The information contained in the leaked Panama Papers documents has already prompted governments, regulators and investigative authorities to renew their scrutiny of previously accepted practices and to accelerate efforts to raise standards of transparency and accountability. The leak itself also highlights how exposed confidential data held by firms around the globe can be.
If the leak is confirmed to have resulted from an external attack on its systems, Mossack Fonseca could face claims from customers and regulators for having failed to protect confidential data. Beyond the reputational damage the incident has already caused the firm, the financial consequences could be considerable.
This case reinforces the importance of cybersecurity as ever greater volumes of client information are held and exchanged electronically. Fiduciary businesses owe their clients a duty of care, and that duty includes protecting confidential data from unauthorised access.
The JFSC (Jersey Financial Services Commission) also recently issued a Dear CEO letter highlighting the growing importance of cybersecurity arrangements and setting out its expectations of registered persons in this regard. At a minimum, licensees should understand and document their exposure to a cyberattack, have contingency arrangements in place and ensure that the firm adequately addresses cybersecurity risk. Given recent events, we feel it is important to revisit the issue.
What should you be doing?
A three-step approach is recommended to mitigate the risk and impact of a cyberattack and, in doing so, to satisfy regulatory expectations:
- Preparation: Analyse how confidential data flows through the business, where it is stored and who can access it, in order to identify vulnerabilities and implement security controls tailored to those risks.
- Response: In the event of a cyberattack, execute a prepared action plan to restore business operations, respond to customers and regulatory bodies, and communicate in a way that protects the firm's reputation.
- Recovery: Develop and implement a plan to restore the business environment to its pre-compromise state, accompanied by a report for customers and regulators on how the risks have been addressed and remediated and how the threat of future attacks has been reduced.
How can Duff & Phelps help?
Our experienced global cybersecurity and regulatory team will work with your firm to understand your business workflow, deliver an appropriate risk management approach and meet regulatory standards. The result is a robust cybersecurity framework with the following components:
- Identification of sensitive and critical data
- Penetration testing and vulnerability assessment
- Creation of a Written Information Security Policy (WISP)
- Development of an Incident Response Plan (IRP)
- Delivery of an Acceptable Use Policy
- Identification of critical third parties and a comprehensive Risk Management Review (RMR)
- End-user cybersecurity training (in person or online)
- Phishing and spear-phishing email tests
- Ongoing cybersecurity advisory services