If you work in the financial services sector, you’ll already be well aware of the Financial Conduct Authority (FCA) and the various regulations and guidelines it puts in place to ensure financial markets are honest, fair and effective.
The authority regulates more than 58,000 financial businesses, from the largest banks, insurers and market infrastructure providers down to the smallest advisers. Cyber security sits high on its list of priorities, and it wants firms of all sizes to build a ‘security culture’ that runs from the boardroom to every employee.
For financial companies, keeping every control in place and evidenced at all times is a big, relentless and often daunting task. It’s not a job you want to get wrong, because the consequences are real if the regulator comes knocking and you haven’t been following the rules.
Financial services: a prime target for attack
Around half of UK companies can expect to suffer a breach of some kind, so cyber security needs to be taken seriously whatever industry you operate in. In financial services the odds are higher still.
There’s BIG money in this sector, and money is the main goal for most cyber criminals. Whatever their size, financial firms also hold large quantities of sensitive personal and financial data which, if compromised, can have a ripple effect across the rest of the sector (and business more generally).
In an industry where trust is fundamental and even the smallest firm is a prime target, a breach could prove catastrophic. The FCA has a wide range of criminal, civil and regulatory enforcement powers to use against firms that fall short of its standards: it can withdraw a firm’s authorisation, suspend it from undertaking regulated activities, issue substantial fines or even bring criminal prosecutions.
And if the press hasn’t already caught wind of the breach, you can bet the FCA will make a public announcement when it begins disciplinary action – publishing details of the warning, decision and final notices. This could cause irreparable damage to a firm’s reputation (and you can wave goodbye to many of your customers if you’re found to be responsible due to poor processes).
That’s where Cyber Essentials comes in…
Luckily, there are ways for companies operating in the financial services sector to protect themselves and their clients. According to the UK government’s own estimate, the controls in the Cyber Essentials scheme can prevent around 80% of common, untargeted cyber attacks.
Cyber Essentials is a government-backed scheme built around five baseline technical controls: boundary firewalls, secure configuration, user access control, malware protection and patch management. Certification shows regulators and clients that your firm has implemented these basics and can evidence them. It complements your GDPR and FCA obligations rather than replacing them, but compared with the documentation burden of GDPR it is a far more approachable standard.
There are two levels: Cyber Essentials and Cyber Essentials Plus. The basic level is a self-assessment questionnaire verified by a certification body. If you are a financial services firm with mostly private clients, this may well be enough to reassure them and to give you an edge over competitors that are not certified. Because it is self-assessed, however, it may not satisfy commercial clients. Cyber Essentials Plus adds independent technical verification, in which an external assessor tests a sample of your systems (including vulnerability scanning) to confirm the controls are actually in place and working.
Reputation is king in this industry, and a Cyber Essentials certificate is a worthwhile addition to investor packs and portfolios, demonstrating that the right processes and documentation are in place. With the extension of the Senior Managers and Certification Regime (SMCR) to solo-regulated firms from 9 December 2019, senior managers are personally accountable for taking reasonable steps in their areas of responsibility. Certification gives them concrete evidence of those steps on cyber security, and gives firms a clear baseline to support their staff in meeting it.