The Financial Conduct Authority (FCA) announced on 13 October 2023 that it had fined Equifax Limited (Equifax), a credit reference agency and data, analytics and technology business, £11,164,400 for failing to manage and monitor the security of UK consumer data it had transferred to its parent company based in the US, Equifax Inc, for processing.
In 2017, Equifax Inc suffered a cybersecurity breach, with hackers able to access the personal data of around 13.8 million individuals, including dates of birth, phone numbers, partially exposed credit card details and residential addresses. The breach included data held by Equifax Inc in connection with two of Equifax’s products.
There are lessons from this case, and regulatory enforcement concerning IT issues more broadly, for various phases in a firm’s lifecycle regarding a cyber incident – avoiding, managing and remedying – which we summarise below:
- Cyber security arrangements: FCA regulated firms must have effective cyber security arrangements and, as part of this, they must ensure that their systems are resilient from a technical perspective, including being kept fully up to date to prevent unauthorised access. To assist with this, firms should have a process in place for ensuring that system patches are identified and applied comprehensively and that this is monitored to catch any issues. Regulators also expect to see robust contractual protections for data and prompt action by firms on any suspicious activity.
- Risk management framework for outsourced data: Where a firm outsources the processing of data, including to an intra-group company, there must be in place an appropriate risk management framework that allows the firm to identify and mitigate the risks inherent in that outsourcing. Regulated firms remain responsible for any data that they outsource and, in line with this, they must exercise appropriate oversight of any outsourcing – firms may want to consider, for example, what would happen if there was an issue, including whether back-up is adequate and if they would receive appropriate information if something did go wrong. Where the processing of data has been outsourced intra-group, weaknesses at the group entity level should be treated by the firm with the same degree of seriousness as would be the case if the outsourcing had been to a third party.
- Appropriate governance in place for responding to cyber incidents: How firms respond to a cyber incident can impact the final regulatory outcome and it is therefore essential that firms have in place effective governance arrangements for responding to such incidents. Global firms should have a cross-border coordinated response strategy, including with regards to communications with regulators and customers. Firms must not go into “lockdown” mode where information is not shared across all affected parties – all impacted jurisdictions must be considered and kept updated so that the group as a whole can effectively deal with impacted customers.
- Clear communications in the event of cyber incidents, with fair complaints handling: Firms must promptly identify and notify impacted individuals of cyber incidents in a way which is fair, clear and not misleading and implement fair complaints handling procedures. Any statements issued must be accurate in terms of the number of consumers affected and, if misinterpreted by news outlets or others, clarification must be considered and applied where appropriate in a timely manner. Firms should seek to avoid barriers for customers hindering access to any incident pages set up – for example, cookies should not obscure key links or information.
- Individual responsibility: Finally, for individuals in the regulated sector there is also the risk of enforcement action in connection with cyber breaches. For some years now there has been a regulatory focus on individual accountability, and enforcement action has already been taken against individuals in connection with IT issues – for example, the April 2023 decision against the former Chief Information Officer of a retail bank, Carlos Abarca, for failing to take reasonable steps to ensure that the bank adequately managed and appropriately supervised its outsourcing arrangements in relation to its 2018 IT migration programme. Senior individuals involved in managing cyber incidents must therefore ensure that they are acting reasonably in carrying out their role and responsibilities. As part of this, senior managers should, amongst other things: obtain appropriate assurance from any relevant third parties; stay alert as to whether any reported issues require taking action; and properly escalate all relevant information, including to the board where appropriate.
Interplay between the FCA and ICO
The Information Commissioner’s Office (ICO) fined Equifax £500,000 in relation to the same breach in September 2018. The ICO’s findings were similar to the FCA’s and the parallels between the issues flagged in the FCA’s Final Notice and the ICO’s Monetary Penalty Notice illustrate that compliance can and should be viewed holistically in the context of cyber readiness and breach response. Steps taken to comply with the FCA’s Principles will generally also assist in demonstrating compliance with the data protection principles and vice versa.
The ICO has also indicated an intention to take action on cybersecurity breaches using the fining powers now available to it under the UK General Data Protection Regulation (UK GDPR). It makes information on its cyber investigations public as part of its complaints and concerns datasets, as well as reporting on insights into data security incident trends. The Information Commissioner recently highlighted the risks of complacency on cybersecurity within companies. He cautioned that organisations that do not regularly monitor for suspicious activity and fail to act on warnings, or do not update software and provide staff training, can expect a fine.
Finally, organisations can be fined for the same breach under different legislation. This could also be the case for organisations not regulated by the FCA, as the ICO has also confirmed that where the UK’s Network and Information Systems Regulations (NIS Regulations) apply, it is possible to be fined under both the UK GDPR and the NIS Regulations. Following Brexit, there is already the possibility of fines under both the EU and UK GDPR, and the position will become more complex when the Digital Operational Resilience Act (DORA) and the revised Directive on Security of Network and Information Systems (NIS2) begin to apply.