The £14m fine imposed on Capita following its 2023 cyber breach is more than just a headline. Behind the numbers are people whose personal data was exposed, employees at risk and families whose financial security was shaken. It’s a stark reminder of the reputational, financial and operational risks that accompany weaknesses in data security, but also a warning that the real cost of cybercrime is often human.
For any business that handles sensitive data, the stakes have never been higher. Mortgage lenders, servicers and technology providers hold some of the most confidential customer data in financial services. With cyber-crime now one of the UK’s fastest-growing economic threats, resilience isn’t only about protecting reputations and avoiding fines; it’s about safeguarding the people who trust us with their most personal information.
Accountability starts at the top
What’s clear from the Capita case is that security can no longer be treated as a technical issue delegated to IT teams. True resilience starts with board-level oversight. Every organisation should be asking:
Do our executives understand the specific risks to our business and to our customers?
Is security embedded into our governance and risk frameworks?
Are we resourcing it appropriately?
Boards that take a proactive approach – receiving regular security briefings, rehearsing incident responses and integrating cyber-risk into enterprise risk management – are far better equipped to respond quickly and limit damage when incidents occur.
The need for early warning
The National Cyber Security Centre’s (NCSC) Early Warning is a free service designed to inform your organisation of potential cyber-attacks on your network as soon as possible, potentially giving you the crucial time needed to combat them. Yet many businesses either aren’t registered or don’t act on those notifications. These alerts can identify vulnerabilities before they’re exploited and provide guidance on mitigation – preventing the kind of real-world consequences we’ve seen affect families, customers and employees in recent attacks.
For regulated sectors like financial services, where operational resilience is already a supervisory priority for the FCA and PRA, leveraging the NCSC’s intelligence isn’t optional; it’s essential. Rapid response to emerging threats can mean the difference between a contained event and widespread impact on people’s lives, along with a multi-million-pound fine.
Security across the supply chain
Another lesson from recent breaches is that security must extend beyond your own perimeter. As businesses increasingly rely on third-party suppliers for everything from data storage to customer communications, weak links in the supply chain can expose the entire ecosystem.
The government’s Cyber Essentials framework offers a robust starting point. By requiring suppliers to demonstrate compliance with baseline security controls, organisations can build greater assurance into procurement processes and reduce systemic risk. In a connected market such as mortgages and savings, where multiple parties handle consumer data through the lifecycle of a loan, this level of due diligence is non-negotiable if we’re to protect consumers from harm.
The Capita fine will undoubtedly prompt many boards to review their own resilience measures. But the goal shouldn’t be fear-driven compliance; it should be continuous improvement. Cyber-risk evolves daily and so must the defences that protect consumers and the firms that serve them.
In an increasingly digital mortgage market, where automation, APIs and open data are driving innovation, the industry has a collective responsibility to safeguard the systems that power everyday financial lives. Because at its heart, cyber resilience isn’t about avoiding penalties – it’s about protecting people.
Warren Higgins is chief information officer at Phoebus Software