By Xi Yu, Compliance Consultant within IQ-EQ’s UK Regulatory Compliance team
You run a good business in a growing sector. All is going well. However, just as you cover risks for your clients, so must you consider the risks your own firm faces in the form of cybersecurity. It isn’t just about the reputational damage of failing to protect client data; there is also the regulatory risk, which can limit your ability to continue doing what you do and therefore put your whole business in jeopardy.
In Q2 2023, the UK Information Commissioner’s Office (ICO) received 2,893 reports of data security incidents – an increase of 41% compared to Q2 2022. In particular, the ICO noted the prevalence of cybersecurity breaches, which rose by 157% compared to last year.
IQ-EQ has seen first-hand how clients can be impacted by such breaches, including a recent incident where an insurance distributor operating in the UK and EU sustained a data breach caused by ransomware. With cybersecurity incidents a very real risk for firms today, it’s critical that teams know what to do if the worst happens. In this article, we harness our recent client experience to provide a case study outlining the steps that regulated firms may wish to take in response to such an attack.
Timeline of the cyber attack
On a July Monday morning, our client’s servers were not operational – the firm’s IT service provider notified our client that its networks and systems purportedly shut down due to unknown security-related reasons. Near midday, the firm received a seemingly unsubstantiated ransom threat by telephone, which was promptly dismissed as a prank call.
By Thursday of the same week, our client successfully rebooted its servers. Upon recovering the system, however, our client discovered that its networks had been infiltrated and parts of the data stored thereon had been encrypted by external parties. Linking back to the telephone call on Monday, the firm believed that it had been the victim of a ransomware attack.
On that same day, the National Crime Agency (NCA) informed our client that copies of passports and policy cover details associated with the firm had surfaced on darknet markets. Our client didn’t know the extent of data that had been stolen or destroyed. Nevertheless, it was clear that the incident involved the unlawful movement of personal data.
Incident response: five key steps to ensure regulatory compliance
IQ-EQ intervened to guide the client through the incident response process from a regulatory perspective. This process involved five key steps, which you can also use as a guide should a data breach impact your company.
1. Mapping out an incident response
Our first advice was to document the breach in writing with the help of the firm’s IT team. Beyond record retention – which is an obligation in its own right – documenting the breach is essential for determining the scope and impact of the cybersecurity incident. This record should be started while the technical evidence (system and network logs, copies of the encrypted files and ransom note, disk images of affected servers) is still available, and before systems are wiped and rebuilt, as the rebuild will otherwise destroy the very information needed to establish what was taken.
A record of a breach should contain at least the information that the firm would need to submit to the ICO if the breach is reportable (see step 2). Note that Article 33(5) of the GDPR requires every personal data breach to be documented – its facts, effects and the remedial action taken – whether or not it is ultimately notified. The record should include:
- A description of the nature of the data breach and, where known, its timeline
- A description or estimate of the categories of personal data affected by the breach
- A description or estimate of the number of data subjects affected by the breach
- A list of the individuals involved in handling the breach (e.g. the data protection officer, IT engineers, the external IT service provider)
- The likely consequences of the breach for the affected individuals, and how likely each is to materialise
- Any existing controls and any measures taken immediately in response to the breach (e.g. password resets, invocation of the disaster recovery plan)
- Whether the breach is reportable to any regulatory body, and to which
This process is likely to be easier if the organisation has maintained a comprehensive register of processing activities, in which business processes, data owners, departments with granted access, and types of data and data subjects are identified.
Further to devising a record of the breach, we worked with our client to establish a communication plan addressed to the affected data subjects, including its customers. The communication plan is critical for the following reasons:
- Complying with the firm’s legal obligations under the UK GDPR and the Data Protection Act 2018 (and the EU GDPR in respect of its EU operations) – in particular, the principle of accountability
- Preventing further harm being caused to or sustained by the individuals whose data was stolen
- Potentially reducing the reputational damage the firm would suffer if the breach were left unacknowledged and later came to light
2. Reporting a personal data breach to the ICO
In response to a personal data breach, firms are expected to undertake a risk assessment of the likely impacts on the affected individuals. A risk-based approach is essential as it will inform the organisation’s remediation plan.
Under Article 33 of the GDPR, organisations must report a personal data breach to the ICO “without undue delay” and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the full picture is not available within 72 hours, the information may be provided in phases, but the clock does not wait for the investigation to conclude.
A risk to the rights and freedoms is broadly defined by Recital 75 as any use of personal data that could cause physical, material or non-material damage to an individual. In the presented case, the leakage of passport and policy cover details exposed the firm’s clients to identity theft, fraud and the disclosure of special categories of personal data (such as medical history).
Consequently, a notification to the ICO was inevitable. We advised our client on drafting the initial standardised notification form and on subsequent correspondence with the ICO.
Like many organisations, our client was initially wary of providing details to the ICO in its notification form. The key during this phase is to remember that the ICO’s enforcement focus is not on the fact that a breach occurred but on whether the firm had appropriate technical and organisational security measures in place (Article 32) and handled the breach properly once discovered; firms are not penalised simply for having been attacked unless the incident was caused by a material deficiency on their part.
In the case of our client, the ICO provided constructive recommendations to enhance the firm’s cybersecurity controls.
3. Communicating a personal data breach to data subjects
Article 34(1) of the GDPR requires organisations to notify affected data subjects where the breach is likely to result in a high risk to the rights and freedoms of natural persons. A ‘high risk’ is one with a greater potential impact on data subjects, e.g. exposure of special categories of personal data that could lead to discrimination, data that enables individuals to be located or tracked, and/or data about vulnerable persons.
An argument in favour of such a communication would highlight the fact that special categories of personal data such as medical information may have been leaked to the dark web.
Note, however, that Article 34(3) relieves the firm of the obligation to contact each data subject individually where any of the following conditions is met:
- The firm had applied appropriate technical and organisational protection measures to the affected data, in particular encryption that renders it unintelligible to anyone not authorised to access it (a caveat: encryption at rest or in transit does not help here if the attacker accessed the data through a live system or session with the keys available, as is typical in a ransomware intrusion)
- The firm has since taken measures which ensure that the high risk is no longer likely to materialise
- Individual notification would involve disproportionate effort, in which case the firm must instead make a public communication or take an equivalent measure that informs the affected individuals equally effectively
IQ-EQ and the insurance distributor came to the conclusion that the most sensible approach would be to release a communication to its customers, alerting them that they may receive phishing emails or otherwise fraudulent inquiries in the upcoming days or weeks.
4. Notifying the FCA of a cybersecurity breach
UK-regulated firms are required to notify the Financial Conduct Authority (FCA) of various categories of events, as set out in Chapter 15 of the Supervision Sourcebook. For instance, the general notification rules in SUP 15.3 (SUP 15.3.1R and the rules that follow it) require notifications to be made where an event will lead to:
- The firm being no longer able to satisfy its threshold conditions
- Significant reputational damage to the firm
- Significant disruption to the services provided to its customers
- Negative impact on the firm’s ability to treat its customers fairly
- Negative impact on the firm’s ability to meet its capital adequacy requirements
- Significant failure of the firm’s systems and controls
- The firm breaching or contravening any of its regulatory obligations
- The disclosure or dissemination of market-sensitive information
- Significant harm to the wider UK financial system
Depending on the type of data breach, a notification may be required for one or more of the grounds listed above. In our case, the most applicable grounds were the negative impact on customers and the firm’s ability to abide by the treating customers fairly (TCF) framework.
IQ-EQ worked with the insurance distributor to draft and submit the initial SUP 15 notification form to the FCA. Given the ‘contained’ scale of the breach, no follow-up was received from the regulator.
5. Preventing future data breaches
As part of our consulting services, we advised our client on the following tasks to ensure that the likelihood of such a disruptive event occurring in the future is minimised:
Training and culture – It will be no surprise to anyone that data breaches occur even at firms with stringent technical controls, because staff remain the most common point of entry. The 2020 ‘Psychology of Human Error’ study conducted by Tessian found that 88% of data breaches are caused by staff mistakes. The study cites that the top reasons phishing emails are clicked relate to the fact that these messages purport to be sent from internal addresses or from reputable brands. Therefore, periodic training and staff-focused cybersecurity tests (such as simulated phishing campaigns) are a good way to ensure the firm is committed to a strong security culture. IQ-EQ delivers online and live training sessions on data protection and cybersecurity controls.
Record retention – We advised our client on building and maintaining a comprehensive record retention system in relation to data security. In the event of a breach or a data subject access request, organisations struggle the most when there is no up-to-date record of processing activities. IQ-EQ assisted the firm in identifying the various business procedures where personal data was processed, the purpose of those procedures, the types and categories of personal data and data subjects, and assigning those purposes to individuals and departments to establish accountability. We were then able to produce a report assessing the risks deriving from the various processing of personal data and their disclosure to internal and third parties. Based on our findings, IQ-EQ advised the client to assess the effectiveness of its current data security controls.
Controls and access restrictions – Insurance companies are critically exposed to cybersecurity attacks due to the wealth of personal data they process on behalf of their clients, ranging from health records to financial information. Insurance Business Magazine reported on 12 June 2023 that recent attacks had become increasingly more damaging, specifically targeting the insurance industry. We worked with our client to implement basic but important mitigating measures such as:
- Segregation of work-related data and prohibition of the use of personal devices for work
- A consistent document naming and filing system, so that unusual activity or suspicious files stand out
- Redacting or minimising sensitive information, such as special categories of personal data, where it is not needed
- Maintaining up-to-date access controls for current staff, and promptly revoking access for former staff
- Ensuring departing employees return all devices, information and equipment
- Periodic training and assessments (as discussed above)
- Monthly cybersecurity testing (e.g. penetration tests, DDoS resilience testing)
- Annual data protection compliance testing (as part of the compliance monitoring review)
No organisation is immune to data breaches, including financial services providers. In our experience, the financial services industry may tend to dismiss data privacy as a secondary matter. However, the systemic detrimental effects of a potential breach and the increasingly heavy enforcement actions taken by the ICO should convince even the most sceptical management teams to revisit their data protection systems to ensure client and staff information remain safeguarded.