Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Cyber Security: How to Be Proactive With the Safety of Client Data Before the Hackers “byte” You

Published by Gbaf News

Posted on August 2, 2013

5 min read

Last updated: January 22, 2026

Add as preferred source on Google

Cyber security: How to be proactive with the safety of client data before the hackers “byte” you - Technology news and analysis from Global Banking & Finance Review

Written by Laura Scaife and Stephen Lansdown, Commercial, Hill Dickinson:

cybercrime You may have seen in the press and as has been reported on this site recently that the U.K. parliament’s intelligence and security committee, which oversees Britain’s intelligence services, has said in its annual report that the threat of attack from cyber activity “is at its highest level ever”.

This may lead you to wonder what exactly therefore is at threat. According to the committee, the key categories of data which are most vulnerable to compromise relate to intellectual property, personal details and classified information. Clearly if such data is accessed by hackers and used for unauthorised purposes this can result in significant financial, reputational and even personal harm.

Clearly cyber security is an important issue for businesses who may hold large amounts of data about their clients and employees. Indeed the committee’s report said that in 2012 more than 200 email accounts of British government workers in 30 departments were targeted in an attempt by unidentified hackers to steal unspecified confidential information, however private-sector businesses were also highlighted as targets for attack. In order to meet the demands that the threat is placing upon businesses the report has suggested that companies take responsibility for their cyber security.

One area of major concern in the UK and as highlighted by Andrew Haldane, the Bank of England’s executive director for financial stability, is the financial system and industry. In order to manage data security firms operating in this area need to be especially alive to the requirements imposed by the Data Protection Act 1998 (DPA 1998) and the Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) (which has been transferred in part to each of the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) in relation to clients and customers.

The PRA which is concerned in this area with the assessment of the risks that data is exposed wants financial institutions to demonstrate that they are addressing and managing risk issues arising from information security and that their safety and soundness is not at risk e.g. exposure to threat of systemic financial crime risk. The predecessor of the FCA, the Financial Services Authority (FSA) took a dim view of failure by very high profile firms to manage this area indeed a number of firms have been fined for misdemeanors, such as Zurich who were fined £2,275,00 and HSBC receiving a penalty of over £3,000,000.

Early signs indicate that the FCA will adopt a similarly firm stance with much of the FSA’s behavior and materials in this area remaining of application, for example the requirements of Principles 2 and 3 (PRIN 2.1.1 R) and SYSC are concerned with possible weaknesses in firms’ systems which open up the possibility of the UK financial system being used for financial crime (e.g. SYSC 3.2.6 R, in the FCA Handbook) as customer data is valuable in this context. These requirements also directly support the general DPA 1998 principle requiring businesses keep personal data secure by taking appropriate technical and organisational measures against unauthorised processing and accidental loss or damage. Again, the FCA picks up from the FSA in the fight against financial crime.

Managing the Risk
While there is an understanding of the risks presented, and the regulatory framework which maps out the area, the key issue for businesses holding such data how to practically manage the risk presented and implement frameworks which govern data in a manner which reduces their vulnerability to attacks. As part of a cyber-strategy firms should consider putting together an information strategy plan which deals with the following sorts of issues:

Draft a statement of intent which sets out the firm’s stance towards data security and requirements imposed by the relevant regulatory bodies
Take organisational ownership and responsibility of data so that there are clear lines of responsibility
Implement an information asset management and destruction policy
Adopt a separate policy in relation to human resources information
Impose physical and environmental security and access control
Roll-out training on cyber security including delivering the policy
system development
Introduce business continuity in the face or threat of attack
Draft a policy which identifies key areas of risk and how they will be managed
Implement an incident management strategy which can be put into action, should an attack occur

It is possible that some of these issues will be dealt with in other policies and procedures but, where this is the case, they must be developed and adapted to reflect the underlying information management and security provisions. They key is to pin down, define and implement your firms policies and not to leave them floating about in cyberspace thereby leaving gaps for the cyber attackers, it is an old adage but one that has much wisdom…protection is the best form of defense…