Watchdog Reports

by msecadm4921

How are financial services firms in the UK addressing the risk that their customer data may be lost or stolen and then used to commit fraud or other financial crime?

Not so well, according to a wide-ranging report by a watchdog, the Financial Services Authority.

The FSA terms poor data security ‘a serious, widespread and high-impact risk’. Many firms are failing to identify all aspects of the data security risk they face, for three main reasons, according to the report. "First, some do not appreciate the gravity of this risk; second, some do not have the expertise to make a reasonable assessment of key risk factors and devise ways of mitigating them; and third, many fail to devote or coordinate adequate resources to address this risk." The investigators found a lack of coordination among departments such as information security, human resources, IT and physical security. "There is too much focus on IT controls and too little on office procedures, monitoring and due diligence. This scattered approach, further weakened when firms do not allocate ultimate accountability for data security to a single senior manager, results in significant weaknesses in otherwise well-controlled firms."

No excuse for ignorance

As the report said, nobody in the UK can claim ignorance of the risk of customer data falling into the wrong hands. "It is good practice for firms to conduct a risk assessment of their data security environment and implement adequate mitigating controls … Our experience of dealing with data loss incidents shows that firms often fail to consider the wider risks of identity fraud arising from significant cases of data loss. Many firms appear more concerned about adverse media coverage than in being open and transparent with their customers."

Vetting

Financial firms’ vetting of staff is variable. "In most firms, more stringent vetting is applied to staff in senior positions – there is little consideration of the risk that junior staff may pose. Many firms, small and large, use third parties for IT maintenance, as well as the backing up of electronic files and archiving of paper documents. Firms generally rely too much on assumptions that contractual terms are being met, with very few firms proactively checking how third parties vet their employees." Large and medium-sized firms usually recognise the risks of data loss via laptops, USB devices and the internet. But few firms completely mitigate data security risks by locking down USB ports and CD writers and encrypting laptops and USB devices.

Confidential waste

There was some good news. The authors found disposal of confidential paper was generally very good. “Every one of the firms we visited demonstrated an awareness of the risk that paper containing customer data could fall into the hands of criminals if disposed of carelessly. All were taking some steps to mitigate that risk by using shredders, locked bins for confidential waste or secure disposal companies. Even firms with poor systems and controls overall were taking some steps to dispose of customer data carefully.” Small firms and branches of larger firms tended to use shredders on their premises, while medium and larger firms usually set up contracts with a specialist secure disposal company. These contractors usually provided locked confidential waste bins for the firm, the contents of which were collected periodically. In an interesting example of how information security, physical security and IT security overlap, the report went from paper-based customer data disposal to destroying electronic customer data held on computers and other devices once it is no longer needed. “This is because fraudsters might try to obtain computers and other devices that have been discarded by firms in the hope of finding customer data stored on them. It usually requires technical knowledge and appropriate software to erase all traces of data. Although a user without technical expertise might delete files and believe that no files are visible on the hard-drive directory, fraudsters could use widely-available forensic software to retrieve, reconstruct and display files that have been erased. This risk can be mitigated, either by wiping the hard drive using specialist software or by removing or physically destroying the hard drive. The same applies to portable media such as USB sticks, CDs and cartridges.” Some IT managers were stockpiling their old computers, not knowing how to get rid of them securely.
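To show why an ordinary delete is not a wipe, here is an added illustration (not from the FSA report or the magazine) using a constructed toy disk: deleting a file only drops its directory entry, so a raw scan of the medium still finds the customer record, whereas overwriting the file's extent before deleting it leaves nothing to carve. The ToyDisk class, the CUST record and the carve function are all constructed for this example.

```python
import os

SECTOR = 512  # constructed sector size for the toy disk image

class ToyDisk:
    """Toy block device: a byte array plus a file table of name -> (offset, length)."""
    def __init__(self, sectors=64):
        self.data = bytearray(SECTOR * sectors)
        self.table = {}
        self.next_free = 0

    def write_file(self, name, payload):
        off = self.next_free
        self.data[off:off + len(payload)] = payload
        self.table[name] = (off, len(payload))
        # Advance to the next sector boundary, as a real allocator would.
        self.next_free = off + (-(-len(payload) // SECTOR)) * SECTOR
        return off

    def delete_file(self, name):
        # Ordinary delete: only the directory entry goes; the bytes stay on disk.
        del self.table[name]

    def wipe_file(self, name, passes=1):
        # Sanitising delete: overwrite the file's extent, then drop the entry.
        off, length = self.table[name]
        for _ in range(passes):
            self.data[off:off + length] = os.urandom(length)
        self.data[off:off + length] = b"\x00" * length
        del self.table[name]

def carve(disk, marker):
    """Naive recovery scan: search the raw bytes, ignoring the file table."""
    idx = disk.data.find(marker)
    if idx < 0:
        return None
    end = disk.data.find(b"\n", idx)
    return bytes(disk.data[idx:end if end >= 0 else idx + 64])

# Constructed sample customer record; not real data.
RECORD = b"CUST:AC-0001;Name=J Smith;Sort=00-00-00;Acc=12345678\n"

def delete_then_carve():
    d = ToyDisk()
    d.write_file("customers.csv", RECORD)
    d.delete_file("customers.csv")
    return carve(d, b"CUST:")   # record is still recoverable

def wipe_then_carve():
    d = ToyDisk()
    d.write_file("customers.csv", RECORD)
    d.wipe_file("customers.csv")
    return carve(d, b"CUST:")   # None: nothing left to recover
```

On real hardware the same idea applies at the device level (whole-drive overwrite, or physical destruction where the medium cannot be reliably overwritten, as the report notes for portable media).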

Awareness

In some larger firms, the investigators saw ‘innovative use of in-house magazines and poster campaigns to raise awareness of basic risks, with the promotion of key security messages via email, screensavers, mouse mats, and ‘post-it’ note logos’.

Physical

The report was not all about IT and software. On physical security, the authors had mixed things to say. They said: "A firm’s first line of defence in mitigating the risk of data loss is preventing unauthorised access to its premises. Nearly all firms had considered the physical security of their offices, and in 21 of the 39 firms visited we observed good physical security. This was often supplemented with either personal supervision around the office and/or authorised swipe access to areas of the business holding large amounts of customer data, such as call centres, IT areas and server rooms. Many firms, particularly small firms located in vulnerable or run-down locations, had installed intruder deterrents such as buzzers or keypad entry doors, alarm systems, barred windows, and CCTV in strategic areas such as car parks and rear entrances. All of these measures gave some protection against the theft of customer data. However, small firms had a general lack of awareness of data security risk, which suggests such measures were in place primarily to prevent the theft of material items such as computer hardware. Two larger firms chose to employ security guards as direct employees of the firm, rather than through a third-party supplier. These firms believed that there was a clear benefit with this approach as they did not need to conduct due diligence of a third party and they were clear about the standard of vetting applied to the security guards. In addition, these firms believed that directly-employed staff were more likely to feel a commitment and loyalty to the firm than an employee of a third party." In ten of the 39 firms visited, the FSA staff ‘observed some alarmingly basic lapses in physical security, which gave rise to a significant risk to customer data and other assets. When we raised our concerns with senior management at these firms, they were generally accepting of the need to review and strengthen current procedures.’ Among the examples: a financial advice firm allowed 12 people, including a security guard, to access their server room. "The security guard was not employed by the firm and senior management had conducted no due diligence of the third-party supplier which provided the security guard; in fact, they did not even know the name of the third-party supplier." The report went into some detail about managing third-party suppliers. For example, a large bank outsourced all functions it deemed to be ‘non-core’, such as printing, marketing, cleaning, security and telephone sales. Each of these functions was carried out by a different third-party supplier and all required access to customer data. In contrast, a similar-sized insurer retained nearly all functions in-house, with minimal reliance on third parties. Smaller firms tended to perform most operations in-house, simply due to the reduced scale of their business, but nearly all firms relied on IT support from third parties. The authors found little evidence that firms either performed data security due diligence on third parties before a contract or audited them during it. The FSA was disappointed to find that firms rarely examined their agencies’ recruitment and vetting standards. “In some cases, firms simply did not know whether third-party staff had been vetted at all … Some firms had not even visited off-site storage locations to assess whether the facilities were secure.”

Laptops

The FSA visited 39 firms, including retail and wholesale banks, investment firms, insurance companies, financial advisers and credit unions. As for a point made in a foreword by the Information Commissioner, Richard Thomas – that it is not appropriate for customer data to be taken offsite on laptops or other portable devices which are not encrypted – the FSA adds that it may take enforcement action against firms that fail to encrypt customer data offsite. The FSA adds that it will offer security fact-sheets on its website. It advised: "As in any other area of their business, firms should take a proportionate, risk-based approach to data security, taking into account their customer base, business and risk profile. Failure to do so may result in us taking enforcement action." You can download the 104-page document.

As some background: last year the FSA created a specialist Financial Crime and Intelligence Division under Philip Robinson. As Hector Sants, FSA Chief Executive told a financial crime conference in April, that division has worked on mortgage fraud and against money laundering. He said: “Financial crime is an area where the landscape is constantly shifting, both in terms of the regime within which we work, and the threats posed to us by criminals. We do not stand still but nor do the criminals whom we are targeting. Gathering robust information on the extent of crime and the risks it poses is a problem shared by regulators, law enforcement bodies, government and the industry.”

Conference

The Financial Services Authority is running an enforcement conference on June 18. It’s exploring the effect of FSA enforcement and how it changes the behaviour of the firms and individuals regulated. It’s at The Brewery, Chiswell Street, London EC1Y 4SD. For details fax 020 7066 3211 or visit;
