In this digital age it can feel like there is not only an individual pressure to keep up to date with tech but to also commercially stay ahead of the game with a fear of losing out to competitors. But the increased reliance on technology has its downsides. Cyber attacks continue to increase in quantity and their sophistication. Action Fraud reported that the number of social media and email hacking offences had increased by 48% over the last year. And the FCA has said there’s been an 18% increase in firms reporting incidents in the last 12 months. While it might be assumed that cyber crime is carried out only by those with technical expertise, the National Cyber Security Centre reported that pre-packaged malware is being sold on the dark web for as little as £7. It is therefore accessible to anyone who wants to attack a firm to steal data and/or money. It is not surprising that financial services is particularly attractive to criminals, including those who might want exact revenge on a company for bad service or a disgruntled employee simply engineering a denial of service attack.
I return to the subject of cyber security due to its continued focus, most recently shown in ombudsman decisions, FCA enforcement action and government investigations. In October the FCA fined Tesco Bank £16.4m for its failure to exercise due skill, care and diligence in protecting customers against a 2016 cyber attack. Last month the Treasury Select Committee launched an inquiry into IT failures in the financial services sector.
Government and regulators are expecting firms, regardless of size and sector, to prioritise cyber and data security. The FCA recently spoke about how firms should understand not only their own recovery plans but also those of outsourced third parties. Firms should therefore be continually reviewing their strategies and making sure that they engage with staff at all levels, from directors to trainee advisers. The conundrum for firms is how to compete in an ever more “tech” based world with a regulator more firmly focused on the need for firms to evidence the steps they are taking to ensure operational resilience.
Head of Policy