The UK’s Financial Services Authority today fined a financial firm almost £1 million for failing to provide adequate information security.
The FSA said it fined Nationwide Building Society £980,000 ($2.2 million) for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee’s home last year.
During its investigation, the FSA found that the firm did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime.
The FSA also discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.
Nationwide’s failings occurred at a time of heightened awareness of information security issues as a result of government initiatives, increasing media coverage and an FSA campaign about the importance of information security.
“Firms’ internal controls are fundamental in ensuring customers’ details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up-to-date to prevent lapses in security,” said Margaret Cole, director of enforcement. “The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security.”
The FSA acknowledged that Nationwide has co-operated fully in the course of the investigation and has undertaken a number of actions to address this failure, including: taking a range of additional measures to increase security around accounts; informing customers of the loss of information; affirming its existing policy to reimburse any customer that has suffered financial loss as a result of this incident; and commissioning a comprehensive review of its information security procedures and controls.
By agreeing to settle at an early stage of the FSA’s investigation, Nationwide qualified for a 30% discount under the FSA’s executive settlement procedures – without the discount the fine would have been £1.4 million.
(£1 = approx. $2.27)
Fine follows theft of laptop from employee’s home
- By: James Langton
- February 14, 2007
- 10:15