The Financial Conduct Authority stated that in November 2016, cyber attackers had exploited deficiencies in Tesco Bank’s design of its debit card and financial crime controls.
“Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers 2.26 million pounds,” the FCA said in its statement.
This was the watchdog’s first fine for cyber failings. The Bank of England has made it a priority that lenders become more resilient to cyber attacks.
For its part, Tesco stated that it fully accepted the FCA’s findings and agreed to a settlement of $21mn.
“The FCA recognised… that, once senior management were aware, Tesco Bank responded quickly to stop the fraudulent transactions, updating customers regularly and deploying significant resources to return customers to their previous financial position,” stated the supermarket group.
Tesco has apologised to its customers and stated that it has significantly enhanced its security measures, adding that it was “very sorry” for the impact the attack had on customers.
Kyle Hastings, a cyber risk partner at Parker Fitzgerald, said that the fine was a serious call for every bank to make cyber security a central priority rather than an issue for its IT unit.
“This contrasts with regulators’ expectations and the prospect that, as an expanding part of operational risk, cyber could attract greater prudential scrutiny and potential capital charges,” stated Hastings.
Mark Steward, the FCA’s executive director for enforcement, stated that the size of the fine reflected the watchdog’s “no tolerance” policy for banks that failed to protect customers from foreseeable risks, underlining the seriousness of the failings.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started,” said Steward.
“This was too little, too late. Customers should not have been exposed to the risk at all,” he added.
“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” he concluded.