Don Scott: Expect a critical event in your IT systems

Regardless of the size of your organisation, it’s inevitable that – at some point – a few bad things will happen. You will be the target of a cyber-attack. Your systems will experience a failure. You will have a data breach.

This isn’t fearmongering. Whether you’re a single-handed IFA practice, or a large organisation, a ‘critical event’ is something all modern businesses should expect.

But that doesn’t mean you and your firm are powerless to do anything. Prevention should be a key part of your operational resilience strategy without a doubt. But it’s even more important to use the critical events that do happen as an opportunity to respond, recover and learn.

Why does this matter? Operational disruption and cyber-crime are not only a pain for your business, causing outages and breaches you need to fix on the fly, they are also very likely to harm your clients.

If these incidents are not managed well, if you don’t learn your lessons for next time (and there will be a next time), you may lose the confidence and loyalty of your clients, directly impacting your bottom line.

Not just an IT issue 

Crucially, ensuring operational resilience is not necessarily an IT responsibility. It is a priority for the FCA, as evidenced in its 2019/2020 business plan, and earlier surveys and discussion papers. Subsequently, operational resilience should be a priority for every business, implemented from the highest levels and overseen by those responsible for compliance.

Getting your house in order 

One of the greatest vulnerabilities for financial advisers is the use of third-party providers and a lack of a comprehensive cyber strategy. When it comes to operational resilience, prevention and preparation is the best way to tackle these weaknesses. You need to protect the perimeter of your systems, assets and networks.

Cyber-criminals will be able to easily exploit vulnerabilities in your systems – vulnerabilities caused by a lack of understanding, and a failure to record key assets, services and third parties.

Therefore, it’s essential to truly get to the bottom of the systems you use and how they impact business resilience, service continuity and customer outcomes.

Tackle this housekeeping in five steps:

1. Know your assets

It’s likely that you have a general understanding of the information assets your organisation holds. You probably have a vague knowledge of the third parties you use. But this all changes frequently, often without adequate assessment of the vulnerabilities of the systems, networks and assets.

Conduct an audit and log the data in an all-encompassing register making sure this information is up-to-date and complete. In particular, you should identify who within the third parties has access to your systems and data and how this could be restricted.

2. Appreciate the business impact

Plenty of firms do not fully appreciate the sensitivity of their information assets, and just how critical these are to the continuity of business services.

Your audit should cover how these assets and systems are used within business services and the impact of failure if they aren’t adequately protected.

3. Assess the customer impact

Are you assessing the risk that failure could have on your clients?

Your audit should include an assessment of how systems outages and breaches will influence your clients’ ability to access and use your services.

4. Develop protective measures

Organisations can neglect to upgrade or replace their information assets in good time, particularly at the end of their usable life. They also often fail to carry out any added risk management practices while assets are replaced.

Cyber-criminals often access systems by exploiting unaddressed vulnerabilities in unsupported assets. You need to understand the impact of cyber-crime and systems failures on both your operations and your customers, responding with effective, risk-based preventative measures.

This should include scenario planning, penetration testing and stress testing to ensure the measures you put in place are as robust as possible.

5. Regularly review

Although some firms regularly review their assets, networks, systems and third parties to identify those reaching the end of their life, they often don’t carry out a complete or continuous review. In some cases, the review may only be done periodically on a manual basis.

You should review periodically with an annual audit and also put processes in place that ensure the record is kept continually updated as assets change over time.

So, now might be time for a spring clean. For many firms this will be a long and complex process combining people from across the business, for smaller businesses it could be completed by one person. Either way, conversations should be happening at the very highest levels in each organisation to make sure this is an ongoing priority, as it certainly will be for the regulator for the foreseeable future.

Don Scott is technical director at TCC


Is volatility dead? No, sell credit

There are several arguments that one could currently make for why credit markets look unattractive. These include signals that the US economy is in late cycle, the fact that corporate leverage has been increasing (with 2016 setting a record for the amount of global bond issuance), and that US high-yield default rates have risen considerably […]


News and expert analysis straight to your inbox

Sign up


    Leave a comment


    Why register with Money Marketing ?

    Providing trusted insight for professional advisers. Since 1985 Money Marketing has helped promote and analyse the financial adviser community in the UK and continues to be the trusted industry brand for independent insight and thought leadership.

    News & analysis delivered directly to your inbox
    Register today to receive our range of news alerts including daily and weekly briefings

    Money Marketing Events
    Be the first to hear about our industry leading conferences, awards, roundtables and more.

    Research and insight
    Take part in and see the results of Money Marketing's flagship investigations into industry trends.

    Have your say
    Only registered users can post comments. As the voice of the adviser community, our content generates robust debate. Sign up today and make your voice heard.

    Register now

    Having problems?

    Contact us on +44 (0)20 7292 3712

    Lines are open Monday to Friday 9:00am -5.00pm