By Xi Yu, Compliance Consultant within IQ-EQ’s UK Regulatory Compliance team
You run a good business in a growing sector. All is going well. However, just as you cover risks for your clients, so must you consider the risks your own firm faces in the form of cybersecurity. It isn’t just about the reputational damage of failing to protect client data, but also the regulatory risk, limiting your ability to continue doing what you do, therefore putting your whole business in jeopardy.
In Q2 2023, the UK Information Commissioner’s Office (ICO) received 2,893 reports of data security incidents – an increase of 41% compared to Q2 2022. In particular, the ICO noted the prevalence of cybersecurity breaches, which rose by 157% compared to last year.
IQ-EQ has seen first-hand how clients can be impacted by such breaches, including a recent incident where an insurance distributor operating in the UK and EU sustained a data breach caused by ransomware. With cybersecurity incidents a very real risk for firms today, it’s critical that teams know what to do if the worst happens. In this article, we harness our recent client experience to provide a case study outlining the steps that regulated firms may wish to take in response to such an attack.
Timeline of the cyber attack
On a July Monday morning, our client’s servers were not operational – the firm’s IT service provider notified our client that its networks and systems purportedly shut down due to unknown security-related reasons. Near midday, the firm received a seemingly unsubstantiated ransom threat by telephone, which was promptly dismissed as a prank call.
By Thursday of the same week, our client successfully rebooted its servers. Upon recovering the system, however, our client discovered that its networks had been infiltrated and parts of the data stored thereon had been encrypted by external parties. Linking back to the telephone call on Monday, the firm believed that it had been the victim of a ransomware attack.
On that same day, the National Crime Agency (NCA) informed our client that copies of passports and policy cover details associated with the firm had surfaced on darknet markets. Our client didn’t know the extent of data that had been stolen or destroyed. Nevertheless, it was clear that the incident involved the unlawful movement of personal data.
Incident response: five key steps to ensure regulatory compliance
IQ-EQ intervened to guide the client through the incident response process from a regulatory perspective. This process involved five key steps, which you can also use as a guide should a data breach impact your company.
1. Mapping out an incident response
2. Reporting a personal data breach to the ICO
3. Communicating a personal data breach to data subjects
4. Notifying the FCA of a cybersecurity breach
5. Preventing future data breaches
Conclusion
No organisation is immune to data breaches, including financial services providers. In our experience, the financial services industry may tend to dismiss data privacy as a secondary matter. However, the systemic detrimental effects of a potential breach and the increasingly heavy enforcement actions taken by the ICO should convince even the most sceptical management teams to revisit their data protection systems to ensure client and staff information remain safeguarded.