The details of the fine imposed on Equifax Ltd by the Financial Conduct Authority

Equifax Ltd, the UK subsidiary of US company Equifax Inc, has been fined £11m by the UK Financial Conduct Authority (FCA) six years after the 2017 data breach which affected over 13.7m UK consumers.

The fine drives home some important learning points for businesses – all of which are in line with global trends in cyber and data security law and regulation:

• Outsourcing and third-party arrangements, including between entities within the same group – or 'intragroup' arrangements, must be handled carefully.
• Regulators expect prompt notification of, and accurate information about, cyber and data security incidents.
• Regulators will come down hard on failures in ‘cyber basics’.

There are also clear messages to entities in the financial sector:

• ????Retail customers must be treated fairly.
• The financial services regulatory environment has changed significantly since the incident, not least following the introduction of a specific and enhanced operational resilience regime. 

During the incident, threat actors gained access without authorisation to personal data held about millions of US, UK and Canadian citizens. The records relating to a maximum number of 13,764,291 UK consumers were accessed. While the content of the individual data impacted varied from customer to customer, the types of data included UK consumers’ names, date of birth, phone numbers, Equifax login details, partially exposed credit card details and residential addresses.

The FCA held that Equifax Ltd had breached Principles 3, 6 and 7 of its Principles for Businesses, which are a general statement on the fundamental obligations of regulated firms.

• Principle 3 – Management and control – provides that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management procedures.
• Principle 6 – Customers’ interests – provides that a firm must pay due regard to the interests of its customers and treat them fairly.
• Principle 7 – Communications with clients – says that a firm must pay due regard to the information needs of its clients, and communicate information to them in a way which is fair and not misleading.

The FCA gave Equifax Ltd a 30 per cent Stage 1 discount under executive settlement procedures, and a 15 per cent credit for mitigation ‘in acknowledgement of its high level of cooperation during the investigation, the voluntary redress it offered to consumers and the global transformation programme it instituted after the incident’.

The fine follows the Information Commissioner's Office (ICO) monetary penalty of £500,000 (the highest available under the regime at that time) in relation to Equifax Ltd in September 2018 under Section 55A of the Data Protection Act 1998, reduced to £400,000 for prompt payment.

Had the incident happened when the UK General Data Protection Regulation (UK GDPR) was in place, then the ICO would have been able to impose a larger fine – up to £17.5m or 4 per cent of annual worldwide turnover, whichever is higher, although, to date, the ICO has chosen not to impose ‘mega fines’.

Intra-group outsourcing (or similar) arrangements

Firms remain responsible for compliance with the FCA rules and may not delegate responsibility for compliance when outsourcing or engaging in an outsourcing or other third-party arrangement.

In this case, the FCA found that Equifax Ltd failed to put in place an appropriate risk management framework that allowed it to identify, manage, monitor, and mitigate the risks inherent in outsourcing the processing of data to its parent.

At the time of the incident Equifax Ltd’s only controls in place for the oversight and management of outsourcing UK consumer data to Equifax Inc were those provided under:

• The data protection agreements;
• The global policies; and
• Equifax Ltd’s security function, which included the security executive that had a hard reporting line to Equifax Inc.

Equifax Ltd had the power to audit Equifax Inc but the UK company never exercised that power. A senior individual with responsibility for data protection explained that audit would not have been possible given the relationship between the two companies and that Equifax Inc’s ‘what's it to do with you […] you are not going to come along and audit your parent’ attitude caused the individual to resign.

When it came to incident response, the UK company was subject to Equifax Inc’s security incident handling policy and procedures and the person responsible for its security function reported to Equifax Inc’s global security executive. When the incident was discovered, Equifax Ltd lost the remote access it had ordinarily to Equifax Inc’s servers, so it could not obtain the subset of UK data residing on Equifax Inc’s server, which had been accessed in the incident, and Equifax Inc didn’t make it aware in a timely manner that UK customer data had been accessed (see further below).

Equifax Inc was unable to make its own assessment of the risk of harm to customers, take action to mitigate harm and fulfil its regulatory obligations properly (both in terms of managing the outsourcing risk and in handling customer complaints that resulted from the breach).

The Board had concluded following a ‘detailed discussion’ at an October 2016 Board meeting, prompted by Equifax Ltd’s compliance function, that it had ‘considered the specific issue of potential influence of the firm’s US parent upon the decision making process within the UK Board and governance structures’ and were ‘satisfied that, in relation to directions that the firm received from time to time in the normal course from the Corporation, it had appropriate autonomy to exercise its discretion, oversight and decision making in the interest of the firm’.

The FCA noted that had Equifax Ltd treated the arrangements as outsourcing it would have had to follow its outsourcing policy and risk management framework. This would have resulted in better outcomes.

Notification

The FCA criticised Equifax Ltd both for the failure to promptly identify and notify individuals and what it said to the customers it did notify.

The regulator expects prompt notification of, and accurate information about, incidents of the type to which Equifax Ltd was exposed. Firms and individuals performing senior management functions (SMFs) are expected to ensure that their outsourcing and third-party arrangements facilitate rather than hamper the ability to make such notifications.

When a firm becomes aware of a data breach, it is essential that a firm pays due regard to the interests of its customers and treats them fairly (Principle 6), including promptly notifying affected individuals and informing them of the steps they can take to protect themselves, as well as handling customer complaints in accordance with the regulatory requirements.

Communication with customers, particularly retail customers, is expected to be accurate and timely.

It is very common for the facts about what has happened to emerge slowly following a cyber attack. However, the timeline in relation to notification in this instance is a case study in how not to handle this important aspect of incident response.

• 29 July 2017: Equifax Inc detected the cyber attack and secured its systems.
• 30 July 2017, Equifax Inc told its senior management about the incident.
• By 11 August, Equifax Inc had determined that the personal identifying information of its customers may have been accessed.
• By 29 August, Equifax Inc determined that UK customer data may have been accessed during the incident but did not seek legal advice on whether an obligation to notify the ICO had arisen.
• 4 September 2017 (the US federal holiday Labor Day), Equifax Inc asked for external legal advice on UK notification obligations.
• 5 September, Equifax Inc received external legal advice that a requirement to notify the ICO had arisen.
• 7 September, Equifax Ltd was told about the incident that night, approximately a mere five minutes before Equifax Inc made a market announcement to the general public.

The FCA and the ICO learned about the incident on 8 September. In the FCA’s case this was via a press report at 9.45am, which prompted it to get straight on the phone with Equifax Ltd’s compliance department and organise a series of discussions with the company. (The FCA notification process had been put in motion but sign off to make the notification had not been received prior to the 9.45am call.)

Further:

• Equifax Ltd failed to inform over half a million individuals whose names, date of birth and telephone numbers were accessed without authorisation altogether, on the basis that this subgroup’s addresses could not be confirmed without applying a special process to the data, which it considered to be too ‘resource intensive’. It had, however, applied those processes to the data which applied to thousands of other affected individuals.
• Equifax published several public statements regarding the impact of the incident on UK consumers from 15 September, which gave an inaccurate impression of the number of UK consumers affected by the incident.

The FCA was particularly critical of Equifax Ltd stating that it had ‘established that it is likely to need to contact fewer than 400,000 UK consumers’ at a time when it knew that the incident potentially affected over 15.1m consumers.

Cyber basics

The FCA said that ‘the cyber-attack and unauthorised access to data was foreseeable and entirely preventable’. It noted that the threat actors obtained initial access to Equifax Inc’s systems via a known vulnerability for which the software provider had provided a patch.

Fixing the vulnerability was delayed because:

• Individuals within Equifax Inc that should have been notified were not notified, as the company’s list of those who should receive such notifications was not up to date;
• An employee responsible for patching software on the relevant part (a sub-directory) of the server did not identify the vulnerability and therefore the patch was not applied;
• An expired certificate prevented the correct operation of a security rule, which would have blocked the intruders; and
• Vulnerability scanning software used by Equifax Inc did not scan all parts of the server with the result that only some, rather than all occurrences of the software vulnerability on Equifax Inc servers, were patched.

The ICO monetary penalty notice covered the deficiencies in security in more detail, which included inadequate encryption, failure to ensure appropriate network segregation, permitting accounts to have more permissions than needed – each of which would have constituted a breach of Data Protection Principle 7, which provided that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Financial services-specific points

Individual accountability

There is a trend globally towards holding directors and senior managers personally to account for cyber security in order to deliver greater resilience.

The UK financial services sector has led the way on personal accountability with the introduction of the Senior Managers and Certification Regime (SMCR) for banks in 2016. The regime is aimed at reducing harm to consumers and strengthening market integrity by making individuals more accountable for their conduct and compliance. It was extended to capture all firms, including firms such as Equifax, in 2019. If the same incident were to happen today, individuals holding SMF roles (which are specified under the UK regime) may be more likely to face enforcement action as individuals.

An example can be seen in the action taken by the Prudential Regulation Authority (PRA), the FCA’s sister regulator. In April 2023, the PRA fined a former Chief Information Officer (CIO) £81,620 for failing to take reasonable steps to ensure that their firm adequately managed and supervised appropriately its outsourcing arrangement in relation to an IT migration programme. The CIO was found by the PRA to be in breach of Senior Manager Conduct Rule 2.

It is not possible to predict the precise level of sanction which either the FCA or the PRA might impose in relation to any individual involved in a similar incident in the future, but the fine provides a reference point (noting that the number of customers impacted in relation to Equifax was higher than in the previous PRA case). Other sanctions are available to the FCA and the PRA, including industry bans and public censure.

Consumer protection/consumer duty

One of the FCA’s operational objectives is consumer protection (see Section 1C of the Financial Services and Markets Act 2000 (FSMA 2000)). At the time of the incident, this objective was further articulated by Principle 6. However, since July 2023, the newly introduced Consumer Duty (Principle 12) would be applicable; the Consumer Duty introduces a higher standard.

The failures in relation to outsourcing arrangements and notification were a key part of the finding that there was a breach of Principle 6, but the failure to handle complaints well was also key. Quality assurance in relation to the oversight of complaints handling by a third party fell short and the company failed to act immediately after concerns were raised by the compliance team.

Impact of the operational resilience regime

The UK financial services regulators have introduced new rules on operational resilience; these came into force on 31 March 2022, and firms are currently working towards the 31 March 2025 compliance deadline.

Operational resilience is the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption. The rules require firms to:

• Identify their important business services that, if disrupted, could cause intolerable harm to consumers of their firm or a risk to market integrity, threaten the viability of firms or cause instability in the financial system;
• Set impact tolerances for the maximum tolerable disruption to these services;
• Carry out mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in the company’s operational resilience;
• Conduct lessons learnt exercises to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible;
• Develop internal and external communications plans for when important business services are disrupted; and
• Prepare self-assessment documentation.

Firms should note that in another recently concluded enforcement action, the UK PRA specifically highlighted its operational resilience requirements even though the incident which that enforcement action is concerned with occurred prior to the introduction of the current regime. It said: ‘the PRA’s requirements and expectations as regards managing operational resilience consolidate many long standing and well understood areas of prudential regulation that have formed part of the PRA Rulebook for several years'.

The operational resilience approach in financial services represents a methodology which could be usefully applied to deliver cyber security resilience in any sector.

Hywel Jenkins is partner and head of contentious financial services regulatory, London, and Kate Macmillan is a consultant and cyber risk advisory lead for the UK, US and EMEA at Herbert Smith Freehills
herbertsmithfreehills.com