03 November 2015
No one could have missed the repeated media headlines over recent months concerning successful cyber attacks on high-profile organisations.
It has been known for some time that firms’ operational risks in this area have been growing. The UK government has issued repeated warnings about the need for UK companies to protect themselves from growing cyber security threats (see, for example, here and here). The ICO has also taken enforcement action against firms for failings in relation to data protection (see here).
An area of focus for the FCA
For its part, the FCA (and its predecessor the FSA) has also repeatedly underlined data security as a key area of risk for the firms it regulates. It receives high-profile treatment, for example, in ‘Financial Crime: a Guide for firms’ (see here), the FCA’s 2014 Risk Outlook (see here), the 2014/2015 Business Plan (see here) and then again in the 2015/2016 Business Plan (see here). The FCA has highlighted the age and complexity of some regulated firms’ systems, as well as a perceived failure to invest in and maintain them, as particular risks. The FCA has also clearly been involved in numerous related projects, including recent thematic work with the PRA to increase the visibility of IT risks to firms’ boards. The FCA and PRA have both indicated that their supervision of firms involves looking at systems and controls, including IT vulnerabilities that could facilitate cyber crime.
The enforcement risk
But what of enforcement action? The activities of the FCA and FSA in this field have, to date, been more muted. They have certainly taken enforcement action against regulated firms for IT- and data security-related issues, but to date these have often concerned weaknesses in controls over physical equipment and physical data storage media, and in particular unencrypted data at rest. For example, the FSA fined a firm just under £1m in 2007 in respect of an unencrypted laptop stolen from the home of an employee. A further firm was fined about £3m (across three different businesses) in 2009 in respect of a number of issues including the loss of an unencrypted CD in the post. Another firm was fined £2.3m in 2010 in respect of the loss of an unencrypted backup tape in an outsourced operation. The sums here look modest, but many of these cases date from some time ago, prior to the introduction of the FCA’s current penalties policy and before the relentless march of technology facilitated the transfer of large amounts of data into the ‘cloud’. The largest IT-related enforcement action to date was in respect of an upgrade problem with a bank’s IT system, with combined FCA and PRA fines of approximately £55m imposed in November 2014. However, the facts there were not directly concerned with cyber security.
To date, the FCA has not issued a final notice to a firm specifically for a failure to harden its systems sufficiently to prevent a cyber crime (one in which, for example, customer data was exfiltrated from a live server by a hacker or a terrorist). A case in which a firm used industry-standard software containing a previously unknown vulnerability (a ‘zero-day’) that was exploited by the hacker might well be a difficult one for the regulator to bring. The exact standard of culpability in this technical field is likely to be highly controversial. However, political pressure on the FCA and/or PRA to act alongside (for example) the ICO and the Police might well prove impossible to resist, particularly if the successful exploit caused widespread consumer detriment and evidence then emerged that the firm had deliberately chosen not to upgrade the attacked system, or had failed to apply an available patch in a timely way. The regulator’s case in all of the matters mentioned above featured Principle 3 (the requirement for a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems), and the potential for read-across is clear.
Dealing with the fallout from a serious online data breach is a difficult and thankless task for any firm, given the number of authorities to deal with (the Police, the ICO, the FCA, the PRA and, given the often cross-border nature of the problem, other authorities internationally), the intense media coverage, customer concerns, likely demands for compensation and the potential for follow-on civil claims. When it happens, it is likely to be even more difficult – and expensive – for a UK-regulated firm.