As increasing regulatory mandates and investor pressures drive investment management firms to implement new security, governance, and compliance policies and technology solutions, firms are experiencing new business challenges resulting from these implementations. Often, these new policies and systems force employees to operate in new or different ways than they are used to. In other cases, investors are asking for even more restrictive rules than the regulators to align with ongoing trends or anticipate future rules. The new rules and requirements cover the following focus areas:
- Cybersecurity – The demands in this space are increasing and becoming more complex and restrictive.
- Data Governance – A new space for many firms that requires firm-wide data to be managed and controlled.
- Personal Trading – Firms are increasingly being required to implement code of ethics policies, including personal trading.
- Surveillance – Firms are being asked to proactively monitor their own activity.
These changes share a common problem: they require a firm’s employees to modify their behavior and processes without necessarily experiencing personal gain. This can lead to resistance and avoidance behaviors from employees, create turmoil within your firm, and put your data at risk if the changes are not handled correctly.
In general, employees will resist implementing security or data governance restrictions, and will push back on changes and requests. More perniciously, employees will look for ways around restrictions, often degrading the benefits of the changes being implemented.
As a security or technology professional, you will find that some of the challenges are unavoidable, but they can be alleviated significantly by following a key set of guidelines:
- Follow the business
- Add value
- Avoid mistakes
Follow The Business
The greatest mistake you can make when implementing new policies, procedures, and restrictions is to not factor in how the business operates. For example, it would be difficult to restrict a firm from using mobile devices if employees spend a large portion of their time working remotely. Likewise, requiring employees to source data from a centralized data warehouse that holds only monthly or daily data would be a problem for groups that depend on intraday data.
This means that really knowing how each group within your organization operates is crucial — you need to understand how their business workflows operate, map the data they use and produce, and understand the timelines of how they do what they do. This will ensure that you can make informed decisions on how to best implement new requirements/restrictions and integrate them smoothly into the existing operations and processes of each group.
Add Value
While there are times that restrictions make life harder for some employees, the transition can be made easier if a restriction is coupled with a new technology or tool. For example, requiring password changes can be coupled with a password management system, or disabling USB access on a laptop can be paired with providing a secure collaboration platform or cloud storage option.
Requiring data to come from a centralized data management tool may be restrictive, but if that tool provides data faster and with more accuracy, then users will buy into it much more quickly and with less resistance, because they have received added value. This should be incorporated into your firm’s business strategy as a core value, and it should be taken into consideration when budgeting for the implementation of new policies/procedures.
Avoid Mistakes
No one likes to make mistakes, but having this happen when implementing something that restricts what people can do can be extremely damaging from a reputational standpoint and can make it harder to implement future policies. Rolling out firm-wide changes to employees requires careful planning, robust rollback plans, and adequate support capabilities to handle any questions or problems that may arise during and after the implementation process.
How ACA Can Help
ACA can help your firm navigate the complexities of safeguarding your firm’s data and complying with regulatory requirements. Our services include:
- Cybersecurity policies, procedures, and governance
- ComplianceAlpha® risk and compliance program management platform
- Cybersecurity and technology risk assessments
- Mock regulatory cybersecurity exams
ACA recently conducted a webcast on best practices your company can implement to protect your data and comply with regulatory requirements. You can view the replay here: Webcast: Safeguarding Data: Protecting Your Company’s Crown Jewels.