How Financial Firms Can Better Meet FCA and ICO/DPA Technology Guidelines

Posted on Thursday, October 31, 2019

The financial industry is driven by technology. In fact, today it is completely reliant on it. If a financial organisation doesn’t have the proper and most up-to-date technology to support their service, clients will leave without question to find a better service elsewhere. And as quickly as technology changes, organisations need to be constantly aware of their competition and remain vigilant in order to stay ahead of the curve. 

With the threat of hackers and cybercrime, it's also clear that the financial industry needs regulation relating to how it uses technology, and there are a number of rules and bodies that financial firms must comply with.

Particularly in discussion are the Capital Requirements Directive IV (CRD IV) and the Alternative Investment Fund Managers Directive (AIFMD), which govern the UK’s alternative investment firms. In addition to those two directives is the Financial Conduct Authority (FCA), which, in conjunction with the Information Commissioner’s Office (ICO), not only governs technology but also enforces the Data Protection Act (DPA). 

Caught between the need to be competitive and the need to be compliant, enterprises will find a mixture of mandatory requirements and recommendations. With so much left open to interpretation, it is extremely important for businesses to understand what is required of them. One of those relatively recent expectations is that financial firms demonstrate responsibility and are willing to address and mitigate any risks that arise from the use of their systems and the storage of data.

There are six key ways that alternative investment firms, and professional services companies supplying services to regulated firms, can boost their ability to meet the guidelines for using technology while also meeting ICO/DPA or FCA regulatory guidelines.

TAKE INITIATIVE STARTING AT THE TOP

A struggle that many businesses face in regard to compliance with any set of regulations is a failure to set an example in the C-suite. If the CEO doesn't effectively relay the importance of compliance, the CFO won't either. If the CFO doesn't, the COO won't. If the COO doesn't, management won't. If management doesn't understand or care about compliance, staff won't either. It starts at the top: the board needs to set high standards for the organisation while also abiding by those standards and showing the rest of the organisation how they're expected to comply as well.

The board needs to create a culture of compliance and show that there is no tolerance for security breaches. The board should never get too comfortable and assume that they are immune to cyber-breaches and regulatory fines. Instead, they should realise that threats are around every corner. This sense of urgency is even more vital when third parties are dependent upon you. There are many steps to take in order to accomplish this, and they’re mostly based around putting policies and procedures in place and training staff accordingly. 

KEEP YOUR SOFTWARE UPDATED 

Outdated software is much more dangerous than it may seem. Besides reputational risks associated with data breaches, organisations have to deal with the risk of hefty fines related to the GDPR. The ICO has issued fines to many organisations for failing to take reasonable steps to prevent hacking. Yet, too many organisations still fail to update their software, leaving vulnerabilities that are easily exploited by cyber-criminals who, in turn, hold hostage or sell their data.

Maintaining up-to-date software and making sure you have the most current version is the easiest way to prevent cyber-threats. It can be as simple as regularly patching software when updates are made available. Typically, IT staff are informed of the need for patching by the software vendor itself, so there is no excuse for not updating. Don't make the mistake of putting it off either: enabling automatic updates, or setting a schedule for your IT team to apply them, closes a door that would otherwise be left wide open for a hacker to exploit.

REVIEW BOTH STAFF AND PHYSICAL SECURITY

What started simply with providing staff with physical keys to locked doors has now evolved into using intelligent security systems that can even recognise the identity of someone based on something as high-tech as a retinal scan. While you may have a high-tech security system to physically keep intruders out of your organisation, the biggest threats may already be inside. In fact, you likely hired them. Your employees are human and can easily make mistakes that lead to security breaches. As such, the following security measures are vital: 

  • Enforce strict password policies. Don't allow employees to use the same combinations of usernames and passwords for personal and company accounts. If a hacker gets access to one of your employees' personal accounts because of their lack of diligence in regard to security, it is your problem too when the same username and password combination is used to access your network. A username and password alone should no longer be enough to grant access to a network. Employees should also use two-factor authentication, which requires a unique one-time code at every login.
  • Prevent mobile data loss. Data losses caused by employees copying data to a USB stick, or even to their own laptop, and then losing it are too frequent. Consider only allowing employees to download information to secure devices that are managed by your organisation. Encrypting data is important too, so that it can only be accessed by the person authorised to access it, not by someone who intercepts it maliciously.
  • Monitor communications. Archive all email and record all telephone calls (with prior consent/notification). Also, although recording network activity is more for internal security than FCA compliance, some organisations make a point to do this. 
  • Consult with human resources to review any policies that may affect or be affected by security. Such policies include processes for:
    • Recruiting
    • Onboarding new hires
    • Training 
    • Disciplinary processes
    • Termination 
    • Multi-factor authentication
    • Working off-line with company data
    • Working online with encrypted data
    • Communications and activity monitoring

DOCUMENT EVERYTHING, AND REQUEST THE SAME OF THIRD-PARTIES

Keep on top of all network documentation and make sure it is easily accessible if needed or requested. This type of documentation should include:

    • How data is secured
    • Who has access to what information
    • What the procedure is for updating software
    • Any backup procedures in case the normal procedure can’t be used
    • The disaster recovery plan

One specific reason to document everything is that, before starting business with your organisation, external firms may submit a request for information (RFI). Organisations that are mindful of today's security threats will include questions about IT security and whether software is kept updated. In turn, your organisation should do the same with any business it considers working with. You can even start doing this with partners with whom you've already established working relationships.

While demonstrating that your organisation is responsible is good for business, it is also convenient in case someone requests it of your firm, and it reassures anyone you do business with (whether internal or external) that processes have been thought through and you've done your due diligence. What's more, you can pass all that documentation to the FCA easily if necessary.

ASSUME DISASTER WILL HAPPEN, AND PLAN FOR IT

Having a disaster recovery plan and a business continuity plan in place is important, but when creating them it is even more important that you take them seriously, on the assumption that disaster will happen. While there is no one correct way to create these plans, the two are closely related. Think of every possible thing that could go wrong, no matter how uncomfortable it may be. Ask how long your business can afford to be offline should disaster strike. Decide the maximum amount of time you can tolerate being out of business or offline and then work from there, considering the following points:

  • Back up data online or in the cloud. Don’t use back-up tapes. When tapes have to be physically taken off-site in order to be backed up, it opens the door to the risk of loss. In fact, companies have been fined for losing back-up tapes. What’s more, tapes are expensive and their mechanical nature makes them prone to failure. Online backup in the cloud is what more organisations are moving to due to its better security and reliability. 
  • Retain data in accordance with FCA data-retention rules. Keep in mind that legacy data should be kept out of the way but still accessible, and design your hierarchy of storage guidelines with that in mind. The following table lists the minimum retention periods.

FCA Data Retention Periods

    Record type                               Retention period
    Electronic and Telephone Communications   6 months
    Legacy Data                               2 – 5 years
    MiFID                                     1 – 5 years
    All Other Financial Records               3 – 6 years
    Record of Election to Comply              Indefinite
    Emails                                    6 years

  • Identify single points of failure. These can include servers, your network and power sources. Start by considering anything that there is only one of. For example, a whole office would be one single point of failure. To counter the risk of losing that entire site, it could be easier to replicate your data at another site. Then consider how far away is far enough.  
  • Put thought into the data replication site. Many UK businesses consider a distance of 50 miles to the data replication site to be appropriate, keeping in mind that the potential for disaster is the main thing to consider when determining how far it should be. Having multiple replication sites can provide even more protections. Be sure not to forget about including telephone systems as well. 
  • Document disaster recovery plans. As mentioned previously, the importance of having a disaster recovery plan cannot be overstated. Be sure to document it and include information such as:
    • Who should be responsible for instigating the plan
    • Where the recovery site is
    • How employees are notified
    • The ideal time it should take before the business can return to operations (the recovery time objective) 

CONSIDER USING AN EXTERNAL AUDIT

What better way to test your security than to ask someone from the outside to do it? It is wise to assess your network and processes using ISO 27001 as a guideline, given that it is ISO's information security standard. In regard to who should do the audit, consider the following:

  • An external IT partner, if you have one, can check your organisation’s credentials. Be sure that the external partner is accredited and knows it needs to adhere to industry best practices. 
  • An internal IT team can be used, but you should still receive a second opinion by an accredited company, as they will be knowledgeable in many areas but may not be aware of threats and security gaps they’ve never dealt with before.
  • Penetration testers can stress test your system using a group of professionals who act as hackers to gain access to your network, data and servers. 

REVIEW PHYSICAL SECURITY

Just like you can have internal processes and systems audited, you can also have the physical security of your site audited. Some things that will be looked at during a physical audit include:

  • Who has access to the office, including security guards, cleaners and guests
  • Whether workstations are locked when not in use
  • Who has authorised access to the server and/or data centre
  • Whether there are access control records that document who enters and exits the premises

You should also consider using an off-site data centre as a means for mitigating physical security risks. 

Make sure the data centre is accredited to ISO 27001. It is also important to keep data sovereignty in mind when evaluating what off-site data storage centres to use. 

Like with anything, don’t assume that the legislation will stay the same. Organisations have to be prepared for changes in legislation in an ever-shifting landscape. 

About Mustard IT, your technology compliance partner

Mustard IT are a trusted team, experienced in compliance and able to explain complex issues to you in a language you’ll understand. Contact us today to find out how we can help you.