Governance and data security for financial firms
By Stuart Janicki • 19 Jun 2013
In a previous entry we highlighted the need for Financial Services Firms to take greater responsibility for data security. This entry looks at how firms should approach governance of data security.
Data security failures come in two forms. The first, and a frustrating one, is data loss: a file is deleted or information is corrupted. The bigger impact comes from data breaches, where data has been stolen or compromised, or a physical device (paper records, computers or servers) goes missing.
Firms must treat data security as a specific risk, in the same way that market, credit, country, political or interest rate risks are approached. Senior management should realise that any data breach harms the reputation of the firm, can result in the loss of customers and will result in a significant financial penalty. Data security therefore requires governance policies, procedures and risk assessment.
Firms need someone to own this governance; this can be a senior manager, a committee or both. This individual or committee ensures that a risk assessment is conducted and that communication occurs between key stakeholders, including senior management, IT, human resources, finance, security, compliance and internal audit.
With a committee representing all business areas, staff are empowered to take ownership of data security and to encourage others to treat it as important. The committee must be closely linked to the board so that the importance of data security is kept in view at that level.
Data security policies should be introduced both formally, by including them in the staff contract or handbook, and through a more engaging day-to-day channel. These policies should be relevant and proportionate to regular staff tasks, and should encourage staff to follow the appropriate systems and controls.
Given the damage that a data breach can cause the firm, encouraging staff to report any potential issues is vital. Channels of communication should be introduced, with mechanisms to report data security risks. This will enable the firm to react to any risks in an open and honest culture without fear of blame and recrimination.
Firms also need to prepare for the possibility of a data breach. The Information Commissioner’s Office guide on data security breach management lists four key stages:
- Containment and recovery. This includes investigating the breach, understanding who needs to be involved, if the breach can be limited and deciding if the police need to be contacted.
- Assessing the risks. To assess the consequences of the breach you need to evaluate the type of data, the sensitivity of the information and what the data reveals about the individual. This is especially significant for firms that hold highly sensitive data.
- Notification of breach. As well as being a legal requirement, it is best to be honest about any breach. The Information Commissioner’s Office should be informed, and potentially the FCA; both will be able to provide relevant advice. Impacted customers should be contacted and told the extent of the breach, what data has been accessed and how you plan to minimise the impact, and given guidance on the steps they can take to protect themselves.
- Evaluation and response. You should investigate the causes of the breach and evaluate how you responded. Were the policies you put in place strong enough, or has the breach highlighted a problem you were previously unaware of? You should review and update these policies accordingly.