TSB's £105m loss due to IT failings underlines cyber resilience importance

Dr Jason R.C. Nurse comments on the £105.4m in losses announced by TSB due to its 2018 IT meltdown and why cyber resilience is now a must for organisations of all types.

‘The complexity of IT systems today, especially in industries such as finance, is extremely high. These systems are often years in the making and are subject to constant changes and updates, by countless individuals.

‘The case of TSB is an interesting but unfortunate one that demonstrates this complexity and the impact on the public when necessary IT processes fail. It is hard to imagine that TSB would not have taken months to plan the migration of customer data from the IT systems of former owner Lloyds, to the new system managed by its Spanish owner, Sabadell. Nonetheless, it all still went very wrong.

‘IT meltdowns are not that uncommon and we have seen this happen to other large organisations. In 2017, for instance, British Airways reported a power surge impacting its systems that led to travel chaos for 75,000 passengers. In 2018, a hardware failure led to a Visa network outage causing payment failures across the UK and Europe.

‘Amid these meltdowns, what is increasingly important is how organisations respond after cyber crises or IT problems, and ultimately how they remain cyber-resilient. Cyber resilience is a relatively new term but draws on familiar topics such as business continuity management. It aims to provide direction on how companies adequately bounce back from these issues such that services are not as significantly impacted as they were in the examples above.

‘Resilience is set to become one of the most important topics in cybersecurity simply because hacks, breaches and IT issues are more likely than not to occur. Therefore, every organisation needs to understand how to recover as elegantly as achievable and such that any resulting harms disturb as few customers, suppliers and stakeholders as possible. There are also regulatory aspects such as the requirements placed by the General Data Protection Regulation (GDPR).

‘The emergence of cyber harm is a crucially important topic for businesses as it encourages them to think about impacts broader than financial or reputational issues; for example, there is an emphasis on societal and psychological harms due to incidents. In the TSB case, up to 1.9 million digital and mobile banking customers were unable to access their accounts. Inability to access accounts could have led to an inability to conduct normal daily activities or even to pay bills or rent. This represents real, tangible issues beyond ‘just’ not having access to an online account.

‘Going forward, organisations will need to think very carefully about how they manage IT systems and how they develop programmes for cyber resilience that protect not only themselves but their customers and other stakeholders from harm.’
