Choosing a new colocation provider or reviewing your current one? That’s a difficult proposition for most businesses, let alone a financial services firm. You have masses of confidential client data to protect, various security and compliance concerns to address, and a complex set of regulatory requirements.
Here, we explain the best way to audit a potential data centre to cover all of these factors, in line with guidance from the Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO).
Many financial services firms process a vast amount of personal data on a day-to-day basis. As such, compliance with the Data Protection Act (DPA) is one of their most significant legal obligations.
There are eight principles that make up the DPA, including requirements to protect personal data against unauthorised access and damage. The FCA advises that firms ensure compliance with these eight principles and follow relevant guidance from the ICO, which enforces the DPA.
In order to meet these obligations, financial firms should look for a colocation provider that can demonstrate an in-depth understanding of the DPA and clearly outline the ways in which it helps customers comply with its eight principles.
It should be straightforward to distinguish which data centres take legislation seriously, because they’ll go the extra mile by including things like confidentiality in your written contract. This prevents them from discussing your firm with other clients that they host.
Also under the DPA is the matter of data sovereignty. The eighth principle makes it obligatory that personal data remains within the European Economic Area or within a country with appropriate levels of protection.
Financial firms should also take note of the new General Data Protection Regulation (GDPR), which the UK is planning to implement and enforce from May 2018 onwards. This will be similar to the DPA, but includes new stipulations like the so-called “right to be forgotten” and also calls for higher fines for organisations found to be non-compliant. The ICO has made it clear that Brexit will not affect the importance or validity of the GDPR in the UK.
Adherence to security standards
Last year, Tesco Bank suffered the worst cyber attack ever faced by a UK bank, with over £2.5 million lost and 9,000 customers affected – figures that highlight how serious a threat cybercrime is to the financial services industry. Whilst there’s no fool-proof way to protect against breaches, there’s a clear argument for using a colocation provider with exceptional security controls and accreditations to minimise the chances of your firm falling victim to a similar attack.
The ISO27001 accreditation is a good place to start. It’s a stamp of approval that a facility meets the minimum acceptable requirements for running an information security management system (ISMS), and it demonstrates that your colocation provider is organised and has the right policies and processes in place to manage the security of your data. If your firm works with payment card data, checking that your provider is also PCI-DSS compliant is mandatory.
Alongside formal accreditations are the physical controls to supplement them. Financial firms should look for a data centre that invests in the latest technology and has multiple layers of controls around data to safeguard against unauthorised access via entry points.
Teledata’s Manchester colocation facility, for example, is protected by biometric access controls, multi-factor authentication and mantraps, and is the only data centre in the UK with a police-linked, NSI Gold BS5979 accredited control room.
For some firms, providing auditor and regulator access to the data centre is a requirement. In order to comply with the FCA’s guidance on this topic, you should:
- Clarify the procedure for gaining access to your servers – for example, is there a notice period that you need to give, or are you granted admission whenever you wish? Whatever the procedure, it’s important to ensure that it’s neither overly lax nor overly restrictive. You should also be allowed an unlimited number of requests to see your data.
- Make it known to the colocation provider that the regulator (the FCA) will not enter into a non-disclosure agreement with them, and that the FCA must be able to contact the provider directly.
- Ensure that data is not stored anywhere that may prohibit regulators in the UK from accessing it.
Outside of compliance, having the ability to audit a site is a crucial part of the decision-making process. It is, after all, the place where your all-important data will live. A visit gives you the chance to review security controls in person and check over relevant documentation.
Most importantly, you will meet the people who are handling your data on a day-to-day basis. No amount of paperwork, accreditations or over-the-phone communication will do more to reveal how a data centre operates than a site visit. What’s more, a colocation provider who is open to this shows that they have nothing to hide and are more likely to be cooperative with your organisation in the future.
The AWS outage was a catastrophe for financial services firms in the US, which lost approximately £130 million, according to The Register. This demonstrates how the consequences of downtime for organisations in the financial industry are far too costly to ignore – especially if the disruption affects your ability to uphold regulatory requirements.
The reality is that outages can and do occur. But if you have a colocation provider with a robust back-up plan, who can act quickly in times of crisis, then your business is much less likely to feel the impact. Therefore, look for a provider with a high level of redundancy and a strong uptime track record (Tier classification is a good starting point, but may not tell you the whole story) and who also has a business continuity plan of their own.