Equifax UK just got an £11m FCA fine over the 2017 cyberattack against its US parent involving disclosure of data on numerous individuals including almost 14m UK individuals.
That comes five years after the ICO's £500k fine for the same incident, but perhaps it was worth the wait. The action builds on groundwork laid in the actions against TSB and its former CIO for outsourcing risk management failures, offering further important messages about outsourcing for firms, senior managers in relation to their responsibilities, and all those managing enforcement risk through a crisis. Let's dive in.
The findings in a nutshell
According to the FCA, Equifax UK didn't assess and address the relevant risks of outsourcing some data handling to Equifax US. Then, Equifax UK's arrangements with Equifax US allowed Equifax US to delay passing on details of the incident, affecting Equifax UK's customer communication and complaints handling. Equifax UK's complaints handling fell short, in part because relevant quality assurance was absent. And Equifax UK didn't correct its public statements about the incident in a timely way. The FCA found breaches of Principles 3 (organisation, control and risk management), 6 (TCF, treating customers fairly) and 7 (customer communications).
The ties that bind
This is the FCA's most strident message: UK-regulated firms are on the hook for UK regulatory obligations regardless of their relationship to foreign parents.
When a firm outsources services to an intra-group entity - even the firm's parent - the firm should treat it as it would any other outsourcing arrangement to which the FCA's rules about outsourcing should be applied.
This includes the firm keeping its compliance efforts in this regard robustly independent from its parent. In this case, the FCA levelled specific criticism at Equifax UK adopting Equifax US policy that enabled the interests of Equifax US (as outsourced service provider) to supersede those of Equifax UK during the Incident. And it set out evidence of Equifax US exerting influence upon Equifax UK's relevant Security Executive to keep quiet about the incident (of course, we may not have heard Equifax US's side of the story in all this).
A key takeaway here: if a senior manager is responsible for a UK firm's UK regulatory compliance (in other words, just about every UK senior manager), then make sure that, for that responsibility, they report to someone within the UK firm rather than to an overseas head office or parent, as was the case for the Security Executive here.
Senior managers: show your working
Senior managers need to verify the basis for assurances received from others about the standards that IT systems are meeting. The FCA found that the Security Executive relied upon an auditor's ISO certification of Equifax US's systems rather than independently obtaining assurance that they met Equifax UK's needs. (Something similar arose in the Abarca action in relation to the CIO needing to verify the basis for third (and fourth!) party suppliers' confirmations of IT migration readiness.) And senior managers need to include sufficient detail in Board reports to enable meaningful Board oversight of the subject matter. Here the FCA considered the Security Executive's Board updates to be high-level and unstructured. (Similar points were made in the Abarca action too.)
The FCA may not have fully grappled with how challenging these areas really are for senior managers. Inevitably, a senior management role requires reliance on the expertise and diligence of others (and who better than auditors!) and Board reporting requires brevity and concision especially on technical matters.
Engage and remediate
To mitigate enforcement risk, engage constructively and responsively with regulators throughout a crisis. Conclude and implement the findings of internal fact-finds. And implement the suggestions of regulators. Here, according to the FCA, Equifax UK did not amend its consumer-facing statements promptly and in line with FCA suggestions for accuracy. And Equifax UK failed to finalise a past business review into its suspension of quality assurance and then implement its findings.
The Equifax UK action is an example of UK regulators' converging areas of responsibility.
It follows a £500k ICO fine (several years ago!) about the same incident. Given the FCA's focus on conduct regulation, several of the technical aspects of Equifax US's server security in the ICO notice unsurprisingly didn't make it into the FCA's notice. Other than that, the FCA's findings generally replicate all of the ICO's findings, then build on them by making findings specifically through the lenses of oversight of outsourcing, intra-group organisational risk management, clarity of public communications and complaints-handling issues.
The more this convergence happens, the more contentious regulatory teams will need to apply investigation management strategies historically deployed more frequently in larger cross-border regulatory investigations - including ensuring consistent productions to different regulators and coordinating multi-regulator investigation timetables and settlement negotiations. And the more it will be a real advantage to have a legal team with multiple specialisms (here, financial regulation plus data protection and a healthy side dose of tech).