The Financial Conduct Authority’s cybersecurity requirements could throw a spanner in the works of DFMs trying to improve employee wellbeing by offering the option to work from home.
Last month the Financial Conduct Authority said it would be evaluating firms considering remote or hybrid working models on a case-by-case basis.
As a result, DFMs operating this way on a permanent basis must have their plans vetted by the regulator and reviewed periodically to identify new risks. They must also ensure that appropriate governance and oversight are in place under the senior managers and certification regime (SMCR), that internal risk, compliance and auditing functions can carry on unaffected, and that IT systems are “robust” enough to support the scale and complexity of their activities.
To drive the point home, the FCA warned it has the powers to drop in on staff working from their residences to check their activities are not causing harm to consumers or damaging market integrity.
Wealth managers prefer hybrid work/life balance
The FCA warning comes as many employers in the investment industry find employee wellbeing has improved significantly under working-from-home policies adopted during the Covid-19 pandemic.
In October, Brewin Dolphin abandoned plans to relocate its London headquarters to a five-storey building on Cannon Street due to the rise in flexible working.
The FTSE 250 wealth manager told Portfolio Adviser it anticipates most employees will work three days in the office and two from home on average. Though some staff will be required to turn up to the office five days a week, such as members of the facilities management teams, a spokesperson says Brewin will be adopting an “agile working approach”.
“We believe most people are at their most happy, healthy and productive when they balance their time working in the office and at home,” the spokesperson says.
Brooks Macdonald and Quilter Cheviot also plan on retaining hybrid working models introduced during the coronavirus lockdown.
Brooks Macdonald chief people officer Tom Emery says the firm requires employees to spend a minimum of 50% of their time at the office across a rolling two-week period, with a minimum of two days each week.
A Quilter Cheviot spokesperson says while more staff have been returning to the office, the firm wants to maintain the benefits of hybrid working, such as reduced travel and a better work/life balance, where it suits people to do so. Many clients also prefer virtual meetings, finding it easier to fit around their schedules.
DFMs falling short on cybersecurity checks
But security breach data shows the downsides of remote working.
“Our recent research has shown that 81% of IT leaders admitted that their organisation had suffered a security breach in the last 12 months,” says Chris Ross, senior vice president of international sales at Barracuda Networks. This rises to 85% for companies operating a remote or hybrid working model, compared to 65% at office-based companies.
Three quarters of all respondents stated they had been the victim of at least one ransomware attack.
One City portfolio manager told Portfolio Adviser that many things frowned upon in the office, such as using personal phones and personal email addresses (which are inaccessible there because the websites are blocked), cannot be monitored remotely. There is also nothing to stop employees copying confidential data onto their personal computers.
“The firm has to rely on home PC security, but the reality is that they send an email asking us to say our PCs are secure and then do nothing to check,” they say.
“It is all very fraught from a security point of view, but staff are pretty much demanding to work from home.”
Staff and clients must be given guidance
Tessian CEO Tim Sadler says that, as well as ensuring the right security systems are in place, it is essential that staff are fully trained about the data security risks of incorrectly addressed email correspondence, as well as external threats such as phishing emails and ransomware attacks.
Brooks Macdonald says it has a “continuous book of work” to ensure it has the latest tools and applications to monitor cyber threats and protect clients’ data and its own.
Quilter Cheviot says all employees have received training to help them identify and prevent a variety of cyber-attacks. It also provides ‘Stay safe online’ advice to customers and clients, which includes a list of the Quilter group’s company websites and official email addresses to “allow them to safely navigate the online world and help them identify anything that does not look quite right”.
FCA should concentrate on cyber attackers instead of making house calls
JB Beckett, independent fund board director and former fund selector, thinks senior managers and the FCA should also be targeting threats residing outside the industry, often overseas, attempting to gain access within.
“Data and network security is paramount and the FCA would do well to focus on that and leave employee compliance to each firm’s compliance officer, then enhance the reporting framework for cyber risk as is the case for anti-money laundering and with similar sanctions available for wrongdoers.”
This is a better use of the City watchdog’s time than making house calls on remote workers, a prospect he finds “hilarious” considering it “barely enforces and visits firms in their office locations”.
“Ultra vires is the legal term given when an authority, body, individual or entity exceeds or is operating outside of its jurisdiction. The FCA cannot simply ‘drop in’ on private households; even police need a warrant or probable cause for entry.
“Firms will simply have to ensure security by using secure networks and record activities. It might be possible for the FCA to scan logs and files, but the notion of physical remote visits is sheer folly and illegal as far as I can see.”