Banking on Good Cyber Security

Following several recent high-profile data breaches, including two which resulted in large fines and demonstrated the intent of the Information Commissioner’s Office (ICO), I thought it would be useful to delve a little deeper into the world of data privacy regulation.

Whilst the obvious place to start for most organisations is the year-old General Data Protection Regulation (GDPR), I’m going to explore the Financial Conduct Authority’s (FCA) Principles.

Prior to the large GDPR breach fines imposed by the ICO on British Airways and Marriott, it was the FCA whose eye-watering fines dominated the news. In essence, the FCA Principles define the fundamental obligations that financial services firms must meet under its regulatory system.

Two of the key principles relevant to data privacy are:

• Principle 2 – this states that a firm must conduct its business with due skill, care, and diligence.

• Principle 11 – this covers the relationship a firm has with its regulators and states:

“A firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice.”

A sub-note (3.4.5) within the handbook states: “Where Principle 11 refers to regulators, this means, in addition to the FCA, other regulators with recognised jurisdiction in relation to regulated activities, whether in the United Kingdom or abroad.”

So why did I choose regulation that just focuses on financial services rather than GDPR, which affects all?

Well, my immediate answer is that a firm must declare a data breach (whether caused by a breakdown in an internal process due to a lack of skill, or by a cyber-attack) to the FCA. This then raises the prospect of ‘double jeopardy’ in the form of sanctions from both the FCA and the ICO. The FCA released its cross-sector Cyber and Technology Resilience report in 2018, based on a survey of firms and on issues previously reported to it. The report discusses Principle 11 early on and states that they “expect firms to report major technology outages and cyber-attacks to the FCA.” It also goes on to say that the FCA believes these incidents are under-reported, suggesting firms aren’t meeting this Principle.

Around 600 incidents were reported, and the results highlighted a disconnect between the ‘mature’ IT change management processes and controls that firms declared in their survey responses and the number of reported incidents (91) that were ultimately caused by IT change. Cyber-attacks came next after software issues, with 60 reported incidents, and human error was still responsible for 26.

Taking Responsibility

In October 2018, the FCA fined Tesco Bank £16.4 million for breaching FCA Principle 2, which requires a firm to conduct its business with due skill, care, and diligence. The fine followed a flaw in the design of its Visa card, which was then exploited by cybercriminals; the criminals netted £2.26m from the attack, which took place in 2016. GDPR wasn’t in place then, so we can’t say for sure whether the ICO would also have imposed a fine, but it would be highly likely if the Marriott incident is anything to go by. Tesco Bank was transparent and cooperated with the FCA, so it didn’t breach Principle 11; it was also reported that, because of this cooperation with the regulator, the bank received a discount on the fine, which was originally due to be £33m.

At the end of the day, the critical advice is that firms ensure they are aware of their regulatory responsibilities and that adequate controls and processes are in place to handle cyber and physical security threats. Internal monitoring is also essential so that the whole iceberg is visible, enabling a transparent relationship with the FCA and other regulators. The parallels with GDPR also dispel the myth that these are solely IT problems; they are, in fact, most often organisational problems.
