Data protection and cyber-security: some tips for compliance officers

Data is one of the most valuable assets that every financial firm has, not least because it ensures that its clients receive the high quality of service that they deserve and because it helps to protect it from abuse by financial criminals.
Most financial firms store copious amounts of data on a variety of vital information technology (IT) platforms and networks every day. The average firm has bolted many of these platforms together over time and designed many of them long before it truly realised the full gravity of growing threats to the security of its data and its cyber-systems - and, indeed, before data-protection legislation grew truly onerous.
Data is a valuable commodity for cyber-criminals and HNW clients
are entitled to have their data protected in line with the
principles of the European Union's General Data Protection
Regulation and other laws. Firms ought to be storing this data
securely, confidentially and with integrity.
When, not if
We all know that a cyber-attack is an inevitable consequence of the digital age and that every firm can expect to experience one sooner or later. High-profile incidents such as Sony, the Panama Papers and the WannaCry attack have made people more aware than ever of the threat that cyber-criminals pose to the reputation of the financial sector. The European Union's General Data Protection Regulation (GDPR) has made people more accountable and helped to protect clients' data.
Due skill and care
Data protection and cyber-security are not simply IT issues; they are also regulatory issues and reside at the top of every board's agenda. However, even though directors have many responsibilities, how many of them can honestly profess to be IT experts with a full understanding of the controls that relate to data protection and cyber-security that their firms have in place, thereby fulfilling their duty to be skilful and careful?
Directors may not know the right questions to ask their IT staff and they may not understand the answers that they receive. A director might think: "did the IT man say this-or-that just to mollify me, or should I press him for more answers?"
Traditionally, IT practitioners are backroom boys who have little contact with others in the business, using (literally, in respect of coding) a completely different language; I can draw many comparisons between them and compliance practitioners 20+ years ago. Now they find themselves at the top of every board's agenda and have to report to boards or committees regularly, while dealing all the time with constructive criticism. They often lack crucial report-writing and other communication skills and training. They are no experts on corporate governance or their firms' regulatory responsibilities and might not appreciate the reasons why their boards are taking such an interest in the first place.
Diversity is a good thing
When different professions come into contact, misunderstanding
and conflict often result. However, the coming together of people
of different professional backgrounds can create an invaluable
diversity of expertise because they are well suited to
challenging each other's ideas and debating weighty matters. Such
cross-fertilisation should be welcomed as an antidote to
stultifying 'groupthink.'
Let's work together
A crucial step for a financial firm that wants to improve its
data-protection and cyber-security controls is that of ensuring
that all major parties know what the firm expects of them and
appreciate each other's motivations and obligations. By
understanding each other's problems and by talking to each other
effectively, they can deal with the dangers that might befall the
data. Clients are likely to be unsympathetic to any company that
does not keep its data secure and takes a lackadaisical approach
to cyber-security.
Risk
Controls that protect data and make IT systems more secure have
to follow the same broad principles as any other way of managing
risks – the firm must identify and measure the dangers, implement
mitigating policies, procedures and controls, test those controls
periodically and re-evaluate and improve them regularly, where
necessary.
Risk registers
A financial firm ought to gauge, record and measure its exposure to problems, review that exposure continually and decide on the technical controls (see below) by which it can diminish it.
It can also identify a confluence of risks by setting up a risk
register. This is a document in which a risk manager (or, in this
case, a compliance officer) writes down information about each of
the relevant risks that he has spotted, including its nature, its
reference number, its likelihood and impact, the person responsible
for managing it (its 'owner') and the steps to be taken to offset
it. He can display all this as a scatterplot or in a table.
Technical controls
The term 'technical control' refers to the use of IT as a protection against threats. Examples include many well-known methods such as firewalls, which block unauthorised traffic entering or leaving a network, two-factor authentication as an added barrier to anyone who wants to enter a system, programmes that detect phishing emails, the prompt application of security patches, the regular backing-up of systems and, very importantly, checks to see that the back-ups have been successful and that data is retrievable from them. These controls are far from perfect and the world of cyber-security is constantly changing, so the compliance officer should conduct routine and continual reviews to spot emerging risks.
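The last of those controls, checking that a back-up is actually restorable, is the one most often taken on trust. The following Python script is an added illustration of what such a check looks like in practice; it is not part of the original article or of any firm's tooling. It writes a SHA-256 manifest alongside a back-up at the time the back-up is taken, then verifies a restored copy against that manifest, reporting files that are missing, corrupted or unexpected. The client files, directory names and the "restore" are all constructed in a temporary directory for the demonstration.

```python
"""Back-up restore verification (added example; sample data is constructed).

A manifest of SHA-256 digests is recorded when the back-up is made and
kept *outside* the backed-up tree (ideally on separate, write-once media),
so that a corrupted or tampered back-up cannot also rewrite its own
checksums. A later restore test compares every restored file against it.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large back-ups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record relative path -> digest for every file in the back-up; return the manifest path."""
    manifest = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }
    # Stored next to, not inside, the back-up so it is never part of what it describes.
    manifest_path = backup_dir.parent / (backup_dir.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify_restore(restore_dir: Path, manifest_path: Path) -> dict:
    """Compare a restored tree with the manifest. Any non-empty list other than 'ok' is a failed test."""
    expected = json.loads(manifest_path.read_text())
    result = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        restored = restore_dir / rel
        if not restored.is_file():
            result["missing"].append(rel)
        elif sha256_file(restored) != digest:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    present = {p.relative_to(restore_dir).as_posix() for p in restore_dir.rglob("*") if p.is_file()}
    result["unexpected"] = sorted(present - expected.keys())
    return result


def demo() -> dict:
    """Construct a tiny dataset, back it up, then test a clean restore and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "ledger").mkdir(parents=True)
        (live / "clients.csv").write_text("id,name\n1,Example Client\n")   # constructed sample data
        (live / "ledger" / "2023.json").write_text('{"balance": 100}')   # constructed sample data

        backup = root / "backup"
        shutil.copytree(live, backup)
        manifest = write_manifest(backup)

        clean = root / "restore_clean"
        shutil.copytree(backup, clean)

        damaged = root / "restore_damaged"
        shutil.copytree(backup, damaged)
        (damaged / "ledger" / "2023.json").write_text('{"balance": 1000}')  # silent corruption or tampering
        (damaged / "clients.csv").unlink()                                  # file lost during restore

        return {"clean": verify_restore(clean, manifest),
                "damaged": verify_restore(damaged, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for the compliance officer is the second half of `demo()`: a back-up job that reports "success" tells you only that the copy was written, while the restore test above is what shows that the data can actually be read back intact, and it gives the board a concrete, repeatable artefact (the verification report) rather than an assurance.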
External validation
The use of 'ethical hackers' can give the compliance officer's firm an additional layer of confidence: they deliberately, and with permission, attempt to hack workplace systems and networks. In this way they can expose hitherto-unknown weaknesses and help the firm to rectify them.
Accreditation firms can assess financial firms' controls and, if
all goes well, award them 'kitemarks' (such as the Cyber
Essentials Plus certificate) which the firms can then show to
regulators and customers. The assessment process is a healthy one
in and of itself because it checks the 'health' of a firm and
identifies areas for improvement.
Policies and procedures
People are often complacent and easily distracted and therefore
pose one of the largest problems for cyber-security. When a
compliance officer develops policies, procedures and controls in
this area he must take account of this.
Good culture, the so-called "tone at the top" and the continual
training of staff are also important in helping a firm to
overcome its weaknesses. What use is there, for example, in a
firm insisting on its staff using complicated and secure
passwords if the CEO has a piece of paper stuck to his keyboard
with his password written on it?
If the firm's policies and procedures are not to be circumvented,
it ought to be clear about its expectations of its people, their
access to various systems, the difference between acceptable and
unacceptable behaviour and ways in which to deal with bad
incidents. It must write these things down, tell its employees
about them and check to make sure that they have understood.
The firm might also want to institute a Bring-Your-Own-Device
(BYOD) Policy to govern the way in which employees use their own
personal devices to access the company's systems and data. Many
benefits accrue to a company when its employees use their own
devices - it is cheap and allows for flexible working
arrangements and business continuity planning - but the practice
also endangers cyber-security. What happens if someone loses his
device or innocently downloads a spyware-laden game onto it? He
ought to know what to do in either of these circumstances.
The training of staff
Policies and procedures, without adequate information and
training being given to staff, are worthless. A company can do a
lot to help its people realise how cyber-security problems might
affect it (and them) by giving them meaningful examples,
especially if they are drawn from its own experience.
A compliance officer can gauge the effectiveness of training by
sending staff deceptive emails that imitate malicious ones and
observing how they respond to this simulated phishing, thereby
spotting gaps in their knowledge. He must, however, take care not
to reprimand them too harshly for their mistakes, because a culture
of blame discourages people from reporting incidents. Phishing
attacks can be very sophisticated and difficult to spot.
Communication during a crisis
'Crisis communication' is a public-relations exercise by which a
firm tries to limit the damage that a disaster does to its
reputation and compliance officers might find themselves involved
in it when there is a cyber-attack. As we have said, such an
attack is highly likely and every firm must prepare for the
inevitable before it happens.
The firm must have a list of clients, shareholders, regulators,
data protection authorities (to which the GDPR requires a
personal-data breach to be reported without undue delay and, where
feasible, within 72 hours of the firm becoming aware of it), law
enforcers and newspapers. It must plan, as far as it can, how to
communicate with the media during that difficult time.
There are many poor examples of crisis communications, TalkTalk
being a well-known case from 2015. The person who is destined to
be the face of the firm during a crisis must be well-prepared and
able to cope under intense pressure during interviews with the
press.
If and when the compliance officer prepares an outline of things
to say in a crisis, he must take the priorities of every
interested party into consideration. He might even want to do
this in a general way before the crisis occurs. He must also ask
practical questions about who has the password for the company's
LinkedIn or Twitter account and what happens if they are on
holiday when an incident occurs.
Containment and recovery
Even though every firm that suffers a cyber-attack ought to want to contain the situation and recover from it, ideally recovering lost data, the police might want the attack to continue, at least to a certain extent, so that they can trace the guilty. This might play havoc with the compliance officer's priorities and responsibilities. How can a company allow a cyber-attack to continue? Conversely, how can it ignore the advice of the police without facing legal action itself? This is the compliance officer's dilemma.
* Sandra Lawrence can be reached on +44 1481 734808 or at sandra.lawrence@collascrill.com