The Financial Conduct Authority (FCA) has disciplined four members of staff for committing data security breaches. The financial watchdog, which issues fines for data breaches and regulates UK financial services firms, gave written warnings to its staff on at least four separate occasions between 2022 and 2023, revealed by a Freedom of Information request.
The regulator, headed by executive director Sheldon Mills, reprimanded its staff for “sending FCA data to personal email accounts”, violating its security practices. The FCA oversees the conduct of around 42,000 UK businesses and is responsible for setting standards for firms to meet and holding them to account if they don’t.
It is an independent non-governmental body, given statutory powers by the Financial Services and Markets Act 2000, which is accountable to Treasury Ministers, and through them to Parliament.
Their work helps underpin the UK’s reputation as a leading global financial centre and they operate from a central head office in London with satellite operations in Leeds and Edinburgh, and have staff also based in Belfast and Cardiff.
Patrick Sullivan, CEO of the Parliament Street think tank slammed the “reckless and irresponsible” conduct of the staff responsible for the breaches and called on the FCA to toughen up its data security policies.
In 2020 The FCA admitted accidentally revealing confidential details of 1,600 consumers. The information included names, addresses and phone numbers of some complainants.
Other public sector bodies have recently warned of a heightened risk of data breaches. There have been increased warnings of attacks on the NHS with the service urging stronger cyber defence practices from its suppliers in an open letter last month.
Cyber expert Andy Ward, SVP International at Absolute Security, said: “The FCA is tasked with managing extremely sensitive data, and the use of personal email accounts greatly increases the likelihood of a major security breach.
Against the backdrop of several high profile cyber attacks, it’s vital that all organisations wake up to the very real threat posed by unprotected devices and IT systems, and ensure cyber resilience is at the top of the boardroom agenda.”
Data security has entered the spotlight as major brands from M&S to Harrods face a barrage of cyber-attacks.
“These incidents are unfortunately the tip of the iceberg, with tens of thousands of workers freely sharing corporate information across personal email accounts and AI assistants every day,” added Arkadiy Ukolov, chief executive of Ulla Technology.
“The reality is that most companies have no idea this is happening or the security risks involved. That’s why it’s crucial that robust policies and procedures are put in place, so all information can only be shared through secure channels.”