Today, this simple business imperative remains, but the introduction of government and industry regulations creates even greater pressure on organisations. Not only are they forced to retain specific business records, but they must also be able to defend the authenticity of this information. Failure to do so can have very serious consequences in the form of fines and litigation, which can be financially and politically devastating. Recent high-visibility court cases have graphically demonstrated just how damaging this can be to the wallet and reputation of an organisation.
As part of the financial services industry, insurance agencies are subject to regulation by the FSA and its industry-specific agencies such as the IMRO, PIA, SIB, RPB, SRO and LAUTRO, to name just a few. In addition, the retention of insurance records is subject to the guidelines defined in the COBS (Conduct of Business Sourcebook).
Depending on the records in question and their specific use, these agencies and guidelines typically require the retention of records for between three and seven years, and in some cases much longer. In practice, many of these firms retain records well beyond the regulation requirements.
The FSA acknowledges this reality in a recent report: "Market participants also say that it helps them with issues related to the Inland Revenue to store certain records electronically for longer than the minimum retention period. However, because it is not cost-effective to sift through records and retain some while discarding others, firms tend to keep all records beyond their minimum retention period." (FSA Handbook, Release 019, Annex C, May 2003)
This situation has created a real dilemma for all financial services companies. On the one hand they're being forced to securely retain more data for longer periods of time, yet on the other hand they're expected to accomplish this with fewer people and smaller budgets. How can organisations respond effectively to this dilemma?
Solving this problem is not trivial, since it involves several different but interrelated concepts. An effective data archival storage strategy must meet regulation demands for retention while being easy to manage, scalable and cost-effective. It must be grounded in processes and procedures that establish and maintain the authenticity or "trustworthiness" of the archived records. This is made difficult because many electronic documents are dynamic and can be updated or altered during different stages of their life.
One proven approach is to establish a process-based "Chain of Trust" (Trustworthy Storage and Management of Electronic Records, Cohasset Associates, Inc., April 2003) that guides records throughout their life and clearly documents their authenticity. This Chain of Trust comprises both processes and products that work together to establish record trustworthiness. The primary components within the chain can be divided into four 'links':
- Record Management Application
- File Management
- Storage Management
- Storage Media