Financial services firms are failing to check the IT security arrangements of the firms to which they outsource back-office functions, according to the Financial Services Authority (FSA).
In its Data Security in Financial Services 2008 report, the financial services watchdog said it was a "major concern" that firms are not checking that outsourcing suppliers have the right IT security and policies in place for handling their customers' details.
In the report, which analysed 39 companies across the sector, the FSA said nearly all firms questioned rely on IT support from third parties.
"Very few firms proactively check how third parties vet their employees or the security arrangements in place to protect customer data," it said.
The FSA said some firms were not aware of which individuals at suppliers had access to their customer data and did not monitor access.
Separate research by KPMG found that 904 incidents of data loss have been identified since 2005, of which 12% were within the financial services sector. According to the KPMG findings, 89% of the data lost was not protected.
Marshall said financial services companies were probably the most advanced in terms of gaining supplier security assurance. "But they have a long way to go to make sure supply chains are secure."
The FSA recommended that companies carry out due diligence on data security standards before contracts are agreed, review data security systems and controls, and only allow third-party IT suppliers access to customer databases for specific tasks on a case-by-case basis.
Barclays said it manages its outsourcing suppliers through a programme that incorporates due diligence and risk assessment.
"Based on the risk assessment, detailed IT and penetration testing may take place. We regularly review our procedures to ensure that we continue to serve our customers and clients well," Barclays said.
The FSA fined outsourced services provider Capita Financial Administrators £300,000 in March 2006 because it "had not maintained effective systems and controls to mitigate the risk of fraud".