Regardless of whether any damage is sustained to a firm or its customers, a cyber-attack may require a prompt regulatory notification to the FCA and/or the PRA and may also give rise to concerns regarding potential weaknesses in a firm’s systems and controls. An investigation may be needed in order to identify root causes, any wider implications and remediation requirements.
One key consideration will be whether there has been a potential failure to comply with Principle 3, which requires that firms take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems, and with the related rules set out under the Senior Management Arrangements, Systems and Controls (SYSC) section of the FCA Handbook. These rules include requirements relating to arrangements for, and the supervision and management of, the outsourcing of critical or important operational functions to a service provider, and to the protection of confidential information relating to the firm and its clients.
Whilst no enforcement action has yet been brought for failures relating to cyber security, there is clearly scope for regulatory sanctions, including the imposition of considerable fines. The FCA has already fined a number of firms in relation to data and information technology-related failures:
- In November 2014, following a joint investigation, the FCA and PRA imposed fines totalling £56 million for a breach of Principle 3 arising from an IT failure which led to certain bank customers variously being unable to withdraw cash from ATMs, draw down loans or make transfer payments. The regulators found, amongst other things, that the incident had been caused by a failure to check the effectiveness of a software upgrade and a failure to implement effective systems and controls for testing software or for identifying, analysing and resolving IT incidents.
- In September 2010, the FSA imposed a fine of over £2 million on an insurance company for a breach of Principle 3 arising from a failure to have adequate systems and controls in place to prevent the loss of confidential customer information. The fine related to the outsourcing of security over customer data storage to a foreign subsidiary and on to a sub-contractor and the loss of back-up tape by that sub-contractor. Although there was no evidence that the lost data was compromised or misused, there was a risk that customers could have suffered serious financial detriment. The insurance company did not carry out ongoing assessment of the risks connected with the outsourcing arrangement, conduct adequate due diligence on the sub-contractor’s data security procedures or obtain sufficient management information to enable it to manage and control data security and financial crime risks. It also failed to put in place proper reporting lines between the subsidiary and the UK business (resulting in the data loss incident not being reported to the UK business for twelve months); and there was a lack of clarity over who had responsibility for providing assurance to management that data security issues were being appropriately identified and managed.
- In July 2009, the FSA imposed fines totalling over £3 million in connection with breaches of Principle 3 due to inadequate systems and controls to protect confidential customer data from being lost or stolen. In particular, the FSA found that the relevant firms had variously failed to put in place adequate and effective procedures, guidance and resources to ensure that, among other things: customer data sent to third parties on portable electronic media was secure in the event that it was lost or intercepted; customer data sent to third parties in hard copy form was sent securely; customer data kept in their offices was at all times secure from the risk of internal fraud or theft; and an appropriate due diligence process was followed prior to contracting services to third parties such as waste disposal firms.
Further, the FCA has issued a number of fines against firms for systems and controls failures relating to a range of other issues, including outsourcing and financial crime, which could equally apply in circumstances involving a cyber security breach. In the context of cyber risk, this consideration will be particularly relevant for firms storing data through third party ‘cloud’ service providers.
Since the calculation of a fine may be based on the revenue derived by the firm from the relevant business areas during the period of the breach, there is clearly potential for significant sums to be levied. Fines can also be imposed or increased in respect of any notification failure, including where information provided to the regulator regarding the processes in place is later found to be inaccurate.