumptions go through OCI or through the profit and loss account.
• Under IFRS 9, insurers can decide whether changes in the value of equity instruments go through profit and loss or through OCI.
Both standards affect earnings volatility, so balance sheet management choices under the two are connected. Consequently, the IASB decided that insurers should be granted the option to implement both standards together.

Likely impacts
• New concepts and terms are introduced, for example components such as unbiased cash flows, the risk adjustment, the discount rate and the CSM (contractual service margin).
• The standards will affect the presented numbers. Under IFRS 17 the insurance liability must be based on current assumptions, which is not the case under IFRS 4.
• Faster disclosure is needed, which requires faster processes within the organization.
• The insurance liability must be specified in a different way, the importance of gross written premiums disappears, and equity will be affected.
• Risk engines are needed to calculate the CSM and to cope with all the different groups of contracts.
• The general ledger system will change as new measurements are introduced.
• There is a big impact on the presentation of the balance sheet and P&L.
• More data is needed, with finer granularity and more history, which challenges internal data quality, consistency and IT performance.
• Reporting timelines are also shortened, challenging both the systems and the cooperation between departments.
• Staff training will be needed.

To find out more about the requirements contact us or your auditors.
To update your financial software or to acquire software to support IFRS 17 please call Synergy Software Systems on 009714 3365589