The United Kingdom’s Financial Conduct Authority fined Tesco Personal Finance plc GB £16.4 million (US $21.5 million) for failing to exercise “due skill, care and diligence” in protecting its customers from the consequences of a cyber-attack in November 2016 involving bank-issued debit cards.

According to the FCA, because of a design flaw in the debit cards, the attackers used an algorithm to generate authentic debit card numbers, and used these numbers to engage in thousands of unauthorized customer debit card transactions. After the cyber-attack began and was first detected early on Saturday, November 5, 2016, staff committed a number of errors which delayed fully stopping the cyber-attack and restoring normal debit card use for all customers until November 9. Among these errors was that, once the cyber-attack was discovered, the internal team responsible for helping to resolve the cyber-attack emailed a fraud strategy inbox as opposed to telephoning the internal fraud analyst, as required by procedures. This, claimed the FCA, delayed resolution by 21 hours, as the email was not reviewed promptly over the weekend. Additionally, once the cause of the cyber-attack was recognized, a number of initial fixes were ineffective. Moreover, because the first fix was not monitored, Tesco did not recognize until a “few hours” later that the fix had not worked and that fraudulent transactions were increasing.

Although the FCA acknowledged that Tesco’s cybercrime framework was “appropriate,” it said that relevant individuals did not follow it. According to the FCA, “[Tesco’s] financial crime framework was clear and each body within the framework had an appropriate role and each body worked together to achieve the common purpose of mitigating the risk of cybercrime.” Unfortunately, said the FCA, a cybercrime framework “is only as good as the individuals who work within it.”

Ultimately, 8,261 current accounts were impacted by the cyber-attack. The bank reimbursed customers for direct losses and removed all pending debits, as well as refunded all fees, charges, and interest that had been charged.

The FCA indicated that it would have fined Tesco GB £23.5 million (US $30.9 million) but for Tesco’s “high level of cooperation” during the FCA’s investigation, immediate retention of a third-party consultant to review the incident, implementation of the consultant’s recommendations, and other mitigation measures.

Compliance Weeds: Last month, the Securities and Exchange Commission settled an enforcement action against Voya Financial Advisors, Inc. – a registered broker-dealer and investment adviser – related to purported deficiencies in the firm’s cybersecurity procedures that the SEC alleged contributed to a cyber intrusion and compromise of customers’ personal information. These deficiencies constituted violations of the SEC’s Safeguard and Identity Theft Red Flags rules. (For background, see the article “Broker-Dealer Resolves SEC Charges That Inadequate Cybersecurity Procedures Led to Cyber Intrusion, Compromising Customer Personal Information” in the September 30, 2018 edition of Bridging the Week.)

Voya agreed to pay a fine of US $1 million to resolve the SEC’s enforcement action.

Earlier this year, AMP Global Clearing LLC, a Commodity Futures Trading Commission-registered FCM, agreed to pay a fine of US $100,000 to resolve an enforcement action brought by the Commission claiming that it failed to supervise a third party’s implementation of “critical” provisions of its information system security program. As a result of this failure, said the Commission, AMP’s technology system was compromised by an unauthorized individual (Infiltrator) who impermissibly copied approximately 97,000 files, including many files that contained confidential personal information. (For background, see the article “CFTC Says Futures Brokerage Firm’s Failure to Supervise Led to Unauthorized Cyber-Attack” in the February 18, 2018 edition of Between Bridges.)

Both SEC- and CFTC-registered entities should ensure they maintain a robust information system security program to minimize the likelihood of a cyber-attack, as well as policies and procedures expressly designed to detect, prevent and mitigate identity theft in connection with the opening and maintenance of any covered account. This program must be appropriate in light of the size and complexity of the financial institution and the nature and scope of its activities. A covered account includes an account for personal, family or household purposes that is intended to permit multiple payments or transactions; this includes a brokerage account or an account at an investment company. However, a covered account also includes any account at a financial institution “where there is a reasonable or foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”

All policies and procedures should be regularly reviewed and updated, as appropriate, and at least annual firm-wide training and ongoing evaluations of critical systems should be implemented. Firms should consider in advance how they would respond to different types and degrees of cyber-attacks. Periodic drills involving mock phishing episodes and cyber-attacks should also be considered to heighten employee readiness.