Financial regulation and cyber-crime

As the number and profile of cyber-attacks increases, so the financial regulators focus their attention on the risks posed to authorised firms and how these should be managed. The number of cyber-attack reports by firms to the Financial Conduct Authority (FCA) has risen from just five in 2014 to over 75 in the nine months from January to September 2016 alone and these include high profile incidents which have left customers temporarily unable to access bank services and allowed hackers to access funds in customer accounts.

Against this background, cyber risk is firmly on the agendas of both the FCA and the Prudential Regulation Authority (PRA) in the coming year. This article provides an outline of some regulatory expectations in relation to cyber-crime and considers the potential for adverse regulatory consequences for those who fail to meet these expectations.

In light of the potential exposures described above, firms may wish to consider carrying out a review of

• IT systems and controls, to establish whether they provide sufficient protection against and adequate detection of cyber-attacks. The FCA has also suggested that firms should consider regular testing of their IT systems and controls to determine how they would function in a cyber-attack, and the Bank of England has noted that assurance control sampling is often not sufficient in this area.
• Business continuity arrangements and plans, to ensure that they deal with the eventuality of a cyber-attack and will enable the firm to recover from such an attack.
• Existing governance arrangements, to check that the risk of cyber-crime is adequately dealt with and reported on, for example in risk committees.
• Existing training for staff, to ensure that they are informed of cyber risks, such as phishing emails, and how to recognise potential attacks.
• Allocations of responsibility among Senior Managers, to establish who has or should have responsibility for cyber risk and ensure that they are fully informed and receive relevant Management Information.
• Existing insurance arrangements, to establish whether these policies adequately cover cyber risk and the extent to which the firm may require separate specialist cover.

Regardless of whether any damage is sustained to a firm or its customers, a cyber-attack may require a prompt regulatory notification to the FCA and/or the PRA and may also give rise to concerns regarding potential weaknesses in a firm’s systems and controls. An investigation may be needed in order to identify root causes, any wider implications and remediation requirements.

One key consideration will be whether there has been a potential failure to comply with Principle 3, which requires that firms take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems, and related rules set out under the Senior Management Arrangements, Systems and Controls (SYSC) section of the FCA Handbook. These rules include requirements relating to arrangements for and supervision and management of the outsourcing to a service provider of critical or important operational functions and the protection of confidential information relating to the firm and its clients .

Whilst no enforcement action has yet been brought for failures relating to cyber security, there is clearly scope for regulatory sanctions, including the imposition of considerable fines. The FCA has already fined a number of firms in relation to data and information technology-related failures

• In November 2014, following a joint investigation, the FCA and PRA imposed fines totalling £56 million for a breach of Principle 3 arising from an IT failure which led to certain bank customers variously being unable to withdraw cash from ATMs, drawdown loans or make transfer payments. The regulators found, amongst other things, that the incident had been caused by a failure to check the effectiveness of a software upgrade and a failure to implement effective systems and controls for testing software or identifying, analysing and resolving IT incidents.
• In September 2010, the FSA imposed a fine of over £2 million on an insurance company for a breach of Principle 3 arising from a failure to have adequate systems and controls in place to prevent the loss of confidential customer information. The fine related to the outsourcing of security over customer data storage to a foreign subsidiary and on to a sub-contractor and the loss of back-up tape by that sub-contractor. Although there was no evidence that the lost data was compromised or misused, there was a risk that customers could have suffered serious financial detriment. The insurance company did not carry out ongoing assessment of the risks connected with the outsourcing arrangement, conduct adequate due diligence on the sub-contractor’s data security procedures or obtain sufficient management information to enable it to manage and control data security and financial crime risks. It also failed to put in place proper reporting lines between the subsidiary and the UK business (resulting in the data loss incident not being reported to the UK business for twelve months); and there was a lack of clarity over who had responsibility for providing assurance to management that data security issues were being appropriately identified and managed.
• In July 2009, the FSA imposed fines totalling over £3 million in connection with breaches of Principle 3 due to inadequate systems and controls to protect confidential customer data from being lost or stolen. In particular, the FSA found that the relevant firms had variously failed to put in place adequate and effective procedures, guidance and resources to ensure that, among other things, customer data sent to third parties on portable electronic media was secure in the event that it was lost or intercepted, customer data that was sent to third parties in hard copy form was sent securely, customer data kept in their offices was at all times secure from the risk of internal fraud or theft and an appropriate due diligence process was followed prior to contracting services to third parties such as waste disposal firms.

Further, the FCA has issued a number of fines against firms for systems and controls failures relating to a range of other issues, including outsourcing and financial crime, which could equally apply in circumstances involving a cyber security breach. In the context of cyber risk, this consideration will be particularly relevant for firms storing data through third party ‘cloud’ service providers.

Since the calculation of a fine may be based on the revenue derived by the firm during the period of the breach from the relevant business areas, there is clearly potential for significant sums to be levied. Fines can also be imposed or increased in respect of any notification failure including where information provided to the regulator regarding processes in place is found later to be inaccurate.

Cyber-crime also poses a potential regulatory risk for senior management. As set out above, both the FCA and PRA have stressed the importance of understanding and effective challenge at Board and senior management level in relation to cyber risk. Any individuals holding relevant responsibilities under either the approved persons or the senior managers and certification regimes may face scrutiny in the event of a cyber-attack in terms of potential breaches of the Code of Conduct or Statements of Principle and Code of Practice for Approved Persons.

In light of the potential exposures described above, firms may wish to consider carrying out a review of

• IT systems and controls, to establish whether they provide sufficient protection against and adequate detection of cyber-attacks. The FCA has also suggested that firms should consider regular testing of their IT systems and controls to determine how they would function in a cyber-attack, and the Bank of England has noted that assurance control sampling is often not sufficient in this area.
• Business continuity arrangements and plans, to ensure that they deal with the eventuality of a cyber-attack and will enable the firm to recover from such an attack.
• Existing governance arrangements, to check that the risk of cyber-crime is adequately dealt with and reported on, for example in risk committees.
• Existing training for staff, to ensure that they are informed of cyber risks, such as phishing emails, and how to recognise potential attacks.
• Allocations of responsibility among Senior Managers, to establish who has or should have responsibility for cyber risk and ensure that they are fully informed and receive relevant Management Information.
• Existing insurance arrangements, to establish whether these policies adequately cover cyber risk and the extent to which the firm may require separate specialist cover.