Following the publication of the latest report from the FSA's financial crime and intelligence division, entitled Data Security in Financial Services, any firm that takes client data out of the office on a laptop without first ensuring that the contents of the laptop are encrypted is now at risk of enforcement action from the regulator.
Although it includes extensive examples of both good and bad practice by regulated firms, I find it hard not to see the full document as a damning condemnation of the state of data security in the industry generally, and particularly among small firms.
In my view, the regulator has been very diplomatic when describing some of the practices they found. At the same time, they make it clear that if firms fail to act on their findings, enforcement action is a likely conclusion. Indeed, the report explicitly states that the FSA is likely to repeat this exercise to see if standards have improved.
This is not a case where the FSA has given notice that it will require action to be taken in the future; it is endorsing the position of the Information Commissioner that "it is not appropriate for customer data to be taken offsite on laptops or other portable devices which are not encrypted". This means these requirements are in effect now. There is no grace period.
Laptops are, of course, not the only form of mobile device capable of being used to carry data away from offices. USB devices and a range of portable storage media are widely used in our industry and are increasingly being used as an alternative to conventional paper documentation. While from an environmental and portability perspective this may be attractive, such devices also bring with them significant security risks.
One of the most useful freebies I received from a life office last year was a pen which, when unscrewed, revealed a USB data device. It was really great for carrying around information, although it did give me a chill every time I thought about the data security implications.
It is important for all adviser firms using laptops to understand whether the underlying database within their client management software is encrypted. Having spoken to a number of the leading system providers, I am getting varying reactions. It would appear that not all suppliers have done as much as they might in this situation. Clearly, there is a need for very urgent action on the part of any supplier who does not already have such encryption in place. Even if the database within your client management software is encrypted, the adviser needs to be careful that any Word documents, Excel spreadsheets or Acrobat files containing client data are also encrypted.
I suspect the vast majority of adviser firms will have little in the way of formal policies for encrypting data within their businesses. This is an obvious area where either their client management system providers or portals could provide assistance and, indeed, I would suggest that they should be well placed to do so.
It is perhaps surprising that most of the off-the-shelf anti-virus and firewall products do not extend to these areas. However, off-the-shelf solutions for data encryption of this type do exist. Pretty Good Privacy (http://www.pgp.com/), one of the market leaders in this sector, offers a range of products covering email and instant messaging encryption, full disk encryption and secure file shredding.
There should, however, be the opportunity for software vendors to act as wholesalers for these services to give adviser firms access to multi-user pricing. As the FSA requires that all adviser firms have such security, I believe there is a case for an industry-wide purchase agreement. For example, the PGP products range from £40 to £159 for individual users, depending on the features and type of licence required.
On the other hand, if, as is clearly the case, there is an industry need for potentially tens of thousands of licences, that is, enough to cover every PC or laptop in every adviser's office, there must be massive scope for economies of scale.
While the message on use of laptops is significant, I believe the most important point made by the FSA in the report is that data security is not just an IT issue.
Physical security at adviser firms is recognised as being particularly weak and responsibility for such issues should not just rest with IT. The information gathered during a “know your client” process could easily also be summarised as “everything you need to know in order to be able to commit financial fraud or identity theft”.
As I have identified previously in this column, the value of people’s long-term savings and investment contracts can be significantly higher than the amounts they keep in their bank accounts. Most security procedures involve asking customers for information about themselves that the provider will already know. A copy of a completed fact-find would be invaluable to fraudsters in trying to circumvent such security checks.
The spate of high-profile data losses over the last year or so has significantly raised consumers' awareness of such issues. As a result, most major institutions have significantly increased their levels of security. The net effect must be that fraudsters will increasingly target smaller firms. Against this background, it is essential that everyone working within adviser businesses understands the threats and how to address them.
While at 100 pages, the full text of the FSA report may be too much for all advisers to take in, I would certainly make both the 10-page fact sheet and the consolidated examples of good and bad practice on pages 83 to 95 required reading for anyone working in an adviser firm.
The full FSA report on data security can be found at http://www.fsa.gov.uk/pubs/other/data_security.pdf and the factsheet is at http://www.fsa.gov.uk/pages/Doing/small_firms/general/data_security.shtml.