Category: News Page 1 of 4

COVID-19: Opportunity Knocks for RegTech

COVID-19: Opportunity Knocks for RegTech

Every cloud has a silver lining. When COVID-19 hit, banks faced an enormous logistical challenge of shifting towards a secure, and efficient work from home environment. However, after the initial pain, they are now seeing the benefits as the pandemic helps accelerate the move towards digital.

Even before COVID-19 and all the chaos that came with it, digitisation represented the future. However, progress was slow. Even those organisations that accepted the need to evolve to keep up, were slow on the uptake. Old practices remained. Teams either failed to see the urgency or were suspicious of new technologies. COVID-19 meant that, like it or not, many had to make the leap and any concerns over security had to be resolved.

The effects have been rapid. Online banking has boomed as customers are shut out of branches. Even those who might have been reluctant before the pandemic found they had little option during it. Equally, teams have embraced remote working with video conferencing and online document editing becoming the norm.

In both cases those who had been reluctant adopters are realising the benefits. Employees who would previously have preferred to print and manage documents by hand are finding out how easy it is to quickly edit and send them online. Firms report relatively few home printers being used which not only reduces paper waste but without so many documents to potentially go missing, it improves security.

Across the board, people involved in digital transformation feel as if a dam has been broken. RegTech had already been growing… Investment doubled between 2017 and 2018 and projections foresaw rapid growth over the next five years. As with other areas of technology, progress was always stymied by a lack of urgency, fear of the new and legacy infrastructure.

Coronavirus has, in various ways, helped to dispel each of these. The most important is trust. In order to work effectively, RegTech firms have to convince banks to allow them to work with their most sensitive data. This carries significant procurement and compliance risk, but with increased use of technology and the sharing of data, it is helping banks to become more comfortable with the concept and to hone their due diligence.

At the same time, with financial and manpower issues becoming critical, the cost and resource savings from automated RegTech solutions also starts to become more appealing. As such, COVID-19 represents a moment of opportunity for the RegTech sector and many companies appear to be grasping this with both hands. Some have been offering open access throughout this pandemic, while others have been cooperating to improve the value they can offer their clients. Waymark Tech has been one of those providers offering free access to COVID-19 regulatory updates.

The result creates enormous opportunity for everyone. Banks have been forced to take the leap, while the specific nature of life during and after COVID-19 has increased the need for automation and technology. Going forward, technology will become even more important in maintaining the know-your-customer provisions, anti money laundering and fraud prevention.

Hackers Have the Financial Sector in their Sights

Hackers Have the Financial Sector in Their Sights

A number of hack-for-hire firms are using the COVID-19 pandemic to infiltrate financial services firms. Defences are not always good enough though.

Two reports this month highlight the problem of a rapidly growing hack-for-hire market which is targeting corporations, government institutions and not-for-profits around the world. It’s a yet another addition in the cyber war powered by highly professional and well-funded criminal organisations – and given the perfect environment by Coronavirus to step up their efforts.

First came a report from Google which identified numerous hack for hire firms, spoofing the World Health Organisation to target business leaders and companies in the US and UK. The report found hundreds of examples of Coronavirus-themed attacks which use WHO branding and encourage individuals to sign up for direct notifications for important announcements. The emails contain a link to an attacker-hosted website that closely mirrors the official WHO site featuring fake login pages, all prompting users to hand over their personal details.

In a blog, Google said:

“Generally, 2020 has been dominated by COVID-19. The pandemic has taken centre stage in people’s everyday lives, in the international news media, and in the world of government-backed hacking.”

Meanwhile, a second report from Citizen Labs highlighted a shadowy hack-for-hire organisation which it termed “Dark Basin” linked to an Indian tech firm, BellTroX InfoTech Services. As well as financial institutions, this group had been targeting rights groups and not-for-profits including Greenpeace, The Rockefeller Family Fund, and the Union of Concerned Scientists as well as a number of organisations involved in the ExxonKnows campaign which asserts that Exxon knowingly hid information about climate change.

Their investigation kicked off in 2017 when a journalist noticed a phishing attack and asked them to investigate. Their study linked the attempts to a network of URL shorteners operated by the group that they came to call Dark Basin. They identified nearly 28,000 additional URLs containing the email addresses of targets around the world. This helped researchers build up a map of who they were targeting and warn some of them.

The evidence linking this group to BellTrox was not hard to find. Employees of BellTrox were found uploading screenshots and taking credit for the attacks on social media. A number of individuals claiming to work for BellTrox could be found on LinkedIn listing services such as email penetration, exploitation and corporate espionage.

Hacking is also becoming an increasingly common occurrence in corporate disputes. The recent case between the Ras Al Khaimah Investment Authority and Farhad Azima included allegations in which Azima claimed RAKIA used the services of hackers to access his emails and leak documents online.

The reports shed light on a world in which hacking is a growth industry backed by well funded and highly professional companies. The underhanded nature of this world makes it extremely difficult to trace responsibility and the current situation makes all companies uniquely vulnerable.

All the sophisticated cyber security technology in the world can be rendered useless by a convincing email. In an environment of high uncertainty in which companies are relying on guidance from trusted organisations such as the WHO, phishing emails can become more effective than ever. All it takes is one click on a malicious link and the hackers are through the defences.

Financial institutions, as always, find themselves in the firing line. If they are breached, they face financial and reputational losses as well as compliance risks.

To counter the attackers, therefore, companies need to get their defences in order, ensure everyone in the organisation is aware of the latest attacks, and that robust measures have been put in place.

The hackers are coming and they have better infrastructure and resources than ever.

Building effective defences will be one of the key challenges of the COVID-19 crisis.

What Can We Expect From the New Head of the FCA?

What Can we Expect From the New Head of the FCA?

Chancellor Rishi Sunak overlooks Chris Woolard and chooses Nikhil Rathi to take the FCA forward into the post COVID-19 world.

There’s a new face at the FCA, but it’s not the man most expected. After a relatively positive stint as interim Chief Executive, Chris Woolard had been favourite to take the role on permanently. However, the decision to shun him in favour of Nikhil Rathi, boss of the London Stock Exchange, could have a number of implications for the future direction of the regulatory watchdog.

Woolard shunned

Woolard had been busy during his time as interim boss. He took on insurers who attempted to shirk responsibility for business interruption cover, he brought in his own QCs and hired law firm Herbert Smith Freehills to help the regulator deal with legal complexities and launched an inquiry into sub-prime lender, Amigo.

However, there is a sense that the FCA needs to be shaken up after the Woodford savings crisis, its failure to pre-empt the London Capital & Finance mini bonds scandal and the slowness of its response to malpractice in the investment sector.

Rathi, by contrast, is an outsider to the FCA and may bring a much needed freshness to the role while his track record of working in the Treasury may also have played a role in Sunak’s decision. Certainly his time at the Treasury may well help him to handle some of the upcoming challenges such as Brexit, although others may fear it makes him a little too close to Government.

The coming years will bring a number of challenges which could create friction between the FCA and Government. Rathi will do well to ensure he is seen to keep his employers at arm’s length and avoid any implication of political influence.

What to expect

As he takes his role, Rathi arrives at a pivotal time. The COVID-19 crisis has placed an enormous pressure on the FCA in maintaining its operations. It has already had to reset its priorities to ensure it can maintain the right focus despite the restrictions of the pandemic.

The financial world faces winds of change in the shape of new technology, climate change and a desire for greater accountability and better conduct. Each of these issues were front and centre of his attention as he set out his goals for the future.

The regulator also is fighting for its reputation. It has faced considerable criticism over the past few years and, like other regulatory watchdogs around the world, is under pressure to improve oversight and accelerate the conduct of cases. Rathi will need to hit the ground running and show that he can steer the regulator through the choppy waters which are on the way.

What Can We Learn From the Commerzbank Fine? - Waymark Tech Blog

What Can We Learn From the Commerzbank Fine?

The Watchdog’s second biggest fine for failing to have proper financial controls in place should serve as a warning to the rest of the sector.

The FCA has made anti money laundering one of its key focuses for 2020 and this month it showed it means business with a £37, 805,400.00 fine to Commerzbank London for failing to implement proper controls over a five year period. It’s the second biggest fine of its kind and offers some key lessons for the wider sector.

Listen to the regulator


The scale of the fine is partly down to the fact that the Bank was aware of the problem, had been warned by the regulator but failed to take action. The FCA said it had warned Commerzbank on three separate occasions about the risk of financial crime going undetected but had “failed to take reasonable and effective steps to fix them.”

Maintaining due diligence


The regulator found that the bank failed to undertake effective due diligence checks on clients. As of March 1st 2017, checks were overdue on 1,772 customers. In the meantime, many of these customers were able to continue doing business with their London branch through their Exceptional Control Scheme which the FCA argues got out of hand.

The rules apply to you


AML requirements have toughened up in recent years, and regulators have very publicly stated this is a priority. However, many financial institutions, for one reason or another, haven’t fully understood the implications of the changes or that these rules apply to them. With the EU’s sixth anti money laundering directive coming into force in December, firms will have to continually update and review their measures to maintain compliance.

Getting the technology right


Companies are increasingly leaning on automated compliance monitoring systems. However, these are only effective if functioning properly. The FCA noted a failure to address known weaknesses with the automated tool for monitoring money laundering risks. In 2015, the bank noticed that 40 high risk countries were missing from its tool and 1,110 high risk clients had not been added.

Enhanced due diligence


Companies will be coming under increasing pressure to ensure their due diligence processes are as good as they possibly can be. This means enhanced ongoing monitoring of any situation which by its nature presents a high risk of money laundering or terrorist financing and maintaining up to date data and documentation.

Prompt action


One area where the bank performed well was in promptly agreeing to resolve the issue. The FCA says that the lender agreed to make changes at an early stage of the investigation, earning itself a considerable reduction of the fine. Without these changes, the FCA says the fine would have been £50 million.

Cooperation is seen in a positive light by the regulator. They are looking to use fines to encourage change rather than as a blunt tool of punishment. Those firms that can demonstrate an understanding of the problem and a willingness to change, will receive kinder treatment.

Most importantly, this fine, coming quickly on the heels of Standard Charter’s £1.1bn fine for violating sanctions and anti money laundering rules, shows regulators are upping their games. The UK is continuing to align itself with the more aggressive approach taken towards anti money laundering within the EU in recent years. Although we do not know how closely the UK will continue to be aligned with the EU after Brexit, their actions do nothing to suggest their approach will weaken.

Why third parties present a risk - Waymark Tech blog

Why Third Parties Represent a Risk

With digital technology evolving by the day, more and more financial institutions are turning to third parties to handle an array of business functions. However, this can open up regulatory vulnerabilities which can be easy to miss – as Raphaels Bank discovered to their cost last year.

Third party risk

The FCA issued the bank with separate fines totalling £1,887,252 for failing to manage their outsourcing correctly. In 2015, one of Raphael’s card processor providers suffered a technical incident which caused the complete failure of the authorisation and processing services it provides to Raphael. This meant 5,356 transactions were not authorised at sales terminals.

The FCA investigation found that Raphaels failed to implement adequate processed to enable it to understand and assess the business continuity and disaster recovery arrangements of its provider. In particular, they had not assessed how that provider would support the continued operations of its programmes during a disruptive event.

Back in March, the FCA published new research on cyber resilience in the financial sector which included statements on third parties. Their research stressed the need for businesses to consider the risks and weaknesses of third party systems and resources when assessing their cyber resilience measures.

In January, they also released a paper explaining the implications of operational resilience for firms using third party service providers. We have more details of the FCA’s stance on the Global Regulatory Platform, but the essential message from the FCA is that every firm has the responsibility for managing its third parties. While you might be surrendering control of operations and data, the responsibility rests with you.

That means that if your third party experiences a problem which results in harm to your customers, you may be held accountable for the damage which results.

This has major implications for any company working with third parties, particularly in relation to their exposure to cybercrime. Data obtained last year from accountancy firm RSM under the Freedom of Information Act, found that a fifth of all cyber breaches occurred due to third parties.

Lessons to be learned

The lessons are clear. As a firm, you should monitor all third parties you’re working with. Each one may potentially represent a vulnerability if their processes and systems are not up to scratch.

Extensive due diligence should be conducted before entering into an agreement. You should have a full understanding of what redundancy measures are in place in the event of any disruption of system failure. You should establish how resilient the company is to cyber attacks and what measures are in place if they suffer a breach.

Failure to undertake these precautions will leave you vulnerable to fines from the regulators and in the age of GDPR, these fines can be considerable.

How AI can help boost compliance - Waymark Tech Blog

How AI Can Boost Compliance

According to the Thompson Reuters, Cost of Compliance report, the most common cited problems by compliance professionals are increasing regulatory burden, compliance with anti money laundering requirements, culture and risk, availability of skilled resources.

Those problems are likely to become even more serious after COVID-19 as financial services companies seek to maintain business resilience throughout this unprecedented crisis. Costs will be cut and the compliance department will be one of the first to face scrutiny.

This was already happening before the outbreak. According to Accenture, most compliance departments are having their budgets cut and are being presented with cost reduction targets.

This comes despite the compliance department moving to the fore in recent years. Since 2008, regulators have been tightening their oversight and are constantly adjusting guidance – and bringing in new regulations. Each update will bring new requirements for firms to comply with. Keeping up to date with the evolving landscape and ensuring your teams are doing everything they can to stay the right side of the rules is a constant struggle.

Secondly, the rise of cybercrime and the increasing tendency of businesses to handle data remotely has also seen regulators ramp up the pressure on firms to ensure clients have control over their data, to keep that data safe and identify where breaches occur as quickly as possible.

Thirdly, the need to comply with regulations and maintain the integrity and resilience of systems has seen a dramatic increase in the data management and administration requirements of firms. More than ever, they need oversight of their key systems and to process information and control their data.

For example, if a client asks for their data to be deleted or altered, as they are able to do under GDPR, firms must be able to retrieve that information as quickly as possible and feel certain that they haven’t left some of that client’s personal data lying around somewhere.

Equally, MiFID II requires that they maintain a complete record of all communications with clients over business dealings. They will have to ensure this data is stored safely and can be retrieved at short notice to satisfy regulators.

Compliance teams will also need to maintain a transparent trail of evidence demonstrating what steps they have taken to comply with the regulations. The burden is heavy. However, all this work drives zero revenue into the company which is why compliance is traditionally one of the first candidates to be trimmed.

The challenge is familiar: to do more with less. At a time when workloads are being upped they are being asked to cut costs.

Unsurprisingly, therefore, firms are investing in AI and automation technologies which can variously reduce costs, streamline operations, improve oversight and reduce the risks of human error.

Some of the most common areas in which AI and automation are being used include:

Monitoring regulatory sources:

Applications can constantly monitor regulators for changes and updates to the regulations. They can notify the compliance team who can then determine what action they should take. Systems use natural language processing (NLP) algorithms to analyse news releases and extract salient information.

Checking compliance with regulations:

Both firms and regulators are making use of applications which monitor a firm’s compliance. Rather than spending time on audits, these applications can alert compliance officers and authorities to breaches, record evidence and prompt the user to take action.

Processing large quantities of text and other data:

New regulations normally get to the market in the form of lengthy documents, often comprising hundreds of pages. Compliance officers and business leaders may not have the time to go through all documents. However, applications can use natural language processing to read through the documents and extract the key actionable highlights.

Such systems are not fool proof. They rely on the AI working as intended in order to deliver value. By automating systems, businesses assume they are eliminating the risk of error. However, they are placing a huge amount of faith in the algorithms underpinning the application. Due diligence will be essential to ensure systems can deliver on their promises.

Even so, automation can significantly improve outcomes for businesses. On the one hand they will be able to reduce the time and attention spent on compliance, while on the other, the increased oversight they offer will provide value in many different ways. It will shine a light on areas of the business which hitherto remained in the shadows. As such, they can even help a business improve performance, cut risks and identify revenues. They help take compliance from being an administrative function and turn it into a proactive tool in driving the business forward.

If you would like to understand more about how AI can help your compliance efforts, please get in touch and we will be happy to guide you. We can offer a trial to demonstrate just how effective our systems are.

Please contact Mark for enquiries.

Was EasyJet Responsible for the Recent Data Breach?

Were EasyJet Responsible for the Recent Data Breach?

Has EasyJet mishandled customer data? Were they responsible for the recent data breach? Could they have done more to prevent a cyber-attack?

These are all questions being asked, among many others.

With an annual global turnover in the region of £6.4 billion in 2019, the airline company is facing a potentially very heavy fine from the Information Commissioner’s Office (ICO) relating to the breach, under General Data Protection Regulation (GDPR). This will not include compensation payouts to affected customers if negligence on the part of EasyJet is proven, which could reach up to £3 billion.

EasyJet has said the breach was due to a:

“highly sophisticated cyber-attack.”

eaSYJET

Around nine million customers have been affected with email addresses and travel itineraries stolen. Furthermore, 2,208 customers who stored their debit and credit card details within their profiles on the EasyJet website, have had them stolen.

Why are we only finding out about this now when EasyJet was first alerted to the attack in January 2020?

Good question.

EasyJet has claimed it was only able to inform those customers whose card details were stolen in early April 2020.

When questioned by the BBC as to why it took so long to notify customers, EasyJet stated,

“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted.”

EASYJET

They added,

“We could only inform customers once the investigation had progressed enough that we were able to identify whether any individuals had been affected. Then, who had been impacted and what information had been accessed.”

EAasyjet

It turns out that even the secure CVV digits (the three verification numbers on the back of cards) of those 2,208 customers had been accessed.

EasyJet has warned all affected customers that their email addresses had been stolen during the cyber-attack and has advised them to be aware of potential phishing attempts. No details on the exact nature of the attack have been provided by the airline company, however, it confirmed the investigation is ongoing and believes the attackers were targeting the airline’s intellectual property. It didn’t believe they were stealing data to use in identity fraud. EasyJet maintains its stance that it does not think that any of the nine million customers’ personal data has been misappropriated and has further advised that it has been acting under the recommendations of the ICO.

Until the ICO has completed its investigation, EasyJet faces a more pressing issue. The law firm, PGMBM has issued a class-action claim against the airline which could mean a possible liability of more than £18 billion. PGMBM has filed the claim in the High Court of London on customers’ behalves. One of the reasons for this lawsuit is the fact that it took EasyJet four months to inform customers of the breach, even though it had informed the ICO earlier than this.

The British Airways cyber-attack and subsequent data breach in 2018 should have been a warning to all airline companies. Unfortunately, passenger trust is extremely low during the current crisis and this breach has most certainly not helped that.

The ICO is still investigating the data breach. It said that the general public has a right to expect companies to maintain their personal data in a secure and responsible manner and where that does not occur, it will “take robust action”. Due to the coronavirus pandemic though, they may need to be more lenient in regard to the EasyJet data breach, considering how badly the airline industry has been affected. They must, nevertheless, act adequately because they have been deemed as having not done enough around GDPR enforcement.

What can we learn from the EasyJet fine?

Keeping on top of data protection under the GDPR rules has never been more important. These turbulent times we are experiencing have meant significantly increased cyber-attack attempts and a growing number of cyber criminals with the majority trying to access stored personal information and intellectual property. If your own business does not have data control protocols in place, it is high time to plan and implement them – without delay.

Final thoughts

EasyJet has advised affected customers that they should be weary of any messages claiming to come from either EasyJet Holidays or EasyJet itself. Regrettably, the COVID-19 pandemic has brought with it an increase in the occurrence of phishing attempts and Google is purportedly blocking over 100 million attempts each and every day. This does not include those phishing emails that manage to slip through the net, so the public needs to be more alert than ever to these potential threats.

No doubt, the trust of most airline customers has been significantly affected and organisations will need to work hard in gaining it back. EasyJet, especially, will need to clarify why it took so long to publicly announce the cyber-attack. Yes, it has been working with the ICO to handle the issue, however its customers’ data was still out there, without them knowing, for months. Perhaps the fact that EasyJet has been liaising with the ICO and NCSC will reduce the impending GDPR fines, but still, a cyber-attack occurred and the customers whose personal data was stolen should have been notified sooner in order to take appropriate safeguarding action.

Opportunity Knocks: How to Protect Against Money Laundering During COVID-19

Opportunity Knocks: How to Protect Against Money Laundering During COVID-19

The current crisis created a golden opportunity for fraudsters. A heady cocktail of disruption to business processes, financial pressures and multiple online transactions mean the stage is set perfectly for cyber criminals and money launderers. Regulators, therefore, have been issuing guidance to companies about how they can reduce their exposure.

The Institute for Chartered Surveyors acknowledges where some of the biggest risks will come from. Their guidance document on anti money laundering states:

“In particular, firms should consider whether the current economic climate may make them or their customers more susceptible to financial difficulties or other pressures, thus creating risk and potential weaknesses for criminals to exploit.”

In France, guidance from the Commission de Surveillance du Secteur Financier (CSSR) has identified a number of activities terrorists and criminals can exploit, including:

  • Online payment services
  • Clients in financial distress
  • Mortgages and other forms of collateralised lending
  • Credit backed by government guarantees
  • Distressed investment products; and
  • Delivery of aid through non-profit organisations.

The FCA’s revised business plan for 2020/21 places a firm focus on mitigating problems caused by COVID-19 including the heightened vulnerability to cybercrime and money laundering. It expressly confirms that it will continue to take enforcement in this area. It is also consulting on extending its Financial Crime Data Return to strengthen risk-based supervision in this area.

Stay alert

All the guidance from various authorities hammers home similar messages. The risks are higher and firms must have effective systems and controls to detect and mitigate the risk of money laundering. To avoid enforcement action, firms will have to be able to point to documentary evidence which shows they have taken necessary steps.

Here are the key lessons that firms can take away from this:

  • Identifying weak points: As institutions shift to work from home models, their risks multiply. They will be moving much more data across the cloud as their workforce shifts to a predominantly work from home model. They must maintain system security by establishing clear protocols and endpoint security.
  • Maintain oversight: Disruption to business processes must not be permitted to compromise monitoring and oversight of transactions. This may become more difficult due to the expected increase of online payment transactions as well as interruption to their regular working patterns.
  • Managing delays: The FCA acknowledges that disruption may force firms to prioritise or delay some operations such as customer due diligence. However, where this happens, they must show they have taken a risk-based approach. For example, delays to due diligence to high risk customers should be avoided.
  • Verifying client identity: Travel restrictions can make it more difficult to verify the identity of clients. However, firms should be able to ensure numerous verification procedures are carried out remotely. For example, by accepting scanned documents by email or asking clients to submit digital photos to compare with other forms of ID.

COVID-19 is a gift for a fraudster. It hinders the ability of financial firms and regulators to maintain oversight and to safeguard against the possibilities of fraud. By understanding the challenges and what alternative options are available to them, firms can minimise the interruption to their processes and strengthen their defences against criminals as much as possible.

FCA Warns Banks on Customer Communications - Waymark Tech Blog

FCA Warns Banks on Customer Communications

The COVID-19 crisis has created numerous challenges for the financial sector, but one which often goes unseen is the logistical challenge of maintaining communication with customers. With lockdown in place it is difficult for banks to maintain the speed and efficiency of paper based communications. However, the FCA has reminded the sector of its obligation to do everything it can to comply with communication obligations.

Back in March, the regulator warned financial advice companies not to work in the office, and to avoid face to face contact with clients. Alternative arrangements were to be made online, but this left a gaping hole for those customers who, for one reason or another, were unable to access online services. Maintaining a business as usual service for these clients is proving to be a major problem.

In its recent guidance, the FCA is keen to ensure that despite these problems, offline clients are protected as much as possible.

Notifying the FCA of issues

While the regulator still expects firms to try and comply with paper-based requirements, it acknowledges this may not be possible in every case. There will be flexibility with timescales and they will be more understanding. However, they do expect firms to demonstrate what steps they have taken to minimise the impact as far as possible and to notify them of any problems they expect to encounter by emailing firm.queries@fca.org.uk

For example, a firm would need to collect and send out paper documents as often as possible ensuring that while the service might be slower than normal, offline customers do not miss out. Funds should be returned to clients as quickly as possible if a delay means they cannot proceed with the transaction.

Clear communication

At times of uncertainty, transparency becomes even more important than usual. Firms will be required to provide regular updates about how they intend to treat incoming and outgoing post. Customers should be updated on evolving market conditions and shown how they can check their statements if they arrive late.

Face to face alternatives

Face to face meetings for issues such as suitability assessments may not always be possible. However, the FCA has urged companies to investigate alternative options such as phone conversations or online due diligence checks. Firms should send out the results of any assessment either online or through other means.

The FCA has experienced plenty of problems of its own. Back in April, it admitted it could be many months before it is able to address its key regulatory priorities. It is making its own adjustments and has said it may have to redraw its business plan to take into account the evolving situation.

Maintaining business continuity is an issue for all businesses. While online technology, makes it possible to deliver more services remotely, it is the small minority who can’t access the internet who are at risk of being disadvantaged. Inevitably, these people are more likely to be older or more vulnerable and will be even more adversely affected by delays to their services. The FCA, then, is striking a balance between being understanding for customers but keeping up the pressure to protect those clients who may suffer.

Protecting Against Cybercrime During COVID-19 - Waymark Tech Blog

Protecting Against Cybercrime During COVID-19

Cyber criminals are “making hay while the sun shines” during the pandemic, but regulators promise to be more understanding. What does that mean in practice?

An uncertain economic situation, financial volatility and a workforce working from home all make for a cyber criminal’s dream come true. The number of threats are growing and vulnerabilities are widening. Keeping data secure is more difficult than ever and this may have a number of compliance and regulatory issues for firms.

Home and mobile working

Most companies have dramatically upped their work from home provisions and they have done so with relatively little warning. Most professional people are almost as well connected at home as they are in the workplace. Broadband speeds are fast and people’s personal computers are generally high spec.

However, home networks will usually not be as secure as a company’s. In the home, you will have increased the number of endpoints coming into your central system which is like making lots of holes in the walls of a building. Even the most secure operation can become compromised.

In March, the UK’s National Fraud and Cyber Crime Reporting Centre reported that Coronavirus related frauds rose by 400% in March. This was said to be linked to the increase in home working. They have issued fresh guidance about the steps firms should take before moving to a work from home model.

Compliance issues

Despite these challenges, the Information Commissioner’s Office has confirmed that firms will continue to face the same reporting obligations as always under GDPR. Privacy rights remain ‘paramount’ according to the watchdog which means breach notification rules still apply.

However, the regulator has said they will allow for flexibility given the unprecedented situation we now find ourselves in.

In a statement, the UK’s Information Commissioner, Elizabeth Denham said:

“We see organisations facing staff and capacity shortages. We see the public bodies facing severe frontline pressures. And we see the many businesses facing acute financial pressures. Against this backdrop, it is right that we must adjust our regulatory approach.”

elizabeth denham

What this means in practice is that the regulator will be more understanding when considering action. It says it understands the operational challenges confronting companies including staff shortages, reduced operational capacity and financial constraints. They use this, they say, to foster an ‘empathetic and pragmatic approach’ throughout the pandemic including how enforcement powers are executed and what technical advice they take.

So what does this mean in practice?

Although they are being more flexible, data protection is still vital which means the rules around breach notification still apply. Any organisation which suffers a breach will still have to report it to the ICO within 72 hours of discovering it. Even so, they have ceased all audits and if the problem is caused as a result of the pandemic, they will take this into account. The commissioner appears wary of being seen to chase healthcare organisations while they are trying to save lives.

Any organisation which processes data will still have to pay their annual fee to the ICO, but will not prosecute any organisation failing to do so if they can provide evidence that they cannot pay due to the fallout from the pandemic.

Last but not least, any fines issued are likely to be lower, for all breaches. The ICO says it takes affordability into account before issuing any fine. Given the impact on companies finances, therefore, that is likely to mean any fine issued will be much lower than before the coronavirus outbreak.

Most importantly, this is no get-out-of-jail-free card. The ICO is being more flexible and it will be more understanding, but a company must still meet its obligations to safeguard data and report breaches. Failure to do so will still result in a fine.

More importantly, failure to take adequate measures will have much wider reaching consequences than just the wrath of the regulators. The ICO may be more understanding, but there’s no guarantee customers will be.

The move to a home working situation also makes your systems and the personal data of your customers more vulnerable. The reputational and financial impact of a hack will be just as high as always.

Page 1 of 4

Powered by WordPress & Theme by Anders Norén