Financial services firms are failing to check the IT
security arrangements of the firms to which they outsource back-office
functions, according to the Financial Services Authority
(FSA).
In its Data Security in Financial Services 2008 report, the
financial services watchdog said it was a "major concern" that
firms are not checking that outsourcing suppliers have the right IT
security and policies in place for handling their customers'
details.
In the report, which analysed 39 companies across the sector,
the FSA said nearly all firms questioned rely on IT support from
third parties.
"Very few firms proactively check how third parties vet their
employees or the security arrangements in place to protect customer
data," it said.
The FSA said some firms were not aware of which individuals at
suppliers had access to their customer data and did not monitor
access.
Separate research by KPMG found that 904 incidents of data loss
have been identified since 2005, of which 12% were within the
financial services sector. According to the KPMG findings, 89% of
the data lost was not protected.
Marshall said financial services companies were probably the
most advanced in terms of gaining supplier security assurance. "But
they have a long way to go to make sure supply chains are
secure."
The FSA recommended that companies carry out due diligence of
data security standards before contracts are agreed, review data
security systems and controls, and only allow third-party IT
suppliers access to customer databases for specific tasks on a
case-by-case basis.
Barclays said it manages its outsourcing suppliers through a
programme that incorporates due diligence and risk assessment.
"Based on the risk assessment, detailed IT and penetration
testing may take place. We regularly review our procedures to ensure
that we continue to serve our customers and clients well," Barclays
said.
The FSA fined outsourced services provider Capita Financial
Administrators £300,000 in March 2006 because it "had not
maintained effective systems and controls to mitigate the risk of
fraud".