23 December 2021
The FCA has alerted us to an international data security breach that the National Cyber Security Centre (NCSC) has warned could be the most severe threat in years.
A vulnerability in the Java logging framework, Log4j 2, was found earlier this month which, if left unfixed, could allow attackers to break into systems, steal passwords, extract data and add malware, with very little expertise required.
Why are we telling you this? Put simply, because financial firms are responsible for keeping client data safe, so now would be a good time to check the quality of your firewall!
Understanding the risk
Log4j is an obscure, but crucial, piece of software produced by Apache, which is used on servers to keep records of activity and applications’ behaviours, so they can be reviewed by security and software developers.
Apache volunteers were alerted to the flaw in late November and disclosure of the bug soon after prompted a global race to strengthen the weak point it created in commonly used apps and services across the internet.
Experts are comparing the level of threat to the 2017 issue that led to the Equifax hack, during which the personal details of 150 million people were exposed.
What action should you take?
You may be thinking this kind of technical issue is way beyond your pay grade, but it is important you are aware of the breach and take responsible action to keep your clients’ data secure. This includes personal information held in any format, including addresses, dates of birth, bank details, etc.
Data protection, via appropriate cyber security measures, should be part of your systems and controls and you should assess the security products you are using regularly to make sure they are adequate. We would also recommend contacting any third party software providers that hold client data to find out what action they are taking.
To comply with the current regulations, you need to incorporate potential cyber threats into your disaster recovery/business plan and detail an appropriate response in the event of a breach.
Although you may never have heard of Log4j, it underpins much of the digital economy, and the FCA is recommending that any firm using it review the NCSC guidance to ensure the safety of its systems. To find out more, visit https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know
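The first step in the NCSC guidance is working out whether you run Log4j 2 at all, which is harder than it sounds because the library usually sits inside a Java application's bundled jar files rather than being installed by name. The script below is an added example for this notice, not code from the original page, from Apache or from the NCSC. It walks a directory tree, opens every .jar/.war/.ear archive (including archives nested inside archives), and reports where a Log4j 2 core library is present and which version it declares. It assumes the standard layout of the official log4j-core jar (its Maven pom.properties entry and the org/apache/logging/log4j/core package); the sample archives it builds for the demonstration are constructed, and the version string 2.14.1 in them is a sample value, not a statement about which versions are affected.

```python
"""Inventory Log4j 2 core jars under a directory tree.

Added example for this notice, not code from the original page or from
Apache/NCSC. It assumes applications keep their Java libraries as .jar
files on disk (optionally nested in .war/.ear archives) and that the
official log4j-core jar carries its Maven pom.properties entry.
"""
import io
import os
import sys
import tempfile
import zipfile

# Maven metadata path shipped inside the official log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Package prefix of the Log4j 2 core classes; catches repackaged ("shaded")
# copies that dropped the metadata.
CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def core_version(archive, names):
    """Version from pom.properties, 'unknown' if core classes exist without it, else None."""
    if POM_PROPS in names:
        text = archive.read(POM_PROPS).decode("utf-8", "replace")
        for line in text.splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
        return "unknown"
    if any(n.startswith(CORE_PREFIX) for n in names):
        return "unknown"
    return None


def inspect_archive(fileobj, label, findings, depth=0):
    """Record any Log4j 2 core found in this archive, recursing into nested archives."""
    try:
        with zipfile.ZipFile(fileobj) as archive:
            names = archive.namelist()
            version = core_version(archive, names)
            if version is not None:
                findings[label] = version
            if depth < 3:  # bounded recursion: jar inside war inside ear is typical
                for name in names:
                    if name.lower().endswith(ARCHIVE_EXT):
                        inspect_archive(io.BytesIO(archive.read(name)),
                                        label + "!" + name, findings, depth + 1)
    except zipfile.BadZipFile:
        pass  # not a zip-based archive; skip it
    return findings


def scan_tree(root):
    """Return {relative_path[!nested_entry]: version} for every Log4j 2 core jar under root."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, name)
                label = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    inspect_archive(fh, label, findings)
    return findings


def build_sample_tree(root):
    """Constructed sample data: a plain core jar, a shaded jar, a WAR bundling a
    core jar, and an unrelated jar. 2.14.1 is a sample version string only."""
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "app"))
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.14.1\n")
        z.writestr(CORE_PREFIX + "LogEvent.class", b"")
    with open(os.path.join(root, "lib", "log4j-core-sample.jar"), "wb") as fh:
        fh.write(core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "lib", "shaded-app.jar"), "w") as z:
        z.writestr(CORE_PREFIX + "Logger.class", b"")
    with zipfile.ZipFile(os.path.join(root, "app", "service.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-sample.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "lib", "other.jar"), "w") as z:
        z.writestr("com/example/Main.class", b"")


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    # Usage: python log4j_inventory.py /path/to/application/root
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for location, version in sorted(results.items()):
        print(f"{version:>10}  {location}")
```

Run it against the directories your Java applications are installed in and hand the resulting list (location plus version) to whoever maintains each system, or to the third-party provider, so they can compare it with the versions the NCSC guidance says are fixed. A result of "unknown" means the core classes are present but repackaged without their metadata, which is exactly the case a vendor needs to confirm by hand; an empty result only covers what is on disk, not software run from containers or hosted elsewhere.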
For more information about your data protection responsibilities and compliance with the FCA regulations, don’t hesitate to contact us on (0161) 521 8641 or email: [email protected]