Naomi Tudor, head of corporate banking, Shakespeare Martineau
In a world where data security is more important than ever, banks and financial institutions face a significant level of public and professional scrutiny about how they proactively manage cybersecurity threats, and how they respond in the event of a breach.
According to data released by the Financial Conduct Authority, the number of breaches reported by financial institutions rose five-fold in 2018, compared with the previous year. So, at a time of heightened sensitivity, what types of threats do banks face and how should they go about managing them?
By their very nature, banks of any size are targets for criminals. They hold vast amounts of personal and financial data which can be exploited in a variety of ways, from directly transferring funds out of individual accounts and selling on customer information to other criminals, to leveraging the data to hold institutions hostage with the aim of causing widespread business disruption.
The methods that criminals employ to target banks are varied and sophisticated, ranging from direct attacks on computer systems and IT infrastructure to approaches to customers in an attempt to obtain their personal data. For example, a common method employed by fraudsters uses fake email communications targeted at customers, asking them to transfer funds or confirm account details. If the request is complied with and money is sent, by the time the funds reach a clearing bank it is usually too late and the money cannot be returned. This form of scam – although simple – catches many people every year.
However, even before the onset of the new GDPR regulations last year encouraged businesses across all sectors to re-think their data protection policies, larger banks and newer funders had been investing significant amounts of money in IT infrastructure. Having systems that are as secure as possible in house is important; however, it is essential to remember that this stringent approach should also extend to an institution’s supply chain.
Vulnerabilities further down the chain, with third-party suppliers, can provide a route in for criminals who exploit weaknesses in order to gain access to larger parties further up the chain. Banks, in particular, have recognised how important it is to properly vet suppliers for suitability and check compliance. Any business which wants to engage in a commercial arrangement with a financial institution will find itself faced with a lengthy and rigorous process to navigate – however, this is all in the interest of security.
One thing which is certain is that any business, no matter what precautions it has in place, can fall prey to a cyber-attack. Technology evolves at a rapid pace and with it, so do the methods which criminals may employ to gain access to personal data. However, in the event of a breach taking place, the way in which customers are informed is essential in limiting both reputational and financial repercussions.
In general, customers should be alerted as soon as possible if their personal data has been compromised and the majority of institutions will have processes in place to ensure that this is done in a timely fashion. Not reacting quickly enough and failing to inform customers can attract anger from both the Information Commissioner’s Office, and the general public.
For banking institutions and funders, regardless of size, reputation is highly important. Gaining trust from the general public and from the business world that the service provided will be secure and transparent is especially important both for attracting new customers and for retaining current ones.
A large part of defending against, and reacting to, cyberattacks in the best way possible comes down to training and awareness, both for internal employees and the general public. In the wake of the GDPR legislation being introduced, data protection and information security courses have become much more commonplace in the working environment and there is a general push for all employees, no matter seniority, to take a more proactive stance in ensuring that personal data is as protected as it can be.
Within the general public, whilst fraudsters are continually discovering new ways to trick people into handing over their personal data, there must be greater awareness of best practice when discussing sensitive financial information. This includes never giving out critical information, such as account numbers, over the phone, and being aware of emails from fraudsters masquerading as official messages from the bank or funder.
The reality is that all organisations, no matter what sector they operate in, must be more in tune than ever before with the threat of data security breaches. Aside from significant financial penalties from the Information Commissioner’s Office, the lasting damage to reputation can be especially hard to repair.