FCSA is aware of the recent cyber-attacks on members. The consequences to employees of the affected umbrellas can be severe and may take some time to resolve. Many of those employees affected will understand just how difficult it is to fully secure systems in an era where technology is at the core of many businesses. Security, specifically IT security and data integrity, is a fundamental corporate risk.
Whilst there are current attacks underway, there is, naturally, a focus on resolving what are major system outages as soon as possible and striving to minimise the impact on employees expecting payments or having queries go unanswered. In our view it is crucial that workers are kept informed of progress.
FCSA’s view is that when a cyber-attack occurs, there should be rapid and open communication to affected workers, and that workers should be updated regularly. It is vital that steps should be taken to process payments, even if on an interim basis, as soon as is possible. It is our view that the integrity of services to, and the personal data of, workers should be of paramount concern.
FCSA recognises that, particularly in the case of ransomware attacks, the time from attack to resolution is affected by multiple factors and difficulties. These include the ability of targets to contact attackers, the involvement of law enforcement agencies and, often, engaging specialist data recovery experts to reactivate systems. It is rarely a simple case of “restore from backup”.
However, we expect FCSA members to make every effort to ensure that employees are paid outstanding amounts as quickly as possible and that they are as open and honest with their employees as they can be given the need for the involvement of law enforcement personnel and recovery specialists.
FCSA is not a regulator, and its expertise is in compliance with employment and tax regulations for the sector. Nevertheless, we urge all our members, and all organisations in the supply chain, to prioritise their response to this risk by undertaking comprehensive and regular reviews of their system security and safeguarding of personal data and, at the very least, putting in place the appropriate measures recommended by the National Cyber Security Centre.