After a six-year investigation, the FCA has recently fined Equifax Ltd more than £11 million for failing to manage and monitor the security of UK consumer data which it had outsourced to its US parent company. Equifax was found to have breached Principles 3, 6 and 7 of the FCA's Principles for Business. The fine would have been even greater has Equifax not co-operated with the FCA, offered voluntary redress to consumers and introduced a global transformation programme after the incident. The company had already received a £500,000 fine from the UK Information Commissioner's Office in 2018 for the same incident. Please click here to read more.
Equifax Inc, Equifax Ltd's parent company, was subject to one of the largest known cybersecurity breaches in 2017, with approximately 13.8 million consumers affected in the UK alone. The event the Financial Conduct Authority (FCA) refers to as "foreseeable and entirely preventable" arose as a result of a lack of an appropriate outsourcing framework in place between Equifax Ltd and Equifax Inc.
The incident
Equifax Ltd had outsourced data to Equifax Inc in the US for processing. The intra-group relationship was not, however, classed as an outsourcing and appropriate safeguards for monitoring and managing customer data were not implemented. Hackers were able to access data held by Equifax Inc over a period of time due to a known issue in the software Equifax Inc was using. Due to procedural failures, Equifax Inc failed to remedy the known issue in a timely manner. Once the breach was known to Equifax Inc, it did not prioritise appropriate notifications to Equifax Ltd, resulting in Equifax Ltd failing to take appropriate action to protect UK customer data and respond appropriately to follow on customer complaints. Equifax Ltd also failed to correct public statements on the extent of the impact of the incident on UK consumers.
Both entities followed the Equifax Security Incident Handling Policy & Procedures ("SIHPP") which outlined the process the entities were to follow when an incident occurred. However, the SHIPP failed to account for the risks of competing interests of the Equifax group with one entity reporting into the other. In addition, Equifax Inc was not listed as a supplier in the Third Party Reliance Risk Policy and the controls in the policy (such as monitoring plans and site audits) were not applied to Equifax Inc. To compound matters, officials at Equifax Ltd did not believe that requesting such controls would be appropriate. The result was that Equifax Ltd failed to provide sufficient oversight with regard to Equifax Inc's data management and monitoring arrangements.
Key takeaways:
Maintaining the operational resilience of the financial sector is critical for regulators such as the FCA and regulated entities should be mindful of their data protection, operational resilience and consumer duty responsibilities:
- Firms remain responsible, regardless of a function being outsourced.
- Intra-group arrangements may be classed as an outsourcing and will require appropriate oversight.
- Firms must have effective cyber security arrangements to protect the personal data they hold.
- Firms must keep systems and software up to date and fully patched to prevent unauthorised access.
- Firms must promptly notify affected individuals on becoming aware of a data breach in a way which is fair, clear and not misleading and implements fair complaints handling procedures.
Practical steps firms should take:
- Review any intra-group arrangements to confirm whether any are outsourcings.
- Ensure any intra-group outsourcing is covered by an appropriate agreement and policies.
- Ensure risks are appropriately covered in the relevant agreement and policies.
- Ensure appropriate oversight and escalation processes are in place.
This article was co-written by Helen McBrierty, Trainee Solicitor.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
