Firms will fail on IT security and business continuity

The majority of brokers are unlikely to meet the FSA's requirements in the areas of IT security and business continuity. At the very least, they will fail the requirement to hold adequate documentation. More worrying is that individual senior managers will face condemnation for not meeting the regulator's basic principles of integrity, due care, skill and diligence and for failing to take reasonable care to organise and control the affairs of their business effectively and with adequate risk management.With IT - particularly access to the internet and email communication - becoming fundamental to the operation of most broking businesses, senior managers will no longer be able to offload their responsibilities. Lack of understanding will not be a defence.Cyber Protect's research has uncovered worrying situations that are common to both the personal lines and commercial sectors. Notably:

Documentation and written policies are hardly ever in place

Disaster recovery is unplanned and/or poorly documented - certainly not tested

Back-ups are generally made, but are often left on site and testing is poor or non existent

Firewalls are often inadequate or non existent

Virus scanning software is not properly deployed

Password controls are inadequate and rarely monitored

Monitoring of internet and email use/abuse by staff is largely ignored

There is no insurance cover in place to cover digital risks.

Particularly alarming is the fact that the senior managers in these businesses believed (and had been assured) that their IT people had everything under control. They were blissfully unaware of the risks to their business (see box), believing that their IT and HR professionals had all bases covered. The rapidly changing cyber environment in which brokers now operate makes it virtually impossible for the IT people to keep up to date with threats and relevant solutions.IT security and business continuity are no longer the responsibility of only the IT fraternity. HR and finance professionals must be equally engaged if adequate defences are to be implemented and maintained.The majority of brokers would benefit from an assessment of their exposure by an independent specialist assessor. Not only does it make good business sense, but more importantly it will help them to demonstrate to the FSA that they have acted diligently by taking and acting upon independent advice.

David Hiddleston is chairman of IT security specialist Cyber Protect

Why is it important to have sound IT security in place?

74% of businesses have suffered a security breach in the last year

50% of back-ups tested do not work

Fewer than 10% of businesses with a disaster recovery plan have tested whether it works in practice

80% of businesses with no business continuity plan never reopen after a significant security breach

An employee who spends just two hours a week dealing with spam email or "cyber skiving" on non work related websites costs the business 5% of his salary in lost productivity

Source: DTI