UK Regulator Warns Of Work From Home Risks

October 18, 2021
COVID-19 may have seen working from home policies and flexible working revolutionised, but the UK’s financial watchdog has warned supervised firms to ensure compliance lapses do not creep in, should they choose to continue with a hybrid approach.

The Financial Conduct Authority (FCA) has issued new guidance to companies operating a remote or hybrid working model.

During the COVID-19 crisis, many companies were forced to adopt home working arrangements, either as a result of national legislation or because of safety concerns as the virus spread throughout the country.

“A hybrid working model brings with it huge benefits in terms of employee wellbeing, cost-saving and flexibility, but also substantial cyber risks,” pointed out Tim Sadler, chief executive at software company Tessian.

The FCA has said that firms will be evaluated on a case-by-case basis and should be prepared to prove that the lack of a centralised location or remote working does not or is unlikely to affect the company’s ability to meet the threshold for the regulated activities it has or will have permission to undertake.

For Sadler, it is right that the regulator raises awareness of the need for companies to carefully consider how they manage remote working operations to ensure they remain compliant at all times.

“The FCA is right to warn financial services firms about the risks associated with hybrid working, particularly around challenges, such as regulatory requirements, data compliance and accountability,” agreed Sridhar Iyengar, managing director at technology firm Zoho Europe.

The COVID-19 pandemic has forced through many positive changes in terms of working practices, yet far too many companies still lack the training and assessment of personnel and the IT infrastructure and systems to ensure complete compliance, he pointed out.

The FCA’s guidance states that companies should be careful to ensure that remote working does not affect the ability of the firm to oversee its functions, cause detriment to consumers, damage the integrity of the market, increase financial crime or reduce competition.

When asked by VIXIO, the Payments Systems Regulator (PSR) said that the FCA guidance has been published by the FCA and is intended for FCA-regulated firms. “Given our close working relationship and remit, some of those firms will also be PSR-regulated.”

“As you’d expect, we speak to the organisations we regulate on a wide range of topics,” the spokesperson said. “We have not issued any specific guidance for sole-PSR regulated firms about working from home arrangements, but it is something we keep in mind as we continue our work.”

Additional advice contained in the FCA’s proposals includes the need for companies to have the necessary contingency planning in place, and to ensure that their systems, including their information technology (IT) functionality, are robust.

Companies have also been advised that they should ensure they have considered any data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently in a hybrid arrangement.

“Moving forward, organisations seeking to build a truly safe and secure hybrid working culture must look towards operating systems that can offer key applications to manage everything from collaboration and finance to analytics and customer engagement. This will bring a new level of safety and security to remote working, helping to keep companies compliant in line with FCA standards,” added Iyengar.

The Security Challenge

“Hybrid working brings with it many security challenges, particularly for firms operating within the financial services sector,” said Chris Ross, senior vice president at Barracuda Networks, a cybersecurity firm, adding that this guidance from the FCA is welcome. “With ransomware attacks on the rise, keeping companies fully aware of their regulatory responsibilities when managing remote working models is an essential step, alongside the necessary security systems and training for staff.”

Research undertaken by the company has shown that 81 percent of IT leaders have admitted that their organisation has suffered a security breach in the last 12 months. “Worryingly, companies operating a remote or hybrid working model had a substantially higher breach rate, at 85 percent compared to office-based businesses where the figure was 65 percent,” he continued.

Moreover, three-quarters of those surveyed stated that they had been the victim of at least one ransomware attack.

“It’s therefore vital that all companies operating hybrid working models remain compliant and acutely aware of potential security risks at all times,” he cautioned.

Ensuring the right security systems are in place and that staff are fully trained about the risks posed in terms of data security is essential, according to Sadler, who cited incorrectly addressed email correspondence, as well as external threats like phishing emails and ransomware attacks, as examples.

“Financial services organisations manage valuable and critical data, and it’s so important that they do not allow flexible working practices to put them at risk of a breach,” he warned.

Cybersecurity has become a hot topic among regulators in both the US and Europe.

The EU is currently negotiating the Digital Operational Resilience Act (DORA) as part of its Digital Finance Strategy.

To comply with DORA in its current form, financial entities, including banks and payment service providers, will have to maintain a comprehensive IT risk management framework, including a business continuity policy and a disaster recovery plan.

The fight against ransomware has been a key focus area for US regulators and policymakers, meanwhile. In September, the Treasury Department took historic action against a crypto-company for laundering cyber-ransom money, and the Office of Foreign Assets Control (OFAC) updated an advisory note pertaining to ransomware.

To support this, the White House published a fact sheet on Wednesday detailing the ongoing efforts of the Biden administration to tackle ransomware attacks. Their focus has been organised along four lines of effort: disrupting ransomware infrastructure; bolstering resilience; addressing the use of virtual currencies to launder payments; and setting up international cooperation to disrupt the ransomware ecosystem.
