RadarFirst Blog

On Our Radar: September 20, 2019

In last week’s installment of On Our Radar my colleague Greg discussed the data breaches and security incidents that threaten the healthcare industry, including the unique challenges for healthcare privacy professionals. This week, I wanted to take the same approach diving into another industry that is heavily regulated and is charged with protecting sensitive personal information: financial services.

The financial services industry is going through an evolution, becoming more digitally savvy to keep pace with the increase in cyberattacks. According to the recent survey Modern Bank Heists: The Bank Robbery Shifts to Cyberspace, almost 67% of financial institutions saw an increase in attacks within the past 12 months. The reason for this increase? The majority of surveyed financial institutions (over 75%) say that cyber criminals are becoming more sophisticated and looking to “outwit IT pros.” The  attacks on these institutions aren’t just for financial gain, either. From the survey: “these attacks are launched to be punitive by destroying data.” While there is a noted increase in cyberattacks, the average cost of a breached record in the financial industry is significantly higher than in other industries: $336 per breached record, compared to other industries at $225.

It’s not always about the dollar amount when it comes to impacts on a financial institution’s reputation. The impact of a breach on your brand and customer trust can be lasting: one 2016 study on the topic indicated that 28% of affected individuals left their banks, and the effects of that customer turnover can last up to 11 years after an incident. According to a Ponemon Institute’s consumer sentiment study, a data breach lands in the top three factors that affect the reputation of a company. 

In short, the financial sector is the oft-cited number one target for cyber criminals. A staggering 25% of all malware attacks are targeted towards financial institutions and the attacks taking place are increasingly creative and sophisticated. On the positive side, financial institutions are aware of these issues and undertaking preparations for this increase in cyber attacks.

Here are a few places privacy pros in finance can look to for a more proactive approach to data security: 

  • Table top exercises and simulated risk assessment fire drills
  • Build your internal and external team of specialists for risk management, investigation, media relations, regulatory advice, and legal. 
  • Know what data you collect, where, and why. Limit the data to only that which is strictly necessary for business. 
  • Keep ahead of changing data breach regulations - know your regulatory burden of proof, what triggers notification, what does not trigger notification, and what remediation and mitigation efforts are admissible.
  • Track and maintain operational metrics on your incident response program. Keep regular, updated reports on where incidents are coming from, what the most common root causes are, how your organization is managing them, and what the results are in terms of notifications to regulators. 

P.S. - will you be at IAPP PSR next week? Come visit me at the Radar Booth (#309) to talk all things incident response.