10 November 2023
There is no doubt that cyber security breaches can present significant operational, financial, data and reputational threats for companies in the UK. In particular, where cyber incidents have, or may have, resulted in personal data breaches, companies are answerable to the Information Commissioner’s Office, which has issued fines as high as £20 million (to British Airways in 2020) for failing to protect personal data.
For firms regulated by the UK financial services regulators, weaknesses in cyber security may also present regulatory risks. In recent years, the Financial Conduct Authority and the Prudential Regulation Authority have made it clear that they expect regulated financial services firms to have effective cyber security controls and to report material cyber incidents. Failure to comply with the Regulators’ expectations in relation to cyber risk may result in firms facing enforcement action and sanctions. This has been highlighted by the recent FCA decision to fine Equifax Ltd £11.2m for failing to manage and monitor the security of UK consumer data in relation to a cyber breach which allowed hackers to access the personal data of millions of people in the UK.
This briefing further explores the Regulators’ powers in relation to cyber security, and looks at their enforcement decisions, including the Equifax case. It also considers how firms should seek to manage cyber risk by implementing measures both to reduce the risk of a cyber incident occurring and to minimise the impact should one arise.