
Mitigo - Why cyber risk management is not the same as IT support

3 November 2021
Lindsay Hill, CEO at Mitigo

Cybercrime is increasingly sophisticated, and methods of attack constantly evolve. Wealth managers and other financial services firms are a prime target. Attacks pose a serious risk to operational resilience, data and system security, client relationships and confidentiality, and business reputation. Security should be right at the top of any firm’s risk register, which is why firms must adopt proper cyber risk management systems and not assume that their IT function has it covered.

Ask yourself these questions about your cybersecurity.

1. Who is currently undertaking and documenting your cybersecurity vulnerability risk assessment?

This is now a legal requirement under the Data Protection Act 2018 and it is the essential first step towards security. It should be undertaken periodically by someone with cyber risk management experience. They should know the current methods of entry and forms of attack against firms like yours, such as email account takeover and ransomware. It will provide you with an assessment of your vulnerabilities. It must of course include scanning and probing for vulnerabilities in your technology and its current configuration. But that alone is not enough. It must also include assessing the risks associated with people and the way they use the technology; your systems of work; your interaction with clients and suppliers; the platforms you rely upon; and so much more.

2. Who is configuring your security?

Your vulnerability assessment will provide visibility of risk. A cybersecurity professional can now determine how to configure your technology appropriately. This is a specialist job: configuration must provide protection against attacks without interfering with daily functionality. Firewalls, antivirus, email setup, logins to cloud platforms, personal devices, remote connections, backups, access rights, user privileges, logs and detection alerts are just some of a long list of areas requiring attention. Equally important is advice on the other organisational controls and governance necessary to protect you against the risks identified.

3. Are you meeting legal, professional and regulatory requirements?

Does your security adviser really know how to comply with your legal obligation to take appropriate technical and organisational measures for the security of personal data, and to review their effectiveness on an ongoing basis? And do they know your regulatory obligations, such as protecting your clients, running the firm in accordance with proper governance and risk management principles, and ensuring operational resilience? Are they providing the necessary information for your Board reports, and are they satisfying your other record keeping obligations?

4. Who is providing cybersecurity awareness training to staff?

This is about making all staff aware of the types of danger which exist, including the tricks being used to gain access to credentials, your systems, data and finances. Some estimates reckon that over 60% of breaches are caused by staff error. So regular training is a crucial aspect of a firm’s defences. It is also now a legal obligation. And you should test that the training is working, by simulating attacks. We have frequently found that before training, over 25% of staff will click on phishing emails, but that figure reduces to under 5% after training.

5. Have you got the right policies and procedures in place?

Your systems are most secure when people know how to use them safely. Defining and communicating policies and procedures will help prevent or mitigate security incidents. As well as being another legal obligation, policies protect your business, your staff and your clients. And have your staff agree and sign for a cybersecurity staff handbook as part of their training, so that everyone knows the rules and what is expected of them.

6. Are you buying security software which you do not need and which is not actually solving your security problems?

Buying additional software will rarely solve your security problems. It just creates a false sense of security.
Worse still, we find many firms have been persuaded to purchase a patchwork of expensive security software and ad hoc deployments with overlapping functionality. In most cases, their existing technology had perfectly good protection built in, if only it were correctly configured (and in some cases, simply switched on).

7. Are you getting the right help in replying to FCA and client questionnaires and in assessing your own supply chain?

Firms are increasingly being asked to satisfy the FCA, clients and others about their security arrangements. Your security professional should be able to help with this. They should also be advising you on the type of checks you should be doing on those with whom you share systems and data.

8. Who is providing you and your Board with ongoing assurance that your security controls remain both appropriate and effective?

It is a basic principle of risk management that assurance be provided by someone independent. It is neither sensible nor fair to expect your IT people to be cybersecurity experts or to mark their own homework. Nor will their professional indemnity insurers expect it of them when a breach occurs.

Just like a vulnerability assessment, assurance is not a one-off spot check. Over time, your technology will change, as will the threats, forms of attack and methods of extortion. So testing and auditing your security configuration and controls should be undertaken on a regular basis to ensure your defences are kept up to standard and you continue to be protected. Again, checking the effectiveness of your security measures on an ongoing basis, and recording this in writing, is now a legal obligation.

If you still think your IT support are the right people to be looking after your cyber risk management, you are now lagging behind the field and are likely to suffer a breach.

The FCA have been clear that they require someone at Board level to be responsible for cybersecurity and operational resilience, and for leading a “security culture” from the top down. It is time to stop hoping you are secure and start proving you are secure.

Paradigm has partnered with Mitigo to offer cybersecurity risk management services to our members. Take a look at their full service offer and watch one of their latest videos on email account takeover here.

For more information contact Mitigo on 0161 8833 626 or email [email protected]