Is your business sufficiently cyber-resilient? Chris Davies outlines some practical steps for adviser firms operating under the ever-increasing threat of cybercrime
As we have seen with the Covid-19 pandemic, resilience is a key strategy and concern for the Financial Conduct Authority.
There are two key areas here: financial and operational resilience. What is often overlooked where operational resilience is concerned is cyber-crime.
In its recent paper Cyber-security – industry insights, the FCA is clearly keen to ensure retail investment advice firms (RIAs) engage in good governance practice in this area.
The paper covers some important strategy that can easily be employed across:
- Governance and risk management: Taking a top-down approach and using enterprise risk management approach to assess and monitor cyber-risks across the business operations, technologies, client service strategy
- Keeping it simple: Move away from management speak and keep language and communications clear and concise
- Cyber-culture champions: appoint influential and experienced staff members to take responsibility for addressing cyber-risk
- Think strategically: Identify who can attack the business, where and how. Identify vulnerable data management practice and understand the extent of cyber-crime networks across the UK and internationally
- Link risk and controls: Creating metrics and indicators for critical controls is imperative
- Use existing standards. Standards provide valuable frameworks devised from good practice; consider the NIST Cybersecurity Framework, ISO27001/2, SANS CIS, NCSC’s 10 Steps to Cyber Security or NCSC’s NIS Directive Cyber Assessment Framework, Cyber Essentials
It is important to identify what you need to protect so here the FCA provides some simple yet effective techniques that can easily be applied:
- Consider what you know: The GDPR provides great guidance on data security, so leverage this and re-assess your systems and controls plus identify what you don’t know and find solutions fast
- Take a holistic approach: Too many businesses employ checklist and tick-box strategy which can create a silo approach, firms now need to think vertically and horizontally across all business activities this can then aid change management records, vulnerability scans, anti-virus management and other sources
- Know who does what: Identifying roles and responsibilities is a key requirement of the Senior Managers and Certification Regime (SM&CR) so here we need to ensure that we know what staff are responsible for, map it out and also re-assess how personal data for staff and client’s alike is processed in line with the SM&CR and the ICO’s GDPR.
- Watch out for outsourcing: Identifying and managing stakeholders can be difficult so again along with the SM&CR and GDPR, any outsourced suppliers need to be managed carefully particularly when it comes to processing personal data and related cyber-risks
Chris Davies: Improving Advice Suitability
So what can be done to ensure data is protected?
Effective cyber-risk strategy requires careful planning and use of the right tools and techniques:
- Invest in training: Ensure all staff are aware of cyber-risk on an ongoing basis. We conduct plenty of Anti-Money Laundering training, but as some of this activity has shifted online, there are no excuses as to ensuring cyber-crime is not a mandatory annual training standard within your business
- Be aware of vulnerabilities: knowing weaknesses and your digital footprint is essential to good research and due diligence in your cyber-risk strategy. Also understanding the digital reach of your business is essential
- Cyber-security integrated with change management strategies: Resilience is an essential compliance and business strategy, this can be undermined very quickly via a cyber-attack, so including cyber-security within change management strategy can build a resilient structure
- Employ detection tools: As with the GDPR, run a systems check and keep a register so you are able to detect any attempted attacks on systems and business services. This involves:
- Mapping roles and responsibilities (similar to SM&CR) and identifying those with privileged access to data e.g. data controllers plus monitor systems behaviour and apply the SM&CR Conduct rules to user behaviour
- Design logs to assess your firm’s data and generate relevant alert systems
- Apply string access controls to audit database logs to prevent cybercriminals removing any traces
- Respond and Recover: Be aware of emerging threats by participating in industry conferences, forums and learn from others. As with any resilience focus firms will need to:
- Test and retest scenarios and your defences
- Define business tolerance for recovery of systems
- Learn lessons from any failures
- Use Technology: identifying and applying technology can aid thwarting and a swift response to any cyber-attacks.
- Use encryption, this could involve e-mail encryption services such as Origo’s Unipass Mailock
- Back up regularly
- Update your services
- Create strong passwords
- Audit using RegTech systems so you are aware of where all the issues may lie prior to your manual audit process – this can also have the added benefits of securing renewal PII terms
With cyber-crime on the up in this pandemic, if you apply strategy, tools and techniques we have discussed then you will ensure your business is cyber-resilient.
Chris Davies is founder and director of Model Office