7 Ways to Better Meet FCA and ICO/DPA Technology Guidelines
Technology Compliance for Alternative Investment Companies and Other Organisations in Scope of FCA and ICO/DPA Regulation
Perhaps one of the most important things the 2007 credit crunch and the ensuing global economic recession demonstrates is the degree to which the world depends on the financial industry. Consequently, the rationale for robust regulatory oversight of the financial industry is compelling.
Technology is a fundamental enabler of the finance industry. The financial system is interwoven with and highly reliant on technology. Technology changes quickly and the threat environment may be characterised as agile and blended, with a need for constant vigilance.
Today the Alternative Investment Fund Managers Directive (AIFMD) and the Capital Requirements Directive IV (CRD IV) are primary tools governing the core business of UK domiciled alternative investment firms. Technology is governed by Financial Conduct Authority (FCA) guidelines in conjunction with the Information Commissioner’s Office (ICO) which carries out enforcement action for breaches of the Data Protection Act (DPA).
As a result there is a mix of recommendations and mandatory compliance points. This means some areas are open to interpretation and there is a need to understand where any distinctions exist, and act appropriately.
The objective of this regulatory approach appears to be to create a culture where financial services businesses demonstrate a responsible approach and a willingness to consider their use of systems and any risks that need to be mitigated.
In this guide we discuss 7 ways alternative investment businesses, and professional services companies supplying services to regulated firms, are able to improve the ability to meet FCA or ICO/DPA regulatory guidelines for using technology within their businesses.
- Drive it from the top down
Wherever there is a failure of leadership to assert control and set high standards for a business and its employees, there is the potential for significant problems.
Take responsibility at board level
Ultimately, FCA/ICO compliance is a governance matter and it needs to be owned by the board and driven from the top down. Leave no doubt about standards by promoting a culture of resilience and security. There should never be complacency around the value of information and cyber security.
The board should set up a process to ensure it is satisfied about policies and procedures for protecting information, especially where dependencies lie with third parties or with a parent group. Cyber security should be under the control of a CIO (Chief Information Officer) or someone with the equivalent accountability at board level.
It is important that procedures are in place to deal with cyber-attacks, to prevent fraudulent communications by both voice and email, and to safeguard against money laundering activity.
Enforcement action
The Money Shop
Date: 06 August 2015
Type: Monetary penalties
Sector: Finance insurance and credit
The ICO has issued a £180,000 civil monetary penalty to The Money Shop in response to the loss of computer equipment containing a significant amount of customer details.
- Keep your systems up-to-date
Many fines are issued by the ICO for failing to take reasonable steps to prevent hacking. Hackers often exploit ‘vulnerabilities’ (that’s IT code for holes in security) to gain unauthorised access to networks, systems and data.
Simple to plug security gaps
One of the most fundamental principles of IT security is to plug gaps by maintaining up-to-date software versions. This is done by regular updating or ‘patching’ with updaters downloaded or automatically pushed out by software vendors. Many of the firms that have been fined could have escaped financial penalty by simply taking the reasonable step of ensuring systems were kept up-to-date.
- Tighten up staff security
Employees are only human, and even in the most secure environments, people are often responsible for breaches, either through deliberate action or failing to observe security policies and procedures.
Passwords
One key aspect is password access and control. Companies should have strict password control policies. Users should not reuse the same username and password combinations for company and personal accounts, as this would allow hackers to gain access to company data and systems by stealing account data from personal or consumer accounts. Forcing regular password changes is one option; another is Dual Factor Authentication. This means a unique One Time Key is required at every login, so just knowing a username/password combination is not enough to permit access.
Data loss
Incidents of employees taking data offline (e.g. on a USB stick or a laptop) and then losing it are frequent. Consider prohibiting the practice, or only allowing download to secure devices - those managed by the business and with encrypted storage - that are only accessible using a username/password combination.
Activity monitoring
Consider monitoring communications activity. Record all telephone calls and archive all email. Some companies record all network activity, although this is more for internal security rather than for FCA compliance.
HR Policies
Consider consulting HR to review any points where security touches HR policies. Some examples where issues may arise include:
- Hiring
- New hire induction
- Ongoing training
- Disciplinary procedures
- Termination of employment
- Dual Factor Authentication
- Offline working with company data
- Online working with data encryption
- Activity Monitoring
Enforcement action
Jala Transport Limited
Date: 26 September 2013
Type: Monetary penalties
Sector: Finance insurance and credit
A monetary penalty notice has been served on Jala Transport, a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database.
- Keep on top of documentation
Always ensure up-to-date network documentation is available. Similarly, request documentation from your partners and any other 3rd parties.
Typically, documentation should include information on:
- Who has access to what?
- What is the update procedure?
- How is data secured?
- What is the backup procedure?
- What is the disaster recovery plan?
Enforcement action
Think W3 Limited (Thomas Cook subsidiary)
Date: 23 July 2014
Type: Monetary penalties
Sector: Online technology and telecoms
Think W3 Limited, an online travel services company, has been served a £150,000 monetary penalty after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.
RFI
External firms may submit a Request for Information (RFI) before commencing trading with your company. This will almost certainly include questions on software, versioning and IT security. Likewise, your business should consider issuing an RFI to any new partner before doing business. Also consider formalising documentation for existing partners if an RFI has not previously been part of the partner engagement process.
Demonstrating a responsible approach
Maintaining up-to-date documentation means you have the right information to hand whenever it is requested from your business. It reassures senior management everything has been given reasonable thought and appropriate systems are in place. Documentation can easily be passed to the FCA if required, to demonstrate a responsible approach.
- Plan for disaster
Data backup, disaster recovery (DR) and business continuity (BC) planning are closely inter-related. Like many areas of IT there is no absolutely right or wrong way. There is a ‘menu’ of different elements that may be mixed and matched together to form the right solution to meet the specific needs of a business.
The core question is: How long can you afford the business to be offline? Once you establish this maximum tolerance to a loss of IT services, you work backwards from there. Some points to consider are:
Avoid backup tapes
A credible backup tape regime requires tapes to be physically taken offsite, inviting the potential for loss. There are a number of examples of companies losing them and getting fined. Tapes and autoloaders are also expensive and prone to failure because they are mechanical. Online backup is more reliable and secure.
Data retention
Backup is central to the data retention strategy. Creating a reliable archive of legacy data is essential for compliance with FCA data retention rules. Ideally, legacy data needs to be kept accessible but out of the way, and this could guide the design of any hierarchical storage system for filing and retrieval.
FCA Retention Periods for Data (record type: retention period)
- Emails: 6 years
- Record of election to comply: Indefinite
- All other financial records: 3 – 6 years
- MiFID: 1 – 5 years
- Basel II risk legacy data: 2 – 5 years
- Telephone & electronic communications: 6 months
Identify single points of failure
Typical single points of failure include power, network and servers. Look for anything of which there is only one. At the top level, the whole of an office or site is a single point of failure. To mitigate the loss of an entire site, it’s often easiest to replicate all of your data to another site. Then comes the question: how far away is far enough?
Data replication
The potential for disasters, both natural and man-made, is a key consideration when determining the distance to the replication site. Many businesses in the UK conclude that a distance of 50 miles is appropriate. For even better risk reduction consider replicating in more than one place. Remember to include telephone systems.
Document disaster recovery plans
Whatever the specific process for disaster recovery, it’s vital to document the disaster plan.
Key DR plan information includes:
- Who instigates the plan?
- Where is the recovery site?
- How are employees notified?
- How long before the business returns to operational status? (Sometimes referred to as the Recovery Time Objective, RTO)
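The DR section above boils down to three checkable rules: the last good copy of your data must be younger than the outage you can tolerate, the replication site must be far enough away, and there should be more than one place holding a copy. As an added example (not HTL's code or any tool the page describes), the script below parses a constructed backup job log and reports where a business falls short of those rules. The log format, the site names, the 50-mile and 24-hour thresholds used as defaults, and the requirement for two offsite copies are all assumptions made for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed backup job log (not from the page). Each line records a backup or
# replication job, the site holding the copy, its distance from the primary office
# in miles, and whether the job succeeded.
BACKUP_LOG = """\
2015-08-03T22:05:11Z backup site=London-Office dist=0 status=OK
2015-08-03T22:40:02Z replicate site=Reading-DC dist=40 status=OK
2015-08-04T22:05:09Z backup site=London-Office dist=0 status=OK
2015-08-04T22:41:30Z replicate site=Reading-DC dist=40 status=FAILED
2015-08-05T22:05:14Z backup site=London-Office dist=0 status=OK
2015-08-05T22:39:55Z replicate site=Reading-DC dist=40 status=FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<job>\w+) site=(?P<site>\S+) dist=(?P<dist>\d+) status=(?P<status>\w+)$"
)


def parse_log(text: str) -> list[dict]:
    """Turn log lines into records; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "job": d["job"],
            "site": d["site"],
            "dist": int(d["dist"]),
            "status": d["status"],
        })
    return records


def assess(records: list[dict], now: datetime, tolerance_hours: int = 24,
           min_distance_miles: int = 50, min_offsite_copies: int = 2) -> list[str]:
    """Apply the three DR rules and return one finding per gap (empty list = all rules met)."""
    findings = []
    latest_ok: dict[str, datetime] = {}
    distance: dict[str, int] = {}
    for r in records:
        distance[r["site"]] = r["dist"]
        if r["status"] == "OK" and (r["site"] not in latest_ok or r["ts"] > latest_ok[r["site"]]):
            latest_ok[r["site"]] = r["ts"]

    # Rule 1: every copy must be fresher than the maximum outage the business can tolerate.
    for site in distance:
        if site not in latest_ok:
            findings.append(f"{site}: no successful copy recorded")
            continue
        age = now - latest_ok[site]
        if age > timedelta(hours=tolerance_hours):
            hours = age.total_seconds() / 3600
            findings.append(f"{site}: last good copy is {hours:.1f}h old, "
                            f"exceeds {tolerance_hours}h tolerance")

    # Rule 2: offsite copies must be far enough from the primary site (dist=0).
    offsite = [s for s, d in distance.items() if d > 0]
    for site in offsite:
        if distance[site] < min_distance_miles:
            findings.append(f"{site}: {distance[site]} miles from primary, "
                            f"below {min_distance_miles}-mile minimum")

    # Rule 3: a single replication site is itself a single point of failure.
    if len(offsite) < min_offsite_copies:
        findings.append(f"single point of failure: only {len(offsite)} offsite site(s), "
                        f"policy requires {min_offsite_copies}")
    return findings


def assess_log(text: str, now_iso: str, **policy) -> list[str]:
    """Convenience wrapper: parse the log and assess it as of the given UTC timestamp."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return assess(parse_log(text), now, **policy)


if __name__ == "__main__":
    for finding in assess_log(BACKUP_LOG, "2015-08-06T09:00:00Z") or ["no findings"]:
        print(finding)
```

Run against the constructed log, the report shows the situation an RFI or an auditor would pick up: the replication job has been failing for two nights, so the only offsite copy is stale, that site is closer than the 50-mile figure the section quotes, and there is no second site at all.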
- Commission an external audit
Consider assessing your systems against ISO 27001, the information security management system standard, through credential checks, an external audit or penetration testing.
External IT partner
If you have an external IT partner ensure you check its credentials. It should be appropriately accredited and should adhere closely to industry best practice for information security.
Internal IT team
If you have an internal IT team, consider getting a second opinion by engaging an appropriately accredited company to audit your network. An internal IT team may only have in-depth experience of your own environment. Employing an external team to check the systems often gives an insight into your network that you may not otherwise be able to obtain.
Penetration testing
Consider penetration testing or pen testing. This is the process of ‘stress’ testing your systems to see if a ‘tiger team’ of computer security professionals acting as hackers is able to break through to gain access to your network, servers and data.
- Review physical security
Companies that keep all their data in the office should review physical security with an audit. Some typical questions that might be used to audit physical security include:
- Who has access to the office? (Don’t forget cleaners, caterers & security guards)
- Are all computer workstations including laptops and tablets locked when not in use?
- Who has access to the server cupboard, comms room or data centre?
- Are there access control records documenting entry and exit of the premises?
Offsite datacentre
To mitigate physical security risks, consider the benefits of locating data in an offsite data centre. Any choice of data centre should be governed by ISO 27001 accreditation, which means the facility is audited for physical security in line with the management system standard.
Data sovereignty
It is vitally important to consider the issue of data sovereignty, the geographic locations where data is stored. When evaluating offsite data storage it is essential to understand where data may be stored by service providers. Changing legislation and challenges to agreements such as Safe Harbour mean the landscape may shift suddenly.
Enforcement action
Staysure.co.uk Limited
Date: 24 February 2015
Type: Monetary penalties
Sector: Finance insurance and credit
An online holiday insurance company has been fined £175,000 by the ICO after IT security failings let hackers access customer records. More than 5,000 customers had their credit cards used by fraudsters after the attack on Staysure.co.uk.