New laptop sir? That'll be £980,000

by admin on February 15, 2007

in General

The FSA is clearly taking coaching lessons from the SEC, dishing out harsh fines for accidents and mistakes. The latest miscreant, Nationwide Building Society, got slapped with a £980,000 penalty after a laptop containing sensitive customer data was stolen. The fine would have been £1.4 million, but they were given a 30% early settlement discount. (That made me giggle.) Which is just as well, because the detailed account reads like a comedy of errors. In its report, the FSA said:

Nationwide failed adequately to assess the risks in relation to the security of its customer information.

Nationwide had procedures in relation to information security which failed adequately and effectively to manage the risks it faced.

Nationwide failed to implement adequate training and monitoring to ensure that its information security procedures were disseminated and understood by staff.

Nationwide failed to implement adequate controls to mitigate information security risks, to ensure that employees adhered to its procedures and to ensure that it provided an appropriate level of information security.

Nationwide failed to have appropriate procedures in place to deal with an incident involving the loss of customer information and, as a result,

Nationwide did not respond appropriately and in a timely manner to establish the risks to Nationwide customers of financial crime arising from the theft of a Nationwide laptop computer.

The report then goes on to say that although risk cannot be entirely eliminated, Nationwide did a pretty poor job. The period of failure was December 2004 to 2006. Two years.

Nationwide's auditors are PwC. What part of Auditing 101 did they miss? It kinda goes like this:

Do you have laptops?

How are they managed? (lots of extra questions here)

How is customer data secured? (more questions on data security model)

What are the procedures in case of loss? (other than ring insurers…)

Is that too hard?


Andrew: that's a perfectly valid point. However, with my idea, the FSA and PwC could come to a cozy arrangement on a discounted audit fee. Same result. Howzat?

Leaving aside the audit issue for one moment, how does fining the society make any sense? The only people that were harmed by Nationwide's action were the members. So the FSA's solution? To fine the members!

This is a double-whammy - completely the wrong solution to this perceived problem. The only sensible action would have been to have fined management and redistributed back to members (recognising that it's unlikely that that would have generated any meaningful distribution).

We might have to agree to differ on this one, Alastair, but the report was clear about the causes of failure. That was how I made the link.

And yes - you can't control people!

Which part of the audit? To my mind this is an internal risk issue - the auditors may come along with a checklist approach and a fee proposal, but if I was paying for the audit of financial statements then I personally would not buy it.

Laptops have been around for many years, and this kind of problem has been blipping over the radar for as many years. I agree it's not unknown, but in practice how would you audit it? After all, it is common audit practice to make sure that access controls are properly implemented, covered by policy, and policies followed, but however good the audit, it is a fact of life that in practice many people write down their passwords - however well written the policy that says don't!

And suggesting encryption is fine, but if you do and you forget the password, then a) you lose your data, and b) under recent legislation you can get locked up for it.

As I read the FSA report, customer information was on the stolen machine and was therefore at risk when the laptop was stolen. That's a risk issue which *could* have had financial consequences for Nationwide.

If there are inadequate audit checks, then how is management meant to come up with an appropriate risk management strategy?

Part of the audit assignment is to identify control weaknesses and report those for follow up.

FSA determined inadequate control over an extended period so post-BS doesn't cut it for me.

This is a one-off event for sure but the failures arose from basic issues. Issues that should have been covered by audit recommendations.

To me, they are inextricably linked.

Somewhat bemused by your slant on the auditors. The fine is after all a post balance sheet event, and the facts of this case hardly impact on the financial systems that deliver the financial statements.

It says something about the weakness of the UK audit oversight authorities that they've not announced an investigation into PwC systems control audits and how they dovetail (or not) to the general audit. In this day and age, it's essential stuff.

This is much more than risk management.

It's worth following FSA - they have a big stick. If it was me, I'd fine PwC the same on the basis of presumptive audit failure in previous years. They can hardly argue 'we didn't know' or 'management cover up.'

Interesting that it is the FSA handing out the fines, not the Data Protection Authorities (Information Commissioner's Office). The FSA has a bigger stick...
