Mike Turner, Global Cybersecurity Chief Operating Officer, Capgemini
Do you trust your bank to protect your data? In a recent CapGemini report, 83% of us trust banks to have very good cybersecurity systems. This is in comparison to trust in retailers (13%) and e-commerce (28%). Banks are seen as trusted partners but is that trust misplaced? The answer appears to be yes.
Around a quarter of all financial institutions have reported being the victim of a hack. This does not appear to have dented customer confidence. Just 3% believe that their bank might have been at risk. As an industry under constant attack, financial services organisations should be aware of the risks. CapGemini asked banking executives how confident were they about their organisations spotting and defeating a data breach. Only 21% were highly confident that their organisations could do this.
Mike Turner, Global Cybersecurity Chief Operating Officer, Capgemini, said: “Consumers implicitly trust banks with their money and data, but this faith is rooted in a mistaken belief their provider can be 100% secure. While banks are evolving to combat the sophisticated threat cybercriminals pose, public understanding of the threats and challenges remains low.”
Poor practices put customers at risk
The CapGemini report is entitled: The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer and More Secure. It is available for free from the CapGemini website by clicking the link.
CapGemini created a Gartner style quadrant to assess the cybersecurity position of organisations. It uses two axis, Strengths of Security Framework and Strengths of Data Privacy Policies. These are fair and reasonable axis. The General Data Protection Regulation (GDPR) starts in 2018 so most, if not all, should already have strong privacy policies. GDPR also comes with mandatory reporting of breaches which could impact customer perceptions.
This is far from the case. Over 51% of organisations failed to get a mid-range ranking for their data privacy policies. This means that the embattled sector could face significant penalties in the event of a breach. Many institutions are struggling to meet regulatory requirements on capital reserves. A significant fine of 4% of global turnover is a business threatening situation as this will further deplete those reserves..
Of those that do have adequate data privacy policies only a few could be classed as very good. There is still much more to be done by the majority of financial institutions. If they don’t act then regulators will impose new rules which will cost more money and reduce their profits further.
Security frameworks not as strong as spending on tools suggests
Banks and financial institutions are regularly cited by security vendors as their customers. The majority of keynotes include video clips or personal appearances from financial services customers. All that spending on tools does not seem to have improved their security frameworks. Only 49% got above the adequate line in the survey. Just a very few can describe their frameworks as high.
This mismatch is no surprise. IT Security teams often struggle to integrate security tools from multiple vendors. There is also an air gap between framework designers and those deploying and implementing tools. This has to be looked at seriously and not just by financial institutions.
Governance and control are poor
IT has struggled to be represented at board level. This means that there is a lack of understanding of the state of security and what needs doing. While C-Suite Executives are quick to say how important security is, they don’t really know what is happening. A recent Trustwave and Osterman Research report showed that 75% of IT executives had no control over the security budget. It is also a case that many boardrooms believe they’ve allocated more than enough money in the last few years to solve cybersecurity.
It is not just a lack of engagement from the C-Suite. Insurers are selling cyber insurance products but providing little expertise or oversight. It is not unreasonable to expect a more active role from insurers to ensure privacy and security frameworks are fit for purpose. CapGemini found that this is not the case. In fact, they discovered that insurers are just passive partners in the cyber insurance market and don’t even require customers own boardrooms to set sensible policies.
CapGemini is calling for a more coherent security approach. It has to match data and security controls with business objectives. Financial institutions and insurers need to do more with their risk departments. Rather than be outward risk focused, they should be looking at internal risks and working with IT Security teams. This would provide an opportunity to review and strengthen controls and governance.
A hard lesson from retail
The impact of a data breach is not just about fines and reputational damage. It can have lasting effects on the value of a business. Yahoo accepted an offer from Verizon for $4.8 billion last year. It then announced two major security breaches. This has led to speculation that Verizon is renegotiating the deal or could even pull out. As of 24 Jan 2017, the deal was still on but Verizon had slowed the process down.
Banks could find that admission of data breaches will cost them customers. The CapGemini survey shows that 74% of consumers would switch banks if they announced a breach. This would mean a substantial outflow of capital from those organisations. That could lead some into difficult times.
Conclusion
Banking and finance likes to be seen as an honest and trustworthy industry. After years of financial scandals it is beginning to look more than a little tarnished. The claim that just 21% of banking executives believes their organisation is able to spot and remediate a data breach will not help their reputation.
