03 May 2007, Victoria Pennington, Operational Risk & Regulation
New research has highlighted that security risks are in danger of being overlooked, as firms rush to comply with the Markets in Financial Instruments Directive (Mifid). A panel of industry experts has determined that as financial services firms get to grips with identifying and storing all the data required by Mifid, they may be exposing existing flaws in their security as well as introducing new threats they will need to manage.
The panel emphasises the importance of building security into record-keeping processes, to ensure the long-term integrity and security of records. It also points out that there are new risk drivers, which are increasing existing risk and introducing new internal and external risks. Technical solutions exist to many of the security risks that Mifid will introduce; the challenge is getting everything to work together. Some firms have already invested heavily in security solutions, and there is an opportunity to repurpose and re-use existing solutions. However, it’s not just a technical problem, as the panel points out, there needs to be a change in mindset inside firms as many of the new risks come from ‘soft’ factors such as people’s behaviour and attitude. Policy management and identity management will also be key challenges, as well as timeliness – the ability to detect intrusions or anomalous behaviour quickly – which will offer a major advantage.
Firms that do not tackle security issues raised by Mifid will substantially raise their risk profile and leave themselves open to both reputational damage and legal action, the panel warns.
The panel consisted of Ovum’s Graham Titterington, a senior business continuity and security analyst, PJ Di Giammarino, chief executive of financial services industry think-tank JWG-IT, and Brookcourt Solutions’ chief executive Phil Higgins.
“With the vast amount of data across the enterprise, firms will be required to store and trace documentation for significant periods under MiFID and make reconstitutable as at the time of capture," says Phil Higgins, CEO of Brookcourt Solutions. "Security is a key element for firms. For Financial institutions this means data will need to be accessible and auditable in order to comply with MiFID. This includes personal client information, financial products, transactions, governance policy and best practice. Firms are required to ensure this Information is secure and prove its integrity when requested by regulators or clients.”
“With only six months left until ‘M’ day, firms are waking up to the profound implications Mifid has on business processes and supporting infrastructure,” said Di Giammarino. “What JWG-IT are saying is that while it’s important to implement compliant processes and systems, these also need to be secure. Security is one of the key topics that our new financial services Technical Special Interest Group will be looking at over the coming months.”