By Bruce Penson, Managing Director of Pro Drive IT
If there were a major cyber security breach at your company, what would happen? Chances are it would be very difficult to pinpoint the exact person or people responsible, meaning those involved could potentially get off scot-free.
Now, what if responsibility for any wrongdoing wasn’t placed on your firm but lay solely on senior managers? Suddenly it’s a whole different ball game. The Senior Managers and Certification Regime (SMCR) has created a real culture of fear within the financial services industry – and rightly so. We’re not just talking about a slap on the wrist: the consequences range from a hefty fine at best to imprisonment in the worst-case scenario.
By now, anyone working within the sector will already be well aware of the extended SMCR regulations coming into force from 9th December 2019. But the question is: are you really prepared for them?
Why was the regime introduced?
When years of irresponsible lending by banks came to a head in the great financial crisis of 2008, an opaque and bureaucratic system meant people were able to easily hide behind others. As a result, regulators struggled to find the individuals responsible and it was the taxpayers who ended up bailing out the banks.
To help drive governance and accountability within financial services firms, the Financial Conduct Authority (FCA) then introduced the SMCR, which aims to deter misconduct and improve awareness of conduct issues across firms – as well as ensure retail customers are protected.
Banks and the larger regulated insurance firms are already subject to the SMCR. But this will now be extended in December 2019 to cover all other FSMA authorised firms too, as the FCA seeks to place an even greater emphasis on personal accountability.
For too long, it has been easy to pass the buck or hide behind other individuals. Not anymore. Senior managers must start taking active measures NOW to show their firm is acting according to the clients’ best interests, within suitable conduct rules.
Who is most likely to get caught out?
Although other members of staff are subject to the certification part of the regime, responsibility still ultimately goes all the way to the top – and this is where the regulators will come knocking should something go wrong. As such, the prospect of the SMCR is perhaps scarier for large corporations. Would you feel comfortable having ultimate responsibility for the hundreds of employees beneath you, any of whom could potentially do something wrong?
However, big organisations will also have a whole team dedicated to ensuring the correct processes are in place and that they are carried out to the letter. But what if you’re a small to medium FCA solo-regulated firm or a one-man IFA? Chances are you’ll have to take on all of these responsibilities and do a lot of the work yourself.
Smaller firms often won’t have the necessary knowledge or resources needed to ensure the company practices are compliant or to continually monitor processes. But if it’s your neck on the line, then you definitely won’t want to be cutting any corners, so outsourcing can prove invaluable.
How can Pro Drive IT help?
Most firms already have suitable systems to spot and deal with typical financial crime such as money laundering and insider dealing, but are completely out of their depth when it comes to cyber crime.
Cyber crime, though, is a growing and constantly evolving threat to companies big and small.
So, to protect the integrity of your financial systems, you’ll need help from someone with expertise in the field, whom you can trust to take on these prescribed responsibilities on your behalf: someone who can run a full diagnostic, help you get all the right documentation in order so you’re covered if the regulators come after you, and who understands the repercussions of getting it wrong.
This is where we come in. Our services include a range of Cyber Essentials packages that help you prepare for the UK government standard. Not only will this help you guard against the most common cyber threats (the certification can reduce the threat of attack by up to 80%), but it will also demonstrate to regulators that you are committed to cyber security and have taken the appropriate measures to ensure compliance.