In 2008, the FSA made “Data Security” one of their priorities and although they do not lay down rules specific to data security, they expect authorised firms to take it extremely seriously as part of their commitment to establishing effective management systems and controls, and their obligation to treat customers fairly.
The risk of damage to a firm’s reputation and the cost of dealing with lost or stolen client information is bad enough but worse still is the danger that clients may be exposed to identity theft. Even small financial services firms which hold limited data on clients can be targeted by organised criminals or casual opportunists. The greatest threat often comes from the firm’s own staff; database encryption and secure servers are pointless if somebody can take client information away from the office on a CD or accidentally leave their laptop on a train.
The first step in establishing data security is performing a risk assessment specific to your business. The advice from the FSA is that:
“If firms think their in-house resources or expertise are inadequate to perform an effective risk assessment, they should consider seeking external guidance.”
Once completed, the risk assessment becomes the foundation on which proper policies and business-specific procedures can be built.
“We were not convinced by firms that claimed to have detailed data security rules but were unable to produce written policies and procedures.”
Of course, written policies are pointless if staff are not appropriately trained in their use. Because many people wrongly assume that data security is common sense (and because, let’s face it, it’s not a subject naturally dripping with drama), it is important to be creative.
“Our experience shows that many instances of data loss occur because staff do not know or understand relevant policies and procedures.”
Of course, we hope that risk assessments, appropriate procedures and effective training will prevent data loss or theft, but if the worst happens, firms must decide how to react. This will probably involve advising those affected, something which must be done carefully but swiftly.
“Firms should consider telling affected consumers exactly what data has been lost, give them an assessment of the risk and give advice and assistance to consumers at a heightened risk of identity fraud.”
For a business-specific risk assessment, help creating suitable procedures, and some effective training on data security, do please give us a call or send us an e-mail.