IT Systems & Data Security Under MiFID II – The new SYSC rule you need to know.

The “near final” rule 4.1.1 in the FCA SYSC handbook post MiFID II explicitly mention two important things in regards IT & Data

  • That a firm has to have “effective control and safeguard arrangements for information processing systems”
    in Regulator speak a Firms IT System – which mitigates against the throw together a few web based services to make it all work model.
  • That a Firm must have a strong focus on Data security.  
    That means no plain username & password web based services such as webmail, Box, DropBox, LiveDrive, Gmail, o365 etc etc will be good enough unless secured with MultiFactor Authentication.  Also it seems like a good Data Loss system such as Sophos Cloud or the like will be requited to meet the information leakage provision.

The “near final” rule is this:
4.1.1 R (1) A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.

(3) Without prejudice to the ability of the FCA or any other relevant competent authority to require access to communications in accordance with MiFID and MiFIR, a common platform firm must
have sound security mechanisms in place for the following, while maintaining the confidentiality of the data at all times:

(a) to guarantee the security and authentication of the means of transfer of information;
(b) to minimise the risk of data corruption and unauthorised access; and
(c) to prevent information leakage.

Or this
4.1.5 R A MiFID investment firm and a management company must establish, implement and maintain systems and procedures that are adequate to safeguard the security,  integrity and confidentiality of information, taking into account the nature of the information in question.

PS17/5: Markets in Financial Instruments Directive II implementation – Policy Statement I