
White Paper

7 ways to better meet FCA and ICO/DPA technology guidelines

Technology compliance for alternative investment companies and other organisations in scope of FCA and ICO/DPA regulation

www.servicedcloud.com
Introduction

Perhaps one of the most important things the 2007 credit crunch and the ensuing global economic recession demonstrate is the
Consequently, the rationale for robust regulatory oversight of the
financial system is interwoven with and highly reliant on technology.

Technology changes quickly, and the threat environment may be characterised as agile and blended, with a need for constant vigilance.

Today the Alternative Investment Fund Managers Directive (AIFMD) and the Capital Requirements Directive IV (CRD IV) are the primary tools governing the core business of UK-domiciled alternative investment
Authority (FCA) guidelines in conjunction with the Information Commissioner
for breaches of the Data Protection Act (DPA).

As a result there is a mix of recommendations and mandatory compliance points. This means some areas are open to interpretation, and there is a need to understand where any distinctions exist and act appropriately.

The objective of this regulatory approach appears to be to create a culture
a responsible approach and a willingness to consider their use of systems and any risks that need to be mitigated.

In this guide we discuss 7 ways alternative investment businesses, and professional services companies supplying services
ICO/DPA regulatory guidelines for using technology within their businesses.

1. Drive it from the top down

Wherever there is a failure of leadership to assert control and set high standards for a business and its employees,

Take responsibility at board level

Ultimately, FCA/ICO compliance is a governance matter and it needs to be owned by the board and driven from the top down. Leave no doubt about standards by promoting a culture of resilience and security. There should never be complacency around the value of information and cyber security.

policies and procedures for protecting information, especially where dependencies lie with third parties or with a parent group. Cyber security should be under the control
accountability
at board level,

It is important that procedures to deal with cyber-attacks, the prevention of fraudulent communications through both voice and email, and safeguarding against money laundering activities are all in place.

Enforcement action: The Money Shop
Date: 06 August 2015
Type: Monetary penalties
Sector: Finance insurance and credit
The ICO has issued a £180,000 civil monetary penalty to The Money Shop in response to the loss of computer
amount of customer details.

40 Beaufort Court Canary Wharf London E14 9XL Email: talk@servicedcloud.com Phone: 02070936020 www.servicedcloud.com
2. Keep your systems up-to-date

to prevent hacking. Hackers often exploit vulnerabilities (that's IT code for holes in security) to gain unauthorised access to networks, systems and data.

Simple to plug security gaps

One of the most fundamental principles of IT security is to plug gaps by maintaining up-to-date software versions. This is done by regular updating or patching with updaters downloaded or automatically
the reasonable step of ensuring systems were kept up-to-date.

3. Tighten up staff security

Employees are only human, and even in the most secure environments people are often responsible for breaches, either through deliberate action or through failing to observe security policies and procedures.

Passwords
One key aspect is password access and control. Companies should have strict password control policies. Users should not use the same username and password combinations for company and personal accounts, as this would allow hackers to gain access to company data and systems by stealing account data from personal or consumer accounts. Forcing regular password changes is one option, or consider Dual Factor Authentication. This means a unique, One Time Key is required at every login, so just knowing a username/password combination is not enough to permit access.

Data loss
laptop) and then losing it are frequent. Consider prohibiting the practice, or only allow download to secure devices (those managed by the business and with encrypted storage) that are only accessible using a username/password combination.

Activity monitoring
Consider monitoring communications activity. Record all telephone calls and archive all email. Some companies record all network activity, although this is more for internal security than for FCA compliance.

HR policies
Consider consulting with HR to review any points where security has touch points with HR policies. Some examples where issues may arise include:

Hiring
New hire induction
Ongoing training
Disciplinary procedures
Termination of employment

Dual Factor Authentication
Online working with data encryption
Activity Monitoring

Enforcement action: Jala Transport Limited
Date: 26 September 2013
Type: Monetary penalties
Sector: Finance insurance and credit
A monetary penalty notice has been served on Jala Transport, a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database.

4. Keep on top of documentation

Always ensure up-to-date network documentation is available. Similarly, request documentation from your partners and any other 3rd parties.

Typically, documentation should include information on:

Who has access to what?
What is the update procedure?
How is data secured?
What is the backup procedure?
What is the disaster recovery plan?

Enforcement action: Think W3 Limited (Thomas Cook subsidiary)
Date: 23 July 2014
Type: Monetary penalties
Sector: Online technology and telecoms
Think W3 Limited, an online travel services company, has been served a £150,000 monetary penalty after a serious breach of the Data Protection Act revealed thousands of people's details to a malicious hacker.

RFI
commencing trading with your company. This will almost certainly include questions on software, versioning and IT security. Likewise, your business should consider issuing an RFI to any new partner before doing business. Also consider formalising documentation for existing partners if an RFI has not previously been part of the partner engagement process.

Demonstrating a responsible approach

Maintaining up-to-date documentation means you have the right information to hand whenever it is requested from your business. It reassures senior management that everything has been given reasonable thought and appropriate systems are in place. Documentation can easily be passed to the FCA if required, to demonstrate a responsible approach.

5. Plan for disaster

Data backup, disaster recovery (DR) and business continuity (BC) planning are closely inter-related. Like many areas of IT, there is no absolutely right or wrong way. There is a menu of different elements that may be mixed and matched together to form
? Once you establish this maximum tolerance to a loss of IT services, you work backwards from there. Some points to consider are:

Avoid backup tapes

A credible backup tape regime requires tapes to be physically taken offsite, inviting the potential for loss. There are a number of
Autoloaders are also expensive and prone to failure because they are mechanical. Online backup is more reliable and secure.

Data retention
Backup is central to the data retention strategy. Creating a reliable archive of legacy data is essential for compliance with FCA data retention rules. Ideally, legacy data needs to be kept accessible but out of the way, and this could guide the design of any hierarchical
FCA retention periods for data

Record type                              Retention period
Emails                                   6 years
Record of election to comply [3]         6 years
MiFID [1]                                5 years
Basel II risk legacy data [2]            5 years
Telephone & electronic communications    6 months

Identify single points of failure

Typical single points of failure include power, network and servers. Search for anything of which there is just one. At the top level, the
another site. Then comes the question: "How far away is far enough?"

Data replication
The potential for disasters, both natural and man-made, is a key consideration when determining the distance to the replication site. Many businesses in the UK conclude that a distance of 50 miles is appropriate. For even better risk reduction, consider replicating in more than one place. Remember to include telephone systems.

Document disaster recovery plans

Document the disaster plan.

Key DR plan information includes:

Who instigates the plan?
Where is the recovery site?
How long before the business returns to operational status? (Sometimes referred to as the Recovery Time Objective, RTO)

6. Commission an external audit

Consider assessing your systems against ISO27001, the management system standard for IT security, by checking credentials, external audit or penetration testing.

External IT partner
If you have an external IT partner, ensure you check its credentials. It should be appropriately accredited and should adhere closely to industry best practice for information security.
Internal IT team
If you have an internal IT team, consider getting a second opinion by engaging an appropriately accredited company to audit your network. An internal IT team may only have in-depth experience of your own environment. Employing an external team to check the systems often gives an insight into your own network that you may otherwise not be able to obtain.

Penetration testing
Consider penetration testing, or "pen testing". This is the process of stress testing your systems to see if a "tiger team" of computer security professionals acting as hackers is able to break through to gain access to your network, servers and data.

7. Review physical security

security
with an audit. Some typical questions that might be used to audit physical security include:

ity
guards)
Are all computer workstations, including laptops and tablets, locked when not in use?
Who has access to the server cupboard, comms room or data centre?
Are there access control records documenting entry and exit of the premises?

Enforcement action: Staysure.co.uk Limited
Date: 24 February 2015
Type: Monetary penalties
Sector: Finance insurance and credit
An online holiday insurance company
after IT security failings let hackers
access customer records. More than 5,000 customers had their credit cards used by fraudsters after the attack on Staysure.co.uk.

Offsite datacentre
offsite data centre. Any choice of data centre should be governed by accreditation to ISO 27001, which means the facility is audited for physical security in line with the management system standard.

Data sovereignty
It is vitally important to consider the issue of data sovereignty: the geographic locations where data is stored. When evaluating offsite data storage it is essential to understand where data may be stored by service providers. Changing legislation and challenges to agreements such as Safe Harbour mean the landscape may shift suddenly.

Why is Serviced Cloud a preferred technology

Serviced Cloud is a specialist provider of cloud technology solutions
experience to help alternative investment companies and those supplying services to regulated businesses to meet their regulatory obligations or follow guidelines on the use of technology.

or compliance team. This means FCA compliance is highly subjective. Getting it wrong can be a costly mistake.

Serviced Cloud works with in-house compliance experts or external consultants to ensure any solution exceeds the interpretation of the regulatory code. Serviced Cloud is able to provide the appropriate level of services required by the majority of SME FCA-regulated businesses.

About Serviced Cloud

Serviced Cloud is a close-knit and highly professional team of technology professionals who are evangelists for cloud solutions. This is because we believe the benefits are unrivalled by equivalent on-premise approaches to provisioning business technology.

The business benefits of the cloud are regularly highlighted in the press and deliberated in boardrooms. Cloud technology is a topic about which the vast majority of business leaders are likely to have more than a passing interest.

Based in the heart of London in Canary Wharf, Serviced Cloud was incorporated in 2009 with a clear and simple vision. We are dedicated to helping business leaders in financial service organisations find the best way of successfully adopting cloud technology in their businesses. We offer best-of-breed Hosted Cloud Services in our ISO27001 London data centres, and help clients to create their own Private Cloud systems in their own offices or data centres.

Our friendly and professional engineers and consultants have extensive experience, proven track records and can-do attitudes. We offer independent advice but partner with the leading cloud technology companies to ensure seamless support. We are service focused; our clients' satisfaction is paramount.

References and further reading

Financial Conduct Authority
http://www.fca.org.uk/firms/being-regulated/meeting-your-obligations/firm-guides/information-gathering/data-security
http://www.fca.org.uk/your-fca/documents/fsa-data-security-factsheet
http://www.fca.org.uk/firms/being-regulated/meeting-your-obligations/firm-guides/information-gathering/call-taping
https://www.fca.org.uk/your-fca/documents/guidance-consultations/gc15-06

Information Commissioner's Office
https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/
https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/

Miscellaneous
http://www.cioupdate.com/trends/article.php/3872926/Disaster-Recovery-Planning---How-Far-is-Far-Enough.htm
http://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
https://www.watsonhall.uk/resources/downloads/paper-uk-data-retention-requirements.pdf
