The FSA’s eagerness to get the sector to raise its game is understandable, given that cyber crime is the second most common type of economic crime in the financial services industry after “asset misappropriation”, according to research by consultancy PricewaterhouseCoopers (PwC). The same research also showed that only 18 per cent of respondents had in place all the security measures that PwC believes are essential to respond effectively to cyber crime.
Is the security message getting through?
This suggests the FSA’s efforts to boost IT security in the sector are having only a limited effect. One reason for this may be the authority’s seemingly lax approach to monitoring compliance with its own security guidelines. When Computing asked it how many financial services firms are fully compliant with its data security guidelines, the FSA responded that it “does not keep figures regarding enforcement action over IT security breaches”.
A spokesman said the FSA assesses compliance as part of its broader supervisory process, adding that it “expects all firms that are regulated by the FSA to be compliant”. The fines against HSBC and Zurich show that this was certainly not the case at the end of the last decade, but perhaps things have improved since then.
David Ragan, group compliance officer at Groupama Insurance, believes the fines succeeded in spurring firms into taking more steps to bolster their digital defences.
“There is a need to think outside the box, even though I think that the FSA rules mean that you are addressing most of the risks to a fairly high standard,” said Ragan. “For example, we are aiming for ISO27001 compliance, which is a native project that our IT security officer is engaging in and running out of the company, which should deliver additional levels of security.”
Groupama appointed a dedicated IT security officer 18 months ago after witnessing the impact security breaches were having in and around the industry.
“We thought that if we start losing data in ways that may not be our fault it would still point to a lack of proper security and that would give our organisation a major problem,” Ragan said. “It was at that time that we had our specialised audit by Ernst & Young, so instead of using our own internal people we used external data specialists. One of their key recommendations was that we needed somebody internally who would look at systems security on a daily basis. Ernst & Young said it was not sufficient to manage IT security on the basis of our own unspecialised knowledge.”
Ragan said that the insurer has since gone even further to protect itself. “We also have regular audits around IT security and we also have insurance to cover ourselves against cyber crime, because we’ve decided it’s such an important area of activity,” he said.
Ovum analyst Andy Kellett agrees that organisations need dedicated staff able to deal with the constant changes in technology and regulation.
“The most important factor in the financial sector is to maintain compliance daily and to make sure that the person or people who are dealing with IT security are up to date with the FSA rules, the Data Protection Act and any changes within those acts,” said Kellett.
“They also have to be up to date in their knowledge of threats and computer systems so they can understand what impact a change in their systems has on the compliance procedure of the organisation. Bringing the two points together is important.”
Computing says: Instead of writing directives that would see innocent people sent to jail, maybe the European Parliament should instead consider legislating for heavier fines against organisations that are lackadaisical in their management of sensitive data. Or, better still, start taking advice from security professionals.