[co-author: Michael Calladine]
On 1 October 2018, the FCA fined Tesco Personal Finance plc (Tesco Bank) £16.4 million for failures relating to a cyber attack. Over a 48-hour period in November 2016, cyber criminals stole £2.26 million from more than 8,000 of Tesco Bank's 131,000 personal current account customers. The incident received significant press attention at the time. Nearly two years later the FCA has delivered its verdict that, in summary, Tesco Bank should have done more both before the attack and in response to it. These attacks are a growing threat and we are seeing a big increase in requests for advice and assistance in this area. This is also driven by GDPR (see below).
The fine was heavily discounted from £33,562,400 which the FCA states that it would have imposed were it not for mitigation credit (to reflect co-operation and remedial action and a discount for early settlement). Nonetheless it sends a strong message to the market about the FCA's stance on cyber security breaches, and the importance it places on firms taking such threats seriously. It also reminds the market to put in place proper systems and controls to (i) mitigate the risk of an attack arising in the first place; and (ii) limit any harm to customers in the event of an attack.
Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, said:
"… the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late."
Key rules and breaches
Principle 2 of the FCA's Principles for Businesses requires firms to conduct their business with due skill, care and diligence. The FCA found that Tesco Bank had breached Principle 2 because it failed to exercise due skill, care and diligence:
in the design and distribution of its debit cards;
to configure specific authentication and fraud detection rules;
to take appropriate action to prevent the foreseeable risk of fraud; and
to respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
The Final Notice explained Tesco Bank had been warned of the risk of attack in November 2015. While Tesco Bank made changes to its credit cards to mitigate this risk, it did nothing in relation to its debit cards.
The FCA also expressed concern that Tesco Bank decided its debit cards would not be contactless but then did not configure its authorisation and fraud analysis systems to decline such transactions. Tesco Bank was also found to have not taken sufficient steps to prevent mimicked transactions (which formed a key part of the attack). For example, some of the cards in circulation had sequential card numbers, making things easier for the attackers.
The FCA found that Tesco Bank's response to the attack had also been insufficient. Because set procedures were not followed, it took 21 hours for the financial crime team to speak to the fraud strategy team. The fraud strategy team then failed to take effective action and did not properly monitor the action it had taken. Crucially, this included a coding error which meant that the preventative action did not actually block transactions; this was only identified once external experts were eventually called in. In addition, Tesco Bank's systems could not cope with the volume of customers trying to contact the bank, which heightened concerns rather than enabling the bank to deliver appropriate reassurance.
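Two of the failings above are as much engineering as governance: a product decision ("debit cards are not contactless") that the authorisation and fraud systems were never configured to enforce, and a blocking rule that was deployed with a coding error and not checked to see whether it was blocking anything. The following is an added illustration, not code from the Final Notice or from Tesco Bank's systems, of how a defender would structure a small authorisation rule layer so that both failure modes are caught before customers are: rules are verified against known-bad and known-good samples before activation, and their effect is counted afterwards. Every product name, field, country code, rule and sample transaction is constructed for the example.

```python
"""
Added example (constructed; not the FCA's or Tesco Bank's code): a minimal
card-authorisation rule layer. It shows (1) enforcing a product capability
decision in the authorisation rules rather than only on paper, and (2)
verifying that a blocking rule actually blocks, then monitoring its effect,
so that a mis-coded rule is found by the bank rather than by attackers.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    pan_last4: str          # constructed; only the last four digits are kept
    product: str            # "debit" or "credit" (constructed product names)
    entry_mode: str         # "chip", "contactless", "ecommerce" or "magstripe"
    amount_pence: int
    merchant_country: str   # ISO 3166-1 alpha-2; "XA"/"XB" are user-assigned codes


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)


# A rule returns a decline reason, or None when it has nothing to say.
Rule = Callable[[Transaction], Optional[str]]

# Entry modes the bank decided each product supports (constructed): debit is
# deliberately not contactless, and the rule below is what makes that real.
PRODUCT_ENTRY_MODES: Dict[str, FrozenSet[str]] = {
    "debit": frozenset({"chip", "ecommerce", "magstripe"}),
    "credit": frozenset({"chip", "ecommerce", "contactless", "magstripe"}),
}
# Merchant countries the fraud team decided to decline (constructed placeholders).
COUNTRY_WATCHLIST: FrozenSet[str] = frozenset({"XA", "XB"})


def rule_entry_mode_enabled(tx: Transaction) -> Optional[str]:
    """Decline any entry mode the product was not configured to support."""
    allowed = PRODUCT_ENTRY_MODES.get(tx.product, frozenset())
    if tx.entry_mode not in allowed:
        return f"entry_mode={tx.entry_mode} not enabled for product={tx.product}"
    return None


def rule_watchlist_country_broken(tx: Transaction) -> Optional[str]:
    """Deliberately broken (constructed): meant to check the merchant country
    but tests the entry mode, so it never fires. It stands in for the kind of
    coding error that leaves a 'preventative action' in place blocking nothing."""
    if tx.entry_mode in COUNTRY_WATCHLIST:
        return f"merchant_country={tx.merchant_country} is on the watchlist"
    return None


def rule_watchlist_country(tx: Transaction) -> Optional[str]:
    """Corrected version of the rule above."""
    if tx.merchant_country in COUNTRY_WATCHLIST:
        return f"merchant_country={tx.merchant_country} is on the watchlist"
    return None


def authorise(tx: Transaction, rules: List[Rule]) -> Decision:
    """Run every active rule; approve only if none of them declines."""
    reasons = [r for r in (rule(tx) for rule in rules) if r is not None]
    return Decision(approved=not reasons, reasons=reasons)


def verify_rule(rule: Rule, must_block: List[Transaction],
                must_allow: List[Transaction]) -> List[str]:
    """Return the list of failures; an empty list means the rule behaves as intended."""
    failures = []
    for tx in must_block:
        if rule(tx) is None:
            failures.append(f"{rule.__name__} did not block {tx}")
    for tx in must_allow:
        if rule(tx) is not None:
            failures.append(f"{rule.__name__} wrongly blocked {tx}")
    return failures


# Constructed samples: known-good traffic plus the patterns each rule must stop.
NORMAL = [
    Transaction("2222", "debit", "chip", 1250, "GB"),
    Transaction("3333", "credit", "contactless", 299, "GB"),
]
DEBIT_CONTACTLESS = [Transaction("1111", "debit", "contactless", 4500, "GB")]
WATCHLIST_HITS = [Transaction("4444", "credit", "chip", 9900, "XA"),
                  Transaction("4445", "debit", "ecommerce", 100, "XB")]

RULE_SPECS: List[Tuple[Rule, List[Transaction], List[Transaction]]] = [
    (rule_entry_mode_enabled, DEBIT_CONTACTLESS, NORMAL),
    (rule_watchlist_country_broken, WATCHLIST_HITS, NORMAL),
    (rule_watchlist_country, WATCHLIST_HITS, NORMAL),
]


def active_rules() -> List[Rule]:
    """Activate only the rules that pass verification against their samples."""
    return [r for r, block, allow in RULE_SPECS if not verify_rule(r, block, allow)]


def monitor_blocks(rules: List[Rule], traffic: List[Transaction]) -> Dict[str, int]:
    """Count declines per rule over a traffic sample. A rule deployed against an
    ongoing attack that shows zero declines is a signal to investigate at once,
    not evidence that the attack has stopped."""
    counts = {rule.__name__: 0 for rule in rules}
    for tx in traffic:
        for rule in rules:
            if rule(tx) is not None:
                counts[rule.__name__] += 1
    return counts
```

Run as a script, `active_rules()` returns only `rule_entry_mode_enabled` and `rule_watchlist_country`: the broken watchlist rule fails `verify_rule` on the constructed known-bad samples and is never activated, which is the check that would have surfaced the coding error described in the Final Notice before the rule was relied on. `monitor_blocks` is the post-deployment half of the same lesson: a blocking rule whose decline count stays at zero while an attack is in progress is not working.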
Cyber crime is a growing threat; it is difficult to anticipate and plan for but this does not mean it can be ignored. Firms need to give cyber breaches proper consideration and develop and test appropriate protections and contingency plans. These should be tailored to different parts of the business where they present different risks. A key lesson from the Tesco Bank Final Notice is that contingency plans must be able to deal with attacks that occur on non-working days (cyber attackers often attack on weekends or out of hours). It may also be necessary to take external advice from cyber security experts in preparing these plans. Following an attack it is also critical to conduct root cause analysis to understand and address the vulnerabilities which made the attack possible in the first place.
There are also important lessons from a governance perspective (another hot topic with the Senior Managers and Certification Regime (SMCR) due to apply to insurers from December 2018 and all FCA-authorised firms from December next year). The FCA comments in its press release that a financial institution's board is ultimately responsible for setting an appropriate cyber crime risk appetite and ensuring the institution's cyber crime controls are sufficiently resilient to anticipate and reduce the risk of a successful attack. However, we also think cyber security is something which is (for banks) and will be (for Enhanced Regime firms once the SMCR is extended to all FCA-authorised firms) relevant to some individual senior managers (in particular, Risk and Operations). In this instance the FCA found Tesco Bank had in place an appropriate approach to risk management but does not appear to be taking action against senior individuals. However, it is worth bearing in mind that any senior manager who holds the SMF24 Chief Operations Function will be subject to a duty of responsibility and needs to be able to satisfy the FCA that they have taken "reasonable steps", in relation to the systems and technology of the firm, to mitigate the likelihood of an attack happening in the first place.
Interestingly, although Tesco Bank is not a premium listed firm and the UK Corporate Governance Code does not strictly apply to it, the FCA nonetheless noted that "the code sets the context for examining Tesco Bank's approach to the governance of the risk of financial crime and, more particularly, the risk of cyber crime". This approach is one which other firms may also wish to take into consideration when considering whether they have done enough. Firms (and any individual with responsibility for oversight of cyber security-related aspects of risk, technology and operations) need to consider and satisfy themselves that:
they have adequate procedures;
those procedures are adequately tested and withstand those tests;
staff are properly trained and know how to recognise and respond to a crisis; and
there is appropriate insurance in place.
This case was decided under applicable FCA requirements, as is typically the case in the financial services sector. However, the market also needs to take account of GDPR, which applies to personal data. GDPR mandates an expanded duty to ensure appropriate security is in place. This includes pseudonymisation, encryption, and assurance as to data confidentiality, integrity, availability and resilience of systems. GDPR also requires regular testing, assessment and evaluation of risk. There are also new legal duties to notify the competent Supervisory Authority (e.g. the ICO) and data subjects of personal data breaches. The ICO can fine up to 4% of annual turnover for poor data security and 2% of annual turnover for failure to notify as required. We expect future incidents affecting authorised firms to be determined by the FCA, but the ICO is likely to step in where the FCA does not. In any event, firms should comply with notification duties under both regimes if applicable.