Cybersecurity regulation expert joins Bovill, with warning for small firms
Chris Hamblin, Editor, London, 2 May 2018
David Copland, a cybersecurity regulation expert, has joined the compliance consultancy of Bovill as a managing consultant.
Copland comes from a risk management consultancy and will help buy-side asset managers in relation to risk management, cybersecurity, electronic and algorithmic trading. He has 18 years’ financial experience in hedge funds and brokerage operations.
Copland warns that regulators around the world will begin clamping down on financial firms that fail to evolve basic cybersecurity protection policies. In the EU, this will happen on the back of the General Data Protection Regulation, which comes into effect later this month. Other regulators around the world also show signs of taking cyber non-compliance seriously.
According to Copland, smaller firms are most likely to fall under regulators’ glare: “When it comes to cybersecurity, this is something of a crunch period. Despite the saturation of cybersecurity warnings and guidance, there is compelling evidence that an alarming proportion of firms still lack basic protective measures. Regulatory patience with these firms is running out fast.
“In the US and Singapore, we’ve seen that regulators have started routinely demanding evidence that financial service firms have cybersecurity procedures in place. Furthermore, these regulators are bringing prosecutions and fines if they find procedures aren’t being practised or defences are not sufficient. This is a step change. Typically, regulators would explore whether procedures were in place, and punish accordingly, in the event of a breach. They are becoming more proactive.
“In the UK, the FCA already does this in other areas. For example, punishing firms if they don’t follow their policies and procedures to protect client money risk. The GDPR is now raising the urgency of this issue when private data is at stake. However, many smaller firms are simply not aware of the need to have cybersecurity policies, or the need to evidence their cybersecurity risk reduction efforts, be that technical measures or policies and procedures.”
Bovill analysis of press data published on major cybersecurity breaches finds that 47% can be traced to an internal firm source, placing extra emphasis on data classification, data archiving strategies, data access, data loss protection, HR recruitment controls and staff IT acceptable use polices.
Copland adds:
“Observing cybersecurity defences relating to staff actions is growing in importance. This includes staff who unwittingly email confidential data externally, or who are unware they have clicked on email links which allow the download of malware. And, in extreme cases, rogue staff who maliciously steal data.”