
Case Studies


BMA (Bermuda Monetary Authority) Code of Conduct Regulatory Compliance Drive

Like most regulators around the world, the BMA (Bermuda Monetary Authority) now has Cyber Security top of mind and has developed a Code of Conduct (CoC) for the Insurance Sector. All registrants within the Insurance sector are now required to comply with the requirements of the CoC. Our Cyber risk experts enabled a leading Bermuda-based reinsurance client to meet the regulatory compliance deadline of December 2021. In record time the client was able to demonstrate how their Operational Cyber Risk Management practices and controls complied with the regulatory requirements within the BMA Code of Conduct.

This is a challenge we know well, given our years of experience in compliance with various regulatory requirements. We went to work engaging with the client to pull together a very small team of resources who understood the client's business and current operations. In record time we developed a plan of action that covered a thorough technical review of their technology landscape and processes to determine where the gaps were. We used our expertise to determine the most efficient use of resources and develop an actionable roadmap for prioritisation of effort. As expected, we worked in the client's time zone as a joined-up team. We supported the client to onboard and roll out new technologies and worked on identifying a suitable Managed Service Provider (MSP) for 24/7 security monitoring and response. As required, we worked with the client to develop and enhance their operational Cyber Security processes and governance structures. To top it off, we engaged the independent Internal Audit team to put our delivery to the test.

It was a resounding success with the business and Internal Audit. At the end of PCL's engagement no areas were found to lack the required controls, and the client could now demonstrate a coherent approach to their Operational Cyber Risk Management.
Priority Consult can provide the advice, guidance, consultancy and assurance to your IT and Business teams on how to comply with any regulatory, industry or contractual requirements.


NIS Compliance Drive

An OES (Operator of Essential Services) client reached out looking for support in responding to a notice from the regulator on compliance with the NIS (Network and Information Systems) Regulations 2018. We worked with the client to review the operational services, systems and networks that support the delivery of their essential services and developed a response that provided assurance to the regulator on the client's approach to meeting the requirements of the NIS Regulations. The client was so pleased with how we helped them manage the regulatory enquiry that they approached us to help develop a Controls Framework through which ongoing assurance could easily be demonstrated.

Priority Consult is regulatory and industry framework agnostic and is able to help your business develop the People, Processes and Technology to meet your contractual or regulatory compliance requirements. Why not reach out to one of our experts? We will schedule a session to go through your requirements.


Guardrails for Cloud Security Standards

Our public sector client needed help developing a set of guardrails for the secure use of public cloud services.

Business Challenge

Our client was looking to use the public cloud to host services that would be accessed by members of the public, and required security expertise to help them develop guardrails that would ensure the public cloud could be used securely.

Solution we provided

Priority Consult developed a set of cloud security standards for our client. These standards were then implemented as code within the cloud environment. Any cloud service that did not meet a standard was flagged as non-compliant and a notification sent to the owner of the resource for remediation.

Outcome

The automation of security controls and detection of violations led to quicker governance for projects looking to deploy services into the public cloud. Our client also reduced the cost of standing up services in public cloud environments and is now one of the leading government agencies leveraging the public cloud.
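The pattern described above, standards expressed as code, each resource evaluated against them, violations flagged and routed to the resource owner, is illustrated by the following added example. It is not Priority Consult's or the client's code: the resource schema, the three standards (CS-01 to CS-03), the owner tag and the sample inventory are all constructed for illustration, and a real deployment would read resources from the cloud provider's API and deliver notifications through its messaging service rather than printing them.

```python
"""Policy-as-code guardrail check over a cloud resource inventory.

Added example, not Priority Consult's or the client's code. The resource
schema, the standards CS-01..CS-03 and the inventory below are constructed
for illustration; a real deployment would read resources from the cloud
provider's API and deliver notifications through its messaging service.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Resource:
    kind: str                 # "storage", "database" or "vm"
    name: str
    owner: str                # accountable owner, taken from a mandatory owner tag
    props: Dict[str, object] = field(default_factory=dict)


@dataclass
class Finding:
    standard: str
    resource: str
    owner: str
    detail: str


# A standard is a predicate: None when the resource is compliant, otherwise
# a short explanation of the violation.
Check = Callable[[Resource], Optional[str]]


def storage_not_public(r: Resource) -> Optional[str]:
    if r.kind == "storage" and r.props.get("public_access", False):
        return "public access is enabled"
    return None


def encryption_at_rest(r: Resource) -> Optional[str]:
    if r.kind in ("storage", "database") and not r.props.get("encrypted", False):
        return "encryption at rest is disabled"
    return None


def no_open_admin_ports(r: Resource) -> Optional[str]:
    if r.kind == "vm":
        for rule in r.props.get("ingress", []):
            if rule.get("port") in (22, 3389) and rule.get("cidr") == "0.0.0.0/0":
                return f"port {rule['port']} open to 0.0.0.0/0"
    return None


STANDARDS: Dict[str, Check] = {
    "CS-01 no public storage": storage_not_public,
    "CS-02 encryption at rest": encryption_at_rest,
    "CS-03 no internet-exposed admin ports": no_open_admin_ports,
}


def evaluate(inventory: List[Resource]) -> List[Finding]:
    """Run every standard over every resource and collect the violations."""
    findings: List[Finding] = []
    for r in inventory:
        for name, check in STANDARDS.items():
            detail = check(r)
            if detail is not None:
                findings.append(Finding(name, f"{r.kind}/{r.name}", r.owner, detail))
    return findings


def notifications(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by owner so each owner receives one remediation message."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.owner, []).append(f"{f.resource}: {f.standard} ({f.detail})")
    return out


# Constructed sample inventory: one compliant and three violating resources.
INVENTORY = [
    Resource("storage", "citizen-uploads", "team-a@example.gov",
             {"public_access": True, "encrypted": True}),
    Resource("database", "case-records", "team-b@example.gov", {"encrypted": False}),
    Resource("vm", "bastion-01", "team-b@example.gov",
             {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}),
    Resource("vm", "app-01", "team-a@example.gov",
             {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}),
]

if __name__ == "__main__":
    for owner, items in notifications(evaluate(INVENTORY)).items():
        print(f"To {owner}: {len(items)} non-compliant resource(s)")
        for line in items:
            print("  -", line)
```

Keeping each standard as a small, independently testable predicate is what makes the guardrail auditable: a new standard is one more entry in the table, and the evaluation and notification logic never changes.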


Abuse of Website Functionality

A client within the public sector had discovered that accounts were being created for fake customers and asked us to help. We rolled up our sleeves and got to work straight away trying to understand how the attack happened. We reviewed the client's technology stack that supported and relayed traffic to the abused website. From the intelligence we gathered we were able to simulate how the attack could have been carried out, and confirmed our initial assumption that the attacker was using an automated script, also known as a bot. Knowing that the client had a WAF (Web Application Firewall) that proxied traffic to the website, we did a deep dive into how it was configured and discovered that capabilities that could have been enabled to prevent bot attacks were switched off. We also discovered that the client had not enabled their defences against DDoS (Distributed Denial of Service) attacks on any of their services. Whilst it was clear that the threat actor's motive was not to bring down the website, the client needed a coordinated response to ensure that, once they blocked the attacker's ability to further abuse the website, they were also resilient to possible DDoS attacks.

We worked with the client to devise a set of defence in depth controls to comprehensively mitigate the vulnerabilities being exploited and provide additional layers to make further attacks difficult to succeed. For the website we implemented reCAPTCHA and developed appropriate rate limits for various HTTP methods on specific paths. We also helped the client implement bot detection capability and general protection from DDoS.
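The rate-limiting control described above, different limits per HTTP method and path so that a scripted client hammering account registration is throttled while ordinary browsing is unaffected, is shown in the following added example. It is not the client's WAF configuration or Priority Consult's code: the route limits, the client addresses and the request log are constructed for illustration, and a production WAF would apply the same logic at the proxy rather than in a log replay.

```python
"""Per-route sliding-window rate limiting, WAF style.

Added example, not the client's WAF configuration or Priority Consult's
code. ROUTE_LIMITS, the client addresses and SAMPLE_LOG are constructed
for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# (method, path prefix) -> (max requests, window in seconds).
# Account creation is POST-only and legitimately rare per client, so it gets
# a tight limit; read traffic can be far more generous.
ROUTE_LIMITS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("POST", "/account/register"): (3, 60),
    ("POST", "/account/login"): (10, 60),
    ("GET", "/"): (120, 60),
}


def match_route(method: str, path: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Longest-prefix match of a request against the configured limits."""
    best: Optional[Tuple[str, Tuple[int, int]]] = None
    for (m, prefix), limit in ROUTE_LIMITS.items():
        if m == method and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, limit)
    return best


class SlidingWindowLimiter:
    def __init__(self) -> None:
        # (client, method, route prefix) -> timestamps still inside the window
        self._hits: Dict[Tuple[str, str, str], Deque[float]] = defaultdict(deque)

    def allow(self, client: str, method: str, path: str, now: float) -> bool:
        route = match_route(method, path)
        if route is None:
            return True  # no limit configured for this method/path
        prefix, (max_req, window) = route
        q = self._hits[(client, method, prefix)]
        while q and now - q[0] >= window:   # drop hits that have left the window
            q.popleft()
        if len(q) >= max_req:
            return False
        q.append(now)
        return True


def replay(log_lines: List[str]) -> Dict[str, int]:
    """Feed 'timestamp client METHOD path' lines through the limiter.

    Returns the number of requests that would have been blocked, per client.
    """
    limiter = SlidingWindowLimiter()
    blocked: Dict[str, int] = defaultdict(int)
    for line in log_lines:
        ts, client, method, path = line.split()
        if not limiter.allow(client, method, path, float(ts)):
            blocked[client] += 1
    return dict(blocked)


# Constructed log: one scripted client submitting registrations every half
# second, one ordinary user who views the form and registers once.
SAMPLE_LOG = (
    [f"{i * 0.5} 203.0.113.9 POST /account/register" for i in range(20)]
    + ["1.0 198.51.100.4 GET /account/register",
       "2.0 198.51.100.4 POST /account/register"]
)

if __name__ == "__main__":
    for client, count in replay(SAMPLE_LOG).items():
        print(f"{client}: {count} request(s) blocked")
```

Keying the window on the route prefix rather than the full path matters: an attacker who appends query strings or trailing segments would otherwise start a fresh counter with each request.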


Security of Application Hosting Platform in Hybrid Cloud

A British multinational banking and financial services organisation, with a cloud-first strategy and stringent regulatory requirements, was on a mission to deliver services using the public cloud.

Business Challenge

The organisation had limited security expertise in the use of public cloud technologies, and due to regulatory requirements in some regions the client still needed to host some of their applications within their on-premises data centre. The client was also in the middle of exiting their contractual relationship with their existing API management vendor (Mulesoft) and so needed to migrate over 4000 APIs to the public cloud. As a bank, the client is very security conscious and has stringent security requirements, governance and compliance regimes that needed to be satisfied before workloads could be deployed to production environments.

Solution we provided

Priority Consult was engaged to provide the security consultancy for all aspects of the solutions that needed to be delivered to make the transformation a success. We assured the security of the architecture for multi-region Kubernetes clusters hosted in Amazon EKS. The on-premises deployment leveraged Google Anthos, and all container clusters used the Istio service mesh for mutual TLS and fine-grained access control. We ensured the developer community were trained in secure coding and supported the roll-out of security tooling within the CI/CD pipelines. Since we were rolling out a container hosting platform, we ensured container images could be security scanned for vulnerabilities using the AquaSec product suite.

Outcome

The end result was that the client had the capability to host services either in AWS or on-premises with all the security built into the hosting platforms. This enabled the client to migrate their applications to the new container hosting platforms, reduce their costs and carbon footprint, deploy services quicker to market and become a more agile enterprise.
