Part I: Security and Compliance
Let’s start on a positive note: when it comes to the mid-market financial services sector, we are bullish.
It is an indispensable industry, and the U.S. boasts institutional experience, high-quality companies offering innovative services, and a sophisticated, forward-thinking market. Whatever is in store for the economy as a whole, American financial services will remain a world player, and domestically it will remain critical to our institutions, businesses, and personal lives.
In our own recent experience, we are seeing real buzz in mid-market companies in a broad range of financial services areas, including:
- Financial processing
- Wealth and investment management
- Community banking and lending (e.g. credit unions)
- Boutique PE houses
- Funding platforms
- The whole range of professional and consulting services
Now for the hard part. We can’t have a clear-eyed discussion of financial services without acknowledging the deep effects of COVID-19.
The massive rush to telecommuting, in particular, exposed the security weaknesses and process issues of so many companies. We weren’t surprised when Deloitte reported a spike in “phishing attacks, Malspams and ransomware attacks” by criminals looking to take advantage of the confusion.
Another hard part: security and compliance issues are especially difficult in the mid-market space. It is subject to many of the same complicated regulations and cyberthreats as the giant multinationals, and yet mid-market firms don’t have the same resources to deal with these problems.
What follows is an overview on how mid-market financial services firms can handle security and compliance issues without punishing expense and at the same time increase efficiency, improve customer satisfaction, and fatten margins.
Data Security is the Cost of Doing Business
Data security is a growing problem, and it’s only going to get worse.
Verizon analyzed more than 150,000 incidents worldwide and confirmed nearly 4,000 data breaches in 2020. This is only what one company analyzed, and the year isn’t over yet! To make matters worse, around twenty-five percent of these attacks were in the financial services sector.
Why the explosion of cyberattacks in financial services? As the famous American criminal Willie Sutton said when asked why he robbed banks, “because that’s where the money is.”
More specifically, the rush to work-from-home has exposed the security weaknesses of many companies. Ten years of behavioral change were compressed into ten weeks; staff and IT teams weren’t prepared for it.
When we speak of security, however, we are not only speaking about what happens online. In our digital age, too many businesses aren’t careful enough about the connections between data security and what happens offline. Thieves no longer pilfer the mail for the checks, but to aid in identity theft. They steal smartphones not to sell the device for quick cash, but to use as source of inside data to help them find the soft way in for ransomware.
Remember: All the firewalls in the world won’t help if a thief gets access to the CFO’s email account! A lot of stolen cash is transferred willingly by authorized finance staff who believe they are following instructions from the real CFO but in reality, it’s a clever scam.
Another frequent lapse is how often businesses remain unprepared for disruptions, whether due to natural disasters or human error. The California Camp Fire of 2018 caused an estimated 86 deaths and $16.6 billion in losses. The current fires all over the American West will likely bring about even bigger losses of life and money.
It isn’t just forest fires. Experts predict that extreme weather events will become almost commonplace. Thus it is in your best interest to prepare your business for them. Just as you should prepare for other mishaps. A few examples of what we’ve seen with our clients:
- A new office building experienced a structural failure, forcing the immediate need for an alternative site.
- An external contractor accidentally cut the cables, leaving the business without Internet—meaning no access to email or systems or cloud-based files!
- An IT service provider went bust, leaving the company without access to their servers.
In each instance, we helped our clients keep their doors open and recover. But it would have been easier—and less expensive!—had they brought us in earlier. Because we already knew that disaster preparedness is just part of running the IT function.
In the meantime, see our technology Roadmap for Growth Knowledge Center
Find the Risks Before They Find You
The first step for a CEO looking to mitigate security concerns is to create a risk-and-issue log. This is simply a list of the risks and issues your company faces so that you can have a plan for when something happens.
For the log to be effective, it needs to:
- Describe each risk and issue;
- Rate the chances of its occurrence (or re-occurrence);
- Estimate the potential damage to the business;
- Based on the above, prioritize each problem;
- Clarify how each will be mitigated or resolved.
Nothing should be off the table, even scenarios that seem extremely unlikely. In 2019, most Western businesses thought a global pandemic was completely ridiculous! But companies with experience of SARS knew it was very possible.
Once you’ve created the log, it needs to be maintained and managed. (There are few things more useless than an out-of-date risk-and-issue log.) Thus you absolutely must appoint a high-level executive as responsible for (a) maintaining the log and (b) mitigating the risks it has revealed. Without clear ownership and responsibility, the log will fade into the background. And then during the next emergency – because there will be one – the recovery will be longer and harder. That is, if your company survives.
Are we being too dramatic? Perhaps. The good news is that, as Freeman Clarke Principal Bruce Pomerantz points out, “It shouldn’t be burdensome to produce this.” It will of course take time and attention. But producing and maintaining the log is not an especially complicated process, and your business will be stronger for it.
Even the process of bringing the senior team together to identify and discuss the risks creates a common understanding, flushes out issues, and builds preparedness.
Compliance Comes with the Territory
Compliance, as you already know, means following the regulations of external authorities. An equally important part of compliance is proving compliance.
Before we get into more detail, let us remember that in financial services, legal requirements are nothing new or surprising. Just like data security, it is part of doing business in this sector. And when considered as part of a larger effort to streamline your systems and processes, it needn’t be prohibitively expensive or oppressive.
Compliance can even be part of your business strategy: for mid-market businesses looking for points of difference, there are opportunities for companies who can demonstrate their attention to compliance, as well as for companies offering compliance consulting and services.
Regardless, compliance is not going away, and it won’t get any easier. Companies in the financial services space already have to deal with federal, state, and even municipal authorities, as well as facing potential international exposure in the case of the Payment Card Industry Data Security Standard (PCI DSS) or the General Data Protection Regulation (GDPR).
A mid-market financial services business looking to shore up its compliance needs to first consider its weaknesses. Given the wide range of services that fall under the umbrella of financial services, the particulars will be individual to your own company. That said, here are areas in which we see and help mid-market companies streamline compliance:
Document management. Are you aware of the requirements for document management particular to the services you provide? For example, do you know how long you need to keep emails or any kind of correspondence? Do you have an automated system for backing up correspondence? Do your processes and systems automate retention and deletion compliance? How are you documenting employee participation in training programs?
Centralized vs separate teams. Is your data siloed or is it easily accessible between departments? Manual sharing can be labor-intensive, expensive and error-prone; clumsily managed data creates compliance problems and opens the door for fraud and malware attacks. And it is likely there will be missed opportunities for cross-selling and upselling!
Overcompliance. Are you following rules that have been rendered moot by more recent regulation? Have you been sold overly complicated software that is too difficult to use and doesn’t deliver value?
We don’t provide these questions to add to your general stress level. We do suggest you ask yourself if you may be lax or behind in these areas, so that you have a place to focus your efforts. Compliance has to be done with an eye on both regulations and the bottom line; the above questions may provide a good place to start.
Three Steps to Better Compliance
Of course, compliance is more than simply complying; you’ve got to produce regular, repeatable evidence of compliance, or face even more scrutiny—and potentially huge fines. Here is how to get started:
- Appoint someone at the executive level responsible for compliance. Mid-market businesses may not have the resources to appoint one person as a compliance officer. Nor does a CEO have time to take complete ownership of compliance. But someone at the very top level has to have the authority to get it done.
- Create a simple view of how the regulations apply to your business. Clear and streamlined businesses do compliance easily, and they provide better service and fatter margins. Simplicity and efficiency should be your goals and your guides.
- Take a sensible and business-minded approach to compliance. The overall goal is evidencing that is efficient, repeatable, and automated. Compliance experts tend to create very, very long lists of actions; so whoever you appoint internally to oversee the project must have a balanced, sensible, and business-minded viewpoint.
At the End of the Day…
So much of financial services is about personal relationships. In the end, security and compliance lapses put your reputation on the line.
The vast majority of cybercrime can be thwarted with basic security technologyniques and training. It is extremely unlikely that the authorities will come knocking if your evidencing is on point. And most physical disasters can be overcome with the right planning.
But something will go wrong. And when a crisis hits, would you rather be known as a company prepared for troubled waters, or a company that foundered?
One final note: It may seem overwhelming to have to consider compliance at the same time as data security! However, when you consider both as part of a larger effort toward streamlining your systems resulting in increased efficiency, improved customer satisfaction, and fatter margins it may seem less daunting.
Either way, if you have any questions about security and compliance, or how IT can drive growth for your financial services company, feel free to get in touch.