The Financial Services Authority (FSA) urged financial institutions to improve security systems after a review exposed the fact that many companies underestimate the value of their customer’s information.
The FSA assessed the systems and controls at 39 UK firms including banks and building societies, as well as insurance companies and financial advisers, many of which still do not realise the dangers surrounding the exposure of client data.
Businesses are not checking if third-party suppliers vet their employees or have adequate security arrangements in place to prevent unnecessary access to customer data, it said.
Training was also an issue, with businesses placing more emphasis on IT control procedures for data protection than on security awareness and education for their workforce, said the FSA review.
"It is worrying that despite increased public awareness of the impact that identity theft can have on customers, many firms are still not taking this risk seriously,” said FSA’s director of financial crime and intelligence division Philip Robinson.
“Customers have a right to be confident that firms are doing everything reasonably possible to keep their personal and financial details safe,” said Robinson.
"Some firms have made progress by adopting good practice while others need to do more in this area to ensure that they are treating their customers fairly,” he said.
Understanding areas of data exposure is a practical challenge for many financial services organisations, said Deloitte’s head of UK security and privacy services Mike Maddison.
“A common challenge for companies is having a complete view of their exposure to the risk of data compromise,” said Maddison.
“Many firms struggle to define what their sensitive data actually is and where that data resides or who it is provided to. They also struggle to co-ordinate management of these risks, which are owned by different parts of the business,” he said.
“The FSA recommendation to appoint a senior manager with overall responsibility for data security, in conjunction with the publication of more information to help management understand their responsibilities, will go some way towards addressing this.”
Comments