Author: John Salmon
Businesses and governments are continuing to wrestle with the question of what can and cannot be considered 'adequate' IT security in compliance with regulations including data protection laws.
The European Commission has unveiled its proposal for a network and information security directive and its 'cyber strategy', while the Prime Minister has signed a new cross-border cyber security deal with India. Meanwhile the FSA has begun a sector-wide assessment of IT security arrangements.
In order to comply with data protection laws, financial institutions must take "reasonable steps" to ensure that technical and organisational security measures are respected and maintained. Financial regulators also require that security arrangements be "comprehensive and proportionate to the nature, scale and complexity of their operations". But with daily reports of successful hacking and of data being unintentionally disclosed, more and more businesses are asking for specifics as to what constitutes a "reasonable step" or a "comprehensive and proportionate" arrangement and, more importantly, what does not.
The obvious and easy response for a business looking to identify security weaknesses is to lay blame on the IT department for any failure to properly manage the systems already in place. But most organisations now also understand that achieving acceptable IT security requires an analysis of behaviours across the whole business and clear leadership from senior management.
In terms of data breaches, taking reasonable steps means putting proper arrangements in place to manage employees, who may leave mobile devices in cabs and pubs or damage the business's reputation through ill-advised social media rants.
These are well-documented concerns, and the importance of internal systems and controls to IT security is rightly receiving more media attention. But achieving a standard of adequacy also requires that arrangements with outsourced providers be regularly reviewed. Figures recently provided by Trustwave suggest that of the more than 450 suspected data breach cases it had analysed, 63% involved IT outsourcing providers.
New light on the matter
However, identifying weak points within an organisation or in supplier arrangements can only lead to adequate security if the organisation has a clear understanding of the level of security that must be maintained in order to avoid a legal claim or fine. A few developments in recent weeks are notable in this regard.
Sony appears willing to take up the cause for greater clarity of security requirements by appealing the decision of the Information Commissioner's Office (ICO) to fine it £250,000 for a security breach. Financial institutions will want to watch this appeal closely and identify the specifics of what made Sony's security arrangements fall below the level the ICO considers adequate. The appeal may provide some practical guidance as to what constitutes reasonable care in the context of security.
The FSA, for its part, is also seeking to clarify the required standard by reviewing the security arrangements of 30 authorised firms. The FSA hopes that its investigation will result in better benchmarking, and that through an updated Business Continuity Management Practice Guide and a discussion paper it will be able to provide more specifics to help the financial services sector better understand its security obligations.
And at EU level both the European Central Bank and the European Commission have had their say on cyber security with the Commission suggesting that raising awareness, improving coordination at EU level and promoting a single market for cyber security products are key objectives.
As these developments are brought together, businesses will be hoping for a level of clarity that is presently lacking.