Bridging the gap between Consumer Duty and cyber security

Aerial photograph of stone bridge over wide river, with orangey brown trees either side
For financial professionals only

Consumer Duty demands that we all act to deliver good outcomes for consumers, and that means protecting customers from foreseeable harm.  The FCA is likely to view a data breach or cyber attack as something that will cause harm to your customers, and a failure of your Consumer Duty.

FCA fines for cyber security incidents

Recently, the FCA fined Equifax £11 million for a major cyber breach that took place in 2017. They referred to breaches of Principles 3, 6 and 7 of the Principles for Business in its reason for the regulatory fine. 

In 2018, the FCA fined Tesco Bank £16.4 million [SC1] for a major cyber breach that took place in 2016.  They referred to a breach of Principle 2 of the Principles for Business in the reason for the regulatory fine. 

Both incidents took place before Consumer Duty.  As the Principles for Business now include the Duty as Principle 12, it’s really worth making sure your cyber security controls are appropriate and able to protect your customer data. They’re very likely to be reviewed by the regulator when deciding on fines for a cyber breach. 

Establishing strong security controls

Think of security as something that’s built in layers, with controls designed to reduce the risk of a cyber incident at every level. For example, you might have multi-factor authentication (MFA) on your financial platforms and emails, and a rehearsed incident response plan if there is a data security breach.

Once you have controls in place, you need to consider how you can demonstrate their effectiveness to the regulator.   

Here are some examples of controls and metrics that could help to show your culture is focused on good customer outcomes in relation to cyber security:

  • Educating your customers on cyber security so they can make informed decisions.
    • Including cyber security discussions as part of onboarding new customers, ensuring they're aware of the risks of not enabling MFA and reusing passwords
    • Evidence of vulnerable customers (e.g. less tech savvy older generation who are more susceptible to scams) receiving more detailed discussion on security.
    • Letters or emails offering support on how to spot phishing attacks or how you communicate with customers so they can identify suspicious communications.
  • Providing customer support with client security needs.
    • A cyber incident response process which assists clients if they've been hacked, including advising them to be on high alert for suspicious calls or to contact you before taking any unusual requests like transfers and encouraging them to increase their platform security by enabling MFA. 
  • Choosing suppliers who can demonstrate cyber security and resilience controls when you're doing supplier due diligence.
    • Evidence of your suppliers confirming good security controls, for example aligning to security standards such as ISO 27001, offering MFA or Single Sign On (SSO), having a dedicated role for information security etc.
  • Making sure employees are aware of their security roles and responsibilities.
    • % of staff who complete information security training when they join the business and annually thereafter.
    • Number of phishing exercises you run and the % of staff engagement.
    • Feedback mechanism for staff to identify security issues, such as a Report Phishing mailbox.
    • % of staff using MFA to access their financial platforms.
  • Conducting regular risk assessments to identify potential weaknesses and how they impact the delivery of good outcomes.
    • Internal and external audit reports focusing on IT, cyber security and resilience, and action logs showing vulnerabilities after being discussed and closed.
    • Risk registers demonstrating cyber security discussions.
    • Cyber security discussed by the Executive team or at management board.
    • Assessment of vulnerable customers to make sure they aren't receiving worse outcomes.
    • Gap analysis of cyber security controls through standards like ISO 27001, and how your business aligns.
    • Evidence of system and user access reviews, ensuring access is appropriate and removed when staff leave the business. 
  • Practicing your resilience so consumers can still access important services.
    • Having incident response plans that demonstrate a focus on cyber security.
    • Number of exercises completed annually, including scenario walkthrough exercises and disaster recovery testing.
    • Documented internal and external communication plans which include how quickly you can inform consumers about data breaches in line with regulatory requirements. 
    • Number of clients reporting breaches and actions that were taken to rectify the cause of the poor outcome.
  • Securely transmitting financial or personal information.
    • A Data Classification and Handling policy in place, including when staff should password protect information sent externally.

Your ability to implement security controls will vary depending on the resource available, but it’s important to understand where you might be exposed and align your cyber security measures with the regulatory requirements to protect consumers.

Improving your security creates a better outcome for them - and saves you a lot of stress by avoiding cyber security incidents, and the punishing regulatory fines that can come along with them.

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.