
Cyber security: How to be proactive with the safety of client data before the hackers “byte” you

Written by Laura Scaife and Stephen Lansdown, Commercial, Hill Dickinson:

You may have seen in the press, and as has been reported on this site recently, that the U.K. parliament’s intelligence and security committee, which oversees Britain’s intelligence services, has said in its annual report that the threat of attack from cyber activity “is at its highest level ever”.

This may lead you to wonder what exactly is under threat. According to the committee, the key categories of data most vulnerable to compromise are intellectual property, personal details and classified information. Clearly, if such data is accessed by hackers and used for unauthorised purposes, the result can be significant financial, reputational and even personal harm.

Cyber security is therefore an important issue for businesses that hold large amounts of data about their clients and employees. Indeed, the committee’s report said that in 2012 more than 200 email accounts of British government workers in 30 departments were targeted in an attempt by unidentified hackers to steal unspecified confidential information; private-sector businesses, however, were also highlighted as targets for attack. In order to meet the demands that the threat is placing upon businesses, the report has suggested that companies take responsibility for their own cyber security.

One area of major concern in the UK, as highlighted by Andrew Haldane, the Bank of England’s executive director for financial stability, is the financial system and industry. In order to manage data security, firms operating in this area need to be especially alive to the requirements imposed by the Data Protection Act 1998 (DPA 1998) and the Senior Management Arrangements, Systems and Controls Sourcebook (SYSC), which has been transferred in part to each of the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), in relation to clients and customers.

The PRA, which in this area is concerned with assessing the risks to which data is exposed, wants financial institutions to demonstrate that they are addressing and managing risk issues arising from information security and that their safety and soundness is not at risk, e.g. from exposure to systemic financial crime. The predecessor of the FCA, the Financial Services Authority (FSA), took a dim view of failures by very high profile firms to manage this area; indeed a number of firms have been fined for such failings, such as Zurich, which was fined £2,275,000, and HSBC, which received a penalty of over £3,000,000.

Early signs indicate that the FCA will adopt a similarly firm stance, with much of the FSA’s approach and materials in this area remaining applicable. For example, the requirements of Principles 2 and 3 (PRIN 2.1.1 R) and SYSC are concerned with possible weaknesses in firms’ systems which open up the possibility of the UK financial system being used for financial crime (e.g. SYSC 3.2.6 R in the FCA Handbook), since customer data is valuable in this context. These requirements also directly support the general DPA 1998 principle requiring businesses to keep personal data secure by taking appropriate technical and organisational measures against unauthorised processing and accidental loss or damage. Again, the FCA picks up from the FSA in the fight against financial crime.

Managing the Risk
While there is an understanding of the risks presented and of the regulatory framework which maps out the area, the key issue for businesses holding such data is how to manage the risk in practice and implement frameworks which govern data in a manner that reduces their vulnerability to attack. As part of a cyber-strategy, firms should consider putting together an information strategy plan which deals with the following sorts of issues:

  • Draft a statement of intent which sets out the firm’s stance towards data security and requirements imposed by the relevant regulatory bodies
  • Take organisational ownership and responsibility of data so that there are clear lines of responsibility
  • Implement an information asset management and destruction policy
  • Adopt a separate policy in relation to human resources information
  • Impose physical and environmental security and access control
  • Roll-out training on cyber security including delivering the policy
  • Address security in system development
  • Introduce business continuity arrangements for use in the face of an attack or the threat of one
  • Draft a policy which identifies key areas of risk and how they will be managed
  • Implement an incident management strategy which can be put into action, should an attack occur

It is possible that some of these issues will be dealt with in other policies and procedures but, where this is the case, they must be developed and adapted to reflect the underlying information management and security provisions. The key is to pin down, define and implement your firm’s policies and not to leave them floating about in cyberspace, thereby leaving gaps for the cyber attackers. It is an old adage, but one that has much wisdom: protection is the best form of defence.