Cyber LegalityCyber SecuritySecurity Culture

Foxmeyer Drugs Failure & GBP 300M Hit: Enough to Take Cyber Risk Seriously?

As long ago as the late 1990’s IT project failure had the potential to be an extinction level event, even for a major corporation.  The failure of USD 5 billion pharma giant FoxMeyer Drugs after a failed ERP implementation is now used as a teaching study at universities, click here.

Fast forward 20 years, and the BBC recently reported the effect of April 2018 IT problems at TSB Bank with some GBP 330m in extra costs pushing the bank into a GBP 105.4m loss in 2018, down from a GBP 162.7m profit in 2017. Read more.

The fiasco also cost TSB its chief executive, with Paul Pester stepping down in the wake of the affair.  The bank still faces an ongoing investigation by the Financial Conduct Authority, which has powers to issue multi-million pound fines. 

We should point out that TSB is by no means the only troubled bank.  Tesco Bank was fined GBP 16.4m for failures in a 2016 cyberattack and as far back as 2014 Royal Bank of Scotland, National Westminster Bank and Ulster Bank were fined GBP 42 million for IT failures in June 2012. Read more.

As reported here elsewhere, the FCA – and bear in mind this the banking industry regulator with only a tangential interest in matters IT and Cyber – is “deeply concerned” at the 138% increase in technology outages in the past year, with 15% of operational incidents related to third party issues and cyberattacks making up 18% of incidents reported between October 2017 and September 2018.


  • IT risks, whether from cyberattacks and data breaches or failures of business-critical systems, have reached the potential to be major disasters for businesses in every sector. 
  • The almost total dependency on information technology in the modern business world means that IT Risk can no longer be considered an arcane or esoteric field.
  • Expect to see cyber risk governance become part of mainstream corporate reporting, investment guidelines and regulator frameworks.

The UN-supported Principles for Responsible Investment initiative addresses the topic here.

The world bank has published two papers on Cybersecurity, Cyber Risk and Financial Sector Regulation and Supervision here.

The 2017 Deloitte “Governance in Focus: Cyber risk reporting in the UK” report found that “87% of the FTSE 100 clearly pulled out one or more elements of cyber risk as a principal risk in their disclosures. IT systems failure was identified in the principal risk disclosure by 71% of the FTSE 100 and cyber-crime or cyberattack was identified by a slightly higher 72%. Data protection risk – the risk around sensitive information, in particular compliance with data protection regulations – was identified by 59% while data theft or misappropriation of data, including intellectual property (IP) was specifically identified as a risk in only 33% of annual reports – although of course some companies will see this as falling under a broader risk of cybercrime. For one third of the FTSE 100 to call data theft out as a principal risk indicates just how reliant we all are on technology, and how this increases our vulnerability.”

In the USA, BDO’s 2018 cyber governance survey makes for interesting reading with the following data:

On 20th February 2018 the SEC voted to approve interpretive guidelines for cyber risk disclosure which includes the statement that “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack. Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”

Show More
Back to top button

We use cookies on our website

We use cookies to give you the best user experience. Please confirm, if you accept our tracking cookies. You can also decline the tracking, so you can continue to visit our website without any data sent to third party services.