Financial service firms: beware. Your data is a target. A new report out of the United Kingdom (UK) underscores the severity of the issue, but the issue itself is nothing new. The FBI has been sounding the alarm since 2011 about threats ranging from account takeovers and third-party payment processor breaches to securities and market trading exploitation, mobile banking exploitation, and even supply chain infiltration, among others. Hackers are more advanced and more prevalent than ever. What is shocking about the new statistics from the Financial Conduct Authority (FCA) is the sheer increase in breaches after the implementation of the General Data Protection Regulation (GDPR). Here's what to know and what to do.
The numbers are alarming and show a real concern for financial institutions and the protection of their assets and data. The total number of breaches reported by UK financial services firms to the FCA was 145 in 2018, up from 25 in 2017. That is an increase of 480%.
The breakdown of the 145 reported breaches is shown in the chart below (as provided by the FCA), with the previous three years also included. It demonstrates the stark increase in reported breaches over the course of four years.
|General Insurance & Protection||33||7||1||3|
|Pension Savings & Retirement Income||9|
|Retail Banking & Payments||25||1||1||1|
|Wholesale Financial Markets||34||3|
There are a number of theories as to why financial services firms in the UK reported 480% more data breaches in 2018 than in the previous year. The percentage alone is enough to set off warning alarms throughout the world, but do the reasons justify the urgency?
Thus, a combination of factors plays a role in the dramatic increase in reported breaches: the data that financial services firms hold, the desire of hackers to obtain that data, the limited protections these firms had in place until recently, and the new requirement to report. So, not all is as bad as it seems. The increase can be attributed in part to the new reporting requirement. In earlier years no such requirement existed, and reporting a breach could damage the reputation of the financial institution, which was an incentive not to report until it became required.
Financial services firms can protect themselves, whether they are in the UK, the United States, or elsewhere. It all involves a well-crafted IT plan-of-action that can include any of the options below, according to the firm's needs, wants, and specifications.
First things first: you need to educate yourself and your firm on cybersecurity and cyber attacks. You need to know how hackers are getting into your systems. You need to know what the latest technology is to counter hackers, including AI. You need to be informed on data management and on data destruction and disposal. And you need to inform all staff and employees. Data breaches are not only the work of hackers hiding in a dark space and using malware and other devices and software to obtain access to confidential information. Hackers also use tricks via email and other means to gain access through, for example, unsuspecting and uninformed employees who open emails without thinking twice and who use poor passwords without considering how easily they can be hacked.
An informed company and an informed staff are your first line of business. An internal team can conduct awareness education and training, or a third-party vendor can be hired to do so. It comes down to how large your firm is and what resources you have to manage it.
You need to assess the current status of your technology, challenges, and vulnerabilities so that you can recognize what you need and where you need it. There are different ways or approaches a firm can take to assess its technology needs, but in general, it should include:
Once you have the information you need, design a multi-layered system that is:
Financial services firms can no longer afford to be reactive; too much is at stake. Once you know and prioritize what you need, acquire it and implement it. Do your research to ensure you purchase the best technology and/or hire the best third-party vendor (e.g., a managed services firm). The goal here is to bring those statistics back down or, at the least, maintain them.