“Cyber-attacks are increasing in number, scale, and sophistication, and pose a threat to all financial services firms. We expect you to be able to protect the sensitive information you hold.” – Financial Conduct Authority
Cybersecurity and data breach matters continue to generate high numbers of legal disputes, and for financial advisors who are the target of a successful attack, the reputational damage far outweighs the operational costs.
The shift in cyber security attacks from personal information towards intellectual property, together with the compromising of supply chains, means that financial advisors, who are often the custodians of commercially sensitive information, are finding themselves the focus of an increasing number of attacks.
What does this mean when engaging technology partners?
Never assume that your managed service provider, cloud service partner or anyone else who provides you with technology services has the appropriate cyber security provisions in place.
It is expected that commercial and high net worth clients will require fairly exacting assurances regarding cyber protection, before engaging a financial advisor. That should be reflected in your own supplier engagement process.
Before choosing a technology partner you must be confident in their ability to safeguard your data. Your process for engaging new suppliers should include a rigorous assessment of their Cyber Security and Data Protection capabilities.
1. The first step is to understand the type of data you will be asking them to handle or to which they will have access. This will help you understand the level of exposure to your business.
2. Next, the areas you should focus on are your supply chain partners' responses to the following:
- Data Protection: Where will your data be processed and stored? Where are the technicians located who will access your data? Is it encrypted? Will a third party or sub-contractor access your data? Is the vendor GDPR compliant? Do they have a breach notification process?
- Information Security: Does the vendor hold ISO, Cyber Essentials or other relevant security certification? What intrusion detection/prevention systems are in place? Do they carry out their own vulnerability assessments? How will your data be encrypted? How do they screen their employees? How do they manage authorised access to your data? What technical controls are in place to prevent unauthorised access to their systems and your data?
Cyber Insurance and Compliance
All businesses need insurance against cyber-attacks – period. You may have this covered by existing commercial insurance or require specific cyber insurance. However you have it covered, do check with your insurance provider to confirm their requirements about how you engage new vendors. You will also need to understand both regulatory and compliance requirements and how these extend to your supply chain partners.
Who’s in Charge of this?
Who owns your security? Ideally this is someone within your organisation who, even if they don't have specialist skills, at least has formal responsibility for safeguarding your business.
It may well be that you rely on the expertise and advice of your main technology partner; if that's the case, you should expect them to proactively assist with your supply chain engagement processes. If your tech environment is hybrid in nature, with cloud services, software as a service, your own devices and data sources, they will need to demonstrate a thorough understanding of that complexity and of how your data is exposed and protected.
For advice and more information about how to protect your business, give us a call.