On 01 October 2018, after a long-running investigation, the FCA fined Tesco Bank £16.4m for weak cybersecurity controls that enabled an “avoidable” cyber-attack affecting 8,261 out of 131,000 customers with personal current accounts in November 2016. The attackers used an algorithm to generate authentic Tesco Bank debit card numbers and, using those “virtual cards”, engaged in thousands of unauthorised debit card transactions to net £2.26m.
The FCA found that Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:
- design and distribute its debit card
- configure specific authentication and fraud detection rules
- take appropriate action to prevent the foreseeable risk of fraud, and
- respond to the November 2016 cyber-attack with sufficient rigour, skill and urgency (in this case, the Financial Crime Operations team did not respond to a specific warning until after the attack started).
A key theme to emerge in the FCA’s Final Notice is “resilience”. The FCA highlighted that the Board of a financial institution is responsible for ensuring that its cyber-crime controls are designed to meet these standards of resilience. Mark Steward, Executive Director of Enforcement and Market Oversight, commented that ‘banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring…and not only reacting to an attack.’ The FCA reminded banks and their Boards to set an appropriate cyber-crime risk appetite and to ensure that cyber-crime controls are designed to anticipate and reduce the risk of a successful attack. Where an attack is successful, the FCA said that the Board should ensure that the bank’s response plans are clear, well-designed and well-rehearsed, and that recovery is quick. Following an attack, banks should commission a root cause analysis to understand and address the vulnerabilities that made the institution susceptible to the attack, and thereby reduce the risk of future fraud.
Tesco Bank has since put in place a “comprehensive redress” programme and devoted resources to remedying the deficiencies that left the bank susceptible to the attack. As a result, the FCA more than halved the penalty of £33,562,400 that Tesco Bank was initially facing, because the bank agreed to settle, co-operated with the regulator’s investigation and compensated customers who lost money in the attack.
The outcome of this investigation is a salient reminder for financial institutions that their cybersecurity measures must be robust, resilient and vigilant. The ICO may have stolen the headlines of late, but it is not the only regulator with the ability and appetite to levy large fines for weak cyber resilience that leads to customer vulnerability and loss. The FCA has made clear in this Final Notice, as it did in its 2018/2019 Business Plan, that it is committed to improving the financial industry’s operational resilience to cyber-attacks.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.