The term "cyber" covers all manner of sins. It is variously used to refer to cyber attacks, cyber security, cyber resilience and a raft of other concepts related to how companies protect digitally stored data.
What it means to one company can be quite different to what it means for another.
In general, though, when people – individuals, businesses, lawyers and governments – refer to cyber, they are usually talking about cyber security.
The question of how businesses protect customer data has become increasingly important as the number of attacks continues to rise and regulators have started to take a tougher stance on companies they feel are not doing enough to safeguard data records.
This trend accompanies the expanding risk of financial loss represented by the growth of online financial services.
In the UK, how cyber security obligations affect financial services firms and how the Financial Conduct Authority (FCA) is approaching the issue is currently open to interpretation.
The recent Tesco Bank case provided some clarity on how the FCA treats cyber security from a regulatory perspective.
Perhaps unsurprisingly, its approach is very broad.
Here, we examine what we can learn from the FCA's treatment of the Tesco Bank case and consider differences in the approaches taken by the FCA and the UK Information Commissioner's Office (ICO) in regulating cyber security.
We also offer some guidance for companies wondering what their next steps should be to ensure their cyber resilience is up to scratch in the eyes of regulators.
The Tesco Bank case: A recap
In the Tesco Bank case, the company's customers were hit by a cyber-attack in November 2016, when international hackers exploited deficiencies in the security design of Tesco Bank's debit cards.
The cards were numbered and distributed in a way that made it possible for hackers to "guess" those numbers (most likely using an algorithm) and use this information to attempt thousands of unauthorised remote transactions.
8,261 out of around 131,000 Tesco Bank accounts were affected and fraudulent transactions with a total value of £2.26 million were attempted over a 48-hour period.
During the attack, Tesco Bank took the decision to suspend all its debit card accounts until it had halted the breach and rectified the problem.
Although the actual amount taken from the accounts of Tesco Bank customers only amounted to £1,830, the attack caused significant distress to many of its customers who had been notified of the breach and feared they had lost thousands of pounds from their current accounts.
Following an investigation, in October 2018, the FCA fined Tesco Bank £16.4 million "for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack".
Principle 2 of the FCA Handbook requires a firm to "conduct its business with due skill, care and diligence."
The FCA found that Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:
Design and distribute its debit card
Configure specific authentication and fraud detection rules
Take appropriate action to prevent the foreseeable risk of fraud
Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency
How do companies approach cyber security?
Different companies deal with cyber security in different ways.
For some, responsibility for cyber is a standalone function, entirely separate from other parts of the business.
For others, it forms part of one or more other business functions, such as IT, risk, board or financial crime units.
Many medium-to-large sized businesses now have a chief information security officer (CISO), who either runs their own department or sits within another part of the business.
For those with separate cyber security functions, this can range from being a single person at an SME – such as a fintech business or challenger bank – to a team of thousands at a multinational financial services company.
Feedback from the financial services sector suggests that most companies in this area now have cyber security as one of the top three items on their risk registers.
Many also have some level of C-suite engagement when it comes to cyber issues.
A growing number of companies also have some form of incident response plan (including when and how to report suspected breaches to the ICO, but not necessarily the FCA), although awareness of these plans across all layers of business remains limited.
Anecdotally, it seems that significantly fewer companies currently involve their legal teams with their cyber strategies.
Changes in the UK regulatory approach to cyber
On 18 February 2019, the FCA and the ICO published a memorandum of understanding (MoU) which "establishes a framework for cooperation, coordination and information sharing" between the two regulators.
The document is intended to help the FCA and ICO swim in their respective lanes when it comes to regulating, among other things, cyber security, while also recognising areas where their interests overlap.
Specifically, the MoU outlines how the two bodies share information; how they deal with areas of common and separate interest; how they conduct investigations; and how they levy fines.
The issue of fines has become more prominent since the EU General Data Protection Regulation (GDPR) came into force in May 2018.
Cyber security is a very important part of GDPR. The UK government's published Guide to GDPR urges businesses and organisations to consider the security of their systems, data, online platforms and devices and to take appropriate measures to ensure that information is protected.
While the ICO has a remit to enforce GDPR, the FCA has no specific statutory responsibility in this area.
At its very highest level, the FCA is there to ensure that markets function properly. It uses financial crime, which affects the functioning of markets, as one of the hooks to bring cyber security (and with it, GDPR) within its remit.
In the Tesco Bank case, the FCA used this broad principle of market efficiency to impose a large fine where the ICO lacked the power to do so.
When the FCA revealed the size of its fine on Tesco Bank last November, many were taken aback by the severity of the penalty given the relatively tiny financial loss incurred as a result of the November 2016 cyber attack.
It is worth noting that Tesco Bank received a 30% mitigation credit for the actions it took to reduce the impact of the cyber breach and a further 30% (Stage 1) discount for agreeing to an early settlement. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.
The Tesco Bank cyber attack happened before GDPR came into force – at a time when the maximum fine the ICO could impose was £500,000.
Most people are by now familiar with GDPR and the obligation to take reasonable steps to protect the integrity of personal data.
Under GDPR, fines for non-compliance have been set at a maximum of €20 million or 4% of a company's global annual turnover for the previous financial year, whichever is higher.
The FCA made the point that there was no theft of personal data in the Tesco Bank case. However, the on-screen adjustments of customer bank balances did in effect constitute an alteration of personal data.
It remains to be seen whether the FCA will be more robust about deciding when personal data has been lost, in addition to financial loss, in its investigation of future breaches.
If a similar breach happened today, it seems quite possible that Tesco Bank would face a much higher penalty – as evidenced by the decision by France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), to impose a €50 million fine on Google in January 2019 for breaking GDPR rules on targeted advertising.
The CNIL's calculation of its fine against Google was arguably much less scientific than that performed by the FCA in the Tesco Bank case, but we will have to wait to see how the ICO and European regulators' thinking on this develops.
Lessons from Tesco Bank
Changes in regulation brought about by GDPR and the evolving approaches of the FCA and ICO in the UK mean that all businesses now have to take appropriate technical and organisational measures to protect data.
In particular, as was demonstrated by the FCA's criticism of the design of Tesco Bank's debit cards, there is an obligation to design in privacy at the beginning of a new programme or product.
Further, it should be noted that the obligations do not stop with the primary service provider.
Under Article 28 of GDPR, any service providers or "controllers" wishing to use external data processors are required to flow down the security obligation and ensure that any processors they use adhere to appropriate security standards.
Another important lesson from the Tesco Bank case is that, if something does go wrong, the intention of the company that has suffered the cyber breach is irrelevant.
Tesco Bank claimed that it had not envisaged its debit cards being used to make remote payments and had therefore not designed the security features of the cards to withstand such circumstances.
But in its decision to fine Tesco Bank, the FCA said that in designing the card and the configuration of its authentication rules, the company had failed to take appropriate action to prevent a foreseeable risk of fraud or to prepare an adequate response in the event of these risks being realised.
The FCA decided that Tesco's decision to suspend all its debit card accounts had the potential to affect the functioning of markets, bringing it within the scope of the FCA's statutory responsibility to prevent "financial crime" (a term which the FCA uses synonymously with "cyber crime" in the Tesco Bank decision).
One aspect of the FCA's approach in the Tesco Bank case which raised eyebrows was the regulator's reference to the UK Corporate Governance Code (the Code) in its consideration of Tesco Bank's risk management framework.
Tesco Bank is not a premium listed firm and therefore not required to comply with the Code. However, the FCA still decided to use the Code to provide context in this case and to ultimately conclude that Tesco Bank had fallen short of standards it should have met.
Finally, the Tesco Bank case highlighted the importance of having good, well-drilled incident response procedures.
In deciding that Tesco Bank had failed to respond to the November 2016 cyber attack with sufficient rigour, skill and urgency, the FCA highlighted the disjointed efforts of the company to halt the attack and reassure debit card holders that the matter was under control.
Under GDPR, organisations now have a duty to report certain types of personal data breach (as defined by GDPR and the ICO) within 72 hours of becoming aware of the breach – a notification period during which the clock ticks very fast if businesses do not have a well-oiled response plan to follow.
ICO or FCA?
Reporting security incidents to the ICO relies on fulfilling the criteria of a personal data breach. These are clearly outlined in ICO guidance for organisations.
By contrast, the FCA takes a principles-based, non-prescriptive approach to cyber resilience. Although it has no explicit remit for cyber security, Principle 11 of the FCA Handbook states:
"You must report material cyber incidents. An incident may be material if it:
results in significant loss of data, or the availability or control of your IT systems
affects a large number of customers
results in unauthorised access to, or malicious software present on, your information and communication systems."
Additionally, companies are encouraged to share their experience with the government's National Cyber Security Centre.
Essentially, which regulator or body you report to is something of a formality, governed by the industry in which a business operates, as sharing the information with one will mean that you ultimately share it with all those who need to know.
Companies should bear in mind that regulators will expect them to document and present their cyber controls in a way that is clear and easy to compare against their standards.
The size of the Tesco and Google fines may have come as a shock to many, but businesses can perhaps take some comfort from the fact that the ICO has said it will not impose massive fines for the sake of it and intends to take a measured approach to calculating penalties.
For more information about how cyber security regulation affects financial services, please visit the cyber security pages of the Fieldfisher website.