Data protection and cyber-security: some tips for compliance officers
Sandra Lawrence, Collas Crill, Executive director, Guernsey, 25 January 2020
Data is one of the most valuable assets that every financial firm has, not least because it ensures that its clients receive the high quality of service that they deserve and because it helps to protect it from abuse by financial criminals.
Most financial firms store copious amounts of data on a variety of vital information technology (IT) platforms and networks every day. The average firm has bolted many of these platforms together over time and designed many of them long before it truly realised the full gravity of growing threats to the security of its data and its cyber-systems - and, indeed, before data-protection legislation grew truly onerous.
Data is a valuable commodity for cyber-criminals and HNW clients are entitled to have their data protected in line with the principles of the European Union's General Data Protection Regulation and other laws. Firms ought to be storing this data securely, confidentially and with integrity.
When, not if
We all know that a cyber-attack is an inevitable consequence of the digital age and that every company experiences one. High-profile incidents such as Sony, the Panama Papers and the WannaCry attack have made people more aware than ever of the threat that cyber-criminals pose to the reputation of the financial sector. The European Union's General Data Protection Regulation (GDPR) has made people more accountable and helped to protect clients' data.
Due skill and care
Data protection and cyber-security are not simply IT issues; they are also regulatory issues and reside at the top of every board's agenda. However, even though directors have many responsibilities, how many of them can honestly profess to be IT experts with a full understanding of the controls that relate to data protection and cyber-security that their firms have in place, thereby fulfilling their duty to be skilful and careful?
Directors may not know the right questions to ask their IT staff and they may not understand the answers that they receive. A director might think: "did the IT man say this-or-that just to mollify me, or should I press him for more answers?"
Traditionally, IT practitioners are backroom boys who have little contact with others in the business, using (literally, in respect of coding) a completely different language; I can draw many comparisons between them and compliance practitioners 20+ years ago. Now they find themselves at the top of every board's agenda and have to report to boards or committees regularly, while dealing all the time with constructive criticism. They often lack crucial report-writing and other communication skills and training. They are no experts on corporate governance or their firms' regulatory responsibilities and might not appreciate the reasons why their boards are taking such an interest in the first place.
Diversity is a good thing
When different professions come into contact, misunderstanding and conflict often result. However, the coming together of people of different professional backgrounds can create an invaluable diversity of expertise because they are well suited to challenging each other's ideas and debating weighty matters. Such cross-fertilisation should be welcomed as an antidote to stultifying 'groupthink.'
Let's work together
A crucial step for a financial firm that wants to improve its data-protection and cyber-security controls is that of ensuring that all major parties know what the firm expects of them and appreciate each other's motivations and obligations. By understanding each other's problems and by talking to each other effectively, they can deal with the dangers that might befall the data. Clients are likely to be unsympathetic to any company that does not keep its data secure or takes a lackadaisical approach to cyber-security.
Risk
Controls that protect data and make IT systems more secure have to follow the same broad principles as any other way of managing risks – the firm must identify and measure the dangers, implement mitigating policies, procedures and controls, test those controls periodically and re-evaluate and improve them regularly, where necessary.
Risk registers
A financial firm ought to gauge, record and measure its exposure to problems, review that exposure continually and decide on the technical controls (see below) by which it can diminish it.
It can also identify a confluence of risks by setting up a risk register. This is a document in which a risk manager (or, in this case, a compliance officer) writes down information about each of the relevant risks that he has spotted, including its nature, its reference number, the person to be punished if it becomes actual, and steps to be taken to offset it. He can display all this as a scatterplot or in a table.
Technical controls
The term 'technical control' refers to the use of IT as a protection against threats. Examples include many well-known methods such as firewalls, which detect and protect networks from unauthorised access, two-factor authentication as an added barrier to anyone who wants to enter a system, programmes that detect email phishing, regular updates of security patches, the regular backing-up of systems and, very importantly, checks to see that the back-ups have been successful and that data is retrievable. These controls are far from perfect and the world of cyber-security is constantly changing, so the compliance officer should conduct routine and continual reviews to spot emerging risks.