Finance companies are leaving themselves open to potential lawsuits because they are underestimating the IT security requirements needed to implement the Markets in Financial Instruments Directive (Mifid), experts have warned.
Ambiguities in the directive mean that organisations are leaving decisions on IT security to business analysts, who are less aware of the need to maintain data integrity, said PJ Di Giammarino, chief executive at consultancy JWG-IT.
"The problem is that Mifid does not define accountability or measures for ensuring IT systems are secure," he said. "Maintaining the security of data is implicit in the directive, but it is not made explicit."
Although Mifid does not spell out what steps IT departments should take to secure data, organisations need to be able to show that they have systems in place to ensure that any sensitive data they are holding has not been compromised. Failure to do so could leave organisations exposed to lawsuits.
"Mifid is not simply about retaining and retrieving the records associated with a transaction. It is also about being able to prove that while that data is being held, its integrity has been maintained," said Philip Higgins, executive partner at systems integrator BrookCourt Solutions, which has worked with firms in preparing IT systems for Mifid.
"This is not only about securing IT hardware and software, but also business processes," said Di Giammarino.
However, David Lacey, former head of IT security at Royal Mail, said there were advantages in regulations not being overly prescriptive. "The more prescriptive the guidance, the more likely it is to upset the level playing field across industry. Regulators have to focus on high-level principles that can be implemented in alternative ways.
"There is nothing wrong with that. It is just frustrating when you cannot establish what will be adequate," Lacey said.
Specialists have advised companies to implement measures such as restricting employee access to Mifid data, building in the ability to audit what data is consumed by whom and when, and providing incentives to support best practices when handling data.
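Higgins' point that a firm must be able to prove a record's integrity was maintained while it was held, and the advice above on restricting access and auditing who consumed what and when, come down to three mechanisms: a digest fixed at ingest, an access check on every read, and an append-only audit log that cannot be quietly rewritten. The following Python sketch is an added example, not code from the article or from any of the firms quoted in it; the class and function names (`RecordStore`, `verify_records`, `verify_audit`), the sample transactions and the access policy are assumptions made for illustration.

```python
"""Tamper-evident record store with a hash-chained, MAC-protected access audit log.

Added example, not code from the article. RecordStore, verify_records, verify_audit,
the sample transactions and the ACL below are all assumptions for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample transaction records of the kind a firm would have to retain.
SAMPLE_RECORDS = {
    "TX-0001": {"client": "C-100", "isin": "GB0000000001", "qty": 500, "price": 12.34},
    "TX-0002": {"client": "C-200", "isin": "GB0000000002", "qty": 75, "price": 101.0},
    "TX-0003": {"client": "C-100", "isin": "GB0000000003", "qty": 1200, "price": 3.21},
}

# Assumed access policy: which records each user may read ("*" means all).
ACL = {
    "alice": {"*"},                  # compliance officer
    "bob": {"TX-0001", "TX-0003"},   # trader: only records in his own book
}


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class RecordStore:
    GENESIS = "0" * 64  # prev-link of the first audit entry

    def __init__(self, audit_key: bytes, acl: dict):
        self._key = audit_key   # MAC key for the audit log; hold it apart from the app
        self._acl = acl
        self._records = {}      # rec_id -> retained record
        self._digests = {}      # rec_id -> SHA-256 hex fixed at ingest time
        self._audit = []        # hash-chained access events
        self._prev = self.GENESIS

    def _log(self, user: str, action: str, rec_id: str) -> None:
        """Append an audit entry whose MAC covers its content and the previous MAC."""
        entry = {"seq": len(self._audit), "ts": datetime.now(timezone.utc).isoformat(),
                 "user": user, "action": action, "rec": rec_id, "prev": self._prev}
        entry["mac"] = hmac.new(self._key, canonical(entry), hashlib.sha256).hexdigest()
        self._audit.append(entry)
        self._prev = entry["mac"]

    def ingest(self, rec_id: str, record: dict, user: str) -> None:
        self._records[rec_id] = dict(record)
        self._digests[rec_id] = hashlib.sha256(canonical(record)).hexdigest()
        self._log(user, "ingest", rec_id)

    def read(self, rec_id: str, user: str) -> dict:
        allowed = self._acl.get(user, set())
        if "*" not in allowed and rec_id not in allowed:
            self._log(user, "denied", rec_id)   # refused attempts are evidence too
            raise PermissionError(f"{user} may not read {rec_id}")
        self._log(user, "read", rec_id)
        return dict(self._records[rec_id])

    def verify_records(self) -> list:
        """Ids whose current content no longer matches the digest taken at ingest."""
        changed = [rid for rid, rec in self._records.items()
                   if hashlib.sha256(canonical(rec)).hexdigest() != self._digests[rid]]
        missing = set(self._digests) - set(self._records)   # deleted records
        return sorted(set(changed) | missing)

    def verify_audit(self) -> bool:
        """True only if every entry's MAC and prev-link still check out in sequence."""
        prev = self.GENESIS
        for i, entry in enumerate(self._audit):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["seq"] != i or body["prev"] != prev:
                return False
            expected = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def access_report(self, rec_id: str) -> list:
        """Who did what to a record, and when, straight from the audit chain."""
        return [(e["user"], e["action"], e["ts"]) for e in self._audit if e["rec"] == rec_id]


def demo() -> dict:
    store = RecordStore(audit_key=b"example-audit-key", acl=ACL)
    for rid, rec in SAMPLE_RECORDS.items():
        store.ingest(rid, rec, user="ingest-svc")
    store.read("TX-0001", user="bob")
    try:
        store.read("TX-0002", user="bob")   # outside his book
        denied = False
    except PermissionError:
        denied = True
    clean_ids, clean_audit = store.verify_records(), store.verify_audit()
    # Simulate an insider editing the database directly, bypassing the API.
    store._records["TX-0002"]["qty"] = 7500
    store._audit[1]["user"] = "mallory"   # attempt to rewrite history
    return {"bob_denied": denied,
            "clean_tampered_ids": clean_ids, "clean_audit_ok": clean_audit,
            "tampered_ids": store.verify_records(),
            "audit_ok_after_tamper": store.verify_audit(),
            "who_touched_tx1": [(u, a) for u, a, _ in store.access_report("TX-0001")]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check that matters is the separation of duties implied by the design: the digests and the audit chain only prove anything if they are written to storage the people who can edit the records cannot also rewrite, and if the MAC key is held by a different custodian than the application. Logging refused reads alongside successful ones gives the auditor the "who, what, when" trail the article calls for, including attempts that the access restriction stopped.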
They should also keep a close eye on how budgets for Mifid compliance are being spent to ensure they are not "throwing away money" on insecure systems, said Di Giammarino.
Mary Knox, research director at analyst firm Gartner, said that Mifid posed risks that required firms to rethink business strategies and restructure their technology architectures, including IT security.
Investment firms that do not comply with Mifid will be closed down, she said.