IT Security in Financial Services

Nearly all businesses are dependent on their IT systems, but few carry the burden of compliance – and the consequences of non-compliance – to the same degree as organisations in the financial services sector. This was illustrated last year by two unrelated but equally alarming events.

  • In August, JP Morgan was subjected to a cyber attack in which hackers obtained the names, addresses, e-mail addresses and telephone numbers of 76 million households and 7 million small businesses. The bank was quick to reassure its customers and the market that no account numbers, passwords or other account information had been obtained and that there was no evidence of the bank or any of its customers having been defrauded, but it will inevitably have suffered considerable reputational damage as a consequence of the incident.
  • In November, the Financial Conduct Authority and the Prudential Regulation Authority fined RBS a combined £56m (£42m from the FCA and £14m from the PRA) in response to an IT failure in June 2012, caused by a botched software upgrade to the group's batch processing system, which led to a backlog of more than 100 million unprocessed payments across RBS, NatWest and Ulster Bank. Customers were unable to access their accounts to carry out day-to-day transactions, and standing orders such as mortgage instalments and payroll payments were not processed. In addition to the fines and remedial costs, it was reported that RBS paid compensation in the order of £70m to those affected: some 6.5 million customers, roughly 10 per cent of the UK population.

Incidents of this nature are not confined to the financial services sector; the cyber attacks on the retailers Target and Home Depot, and more recently on Ashley Madison, were in many respects more high-profile and wide-ranging than the attack on JP Morgan. However, financial services institutions by their very nature hold customer financial information, which makes them an attractive target for hackers. In addition, the high level of regulation in the financial services industry increases the likelihood that a cyber attack or IT failure at a bank or other financial institution will give rise to a significant fine and to the payment of compensation to customers.

Current and forthcoming legislation

Cyber security is probably a bigger headache for compliance officers than IT failure, given that most cyber attacks are undertaken with a degree of fraudulent intent and the theft of customer data or other confidential information is often the primary objective. It is also a topic which is currently highly newsworthy and prominent on the legal and regulatory agenda.

The Network and Information Security Directive, which is likely to be finalised over the coming months, will set out minimum information security standards for operators of essential services in the EU and mandatory procedures for reporting security breaches to national authorities. The scope of the directive is yet to be determined and certain industry sectors are lobbying for exclusion. However, the requirements are almost certain to extend to organisations in the financial services sector, given that banking and financial market infrastructure are viewed as critical sectors, although it remains to be seen whether the new directive will impose security obligations which go beyond current standards. Despite incidents such as the ones referred to above, most financial services organisations already have robust and well-developed information security policies.

A cyber attack which leads to customer information being released into the public domain could also be a breach of data protection legislation. The consequences will depend on the applicable regime. Under the Data Protection Act 1998 a breach can result in a monetary penalty from the Information Commissioner of up to £500,000. The long-awaited EU Data Protection Regulation will stipulate a significantly higher maximum fine: the text proposed by the European Parliament sets it at €100m or 5% of annual worldwide turnover, whichever is the higher. This, of course, will be in addition to any fines levied by the financial regulators.

Good practice

Although a cyber attack and a software failure will not always share a root cause, robust information security procedures and general good governance will minimise the risk of both and should also ensure compliance with data protection requirements. There are several steps which can be taken to strengthen information security and reduce the risks.

  • Effective risk management policies should be in place to ensure that customer data and other business-sensitive data is protected. These policies should be expressed clearly and concisely, and be accessible to all relevant employees (which in many cases will be all employees). They should state the importance of information security and set out the procedures to be followed to minimise the risk of the business's operations being disrupted, or customer data compromised, by a cyber attack or software failure. The policies should include a single sheet of "dos and don'ts" which employees can keep to hand. Many of these requirements will be straightforward and of general application, such as setting strong, unique passwords and not sharing them. Others will be more complex and will depend on the exact nature of the business and its data systems.
  • The business's IT security should be thoroughly audited on a periodic basis, preferably by experienced independent consultants. These audits should include technical testing (vulnerability assessment and penetration testing) to identify any weaknesses which could allow attackers to gain access to IT systems, not just a review of documented policies. A typical arrangement may be a full audit every 12 to 18 months with additional, more focused reviews whenever a new software product is introduced or there has been an incident which may give rise to concerns over the security of the system. Each review should result in appropriate revisions to policies and procedures so that they continue to respond to the needs of the business, and findings should be tracked to closure.
  • In addition to audits, the IT systems should be continuously monitored by appropriately trained employees, with logs collected centrally and alerts reviewed promptly, so that an attempted or successful cyber attack is detected rather than discovered months later or reported by a third party.
  • Data should be structured and segregated in such a way that if there is a cyber attack, business-critical or confidential data, including customer data, will not be easily accessible: sensitive data should be held separately from internet-facing systems, access should be limited to those who need it, and data which must be retained should be encrypted so that a compromise of one system does not expose everything.
  • Software products should be kept up to date with the latest security patches, especially products which form part of the business's IT security, and versions which are no longer supported by their vendor should be retired. Upgrades should be applied as soon as practicable once they have been tested.
  • Care should be taken when new IT products are integrated with existing systems, for example if a bank is introducing a new payment platform. Poor integration could put a strain on the IT system as a whole, increasing the likelihood of a system failure and possibly creating a point of weakness which would allow access for a cyber attack. Changes of this kind should be tested and have a rehearsed rollback plan before they go live.
  • All data should be backed up on a regular basis, with at least one copy kept separate from the live systems, and restoration from backup should be tested periodically. A backup which has never been restored cannot be relied upon. This makes recovery from a system failure more straightforward, minimises business interruption and reduces the risk of a fine or the payment of compensation to customers.
  • The risk management procedures should include processes which enable the business to deal rapidly and effectively with the consequences of a cyber attack or IT failure. For many organisations in the financial services industry this will involve having in place a rapid response team, overseen by the CISO or senior compliance officer, comprising representatives of senior management, day-to-day users of IT systems and those who support them, lawyers, and potentially PR advisers who can assist in managing the adverse publicity that could arise from an incident. The plan should be rehearsed before it is needed and should set out who is responsible for notifying regulators and customers, and within what timescales.
  • Those responsible for data security must keep up to date with developments in the legal and regulatory framework in which the business operates. The FCA publication "Financial crime: a guide for firms" contains a useful, but not mandatory, section on data security. As noted above, the Network and Information Security Directive, when implemented, is likely to set out minimum standards for the security of data and may introduce requirements for the reporting of cyber attacks. There is also extensive existing and proposed legislation on data protection and on the reporting of breaches of data protection requirements.
  • The business should have appropriate insurance policies in place to cover the financial impact of a software failure or cyber attack. This is likely to involve policies covering the operational risks of IT failure and a bespoke cyber security policy. Insurance policies which cover the risks of a cyber attack are relatively new, but will no doubt become mainstream and more widely available. Taking out or renewing a policy will itself provide the occasion for an audit of information security systems and policies, as the insurer will work with its client to assess the risks and price the policy accordingly. It also provides an opportunity for the CISO to demonstrate to the business the importance of robust policies, as the premium payable will be much lower if the information security policies provide a high level of protection.

These arrangements should be supported by clear statements from senior management encouraging a culture of compliance. Ultimately senior management is responsible for protecting the business's operational and customer data, but all employees should understand that they have an important role to play in following the designated procedures. The costs of setting up and maintaining these arrangements can be significant, but they do not bear comparison with the potential consequences of a data breach or system failure.

If you would like assistance with developing your IT risk management policies, managing the consequences of a cyber attack or IT failure, or any other issues raised in this article please contact us at [email protected]. We will be happy to help.

Xavier Costa

Partner at RocaJunyent. Corporate M&A. Co-Head International Department RocaJunyent.

8y

Good read. Thanks Lee
