Financial services firms lax on data

Written by Adrie van der Luijt
Thursday, 24 April 2008
|
The Financial Services Authority (FSA) is urging firms to change their attitude to data security.
The FSA said they should do more to help prevent their customers falling victim to identity fraud and other types of financial crime.

Risk of data loss underestimated

The warning follows an FSA review of systems and controls for data security at 39 firms, including banks, building societies, insurance companies and financial advisers. There were examples of good practice across the industry; however, many firms still underestimate the risk of data loss and fraud to their businesses, and especially to their customers. This includes senior management at firms not recognising the value of their customers' data to fraudsters, or that staff could pose a similar threat to data security as that posed by computer hackers and burglars. The FSA said that on occasions of significant data loss, firms seemed more concerned about adverse media coverage than about being open and transparent with their customers. Following the review, one firm has been referred to enforcement.

Increased public awareness

Speaking at the FSA's annual conference on financial crime on Thursday 24 April, Philip Robinson, director of its financial crime and intelligence division, called it worrying that, despite increased public awareness of the impact that identity theft can have on customers, many firms were still not taking this risk seriously. He pointed out that customers had a right to be confident that firms were doing everything reasonably possible to keep their personal and financial details safe. Robinson said that some firms had made progress by adopting good practice, while others needed to do more in this area to ensure that they were treating their customers fairly. Firms getting data security right is a key priority for the FSA, and Robinson warned that it expected the industry to raise its standards. "This report provides a wealth of information including examples of good practice that could help firms benchmark their own systems and controls and make necessary improvements. We will follow up on this work with firms and will not hesitate to take action if future breaches are found," he added.

Emphasis on IT controls

The findings showed that many firms are not proactively checking that third party suppliers vet their employees or have adequate security arrangements in place to prevent unnecessary access to customer data. Many large and medium-sized firms devote adequate resources to data security risk but place too much emphasis on IT controls and not enough on staff awareness and training or regular risk assessments. The FSA said that many small firms were wholly reliant on compliance consultants who did not understand the importance of data security within the firm. Examples of good practice found at the firms visited included encrypting laptops, transferring data to third parties via secure internet links, masking financial details where they are not necessary for staff to do their jobs, and appointing a senior manager with overall responsibility for data security. The FSA is addressing data security risks with firms through ongoing supervision and is increasing its visits to small firms to review their systems and controls. It is also publishing a factsheet to help senior management at small firms understand their data security responsibilities. In February 2007, the FSA fined Nationwide £980,000 for information security lapses, and in December 2007 Norwich Union was fined £1.26 million for exposing its customers to the risk of fraud.

Appropriate level of seriousness

Andrew Clark, partner in the Forensics practice at PricewaterhouseCoopers LLP, said that the FSA was clearly serious about the issue of data compromise, believing it presents a very real threat to financial services companies in the UK. He warned, however, that many companies still believed it was solely an IT issue and did not treat it with the appropriate level of seriousness. Clark added that data compromise can consist of anything from lost or stolen equipment to unintentional leaks through inexperienced staff, and said it was clear that there were a range of threats which did not fall under simply an IT heading. In a recent data compromise exposure assessment undertaken by PricewaterhouseCoopers for a client, the Big Four firm discovered that the only proactive steps that had been taken were to encrypt laptops for staff who worked out in the field and to disable USB ports to prevent the use of memory sticks. What the client had failed to do was to assess its exposure to a range of other data compromise threats, such as malicious insider activity and weak security practices by its third party suppliers.

Consider the problem from the criminal's perspective

In treating this issue as one of financial crime, financial services companies can look beyond matters which relate just to technology. "They can consider the problem from both the criminal's perspective and that of the regulator, thus helping to avoid possible losses and protecting their reputations. In addition, there is obvious competitive advantage to be had by demonstrating real commitment in response to the FSA's concerns and ensuring they have adequate resource devoted to the risk," Clark pointed out. The most common financial crime incident the FSA's financial crime team has investigated during the last year is the compromise of customer data by firms holding large amounts of sensitive information. According to the recent PricewaterhouseCoopers Global Economic Crime Survey, UK companies continue to underestimate the probability of being victims of financial crime. Only 17 per cent believed they were 'quite' or 'very likely' to suffer a financial crime, whereas the survey showed that 48 per cent actually were victims of financial crime.
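Two of the good-practice items the FSA cites, masking financial details that staff do not need for their jobs and guarding against leaks by inexperienced staff, come down to a data-access layer that applies masking by role and checks output before it leaves the system. The Python below is an added example written for this page; it is not code from the FSA, PricewaterhouseCoopers or any firm in the review. The role names, the policy table, the record fields and the sample customer are constructed for illustration, and the card number is a standard test number rather than a real account.

```python
import re
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class CustomerRecord:
    """Constructed customer record; the field names are assumptions for this example."""
    name: str
    email: str
    card_number: str      # PAN, may contain spaces
    sort_code: str        # UK-style "NN-NN-NN" (assumed format)
    account_number: str   # 8-digit account number


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        raise ValueError("card number too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_account(account: str) -> str:
    """Keep only the last two digits of an account number."""
    digits = re.sub(r"\D", "", account)
    return "*" * max(len(digits) - 2, 0) + digits[-2:]


def mask_sort_code(sort_code: str) -> str:
    """Keep only the final pair of a NN-NN-NN sort code (assumed format)."""
    return "**-**-" + sort_code[-2:]


# Which fields each (hypothetical) role may see, and which of those it may see
# unmasked. Default is deny: a role absent from the table gets nothing.
ROLE_POLICY = {
    "customer_service": {
        "visible": {"name", "email", "card_number", "account_number"},
        "unmasked": set(),
    },
    "fraud_analyst": {
        "visible": {"name", "email", "card_number", "sort_code", "account_number"},
        "unmasked": {"card_number", "sort_code", "account_number"},
    },
    "marketing": {
        "visible": {"name", "email"},
        "unmasked": set(),
    },
}

# Fields that carry financial detail, with the masker applied to each.
MASKERS = {
    "card_number": mask_pan,
    "account_number": mask_account,
    "sort_code": mask_sort_code,
}


def view_for_role(record: CustomerRecord, role: str) -> dict:
    """Return the subset of the record a role may see, masking financial
    fields unless the role is explicitly granted the unmasked value."""
    try:
        policy = ROLE_POLICY[role]
    except KeyError:
        raise PermissionError(f"no data policy defined for role {role!r}") from None
    view = {}
    for f in fields(record):
        if f.name not in policy["visible"]:
            continue
        value = getattr(record, f.name)
        if f.name in MASKERS and f.name not in policy["unmasked"]:
            value = MASKERS[f.name](value)
        view[f.name] = value
    return view


def leaks_financials(text: str, record: CustomerRecord) -> bool:
    """True if the text carries the full card or account number in any spacing:
    the check to run before a record reaches a log line or an outbound e-mail."""
    compact = re.sub(r"\D", "", text)
    for raw in (record.card_number, record.account_number):
        digits = re.sub(r"\D", "", raw)
        if digits and digits in compact:
            return True
    return False


# Constructed sample; the card number is a standard test number, not a real one.
SAMPLE = CustomerRecord(
    name="A. Customer",
    email="a.customer@example.com",
    card_number="4111 1111 1111 1111",
    sort_code="40-47-84",
    account_number="12345678",
)

if __name__ == "__main__":
    for role in ("customer_service", "fraud_analyst", "marketing"):
        print(role, view_for_role(SAMPLE, role))
    print("masked view leaks:",
          leaks_financials(str(view_for_role(SAMPLE, "customer_service")), SAMPLE))
```

The policy table is the part a named senior owner would actually sign off: it states, per role, what is visible and what is visible in clear, and an unknown role gets an error rather than a default view. The final check is deliberately tolerant of spacing, since a full PAN copied into a support ticket with spaces removed is still a full PAN.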