25th May 2018… General Data Protection Regulation
What powers do the FCA have?
DATA BREACHES & CYBER INCIDENTS
Principle 3 - Management and control “A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”
Principle 11 - Relations with regulators “A firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which the FCA would reasonably expect notice.”
SYSC 3.1 - Systems and Controls and SYSC 3.2 - Areas covered by systems and controls
SYSC 8 - Outsourcing (data sourcing arrangements)
SUP 15 - Notifications to the FCA
Matters that have a serious regulatory impact (SUP 15.1.1R)
A significant failure in the firm’s systems and controls (SUP 15.3.8G)
A significant breach of any rule in the Handbook (SUP 15.3.11R) – breach notification is immediate
Where “significant” fraud is involved (SUP 15.3.17R) – immediate notification
What does the FCA want to see?
a security culture led from the top
firms to carry out “robust and comprehensive risk assessments”
Risk framework required to manage the risks identified
Senior Managers & Certification Regime (SM&CR) = senior management accountability