GDPR – Do not forget the FCA

25th May 2018… General Data Protection Regulation.

What powers do the FCA have?

DATA BREACHES & CYBER INCIDENTS

  • Principle 3 - Management and control
    “A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”
  • Principle 11 - Relations with regulators
    “A firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which the FCA would reasonably expect notice.”
  • SYSC 3.1 - Systems and Controls and SYSC 3.2 - Areas covered by systems and controls
  • SYSC 8 - Outsourcing (data sourcing arrangements)
  • SUP 15 - Notifications to the FCA
    • Matters that have a serious regulatory impact (SUP 15.1.1R)
    • A significant failure in the firm’s systems and controls (SUP 15.3.8G)
    • A significant breach of any rule in the Handbook (SUP 15.3.11R) – breach notification is immediate
    • Where “significant” fraud is involved (SUP 15.3.17R) – immediate notification

What does the FCA want to see?

  • a security culture led from the top
  • firms to carry out “robust and comprehensive risk assessments”
  • Risk framework required to manage the risks identified
  • Senior Managers & Certification Regime (SM&CR) = senior management accountability

What happens if I get it wrong?

Zurich FSA Final Notice

https://www.fca.org.uk/publication/final-notices/zurich_plc.pdf
  • Based on breaches of Principle 3 and SYSC 3.1/3.2
  • Intra-group data sourcing arrangements
  • Employee lost an unencrypted back-up tape (containing 46,000 customers’ details)
  • Wasn’t spotted until a year later (by internal audit)

What did the FCA decide?

  • No ongoing risk assessment of the outsourcing arrangement
  • Insufficient management information to identify and manage data security risk
  • Inappropriate reliance on group policies
  • Failure to put in place adequate reporting lines between group companies
  • £2.275 million fine (after 30% discount)

Equifax

https://www.fca.org.uk/news/statements/statement-fca-investigation-equifax-ltd
  • FCA announces that it is investigating the circumstances surrounding a cybersecurity incident that led to the loss of UK customer data held by Equifax Ltd on the servers of its US parent.

If you need to know more or would like some advice, please feel free to call us here at Automotive Compliance Limited.

CALL US FOR A FREE HEALTH CHECK 01452 671 570