FCA hands Tesco Bank a £16.4 million fine over cyber breach

Response by firm described as “too little, too late,” by regulator

By Lucy Hook

The Financial Conduct Authority (FCA) has fined Tesco Bank £16.4 million over a “largely avoidable” cyberattack that took place in November 2016, it has been revealed.

According to the FCA, Tesco Bank failed to exercise due skill, care and diligence in protecting its personal current account holders against a cyberattack. 

Mark Steward, executive director of enforcement and market oversight at the regulator, described the bank’s response as “too little, too late.”

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” Steward said in a statement this morning.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all,” he said.

Cyber criminals exploited deficiencies in the design of Tesco Bank’s debit card, its financial crime controls, and in its financial crime operations team to carry out the attack, the FCA said.

Those deficiencies left personal current account holders vulnerable to a “largely avoidable incident” that occurred over 48 hours and which netted the cyber attackers £2.26 million.

The FCA found that Tesco Bank breached Principle 2, which requires a firm to conduct its business with due skill, care and diligence. According to the regulator, Tesco Bank failed to exercise due skill, care and diligence to:

  • Design and distribute its debit card
  • Configure specific authentication and fraud detection rules
  • Take appropriate action to prevent the foreseeable risk of fraud
  • Respond to the November 2016 cyberattack with sufficient rigour, skill and urgency

The FCA said that following the incident, Tesco Bank immediately put in place a comprehensive redress programme, devoted significant resources to remedying the deficiencies that had left the bank vulnerable to the attack, and instituted a comprehensive review of its financial crime controls.

The bank has since made “significant improvements” to enhance both its financial crime systems and controls and the skills of the individuals who operate them.

“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place,” Steward said.

“The standard is one of resilience, reducing the risk of a successful cyberattack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated,” he went on to say.

Tesco Bank was described as having provided a high level of cooperation to the FCA in its investigation. As a result of this cooperation, combined with a comprehensive redress programme which fully compensated customers and an acknowledgment that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation. 

In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.

In its statement today, the FCA warned that cyber security requires resilience. 

“A financial institution’s board is ultimately responsible for ensuring that its cyber crime controls are designed to meet standards of resilience. The board must set an appropriate cyber crime risk appetite and ensure that its institution’s cyber-crime controls are designed to anticipate and reduce the risk of a successful attack,” the regulator said.

“Where an attack is successful, the board should ensure that the bank’s response plans are clear, well designed and well-rehearsed and that the bank recovers quickly from the incident. Following an attack the financial institution should commission a root cause analysis and understand and ameliorate the vulnerabilities that made the institution susceptible to the attack to reduce the risk of future attacks.”
