The Financial Services Authority has warned UK institutions to improve their data security practices after a review of systems and controls at 39 firms uncovered slipshod practices at banks, building societies, insurance companies and financial advisers.
The watchdog says that "many firms" still underestimate the risk of data loss and fraud to their businesses, and especially to their customers. This includes senior management at firms not recognising the value of their customers' data to fraudsters or that staff could pose a similar threat to data security as that posed by computer hackers and burglars.
"On occasions of significant data loss, firms seem more concerned about adverse media coverage than on being open and transparent with their customers," states the FSA, which referred one firm for enforcement following the latest review.
Speaking at the FSA's annual conference on financial crime, Philip Robinson, director of its financial crime and intelligence division, says: "It is worrying that despite increased public awareness of the impact that identity theft can have on customers, many firms are still not taking this risk seriously. Customers have a right to be confident that firms are doing everything reasonably possible to keep their personal and financial details safe."
He says the watchdog will not hesitate to take action if future breaches are found.
In February 2007, the FSA fined Nationwide £980,000 for information security lapses and in December 2007, Norwich Union was fined £1.26 million for exposing its customers to the risk of fraud.
In the latest review, the FSA discovered that:
- Many firms are not proactively checking that third-party suppliers vet their employees or have adequate security arrangements in place to prevent unnecessary access to customer data;
- Many large and medium-sized firms devote adequate resources to data security risk but place too much emphasis on IT controls and not enough on staff awareness and training or regular risk assessments;
- Many small firms were wholly reliant on compliance consultants, who did not understand the importance of data security within the firm.
Robinson says the FSA plans to publish a factsheet to help senior management at small firms understand their data security responsibilities.