
Regulators' Patience Over Cyber-Breaches Is Running Out - Consultants

Tom Burroughes, Group Editor, 3 May 2018


A global regulatory compliance firm has named a Hong Kong-based cyber-security expert to push work in this space, and warned that official patience is running out over breaches.

Bovill, the regulatory consultancy for financial services firms, has appointed an expert in cyber-security, and warned that official watchdogs are losing patience with breaches.

David Copland, who is based out of Hong Kong, has joined the firm as a managing consultant, Bovill said yesterday.

Copland previously worked at a risk management consultancy and will be responsible for servicing clients in relation to risk management, cybersecurity, electronic and algorithmic trading for buy-side asset managers and sell-side financial services institutions. In total, Copland has 18 years’ financial experience in hedge funds and brokerage operations. He spent more than nine years at Man Investments on the senior management team as global head of IT and the chief operating officer of the Man Investments Trader Hotel.

Around the world regulators will begin clamping down on financial services firms not observing basic cybersecurity protection policies, he warned. In the European Union, this pressure will intensify because of wider scrutiny on business practice after the EU’s General Data Protection Regulation (GDPR) comes into effect from 25 May. Other regulators around the world also show signs of taking cyber non-compliance seriously, he said. 

“When it comes to cybersecurity, this is something of a crunch period. Despite the saturation of cybersecurity warnings and guidance, there is compelling evidence that an alarming proportion of firms still lack basic protective measures. Regulatory patience with these firms is running out fast,” Copland said. “In the US and Singapore, we’ve seen that regulators have started routinely demanding evidence that financial services firms have procedures on cybersecurity in place. Furthermore, these regulators are bringing prosecutions and fines if they find procedures aren’t being practised or defences are not sufficient. This is a step change. Typically, regulators would explore whether procedures were in place, and punish accordingly, in the event of a breach. They are becoming more proactive,” he continued. 

“In the UK, the FCA already does this in other areas. For example, punishing firms if they don’t follow their policies and procedures to protect client money risk. GDPR is now raising the urgency of this issue when private data is at stake. However, many smaller firms are simply not aware of the need to have cybersecurity policies, or the need to evidence their cybersecurity risk reduction efforts, be that technical measures or policies and procedures,” he said. 

Bovill said its analysis of press data published on major cybersecurity breaches found that almost half – 47 per cent – of them can be traced to an internal firm source, placing extra emphasis on data classification, data archiving strategies, data access, data loss protection, HR recruitment controls and staff IT acceptable use policies.

“Observing cybersecurity defences relating to staff actions is growing in importance. This includes staff who unwittingly email confidential data externally, or who are unaware they have clicked on email links which allow the download of malware. And, in extreme cases, rogue staff who maliciously steal data. Time is running out for smaller firms to tighten their cybersecurity procedures. All the signs are that regulators will show little sympathy to firms who fall foul of the rules,” Copland added.

In Copland's home region of Asia, the Hong Kong Monetary Authority and the Monetary Authority of Singapore warned in September and August 2015, respectively, about the threats that cyber-criminals present to financial organisations. Last year, the UK's Financial Conduct Authority said a total of 69 material cyber incidents were reported to it, up from 38 in 2016 and 24 in 2015.

As regulations have proliferated, so has the business of advising firms about how to comply. (See a recent example of activity here.)

Cyber-security breach risks are a drag on enthusiasm among consumers to entrust financial and wealth management affairs to the digital sphere, as reported recently here. EY, the professional services firm and accountancy, has reported that while there is much talk among business executives about tackling cyber-security threats, this is not yet backed up fully with action on the ground.

The scale of problems is vast. In the US alone, for example, some $3 billion was lost in 2016, touching 22,000 victims, as a result of hacks on business emails, as heard at a recent conference hosted by this news organisation.

 
