POOR CYBER SECURITY WILL BREACH CONSUMER DUTY

Cyber attacks and data breaches are some of the biggest risks to the financial sector, yet they often go unacknowledged.

When a firm is providing an ongoing service to clients, Consumer Duty obliges it to evidence that it can continue offering a reasonable level of support if an issue arises with its services, which might include a cyber attack.

Likewise, the regulations’ cross-cutting rules mean firms must prevent foreseeable harm, and a cyber incident is a potential catalyst for that. It could lead to the theft of personal data, a fraudulent transaction or even ransomware halting your ability to deliver ongoing services.

With Consumer Duty in mind, you need to start thinking about cyber security as part of your operational resilience. This includes recognising your responsibilities to consumers, recording the risks to data and closing any gaps that could lead to harm.

Learn from mistakes

Financial services firms in the UK reported 640 cyber security breaches between June 2022 and 2023, more than three times the number recorded a year earlier.

One such breach happened in February, when Succession Wealth became the victim of a cyber attack on its IT systems. In a statement at the time, the firm confirmed it had notified the appropriate authorities and that it was working to assess and resolve the situation and establish the nature of the attack.

Only the other day, a firm contacted us to say it had been targeted by a phishing email purporting to be from the FCA. The recipient had noticed a spelling mistake and reached out to see if it was genuine. We confirmed it wasn’t and advised them to report the incident.

The email, which is marked as high priority, is entitled ‘FCA Disclosure’ and is supposedly sent by the regulator’s supervision office. A PDF letter is attached for firms to download and complete, and the unsuspecting then provide sensitive data to an unidentified source.

Clearly, the sender of this missive has decided to prey on firms’ obligation to deal with the FCA in an open and cooperative manner.

This email goes to show hackers aren’t just targeting big firms. Everyone within the sector is fair game, and SMEs in particular can be seen as low-hanging fruit, as they are thought to have less infrastructure and fewer controls in place.

Managing an incident

The FCA regards a material cyber incident as a regulatory breach under Principle 11 of its Principles for Businesses. Having poor systems and controls in place to prevent attacks is also likely to breach Principle 3, which requires a firm to take ‘reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.’

A material incident is defined as:

  • A significant loss of data, or availability or control of the firm’s IT systems
  • Incidents that affect a large number of customers
  • Incidents that result in unauthorised access to, or malicious software present on, your information and communication systems.

To report a material incident, you must first contact your FCA supervisor, if you have one, or get in touch through the ‘contact us’ page, then follow the specific rules that apply to your business. If you are dual regulated, you must also inform the PRA.

Although it is not a legislative requirement, it is good practice to report a data breach to the ICO within 72 hours of the incident, unless you can demonstrate it is unlikely to result in a risk to individuals’ rights and freedoms. You can do this online where feasible.

You may also need to inform the National Cyber Security Centre, which can help victims minimise harm. The organisation has some useful tools available to help you review your approach to cyber risks and ensure your technology, systems and information are protected appropriately. Its advice on managing an incident can be found here.

Prioritise prevention

To determine if your cyber security is resilient enough, you need to ask yourself what you would do in the event of an attack.

The personal information you hold on clients is subject to the GDPR principles, which oblige you to ensure the confidentiality, integrity and availability of your systems and services. For example, have you pseudonymised or encrypted the data? Do you have appropriate measures in place to deal with risk and are they tested regularly to evaluate effectiveness? Can you restore access to the data in a timely manner?

It is essential you can answer yes to all of the above. To do this, start with a risk assessment to identify any potential weaknesses and how they may impact your ability to deliver good outcomes.

Next, create and test an incident response plan so everyone knows what to do in the event of a cyber attack. Think about how you will support customers and how you might communicate with them during service outages.

Finally, review and enhance, where necessary, your data privacy and governance, and strengthen your IT infrastructure. Don’t forget you remain responsible for any data that is outsourced, so ensure any other firms within your distribution chain or key dependencies, with whom you share client information, have good IT resilience too.

The FCA has issued guidance on fake communications, which can be found here. If you are one of our clients, you can also find a Cyber Security Resources sheet in our document library.

If you would like assistance or more information on reviewing the measures you have in place to prevent cyber attacks, don’t hesitate to contact us on (0161) 521 8641 or email: info@b-compliant.co.uk