Where finance once relied upon hard copies, technology now rests at the heart of it, with finance systems improving processes daily. These systems are constantly improving, but so are the threats against them, such as hackers, meaning that there has to be an increased focus on cyber security.
The Alternative Investment Fund Managers Directive (AIFMD), alongside the Capital Requirements Directive IV (CRD IV), governs the conduct of UK businesses such as investment firms. Finance technology falls under Financial Conduct Authority (FCA) guidelines alongside the Information Commissioner’s Office (ICO). The ICO is the body that will step in and take enforcement action if any breaches of the Data Protection Act (DPA) are found.
Because of this, there is plenty of information out there on how to ensure that your business is compliant with the guidelines provided while not breaching the DPA. However, a lot of that information is open to interpretation, so it can be hard to know how to apply it to your own situation while ensuring compliance.
We have constructed a guide to the different ways in which you can ensure that you meet ICO/DPA regulations when using technology within your business.
- Work from the top and work your way down – assess how the leaders of your company approach compliance with ICO/DPA. Is it a priority of theirs? Do they uphold high standards for the rest of the employees to follow? If there are areas where leaders are lacking in data protection protocol, or they believe that because they are higher up they don’t have to comply, this raises its own issues that could filter down to the rest of the staff.
Compliance with these guidelines is of vital importance and should be something that your board takes ownership of and communicates correctly to the rest of the teams across the company. Nobody should be an exception to the rule, as this raises doubts and makes people less likely to take their own cyber security seriously if they know that their manager doesn’t and gets away with it. Impress the importance of cyber security on your board leaders and they in turn will need to do the same for their teams; there can be no room for error when it comes to these guidelines.
Alongside the guidelines presented in ICO/DPA, the board should create its own process to ensure procedures are in place to keep information safe. This is especially essential when sharing confidential information with third parties. There should also be a designated member of the board who champions cyber security and holds accountability for it, such as a CIO (Chief Information Officer).
Day-to-day data protection is important, but it is also important to have a plan in place should your company come under cyber-attack or receive fraudulent phone calls or emails. With regard to the finance teams, there should also be precautions in place to safeguard business money against any money laundering that may be taking place.
- Maintain your systems and keep them up-to-date – the ICO can issue fines against businesses if its findings reveal that appropriate measures were not put in place to prevent hackers or cyber-attacks. Hackers naturally look for any vulnerabilities within your systems in order to gain unauthorised access to private networks, systems and sensitive data. However, these vulnerabilities are simple enough to address.
One of the biggest protective actions you can put in place is to ensure that all of your software is up-to-date and maintained. Using outdated systems to save money could in fact lose you money, as you could fall prey to a hacker. Software vendors also look for holes in their current products, and their updates often provide the fixes that protect their customers.
- Be prepared for human error – however much training you provide for your employees, there is always room for human error. It is people, not technologies, that are most responsible for security breaches, whether deliberately or through lack of care with compliance procedures. Below are the main areas that can fall to human error:
A. Passwords – by nature, passwords are designed to add security, but how they are kept can make them a threat to that security. Password control is vital in businesses to ensure passwords do not go astray because they were written down in a notebook left out on the desk overnight. Users also shouldn’t use the same password across different platforms, as this leaves room for hackers to get in and steal data. Users should use a unique, hard-to-guess password for each platform, never something easy to guess such as their birthday.
B. Loss of data – when employees want to take their work home, they may copy documents onto a USB stick to work from later. However, the USB stick can then be misplaced and the data compromised. Ideally, you shouldn’t allow your employees to use USB sticks with sensitive data. Instead, suggest that they use a secure device that has been authorised by their manager and is governed by the business. With encrypted storage, the data will be more secure.
C. Monitoring activity – a safety measure to put in place is to monitor communications inside and outside of your business. This means recording telephone calls and archiving old emails that come through to your users. This helps your internal security as well as your FCA compliance.
D. Old HR policies – put your HR policies under review to ensure that security is at the heart of them. Issues may come up in areas such as the hiring process, induction of new employees, activity monitoring, training, online working with data encryption, disciplinary procedures, offline working with company data, termination of employment and, finally, two-factor authentication. Work with your HR team to find the policies that will best move you towards improved ICO/DPA compliance.
- Stay up to date with documentation – keeping your network documentation up to date is just as important as keeping your software up to date. Likewise, you can request documentation from third parties and other business parties to ensure that everything is as up to date as it can be; keep an eye out for any update emails that you may have previously deleted thinking they were ‘spam’.
There are two steps to how you can do this. The first is to ensure that you are open to any Request For Information (RFI) that may come in to you. These may come from any external parties you do business with, and this documentation is vital as it could be the difference between commencing trade with a business or having the offer rejected. They will often include questions such as which software you use and how you enhance IT security.
Your documentation should include:
A. Who has access to which documents?
B. How is sensitive data secured?
C. What is the recovery plan in case of disaster?
D. What is the update procedure?
E. What is the backup procedure?
The second step is to ensure that you act responsibly with the documentation. Even though keeping it updated may seem like a mundane job, it’s important. You need to ensure that if someone requests information, you have it to hand quickly. This shows prospective business partners that you have appropriate policies in place. Documentation can also be passed to the FCA if necessary.
- Have contingency plans in place in case the worst happens – nobody wants to think about their data being compromised, but as a business it is a very real possibility. Therefore data backup, business continuity and disaster recovery planning are essential should you be hacked. There is no right or wrong way to do this, as each business is different.
Firstly, you need to think about how long your business could last offline. Then you can work backwards through your planning and bear in mind the following factors:
A. Do not use backup tapes – a physical backup tape can be useful if taken off site, as it wouldn’t be susceptible to cyber-attack. However, by their very nature of being physical, tapes can be easily lost, which is a data security risk in itself; many companies have fallen into trouble and been fined because of this. Online backup is a lot more secure for your data.
B. Data retention – backup is at the heart of the data retention strategy. Having an archive of legacy data will ensure that you are compliant with FCA data retention rules. It should also be simple for authorised staff to access without being open to just anyone.
C. Consider the points of failure in your business – these are elements such as the power, servers and the general network. Write down everything that could fail and note whether there is only one of it, as a single point of failure with no backup creates a far bigger problem. For example, if all of your data is on one site, then the loss of that site could be detrimental. Consider keeping your data duplicated on another site.
D. Create a documented disaster recovery plan – document this even if everyone already knows the process. This should include:
a) Who is the instigator of the plan?
b) How would employees be notified of the breach?
c) Where is the site of recovery?
d) How long would it take for the business to become operational again? This is also called the Recovery Time Objective or RTO.
- Organise an external audit – this means that you can accurately check your systems against ISO 27001, the standard for information security management systems. Begin by checking the credentials of your external IT partners; they should be fully accredited and follow best practice for cyber security. You can then move on to your internal team by organising an external audit; auditors bring a fresh perspective on how things should be run and may notice concerns that your own team couldn’t see.
Finally, you should consider penetration testing, otherwise known as pen testing. This is a simulated attack in which an auditor’s team of professionals, acting as hackers, tries to break into your system under controlled conditions. It will show up any vulnerabilities.
- Review your physical security – this may seem like the simplest stage, but it is the most important. Even if your cyber security is of the highest standard, if you don’t have strong physical security then your data is still at risk. If all of your data is in one office, this should be reviewed by an external auditor. Be prepared for them to ask questions such as:
A. Who has access to the office? This includes other members of staff who don’t work in the office such as cleaners and security guards.
B. Who has access to the server cupboard, data centre or comms room?
C. Are all computer workstations locked when they aren’t being used?
D. Are there access control records which document entry and exit of the site?
As we mentioned earlier, there is a large benefit in having a data centre which isn’t on your site. However, you have to ensure that the data centre is accredited to ISO 27001, so have the centre audited for physical security.
With all of these tips taken into consideration, you now hold the key to improving compliance with ICO/DPA technology guidelines.
Computers in the City, your compliance partner
Computers in the City is London’s longest-standing IT partner. With over 20 years’ experience, we can assist you in meeting ICO/DPA compliance.
We’re proud to be local, offering 24-hour support in straightforward language that takes the stress out of IT support.