The banking and finance industries are synonymous with security, especially when it comes to the technical aspects of service, including the growing use of online and in-app banking. This, however, hasn’t prevented both TSB and Visa Europe from having serious IT issues in recent months. Following cyber incidents, both organisations, along with other banking and finance institutions in the UK, have been told to explain their cyber-security plans and strategies for dealing with disaster.
In conjunction with the Bank of England (BOE), the Financial Conduct Authority (FCA) has given financial institutions three months to detail their IT systems and how they will deal with an outage or major IT incident. Firms must implement plans to ensure that, after an incident, they are able to continue operating as quickly and smoothly as possible. In a joint statement, Andrew Bailey, Chief Executive of the FCA, and Jon Cunliffe from the BOE said:
“Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures, or cause harm to consumers”
They went on to suggest that in some instances a two-day period of disruption may be acceptable. However, with the possible effects of outages in this sector so severe, banks and financial organisations will be held accountable. The National Cyber Security Centre will also be involved in discussions between organisations. The UK’s rapid-response team, the BOE, FCA and Treasury are being called together increasingly often to deal with major incidents, including both of the incidents involving TSB and Visa.
What happened at TSB?
In late April, around 2 million TSB customers were faced with disruption to their banking experience as the organisation attempted and failed to migrate IT systems following the organisation’s sale from its parent company. The scheduled outage, which was set to last a few hours, instead lasted for some 6 days, causing huge amounts of disruption for both online banking systems and payment systems.
The FCA at the time stated:
“We will be talking to the firm to understand exactly what went wrong and the steps that they are taking to ensure something like this does not happen again.”
What happened at Visa?
In early June, global payments firm Visa was hit with an unpredictable outage in its primary data centre, causing chaos for customers all over Europe. An issue developed on a switch, which in turn prevented systems from failing over to the secondary systems. The disruption lasted for around 10 hours, and during that time a total of around 10% of 50 million transactions failed; at two peak times this was about 30%.
Visa ordered an independent review of its systems by Ernst & Young following the incident.
The growth of cyber-security incidents
As the use of technology grows across business and everyday life, there is an increase in the threats that organisations face. Well-organised and well-funded cyber-criminals know how best to target organisations, and attacks are often planned over a series of months and include several phases. Data protection and cyber-crime incidents have been on the rise, and large firms have fallen victim along the way.
In Australia, the Commonwealth Bank recently came under fire after two tapes containing 15 years of data went missing. Data included on the tapes was highly sensitive and it is known that addresses and account numbers were stored. The incident is thought to have potential knock-on effects for up to 20 million people. Following a review by KPMG, it was deemed that the missing tapes had likely been ‘disposed of’ but that this could not be guaranteed.
Cyber giant Facebook has faced its own share of data protection scandals in recent years, none more so than the Cambridge Analytica scandal, which involved unauthorised access to millions of users’ data. Data was then used and sold on to further companies and in some instances used to target users for political gain. UK privacy watchdog and supervisory authority the Information Commissioner’s Office has stated it will levy the maximum fine of £500,000 for the incident.