On October 24th, the Financial Conduct Authority (FCA) announced in a short statement that they will initiate an investigation into the circumstances surrounding the data breach at Equifax, the consumer credit rating agency.
This massive data breach, which has impacted 143 million customers in the US and 694,000 in the UK, appears to be the result of a highly sophisticated group of hackers exploiting Equifax’s inability to effectively manage and respond to system vulnerabilities. From the now-resigned CEO’s testimony in Congress, it is clear not only that Equifax’s technical protections were lacking, but also that the internal, human-driven processes required to rectify them were inadequate. This is evidenced by the fact that Equifax received a warning notice of the vulnerability the hackers were able to exploit, from the US Department of Homeland Security, five days before the criminals gained access.
This incident has irreparably damaged the reputation of one of the world’s biggest holders of consumer and business data. But it has served as a useful reminder to boards in the financial services sector that everyone is vulnerable to this source of operational risk, and that processes must be improved prior to the enactment of the General Data Protection Regulation (GDPR) in May 2018. GDPR is going to overhaul the way consumer data is safeguarded and protected, and Brexit offers no escape. The Information Commissioner’s Office and the Digital Minister have both confirmed this in their pursuit of ‘regulatory equivalence’ and their hope for continued trade in services with the European Union.
So, what lessons can be taken away from this event and how can you safeguard your organisation?
- Firms should implement robust cyber-security procedures and keep appropriate records that they have been executed effectively so as to promote accountability and demonstrate compliance;
- GDPR compliant, clear, and concise policies that can be easily assimilated by members of your team and later utilised as reference tools are critical;
- The lines of communication between the Data Protection Officer, the Information Security Officer, and the Compliance department must be fit for purpose;
- Ensure data processing and protection are, as far as reasonably possible, resilient to business continuity disruptions and disaster events;
- Listen to and take seriously any cyber-security or data protection related concerns or issues raised by employees, contractors, government departments, or customers. This can, in part, be assisted by a well implemented Whistleblowing policy and procedure.
Objectivus can assist with GDPR related compliance. Our risk and document management system, Objectivus360, enables a clear demonstration of compliance with components of GDPR reducing your regulatory and legal risk. Additionally, our consultants can ensure all your policies and procedures are up to date, compliant, and assimilated. To find out more visit the Risk and Governance page on our website.