Industry Updates
CBI Enforcement Firm Hit with Fine for Cyber Security Failures
06 Aug 2020
The Incident
Administrative Sanctions Procedure
It can impose various sanctions (by way of settlement or on foot of findings at an inquiry), ranging from reprimands to financial penalties of up to €10 million or 10% of turnover on a regulated financial service provider (whichever is the greater), and fines of up to €1 million on individuals involved in that firm’s management.
The Central Bank investigation identified five contraventions of the client asset rules and organisational requirements in the MiFID Regulations3 by BOIPB. It found that BOIPB failed:
- to implement sound administrative procedures and internal control mechanisms for third party payments;
- to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud;
- to establish, implement and maintain systems and procedures adequate to safeguard the security, integrity and confidentiality of client bank account details;
- to establish, implement and maintain adequate internal control mechanisms to comply with its obligations in relation to reporting of offences under section 19 of the Criminal Justice Act 2011; and
- to monitor and regularly assess the adequacy and effectiveness of the procedures and the actions taken to address deficiencies in respect of third party payments.
The Central Bank determined the fine to be €2,370,000, which was then reduced by 30% in accordance with the ASP's early settlement discount scheme.
This is the second time the Central Bank has imposed a sanction where a client has suffered a loss from cyber fraud as a result of a firm’s regulatory failings and its 137th settlement since 2006, bringing the total fines imposed by it to over €105 million.
This case closely follows the publication of an industry letter by the Central Bank on 10 March 2020 to asset management firms relating to thematic inspection findings into the cybersecurity risk management practices in asset management firms.
Coupled with the decision in this case, it highlights the Central Bank's continued focus on cyber security risk management and the importance of having proper policies and procedures in place.
Further Information
2. https://www.centralbank.ie/regulation/how-we-regulate/enforcement/administrative-sanctions-procedure
3. The European Union (Markets in Financial Instruments) Regulations 2007, since replaced by the European Union (Markets in Financial Instruments) Regulations 2017