Appital’s digital-first approach providing effective security practices
By: Matt Palmer, Cyber Security Advisor, Appital
The financial services industry has always been heavily reliant on information flows, and is becoming increasingly dependent on the technology that delivers that intelligence. We need to recognise that this technology is moving away from legacy on-premises systems supported by an on-site IT desk. Indeed, it is only within the last few years that many large banks have considered any kind of non-private cloud.
At the same time, firms are also facing significant regulatory requirements such as the EU’s General Data Protection Regulation (GDPR), which is the largest change to data protection legislation in the last 20 years, as well as financial services-specific rules such as FCA Handbook requirements in the UK, EU directives and regulations in Europe, and Sarbanes-Oxley, New York Department of Financial Services (NYDFS) and FINRA cyber security requirements in the USA.
On a wider scale, organisations have serious concerns about being the subject of a potential cyber attack; for trading activities in particular, there is a need for strong connectivity and resilience.
Appital’s risk management processes and key controls
Cybersecurity platform resilience is a topic that we take very seriously at Appital. Because of our modern infrastructure, all information passes through a single platform, rather than disparate legacy systems. All data and transactions are transparent, running on a secure, cloud-based infrastructure.
What’s more, we base our security on a risk management perspective. As such, our single application is subject to a number of risk management processes and key controls around the development, testing and operations processes. All of Appital’s risk management practices are aligned to the ISO 27001 (ISO/IEC 27001:2005) specification for information security management systems. These security aspects have been incorporated into the design phase of our platform from inception, before we proceed with the build. In addition, our client onboarding processes give us insight into potential risk scenarios such as data breaches, IT outages or cyber attacks, which helps us ensure that the right controls are in place to mitigate them.
At Appital, we also ensure that key controls are in place around development processes - we carry out regular code reviews, enforce coding standards and commission third-party penetration testing. For our operating application, we have selected Google Cloud, a leading provider of cloud computing services, because of its built-in security tools and the high level of assurance it provides (including SOC 2 certification).
Appital is GDPR compliant and maintains clear segregation of client data. When it comes to data access control, there are strict operational controls for running the application. Strong user provisioning is in place so that portfolio managers and traders can see and do only what they are supposed to. Permissions can be mapped to individual users, so that participants can determine the right levels of access for their organisation. Some participants will require single sign-on that is controlled on their side, while others will want to own the encryption keys used to encrypt data at rest, which allows them to disable Appital’s access to their data.
Collectively, these measures are designed to ensure that using Appital makes a positive contribution to the overall cybersecurity posture of clients and the other organisations we work with, and to reduce cybersecurity risk to a lower level than would have been the case with legacy processes.
With Appital, legacy processes are replaced by fully auditable, structured online dealmaking. All data on the platform is completely transparent and stored in a central, secured infrastructure, which improves both the protection and the compliance of organisations. Essentially, our platform provides a high level of resilient security by design, including strict controls over data access and the use of data within the platform.
Appital’s digital approach is designed to support and integrate with regulatory compliance and auditing processes and systems - and, most importantly, it provides our clients with a high level of confidence in the security of our platform.
For more detail about our security practices, please contact us for Appital’s detailed policy documents covering data security, processes, and certifications in cyber security.
About the author
Matt Palmer is an experienced chief information security officer (CISO) for financial services organisations. He serves as an advisor to Appital, a Commissioner at the Jersey Financial Services Commission (JFSC) and Head of Jersey's Cyber Emergency Response Team (CERT).