Abstract: Information is collected, stored and used through digital media. Our businesses rely on information in this digital space - information that we use to conduct our day to day business; information that lets us make decisions or do things better than our competitors; information that we need to protect and share to comply with the law and regulations placed upon us. There is a growing cyber threat to this media and I agree with the recent KPMG report that a cyber attack could be the next big crisis to befall the financial services sector. But I also contend that cyber, or more accurately information, incidents are already here and having significant impacts across the sector. We need to act now to stave off the near-term and longer term risks.
Many of you reading this will have, like me, read the recent report by KPMG warning of a cyber attack, or massive system outages (which themselves, of course, may or may not be caused by a cyber attack), as being the next catastrophe awaiting the financial services sector. If not the report, then you will probably have caught an article about it (such as this one by Computer Weekly, which stated "Cyber attack or disruption could cause the next systemic shock to the UK banking industry rather than a liquidity crunch"). The KPMG report provides some interesting facts and figures on the escalating cyber issues, such as increases in online account fraud.
This got me thinking about the wider information risks that financial services face. Information is essential for financial institutions to conduct their business. Information is usually held on ICT systems. Manual interaction with the ICT systems, or automated systems, triggers actions based on that information. So whilst we are dependent on the systems themselves, it is the information which is of paramount importance. Arguably, it is the information we need to conduct our business; ICT just streamlines the operations. If we had the information we could, arguably, continue a semblance of our business. So is it right to look at cyber risk, which tends to lead us into the world of IT security, or is cyber risk a sub-element of a broader information risk, which is a much more prominent business-led activity?
Good information management is about having the right information in the right place at the right time and using it effectively - that is protecting it as it gives us a source of competitive advantage, and sharing it when we need to or when it will lead to enhanced business value.
A look over the fines that the FCA or ICO (Information Commissioner's Office) have issued recently shows that companies are not getting the right information and/or not keeping it or getting it to the right place at the right time. The conclusion: information incidents are here and already causing much disruption.
The ICO have, to date, predominantly fined councils and healthcare organisations, but they have issued 3 fines to financial services organisations, as well as some to energy organisations and law firms.
Whilst the ICO fines for breaching the Data Protection Act, a maximum of £500k, may seem relatively insignificant to a large financial services organisation, there can be more significant impacts. In this world of growing on-line banking and fraud, information security has been a source of competitive advantage. Now I, for one, consider the security of my personal information when choosing an on-line bank. Banks recognise this consumer behaviour (it isn't just me!) and for some time have deployed variations of passwords, card readers, random password key generating tokens, secret questions and so forth to promise their customers the most secure account log-in. So a fine from the ICO, which effectively says to the market "this organisation doesn't look after your personal data quite right", can have far more severe financial impacts than the fine itself, through loss of reputation and therefore of customer retention and attraction.
FCA fines are far more significant but rarely are they talked about in information incident terms. Here are some of the top 10 fines issued that could be construed as information incidents.
CPP were fined £10.5m for mis-selling insurance in 2012. One of the two primary reasons, rather ironically, was that CPP "overstated the risks and consequences of identity theft during sales of identity protection". This case of mis-selling could easily be classed as an information incident - a case of not having the right information and not sharing it appropriately with their customers.
Shell were fined £17m for market abuse in 2004, in which the FSA accused Shell of making "false and misleading announcements" in relation to its oil and gas reserves. A case of having, we assume, all the right information to hand but sharing the wrong information with key stakeholders.
Goldman Sachs were fined £17.5m in 2010, where a breakdown in communications led to the FSA, as was, not being informed of an individual working in the UK who was subject to serious fraud charges in the US. Again, an incident of not sharing information appropriately.
Of course, who could forget UBS who were fined nearly £30m in late 2012 for serious weaknesses in controls that led to losses of over £1.5bn during three years of illicit trades by a relatively junior employee. Arguably, weak information systems and poor information risk management led to the company not finding, or analysing, data to provide actionable intelligence to identify the issue earlier and address it.
Prudential, in March 2013, were fined £30m for not informing the FSA of a planned acquisition in a timely manner. Another case of not using information that existed in an appropriate manner.
The FSA, as was, has also issued fines directly related to losing customer data, for instance Zurich being fined £2.3m for losing the personal data of 46,000 customers in 2010.
What does all this tell us? Well, we started this exploration of information risk from the recent KPMG report that suggests a cyber attack could be the next big crisis in financial services. I contend that the issue of cyber, or information, incidents is here already. Fines for not controlling our information, and the subsequent reputation and share price damage, have been happening for years - those listed above total over £100m and it would be easy to add more to the list. If we don't get good control of our information systems (which include people and physical premises, not just IT) now, we will continue to suffer increasing fines and reputational damage in the short term, and fail to protect ourselves against the next big crisis just around the corner.