Compliance in Finance: How Regulatory Pressures Are Impacting The Sector
As organisations face an increasingly strict regulatory environment, both in the UK and beyond, remaining not only secure from cyber threats but also compliant with legal frameworks and regulations is becoming a costly and often stressful task.
The Increasing Financial Impact of Cyber Crime
The rising incident costs of data breaches are not the only financial implication that affected organisations have to contend with. Fines resulting from organisational failures, mishandled data and lack of regulatory compliance can now reach levels far higher than the original financial impact of the breach itself, potentially running to tens of millions depending on the scale of the breach and the degree to which the firm was responsible for it as a result of security or regulatory negligence.
Firms also have to consider the further long-term impact of potential reputational damage following a data breach. These financial implications are much harder to measure and in some cases cause indefinite damage to an organisation’s revenue stream.
Incidents involving financial institutions risk eroding consumer confidence, disrupting critical services or even causing a chain reaction of incidents involving other institutions.
Regulatory Pressures
- EU General Data Protection Regulation (GDPR)
One of the largest and most comprehensive regulatory shifts was the introduction of the EU General Data Protection Regulation (GDPR), which (following the UK’s departure from the EU) gave way to the Data Protection Act 2018 – replacing the original 1998 act and completely overhauling and modernising UK data protection law. Since then, organisations have had to re-think their data protection strategies and invest accordingly to maintain compliance with the growing list of data protection regulations.
- Digital Operational Resilience Act (DORA)
UK-based financial institutions are, however, still feeling the ripple effect of new data regulations within the EU, despite the UK’s departure from the European Union. In January of this year, the EU introduced the Digital Operational Resilience Act (DORA) – a new regulation aimed at setting a baseline for ICT resilience within the financial sector. The DORA framework applies to over 20,000 financial institutions and ICT service providers within the EU, as well as any third-party ICT infrastructure supporting these entities, even if located outside the EU.
Much like the penalties associated with GDPR, institutions subject to DORA could be fined up to 2% of their total annual worldwide turnover or 1% of their average daily worldwide turnover – with fines in certain cases potentially reaching as much as £1,000,000.
- PRA & FCA Insurance Sector Regulation Consultation 2025
In January this year, the Bank of England’s Prudential Regulation Authority (PRA) issued an open letter aimed at CEOs of firms operating in the UK’s insurance sector, listing insurers’ cyber security as a priority area for its supervisory focus in 2025. The letter also highlighted the wider importance of firms being able to detect, respond to and recover from cyber attacks, considering this “a cornerstone” of the overall resilience of the financial system.
“To further enhance the sector’s cyber resilience capabilities, the PRA intends to start consulting with the FCA in the second half of 2025 on policy relating to the management of Information and Communication Technology (ICT) and cyber risks”
The management of technology, data and cyber risk is subject to increasing regulation, with the PRA, FCA and BoE having set stringent operational resilience requirements across UK financial services back in 2021.
- Impact Tolerances Deadline March 2025
The operational resilience rules laid out in the 2021 handbook only came into effect on 31 March 2022. However, regulators gave firms in the sector a hard deadline of 31 March 2025 by which to be fully compliant. The PRA’s recent letter outlined its expectations, stating:
“By March 2025 firms must be able to show they can remain within impact tolerances for all their important business services throughout severe but plausible disruptions…we expect firms to have made significant progress already to strengthen their response and recovery capabilities to address cyber threats, remediate vulnerabilities exposed by legacy infrastructure and develop contingency procedures when material third party services are disrupted”
Industry Case Studies
Equifax 2017 - £11 million fine (total costs over $1 billion)
In 2017, Equifax’s parent company, Equifax Inc., was subject to one of the largest data breaches in history. Hackers were able to access the personal data of approximately 13.8 million UK consumers – a direct result of the organisation outsourcing data to Equifax Inc.’s servers in the US for processing.
This incident was entirely preventable. Equifax (UK) failed to put controls in place to ensure the security of the data being sent to its US-based parent company. There were several known vulnerabilities in Equifax Inc.’s data security systems which were overlooked by Equifax (UK), who failed to take the appropriate steps to secure their UK customer data.
Further failings were found in the way Equifax dealt with customer complaints in the aftermath of the breach, with the UK organisation only finding out about the breach six weeks after the initial hack was discovered by its US-based parent company.
The ensuing FCA (Financial Conduct Authority) investigation found that the firm had delayed contacting customers due to the overwhelming level of complaints they had received. Additionally, Equifax was said to have given an inaccurate impression of the number of consumers affected and failed to maintain appropriate quality assurance checks for complaints, leading to several instances of mishandled complaints.
“Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so. They compounded this failure by the ways they mishandled their response to the data breach. Regulated firms are on the hook, regardless of whether they outsource or not.”
Therese Chambers, Joint Executive Director of Enforcement and Market Oversight, FCA
Following a full investigation by the FCA and a court settlement with the US Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau, Equifax was fined over £11 million in the United Kingdom and agreed a settlement in the US to pay out over $425 million to affected customers. Alongside these financial penalties, Equifax was ordered to invest hundreds of millions over the subsequent years to fortify its data security.
British Airways 2018 - £20 million fine
Whilst significantly smaller in scale, British Airways experienced a data breach similar to that of Equifax the following year, in 2018. Attackers were believed to have potentially accessed the data of approximately 430,000 customers and staff, including the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Whilst there was no specific failure or vulnerability that BA was responsible for in this instance, the Information Commissioner’s Office (ICO) investigation identified several measures that BA could have used to mitigate or prevent the risk to the organisation and its customers’ data:
- Limiting access to applications, data and tools to only those required to fulfil a user’s role
- Undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’s systems
- Protecting employee and third-party accounts with multi-factor authentication
Many of the recommended measures would have had little to no financial or technical impact on BA, with several available as built-in features of the Microsoft operating system used by the airline.
The ICO investigation also found that, similarly to the Equifax breach the previous year, BA did not detect the attack itself in June 2018 and was instead alerted by a third-party security researcher more than two months later, in September. However, BA did act promptly and informed the ICO as soon as it became aware of the incident.
The breach resulted in the ICO’s first major fine under the EU data regulation GDPR, watched closely by the European Union in what was expected to be a landmark decision. However, the £183 million fine originally proposed by the ICO was significantly reduced to £20 million when the fine was issued in 2020, with the Commissioner’s Office stating that “the economic impact of Covid-19” had been taken into account.
Introduction of New Reporting Requirements (Cyber Security and Resilience Bill)
As part of the 2024 King’s Speech, the government announced it would be introducing a Cyber Security and Resilience Bill, bringing with it “crucial updates to the legacy regulatory framework”. The existing UK regulations reflect law inherited from EU frameworks, and this new bill represents full, comprehensive, cross-sector cyber security legislation.
Some of the key updates being proposed include:
- Expanding the remit of the regulation to protect more digital services and supply chains
- Putting regulators on a strong footing to ensure implementation of essential cyber safety measures
- Mandating increased incident reporting to give government better data on cyber-attacks
This new emphasis on incident reporting, including in instances when an organisation has been held to ransom, will improve both government and industry understanding of the threats and raise the alarm on potential attacks by expanding the type and nature of incidents that regulated entities must report.
The Bill is expected to be introduced to parliament this year.
Solution: Managing Your Organisational Compliance
PureCyber Governance Consultancy:
There are many compliance standards, frameworks and accreditations available to align your organisation with, from entry-level standards such as Cyber Essentials/Cyber Essentials Plus and IASME Cyber Assurance to more in-depth accreditations such as ISO 27001.
Aligning your organisation with one of these frameworks and achieving full certification will give your firm an organisational compliance baseline that will act as a foundation for cyber awareness throughout your organisation, and support future cyber security implementation. Achieving a strong governance standard will not only keep your firm compliant with government regulations; it will also create an across-the-board uniformity within your organisation’s cyber security policy.
PureCyber’s governance consultancy services will guide your organisation step-by-step, throughout the entire accreditation process – from initial consultation to achieving certification. Our team of governance experts will be on hand throughout your accreditation journey to ensure your organisation can achieve compliance with ease.
Having a governance framework in place is an investment that could save your organisation from a potential cyber-attack costing millions, and protect your firm from regulatory fines for organisational oversight.
Adhering to a cyber security framework will demonstrate that your firm has taken appropriate steps to ensure data security.
Get in touch with the PureCyber team and find out how we can help your organisation become compliant and secure your business today.
How Can PureCyber Help?
Our team of cyber security experts is here to take over the burden of your cyber security and ensure your organisation’s data remains secure and well managed, with proactive monitoring and real-time threat intelligence, providing you with a comprehensive and reliable cyber department to support you in all aspects of your security efforts, including: 24/7 Security Operations Centre (SOC) services, Managed Detection & Response (MDR/EDR), Threat Exposure Management (TEM) & Brand Protection Services, Penetration Testing, & Governance Support.
Keep an eye on our Events & Webinars page for upcoming PureCyber events.
Get in touch or book in a call for more information on our services and how we can safeguard your organisation with our expert cyber security solutions.
Email: info@purecyber.com
Call: 0800 368 9397