Market Abuse Regulation (MAR) Software – 5 questions you should ask when buying.
5th December 2022
Buying Market Abuse Regulation software can be a minefield of technical questions and
considerations, when all you really want is software which works for you, your team, and
While you will likely know what you and your team are looking for, you’ll often have to
consider additional demands from your own company security, policy, procurement, and
technical teams. This can make finding the right solution a laborious and complex chore,
making shortlisting potential providers difficult if you do not know what questions to
initially ask to ensure your company’s needs are fulfilled.
As a guide, we have selected five key points to discuss during the buying process to help
you identify the right software for you. Compiled from conversations with prospects and
client Company Secretariat teams, cybersecurity teams and IT experts, these questions
will support a comprehensive understanding of what different providers offer.
If you would like a chat about the buying process, you can always contact us.
1. To what extent can the MAR software align to our Company’s branding and processes?
In any demo or marketing of a product, you will get information on what features the
product offers. It can be easy to overlook how the product may need to fit in with your
company’s existing processes and policies, for example:
Often the system is treated and presented as a Company system to help increase
engagement, especially if insiders and other employees are system users. It is important
to consider how the product should complement your company’s branding. This may
range from aesthetic features such as colour scheme, logos, and brand-aligned wording to
technical features including email branding, signatures, the email domain from which
they are sent, or the URL used for the product. Your marketing team will likely have a clear
set of ‘brand guidelines’ that will need to be followed.
You can expect variation in the levels of branding and customisation available amongst
providers, ranging from an off-the-shelf solution with little to no branding options, through to a bespoke, tailored solution. The level to which you want or need to customise the MAR
software is up to you – but it’s important to know if the supplier can meet those branding
guidelines when they customise your solution.
System Access Policies
How users access the system will often be a critical area which security teams are
interested in during the decision-making process.
You should expect that the provider can integrate with your existing Single Sign-On (SSO)
process if that is your company preference. If, on the other hand, you use password
credentials, or have the need for External Advisors to be part of the system, you should
expect options ranging from secure best-practice password rules through to conformance
with your own password rules, no matter how robust these are (and the more robust, the
better!). HWC has experience with handling complex password rules and implementing
Multi-Factor Authentication for additional security.
2. Does costing scale with how we wish to use the product?
There is no right or wrong answer to this question, as long as the question is answered
clearly and, crucially, you do not face any hidden costs after the system goes live.
An area to be aware of is tiering. Different tiers of costs could be applied for an expanded
user base, the number of lists you need to run in the product or, in some cases, the feature
set itself. It’s vital to ensure that the features you have been shown or promised are all
inclusive of any costs quoted.
Ensure the supplier has made clear what happens if your user base grows beyond the
initial population. Be aware that some suppliers may judge the user base by the number
of user records in the system, regardless of whether they log in or not.
You may also find certain suppliers treat “administrators” of the system (you and your
team) separately to the “user base” so, if the group of administrators grows as you add
people to your team, make sure you have questioned any charges incurred.
In our case, when designing MARFlow and talking to clients and potential customers, we
found that a cost structure based on how bespoke the product is, was the fairest
approach. We additionally factor in how much support you may need from us day-to-day
(to reduce the resource and admin impact on you and your team) when pricing. Leading
with this approach means you don’t have to be concerned about rising costs as you add
more people to the system.
3. What baseline security does your MAR software provide? Can this be enhanced, if needed, to satisfy our Company needs?
While the provider should be ISO 27001 or CyberEssentials+ compliant at a minimum, your
internal IT and cybersecurity teams will often have a well-defined list of their own questions.
The best way to handle this need is to involve your IT Security teams in the discovery
process. Having a list of essentials and ‘nice to haves’ from these teams will help shortlist
suppliers who will successfully comply with your security requirements.
Your company security team may insist upon certain security features. These might include:
● The level of data encryption in place.
● Whether the system integrates with any other systems.
● The supplier’s use of third-party suppliers.
● The product website and database being kept on separate servers.
In addition, internal policies may require enhanced security to be put into place. A couple
of examples of these features include:
● The addition of extra servers to prevent loss of service.
● Hardware security modules (HSM) for further security.
Ensuring the supplier and system meet your requirements in the initial stages of the buying process will ease the procurement, onboarding, and implementation stages.
4. What baseline data privacy and retention procedures does your product provide?
Much like the security considerations, there are some data privacy and retention
constraints which we always recommend addressing upfront. Doing so prevents anything
unexpected arising during the procurement stage.
In a post-Brexit era, it is important to ensure that the product is suitable for both UK MAR
and EU MAR depending on what is applicable to your organisation. Additionally, you
should ensure that the protection and security offered by the product satisfies UK/EU GDPR
and your own internal policies.
We recommend bringing a list of basic points from your Data Protection Team/Officer
during early discussions. You might work with them to agree how the personal data is held
in any system used and discuss the retention period (i.e., anything above and beyond the
MAR requirements). While the data relating to insiders should remain within the system
until at least 5 years from the last update to the relevant list, the provider should be able
to accommodate your Company requirements regarding deletion of data. This is a key
consideration for when MAR timeline obligations have passed and there is no legitimate
need to retain the data, and additionally when deleting data relating to other people not
directly affected by MAR (e.g. Confidential Lists) which may be earlier.
5. What is expected of me and my team during the implementation of the MAR software? How will the product impact our activities day-to-day?
If you are looking for a product, it is likely that one of your key aims is to save time for you
and your team. It is important to spend time considering where exactly you are looking to
make those savings. Is it through:
- Process automation; by reducing human error and the consequent painful (and
often lengthy) resolution process
- By providing insiders with access to their own information without your team
needing to respond to all queries
- Saving time during audit processes.
In our experience, it’s likely to be most, if not all, of the above.
Being clear about the areas you are looking to improve will help in the selection process as you compare features between providers. If you wish to use KPIs to review the system impact, this may be particularly important.
Additionally, one thing which is easy to overlook is the initial time investment needed from you and your team during the onboarding and implementation of the MAR system. Asking what the supplier will need from you can be just as important as asking the supplier what they are offering.
Depending on the supplier, this process will look different. Even amongst our own clients, the implementation process can vary according to their differing needs. Understanding this process and the time frame proposed by the supplier should inform what you are looking for when reviewing options to buy. But we think it’s important to say: don’t be put off by an initial set-up period which looks longer than you might have expected. Getting the set-up right from the outset will require the investment of a bit more time. However, the long-term time and efficiency savings from getting this step right can be huge and repay that initial extra time investment quickly.
While there is so much more that could be considered, these are some of the areas which,
from experience, we know it’s best to talk about upfront. Hopefully, it helps with some of the less
obvious questions you may be considering when selecting a new supplier for a MAR
product. If you would like to know more about how HWC addresses each of these areas, visit
our MARFlow software page. You can also drop us a message if you would like to discuss
your specific requirements.