FCA Says Employees Can’t Use Their Own Devices for Work, So Now What?

Most employers allow their workers to use their own devices for company operations purposes, the most common being sending emails when they’re not in the office. However, new FCA rules now prohibit the use of own devices in the financial sector. Daren Howell, Solutions Marketing Manager at Sungard Availability Services, explains more below.

Barely into 2018 and a new challenge has been presented to UK organisations already. A new Financial Conduct Authority (FCA) ruling announced at the start of January means that employees working within the UK Financial Services sector are being prohibited from using their own devices for work or external communication. Initially introduced as a ban on Bring Your Own Device (BYOD) within investment firms, the MIFID II has been extended to give the ruling jurisdiction to all regulated FS businesses.

While initially only targeted at the FS sector, it does raise a wider question about how organisations will have to manage their recovery in the immediate future. With the European Union’s General Data Protection Regulation (GDPR) also becoming a legal requirement later this year, how FS businesses will manage data and protect it is now a critical management process and discipline within business.

The BYOD Boom

The past decade saw a sharp rise in BYOD initiatives across businesses of all sectors and sizes. Allowing staff to bring in their own devices not only carried the obvious benefit of not having to procure and manage a range of PCs and devices for staff – it also offered a degree of business resilience.

For example, at the time of a disaster employees could work from home, or remotely from another location with little disruption to day to day activity. This was a cost-effective approach to extending recovery beyond critical staff who are typically housed in a Workplace Recovery centre.

For some businesses, BYOD may well have served as the primary recovery tool for all staff and whilst it mitigates some disruptive workplace threats, it also had its limitations. That said, it might have got you a tick in the box from the auditor’s operational risk management perspective.

What does the new ruling mean?

The FCA’s regulation extension now stops FS firms using BYOD for recovery because the business cannot control, lock or if need be, wipe the device to protect the business data. Therefore, company and customer data is potentially at risk if the device is hacked or stolen.

So what are the alternatives?

• Lease a spare redundant office? This could work if you are up for the cost. Rents are currently sky high in London, without even taking into consideration the total cost of running a redundant office facility with all the standby technology and staffing.
• Shift the workload to another office in a different time zone? But this could have compliance regulation implications when you shift data out of the country to another jurisdiction.
• Issue employees with a spare laptop? Yes, it’s ready to use, but may not be readily available in times of an emergency. For example, if you keep them in the office and there is a fire then you would have to leave these behind – or if your business in cordoned off due to a crime scene or chemical spill then you would struggle to get access to it. You could keep a stash of devices in a separate building, but how quickly can you get them up and running with all the latest updates and security features to be added when you switch them on.

These options are certainly considerations – but do carry with them their own risks. In this age of uncertainty, compounded by these restrictions in flexibility – businesses will need to have a recovery plan that can offer all of the following:

• A secure working environment
• Technology that’s fit for purpose and ready to use
• Resilient connectivity to your apps in the cloud or data centre
• A team environment for smart decision making and emotional peer support when the pressure is on.

It is with these factors combined with the current levels of uncertainnty that we are very likely to see a “mini-renaissance” in the Workplace Recovery market.

How the market has changed

Those venturing back into the Workplace Recovery market will find that it has changed significantly. When the market softened, vendors merged, recovery centres closed and customers were consolidated into the remaining centres. Vendors that espoused and claimed the lowest levels of seat subscription ratios to attract buyers, suddenly had to be far more commercial and increase the levels of subscription risk. When you now combine the effects of fewer sites, fewer seats left to sell and rising property prices in London along with buyers looking to increase their number of seats as a result of the FCA’s regulation change, prices will inevitably stabilise and increase to levels last seen ten years ago. Workplace Recovery still represents excellent value when compared to the price of a high-end spec laptop.

From a data protection standpoint, and especially for those businesses handling sensitive data it’s now patently obvious that your people can’t just work from anywhere at time of test or disaster. You have to think about how and when customer data can be seen, and by whom. Recently there was a picture posted on Twitter of someone using their laptop on a train and typing what looked like a confidential document. The picture was a clear shot of the person’s screen for all to see.

Clearly there is a degree of complacency here that is going to cost some businesses a great deal of money if behaviours don’t change. So, whilst some businesses will remain complacent, those that are more diligent and have the right recovery assets at their disposal should be in a stronger position to attract more business from customers who entrust vendors with their personal information and wealth assets.