Last month DataFort hosted the second in our popular series of FCA Compliance and Disaster Recovery seminars held at the top of the iconic Gherkin in the heart of the City of London. The aim, to help Financial Services organisations explore the risks involved and the compliance guidelines provided by the FCA. The result, a fully packed room, good solid debate and a lot to think about.
“Expect the unexpected”
The event opened with a wide ranging discussion on the need for people to examine their assumptions on risk in terms of scale and likelihood of disasters. Chris Needham, who has spent a lifetime helping organisations plan their business continuity, explored the notion of risk and preparing for the unexpected.
The main thrust in his entertaining presentation was to encourage organisations to focus on those elements of risk they can both understand and actually manage. To illustrate he quoted some known recent examples: an organisation that placed their data centre in a basement directly underneath the lobby water feature, or another where the evening cleaners took their smoking break in the server room fitted with a fire sprinkler system as it seemed to them to be the most convenient and comfortable.
As disaster recovery issues affect all departments their needs to be a more unified approach taken to overcome the departmental silo effect that often afflicts businesses. So that in the above example it would alert the office facilities manager to the dangers of placing the server room under a water feature as well as making clear to the IT manager that there was an issue having their business servers housed underneath the water feature they walked past every morning.
On the other hand there is no point worrying about those risks that you neither understand nor can do anything about. Many business risk managers expend valuable resources trying to plan for events that they can’t possibly control such as terrorism. “You can accept that there is risk of disruption to the business so ensure that you have the right data protection and disaster recovery process in place to mitigate the risk.”
Business Continuity & FCA Compliance
Having considered the need for all organisations to secure their data and to be prepared for the unexpected, Julie Ampadu, turned to the specifics requirements for Business Continuity and data protection laid down by the FCA. Julie has many years helping and advising Financial Services organisations overcome the hurdles required to maintain regulatory compliance.
Trying to read, let alone act on, all the regulations and best practise requirements produced by the FCA can be extremely challenging. This was the vociferous feedback from a large section of the audience as Julie went through just some of the FCA guidance. However, as Julie pointed out, “you might not like it, and I can really understand that it is challenging, but if you want to operate as an FCA compliant organisation you need to find the resources to do this. Being busy is not really an excuse.”
Julie indicated that one of the reasons that the FCA was becoming more active in their monitoring of compliance was that their research had suggested that there was widespread poor practise around their central three core themes of Governance, Culture and Controls. These included:
Poor Governance and Culture
- Customers are not contacted after their data is lost or compromised
- Data Security is not recognised as a financial crime risk
- Staff are discouraged from reporting data losses due to a ‘blame culture’
- There is no control over how a firm’s third parties protect customer data
- No written policies or procedures on data security
- Failure to learn from peers
Poor Management Controls
- Staff and third parties have access to customer data that’s not required
- Files are not secure
- Password policies are not robust
- Superusers are not monitored
- Staff working remotely do not dispose of customer data correctly
- Data Security training is not provided to staff on a regular basis
- Staff training inadequate
- Back up procedures and controls are inadequate
Through the use of a 50 point GAP analysis exercise Julie enabled the audience to consider if there was anything missing in their compliance plan relating to business continuity. Having undertaken the short exercise, most people in the audience found that there was at least one aspect within their plan that warranted some reconsideration.