IFA Business Owner? How to ward off FCA and ICO attention

We all know trust drives growth, especially in matters financial. But it’s about more than being relied upon to give great advice. Trust in your technology is part of the trust people have in you and your brand. Sadly, embarrassing losses of extremely sensitive and valuable data occur with unnerving frequency in Financial Services.

To combat this, many large corporations are introducing the role of Chief Trust Officer (CTO) as customers emphasise the need to know their data is safe. We looked at how you can be your own CTO and enable your clients to keep their trust in everything you do. This also makes it easier for them to recommend you to others who are choosing an Independent Financial Advisor (“IFA”).

In a recent study, the average total cost of a data breach increased to nearly £4 million, the highest ever recorded. Moreover, costs were even higher when remote working was presumed to be a factor in causing the breach. The financial impact of a data breach can be devastating to a business. The continuous increase in digital communications provides plenty of opportunities for breaches to occur. In addition, the change in working practices contributes to organisations experiencing data breaches caused by remote employees, and such incidents take on average 29 days longer to identify and contain.


The UK’s financial markets are stringently regulated by the Financial Conduct Authority (“FCA”) and the Information Commissioner’s Office (“ICO”), which work closely together, each reporting to the other any mismanagement of funds (evidenced through financial data flows) and any evidence of poor security around data, IT, technology and ways of working. Failure to demonstrate activity in your control framework (even where the underlying policies are well-written documents) will mean the Regulators home in on a business, placing more demand on an already stretched Executive team.

Recently, LDW engaged with an IFA Group whose top executives are almost entirely focused on growth by acquisition, strategic planning and the bigger picture. They love the buzz of a constant stream of new acquisitions and investments. They do not get involved in post-deal integration, or in the steep day-to-day compliance demands their business continually faces. Living on the high of the ‘new deals buzz’, the stark reality of the Company’s (and directors’) legal duties relating to financial and data protection compliance came to be underestimated.

The Problem
Highly acquisitive, fast-paced, forward-looking IFAs find their internal teams taking the strain of managing the ‘operational flow’ and juggling the multi-layered matters that need time to think through and that go right to the heart of IT, security, data protection and people, including culture. The collapse of Asset Wealth Portfolio businesses reported in the press shows, without doubt, that many of these complex problems leave people exposed to cyber threats (as easy as a single click on a phishing email), embarrassing data breaches, and reputational damage.

This is not ‘scare mongering’ – this is a real threat. 95% of e-mail breaches are caused by human error. Although cybersecurity solutions often focus on email threats such as phishing and malware, it is important to recognise that the majority of data breaches stem from people, with half of individuals at work admitting to unintentionally sending an email containing sensitive information to the wrong recipient. Reputation is an IFA’s greatest asset – the foundation for acquiring and retaining clients. However, it has been revealed that businesses that do not take the right steps to protect their clients’ data are suffering the consequences, losing customers due to security issues.

When these threats become reality, the group and its top executives will be embroiled in dealing with the ICO and FCA to explain themselves. Calling investors and portfolio businesses to announce that they have been victims of a cyber-attack or a serious data breach is a very unpleasant task for an IFA business leader, causing intense stress and worry for them, their team and their families, as well as their clients.

When IFAs continue to build and execute on their acquisition targets without addressing these risks, the risks only become deeper and more extensive.

How can IFAs Shore up their Security Posture Fast?
Through our proven Efficiency, Compliance and Security (ECS) Assessment, LDW helps IFAs quickly find a significant number of issues that explain often deeply woven and multi-layered problems. These are presented in a way that is easy to understand, showing their impact (critical, high, medium, low) based on a logical division of business departments and functions. The ECS Assessment findings provide the insight to inform pragmatic security and data protection compliance recommendations, and both are presented in a succinct, ‘plain English’ report so the Executive and Board can grasp the risks and work out the path to green to stabilise their business.

A detailed roadmap, including a plan of urgent remedial actions to address key priorities, quickly moves the IFA into a safe and secure operational ‘status quo’ and can normally be executed within 1-3 months. The remedial works form the foundations of a longer-term, 360-degree holistic data protection and cyber security framework. One IFA we worked with used this to help them successfully establish how they would grow to achieve their target of £25bn of portfolio wealth under management within their target timeframe.

LDW’s Digital Risk Committee – Highly Effective, No Cost
A highly effective tool that LDW has implemented with many clients is our Digital Risk Committee solution, which alleviates siloed working and poorly instructed, and therefore expensive, third-party services. Because it brings together an internal multi-disciplinary team of legal, IT, compliance, finance, HR and marketing, the elected Chair (usually Legal, since all problems normally land back on Legal’s desk!) can hear the past and envisage the future of the business using multiple pieces of insight. A Digital Risk Committee proactively manages broad, complex topics like security and privacy, in which every part of the business is immersed and which are hard to control even with strategic plans in place.

A monthly meeting and a tracked agenda to manage initiatives and risks can really help unlock unseen business potential through this collective ‘eye’ into the business.

It is all about the customer, and our day-to-day activities should be designed to enable their needs to be met. Doing that while protecting yourself can make for challenging decisions. We believe ECS helps make sure that there is never a choice between what’s best for the company and what’s best for the customer.


Feel free to contact Lisa or Andy (details below) to discuss how an ECS Assessment might help IFA leaders sleep soundly at night!

CEO Lisa Burton. Mobile: 07557 094635. E-mail: lisa@legaldw.com

Andrew Mills. Mobile: 07947 804792. E-mail: andy@legaldw.com
