FCA joins hands with the ICO. What does this mean for financial services?

  By Gavin Smith


The Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO) have had a close relationship for many years, first publishing a joint Memorandum of Understanding in 2014. In February 2019, the FCA and the ICO released an updated Memorandum of Understanding, outlining a framework for stronger cooperation between the two parties, particularly with regard to the sharing of information. This update was largely driven by the introduction of the GDPR in 2018, which gave the ICO more power and has seen an increase in the level and severity of its enforcement activity.

Due to the nature of their business, financial services organisations will naturally collate large volumes of extremely sensitive information regarding clients and prospects. With FCA regulations stating that many types of records must be held for at least five years, this can lead to huge databases of personal data even for comparatively small organisations.

It is therefore no surprise that the ICO considers that FCA-regulated firms require strong monitoring and enforcement of GDPR compliance. The FCA, in its role as protector of consumers and of the market in general, is also keen to prevent data breaches that could be extremely harmful to the individuals and company in question, not to mention the wider industry.

This stronger, more joined-up relationship between the two parties means there will be no hiding place for firms that are unfortunate enough to suffer a data breach.

So, what should financial services organisations be doing to protect themselves from breaches? The FCA itself has stated that “as part of their obligations under SYSC [Senior arrangements Systems and Controls], firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls”. The important point to note here is the term “controls”: it is not just a case of deploying technology. The FCA and the Bank of England have been quoted as saying that cyber attacks generally exploit processes and people, something that we agree with wholeheartedly.

Following a cyber security framework provides a means to measure resilience levels and a structured method for implementing improvements. In order to implement meaningful changes, however, any such programme requires sponsorship at board level and the adoption of a company-wide culture of cyber awareness and resilience that is driven from the top down.

The first step to take when making improvements to digital resilience is to understand your current position of maturity regarding your technology, processes and people. Accelerate Technologies offers a Security Maturity and Digital Resilience Assessment that provides a benchmark of a company's current position compared to organisations of a similar size and from the same industry, plus recommendations for areas requiring improvement. From that position, a plan can be put in place to take the business to its desired level of resilience, including the adoption of any framework that is deemed appropriate.
