-
Privacy and Data Protection
Our digital risk team is made up of a combination of subject matter experts and technical specialists who can help your business comply with the GDPR.
-
Governance, Risk and Compliance (GRC)
While business goals and strategies evolve, our services support you wherever you are in your business cycle. The digital economy is simultaneously increasing the magnitude of new business opportunities while increasing the difficulty of getting it right.
-
ISO 27001 and ISO 27701
Grant Thornton’s ISO 27001 and ISO 27701 specialists will arrange and oversee the formal audit process.
-
SOC 1,2,3
As a service organization there are many ways to provide assurance to your customers and in turn other stakeholders over your control environment. One of the most effective and cost-efficient ways is to issue a Service Organization Control (SOC) Report.
-
Incident Response
Grant Thornton’s Cyber Incident Response Team can support your business in the event of a cyberattack or data loss event. We work alongside your existing IT and Legal teams to provide a co-ordinated, timely and efficient investigation and remediation.
-
Hacking Services
At Grant Thornton, our cyber security experts can develop a bespoke penetration testing plan to meet your business needs and unique IT environment. We can undertake the full suite of testing or conduct individual assessments, as required.
-
Cyber Health Check
Approximately 54% of organizations report that they have experienced at least one cyber-attack during the past year. Grant Thornton’s cyber health check provides you with an objective, jargon-free assessment of your current cyber security, drawing on both qualitative and quantitative elements.
-
Dark Web Threat Intelligence
We use a variety of dark and deep web monitoring tools that continuously scans illegal sites to discover any mention of your data, ranging from breached security credentials such as usernames and passwords to leaked confidential documents of your company.
-
Digital forensics and electronic discovery
We offer a full suite of digital forensics and data acquisition services in investigations related to cybercrime, disputes, fraud and regulatory investigations.
-
Insolvency
If you're facing a time of personal or corporate financial crisis you need advice from someone who listens, who understands your specific issues and deals with them in a supportive and sensitive manner.
-
Crisis stabilisation and turnaround
In periods of financial distress, management teams often face considerable challenges, with many directors having little or no experience of similar conditions.
-
Operational and financial restructuring
Companies challenged by underperformance often need support in identifying options for financial or operational restructuring. Tapping this type of advice helps them create a stable platform for business turnaround.
-
Accelerated M & A
Even fundamentally sound businesses run into difficulties. Cash flow can come under pressure from the loss of a big client, or a dip in performance can threaten a breach of banking covenants if there is insufficient headroom.
-
People Services
Our HR Outsourcing solutions are designed to provide you with the flexibility and expertise needed to manage your people effectively and efficiently.
-
Relocation made easy!
We bring to the table our in-depth understanding of Cyprus immigration legislation and policies, coupled with long experience supporting corporate clients relocating non-EU staff to Cyprus, as well as entrepreneurs and executives moving with their families.
-
Family Office Services
In an era of rising digital threats, protecting the sensitive information and assets of high-net-worth families is paramount. In collaboration with our dedicated strong Cybersecurity and Data Protection team, we can help ensure the data security and privacy of your Family Office (employees and c-suite), family members and any staff supporting them, and also trusted associates.
-
Indirect Tax
Our experienced VAT specialists are available to assist companies and entrepreneurs of all industries and sizes in meeting their obligations.
-
Direct Tax
We can help you ensure a bespoke balance between tax compliance and effective tax planning for your special circumstances.
-
Ημερίδα Γνωριμίας με την Grant Thornton Κύπρου
Σας προσκαλούμε σε μια μοναδική ευκαιρία να γνωρίσετε την Grant Thornton Κύπρου! Την Τρίτη, 5 Νοεμβρίου 2024, θα έχετε τη δυνατότητα να συναντήσετε την ομάδα μας, να ενημερωθείτε για επαγγελματικές ευκαιρίες και να εξερευνήσετε πιστοποιήσεις όπως ACCA.
-
Life at Grant Thornton
At Grant Thornton Cyprus, we are taking a holistic approach and reimagining the way we work, continually assessing it and making necessary changes to better support our people.
-
In the community
Unlocking the potential for growth in our local communities.
-
Diversity and inclusion
Diversity helps us meet the demands of a changing world. We value the fact that our people come from all walks of life and that this diversity of experience and perspective makes our organisation stronger as a result.
-
Global talent mobility
One of the biggest attractions of a career with Grant Thornton Cyprus is the opportunity to work on cross-border projects all over the world.
-
Learning and development
At Grant Thornton we believe learning and development opportunities allow you to perform at your best every day.
-
Our values
We are a values-driven organisation and we have more than 56,000 people in over 140 countries who are passionately committed to these values.
What is the NIS Directive?
The European Commission proposed the EU Network and Information Security Directive as part of the European Cyber Security strategy. The directive came into force on the 10th of May 2018 with aim to increase the maturity level of cybersecurity across the state members of EU and ensure their strategic cooperation through Risk Management and Incident Reporting.
The Digital Security Authority (DSA) is the NIS authority of Cyprus which was established by Law 17(I)/2018 on the Security of Network and Information Systems. The DSA is the authority responsible for the transposition of the NIS Directive in Cyprus. As far as the NIS Directive is concerned, the DSA acts as the Single Point of Contact (SPOC), the National Competent Authority (NCA) and it incorporates the National CSIRT of Cyprus (CSIRT-CY).
Who is Impacted?
Operators of Essential Services (OESs)
OESs are public entities or private businesses that if their services were disrupted, would have a profound impact on the society or the economy.
- Healthcare
- Transport
- Energy
- Banking
- Financial Market Infrastructure
- Digital Infrastructure
- Water Supply
The OESs are highly dependent on technology, hence any malicious act can be proven disastrous for both economy and society. Serious incidents with significant impact should be reported to the relevant national authority without delay. Such operators must take appropriate security measures ensuring that the adequate controls and safeguards are in place. Moreover, it is important that they implement comprehensive security awareness programs as well as an information security management system. In case of a cyber incident it is also significant in understanding the total impact of the incident in terms of total duration, total number of affected users and total economic and societal impact, understand the root causes of incidents and how similar incidents can be mitigated or even prevented.
Digital Service Providers (DSPs)
DSPs as provided by the regulation are the below:
- Online search engines: A digital service that allows users to perform searches of websites on the basis of a query on any subject.
- Online marketplace: A digital service that allows consumers and/or traders to conclude online services or service contracts with traders.
- Cloud computing services: A digital service that enables access to a scalable and elastic pool of shareable computing resources
Key digital service providers will also have to comply with the security and notification requirements under the new Directive. It is essential for the DSPs to establish, implement, operate, monitor and maintain an appropriate level of security and assess the level of related risk on a regular basis. Moreover, it is a requirement to be able to identify trends or patterns in cyber security and understand the efficiency and effectiveness of the incident and the collaboration and information sharing mechanisms.
Requirements of the Directive
The Directive requires Operators of Essential Services (OESs) and Relevant Digital Service Providers (RDSPs) to:
Achieve the outcomes set by the 14 NIS principles, as shown below, by taking appropriate measures, technical and organizational, to manage the risk posed to the security of the network and information systems used.
Objective A: Managing Security Risk
- Governance: Putting in place the policies and processes which govern your organisation’s approach to the security of network and information systems.
- Risk Management: Identification, assessment and understanding of security risks as well as the establishment of an overall Organisational approach to risk management.
- Asset Management: Defining all systems and/or services required to maintain or support essential functions.
- Supply Chain: Manage the security risks to networks and information systems that derive from dependencies on external suppliers.
Objective B: Protecting Against cyber-attack
- Service Protection Policies and Processes: Defining and communicating appropriate Organisational policies and processes to secure systems and data that support the operation of essential functions.
- Identity and Access Control: Understanding, documenting and controlling access to networks and information systems supporting essential functions.
- Data security: Protecting e-transmitted or stored data from adversary actions that may cause an impact on essential functions.
- System Security: Protecting critical network and information systems and technology from cyber-attack.
- Resilient Networks and Systems: Building resilience against cyber-attack.
- Staff Awareness and Training: Ensuring the organisation’s staff contributes sufficiently to the cyber security of essential functions.
Objective C: Detecting Cyber Security Events
- Security Monitoring: Monitoring to detect possible security issues and track the effectiveness of existing security measures.
- Proactive Security Event Discovery: Detecting anomalous events in relevant network and information systems.
Objective D: Minimizing the Impact of Cyber Security Incidents
- Response and Recovery Planning: Implementing appropriate incident management and mitigation procedures.
- Lessons Learned: Improving the resilience of essential functions by implementing the outcomes of lessons learned.
- Notify the competent authorities or the CSIRT of any incident that has an impact to the provided services with undue delay.
Consequences of non-compliance with the NIS Regulations
- Organisations that fail to comply with the regulation may led to major fines and other consequences, such as revenue loss and long-term reputational damage.
What is needed to be done
- Identification of the security of the relevant network and information systems.
- Incidents that affect the continuity of the essential services provided must be reported without undue delay.
- Achieve the aforementioned 14 high-level principles set by NIS
- Compliance with International Standards.
- Compliance with the Cyber Assessment Framework that has been developed around the 14 principles and each principle has IGP (indicators of good practice). Competent authorities will use CAF as an auditing framework to measure compliance
How can we help?
Our Technology Risk team can support your organization in various areas such as:
- NIS Directive Readiness Assessment / Gap Analysis
- NIS Directive Implementation support via creating / or reviewing the respective Information Security Policies based on International Standards (e.g. ISO27001, PCI-DSS, NIST Cybersecurity Framework)
- Implementation of Business Continuity Plan / Disaster Recovery Plan
- Delivering Information Security and IT Risk Assessments to identify and help you address risks of the offered services.
- Conducting Penetration Tests to identify weaknesses and vulnerabilities of the Systems in-scope.
- Incident Readiness
- Digital Forensics and Incident Response (DFIR) for handling a Cybersecurity / Data Breach Incident.
- Security and Privacy Awareness Trainings
- Preparing the organization to be certified for ISO27001
- Conducting Information Systems Audits