The FCA’s recent decision to fine Equifax Limited (“Equifax”) £11,164,400 for failing to manage and monitor the security of UK consumer data outsourced to its US-based parent Equifax Inc. - six years after the investigation was first announced - raises the compelling question of when the UK financial regulators will pursue cybersecurity incidents at regulated firms.
What happened?
In September 2017, Equifax Inc. revealed that it had been subject to one of the largest cybersecurity breaches in history. Approximately 13.8 million UK individuals had their personal data accessed by cyber-hackers in an attack the FCA deemed “foreseeable and entirely preventable”. The data (including names, dates of birth, phone numbers, Equifax membership log-in details, addresses and partially exposed credit card details) had been outsourced by Equifax to its US parent’s servers for storage and processing.
Despite being alerted to the hacking six weeks prior, Equifax Inc. only informed Equifax of the breach five minutes before it publicly announced the incident. The short notice left Equifax unable to cope with the complaints it received following the announcement and led to delays in contacting UK customers.
The FCA’s decision
The FCA concluded that Equifax had breached Principles 3, 6 and 7 of the FCA’s Principles for Businesses - not only for failing to exercise appropriate oversight of the outsourcing arrangement but also for exposing customers to the risk of unfair outcomes (it ceased quality assurance checks of the complaints handling process in the aftermath of the announcement) and for publishing several public statements following the incident which gave an inaccurate impression of the number of individuals affected.
Notably, the Information Commissioner's Office ("ICO") had already fined Equifax £500,000 - the maximum penalty available under the old Data Protection Act 1998 and a figure that rather pales in comparison to the FCA’s fine - in September 2018, for failing to take appropriate technical and organisational measures against unauthorised and unlawful processing of the data.
A sign of the times or a case confined to its facts?
First and foremost, the Equifax case underlines the importance to regulated firms of ensuring that outsourcing arrangements provide the ability to monitor and manage the security of outsourced data, even in an intra-group context. Regardless of any outsourcing arrangements, authorised firms remain responsible and accountable for discharging their regulatory responsibilities at all times.
This decision also serves as a stark reminder to regulated firms that the risk of enforcement action for cybersecurity breaches is not confined to the ICO. The FCA’s enforcement action in this area has been limited to date, with a fine for Tesco Bank in 2018 being the most recent pre-Equifax example, but firms should not assume that enforcement action for cybersecurity failings will be limited to, or even led by, the ICO.
What, then, will prompt the FCA to take action, whether independently or alongside the ICO? The answer surely lies in the different enforcement priorities of each regulator, reflecting their respective remits. The case of Tesco Bank provides an instructive comparison in this regard. Here, Tesco Bank's failure to respond to the incident (involving hackers generating authentic debit card numbers to initiate unauthorised transactions) with sufficient rigour, skill and urgency - contributing to customers suffering distress, embarrassment and inconvenience, as well as long call queues - was flagged as central to the FCA's enforcement action. While the breach was reported to the ICO, the case was closed because no personal data was involved. Could this suggest that the FCA is more likely to flex its muscles where the fallout of a cyberattack is mismanaged and the customer bears the brunt? This suggestion perhaps finds some support in the fact that, as the Equifax decision notice tells us, a staggering 94% of the (relatively few) complaints Equifax assessed for quality assurance purposes across October-November 2017 failed to meet the required standards.
And yet this hypothesis, with its focus on the customer experience and conduct of business, leaves several loose ends. For example - how important were the magnitude of the breach, and Equifax's failure to manage its outsourcing arrangements, to the FCA's decision to pursue enforcement action? Why did the FCA's investigation take six years? Moreover, the FCA does not comment on whether (and how) it consulted or coordinated with the ICO before reaching its decision to fine Equifax, although the two regulators do have a Memorandum of Understanding in place. Was it relevant that Equifax had previously only been fined £500,000?
For now, we wait to see whether this case is a sign of the times or confined to its facts. What can be said is that, with the introduction of the new Consumer Duty, it seems inevitable that firms’ communications with customers in the aftermath of a cybersecurity crisis and remedial action will be subject to enhanced regulatory scrutiny.