Part I: Security and compliance
Let’s start on a positive note: when it comes to the UK mid-market financial services sector, we are bullish.
It is an indispensable industry, and Britain boasts institutional experience, high-quality companies offering innovative services, and a sophisticated, forward-thinking market. Whatever is in store for the UK economy as a whole, British financial services will remain a world player, and domestically it will remain critical to our institutions, businesses, and personal lives.
In our own recent experience, we are seeing real buzz in mid-market companies in a broad range of financial services areas, including:
- Insurance
- Payments
- Financial processing
- Wealth and investment management
- Community banking and lending (e.g. building societies)
- Boutique PE houses
- Funding platforms
- The whole range of professional and consulting services
Now for the difficult bit. We can’t have a clear-eyed discussion of financial services without acknowledging the twin upheavals of Brexit and COVID-19.
As for Brexit, we do feel confident that London will continue to be a global financial centre. But we may see an impact on financial services centres within Britain, such as Manchester, Leeds, and Edinburgh. Also, it is an absolute certainty that compliance and regulatory obligations will be more complicated.
As for COVID-19, whilst Britain is thankfully opening up again, the lockdown exposed the security weaknesses and process issues of so many companies. We weren’t surprised when Deloitte reported a spike in ‘phishing attacks, Malspams and ransomware attacks’ by criminals looking to take advantage of the confusion.
Another difficult bit: security and compliance issues are especially difficult in the mid-market space. It is subject to many of the same complicated regulations and cyberthreats as the giant multinationals, and yet mid-market firms don’t have the same resources to deal with these problems.
What follows is an overview of how mid-market financial services firms can handle security and compliance issues without punishing expense and, at the same time, increase efficiency, improve customer satisfaction, and fatten margins.
Data security is the cost of doing business
Data security is a growing problem, and it’s only going to get worse.
Verizon, the American telecom, analysed more than 150,000 incidents worldwide and confirmed nearly 4,000 data breaches in 2020. This is only what one company analysed, and the year isn’t over yet! To make matters worse, around twenty-five percent of these attacks were in the financial services sector.
Why the explosion of cyberattacks in financial services? As the famous American criminal Willie Sutton said when asked why he robbed banks, ‘because that’s where the money is’.
More specifically, the rush to homeworking has exposed the security weaknesses of many companies. Ten years of behavioural change were compressed into ten weeks; staff and IT teams weren’t prepared for it.
When we speak of security, however, we are not only speaking about what happens online. In our digital age, too many businesses aren’t careful enough about the connections between data security and what happens offline. Thieves no longer pilfer the post for the cheques, but to aid in identity theft. They steal mobiles not to sell the device for quick cash, but to use as a source of inside data that helps them find the soft way in for ransomware.
Remember: all the firewalls in the world won’t help if a thief gets access to the CFO’s email account! A lot of stolen cash is transferred willingly by authorised finance staff who cheerfully think they are following instructions from the real CFO, when in reality it’s a clever scam.
Another frequent lapse is how often businesses remain unprepared for disruptions, whether due to natural disasters or human error. Due to the 2014 floods, the average small business lost £82,000 and fifty working days. And then it happened again in 2019.
It isn’t just flooding. Experts predict that extreme weather events will become almost commonplace in Britain, so it is in your best interest to prepare your business for them, just as you should prepare for other mishaps. A few examples of what we’ve seen with our clients:
- A new office building experienced a structural failure, forcing the immediate need for an alternative site.
- An external contractor accidentally cut the cables, leaving the business without Internet – meaning no access to email or systems or cloud-based files!
- An IT service provider went bust, leaving the company without access to their servers.
In each instance, we helped our clients keep their doors open and recover. But it would have been easier (and less expensive!) had they brought us in earlier, because we already knew that disaster preparedness is just part of running the IT function.
Find the risks before they find you
The first step for a CEO looking to mitigate security concerns is to create a risk-and-issue log. This is simply a list of the risks and issues your company faces so that you can have a plan for when something happens.
For the log to be effective, it needs to:
- Describe each risk and issue;
- Rate the chances of its occurrence (or recurrence);
- Estimate the potential damage to the business;
- Based on the above, prioritise each problem;
- Clarify how each problem will be mitigated or resolved.
Nothing should be off the table, even scenarios that seem extremely unlikely. In 2019, most Western businesses thought a global pandemic was completely ridiculous! But companies with experience of SARS knew it was very possible.
Once you’ve created the log, it needs to be maintained and managed. (There are few things more useless than an out-of-date risk-and-issue log.) Thus you absolutely must appoint a high-level executive as the person responsible for (a) maintaining the log and (b) mitigating the risks it has revealed. Without clear ownership and responsibility, the log will fade into the background. And then during the next emergency – because there will be one – the recovery will be longer and harder. That is, if your company survives.
Are we being too dramatic? Perhaps. The good news is that, as Freeman Clarke Principal Bruce Pomerantz points out, ‘It shouldn’t be burdensome to produce this.’ It will of course take time and attention. But producing and maintaining the log is not an especially complicated process, and your business will be stronger for it.
Even the process of bringing the senior team together to identify and discuss the risks creates a common understanding, flushes out issues, and builds preparedness.
Compliance comes with the territory
Compliance, as you already know, means following the regulations of external authorities. An equally important part of compliance is proving compliance.
Before we get into more detail, let us remember that in financial services, legal requirements are nothing new or surprising. Just like data security, it is part of doing business in this sector. And when considered as part of a larger effort to streamline your systems and processes, it needn’t be prohibitively expensive or oppressive.
Compliance can even be part of your business strategy: for mid-market businesses looking for points of difference, there are opportunities for companies who can demonstrate their commitment to compliance, as well as for companies offering compliance consulting and services.
Regardless, like data security issues, compliance is not going away, and it won’t get any easier. Whatever your thoughts on Brexit, there is slim chance it will make compliance less complicated. Meanwhile, British companies in the financial services space are already dealing with multiple regulatory regimes and authorities, from GDPR to PCI DSS and FCA rules. The ICO is becoming less forgiving, and the FCA levied fines of almost £400M in 2019!
Beginning questions
A mid-market financial services business looking to shore up compliance needs to first consider its weaknesses. Given the wide range of services that fall under the umbrella of financial services, the particulars will be individual to your own company. That said, here are areas in which we see and help mid-market companies streamline compliance:
Document management. Are you aware of the requirements for document management particular to the services you provide? For example, do you know how long you need to keep emails or any other kind of correspondence? Do you have an automated system for backing up correspondence? Do your processes and systems automate retention and deletion compliance? How are you documenting employee participation in training programmes?
Centralised vs separate teams. Is your data siloed, or is it easily accessible between departments? Manual sharing can be labour-intensive, expensive and error-prone; clumsily managed data creates compliance problems and opens the door for fraud and malware attacks. And it is likely you will miss opportunities for cross-selling and upselling!
Overcompliance. Are you following rules that have been rendered moot by more recent regulation? Have you been sold overly complicated software tech that is too difficult to use and doesn’t deliver value?
We don’t provide these questions to add to your general stress level. We do suggest you ask yourself if you may be lax or behind in these areas, so that you have a place to focus your efforts. Compliance has to be done with an eye towards both appropriateness and the bottom line. The above questions may provide a good place to start.
Three steps to better compliance
Of course, compliance is more than simply complying; you’ve got to produce regular, repeatable evidence of compliance, or face even more scrutiny and potentially huge fines. Here is how to get started:
- Appoint someone at the executive level responsible for compliance. Mid-market businesses may not have the resources to appoint one person as a compliance officer. Nor does a CEO have time to take complete ownership of compliance. But someone at the very top level has to have the authority to get it done.
- Create a simple view of how the regulations apply to your business. Clear and streamlined businesses do compliance easily. And they provide better service and fatter margins. Keep simplicity and efficiency at the forefront of your approach to compliance.
- Take a sensible and commercial approach to compliance. The overall goal is evidence of compliance that is efficient, repeatable, and automated. Compliance experts tend to create very, very long lists of actions, so whoever you appoint internally to oversee the project must have a balanced, sensible, and commercial viewpoint.
At the end of the day…
So much of financial services is about personal relationships. In the end, security and compliance lapses put your reputation on the line.
The vast majority of cybercrime can be thwarted with basic security techniques and training. It is extremely unlikely that the authorities will come knocking if your evidencing is on point. And most physical disasters can be overcome with the right planning.
But something will go wrong. And when a crisis hits, would you rather be known as a company prepared for troubled waters, or a company that foundered?
One final note: It may seem overwhelming to have to consider compliance at the same time as data security! However, when you consider both as part of a larger effort toward streamlining your systems—resulting in increased efficiency, improved customer satisfaction, and fatter margins—it may seem less daunting.
Either way, if you have any questions about security and compliance, or how IT can drive growth for your financial services company, feel free to get in touch.