According to the Financial Conduct Authority (FCA) there has been a staggering 1,700% increase in cyber-attacks reported to it over the past three years. In 2014 there were only five such incidents reported, 27 in 2015 and 90 in 2016. That number will undoubtedly rise further in 2017.
Two weeks ago many organisations in Europe and the US were crippled by a ransomware attack known as “Petya”. The malicious software spread through large firms including the advertiser WPP, legal firm DLA Piper and Danish shipping and transport firm Maersk leading to PCs and data being locked up and held for ransom. It’s the second major global ransomware attack in the past two months. In early May, the NHS was among the organisations targeted by the “WannaCry” ransomware attack which affected more than 230,000 computers in over 150 countries.
Last month the FCA published fresh guidance on cyber resilience which regulated firms should take account of (www.fca.org.uk/firms/cyber-resilience). It highlights that financial services firms are not immune from the threat posed by cyber risk, including ransomware attacks.
Ransomware is a form of malicious software which either blocks access to or encrypts your data until a ransom, typically in Bitcoin, is paid. In some cases the purpose of the attack may not be to make money but simply to wipe all of the data from your servers. While ransomware attacks have been around for over a decade, experts agree that they are becoming increasingly prevalent and more sophisticated. We should not be surprised by the FCA stressing the importance of cyber resilience. Terrifying statistics released by the US Government last year stated that there were 4,000 ransomware attacks per day in 2016. For businesses, it is estimated that an attack occurs every 40 seconds.
For businesses, large and small, public or private, regulated or unregulated, such ransomware attacks can have a devastating effect. Once a single device is infected, your entire computer network can be taken hostage, making it impossible to conduct any business until you pay up. Even where you have a back-up system in place, it can take time to get your network up and running again, resulting in days of lost revenue.
Ransomware attackers usually gain access through a phishing email containing an infected link which, when clicked on, installs malware that quickly spreads throughout the entire system. The software then displays a message, worded to create maximum panic, warning the user that their system has been locked and that they can only access their files if they pay a fine before the deadline. The premise is simple: if you refuse to pay the fine you lose your data. If you don't have a back-up system, this loss could be permanent. Even if you do back up your system, could you afford to go back to a set of tapes that may be a week or even a month old? What would have been lost in that time?
Possibly without exception, businesses today process a significant amount of personal, often sensitive, data belonging to individuals. This may relate to staff, but it can equally relate to customer and client information, some of which may be highly sensitive. Financial services firms are required to obtain detailed information about their clients and the safekeeping of that information is a crucial issue. Last year Tesco Bank found itself embroiled in a cyber security crisis after its systems were hacked. The Bank was subsequently forced to refund £2.5m to 9,000 customers who had seen money withdrawn from their accounts by the hackers. In an unprecedented step for a UK bank, the Bank also temporarily stopped certain online transactions from current accounts.
Leaving to one side the money Tesco Bank has had to refund to customers, it is still unclear whether the Bank will be fined for the breach of its security systems. Reports at the time suggested that the FCA was investigating the breach together with the Bank of England's Prudential Regulation Authority (PRA). In any event, this is not the first time a bank has got into trouble with the regulators for data lapses as data security in financial services has been a hot topic for the FCA (and its predecessor the FSA) for a number of years. Technological change and resilience is cited as one of the main cross-sector themes in the FCA 2017/18 Business Plan, with "cyber" mentioned approximately 67 times in the Business Plan.
In 2014, the FCA and the PRA imposed a combined fine of £56m on RBS, NatWest and Ulster Bank after a computer systems failure lasting a number of weeks left 6.5m customers unable to use the Banks' online banking facilities to access their accounts or obtain accurate account balances from ATMs. It was held that the Banks had breached Principle 3 of the Principles for Businesses because they failed to have adequate systems and controls in place to identify and manage their IT exposure risks. The fine would have been even greater had the Banks not agreed to settle at an early stage, as a result of which the FCA and the PRA both agreed to apply a 30% discount.
In that case, the actual cause of the IT incident was not a cyber attack but a software compatibility problem, the underlying fault being the Banks' failure to put in place adequate systems and controls to identify and manage their exposure to IT risks. Interestingly, the FCA stressed that the incident was not the result of the Banks' failure to make a sufficient investment in their IT infrastructure. At that time the RBS Group was said to be spending over £1 billion annually to maintain its IT systems. The decision highlights that the FCA (and the PRA) are taking the issue seriously and will impose significant fines where appropriate.
Since 2011, the Information Commissioner's Office (ICO) has had the power to hand out fines of up to £500,000. Once the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, the potential fines will rise to up to 4% of the organisation's global turnover or €20m, whichever is the greater. Until now the ICO has let the FCA (and the PRA) take the lead where there have been data breaches involving financial services firms. Whether that will continue to be the case once GDPR takes effect remains to be seen.
As has been emerging in the last couple of years, data breaches are coming out of the backwaters. Under Principle 11 of the Principles for Businesses, regulated firms are under an obligation to report to the appropriate regulator anything relating to the firm of which that regulator would reasonably expect notice; this would include material cyber incidents. The FCA's guidance notes that a firm may consider an incident to be material if it:
- results in significant loss of data or the availability or control of the firm's IT systems
- impacts a large number of victims, or
- results in unauthorised access to, or malicious software present on, the firm's information and communication systems.
The FCA's guidance makes clear that where a firm considers an incident to be material for Principle 11 purposes, it should report the incident to the FCA and, if dual regulated, to the PRA. It should also report the incident to the Information Commissioner's Office (ICO) if the incident is a data breach involving an individual's data, and to Action Fraud if the incident is criminal. Once GDPR takes effect, there will be an obligation to report to the ICO breaches affecting an individual's data regardless of whether they are material. This is likely to mean firms will also report more breaches to the FCA and/or PRA.
With these serious repercussions in mind, it is important that all firms know how to prevent, prepare for and respond to a ransomware attack. As with most things in life, prevention will always be better than the cure. In this respect, the FCA's guidance raises a number of pertinent questions that firms should consider. For example, do you review who has access to your most sensitive data? Do you understand where you are vulnerable to cyber attack? Do you use encryption software and do you back up your systems? Do you educate your staff on cyber security risks? In the event of a breach, a lack of prevention and preparation will not be looked on sympathetically by the FCA.
Again, the GDPR adds another layer to these requirements. Concepts such as privacy by design (requiring privacy and security to be built into systems and processes), data minimisation and accountability (meaning a firm will have to demonstrate that it has embedded data privacy into its culture) will have to be adhered to.
Responding to an attack
In addition to seeking to prevent cyber attacks, regulated firms should obviously also think about their response strategy in the event of such an issue. There will only ever be a limited window from the point when the first device is infected where you can stop it spreading to the entire network.
Once a ransomware attack has occurred the clock will be ticking, so swift action is essential. This is where an up-to-date crisis management plan will be invaluable. All businesses should ensure they have a crisis management plan and that it includes cyber security issues. Risk management is an ongoing process and should not be left until the inevitable crisis (big or small) strikes. Businesses should work with their professional advisors to keep these plans updated and test them.
It is important to quickly establish which data has been compromised, which data is backed up and how much can be safely restored. You can then weigh up the loss to the business if you refuse to pay the ransom and lose the data, against the financial cost of paying the ransom. It is worth noting that a 2016 survey of victims who paid ransomware fines found that only 71% had had their files restored.
Whatever action is taken, there is the additional risk of reputational harm if the breach reaches the public domain, leading to a drop in client/customer confidence. It is important that your crisis management plan includes a communications strategy for dealing with stakeholders, the press and the public. GDPR once again comes into play here with the ICO required to be informed of a data breach within 72 hours of discovery. Affected individuals also have to be told without undue delay where the breach represents a high risk to them.
For all organisations, staff training and frequent updates to the cybersecurity policy are essential. Without a sound level of awareness and good practice throughout the organisation, preventing a cybersecurity attack like a ransomware infection is almost impossible. Again, all staff should have crisis training so that they know what to do if they suspect a breach has taken place, even if it is simply to report that they have received a suspicious email or communication.
It is impossible to be completely protected from a ransomware attack. However, the right security, training and preparation can help to minimise risk and mitigate loss. The FCA's new guidance shows the increasing risk that all businesses face. It is a case of when, not if. However, with sufficient protection and procedures in place, businesses will be better placed to protect their data from the ransomware threat. Coupled with an up-to-date crisis plan, any affected firm will be less likely to suffer long-term damage from a cyber attack.
If you require further information on anything covered in this briefing please contact Julian Pike, or your usual contact at the firm on 020 3375 7000. Further information can be found on the Reputation Management page of our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2017