Cybersecurity regulation expert joins Bovill with warning for small firms
1 May 2018
Global financial services regulatory consultancy Bovill announces that David Copland, cybersecurity regulation expert, has joined the firm as a Managing Consultant.
David joins from a risk management consultancy and will be responsible for servicing clients in relation to risk management, cybersecurity, electronic and algorithmic trading for buy-side asset managers and sell-side financial services institutions. David has 18 years’ financial experience in Hedge Funds and Brokerage operations. He spent over nine years at Man Investments on the senior management team as Global Head of IT and the COO of the Man Investments Trader Hotel.
David joins with a warning that around the world, regulators will begin clamping down on financial services firms not observing basic cybersecurity protection policies. In the EU, this will accelerate as part of wider scrutiny after General Data Protection Regulation (GDPR) comes into effect later this month – but other regulators around the world also show signs of taking cyber non-compliance seriously.
According to David, smaller firms are most likely to fall under regulators’ glare.
David Copland, Managing Consultant at Bovill, comments:
“I’m thrilled to be joining this exciting organisation, with such a breadth of regulatory expertise. When it comes to cybersecurity, this is something of a crunch period. Despite the saturation of cybersecurity warnings and guidance, there is compelling evidence that an alarming proportion of firms still lack basic protective measures. Regulatory patience with these firms is running out fast.
“In the US and Singapore, we’ve seen that regulators have started routinely demanding evidence that financial services firms have procedures on cybersecurity in place. Furthermore, these regulators are bringing prosecutions and fines if they find procedures aren’t being practised or defences are not sufficient. This is a step change. Typically, regulators would explore whether procedures were in place, and punish accordingly, in the event of a breach. They are becoming more proactive.
“In the UK, the FCA already does this in other areas. For example, punishing firms if they don’t follow their policies and procedures to protect client money risk. GDPR is now raising the urgency of this issue when private data is at stake. However, many smaller firms are simply not aware of the need to have cybersecurity policies, or the need to evidence their cybersecurity risk reduction efforts, be that technical measures or policies and procedures.”
Bovill analysis of press data published on major cybersecurity breaches finds that 47% can be traced to an internal firm source, placing extra emphasis on data classification, data archiving strategies, data access, data loss protection, HR recruitment controls and staff IT acceptable use polices.
David Copland adds:
“Observing cybersecurity defences relating to staff actions is growing in importance. This includes staff who unwittingly email confidential data externally, or who are unware they have clicked on email links which allow the download of malware. And, in extreme cases, rogue staff who maliciously steal data.
“Time is running out for smaller firms to tighten their cybersecurity procedures. All the signs are that regulators will show little sympathy to firms who fall foul of the rules.”