Tesco Bank fined 16.4 million pounds over cyber – attack in UK
October 4, 2018 |
Commonly a data breach affecting an organisation attracts the attention of multiple authorities in the United States and the United Kingdom. A data breach in the United States can attract investigation from the Federal Trade Commission, for misleading representations as to privacy, and the Securities Exchange Commission, for breach of fiduciary duty. And as Tesco Bank well truly understands poor data security can result in an investigation and fine from the Financial Conduct Authority (“FCA”) as well as an investigation by the Information Commissioner. Tesco has been fined £16.4 million by the FCA for failing to exercise due care and diligence in protecting its personal current account holders accounts. A cyber attack resulted in the theft of £2.2 million, which has been refunded. Such a fine is well in excess of what the ICO could impose at the time of the breach. In addition to the swingeing fine the reputational damage to Tesco is significant as regulators are not wont to keep a low profile when they collect a big scalp. And the FCA didn’t keep things quiet here, with a media release titled FCA fines Tesco Bank £16.4m for failures in 2016 cyber attack stating:
The Financial Conduct Authority (FCA) has fined Tesco Personal Finance plc (Tesco Bank) £16,400,000 for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack. The cyber attack took place in November 2016.
Cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack. Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.
Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, said:
‘The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.
‘Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.’
Principle 2 requires a firm to conduct its business with due skill, care and diligence. Tesco Bank is in the business of banking and fundamental to that business is protecting its customers from financial crime.
The FCA found that Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:
- Design and distribute its debit card.
- Configure specific authentication and fraud detection rules.
- Take appropriate action to prevent the foreseeable risk of fraud.
- Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
Cyber security requires resilience. A financial institution’s board is ultimately responsible for ensuring that its cyber crime controls are designed to meet standards of resilience. The board must set an appropriate cyber crime risk appetite and ensure that its institution’s cyber-crime controls are designed to anticipate and reduce the risk of a successful attack. Where an attack is successful, the board should ensure that the bank’s response plans are clear, well designed and well-rehearsed and that the bank recovers quickly from the incident. Following an attack the financial institution should commission a root cause analysis and understand and ameliorate the vulnerabilities that made the institution susceptible to the attack to reduce the risk of future attacks.
Following the attack, Tesco Bank immediately put in place a comprehensive redress programme and devoted significant resources to improving the deficiencies that left the bank vulnerable to the attack and instituted a comprehensive review of its financial crime controls. It has made significant improvements both to enhance its financial crime systems and controls and the skills of the individuals who operate them.
Tesco Bank provided a high level of cooperation to the FCA. Through a combination of this level of cooperation, its comprehensive redress programme which fully compensated customers, and in acknowledgment that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation. In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.
It should come as little surprise that a media report like that would attract grabbing headlines such as Financial Conduct Authority fines Tesco Bank £16.4m over 2016 security breach, Tesco Bank hit with £16.4m fine for ‘largely avoidable’ cyber attack and Tesco Bank FCA fine proves its not just the ICO that will fine companies for security breaches, say lawyers.
In Australia the Information Commissioner can investigate data breaches and, possibly if she decided to take strong action, bring civil penalty proceedings for a serious data breach, known as a serious interference with privacy. But the Australian Securities and Investment Commission, ASIC, has released its Report 429 Cyber Resilience: Health Check where it makes clear that cyber resilience is part of a company’s legal and compliance obligations. The report states:
and
The problem of course is that ASIC has proven to be a weak regulator on financial regulation. There are no recorded cases of it taking action under Report 429 notwithstanding there being significant data breaches involving companies. There is also the scope for bringing action under the Corporations Act 2001 though shareholders have been reluctant do so to date.