Latest News

  • Home /
  • Latest News

Mitigo - Why cyber risk management is not the same as IT support

3 November 2021
Lindsay Hill, CEO at Mitigo

Cybercrime is increasingly sophisticated, and methods of attack constantly evolve. Wealth managers and other financial services firms are a prime target. Attacks pose a serious risk to operational resilience, data and system security, client relationships and confidentiality, and business reputation. Security should be right at the top of any firm’s risk register. Which is why firms must adopt proper cyber risk management systems and not assume that their IT function has it covered.

Ask yourself these questions about your cybersecurity.

1. Who is currently undertaking and documenting your cybersecurity vulnerability risk assessment?

This is now a legal requirement under the Data Protection Act 2018 and it is the essential first step towards security. It should be undertaken periodically by someone with cyber risk management experience. They should know the current methods of entry and forms of attack against firms like yours, such as email account takeover and ransomware. It will provide you with an assessment of your vulnerabilities. It must of course include scanning and probing for vulnerabilities in your technology and its current configuration. But that alone is not enough. It must also include assessing the risks associated with people and the way they use the technology; your systems of work; your interaction with clients and suppliers; the platforms you rely upon; and so much more.

2. Who is configuring your security?

Your vulnerability assessment will provide visibility of risk. A cybersecurity professional can now determine how to configure your technology appropriately. This is a specialist job - configuration must provide protection against attacks without interfering with daily functionality. Firewalls, anti virus, email set up, logins to cloud platforms, personal devices, remote connections, back ups, access rights, user privileges, logs, detection alerts, are just some of a long list of areas requiring attention. Equally important, is advice on the other organisational controls and governance necessary to protect you against the risks identified. 

3 .Are you meeting legal, professional and regulatory requirements?

Does your security adviser really know how to comply with your legal obligation to take appropriate technical and organisational measures for the security of personal data, and to review their effectiveness on an ongoing basis? And do they know your regulatory obligations, such as protecting your clients, to run the firm in accordance with proper governance and risk management principles and as regards operational resilience? Are they providing the necessary information for your Board reports and are they satisfying your other record keeping obligations?

4. Who is providing cybersecurity awareness training to staff?

This is about making all staff aware of the type of dangers which exist, including the tricks being used to gain access to credentials, your systems, data and finances. Some estimates reckon that over 60% of breaches are caused by staff error. So regular training is a crucial aspect of a firms’ defences. It is also now a legal obligation. And you should test that the training is working, by simulating attacks. We have frequently found that before training, over 25% of staff will click on phishing emails, but that figure reduces to under 5% after training.

5. Have you got the right policies and procedures in place?

Your systems are most secure when people know how to use them safely. Defining and communicating policies and procedures will help prevent or mitigate security incidents. As well as being another legal obligation, policies protect your business, your staff and your clients. And have your staff agree and sign for a cybersecurity staff handbook as part of their training, so that everyone knows the rules and what is expected of them.

6. Are you buying security software which you do not need and which is not actually solving your security problems?

Buying additional software will rarely solve your security problems. It just creates a false sense of security.
Worse still, we find many firms have been persuaded to purchase a patchwork of expensive security software and ad hoc deployments with overlapping functionality. In most cases, their existing technology had perfectly good protection built in, if only it were correctly configured (and in some cases, simply switched on).

7. Are you getting the right help in replying to FCA and client questionnaires and in assessing your own supply chain?

Firms are increasingly being asked to satisfy the FCA, clients and others about their security arrangements. Your security professional should be able to help with this. They should also be advising you on the type of checks you should be doing on those with whom you share systems and data.

8. Who is providing you and your Board with ongoing assurance that your security controls remain both appropriate and effective?

It is a basic principle of risk management that assurance be provided by someone independent. It is neither sensible nor fair to expect your IT people to be cybersecurity experts or to mark their own homework. Nor will their professional indemnity insurers when a breach occurs.

Just like a vulnerability assessment, assurance is not a one off spot check. Over time, your technology will change, as will the threats, forms of attack and methods of extortion. So testing and auditing your security configuration and controls should be undertaken on a regular basis to ensure your defences are kept up to standard and you continue to be protected. Again, checking the effectiveness of your security measures on an ongoing basis and recording this in writing, is now a legal obligation.

If you still think your IT support are the right people to be looking after your cyber risk management, you are now lagging behind the field and are likely to suffer a breach.

The FCA have been clear that they require someone at Board level to be responsible for cybersecurity and operational resilience, and for leading a “security culture” from the top down. It is time to stop hoping you are secure and start proving you are secure.

Paradigm has partnered with Mitigo to offer cybersecurity risk management services to our members.  Take a look at their full service offer and watch one of their latest videos on email account takeover here.

For more information contact Mitigo on 0161 8833 626 or email [email protected] 



 

10 December 2024

Beyond the Budget – Unpacking IHT changes for your clients


4 December 2024

Triple Point Venture VCT - Early bird discount extended


3 December 2024

A Postcard from Boston: Onshoring, AI and the regulation of water


3 December 2024

The second Nucleus UK Retirement Confidence Index


25 November 2024

Investing alongside science to deliver a sustainable world


11 November 2024

Triple Point - What Budget changes to Business Relief mean for clients


4 November 2024

Edwards Lifesciences: shaping the future of cardiac care


28 October 2024

Gene therapy is set to change the face of medicine


22 October 2024

What China’s economic stimulus measures could mean for investors


16 October 2024

Triple Point - Venture VCT announces 2p tax-free dividend


7 October 2024

Triple Point - VCTs: a powerful way to help clients pay less income tax


2 October 2024

The next smart move for your clients


26 September 2024

Puma VCT 13 launches new £50m fundraise


24 September 2024

3 steps advisers can take to close the gender pension gap


19 September 2024

Puma Investments- Launches Puma AIM VCT


18 September 2024

M&G Wealth - Six ways to keep clients invested for long-term success


10 September 2024

M&G Wealth - Dash to cash: why it pays to think longer-term with your client’s money


6 September 2024

Join the Defaqto Future of Advice conference


2 September 2024

Triple Point - Understanding Venture Capital Trusts (VCTs)


28 August 2024

M&G Wealth - Keeping it smooth since 2004


19 August 2024

Prudential - Cost reductions and changes to our Strategic Asset Allocation


15 August 2024

Liontrust - Building a sustainable future with social housing


15 August 2024

Puma Investments - Join our CPD webinar: Closing the gaps: IHT and Estate planning featuring Tony Wickenden


7 August 2024

Liontrust - Plugging into the energy transition


6 August 2024

Defaqto - The Future of Advice - The Defaqto Adviser Conference


26 July 2024

Hello Kitty: A big cat in the investment universe?


24 July 2024

Liontrust – A postcard from Japan: enabling the sustainable transition


18 July 2024

Liontrust - Does a brighter future for housebuilding lie ahead?


16 July 2024

Triple Point – Holistic Estate Planning Strategy for Clients


8 July 2024

Triple Point – Join our CPD webinar: helping investors plan for big life events


1 July 2024

Intergenerational wealth planning for difficult times


24 June 2024

Liontrust Sustainable Investment: Annual Review 2023


19 June 2024

Investing in the energy transition


18 June 2024

Triple Point is partnering with ESG Accord to host a webinar: "A Practical Guide to SDR and Investment Labels for Advisers."


17 June 2024

Latest PruFund monthly investment updates


13 June 2024

Defaqto MPS Comparator: the UK's only accurate MPS performance tool


12 June 2024

Hear about Triple Point Venture VCT - 18th June 2024


6 June 2024

The Nucleus Retirement Confidence Index


24 May 2024

Join us for our Breakfast Briefing with Foresight! June 4th at 9:30am


17 May 2024

Looking forward with optimism


8 May 2024

The retirement income advice red paper


8 May 2024

Liontrust Views: Why smaller can be beautiful for US equities


7 May 2024

CPD Horizon Series: Tax planning for life’s key events


18 April 2024

Liontrust: Opportunities from secular growth trends


15 April 2024

Defaqto Roadshow - The challenges and opportunities of pursuing Income


11 April 2024

Liontrust: US small caps are overlooked and undervalued


4 April 2024

Q1 2024 Rebalance – we think the backdrop is good for stocks


21 March 2024

25 years of ISAs: a quarter of a century of tax-efficient savings and investing


4 March 2024

Stepping out of cash needn’t be daunting


26 February 2024

Managing lifetime wealth – trends in the UK retirement advice industry


23 February 2024

Empowering advice for women in finance


14 February 2024

Tech Matters is here!


5 February 2024

Defaqto upcoming event – Engage webinar 22nd February


1 February 2024

The gender divide in retirement confidence


30 January 2024

SDGs in focus: climate and nature


26 January 2024

Tax year end prep. We’re here to help.


8 December 2023

2023: Another momentous year for markets


8 December 2023

2024 investment outlook


7 December 2023

The 2023 Nucleus UK Retirement Confidence Index


4 December 2023

Paradigm's brand new Technology hub is here


4 December 2023

New service for advisers - Do you have UK clients with overseas assets/liabilities?


30 November 2023

Defaqto Upcoming events - Engage virtual


28 November 2023

Deepbridge Celebrate 2023 Growth Investor Awards Success


22 November 2023

5 reasons why EIS deployment timescales are so important


21 November 2023

November 2023 Asset Allocation Changes: Bonds looking better


20 November 2023

Blackfinch portfolio company Tended named ‘one of the best inventions of 2023’ by Time Magazine


10 November 2023

Value tracker: Where are the cheapest/most expensive stock markets?


9 November 2023

The Asia opportunity – looking for smarter growth


3 November 2023

The big headlines of quarter 3 2023


1 November 2023

Just launched: Octopus Titan VCT


24 October 2023

Understanding Portfolio Management


17 October 2023

It is fair to say that 2023 to date has been a slow year across the Venture Capital (VC) sector


11 October 2023

VCT’s evolving client profile: take another look at your client bank


6 October 2023

Death Benefits


5 October 2023

intelliflo - Building stronger client relationships through technology


4 October 2023

Puma Investments opens £50m fundraise for Puma VCT 13


3 October 2023

Family wealth planning - connected through you


29 September 2023

How well do you know your clients? (Survey + Amazon voucher offer)


25 September 2023

NOW OPEN – Octopus AIM VCTs are open to new investment


14 September 2023

Defaqto ‘Asset allocation – stick or twist’ roadshow


1 September 2023

New maternity law – are you ready?


17 August 2023

Artificial Intelligence: Jobs created or jobs destroyed?


10 August 2023

The big headlines of the second quarter 2023


7 August 2023

Cashflow modelling integral to the advice process


2 August 2023

Asian and emerging markets


28 July 2023

Investment Intelligence Seminars


25 July 2023

Embrace technology to focus on the value of advice


25 July 2023

Emerging-market debt: a potential source of protection and diversification?


21 July 2023

2023 Mid-year Investment Outlook


18 July 2023

25 years of the £2 coin - worth half its value to UK consumers since circulation


5 July 2023

Product and Platform Switching and The Consumer Duty


28 June 2023

How do we invest in the ESG themes range


16 June 2023

eAdviser Index proves the transformative power of technology


8 June 2023

10 tips for the countdown to Consumer Duty


1 June 2023

The easiest financial product to promote


31 May 2023

Invesco's flexible approach for navigating market uncertainty


15 May 2023

Our platform, your way


26 April 2023

Defaqto Spring Roadshow


24 April 2023

Adding value for your clients – Cash flow planning


21 April 2023

PruFund Growth and PruFund Cautious Client Facing Reports


19 April 2023

Puma VCT 13 hits £50 million fundraising target


17 April 2023

Book your free office lunch today


13 April 2023

What next for Open Banking?


22 March 2023

The future of adviser technology


14 March 2023

Property Insight: Commercial Real Estate is always late!


28 February 2023

Technology and the advice journey


23 February 2023

Get ready for tax year end


21 February 2023

Capability, low-cost and choice -retirement planning made easier


3 February 2023

Tax Year End Prep – PRU are here to help


1 February 2023

NOW OPEN – Octopus Ventures Knowledge Intensive EIS Fund


18 January 2023

Listed infrastructure… to the rescue


17 January 2023

Defaqto Engage – CIC Compare