Naomi Tudor, head of corporate banking, Shakespeare Martineau
In a world where data security is more important than ever, banks and banking institutions face a significant level of public and professional scrutiny about how they proactively manage cybersecurity threats, and how they respond in the event of a breach.
According to data released by the Financial Conduct Authority, the number of breaches reported by financial institutions rose five-fold in 2021 compared with the previous year. So, at a time of heightened sensitivity, what kinds of threats do banks face and how should they go about managing them?
By their very nature, banks of any size are targets for criminals. They hold huge amounts of personal and financial data which may be exploited in a variety of ways: transferring funds directly out of individual accounts, selling customer information on to other criminals, or even holding institutions hostage with the aim of causing widespread business disruption.
The methods that criminals employ to target banks are varied and sophisticated, ranging from direct attacks on computer systems and IT infrastructure to approaches to customers in an attempt to obtain their personal data. For example, a typical method employed by fraudsters uses fake email communications directed at customers asking them to transfer funds or confirm account details. If the request is complied with and cash is sent, by the time the funds reach a clearing bank it is usually too late and the money cannot be recovered. This form of scam – although simple – catches many people every year.
However, even before the introduction of the GDPR last year encouraged businesses across all sectors to rethink their data protection policies, larger banks and newer funders had been investing significant amounts of money in IT infrastructure. Having in-house systems that are as secure as possible is important; however, it is essential to remember that this stringent approach should also extend to an institution's supply chain.
Vulnerabilities further down the chain, with third-party suppliers, can provide a route in for criminals, who exploit those weaknesses in order to gain access to larger parties further up the chain. Banks, in particular, have recognised how important it is to properly vet suppliers for suitability and compliance. Any business which wants to engage in a commercial arrangement with a financial institution will find itself faced with a lengthy and rigorous process to navigate – however, this really is all in the interest of security.
One thing which is certain is that any business, regardless of the precautions it has in place, can fall victim to a cyber-attack. Technology evolves at a rapid pace and, with it, so do the methods which criminals employ to get at personal data. In the event of a breach taking place, however, the way in which customers are informed is important in limiting both reputational and financial repercussions.
In general, customers ought to be alerted as soon as possible if their personal data has been compromised, and the majority of institutions will have processes in place to ensure that this is done in a timely fashion. Not reacting quickly and failing to inform customers can attract anger from both the Information Commissioner's Office and the public.
For banking institutions and funders, regardless of size, reputation is highly important. Gaining the trust of the general public and of the business community that the service provided is going to be secure and transparent is particularly important, both for attracting new customers and for retaining current ones.
A large part of defending against, and reacting to, cyberattacks in the best way possible comes down to training and awareness, both for internal employees and for the public. In the wake of the GDPR legislation being introduced, data protection and information security courses have become much more commonplace in the working environment, and there is a general push for all employees, regardless of seniority, to take a more proactive stance in ensuring that personal data is as well protected as possible.
Among the general public, whilst fraudsters are always discovering new ways to trick people into handing over their private data, there must be a greater awareness of best practice when discussing sensitive financial information. This includes never giving out critical information, such as account numbers, over the phone, and being wary of emails from fraudsters masquerading as official messages from the bank or funder.
The reality is that organisations, no matter what sector they operate in, must be more attuned than ever before to the threat of data security breaches. Aside from significant financial penalties from the Information Commissioner's Office, the lasting damage to reputation can be especially hard to repair.