Enforcd RegTech Blog - Regulatory Thinking and News

FCA Threatens Huge Fines on Cyber Crime

By The Enforcd Team

£30 million – that’s a fair bit of money for anyone, even a bank. But that’s how much the FCA is considering fining Tesco Bank for failing to prevent a major cyber-attack back in 2016. It’s a clear warning to the entire banking system to up its game in the face of the rising tide of cyber crime.

The record fine relates to an incident back in 2016, when cyber criminals broke into the bank’s internal systems and managed to empty a number of savings accounts. At first, estimates suggested as many as 40,000 accounts had been affected, but this was quickly revised down to 20,000 until the bank finally came up with a much less dramatic figure of 50. Tesco funded them immediately.

Shot across the bows

It is, then, a relatively minor incident, which is why the scale of the suggested fine has caused such alarm. But of course, that’s probably the intention.

Tesco, for its part, contests the scale of the proposed fine and is continuing negotiations with the regulator. In all probability the final figure will be substantially less than the one that the FCA is threatening. However, just by floating this figure, it is sending a clear message.

Regulators have been warning banks over cyber security for some time. Back in May, the regulator called on banks to leverage the power of innovative technology to fight back against the cyber criminals. In July they gave banks three months to start reporting on their readiness to deal with outages and protect customers.

The message is clear – up your game or feel the consequences. It’s a firm message, but banks could be forgiven for pointing out that it’s easier said than done. Cyber crime is booming. Half of all crimes are now cyber crime and they are becoming more sophisticated. Technology is creating a host of opportunities for the would-be cyber criminal and they are embracing them, turning to machine learning, AI and other next-generation tech. The sense is growing that it’s a case of when rather than if a bank suffers an attack.

Building defences

There are options. Just as tech is spawning a new, sophisticated generation of cyber criminals, it is also being used to build defences. Machine learning can be harnessed to monitor vast quantities of data and gain an early warning when attacks occur. Such systems can then spring into action to minimise the damage when a system is breached.

Mastercard, for example, has created a new ‘fusion centre’ where experts in cyber security work alongside their legal team in a windowless bunker full of the latest tech tracking all the threats coming their way. They receive hundreds of thousands of different threats every day – or three per second.

The volume of threats the financial sector faces, therefore, is huge and it is hard to escape the conclusion that sooner or later one will get through. The onus, then, is on the banks to not only build their defences, but ensure contingency plans are in place when things go wrong. A look at recent history – whether it’s the TSB computer upgrade debacle or the Experian hack – shows that this is one area where many are struggling.

This latest move from the FCA suggests those which fall behind could face much harsher penalties than they expected.