THE MAG - IT for today and tomorrow - 2018-2019 edition
CYBER-RESILIENCE, A MAJOR CHALLENGE FOR THE 21ST CENTURY
FULL DIGITAL TRANSFORMATION FOR KBL EPB
FINTECH AT THE HEART OF DIGITAL EUROPE
USING BLOCKCHAIN TECHNOLOGY FOR COMPLIANCE BY DESIGN
MEET THE TRUST CHALLENGE
MEET THE TRUST CHALLENGE | EBRC THE MAG | 2018-2019 EDITION
Synopsis
• CYBER-RESILIENCE, a major challenge for the 21st century – Yves Reding, CEO, EBRC
• CYBER-RESILIENCE in your organisation: what you need to know – Philippe Dann, Head of Risk & Business Advisory, EBRC
• RISK MANAGEMENT CONSULTING: FOUR KEY COMPONENTS of Cyber-Resilience
• THE 5 GOLDEN RULES for Business Resilience – Christophe Ruppert, Senior Consultant, EBRC
• SNAPSHOT of a Tier IV Data Centre – Bruno Fery, Head of Data Centre Services, EBRC
• FULL DIGITAL TRANSFORMATION for KBL epb – Éric Mansuy, Group Head of IT & Operations, KBL epb
• FINTECH at the heart of digital Europe – Jean-François Hugon, Head of Marketing, EBRC
• USING BLOCKCHAIN TECHNOLOGY for compliance by design – Fabrice Croiseaux, CEO, InTech
• I-HUB, MUTUALISED KYC continuous management platform – Pascal Morosini, CEO, i-Hub
• DIGITAL, a new defence against rape as a Weapon of War – Céline Bardet, Founder & President, WWoW
• MEDICAL BIOLOGY, a high voltage sector – Dr Jean-Luc Dourson, General Manager & Founder, BioneXt LAB

CYBER-RESILIENCE: WHERE DO WE START? Download our "Cyber-Resilience towards Cyber-Reliance" White Paper: https://www.ebrc.com/en/whitepapers

Dear Clients, Partners, Colleagues, and Readers

We are all members, stakeholders, decision-makers or leaders of our digital community.

In a previous white paper entitled “Digital needs Trust”, we described the challenges facing our core business: how to build together a trusted digital ecosystem.

Each of us is driven by the same ambition, whatever our respective areas of activity, whether that be banking, other financial businesses, FinTechs, e-commerce, health, pharmaceuticals, bio-technologies, European and international institutions, manufacturing, digital services, space, defence, law firms, start-ups, and many others.

Building a better world with digital.

We believe in the tremendous potential of digital.

Digital offers unlimited opportunities, and may be the solution to some of the greatest challenges humanity faces, including hunger, improving medical diagnostics and healthcare.

The electronic patient record of the “e-Santé” agency (a development we assisted with and provide IT operations for) pursues that objective: saving lives and improving health by developing a form of personalised healthcare.

Digital can be used to develop a more socially-responsible world.

Céline Bardet’s project entitled “We Are Not Weapons of War”, which was developed in cooperation with ShareIT within the French “Station F” incubator (with support provided by InTech and EBRC), is an inspiration to all. It is a concrete example of the “Tech4Good” approach described on pages 24 and 25. This story should be shared widely and the lessons committed to memory.

Digital transformation can improve banking services, offer improved transaction transparency thanks to blockchain technology, and improve customer analyses (KYC).

However, there should be no doubt that exploring the digital world requires forethought and planning. Navigating the cyber-seas offers new perspectives, but appropriate techniques must be used, and prospective travellers must learn to protect themselves against the risks inherent to cyberspace. Only then will they be cyber-resilient (see pages 4 to 15).

EBRC - European Business Reliance Centre - is your trusted partner. We are a digital specialist which offers advice to help navigate the cyber-seas and provide cyber-confidence. We will help you increase the pace, take advantage of favourable winds, assist you as you seek to avoid and face up to cyber-storms, and do everything so that you reach your desired destination safely.

Yves Reding, CEO, EBRC

Published by: EBRC
Layout: KAMOO STUDIO, www.kamoostudio.com

EBRC KEY NUMBERS
• 12 % average growth since 2015
• > 400 clients entrust EBRC with the management of their ICT and security
• > 70 awards and certifications
• 71 M€ turnover in 2017
• Offices in 7 major French cities
• 0 downtime
• 100% Data Centres availability since 2000
• 3 Data Centres Tier IV certified
• 50 FinTech clients since 2011
• > 340 employees (210 in Luxembourg and 130 in France)
Cyber-Resilience, a major challenge for the 21st century
— From Cyber-Security to Cyber-Resilience - Yves Reding, CEO, EBRC

The beginning of the 21st century is a pivotal time. Our world is rapidly moving towards a new virtual world based on digital.

While the third industrial revolution is centred on processing the new key raw material, data, the fourth industrial revolution will be more revolutionary still. We can already see the outlines of this new world. It will be based on the convergence of new technologies including artificial intelligence, extreme robotics, quantum computing, nano-technologies and genetic engineering. Future generations may spend much of their lives outside the physical world. Our children and grandchildren will experience and have to contend with the reality we are building today. In the course of the 21st century, our civilisation will have to face two major challenges:
• Developing the resilience of our planet’s ecosystem, by controlling global warming and other challenges. These are issues faced by over 7.5 billion human beings daily;
• Developing resilience in the virtual world currently under construction.

Our digital world has two aspects: a positive vision of improved services and solutions, and a darker side with the potential for threats as described in “Nineteen Eighty-Four” by George Orwell or by Aldous Huxley in “A Brave New World”. More recent non-fiction works describe in more detail the new risks inherent in cyberspace, for example “Cyber War: The Next Threat to National Security” (Richard Clarke, 2010) and “Dark Territory” (Fred Kaplan, 2016).

Only a few of us have a clear understanding of the intrinsic risks of the digital world. Yet digital hygiene and cyber-immunity have to become part of the daily routine of our professional and private lives. Thus Cyber-Resilience remains a major challenge, as the global socio-economic ecosystem will soon be entirely dependent on digital.

In 2017, we learned that no organisation is immune from cyber-attack and incidents with the potential for economic and/or reputational impact. EBRC’s teams look beyond the usual principles of protection to offer a comprehensive and integrated Cyber-Resilience strategy aimed at ensuring Business Continuity. In essence, resilience is the ability of a body or a system to recover its initial properties after alteration.

Cyber-Resilience and essential Services — Risk Management, Business Continuity, Cyber-Security, Crisis Management

The European NIS directive, aimed at considerably strengthening European digital resilience, concerns all stakeholders. Affected in particular will be the so-called “operators of essential services” such as the energy sector, transportation, banks, market infrastructure, health, digital infrastructure and “digital service providers”.

EBRC - European Business Reliance Centre - puts its “Cyber-Resilience” experience and know-how at the service of businesses, thus supporting their efforts to comply with these new requirements.

EBRC’s pragmatic “Cyber-Resilience” strategy is based on experience acquired over the course of 18 years in the field of risk management, Business Continuity management, sensitive-data protection and security, and Cyber-Security consulting services, all the time ensuring alignment with best practices and international certifications. This experience was acquired in a range of sectors including European finance (banking, funds, FinTech, insurance, etc.) and with national and international stakeholders in the fields of e-commerce, the health and biobank sector, manufacturing industries, international institutions, the defence sector, the space sector, ICT services, major law firms, start-ups, and more. EBRC’s clients have to be able to guarantee high levels of data availability, confidentiality, integrity and auditability, as well as ensuring operational effectiveness in an increasingly regulated environment.

EBRC Trusted Advisory Services: an end-to-end support
BENEFITS FOR THE CLIENT: IDENTIFY, PROTECT, DETECT, RESPOND AND RECOVER

“Guaranteeing Business Continuity in a digital environment increasingly exposed to risks requires new proactive and better integrated strategies. EBRC promotes Cyber-Resilience by implementing the latest standards and best practices to enable system protection “by design” and to provide guarantees to organisations that trust in digital.

Unlike Cyber-Security, Cyber-Resilience looks beyond technical considerations, and focuses on developing an effective immune system for each digitally-dependent line of business. The risk is evaluated and mitigated in order to limit the impact of the incident, to quickly detect threats, to enable critical applications to continue running, to preserve data, and quickly resume business as usual.”

The Cyber-Resilience promoted by EBRC makes Cyber-Security a central focus for the business.

"Business Continuity is guaranteed by continuously identifying, protecting, detecting, responding to the incident and restoring systems. To this end, EBRC anticipated the implementation of the NIS directive, which had to be transcribed into national legislation since mid-May 2018. As a “digital service provider” working for “essential service operators”, EBRC intends to take its responsibilities seriously by building a strong ecosystem and alliances with European partners. This way, customers can be sure to trust digital in Europe."

Yves Reding, CEO, EBRC
CYBER-RESILIENCE IN YOUR ORGANISATION
Ensuring the security and the continuity of your business

KEY POINTS OF CYBER-RESILIENCE:
• Being aware of and complying with the regulatory framework: GDPR, NIS, supervisory authorities (finance, insurance, transport, health, etc.)
• Adopting international risk management and business resilience standards: ISO 31000, ISO 27001, ISO 27018, ISO 27032, ISO 22301, ISO 22316
• Adopting and/or imposing upon service providers an appropriate level of security based on the relevant certifications: Tier IV Data Centre, PCI DSS, HDS/HDH (Health Data Host), ISO 27001, ISO 22301
• Designing or transforming existing infrastructure by integrating “Security and Privacy by design”: proxy, firewall, antivirus, anti-DDoS, mail security, sandboxing, IPS/IDS, WAF
• Continuously raising awareness, training and informing employees and stakeholders about Cyber-Resilience
• Ensuring the business’ ability to deploy those resources, or opting for a partner able to provide support in the implementation of Cyber-Resilience. This includes audit, consultancy, risk management, Business Continuity, certified Data Centres, operational and integrated security management (SOC/CERT), IT infrastructure management, certification programmes, and more.

Philippe Dann, Head of Risk - Business Advisory, EBRC
CONTINUOUS IMPROVEMENT

1 PREPARE
KEY PEOPLE: CEO, CISO, BCM, CRO, DPO
ACTIVITIES: • Business impact analysis • Risk assessment • Cyber-Resilience audit • Compliance & standards • Cyber-Resilience strategy • Governance & policies • Awareness & exercise

2 IDENTIFY
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES: • Gap analysis Business/IT • Vulnerability assessment • Penetration test • Technology watch • Vulnerability watch

3 PROTECT
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES: • Risk mitigation • Continuity management • Security management • High availability architecture • Data centre availability • Change management

4 DETECT
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES: • Log correlation • Real-time alert • Incident management

5 ANALYSE
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES: • Threat analysis • Prioritisation • Operational crisis management

6 RESPOND
KEY PEOPLE: CEO, CISO, BCM, CRO, DPO
ACTIVITIES: • Decisional crisis management • Crisis communication • Containment • Remediation • Business continuity

7 RECOVER
KEY PEOPLE: CIO, CISO, BCM, CRO
ACTIVITIES: • Back to normal operations • Forensics • Continuous improvement • Legal • Communication

EBRC EXPERTISE: ADV – ADVISORY; CERT – COMPUTER EMERGENCY RESPONSE TEAM; MS – MANAGED SERVICES; SOC – SECURITY OPERATION CENTER
Risk Management consulting
Four key components of Cyber-Resilience
— An interview with Philippe Dann, Head of Risk & Business Advisory, EBRC

EBRC’s consultants support businesses by understanding the challenges faced while responding to needs efficiently and meeting clear targets.

Businesses face three key challenges:
1 Regulation. GDPR, NIS and sector-specific rules.
2 Cyber. New threats affecting the availability, integrity and confidentiality of data will continue to appear.
3 Economic. Risk management and investment strategies must be modified to meet threats.

Each brings the potential for new IT security incidents, including hacking attempts. Threats come in many forms, each with their own range of impacts on information system availability. These can range from denial of service attacks to leaks of personal or corporate data and intellectual property, as well as threats to information integrity.

WHAT CAN BE DONE?
EBRC’s consulting work takes each client’s strategy and constraints into account by first gaining full understanding of each unique business profile and challenges.

A risk-based approach is used to provide support for operational, regulatory, and business matters. Our consultants interact with operational teams and management to analyse existing resources, develop and fine-tune action plans but also provide support when obtaining certification.

EBRC’s expertise in analysing vulnerabilities and conducting intrusion tests is based on hundreds of tests carried out on its own and on clients’ infrastructure.

WHY OPT FOR EBRC?
Our clients benefit from our advice and proven solutions, all of which are tailored to meet numerous regulatory requirements.

EBRC consultants are experienced and certified in information security management, risk analysis, management of Business Continuity and related vulnerabilities, “ethical hacking”, forensics, and security log and component management. They work closely with EBRC’s Data Centre internal service teams, database managers, project managers, IT architects, security engineers, systems and network engineers, etc.

SUPPORT IN OBTAINING CERTIFICATIONS
EBRC’s consultants have supported several major businesses working to achieve different levels of certification:
• Preparatory work to achieve Tier IV certifications from Uptime Institute. This helped the first (and so far only) France-based Data Centre of a major French bank achieve this highest level. Tier IV certification is the highest ranking as regards Data Centre security and continuity.
• Support for obtaining ISO 22301 Business Continuity certification: ARENDT SERVICES became the first certified PFS in Luxembourg in 2016. EBRC helped a leading insurance broker in France achieve this certification.
• EBRC helped many businesses in the Grand Duchy of Luxembourg and in Belgium with ISO 27001:2013 certification regarding their information security management systems. EBRC acquired its own ISO 27001 certification in 2010. This, combined with extensive practical experience, enables clients to have full confidence in the support we provide.

WE APPLY OUR RECOMMENDATIONS INTERNALLY
EBRC has ISO 27001, ISO 22301, ISO 27018, PCI DSS, and SIEM solutions certifications. The company operates infrastructure and provides top-level services to over 400 international customers requiring high-performance service models.

EBRC offers outsourcing services: “CISO as a Service”, “DPO as a Service”, security improvement programmes, alignment with international standards all the way up to ISO certification.

EBRC has its own SOC (Security Operations Centre) and CERT (Computer Emergency Response Team) for clients that need added security.

AN ECOSYSTEM OF INTERNATIONAL PARTNERS
As well as the skills and experience of our consultants, EBRC has partnerships with companies offering innovative solutions that boost efficiency and provide measurable added value. These partners include EGERIE, Guidance Software OpenText, Omada, WALLIX, Phosforea. EBRC uses, integrates and sells these solutions.

ETHICAL HACKING
Identify

EBRC’s ethical hackers work to identify a given system’s vulnerabilities and weaknesses. They operate according to a tightly controlled mission statement that follows strict ethical rules.

Their objectives include:
• Working with clients to identify security vulnerabilities, either from hackers working internally or through connections with partners;
• Conducting penetration tests on networks/information systems using the same methods as malicious hackers;
• Suggesting countermeasures to address identified vulnerabilities in order to implement effective protective measures.

EBRC consultants provide technical suggestions, identify security vulnerabilities, and suggest action plans. They also conduct risk analyses on potential security vulnerabilities, including an assessment of the impact on the business, the customer’s regulatory framework, etc. EBRC supports its clients with technical and organisational matters, including upstream preparation and exercises to define roles and responsibilities, and provide support for crisis management efforts.

CERT/SOC
Identify, Detect, Analyse, Respond, Recover

CERT: Computer Emergency Response Teams, also known as Computer Security Incident Response Teams (CSIRT), are skills centres tasked with alerting and responding to cyber-attacks. They centralise support requests following security incidents, process alerts, establish and maintain a database of vulnerabilities, and disseminate information on the precautions to be taken in order to minimise risk. They also coordinate with other entities such as network competence centres, internet operators and ISPs, as well as national and international CSIRTs. In short, they accumulate knowledge in order to anticipate and maximise responsiveness to cyber-attacks.

SOC: a Security Operations Centre is an information systems supervision mechanism. It detects incidents, analyses them, and defines the response strategy. The SOC’s experts continuously analyse events reported by the system and identify potential Cyber-Security risks. Its main purpose is to provide 24/7 monitoring of the information system.

FORENSIC: post-mortem analysis
Recover

Risk is a certainty in cyberspace. If a cyber-attack has been successful, even if security measures were taken, it is crucial to:
• Ascertain what happened and how by collecting evidence and tracing access;
• Audit and analyse the attack. This involves reconstructing the incident, and identifying the damage and residual risks based on evidence collected;
• Organise resources to block and contain the attack as soon as possible in order to avoid it spreading;
• Once the attack has been contained, it is necessary to identify the compromised components, thus enabling the system to be restored to operation.

EBRC’s approach is based on legally-recognised information collection solutions which provide the client with relevant and admissible evidence.

CYBER-RESILIENCE: WHERE DO WE START?
Download our “Cyber-Resilience towards Cyber-Reliance” White Paper: https://www.ebrc.com/en/whitepapers

Author: EBRC
The 5 golden rules for Business Resilience
— Business Impact Analysis: guaranteeing Business Resilience

Companies need a business-based approach to ensure continuity and recovery of their activities if disaster strikes. A Business Impact Analysis (BIA) is crucial, and is a fundamental prerequisite to achieving ISO 22301 certification related to Business Continuity management systems. Christophe Ruppert, Senior Consultant, Lead Implementer & Lead Auditor ISO 22301, Business Continuity Management Practice Lead at EBRC explains.

Business Continuity has proven its worth since the concept emerged in the 1980s, addressing some of the issues surrounding disaster recovery plans. Most efforts have been focused on IT, with the aim of guaranteeing system availability or quick recovery after an incident. However, it is only since the 2010s that the concept has been extended, notably with the BS 25999 standard and the creation of the ISO 22301 certificate. “The scope of Business Continuity is now much wider. Projects are often driven by the board based on a holistic business approach”, said Christophe Ruppert. EBRC, as a Business Continuity expert, supports its customers as they work to improve their Cyber-Resilience.

RULE N° 1 UNDERSTAND THE BUSINESS TO ASSESS THE RISKS
“Understanding how the business operates is a prerequisite of knowing what impacts are possible,” said Christophe Ruppert. “There is much more to this than just system management. First, core activities have to be identified and the related processes understood. Only then can a full Business Impact Analysis be carried out. It is important to understand the potential short, medium and long-term impact should a critical process be halted.”

This first step is to conduct a Business Impact Analysis. This can only be carried out with in-depth knowledge of the organisation to identify which activities are critical and how each employee fits into each process.

RULE N° 2 IDENTIFY CRITICAL ACTIVITIES AND ASSESS INTERRUPTION TOLERANCE
“We conduct interviews to identify critical activities, as well as interdependencies between departments and with external stakeholders,” said Christophe Ruppert. “We challenge teams and managers in each department. Our extensive experience enables us to make an assessment, to define a framework for action, featuring suggestions for best practice. This way the consequences of business interruption can be evaluated for each team and department. Various criteria can be used including recovery time objective (RTO), recovery point objective (RPO), maximum acceptable outage (MAO) and minimum Business Continuity objective (MBCO). Thanks to these indicators, we can define the bearable level of interruption for each department, so that resilience measures can be defined accordingly.”

RULE N° 3 HAVE THE RIGHT PLANS FOR YOUR BUSINESS
Needs can differ from one department to the next. Every process needs assessing individually. “In most cases, decisions are made by senior management as they are best placed to understand the range and severity of different risks. When a major incident strikes, management needs to take hard headed decisions related to the critical nature of each process or database affected. Also relevant is the exposure level of the wider industry and customers”, said Christophe Ruppert. The needs of every team have to be considered when building the critical processes needed to obtain Business Continuity certification.

RULE N° 4 ASSESS THE PROCESSES TO IDENTIFY THE BEST SOLUTIONS
A Business Impact Analysis is at the heart of Business Continuity planning. It involves risk analysis which identifies threats that may interrupt critical activities, and assessing their occurrence probability. “We take the processes, compare them to the threat, and this enables us to achieve the most robust recovery solutions, all the while assessing the resilience of your critical suppliers”, advised Christophe Ruppert.

RULE N° 5 MAKE THINGS EASIER FOR YOURSELF. MAKE USE OF ISO 22301 CERTIFICATION
ISO 22301 certification was specifically developed to enable organisations to benefit from continuous improvement. It is the ideal basis from which to build robust Business Continuity policies and plans. “The challenge is to improve overall business protection by achieving a higher level of understanding of processes and their inherent risks. Thus we ensure that the business is a solid partner for all stakeholders including customers, partners, and the regulator”, said Christophe Ruppert. “Such certification is reassuring and helps reinforce trust in Business Continuity”. EBRC provides support to institutions in the finance, banking, manufacturing and insurance sectors to help them become ISO 22301 certified.

Author: EBRC

Understand the difference between risks and threats
According to Christophe Ruppert, Senior Consultant, Lead Implementer & Lead Auditor ISO 22301, Business Continuity Management Practice Lead, EBRC, many people do not understand the key difference between a risk and a threat. It is common to confuse risk and threat, but it is crucial to understand the difference. Threats can be identified, whether it is the disclosure of information, corruption, intrusion into IT systems or a violent terrorist act. Threats can affect one or more processes, depending on their vulnerability. Assessing risk requires the threats to be identified and their probability defined. It is also necessary to assess the potential impact on the business of each on financial resources, on reputation, and with regulators. This indicates whether risk is low, medium, or high. Using this information and these indicators, the management will be able to choose to eliminate, mitigate or accept the risk.

Christophe Ruppert, Senior Consultant, EBRC
SNAPSHOT OF A TIER IV DATA CENTRE
— An interview with Bruno Fery, Head of Data Centre Services, EBRC

What is Tier IV certification?

In 2005, some clients expressed a preference for being hosted in a Tier IV Data Centre. Back then, although white papers had been published there was no formal certification process. This is why we decided in that year to build the first Tier-IV-ready Data Centre in Luxembourg. Subsequently, in 2013, the Resilience Centre South was certified as a Tier IV Constructed Facility, becoming the very first Data Centre in Luxembourg, the third in Europe, and the ninth in the world to obtain this highest certification level.

WHY OBTAIN TIER IV “CONSTRUCTED FACILITY” CERTIFICATION?
“Uptime Institute’s international Tier IV certification, much like the ISO 27001, ISO 20000 and ISO 22301 standards, enables us to prove the quality of our offering as an IT service provider. This international standard is a prerequisite for growing business with global companies. We need this because EBRC has more than 400 clients from 45 countries. Selecting a Data Centre is frequently the first step taken by clients as part of their strategy for developing business in Europe. Most often it is the base from where central decision-making activities are based. Having certification of that calibre is a clear guarantee of the expertise we have acquired, with this verified by independent audits. Ultimately this saves our clients a lot of time,” explained Bruno Fery. “For example: we set up VALVE’s entire European infrastructure in just a few weeks. EBRC’s Tier IV Data Centres support the gaming technology developed by this firm, the Seattle-based world leader in online gaming. This enabled them to continue offering an optimal gaming experience, with continuous operation and high availability combined with very low latency times. This is thanks to the excellent connectivity available in Luxembourg. Gamers have demanding expectations, and high availability and low latency are often the most crucial requirements. Other industries, such as in the FinTech space, also have similarly high requirements.”

WHAT ACTIVITIES DOES THE DATA CENTRE SUPPORT? HOW DOES IT ACHIEVE THIS?
EBRC offers a range of comprehensive, integrated IT services across six business lines: advisory, managed services, cloud, security, resilience (Business Continuity) and Data Centre. This positioning enables each client to develop their projects from top to bottom, and this with a single provider which is fully versed in the intricacies of each IT component. We have modelled four pathways to meet our clients’ expectations: digital transformation, tailored projects, start-up and innovation, and business development in Europe. Capitalising on our experience this way provides optimised responses and reduced lead times.

EBRC’s offering was initially shaped by the financial sector’s requirement to integrate security “by design” into their infrastructure. This added value has increasingly become a priority in every industry we work with: banking, insurance, other financial businesses, government, e-commerce, health, FinTech, defence, state institutions, and space.

In 2018, EBRC crystallised a cross-cutting approach to Cyber-Resilience offering crisis management and guaranteeing Business Continuity. This approach makes maintaining our clients’ business operations a priority.

Starting with a Business Impact Analysis (BIA), there are seven key steps to the process of continuous improvement: 1. Prepare 2. Identify 3. Protect 4. Detect 5. Analyse 6. Respond 7. Recover

This process is also based on ISO standards.

Cyber-Resilience = ISO 31000 + ISO 27001 + ISO 22301 + ISO 22316

It also uses very sophisticated protection and response facilities such as a CERT and a SOC, both of which EBRC has created internally.

EBRC’s clients manage sensitive data. They must trust their IT service provider fully to guarantee high availability and high performance for their critical services and networks. Over the years, EBRC has developed unique expertise in designing, implementing and operating critical IT infrastructure, delivering on our promises and providing very high levels of resilience and security.

EBRC uses state-of-the-art infrastructure to offer constant availability. Redundant hosting capabilities ensure that our clients’ systems and data are safe in all of our Tier IV certified fault-tolerant Data Centres. They are built to “design and constructed facility” standards.

For our clients, certification issued by Uptime Institute is the sole tangible assurance of quality delivered by their Data Centre service provider.

“A ‘COMMERCIAL’ DATA CENTRE WITH TIER IV FACILITY CERTIFICATION IS A CONSIDERABLE ACHIEVEMENT.”
JULIAN KUDRITZKI, CHIEF OPERATING OFFICER OF UPTIME INSTITUTE

Bruno Fery, Head of Data Centre Services, EBRC
WHAT ADVANTAGES HAS OBTAINING TIER IV CERTIFICATION BROUGHT? WHAT CHALLENGES HAS IT ENABLED YOU TO MEET?
“Communication and procedures," replied Bruno Fery.
Obtaining Tier IV Constructed Facility certification for the Resilience Centre South was quite a challenge. That Data Centre was the first of three to undergo an on-site audit conducted by experts from Uptime Institute. Certification was achieved after auditors conducted breakdown simulations while the system was operational. Our clients were able to follow this certification process. This required close communication between our teams and our clients’ teams, and this experience helped build additional trust. In practice, 63 critical tests were performed over the course of a week.
“EBRC’s Data Centre services team had to work effectively under considerable pressure. In the end, the feedback from our clients was excellent”, said Bruno Fery.
Another successfully completed major challenge involved ensuring that state-of-the-art technology for carbon footprint reduction was in line with Tier IV criteria. To achieve this, EBRC opted to invest in more expensive technologies which are significantly more efficient in terms of energy consumption. EBRC was thus able to reduce its carbon emissions by 10,000 tonnes per year thanks to this investment in new technology.
Our methods are based on Uptime Institute’s principle of Starting with the goal in mind, emphasised Bruno Fery. This was particularly the case when aligning our infrastructures to operational needs; taking into account our clients’ requirements, CAPEX, OPEX and Tier IV objectives. Each test was prepared ahead of the TCCF (Tier Certification of Constructed Facility) process.
Author: EBRC
[Diagram labels: STANDARD OPERATING PROCEDURES; PROCEDURE METHOD; EMERGENCY OPERATING PROCEDURES]
“What most impressed was not the “things”, but rather the human aspect. The most compelling message taken from this EBRC TCCF demonstration is not the technical capabilities of the facility, which are significant, but the commitment of management and the engineering staff. Bruno Fery has truly empowered his engineering staff. All high-performance organisations are committed to the contribution of their human assets to the organisation, and EBRC exemplifies this corporate thinking and culture. I expect we will hear much more about EBRC and its successes.” Ed Rafter, Principal of Uptime Institute, June 2013.
SOME KEY FACTS ABOUT EBRC DATA CENTRES
With five interconnected Data Centres, for a total in excess of 15,000 m² of private and shared server space spread out across Luxembourg, EBRC offers state-of-the-art infrastructures meeting the highest client requirements. EBRC is a Luxembourg-based company offering network connectivity that provides access to 70% of European GDP within a radius of under 500 km. In addition, a direct fibre optic link connects the European Reliance Centre East to SES, the world leading communications satellite operator. More than 70 satellites in two separate orbits (geo-synchronous equatorial orbit - GEO, and medium Earth orbit - MEO), SES provides clients in all industries with video distribution and data transfer services.
COMBINE THE LATEST CARBON-FOOTPRINT REDUCTION TECHNOLOGY WITH TIER IV CRITERIA
Kyoto wheels cooling using indirect air with an adiabatic exchanger as a free cooling system
Use of stored rainwater
IP-Bus topology for UPS capacity components and distribution channels
Racks equipped with aisles channelling cold air in order to optimise energy performance
Natural “free cooling” used and further optimised by pulverised water spray
UPTIME INSTITUTE TIER CLASSIFICATIONS
Performance-based, globally-accepted Data Centre benchmarking system
Tier I: Basic, Non-Redundant
Tier II: Redundant Capacity Components
Tier III: Concurrent Maintenance
Tier IV: Concurrent Maintenance & Fault Tolerance
— Customer testimonial
FULL DIGITAL TRANSFORMATION FOR KBL EPB
KBL European Private Bankers achieved several key digital milestones in recent years. Central to this was a redefinition of their professional platform by deploying the BPO solution of the Lombard Odier group. They also implemented a new technological infrastructure with two new Data Centres in partnership with EBRC. This amounted to a successful alignment targeted at establishing a digital foundation for future growth.
KBL European Private Bankers’ (KBL epb) strategy is to position the group as a European network of banks as trusted partners for their private clients. In the broad context of the internationalisation of the management and transmission of private assets, wealth managers face new challenges and opportunities. Operational performance is key to achieving their ambitions, many of which are focused on increasing proximity with the client. As a result, digital platforms have become vital for building a relationship of trust between private bankers and their clients.
FULL STEAM AHEAD!
The KBL epb group cemented this ambition in 2017 by achieving several milestones. The bank boosted its geographical reach by developing its capabilities in Luxembourg through subsidiaries across Europe. Early in 2017, the KBL epb family expanded to include the Dutch banks Insinger de Beaufort and Theodoor Gilissen Bankiers. Later, the agreement was reached with Société Générale de Banque du Liban for the sale of KBL Richelieu (France) and KBL Monaco Private Bankers.
In a shifting context for business, the financial industry continues to weather regulatory, technological and generational changes. The KBL epb group anticipated some of these thanks to a new IT platform: G2 is used as a BPO service from TBI Europe, a subsidiary of the Swiss private banker Lombard Odier. This was a first for such a large Luxembourg operation.
A NEW COURSE
In January 2016, Banque Puilaetco Dewaay Luxembourg was the group’s first subsidiary to migrate its activities to the new financial services platform. It was joined by KBL Richelieu European Private Bankers in Luxembourg in July 2017. Deployment of the new system will continue with the group’s other subsidiaries.
in the same year and subsequently by KBL
MOVE TO STARBOARD
In parallel, the bank took a strategic decision to obtain a state-of-the-art technological platform. “We redesigned entirely how we organise our services-hub activity for our subsidiaries”, explained Éric Mansuy, Group Head of IT & Operations at KBL epb. "Today, IT and business operations are the foundations of the bank’s future".
Éric Mansuy, Group Head of IT & Operations | KBL epb
THE DATA CENTRE, AT THE HEART OF THE SYSTEM FOR CONTINUOUS IMPROVEMENT
In 2014, the bank had to face some tough facts: significant medium-term investment had to be made to its in house Data Centre infrastructure to maintain high levels of reliability and security. Supported by an audit conducted by APL’s expert services, KBL epb turned to the market leader to consolidate its Data Centre activity, while enjoying significant optimisation of allocated space. At the end of the RFP process, EBRC – European Business Reliance Centre – was chosen. They are sensitive information experts and are specialised in the exploitation and operation of certified Tier IV Data Centres. They were selected to assist the bank in the implementation of the new Data Centre infrastructure to a clear road map. According to Yves Reding, CEO of EBRC: “Transforming a bank’s digital infrastructure is always a particularly delicate and complex operation. Banking relies entirely on IT, and services cannot be interrupted. We are very pleased to have been able to contribute, with the support of our partners, to the success of this IT transformation project. It enables our client KBL to gain new impulse in its core business.”
EBRC IS THE SPECIALIST IN THE MANAGEMENT OF SENSITIVE DATA, AS WELL AS A CERTIFIED TIER IV DATA CENTRE SERVICE PROVIDER. EBRC WAS CHOSEN TO WORK WITH THE BANK TO HELP PUT IN PLACE KBL EPB NEW DATA CENTRE INFRASTRUCTURE.
More than simply relocating Data Centres, the bank also wished to make a technological leap. The analyses conducted by the KBL epb teams, EBRC and their partners showed that the rejuvenation of servers, networks and storage systems could take place directly in the new Data Centres. “New in new, smiled Éric Mansuy. The aim is therefore to implement the new equipment in the new rooms dedicated to KBL epb. At one time, four Data Centres were interconnected: KBL epb’s two historic Data Centres and EBRC’s two new Tier IV sites”, said Eric Mansuy. This solution provided much greater latitude to the project aimed at relocating the infrastructure. Associated costs were controlled because they were accounted for in the project plan and helped by the flexibility of the EBRC model.
“Together, we looked at several alternatives for the Tech-Refresh”, said Éric Mansuy. “We ensured that there was a balance between our ambition, the benefits inherent to introducing new technologies and the desire to control the risks linked to the project. We therefore adopted a prudent approach, combining a physical move with the partial reengineering of the technological platform. The outcome has validated our approach. There are now richer technological opportunities, in particular with the emergence of cloud services.”
MOVING FORWARD
Many challenges needed to be confronted during the KBL epb computer centre migration project. Part of this was a move away from the use of mainframe technology, as well as the legacy archival robot. Those additional challenges, when faced together, created conflicts of interest between individual strategic projects. Thanks to the full backing of the executive committee, it was decided to move ahead with the twin aspects of this project.
“The most remarkable thing about this project was that we kept to the strategy developed during our discussions in 2014. We did not deviate from the initial ambition by one iota. Our requirements were clearly understood, that the BPO project could not in any way be affected by the technological project”, said Éric Mansuy.
STAYING THE COURSE
Consistency and rigour were two of the qualities of EBRC and its partner for this project Anidris. “If we had to do it again, we would choose the same partners, without any doubt”, said the group head of IT & Operations at KBL epb. Their strength lay in the rigorously followed guidelines. Even following the six changes of location needed for the bank’s two Data Centres, commitment and energy levels remained high and never faltered.
Thoroughness is a desirable fault in this type of complex project. The teams benefitted from the necessary time upstream to cope with each unforeseen event. “Our partners had real expertise and we never felt as though we were left alone to face open questions. Each point was raised and detailed with care”, said Éric Mansuy.
The climate of trust built by the team through their clearly professional attitude at all levels, was crucial to successful completion. “The project benefitted from everyone’s high levels of motivation. This was strengthened through consistent communication and controlled execution. Challenges were overcome using a results-based approach, and I am certain that the chemistry between the teams made this possible”, said Éric Mansuy. The bank’s teams are proud of having successfully completed such a large project; a once-in-a-lifetime career opportunity.
Since the project’s completion, KBL epb has much more than just new Data Centre infrastructure. The group is now better prepared to confront opportunities provided by digital and to promote the private bank’s image across Europe.
Author: EBRC
ONE OF THE QUALITIES OF EBRC AND ITS PARTNER ON THIS PROJECT ANIDRIS WAS THEIR CONSISTENCY AND RIGOUR. "IF WE HAD TO DO IT AGAIN, WE WOULD CHOOSE THE SAME PARTNERS, WITHOUT ANY DOUBT." SAID THE GROUP HEAD OF IT & OPERATIONS AT KBL EPB.
EBRC, THE PARTNER OF YOUR IT TRANSFORMATION
Making digital an asset for meeting new business challenges and improving agility. Strengthening IT security in order to achieve the highest level of Cyber-Resilience with EBRC’s certified experts. Gaining easy access to the range of integrated services offered by EBRC Trusted Services Europe. This will bring regulatory compliance (PFS), professional certification (PCI DSS) and international standards (ISO 27001 and ISO 20000).
FinTech at the Heart of Digital Europe
— By Jean-François Hugon, Head of Marketing, EBRC
The financial sector is preparing for digital transformation against the back-drop of strong competition among FinTechs. They are working to reinvent processes and developing new B2B and B2C uses. Data protection has also come to the fore (not least via GDPR), meaning IT risks could now have bigger impacts on businesses. Brexit is a further risk factor for the European financial sector in general and certain FinTechs in particular.
SEEKING STABILITY AND TECHNICAL EXPERTISE
Faced with these diverse concerns, it is striking how the countries which were already attractive due to their professional know-how (banking, finance, insurance...) decided to become fully equipped, value adding ecosystems by hosting systems, applications and platforms. Luxembourg has undeniably taken this route, understanding long ago the importance of major investment. The result of this strategy is that this small country has become a leading player on the European stage.
In addition to the geographic location of the country at the heart of Europe, the Grand Duchy is at the crossroads of several high-speed digital highways. This extensive network infrastructure offers very low latency for connections between different countries, and this is a further essential advantage in this sector. These characteristics, in combination with highly efficient technological infrastructures, were the prerequisites for turning Luxembourg into the ideal hub for European FinTechs. Alongside this, we must add the high level of collaboration between players in this sector. Working together helps to make large-scale projects easier to realise.
A POWERFUL FINANCIAL CENTRE
Luxembourg offers additional advantages for FinTechs thanks to its globally significant cross-border financial strategic sector. The country is the world’s second biggest centre for investment funds, is a major wealth management player, is a specialist in cross-border insurance, and hosts many other niche sectors. Entrepreneurs therefore have access to a comprehensive local ecosystem of experts and infrastructure. This is a unique position for FinTech to enjoy, operating at the intersection of an experienced technology with the added know-how of a range of financial professionals. Financial businesses are regulated either by the CSSF (Commission de Surveillance du Secteur Financier) or the CAA (Insurance Commissariat) which both have reputations for rigour allied with a willingness to support business growth and innovation. Luxembourg thrives partly thanks to a reputation for a high level of regulatory compliance, part of which involves meeting rigorous international standards related to client data confidentiality.
Thanks to this strict, business-friendly framework, any new idea has an excellent chance of success. CEOs regularly mention the ecosystem as being a key positive reason for deciding to move to Luxembourg. The result is a true land of opportunity that is well placed to attract numerous start-ups and European FinTech players over the long-term. The current wave of innovation will contribute to establishing the country as one of the most competitive and attractive places to do business for digital start-ups.
Author: EBRC
Jean-François Hugon, Head of Marketing | EBRC
TIER IV FACILITY CERTIFICATION
Since the year 2000, EBRC offers its clients 100% availability in its certified Tier IV facility and design Data Centres. Awarded by Uptime Institute, this certification defines the optimal level of security for IT infrastructure and guarantees a 99.995% rate of availability, i.e. less than 26 combined minutes of downtime per year.
USING BLOCKCHAIN TECHNOLOGY FOR COMPLIANCE BY DESIGN
Most financial regulators are still cautious about applications using blockchain technology, such as ICOs (Initial Coin Offerings). Yet, full observance of compliance rules can be ensured through a specific ecosystem of smart contracts implementing compliance at source. By defining standards for ecosystems of “compliant by design” smart contracts, Luxembourg’s financial sector could take advantage of new opportunities offered by the technology, while also strengthening the financial centre’s reputation for reliability and compliance.
Discussions about blockchain technology and crypto-currencies often focus on their wrongful use. These technologies’ detractors and sometimes the authorities point negatively to the fact that these new ways of exchanging assets and investments are not supervised by the usual regulatory mechanisms. “The regulators did not have much room for manoeuvre with regard to many of these applications, particularly Bitcoin. Auditing mechanisms such as KYC, AML and the forwarding of tax information were simply non-existent,” noted Fabrice Croiseaux, CEO of InTech, a Digital Services company involved in several blockchain projects in Luxembourg and beyond. "This raises questions and requires warnings to be made to investors with no protection in place. It is crucial to provide structural responses to these issues, and some financial centres have already begun this work. For example, the Paris financial centre has set an ambition of becoming a centre for ICOs. Deep understanding of the components of blockchain technology and the possibilities it offers will enable us to provide efficient solutions in line with regulations. More, the technology makes it possible to create “compliant by design” environments which would create major first-mover advantages.”
Fabrice Croiseaux, CEO | InTech
COMPLIANCE “AT SOURCE”
While the General Data Protection Regulation (GDPR) has popularised the concept of “privacy by design”, blockchain technology could take us into an era of “compliance by design”. The technology could be used to systematically guarantee that transactions meet the regulator’s standards. “Compliance is currently verified after the fact using reviews and audits. Blockchain technology incorporates these checks from the outset. A suitable ecosystem of smart contracts can ensure that transactions are compliant with requirements currently in force. Once the ecosystem has been established, and permanently incorporated into the blockchain technology, it becomes unalterable and enables information to be traced easily. At that point, a guarantee that transactions will comply with all requirements before being validated can be provided”, said Fabrice Croiseaux.
BUILDING TRUSTED ECOSYSTEMS USING SMART CONTRACTS
The challenge lies in building regulated and trusted ecosystems using blockchain technology. Luxembourg has many new opportunities, in particular as regards hosting Initial Coin Offerings (ICOs): a method for raising funds by tokenising an asset and organising a pre-sale to finance the project. The CSSF has clarified the rules applicable to these new practices. Although stating that it was prepared to review all projects submitted to it in this field, it also pointed out the extent to which such an endeavour could be likened to the marketing of investment products. Thus an ICO could therefore be subject to financial regulation. It also warned potential investors of the inherent risks related to the lack of regulation. European regulators have adopted a rather cautious attitude to these new practices, emphasising the risks over the opportunities. Perhaps advisedly.
COMPLIANCE WOVEN INTO BLOCKCHAIN
Blockchain technology can provide more robust guarantees with regard to in-chain transaction-regulation compliance. “For instance, the regulator could accept an ICO if the smart contract driving its implementation also contains systematic checks. These could be carried out prior to the acceptance of transactions for the trading of tokens", said Fabrice Croiseaux. "By validating such an ecosystem, the regulator could be assured that KYC and AML measures were being carried out by an accredited, trusted third party. As regards the taxation of ICOs, a smart contract could trigger withholding tax to be deducted directly when capital gains are achieved.” Almost anything of this nature can be coded into a smart contract. “This would help to alleviate a significant portion of the tedious administrative auditing work, it could make fraud impossible, and would provide protection to the financial institution, the investor and the state. These would be inviolable, regulated, trusted ecosystems,” said the CEO of InTech.
ATTRACTING BLOCKCHAIN PROJECTS TO LUXEMBOURG
The stakes are high. “Compliance by design models would make it much easier and more attractive to have compliant ICOs in Luxembourg. This would improve how the financial centre is viewed by international stakeholders, thus helping the development of business based on these new practices”, explained Fabrice Croiseaux, CEO of InTech. He sees even more possibilities ahead. “To the extent that such ecosystems would guarantee new budgetary revenues which would be paid automatically to the state while facilitating lower cost regulatory checks, they could be used as a means of offering more attractive taxation for these specific financial products”, he said. Positioning Luxembourg as a pioneer in the field of compliant ICOs would encourage the development of new business opportunities. This would come with reliable guarantees to European regulators, investors and entrepreneurs in the field of blockchain technology.
MANY POTENTIAL APPLICATIONS
This is just one example of potential new applications for the technology. There are also many possibilities for guaranteeing compliance with regulations in financial and non-financial contexts. “The challenge now lies in enabling such ecosystems to emerge. The Eddits.io platform, for instance, enables holders of an address on the Ethereum blockchain to link it to their existing digital identity via LuxTrust. This enables new applications and services using blockchain technology to be offered, such as e-commerce solutions, KYC or AML features, and more. These environments enable better checks to be carried out and offer improved trust and security. Although the technology seemed to be able to replace trusted third parties, we now find that it is necessary to re-integrate them into the value chain in another way. This helps ensure guaranteed compliance by design that is less costly to implement.”
Author: Sébastien Lambotte, ITnation Magazine - Summer 2018
EBRC AND INTECH, MEMBERS OF THE BLOCKCHAIN
The Infrachain initiative brings together companies which support the development of blockchain based solutions. The initiative forms working groups open to any interested stakeholder for the purpose of developing best practices across different sectors. The Luxembourg government aims to “set up a governance structure, implement a common technical basis and make infrastructure compliant with the legal framework in force in order to foster trust for end users and investors.” (source: IT Nation.lu, November 2016).
i-HUB, MUTUALISED KYC CONTINUOUS MANAGEMENT PLATFORM
i-Hub uses a continuous management platform to offer end-to-end maintenance of KYC (Know Your Customer) records. A unique solution developed within the ecosystem of the POST Luxembourg group, and run by EBRC.
As a “KYC Utility”, i-Hub was launched in December 2018 in collaboration with a major Luxembourg bank. Other stakeholders such as fund managers and transfer agents soon expressed an interest. The platform, the only one of its kind, enables the outsourcing of continuous updates and the mutualisation of KYC records. It has attracted much interest due to the increasing cost of regulatory compliance and the growing penalties for the lack of vigilance. Data will always be at the heart of financial activities, and more specifically of regulated activities. The data related to individual or corporate clients is undeniably of key strategic value, and ensuring it is reliable and up-to-date is a major security challenge. Beyond the obvious business aspects, complying with various regulations has cost steadily more since the 2008 financial crisis. Laws against money laundering, terrorist financing, corruption and fraud require a high level of vigilance. In particular, regulated bodies have to be able to identify, verify and categorise customers according to their risk level. In this, they rely on their own internal risk management policies before dealing with any new customer, and during the on-going relationship. “The challenge for the financial service industry is to be able to use the data, be it already available or to be acquired. The goal is to meet the requirements of the most stringent regulators and improve the services offered to their customers,” explained Pascal Morosini, CEO of i-Hub. And for good reason: the costs of acquiring and updating data, carrying out compliance checks and drawing up regulatory reports continue to increase.
Pascal Morosini, CEO | i-Hub
i-HUB OR THE PRINCIPLE OF MUTUALISATION
This context is the i-Hub working environment. It is a subsidiary of POST Luxembourg, and was created in 2016. The principle is simple: the highly-secured platform makes it possible to centralise and mutualise documents and data management for customers from regulated bodies. Services include the collection, verification, validation, continuous management and storage in digital format of identification data. The platform is easily accessible for regulated institutions and end customers.
“i-Hub eliminates the need for those institutions and their customers to provide several copies of the same documents to different counterparties,” said Pascal Morosini. The platform significantly reduces risk and inefficiency thanks to a robust and resilient control environment in which data and documents are categorised according to the required level of vigilance. In practice, it saves both time and money, while also improving the accuracy of the data and documents. This enables professionals to focus on controls, analysis and their core business by outsourcing to a specialist.”
i-HUB IS A UNIQUE PROJECT, DRIVEN BY POST LUXEMBOURG, TAKING ADVANTAGE OF THE SKILLS OF ITS VARIOUS SUBSIDIARIES, INTECH, VICTOR BUCK SERVICES, EDITUS, POST TELECOM AND, OF COURSE, EBRC.
FOR THE FINANCIAL SECTOR AND OTHER REGULATED BODIES
i-Hub improves the collection processes of customer identification documentation, offering significant operational effectiveness. This is a welcome progress compared to the often tedious, paper-based customer registration processes. “We are able to offer a single, digital and secure KYC record to institutions such as banks, insurers, management companies, securities depositories, and others. This reduces considerably duplicated efforts for those institutions and their customers,” said Pascal Morosini. "Moreover, end customers can control where and when their data is shared. They do this via the platform and an app, in accordance with GDPR criteria. In other words, customers are able to check personally which identification data institutions have about them, and can update that personal data directly, upload documents, and more.”
Pascal Morosini emphasises the advantages benefits of outsourcing a continuously-managed KYC record maintenance service, coupled with the advantages of mutualisation. Together this distinguishes i-Hub from other KYC solutions. “Thanks to the constant monitoring of updates to data and documents in a controlled and standardised environment, i-Hub helps its customers (regulated professionals) manage costly recurring remediation plans.”
GUARANTEES BY STRONG PARTNERS
i-Hub also guarantees the best hosting and security conditions in Luxembourg through EBRC. EBRC has the status of a PFS support (Professional of the Financial Sector) meaning its activities are supervised by the financial regulator, the CSSF. “Due to the nature of the business, we are required to provide the highest guarantees in terms of security", said Pascal Morosini. “Although the service is mutualised, it is not in the public cloud. We chose the ‘on premise’ method in Luxembourg, in EBRC’s certified Tier IV Data Centres. Access to the platform is also protected thanks to an authentication method involving LuxTrust. And although blockchain technology was initially considered, it was dismissed due to the importance of the ‘document repository’ function. Along with our partners, InTech and EBRC, we selected the most appropriate technology which enables optimal support for the business, guided by the experience of our compliance officers. We are pleased with this choice.” In this sense, i-Hub is a unique project addressing the increasingly pressing issue of managing KYC. It is a product from POST Luxembourg, taking advantage of the skills of its various subsidiaries, InTech, Victor Buck Services, Editus, POST Telecom and, of course, EBRC.
Author: Alain de Fooz, Soluxions Magazine and EBRC
Solution Powered by EBRC
DIGITAL
A NEW DEFENCE AGAINST RAPE AS A WEAPON OF WAR
The “We Are Not Weapons of War” project is an aspect of the “Tech for Good” programme driven by the ShareIT platform from Station F in Paris. InTech and EBRC are proud to support this initiative which uses digital to combat the proliferation of sexual violence during armed conflicts. A secure digital platform will be implemented to facilitate the gathering of evidence of these heinous crimes to help victims and assist legal processes.
A PLATFORM FOR REPORTING PROBLEMS
the transfer of documents and photographs,” explained Fabrice Croiseaux, CEO of InTech. "It is important that these documents cannot
The We Are Not Weapons of War (WWoW)
In the context of ShareIT, after working with
be intercepted. The solution uses a range
NGO was founded in 2004 by Céline
InTech and EBRC, WWoW designed a new
of technologies (including blockchain) to
Bardet, a legal expert and an international
application. “The goal is to provide a robust
guarantee the integrity of the reports and
investigator specialised
in war crimes.
reporting tool to victims or eyewitnesses,”
documents being transferred,” he added.
She works extensively in conflict zones, often
said Céline Bardet. “The individuals involved
where basic infrastructure is lacking, let
can then choose whether to make a report or
alone sophisticated digital ICT networks. “I
not, but in any case, the information is neither
ENSURING THE PROTECTION OF CRITICAL INFORMATION
meet victims with the key goal of collecting
stored nor visible on the victim’s device. When
The platform is hosted in EBRC’s Data Centres
information that may help prosecute the
a report is filed, we receive an alert in Paris,
in Luxembourg, a good option given its spe-
perpetrators of violence and crimes against
and we can then implement procedures to
cialisation in the management of sensitive in-
local people”, she explained. In recent
help. This might range from contacting local
formation. Its expertise ensures the protection
years she has focused on sexual violence
medical services to building an international
of the transferred data and the integrity of the
perpetrated as part of conflict. “There are
legal case. The goal is a global solution with
received documents, guaranteeing their ad-
numerous problems to overcome. First of
local impact,” she added.
missibility for court proceedings which may
all, armed groups keep a watch on victims
take place several years after the events. “Our
of movement, even to the point of being
A SIGNIFICANT SECURITY CHALLENGE
unable to visit a doctor. Following these
WWoW relied on the expertise of InTech
by developing expertise in the management
acts of physical and psychological violence,
and EBRC to create this platform. The two
and protection of sensitive data, thus ensu-
there is also a risk of being stigmatised and
Luxembourg-based
developed
ring the security and availability of the ser-
shamed within the community, and this
the solution to meet WWoW’s specific
vice,” said Yves Reding, CEO of EBRC. “This
prevents victims from speaking out”, she said.
needs. “Security is a significant challenge.
project handles extremely critical data on
WWoW provides information about rape as
Eyewitnesses and victims must be able to
which lives depend. By offering the potential
a weapon of war, guides local institutions
make reports in a confidential manner, so the
for victims to achieve justice, we are reacting
throughout the judicial process, and supports
interface was designed to be both easy to use
to one of our core values: helping partners be
victims by working through their trauma and
and to ensure no trace of the information is left
resilient in the face of attack. At the heart of
rehabilitation.
on the device used. As well as being used to
this is safeguarding key information.”
who as a result often enjoy little freedom
TECHNOLOGY TO HELP VICTIMS
companies
report sexual violence, it enables supporting information to be communicated, including
mission has always been to generate confi-
BY OFFERING THE POTENTIAL FOR VICTIMS TO ACHIEVE JUSTICE, WE ARE REACTING TO ONE OF OUR CORE VALUES: HELPING PARTNERS BE RESILIENT IN THE FACE OF ATTACK. AT THE HEART OF THIS IS SAFEGUARDING KEY INFORMATION.
dence in digital services. In particular this is
Author: Sébastien Lambotte, ITnation Magazine - Spring 2018
“The often severe physical, social and psychological restrictions on victims make it difficult to report these despicable acts and, ultimately this hinders the prosecution of those responsible," said Céline Bardet. The
service of this humanitarian cause. “Contrary
EBRC, PARTNER OF SHAREIT AND THE "WE ARE NOT WEAPONS OF WAR" PROJECT, WAS A CO-RECEPIENT OF THE “ETHICAL” PRIZE PRESENTED AT THE 2018 “TROPHÉES DE LA TRANSFORMATION NUMÉRIQUE” AWARDS IN PARIS
to the preconceptions of some, many people
Through ShareIT and the project developed for WWoW, InTech and
in these conflict situations have access to
EBRC demonstrated that digital can be used to innovate and respond
high-speed mobile networks and can use
to a variety of human challenges. “This project provides evidence
tablets and smartphones. I believe better use
that the ecosystem of digital stakeholders gathered around ShareIT,
could be made of the technology to collect
including the two Luxembourg-based players, can use technology to
and secure witness statements related to
add value to efforts that support a crucial global cause,” concluded
alleged crimes, to the ultimate benefit of
Yves Reding.
legal expert and social entrepreneur wants Solution Powered by EBRC
to remedy this by using digital technologies. WWoW has joined the ShareIT incubator in Paris, with the goal of using digital in the
victims”, she explained.
MEDICAL BIOLOGY, A “HIGH VOLTAGE” SECTOR
Solution Powered by EBRC
THE LUXEMBOURGISH LABORATORY BIONEXT LAB RELIES ON THREE STRATEGIC APPROACHES TO BOOST GROWTH: DIGITISATION, SERVICE HARMONISATION AND VIRTUAL REALITY.
DIGITISATION AND HARMONISATION OF VIRTUAL REALITY SERVICES
Improving the quality of care provided to patients, optimising the services put at the disposal of medical staff, coping with growing pressure on budgets, are all areas in which the medical biology analysis sector is making a positive difference. Here we focus on myLAB®, a digital health ecosystem developed by BioneXt LAB. It is a medical analysis laboratory and an open-ended communication interface between health professionals and patients.
For Dr Jean-Luc Dourson, Founder and General Manager of BioneXt LAB, medical biology is a sector with a highly promising future. “Medical analysis is a key element of the healthcare process, with medical biology and laboratory analysis contributing to disease diagnosis and treatment monitoring in nearly 70% of cases.”
Private medical biology is nonetheless a highly competitive sector, with particularly strong price pressure. New regulations have led to a significant drop in the number of prescriptions being issued. “Even if the nomenclature of analysis laboratories had to be revised (because it had become outdated in structural and medico-technical terms), it is still so complex that it is nearly impossible for a doctor to know whether the tests he or she prescribes will be reimbursed by the health insurance scheme,” Dr Dourson continued. Apart from the fact that medical analysis laboratories have no alternative but to invoice the patient for the share of the treatment not reimbursed by the CNS (Luxembourgish health fund) under the third-party payment system, the new prescription rules are also detrimental to the doctor’s freedom of therapeutic choice.
ELECTRONIC PRESCRIPTION AS A RESPONSE TO INCREASINGLY COMPLEX NOMENCLATURE
BioneXt LAB has just integrated electronic prescriptions into myLAB®, its open-ended communication interface that links laboratories, doctors, health professionals and patients. The Founder and General Manager of BioneXt LAB commented: “EBRC’s solution ensures that the IT infrastructure of our laboratory works efficiently, meaning we can provide reliable, highly available service to our doctors and patients.” Doctors can henceforth generate an electronic prescription based on the nomenclature rules in force. The cost for the patient is automatically calculated, and payment agreements for patients and any other consent forms are likewise generated automatically. The relevance of the myLAB® solution is already reflected in its integration into medical practices’ software environments.
NEW TESTING SERVICES WITH PICKEN DOHEEM
BioneXt LAB uses a collaborative approach to deploy an analysis tool and related services which are part of its on-going improvement process regarding its service to patients. This is how “Picken Doheem” emerged: the first and only free of charge home mobile blood test service in Luxembourg. “After the modernisation process, we decided to bring all testing services linked to BioneXt LAB under the “Picken Doheem” banner. With “Picken Doheem”, you can be tested wherever is most convenient: at home, at work, or in one of our 40 test centres,” said Dr Dourson.
VIRTUAL REALITY FOR THOSE WITH NEEDLE PHOBIA
Research shows that around 5% - 10% of us suffer from varying degrees of trypanophobia: the fear of needles. For these people, a blood test is often a real ordeal. To help, Picken Doheem equipped its blood test centres (Luxembourg Belair, Heisdorf and Schifflange) with virtual reality helmets. BioneXt LAB partnered with Oncomfort, a start-up specialised in virtual reality tools for clinical purposes. Together they developed a multilingual application, including Luxembourgish and Portuguese options. This anxiety and pain management solution combines approved treatment approaches and virtual reality, and resulted in an 82% reduction in emotional stress experienced during blood tests. An application specially designed for children carried out blood tests in two minutes without the child noticing anything.
A SECTOR WITH A FUTURE
“Whether in terms of abruptly changing economic constraints, or the galloping pace of technological progress, the medical analysis sector faces many challenges. Medical biology is a sector with a strong future given its growing importance in medical diagnosis and as new technologies are integrated. At BioneXt LAB, we have decided to consider this particularly challenging environment as an opportunity to make a difference. This is thanks to the relevance of the solutions and services we provide to doctors and patients. Our digital transformation is in line with the 4P medical model: preventive, participatory, predictive and personalised. The added value of the tool is how it allows for an expanding patient base, but mainly regarding the improvement of care provided to patients. We are all concerned as potential patients ourselves”, concluded Dr Jean-Luc Dourson.
BioneXt LAB is a Luxembourgish medical biology analysis laboratory. Since 2nd June 2017, BioneXt LAB has been equipped with a new technical analysis platform that can cover every medical biology need and comply with the latest changes in quality standards.
BioneXt LAB uses this platform to carry out laboratory tests for in-patients at Emile Mayrisch Medical Centre and across the Picken Doheem network.
BioneXt LAB is characterised by a cooperative approach geared to deploying analysis tools and related services. The ultimate aim is to improve the care provided to patients by the clinician.
“Our laboratory deals with highly sensitive health data. With EBRC, we have a reliable partner who understands the specific challenges of our business,” says Dr Jean-Luc Dourson, Founder and General Manager of BioneXt LAB.
Author: EBRC
5, rue Eugène Ruppert L-2453 Luxembourg www.ebrc.com/contact