In view of the findings from a recent thematic review of the data risk management practices of licensed corporations (LCs) (please see the enclosed findings report for more information), the Securities and Futures Commission (SFC) has published a circular on this subject. In it, the Commission sets out its expectations regarding such practices, including expectations pertaining to data collection, classification, usage, retention, transfer and disposal. Before outlining its expectations, the Commission defines "data risk" to ensure a common understanding of the term, which, according to the regulator, refers to "the risk of operational disruptions and reputational or financial losses due to LCs' inadequacy in managing the data lifecycle".
##### The key expectations are briefly outlined below:
(1) Data risk governance: To ensure the prompt identification, communication and mitigation of data risk incidents, firms must develop and enforce corresponding policies and procedures. At a minimum, such policies need to address the assignment of responsibilities for data risk management and the drafting and implementation of "structured protocols" for the above-noted identification of data risks and the communication of incidents both to senior management and to regulators.
(2) Data life cycle management: As many firms collect a wide range of data to conduct business and to perform certain business and regulatory functions, the SFC stresses that they must monitor and manage the entire data life cycle as noted above. Only then will they be able to adequately monitor the risks associated with the collection and maintenance of data, such as the risk of unauthorized access or of data loss or leakage.
– Data collection: LCs must ensure that the data collected from customers or other third parties is accurate, complete and safe.
– Data classification: LCs should classify their data according to its sensitivity and align their data protection measures with such classification.
– Data usage: LCs should establish processes to ensure that data can only be accessed by authorized parties (e.g. via access control restrictions).
– Data retention: LCs should ensure that they are able to recover any lost data within the legally required time limits to minimize the risk of business disruption. Establishing corresponding back-up policies and data retention periods is essential here. It may even be advisable to set different retention periods for different types of documents.
– Data transfer: As data transfers pose the greatest risk of data loss or leakage, firms must deploy adequate technical measures, such as data encryption tools, to ensure that data is kept safe.
– Data disposal: Once data must be disposed of, LCs should take adequate measures to ensure that it is truly disposed of and cannot be retrieved or reconstructed.
– Use of third-party services: When relying on third-party service providers for any of the above-noted functions in the data life cycle, LCs must ensure that those providers are capable of performing them. They must closely monitor the third party's operations and apply an adequate level of due diligence.