Last month I looked at some of the high level issues that were raised by the FSA’s Financial Crime unit in their recent examination of data security. I believe this issue is so important it is worthwhile revisiting to highlight some additional issues that may not be immediately obvious to adviser firms but that could impact on their businesses.
It is important to recognise that the FSA has made it clear that it sees it as essential for firms to have a policy of actively encouraging staff to come forward and identify where client data has been put at risk. In such circumstances the regulated firm is expected to contact the affected clients, help them understand what steps they should now take to protect themselves, and bear the cost of any action taken to protect them. The report puts the typical cost of such remedial action at £55 per client record. A significant loss of data involving a group arrangement of even modest size could therefore leave advisers facing considerable additional costs, and this is an issue firms may want to raise with their PI insurers. The FSA has said it expects advisers to take such action, but in the days of principles-based regulation there is no explicit Conduct of Business rule requiring it. It would therefore be interesting to understand how insurers might react to an adviser seeking to recover the costs of action taken following a data loss.
In the light of the FSA’s clear indication that it expects to revisit the issues raised in its report, firms would be prudent to recognise that they have effectively been put on notice: the regulator expects to see a dramatic improvement across the industry in this area. To be fair, following the plethora of high-profile data losses over recent years, most institutional organisations have already enhanced their technology security processes. With the FSA highlighting so many weaknesses in non-IT security matters, however, it would be bordering on negligence for a compliance officer not to have already started a review of physical security.
When looking at data security it is important for firms to understand exactly who has access to which data, and what mechanisms are in place to assess how vulnerable those members of staff might be to involvement in financial crime.
For example, even the most junior IT support staff may have very wide-ranging access across IT systems. It is not unusual for such staff to be able to log on to almost any part of a system so that they can help users across the business. Whilst this is understandable for commercial reasons, is it in fact prudent? All too often IT support staff are contractors brought in for a relatively short period, hired for their skills in this area, with no long-term prospects within the business. Given the sensitivity of the data they can reach, it is important to have an understanding of their financial wellbeing and also to consider criminal record checks. It is equally worth asking whether such broad access is actually needed: access granted to support staff and contractors should be limited to what the role requires, withdrawn when the engagement ends, and logged so that the firm can see afterwards who looked at what.
Equally, how many chief executives or senior partners truly understand the extent of the information that their senior IT managers could extract from a system? This issue is not confined to senior managers; relatively junior programmers may have far more sophisticated IT skills, and the ability to manipulate and extract data in many ways, if their access to systems is not controlled. This reinforces the need for firms to control access to removable media, such as CD and DVD burners and USB storage devices, since these are the simplest means of carrying a copy of the client database out of the building.
Many adviser firms are now adopting web-based client management software. This means that the data is normally hosted outside the adviser's own business. If your firm has such a system in place, how much do you know about the employment checks carried out by your IT supplier, or by the service suppliers to its business? Financial criminals will always seek out the weakest link in any chain.
It is important for adviser firms to be able to show that they have investigated these issues and understand the processes in place both at their own IT suppliers and at any organisations those suppliers use that may also have access to client data. That investigation should establish who has access to which data, what they can do with it, and how any staff with access to client information are vetted.
The impact of a major data loss could be devastating to any business, both in terms of its relationship with its clients and, now, the expectation that it will fund the cost of protecting clients where a loss has taken place. Consequently adviser firms should think seriously about how they can minimise these risks.