Finance companies are leaving themselves open to
potential lawsuits because they are underestimating the IT security
requirements needed to implement the
Markets in Financial Instruments Directive
(Mifid), experts have warned.
Ambiguities in the directive mean that organisations are leaving
decisions on IT security to business analysts, who are less aware
of the need to maintain data integrity, said PJ Di Giammarino,
chief executive at consultancy JWG-IT.
"The problem is that Mifid does not define accountability or
measures for ensuring IT systems are secure," he said. "Maintaining
the security of data is implicit in the directive, but it is not
made explicit."
Although Mifid does not spell out what steps IT departments
should take to secure data, organisations need to be able to show
that they have systems in place to ensure that any sensitive data
they are holding has not been compromised. Failure to do so could
leave organisations exposed to lawsuits.
"Mifid is not simply about retaining and retrieving the records
associated with a transaction. It is also about being able to prove
that while that data is being held, its integrity has been
maintained," said Philip Higgins, executive partner at systems
integrator BrookCourt Solutions, which has worked with firms in
preparing IT systems for Mifid.
"This is not only about securing IT hardware and software, but
also business processes," said Di Giammarino.
However, David Lacey, former head of IT security at Royal Mail,
said there were advantages in regulations not being overly
prescriptive. "The more prescriptive the guidance, the more likely
it is to upset the level playing field across industry. Regulators
have to focus on high-level principles that can be implemented in
alternative ways.
"There is nothing wrong with that. It is just frustrating when
you cannot establish what will be adequate," Lacey said.
Specialists have advised companies to implement measures such as
restricting employee access to Mifid data, building in the ability
to audit what data is consumed by whom and when, and providing
incentives to support best practices when handling data.
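One way to make those requirements concrete, proving that a record held under the directive has not changed since it was stored, and auditing which user read which record and when, is a sealed record store with a hash-chained access log. This is an added Python example, not code from the article or from any of the firms quoted; the key, record fields, record ids and user names are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key; in practice it would live in an HSM or key vault.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
def seal(record: dict) -> str:
    """HMAC over a canonical JSON encoding, so field order does not matter."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()
def chain_hash(prev: str, entry: dict) -> str:
    """Link an audit entry to its predecessor so edits and deletions show."""
    return hashlib.sha256(prev.encode() + json.dumps(entry, sort_keys=True).encode()).hexdigest()
@dataclass
class RecordStore:
    records: dict = field(default_factory=dict)  # id -> (record, seal at ingest)
    audit: list = field(default_factory=list)    # hash-chained (entry, chain) pairs
    allowed: dict = field(default_factory=dict)  # user -> set of readable ids

    def _log(self, user: str, action: str, rec_id: str) -> None:
        prev = self.audit[-1][1] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "user": user, "action": action, "rec": rec_id}
        self.audit.append((entry, chain_hash(prev, entry)))

    def store(self, user: str, rec_id: str, record: dict) -> None:
        self.records[rec_id] = (dict(record), seal(record))
        self._log(user, "store", rec_id)

    def read(self, user: str, rec_id: str) -> dict:
        # Least privilege: every read attempt is checked and logged, denied or not.
        if rec_id not in self.allowed.get(user, set()):
            self._log(user, "denied", rec_id)
            raise PermissionError(f"{user} may not read {rec_id}")
        self._log(user, "read", rec_id)
        return self.records[rec_id][0]

    def verify(self, rec_id: str) -> bool:
        """True if the held record still matches the seal taken at ingest."""
        record, stored = self.records[rec_id]
        return hmac.compare_digest(seal(record), stored)

    def audit_intact(self) -> bool:
        """Recompute the chain; a modified, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for entry, chain in self.audit:
            if chain != chain_hash(prev, entry):
                return False
            prev = chain
        return True
```

A retention system built this way can answer an auditor with `verify()` for any record and `audit_intact()` for the access history, rather than asserting that nothing was touched.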
They should also keep a close eye on how budgets for Mifid compliance
are being spent to ensure they are not "throwing away money" on
insecure systems, said Di Giammarino.
Mary Knox, research director at analyst firm Gartner, said that
Mifid posed risks that required firms to rethink business
strategies and restructure their technology architectures,
including IT security.
Investment firms that do not comply with Mifid will be closed
down, she said.