Media reports suggest that the Financial Conduct Authority (FCA) may have imposed its recent £16.4 million fine as a warning to other firms that it is taking the issue of cybersecurity seriously.

The £16.4 million fine – the first time the FCA has taken enforcement action over a single cyber-incident – was of course issued to a relatively large bank, but firms of all sizes across all business sectors need to take careful note of the issues involved. No firm can afford to neglect the ever-growing threat of cyberattacks.

The November 2016 attack was described by the FCA as a failure to “exercise due skill, care and diligence in protecting its personal current account holders against a cyberattack.” This is a breach of FCA Principle 2, which requires firms to act with due skill, care and diligence. The regulator goes on to refer to deficiencies in the bank’s financial crime controls and describes the incident as being “largely avoidable.”

The criminals appear to have generated authentic debit card numbers and then, using those “virtual cards”, conducted thousands of unauthorised debit card transactions. A total of 8,261 customers lost an average of £1,830.

One of the main criticisms the FCA makes of the bank is that nothing was done to stop the attack during the first 21 hours. It was only at this stage that the bank’s Fraud Strategy Team were alerted. It was later identified that the issues were compounded by a coding error made by the bank’s Financial Crime Operations Team when it originally programmed the fraud detection system.

The fine was reduced because the bank co-operated with the FCA investigation and put in place a comprehensive redress programme to compensate affected customers.
Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, said:
“The fine the FCA imposed on [name of bank] today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that [name of bank] did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyberattack occurring in the first place, not only reacting to an attack. Subsequently, [name of bank] has strengthened its controls with the object of preventing this type of incident from being repeated.”
A firm that is hit by a cyberattack may well feel like the victim, in that the true criminal is the attacker. However, the FCA might decide that the true victims are the firm’s customers, and the firm does of course have a duty to protect the interests of its customers at all times. Firms need to devote appropriate resources to reducing the risks of cyberattacks, and need to have robust business continuity plans explaining how they will respond promptly should an incident occur.

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article