The Financial Services Authority has warned the banking industry to shape up their attitudes to securing sensitive data and customer information.
Following an audit of 39 banks, building societies, insurance companies and financial advisors, the FSA called on financial services firms to adopt a more transparent stance towards customers, rather than fearing adverse media coverage when data breaches occur.
As a result of the audit, one firm has been referred to enforcement.
Instances of bad security practice found in the audit included a lack of due diligence in checking third-party suppliers vet their employees or have adequate security arrangements; too much emphasis on IT controls at the expense of staff awareness and training; and in some areas, an over reliance on compliance consultants who did not understand the importance of data security.
One of the recommendations the FSA made as a result of the audit was that finance firms should appoint a senior manager with overall responsibility for data security.
Speaking at the FSA annual conference on financial crime, FSA director, financial crime and intelligence division Philip Robinson said: "It is worrying that despite increased public awareness of the impact that identity theft can have on customers, many firms are still not taking this risk seriously. Some firms have made progress by adopting good practice, while others need to do more in the area… we expect the industry to raise its standards. We will follow up on this [audit] with firms and will not hesitate to take action if future breaches are found."
The FSA audit is in conflict with another survey conducted by BT and YouGov on staff awareness about what to do when things go wrong. This report found staff in financial sector companies were 27 percentage points more likely to have a high awareness of their company's business-continuity strategy than the cross-industry average.
BT Global Services finance industry sector managing director Andy Nicholson said in a statement: "With an ever-increasing regulatory environment, operational risk and business continuity planning must extend to every employee, business process and ICT asset."