Data protection and cyber-security: some tips for compliance officers
Sandra Lawrence, Collas Crill, Executive director, Guernsey, 25 January 2020
Data is one of the most valuable assets that every financial firm has, not least because it ensures that its clients receive the high quality of service that they deserve and because it helps to protect it from abuse by financial criminals.
External validation
The use of 'ethical hackers' can give the compliance officer's firm an additional layer of confidence: by deliberately, and with permission, attempting to hack workplace systems and networks, they can expose hitherto-unknown weaknesses and help the firm rectify them.
Accreditation firms can assess financial firms' controls and, if all goes well, award them 'kitemarks' (such as the Cyber Essentials Plus certificate) which the firms can then show to regulators and customers. The assessment process is a healthy one in and of itself because it checks the 'health' of a firm and identifies areas for improvement.
Policies and procedures
People are often complacent and easily distracted and therefore pose one of the largest problems for cyber-security. When a compliance officer develops policies, procedures and controls in this area he must take account of this.
Good culture, the so-called "tone at the top" and the continual training of staff are also important in helping a firm to overcome its weaknesses. What use is there, for example, in a firm insisting on its staff using complicated and secure passwords if the CEO has a piece of paper stuck to his keyboard with his password written on it?
If the firm's policies and procedures are not to be circumvented, it ought to be clear about its expectations of its people, their access to various systems, the difference between acceptable and unacceptable behaviour and ways in which to deal with bad incidents. It must write these things down, tell its employees about them and check to make sure that they have understood.
The firm might also want to institute a Bring-Your-Own-Device (BYOD) Policy to govern the way in which employees use their own personal devices to access the company's systems and data. Many benefits accrue to a company when its employees use their own devices - it is cheap and allows for flexible working arrangements and business continuity planning - but the practice also endangers cyber-security. What happens if someone loses his device or innocently downloads a spyware-laden game onto it? He ought to know what to do in either of these circumstances.
The training of staff
Policies and procedures, without adequate information and training being given to staff, are worthless. A company can do a lot to help its people realise how cyber-security problems might affect it (and them) by giving them meaningful examples, especially if they are drawn from its own experience.
A compliance officer can gauge the effectiveness of training by sending deceptive emails, similar to malicious ones, to staff and observing how they respond to this simulated phishing, thereby spotting gaps in their knowledge. He must, however, take care not to reprimand them too harshly for their mistakes, because a culture of blame discourages people from reporting incidents. Phishing attacks can be very sophisticated and difficult to spot.
Communication during a crisis
'Crisis communication' is a public-relations exercise by which a firm tries to limit the damage that a disaster does to its reputation, and compliance officers might find themselves involved in it when there is a cyber-attack. As we have said, such an attack is highly likely and every firm must prepare for the inevitable before it happens.
The firm must have a list of the clients, shareholders, regulators, data protection authorities, law enforcers and newspapers it will need to contact. It must plan, as far as it can, how to communicate with the media during that difficult time.
There are many poor examples of crisis communications, TalkTalk being a well-known case from 2015. The person who is destined to be the face of the firm during a crisis must be well-prepared and able to cope under intense pressure during interviews with the press.
If and when the compliance officer prepares an outline of things to say in a crisis, he must take the priorities of every interested party into consideration. He might even want to do this in a general way before the crisis occurs. He must also ask practical questions about who has the password for the company's LinkedIn or Twitter account and what happens if they are on holiday when an incident occurs.
Containment and recovery
Even though every firm that suffers a cyber-attack ought to want to contain the situation and recover from it, ideally recovering lost data, the police might want the attack to continue, at least to a certain extent, so that they can trace the guilty. This might play havoc with the compliance officer's priorities and responsibilities. How can a company allow a cyber-attack to continue? Conversely, how can it ignore the advice of the police without facing legal action itself? This is the compliance officer's dilemma.
* Sandra Lawrence can be reached on +44 1481 734808 or at sandra.lawrence@collascrill.com