Plan for disruption and keep the plan under review
Demonstrating that adequate steps have been taken to avoid incidents is key. In one high-profile banking systems outage, a software compatibility problem led to an IT failure affecting over 6.5 million customers for several weeks. Amongst other things, the FCA considered that the banks’ IT risk appetite and policy should have had a much greater focus on designing systems to withstand or minimise the effect of a disruptive incident.
Even with such steps, cyber-attacks may strike at some point and occasionally system changes will not go as smoothly as they should. Planning for such eventualities should include consideration of how best to ensure effective communication and coordination between relevant teams and stakeholders during an incident. Any plan should also be subject to rigorous and regular review, including in light of organisation changes and experience.
Incident management procedures must be kept up to date and tested with regular run-throughs to identify any practical issues or potential pitfalls that may otherwise only emerge in the heat of responding to a real-life incident. Examples cited by the FCA include the incident management rota having the wrong telephone number for the business incident manager. Out-of-date information like this can lead to unnecessary delay in invoking crisis management procedures. In the same case, the FCA also highlighted the fact that emails were sent to an inbox that was not manned over the weekend (instead of following the correct procedure and calling the on-call fraud analyst).
Be alert to warnings and map risks
Where operational risks are identified in one part of the business or more widely within the industry, firms need to consider the full extent to which those risks may arise within the organisation and, if so, ensure those risks are communicated and appropriate action is taken. In a number of enforcement cases in recent years, there had been prior incidents or warnings which should have been properly addressed and the firms in question were criticised by regulators for failing to deal with foreseeable risk.
Consider your outsourced business up front
Outsourcing adds another layer of complexity in that, when considering operational resilience, firms will need to give detailed thought as to: (i) how their systems depend on those of their outsourcing providers, particularly where services they provide are critical (such as any outsourced business continuity and disaster recovery arrangements); and (ii) defining at the outset the firm’s outsourcing risk and tolerance levels.
Be proactive and coordinate when incidents occur
If, despite best efforts, an incident does happen, firms still have the chance in the immediate aftermath to manage the situation, and the actions firms take in reacting to an incident can affect the overall outcome from a regulatory perspective. In one cyber-attack case, proactive remediation steps taken by the bank included: (i) commissioning a root cause analysis of the weaknesses that made the bank vulnerable to the attack and an evaluation of its financial crime controls; (ii) carrying out a comprehensive redress programme; and (iii) demonstrating high levels of senior-level cooperation with the FCA, all of which contributed to a 30% mitigation discount to the FCA fine (on top of a 30% discount for early settlement).
Firms may also need to co-ordinate responses on a number of fronts and across jurisdictions, and consider how decisions will impact all interested or potentially interested bodies and parties, recognising that information may be shared between them. Depending on the nature of the incident, more than one regulator may become involved, including, in the UK, the PRA, the FCA and, where personal data has been lost, the Information Commissioner’s Office. In addition, complaints may be made to the Financial Ombudsman Service, a body set up by Parliament to assist consumers with resolving disputes with financial services providers. Customers may also bring litigation in connection with the incident (whether as part of a class action or otherwise).
In terms of future enforcement in this area, we expect higher fines from the FCA. In one of the cases mentioned above, the FCA made it clear that there was no loss of personal data and yet the outcome was a £16.4 million fine. It seems likely that if a regulated entity loses personal data as part of a cyber-breach in the future, the magnitude of the FCA fine would be increased to reflect this.
In addition, we anticipate enforcement against individuals and, in particular, senior management. Both the FCA and the PRA have stressed the importance of understanding these particular risks (despite their technical nature) and the need for effective challenge at Board and senior management level in relation to cyber risk. For some years now there has been a regulatory focus on individual accountability, and enforcement action has already been taken against individuals for systems and controls failings in other areas.
Therefore, firms and senior individuals should take heed from the mistakes of others where they can by monitoring enforcement in this area and learning relevant lessons, in particular where any significant system changes are on the horizon or potential weaknesses have been identified.