Boards should take note of the FCA’s (Financial Conduct Authority) £16.4 million fine imposed on Tesco Bank for failing to prevent a cyber attack that, in the end, directly affected only 34 customers (although it did disrupt services for many others) and which apparently did not lead to the theft or loss of any customers’ data.
There are two important lessons:
- Even small data exposures can lead to significant fines – particularly where known vulnerabilities are concerned. Boards need to satisfy themselves that their organisations have appropriate measures and frameworks in place to minimise risk and maximise assurance.
- Organisations must be breach ready: Tesco’s fine would reportedly have been £34 million if it hadn’t taken such prompt and comprehensive action to address the consequences of the breach.
We’re still waiting to see whether the ICO (Information Commissioner’s Office) will also levy a fine under the Data Protection Act 1998 but we suspect probably not. In previous instances where the FCA and ICO have jointly regulated, only one has levied the fine. The money usually goes to the Treasury anyway, so it’s not as though one of the regulatory bodies will lose potential income!
Coming so soon after the £500,000 fine handed to Equifax UK (the highest penalty available to the ICO under the DPA 1998), the size of the FCA’s fine does raise the regulatory bar; boards should not be surprised if some of the first fines under the GDPR, when they emerge in the first half of 2019, are breathtaking.
Given the offensive capabilities of cyber criminals (see British Airways, TV Licensing, etc.), the time to get breach ready is now.