Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

CYBER SECURITY – THE LITIGATION AND REGULATORY RISK IN FINANCIAL SERVICES

The number of security breaches is down, according to the Institute of Risk Management, but the severity of attacks has increased. At a recent event co-hosted by Business South, Institute of Risk Management, Invest in Hampshire and IBM, businesses were told that cyber security should be the subject of board room discussion, understood by the CEO, CFO and HRO, as, all too often it is seen as something for the IT specialists to deal with.

Every business can and should address cyber security, taking some basic steps to minimise its threat profile and in doing so keep the risk and compliance officer happy as well as creating competitive advantage. Is this a message which is getting through to businesses in the financial services sector?

[Kim Walker, partner in the technology team in law firm Thomas Eggar’s Southampton office, looks at some of the issues and their potential impact on a regulated business either based in the or whose international business requires it to deal with the UK]

A business that suffers a cyber attack may find it is at increased risk of litigation from its customers or suppliers. This might take the form of:

  • Breach of contract. Even where the security breach does not result in loss of data, there can be disruption to business which could expose a business to a breach of contract claim if that disruption means they fail to perform contractual obligations. So far, reported disruption to customers in the banking industry resulting in compensation payments have been the results of internal software or hardware failures, but the impact of an external event could be much greater. The English courts have decided that non-performance of obligations relating to data protection can be sufficient cause for a customer to terminate an agreement for material breach. This is a particular risk if the subject matter of the contract is the operation of some form of electronic platform but even obligations which do not, on first inspection, appear to be cause for termination can lead to a contractual loss.
  • Breaches which result from errors by third parties with whom a business has a commercial relationship holding data under a processing or other related agreement is an area of increased risk as the collaborative chains of suppliers envisaged by the growing use of the Internet of Things and mobile payment technology facilitates multiple touch-points for data. The impact on the supply chain is likely to be such that a business will have to face legal disputes with customers and may have to bring claims against suppliers who have caused an incident.
  • A claim for negligence, if the customer can prove the damage and losses suffered. This will be a consequence of the failure to take reasonable steps to ensure adequate security when storing customer information being a breach of Data Protection Act principles.
Kim Wallker
Kim Wallker

Minimum IT security mechanisms, mandatory reporting of data security breaches and, it is proposed, collection and sharing of information on attacks and threats are all requirements of the European Data Protection Directive due to come into force in 2015 and the European Cyber Security Directive, under discussion. Failure to meet the requirements could result in substantial fines. Under the Data Protection Directive, this can be as much as 5% of annual global turnover or €100 million, whichever is greater. In the United States, privacy and data security is also being considered by regulators with the focus on the same key issues.

In the UK businesses which are regulated by sector-specific bodies such as the Financial Conduct Authority (“FCA”) or listed on the stock exchange, will have further compliance requirements and standards. These are to limit the risk that the business might be used, possibly without its knowledge, in financial crime. A listed company which is the target of a cyber attack will also need to consider if this amounts to price sensitive information and what impact disclosure of the breach might have on the market. Under stock market rules companies need to release relevant information as soon as it is available; and all those who want to deal in shares should have access to the same information at the same time. A business will need to decide if a cyber attack could affect its underlying value if, for example, it caused a security breach or made it impossible for the company to fulfil its contractual obligations. Then it will need to consider the timing of the announcement; whilst delays are generally unacceptable under market rules an ongoing cyber attack could still be the subject of investigation and ‘tipping off’ those responsible may not be the best course of action.

This only serves to emphasise how important it is that the IT department has a direct line to the board once it has identified that a security breach has occurred. A cyber security response policy should be considered, alongside other disaster recovery plans and a business should ensure that legal advice is obtained at an early stage in anticipation of possible claims.