Insider raiding

Organised criminal gangs are placing bogus staff in financial firms to carry out fraud.

Criminal gangs are now trying to make big bucks by placing staff within financial companies, according to the FSA’s Countering Financial Crime Risks in Information Security. The regulator researched 18 financial companies, including one IFA, to establish the potential scale of criminal activity. It believes high-tech crime accounts for 74m of the 195m financial crime committed and believes this figure will increase.

However, unlike other business threats, the treatment of IT risk management is often haphazard and can be non-existent. Regardless of whether an IFA or product provider runs its IT internally or outsources it, the risk management rules are the same. IT should be treated like any other business risk.

Advisers can no longer hide behind firewalls, assuming systems are safe. The European Commission in 2003 estimated that the EU needed a further 1.6 million IT and communications operators. In the UK, up to 70,000 jobs are vacant. Many advisers have problems with recruiting and retaining IT staff, especially with the rollercoaster of legislative changes over the last few years.

It is easy to see how someone with a decent CV and a bit of charisma could walk into an IT position – consider journalists getting jobs at Buckingham Palace or major airports. The recent focus on money laundering highlighted that criminal gangs can gain access to jobs at all levels, so it would be naive to assume that the same would not apply to IT fraud and misappropriation of data.

First, someone with board responsibility must be accountable for IT. This goes further than reporting lines. Someone must take an active role in monitoring all threats, risks and vulnerabilities to the company or there is the danger that risk management considerations are subsumed by other commercial pressures.

This person should ensure that information will be protected from unauthorised access, confidentiality will be assured, integrity of information will be maintained, regulatory and legislative requirements are met, business continuity plans are maintained and tested and information security training is provided to all staff.

Second, whether it is an internal appointment or an external contractor looking after your network, the risks to a company are the same and the appointment procedures should be equally stringent. With our contractors working for the Metropolitan Police, Buckingham Palace and 10 Downing Street, the requirements that we impose are very strict but we would argue that they should apply regardless of the organisation. If functions are outsourced, then the insurer must be confident that the sub-contractor is adequately screening all their employees, who may well be freelance or contractors.

Many of the standard checks can also apply to money laundering and, at a minimum, should include name, address, qualification and career validation and criminal record checks – regardless of where the person is from. CCJ referencing and Bank of England terrorist checks should also be taken if the person will be working in an environment where money laundering, fraud or terrorist activity is possible.

Third, businesses need to be much more rigorous in their approach to staff accessing systems. There is little point in spending significant sums on firewalls when the prevalence of laptops, PDAs, external hard drives, USB drives and MP3 devices means that more staff are accessing work computers for private purposes.

Companies should, almost without exception, prevent staff connecting up their own storage devices. Many devices could carry viruses and can easily circumvent security measures designed to stop external attacks. The same policy should apply to all unauthorised software.

Finally, IT departments need to audit big downloads of data either on or offsite. With 160Gb external hard drives costing 100 to 200, a user could download much of a typical small business database. Remote access must be monitored and unauthorised remote access must be investigated.

Specialist IT and cyberspace liability underwriter and claims manager Media/Professional Insurance managing director Chris Newton says: “IT risk management and the extent to which any adviser understands and treats its risk exposure will ultimately dictate whether terms are offered.

“Only once identified and quantified can you devise and implement the strategy to minimise and transfer the risk. The easiest route is via employees and sub-contractors so a company’s human resources and external contract appointment policy must take this into account. It will not be long before those affected by a company’s failure to adopt a joined-up approach to risk management will seek financial redress.”
