Zurich Insurance was last week slapped with the biggest ever fine for security failings – £2.2m – as the Financial Services Authority flexed its muscles.
The hefty penalty was dished out for the firm’s failure to have systems and controls in place to prevent the loss of confidential customer information.
The failings were highlighted after 46,000 customers’ personal details, including bank account and credit card information, were lost.
The loss could have led to serious financial detriment for customers and even exposed them to the risk of burglary, although there is no evidence to suggest that the data was compromised or misused.
Zurich was also found to have failed to take reasonable care when managing risks of outsourcing its data. The insurer outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa.
But due to a lack of communication it did not know about a back-up tape lost in August 2008 until a year later. The firm failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime.
Margaret Cole, director of enforcement and financial crime at the FSA, says: “Zurich let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich South Africa.
“Firms across the financial sector would do well to look at the details of this case and learn from the mistakes Zurich made.”
As Zurich agreed to settle at an early stage of the investigation, it qualified for a 30% discount, without which it would have been fined a whopping £3.25m.