Platform due diligence – cyber security questions

10 October 2019

What cyber security-related questions should firms be asking their platform partner?

The challenges that firms face in keeping their own and their clients’ data safe from modern-day criminals were brought home this week by a warning from the FCA about a clone financial planning firm, which was posing as the real firm and trying to persuade investors to put money into high-risk investments.

This is on top of the challenges firms face from cyber threats, which grow ever more sophisticated.

Firms are recommended to employ a three-pronged approach* to protect themselves against cybercrime.

‘The first prong is having a cyber strategy. This includes implementing technology and best practices to secure a firm’s infrastructure and prevent hackers from gaining access.

Second is cyber security, which is the state or process of protecting and recovering networks, devices, and programs from any type of cyber attack.

Third is cyber resilience, which is a firm’s ability to withstand, respond to, and recover from a cyber attack or data breach. Cyber resilience of regulated firms of all sizes is a concern for the FCA.’

Equally important as taking the right approach and employing the appropriate depth of security within a business is ensuring that the companies a firm does business with and buys services from also have robust cyber security in place.

This has to form part of any due diligence process undertaken by financial planning firms when researching their service providers, particularly those that have access to client data, as the responsibility for client data cannot be transferred.

This week Professional Paraplanner was talking with management at FundsNetwork, who advised that they had structured a set of questions they thought all financial planning firms should ask of their platform providers in respect of cyber security.

12 example questions

The 12 example questions provided by FundsNetwork are set out below. They are arranged under six headings: Risk management, Network security, Incident management, Managing user privileges, Staff checks and education, and Fraud.

You can use the link at the bottom of the page to see FundsNetwork’s answers to the questions.

Risk management

1. How do you ensure that client data is protected and your systems are secure?

2. How robust is your Information Security Management System (ISMS)?

3. What controls and risk-assessments do you place on third parties?

Network security

4. How are your network and servers protected against external threats and attacks?

Incident management

5. How do you respond to a cybersecurity incident?

6. What data recovery, business continuity and disaster recovery plans do you have?

Managing user privileges

7. Are staff user privileges and data access rights controlled?

8. What security measures are in place in relation to staff working from home (or remotely) and using removable media?

Staff checks and education

9. How do you ensure staff are not a security risk?

Fraud

10. How do you manage the risks associated with fraudulent email instructions?

11. How do you ensure a payment instruction is genuine?

12. Are you a member of Cifas, the UK’s fraud prevention agency?

FundsNetwork publishes these example questions on its website, alongside other educational material to help keep advice firms’ data safe. You can see the answers <HERE>.

* Source: ATEB Consulting. See article next week.

Professional Paraplanner