GRACE to manage Cybersecurity, Data Privacy and IT Risks

Manage using IT security with Best practice frameworks

Address Cybersecurity, Data Privacy, Business Continuity, IT and Vendor Risks in a Unified way with GRACE

Cybersecurity Risks have escalated in organizations specially in financial institutions. Ransomware, Account take overs, ID theft, hacking and misuse of valuable customer information have been on the rise from work-from-home, geo political and changes in technology. Data privacy regulations to prevent misuse of customer information, 72 hour reporting to regulators for incidents of material loss of customer data, and regulatory examinations of Cybersecurity processes of firms are on the rise.
Material incidents can also lead to increase and at times denial of cyber insurance if the proper processes are not in place. Each material incident response, management and prevention can become very costly with need to deploy cybersecurity specialists, e-discovery specialists and lawyers for determining the extent of damage. Regulatory fines, Payments for class action lawsuits and Reputation Loss could also be bad outcomes of such incidents.

IT and Vendor Policies and procedures, Up-to-data inventory of internal data, as well as those with outsourced vendors, the protections in place for Personally Identifiable data and infrastructure including physical security, continuous monitoring and issue reporting for accesses and vulnerabilities, incident response planning and incident management, security training of all staff, business continuity management, vendor due diligence and vendor monitoring are all a big part of IT Risk Management in the organization

Mapping organization's processes to best practice frameworks like NIST, ISO, COBIT, being in compliance with SoC2, PCI-DSS, HIPAA, CMMC as needed by your business, identifying gaps in your policies, procedures and control processes and implementing the changes needed, have become very important to establishing and staying on top of risks in Cybersecurity, Data Privacy, Vendor Risk and Business Continuity in your organization.

GRACE makes it easy for you to establish the above needed processes to help you monitor and manage your IT and Vendor Risks.

Recent News

CyberSecurity - Biggest Risk Plaguing Markets

IT systems have become the backbone of all operations in companies and hold the repository of all critical information about customers including their names, addresses , SSN, phone nos, emails, bank accounts etc. A single hack into the systems can yield the bad elements access to this very important information that can be misused blatantly. Outsourcing of processing, client Information in multiple systems and lack of proper protection in vendor operations can be disastrous.

Misuse of client information for target marketing and other activities have taken away control of client information from the clients and have put them in the hands organizations that could sell the information without the consent of the client. Having such large scale personal information has created huge vulnerabilities to cyber attacks and compromise of critical client information.

Client Data Protection - Top of Regulator's Mind

Regulators have responded by defining rules and examination priorities around cyber security and privacy and protection of client data as their highest priority. Large fines for violations have been defined by Regulations like GDPR, California Privacy Act, Colorado Privacy Act, Connecticut Privacy Act and others to ensure that businesses are obligated to protect client information.

Regulators expect organizations to keep track of all the client data whether they be within the organization or with outsourced entities, ensure protection of this data against security violations and misuse. They also expect you to take client’s consent and establish the lawful basis for the collection and use of the data. Regulators expect you to have a central repository of client information that is being managed across the organization, identify the security management in place and ensure that client consent of information is being taken. Clients requests for erasure of their information as well as Opt-Out have to be honored.

GRACE Can Help You Track and Manage IT Risks

GRACE IT Risk management has been specifically built to help you set up your Cybersecurity processes and controls as defined by best practices like NIST, CMMC, ISO, COBIT, ITIL and certification needs for SoC2, HIPAA, PCI-DSS and others that organizations have to put in place.

It helps you setup and manage IT policies and procedures and keep them updated. Controls monitoring processes to gather controls data on a scheduled basis and identifying issues can help identify risks as early as they happen.

GRACE can help you build and keep updated, Asset inventory of all the systems, network and other infrastructure and record the personally identifiable data (PII) as well as understand the security posture like encryption, anonymization, data at rest, data in transit over each of them.

Conducting Risk Assessments helps identify process and control gaps, issues and risks in implementations and manage their mitigation.

Incidents happen from internal failure and external threats and organizations need to have a proper Incident Response Plan and Business Continuity Plan with clearly assigned roles and responsibilities. Periodic drills to ensure that the plans work and failures can be handled in an organized manner with least impact on customers and services are important. Incident Management and tasks associated with incident recovery must be done properly and taken to conclusion. Incidents of material nature are now required to be reported to regulators within the stipulated no of hours, leading to examinations, e-discovery, large legal expenses and at times class action lawsuits. It is important that incidents be tracked for their severity and frequency of occurrence to prevent vulnerabilities from repeating.

California Consumer Privacy Act (CCPA) Expectations

The California Consumer Privacy Act (CCPA), was unanimously passed by California lawmakers and signed into law by the Governor on June 28th, 2018 and has to be implemented by all organizations that provide services to California Consumers from Jan 1 2020.
It gives California consumers unprecedented personal data protections and possibly sets the tone for similar legislation in other states.

It offers new and wide ranging privacy rights for California residents, including a right to be informed about personal data collected by a business and rights to access and delete that information, a right to prevent personal information from being sold to third parties, and a right to data portability. The law applies to all businesses that collect or use this personal information, not just those companies in California. The California Attorney General may bring actions for civil penalties of up to $7,500 per violation and there is a limited private right of action for individual victims of data breaches for penalties ranging between $100-750 per violation.

Companies are mandated to develop and implement data policies, procedures and data governance processes to address

  • The Right to Know, through a general privacy policy and with more specifics available upon request.
  • What personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold
  • The Right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in)
  • The Right to have a business delete their personal information, with some exceptions
  • The Right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.

Click here to Read Detailed Expectations of California Consumer Privacy Act

GDPR Expectations

The European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, 2018 and is one of the most significant overhaul to data protection laws in a generation. It applies to organizations worldwide that offer goods or services to individuals in the EU, and the penalties for non-compliance are severe.
Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime

  • Processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

The financial penalties for failing to comply with the GDPR are clearly defined: for each instance of noncompliance, up to 20 million Euros or 4 % of worldwide annual turnover (revenue), whichever is higher.

Companies are mandated to develop and implement data governance, protection and privacy of client information including where data is managed by outsourced third parties. All breaches have to be reported within to the regulators within 72 hours.

Click here to Read Detailed Expectations of GDPR

India’s Digital Personal Data Protection Act of India (DPDP) 2023

India, the most populous country in the world with more than 1.4 billion people, is the largest democratic country to pass a comprehensive personal data protection law – The Digital Personal Data Protection Act, 2023 (DPDP Act).

The new law marks a seminal moment in the nation’s legislative landscape, establishing a comprehensive framework that serves to protect the personal data of its citizens. Given the Act’s all-encompassing scope, it promises to bring about significant changes in how organizations handle, process, and safeguard personal data. Let’s dive in and learn more about it.

What is the purpose of DPDP Act?

The DPDP Act is a robust piece of legislation that aims for transparency, accountability, and most importantly, the secure and ethical use of personal data.

According to the official statement by the Indian government, the purpose of DPDP is:

“to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.”

— Ministry of Law and Justice

On 11 August 2023, the President of India has given assent to the Digital Personal Data Protection Bill, 2023 which made it the Digital Personal Data Protection Act, 2023.


The schedule to the Bill specifies penalties for various offences such as up to:

(i) Rs 200 crore for non-fulfilment of obligations for children

(ii) Rs 250 crore for failure to take security measures to prevent data breaches.

Penalties will be imposed by the Board after conducting an inquiry.

Click here to Read Detailed Expectations of DPDP 2023

GRACE for Integrated IT and Vendor Risk management to address Cybersecurity, Business Continuity and Data Privacy Regulations

Protect your client data comprehensively whether it is within your organization or with vendors

Manage IT Policies and Procedures

  • GRACE Helps you create comprehensive Policies and Procedures for IT Risk identification and management for all the lines of Businesses of the organization.
  • Manage detailed reviews and comments by all related departments including legal, compliance, client management and other groups on how client management is gathered and being managed.
  • Ensure all comments are incorporated and release the policy or procedure

Online Training

  • GRACE Helps you create and manage your vendor Database of vendor locations, contact persons, SLAs and Contract documents. You can conduct vendor due diligences and Risk Assessments to identify security management risks in their processes and manage and monitor their mitigation.
  • Vendor Risk Profile can be generated based on the no of risks seen so organization can take early corrective action. Periodic Monitoring Calendar and follow up items and recording of findings identify issues early and show trends
  • Vendor Dashboard helps you monitor issues and risks and view trends

Conduct Controls Monitoring

  • Set up and Assign Responsibilities for IT Controls Monitoring
  • Receive Controls Monitoring Reports Online
  • Monitor Issues reported by Controls Monitoring and identify issues early.

Map IT Processes to IT Standard Frameworks

  • GRACE offers IT Frameworks information from NIST, ITIL, COBIT to allow organizations to benchmark their controls against the expectations of the frameworks

Client Consent Information Management

  • All systems that process client information should have consent from the client for the legal purpose of using the data as well their consent to share the data with other third parties where needed.
  • Clients also have the right to request to be forgotten. Organizations have to provide functions for the client data to be removed from all of their systems on such requests
  • Tracking of consent as well as the requests are an important part of the requirements of GDPR. Data from the systems and the vendors can be gathered on GRACE to monitor the status of client consent management

Incident Management

  • Forms are available for Online reporting of Incidents as soon as they happen. This enables the organization to react quickly to any breaches and other incidents and contain the damage.
  • Incident management includes various tasks that have to be undertaken to intimate various entities, assess the damage and take quick corrective action for client management. Incident reporting to authorities is also part of the process.
  • GRACE provides functions for status reporting and monitoring of various tasks needed for incident management to bring it to closure.
  • The Incident Dashboard is a powerful tool to see the frequency of incidents, severity and understand your vulnerabilities across internal systems and vendor systems and prevent future happenings

Conduct IT Risk Assessments

  • GRACE can help you set up and use standardized checklists for periodic risk assessments for IT Risk within the organization as well as within vendor organizations. You can set up Calendars for assessments and receive alerts . You can send out Risk Assessment Questionnaires Online and use Survey like function to collect information from within the organization as well as from vendors.
  • On site inspection can also be conducted using the risk questionaires. Findings from risk assessments will allow organizations identify risks, classify them, score them and manage their mitigation by assigning responsibilities.Findings from Risk Assessments could also refine policies and procedures and lead to enhanced training, re-attestation and other processes as mitigation.
  • The Risk assessment dashboard that can help track status of assessments, findings and mitigation task status

Online Attestation

  • All staff can be sent standard templates for attestation periodically, to remind them to follow the Privacy Procedures.
  • Staff will receive alerts from the system and will get their particular forms and can attest them online. Reminders will be sent if they are not attested within the given timeline.
  • Attestation dashboard will provide information
  • Ensure that all staff are sent the latest IT management policy / procedures for them to read and attest online.This ensures that the latest procedures for ensuring IT security are well understood by staff. Periodic attestation can help staff be reminded of the correct procedures for IT management.
  • GRACE can set up Attestation templates, as well as Attestation calendars for the staff / groups of staff can be included.
  • Emails can be received to alert them about the attestation. and reminders can be sent.
  • Attestation dashboard will allow the organization to see how many people are pending attestation and ensure all of them go thru the attestation process.


  • GRACE offers multiple dashboard that are specialized for each area including Policy and Procedure Dashboard, Risk Assessment Dashboard, IT Risk Dashboard, Incident Dashboard, Attestation Dashboard, Training Dashboard etc. Access Rights can be turned on or off to each of the dashboards
  • Each dashboard will present the overall information, charts, trends, reports and queries and will allow Slice and dice & deep drill down on all information gathered and status of approval.Issues, risk and mitigation management and trends with graphics and reports will enable action to be taken.Reports can be queried for user defined criteria, printed and exported to Excel / PDF formats

The Great Value You Get from Using GRACE IT Risk Management

Manage your Data Privacy and IT Risk management comprehensively

Keeps track of your infrastructure

Keeps track of your IT Infrastructure and the cybersecurity protection in place for your client data

Risk Management becomes online and real time

With an integrated web based access anytime anywhere, so risks can be addressed as quickly as they happen to reduce the costs of mitigation

Ensure Policies are being followed

Ensures IT Policies and Procedures are in place and your staff knows about the procedures to be followed

Regulatory examinations can be handled with confidence

Centralized and visible risk management processes means regulatory examinations can be handled with confidence

Manage the risks with your Outsourced Vendors

Keeps track of your outsourced vendors to ensure that they have cybersecurity protections in place for your data

Identify Vulnerabilities Early

Helps you conduct periodic risk assessments to ensure Privacy of Customer Information and identify vulnerabilities early

Organization Ownership of Data

Organizations suffer when key risk and compliance staff leaves. The information is scattered if maintained solely by individuals and are lying on disks in various forms. GRACE becomes the single central repository of documents, data and processes enabling continuity even when key people leave the organization

Ensure Security, Business Continuity / Disaster Recovery processes

Helps ensure Business Continuity / Disaster Recovery processes within and across your vendors so you are not left vulnerable

Manage Incidents as soon as they happen

Helps you track and manage incidents to take corrective action and prevent future events

Easy to Integrate and Customize

GRACE offers easy integration with organizational source systems to enhance the functionality and extend it at low costs. This is a great benefit for end users who can bring in all the relevant data into a single system through automated process allowing them to focus on risk management and compliance instead of data gathering

Easy integration

Integrates easily with tools to help you manage your infrastructure safely

Enormous Cost Savings

Enormous costs savings in early mitigation, avoids regulatory fines, legal costs, reputation risks and empowers the organization in its ability to manage risks.

Helps you manage your Regulatory Examination

Helps you manage books and records for regulatory examinations

Latest News

blank image


Annual Eversheds Sutherland Analysis of FINRA Disciplinary Actions Shows Huge Surge in Financial Sanctions

All information Quoted from the article March 8, 2022 Eversheds Sutherland has completed its annual study of the disciplinary actions reported...