It may surprise some that the financial services sector remains in the firing line when it comes to data breaches. Surely most firms do take risk management seriously and give security the highest priority.
Yet, according to the Information Commissioner’s Office (ICO), data theft from financial services firms rose by almost 25% last year, with those affected including banks, insurers and a range of advisory businesses. There were some 140 data breaches in the year to the end of March, up from 114 for the previous year.
The Italian job
Banks are, of course, a prime target, and one breach which received widespread coverage was announced in July when Italian bank UniCredit, the country’s largest, admitted it had been affected by a series of hacks resulting in the theft of biographical and loan data from 400,000 client accounts.
It is understood hackers accessed the data through an outside business employed by the bank, which has not been identified. UniCredit has since carried out checks, closed the breaches and upgraded its IT systems. Clearly one key lesson here for risk managers is to ensure business partners are chosen with the utmost care and that audits are carried out frequently.
However, overall, the ICO did find that banks saw a decline of 45% in their number of breaches, while insurers were less secure - the insurance sector reported 32 breaches to the ICO in 2016/17, compared to 16 in the preceding year. Just one example of an impacted insurer was RSA, which in January was fined £150,000 by the ICO following the loss of personal information of nearly 60,000 customers.
Prevention is better than cure
When it comes to data security, there are strategies common to all that can reduce exposures. Indeed, the Online Trust Alliance has said that having strong compliance processes, training and up to date technology for detection and response can prevent 90% of data breaches.
Further, some of the issues risk managers within financial services may want to discuss with boards and IT to ensure security is as robust as possible include:
- Ensure the business is GDPR ready
With the implementation of the General Data Protection Regulation just around the corner, now is the time for last minute checks on preparedness.
- Use the ICO as a useful reference source
The ICO is a powerful authority and will be even more so as it grows its staff by around 40%. It will also be overseeing the GDPR, but apart from its powers, it also produces invaluable guidance for businesses.
- Avoid complacency, even if there is effective security
IBM has said financial services are a magnet for cyber criminals because of the valuable data held. How can standards be tightened even further?
- Is there a better way of doing things?
Encryption is the norm for many firms, as is automatic patch management. Equally, more businesses are now insisting that employees use strong passwords. Data security does not stand still, and there may well be ways of refreshing processes.
- Are employees doing their bit?
A chain is only as strong as its weakest link, and if some employees are lax about security, then they pose a risk. It was recently revealed that some NHS doctors were using Snapchat to send patient scans, which is viewed as unsafe. Equally, are staff aware that some phishing emails can be plausible and that they must remain vigilant?
Data security issues may well be one of risk managers’ biggest concerns – but this is as it should be – and there appears to be no respite in sight. A rising number of breaches, far too many determined criminals and potentially huge regulatory fines mean financial services firms must do all they can to avoid being caught napping.