Today, this simple business imperative remains, but the introduction of government and industry regulations creates even greater pressure on organisations. Not only are they forced to retain specific business records, but they must also be able to defend the authenticity of this information. Failure to do so can lead to fines and litigation, with devastating financial and political consequences. Recent high-visibility court cases have graphically demonstrated just how damaging this can be to the wallet and reputation of an organisation.
As part of the financial services industry, insurance agencies are subject to regulation by the FSA and its industry-specific agencies such as the IMRO, PIA, SIB, RPB, SRO and LAUTRO, to name just a few. In addition, the retention of insurance records is subject to the guidelines defined in the COBS (Conduct of Business Sourcebook).
Depending on the records in question and their specific use, these agencies and guidelines typically require the retention of records for between three and seven years, and in some cases much longer. In practice, many of these firms retain records well beyond the regulatory requirements.
The FSA acknowledges this reality in a recent report: "Market participants also say that it helps them with issues related to the Inland Revenue to store certain records electronically for longer than the minimum retention period. However, because it is not cost-effective to sift through records and retain some while discarding others, firms tend to keep all records beyond their minimum retention period." (FSA Handbook, Release 019, Annex C, May 2003)
This situation has created a real dilemma for all financial services companies. On the one hand they're being forced to securely retain more data for longer periods of time, yet on the other hand they're expected to accomplish this with fewer people and smaller budgets. How can organisations respond effectively to this dilemma?
Solving this problem is not trivial, since it involves several different but interrelated concepts. An effective data archival storage strategy must meet regulatory demands for retention while being easy to manage, scalable and cost-effective. It must be grounded in processes and procedures that establish and maintain the authenticity or "trustworthiness" of the archived records. This is made difficult because many electronic documents are dynamic and can be updated or altered during different stages of their life.