The Financial Conduct Authority (FCA) recently imposed a significant fine of £16.4 million on Tesco Bank for its 2016 cyber-attack: something the FCA has called "a largely avoidable incident". The FCA found that Tesco Bank had breached Principle 2 of the FCA Handbook by failing to properly address the risk of fraud and failing to respond to the attack "with sufficient rigour, skill and urgency." What is of particular interest here is that, had Tesco Bank not cooperated with the regulator by agreeing to an early settlement and implementing a comprehensive redress programme, the fine would have been more than double: £33.6m. This will not have gone unnoticed by other banks fearing a similar fate.
When considering the quantum of the fine, it is worth referring to the recently implemented Network and Information Systems Regulations (NISR). These regulations, put in place to protect critical national infrastructure from a cyber-attack, make it clear that Operators of Essential Services (OESs) and Digital Service Providers (DSPs) that fall within their scope are obliged (1) to take appropriate and proportionate measures to manage the risks posed to their cyber security and (2) to have such measures in place to prevent and minimise the impact of such an incident. The FCA press release on the Tesco Bank fine clearly highlights many of the same themes when explaining its reasoning behind the fine.
It is worth mentioning, however, that under the NISR the ultimate financial sanction for a breach is £17 million. Furthermore, such a fine is reserved for situations where there is an immediate threat to life or a significant adverse impact on the UK economy. In comparison, the Tesco Bank FCA fine is almost equivalent to this (and could have been considerably higher) in a situation where it is hard to see that there was an immediate threat to life or a significant adverse impact on the UK economy. This poses an interesting juxtaposition and raises a question as to why the FCA has adopted a different sanctions approach to its regulated sector than that enacted for OESs and DSPs in the country's most specific cybersecurity legislation, enacted in May this year. Is this a case of one rule for one sector and another for the rest? It also raises a further question as to how sanctions will be imposed and balanced when multiple regulators may be involved in the consideration of a single incident: in this case the ICO, pursuant to the pre-GDPR data protection legislation, and the FCA.
Today cyber-crime is sadly a common occurrence and presents a major business risk. Aside from the cost of the attack itself, this eye-catching fine is an 'encouragement' for the regulated sector to take its cybersecurity seriously and, importantly, to focus not only on protection but also on how to deal with an incident when it occurs.