By Jon Cano-Lopez, Chief Executive, REaD Group
It seems we can’t go a week without hearing of another high-profile data breach, news that understandably incites panic among businesses big and small. From the NHS to WPP, the list of organisations to fall victim to a security breach is both long and diverse. But these organisations have one thing in common: they have all faced devastating repercussions as a result of a breach.
Amid all this discussion of cyber security, the UK government’s recent Cyber Governance Health Check Report makes for shocking reading. It focuses on FTSE 350 companies and highlights an urgent need for action. As businesses increasingly store their information digitally, attackers are simultaneously devising more sophisticated means of gaining access, and the likelihood of a data breach grows as a result. Yet the report found that only 54 per cent of board members view cyber security as a top risk facing their company, implying that many are leaving themselves in a vulnerable position.
There are many reasons why it’s important to protect your business from the growing threat of a cyber attack. For the financial sector, recovering from a data breach can be particularly expensive. In addition to compensating customers, fines can be crippling. These figures are set to rise next year, when the EU General Data Protection Regulation (GDPR) comes into force.
The GDPR is widely accepted to be the biggest shake-up in data regulation of recent decades and replaces the Data Protection Act, which was introduced in 1998, before cyber security was such an issue. The regulation applies to any business processing the personal data of people in the EU, regardless of where the business itself is based, so it is likely to affect financial organisations operating around the world. With fines of up to €20 million or four per cent of annual global turnover, whichever is higher, businesses need to take this seriously.
A key focus of GDPR is data security. The rules clearly state that personal data must be processed in a way that protects it against “unauthorised or unlawful processing and against accidental loss, destruction or damage”. If a company discovers that personal data has been breached, it must notify the supervisory authority within 72 hours where feasible, and must also inform the affected individuals without undue delay where the breach is likely to put them at high risk. While the new laws should reassure consumers, the preparations they demand should also reduce the likelihood of a breach, making it more difficult for third parties to gain access to personal records.
Aside from financial repercussions, the reputational damage associated with a data breach can be equally difficult to recover from. Customers trust banks to store sensitive information responsibly. If this trust is broken, financial organisations risk losing both new and existing customers. REaD Group recently commissioned research into consumer trust, which asked people which sector they most trust with their personal data. The financial sector came out on top, with 44% of people saying they still trust banks with their information.
How to protect your data
A good start to ensuring your data is secure is to become GDPR compliant. Meeting its conditions will have the ancillary effect of exposing insecure systems. But, according to the government report, only six per cent of board members would describe themselves as prepared for GDPR, despite the regulation coming into force in less than ten months’ time, showing that urgent action is needed.
Carrying out a ‘data health check’ will allow financial companies to understand what their information estate looks like. It is essential that they are clear on the information they hold, how it was obtained, how it’s processed and where it’s stored. Every dataset should have a full audit trail. Even honest mistakes could be extremely costly once GDPR is in force.
The regulation clearly states that data controllers must have a lawful basis for processing personal data; consent and legitimate interest are two of the bases available. Due to the nature of their work, financial organisations often need a vast amount of personal data to operate. Banks need to communicate clearly with their customers to ensure they understand exactly what information is being collected and how it is being shared. Burying consent in the small print and using confusing wording was a popular tactic in the past, but GDPR clearly indicates that this is no longer acceptable.
Ultimately, the financial industry needs to prove to consumers that it can be trusted with large quantities of personal information. In doing so, it will also make it more difficult for this information to be illegally accessed.
Unfortunately, there is no quick fix for cyber security issues, but this should not discourage businesses from making the effort. The financial sector is an obvious target for hackers, holding more personal data than most other sectors. The risk of financial and reputational damage is simply too significant not to take the issue seriously. The latest report from the government should act as a wake-up call; the financial sector needs to act swiftly before May 2018, when GDPR comes into force.