8/19/2016

White Paper: FCA and ICO/DPA technology guidelines | Serviced Cloud


7 ways to better meet FCA and ICO/DPA technology guidelines

TECHNOLOGY COMPLIANCE FOR ALTERNATIVE INVESTMENT COMPANIES AND OTHER ORGANISATIONS IN SCOPE OF FCA AND ICO/DPA REGULATION

Introduction
Perhaps one of the most important things the 2007 credit crunch and the ensuing global economic recession
demonstrated is the degree to which the world depends on the financial industry. Consequently, the rationale
for robust regulatory oversight of the financial industry is compelling.
Technology is a fundamental enabler of the finance industry. The financial system is interwoven with and highly
reliant on technology. Technology changes quickly and the threat environment may be characterised as agile
and blended, with a need for constant vigilance.
Today the Alternative Investment Fund Managers Directive (AIFMD) and the Capital Requirements Directive IV
(CRD IV) are primary tools governing the core business of UK domiciled alternative investment firms.
Technology is governed by Financial Conduct Authority (FCA) guidelines in conjunction with the Information
Commissioner's Office (ICO), which carries out enforcement action for breaches of the Data Protection Act (DPA).
As a result there is a mix of recommendations and mandatory compliance points. This means some areas are open
to interpretation, and there is a need to understand where any distinctions exist and act appropriately.
The objective of this regulatory approach appears to be to create a culture where financial services businesses
demonstrate a responsible approach and a willingness to consider their use of systems and any risks that need
to be mitigated.
In this guide we discuss 7 ways alternative investment businesses, and professional services companies
supplying services to regulated firms, are able to improve their ability to meet FCA or ICO/DPA regulatory
guidelines for using technology within their businesses.
http://www.servicedcloud.com/whitepaper/7waystobettermeetfcaandicodpatechnologyguidelines
DRIVE IT FROM THE TOP DOWN

Wherever there is a failure of leadership to assert control and set high standards for a business and its
employees, there is often the potential for significant problems.

Take responsibility at board level


Ultimately, FCA/ICO compliance is a governance matter and it needs to be owned by the board and driven from
the top down. Leave no doubt about standards by promoting a culture of resilience and security. There should
never be complacency around the value of information and cyber security.
The board should set up a process to ensure it is satisfied about policies and procedures for protecting
information, especially where dependencies lie with third parties or with a parent group. Cyber security should
be under the control of a CIO (Chief Information Officer) or someone with the equivalent accountability at board
level.
It is important that procedures are in place to deal with cyber-attacks, to prevent fraudulent communications
by both voice and email, and to safeguard against money laundering.

Enforcement action: The Money Shop
Date: 06 August 2015
Type: Monetary penalties
Sector: Finance, insurance and credit
The ICO has issued a £180,000 civil monetary penalty to The Money Shop in response to the loss of
computer equipment containing a significant amount of customer details.

KEEP YOUR SYSTEMS UP-TO-DATE

Many fines are issued by the ICO for failing to take reasonable steps to prevent hacking. Hackers often exploit
vulnerabilities (that's IT code for holes in security) to gain unauthorised access to networks, systems and data.

Simple to plug security gaps


One of the most fundamental principles of IT security is to plug gaps by maintaining up-to-date software
versions. This is done by regularly updating or patching with updates downloaded from, or automatically pushed
out by, software vendors. Many of the firms that have been fined could have escaped a financial penalty simply
by taking the reasonable step of ensuring their systems were kept up-to-date.

TIGHTEN UP STAFF SECURITY

Employees are only human, and even in the most secure environments, people are often responsible for
breaches, either through deliberate action or failing to observe security policies and procedures.

Passwords
One key aspect is password access and control. Companies should have strict password control policies. Users
should not use the same username and password combinations for company and personal accounts, as this would
allow hackers to gain access to company data and systems by stealing account data from personal or
consumer accounts. Forcing regular password changes is one option, or consider Dual Factor Authentication
(two-factor authentication). This means a unique one-time key is required at every login, so knowing a
username/password combination alone is not enough to gain access.

Data loss
Incidents of employees taking data offline (e.g. on a USB stick or a laptop) and then losing it are frequent.
Consider prohibiting the practice or only allowing download to secure devices - those managed by the business
and with encrypted storage - that are only accessible using a username/password combination.

Activity monitoring
Consider monitoring communications activity. Record all telephone calls and archive all email. Some companies
record all network activity, although this is more for internal security rather than for FCA compliance.

HR Policies
Consider consulting with HR to review any points where security has touch points with HR policies. Some
examples where issues may arise include:
Hiring
New hire induction
Ongoing training
Disciplinary procedures
Termination of employment
Dual Factor Authentication
Offline working with company data
Online working with data encryption
Activity Monitoring

Enforcement action: Jala Transport Limited
Date: 26 September 2013
Type: Monetary penalties
Sector: Finance, insurance and credit
A monetary penalty notice has been served on Jala Transport, a small money-lending business, after
the theft of an unencrypted portable hard drive containing its customer database.

KEEP ON TOP OF DOCUMENTATION

Always ensure up-to-date network documentation is available. Similarly, request documentation from your
partners and any other third parties.
Typically, documentation should include information on:
Who has access to what?
What is the update procedure?
How is data secured?
What is the backup procedure?
What is the disaster recovery plan?

Enforcement action: Think W3 Limited (Thomas Cook subsidiary)
Date: 23 July 2014
Type: Monetary penalties
Sector: Online technology and telecoms
Think W3 Limited, an online travel services company, has been served a £150,000 monetary penalty
after a serious breach of the Data Protection Act revealed thousands of people's details to a malicious
hacker.

RFI
External firms may submit a Request for Information (RFI) before commencing trading with your company. This
will almost certainly include questions on software, versioning and IT security. Likewise, your business should
consider issuing an RFI to any new partner before doing business. Also consider formalising documentation for
existing partners if an RFI has not previously been part of the partner engagement process.

Demonstrating a responsible approach


Maintaining up-to-date documentation means you have the right information to hand whenever it is requested
from your business. It reassures senior management everything has been given reasonable thought and
appropriate systems are in place. Documentation can easily be passed to the FCA if required, to demonstrate a
responsible approach.

PLAN FOR DISASTER

Data backup, disaster recovery (DR) and business continuity (BC) planning are closely inter-related. Like many
areas of IT there is no absolutely right or wrong way. There is a menu of different elements that may be mixed
and matched together to form the right solution to meet the specific needs of a business.
The core question is: How long can you afford the business to be offline? Once you establish this maximum
tolerance to a loss of IT services, you work backwards from there. Some points to consider are:

Avoid backup tapes

A credible backup tape regime requires tapes to be physically taken offsite, inviting the potential for loss. There
are a number of examples of companies losing them and getting fined. Tapes and autoloaders are also
expensive and prone to failure because they are mechanical. Online backup is more reliable and secure.

Data retention
Backup is central to the data retention strategy. Creating a reliable archive of legacy data is essential for
compliance with FCA data retention rules. Ideally, legacy data needs to be kept accessible but out of the way,
and this should guide the design of any hierarchical storage system for filing and retrieval.
FCA retention periods for data

Record type                                Retention period
Emails                                     6 years
Record of election to comply               Indefinite
All other financial records                3-6 years
MiFID                                      1-5 years
Basel II risk legacy data                  2-5 years
Telephone & electronic communications      6 months

Identify single points of failure


Typical single points of failure include power, network and servers. Look for anything of which there is only
one. At the top level, the whole of an office or site is a single point of failure. To mitigate the loss of an
entire site, it's often easier to replicate all of your data to another site. Then comes the question "How far
away is far enough?"

Data replication
The potential for disasters, both natural and man-made, is a key consideration when determining the
distance to the replication site. Many businesses in the UK conclude that a distance of 50 miles is appropriate.
For even better risk reduction, consider replicating in more than one place. Remember to include telephone
systems.

Document disaster recovery plans


Whatever the specific process for disaster recovery, it's vital to document the disaster plan.
Key DR plan information includes:
Who instigates the plan?
Where is the recovery site?
How are employees notified?
How long before the business returns to operational status? (Sometimes referred to as the Recovery
Time Objective, RTO)

COMMISSION AN EXTERNAL AUDIT

Consider assessing your systems against ISO 27001, the management system standard for information security,
by checking partner credentials, commissioning an external audit or carrying out penetration testing.

External IT partner
If you have an external IT partner ensure you check its credentials. It should be appropriately accredited and
should adhere closely to industry best practice for information security.

Internal IT team
If you have an internal IT team, consider getting a second opinion by engaging an appropriately accredited
company to audit your network. An internal IT team may only have in-depth experience of your own environment.
Employing an external team to check the systems often gives an insight into your network that you may
otherwise not be able to obtain.

Penetration testing
Consider penetration testing, or "pen testing". This is the process of stress testing your systems to see whether
a tiger team of computer security professionals, acting as hackers would, is able to break through and gain
access to your network, servers and data.

REVIEW PHYSICAL SECURITY

Companies that keep all their data in the office should review physical security with an audit. Some typical
questions that might be used to audit physical security include:
Who has access to the office? (Don't forget cleaners, caterers and security guards)
Are all computer workstations including laptops and tablets locked when not in use?
Who has access to the server cupboard, comms room or data centre?
Are there access control records documenting entry and exit of the premises?

Offsite datacentre
To mitigate physical security risks, consider the benefits of locating data in an offsite data centre. Any choice of
data centre should be governed by accreditation to ISO 27001, which means the facility is audited for physical
security in line with the management system standard.

Data sovereignty
It is vitally important to consider the issue of data sovereignty, the geographic locations where data is stored.
When evaluating offsite data storage it is essential to understand where data may be stored by service
providers. Changing legislation and challenges to agreements such as Safe Harbour mean the landscape may
shift suddenly.

Enforcement action: Staysure.co.uk Limited
Date: 24 February 2015
Type: Monetary penalties
Sector: Finance, insurance and credit
An online holiday insurance company has been fined £175,000 by the ICO after IT security failings let
hackers access customer records. More than 5,000 customers had their credit cards used by fraudsters
after the attack on Staysure.co.uk.

Why is Serviced Cloud a preferred technology service provider to the finance sector?

Serviced Cloud is a specialist provider of cloud technology solutions to the financial sector. Serviced Cloud has
the expertise and experience to help alternative investment companies, and those supplying services to
regulated businesses, to meet their regulatory obligations or follow guidelines on the use of technology.
The exact rules a regulated firm needs to follow, and their interpretation, are often determined by an in-house
compliance officer or compliance team. This means FCA compliance is highly subjective. Getting it wrong can
be a costly mistake.
Serviced Cloud works with in-house compliance experts or external consultants to ensure any solution exceeds
their interpretation of the regulatory code. Serviced Cloud is able to provide the appropriate level of services
required by the majority of SME FCA-regulated businesses.

About Serviced Cloud


Serviced Cloud is a close-knit and highly professional team of technology professionals who are evangelists for
cloud solutions. This is because we believe the benefits are unrivalled by equivalent on-premise approaches to
provisioning business technology.

The business benefits of the cloud are regularly highlighted in the press and deliberated in boardrooms. Cloud
technology is a topic about which the vast majority of business leaders are likely to have more than a passing
interest.
Based in the heart of London in Canary Wharf, Serviced Cloud was incorporated in 2009 with a clear and simple
vision. We are dedicated to helping business leaders in financial service organisations find the best way of
successfully adopting cloud technology in their businesses. We offer best of breed Hosted Cloud Services in our
ISO27001 London data centres, and help clients to create their own Private Cloud systems in their own offices
or data centres.
Our friendly and professional engineers and consultants have extensive experience, proven track records and
can-do attitudes. We offer independent advice but partner with the leading cloud technology companies to
ensure seamless support. We are service focused; our clients' satisfaction is paramount.
