By Jacob Ghanty, Head of Financial Regulation at Kemp Little LLP
Banks and businesses are under increasing scrutiny to ensure they have the right security measures in place, especially in the wake of the numerous high-profile data breaches that took place in 2017. In recent news, NatWest came under fire for failing to use an encrypted HTTPS (Hypertext Transfer Protocol Secure) connection for a customer-facing section of its website.
Internet banking has grown in popularity in the UK for its convenience and time-saving benefits. For many consumers it has overtaken the use of physical branches. However, security remains a main concern for consumers when moving from ‘offline’ to online banking, and banks must meet customer expectations of convenience while also satisfying tough regulatory requirements in order to keep their customers safe online.
Not an isolated case
In the case of NatWest, the absence of an encrypted HTTPS connection was spotted by an external security expert and made public knowledge through Twitter. This security flaw meant hackers had the potential to redirect customers to a false NatWest site which looked identical to the legitimate site. Although the issue was resolved by the team within 48 hours, this vulnerability could have left NatWest liable to numerous security and legal consequences.
Clearly, banks and financial institutions are legally obliged to protect customer data in order to maintain the security, integrity and confidentiality of information. Yet, since 2007, 11 banks to date have been named and shamed by the Information Commissioner’s Office (ICO) for unacceptable data security practice.
According to the Data Protection Act 1998 (DPA), organisations must have appropriate organisational and technical measures in place to protect data against unauthorised or unlawful processing, and against accidental loss or destruction of, or damage to, personal data (a data security breach). This is known as the seventh data protection principle. While the DPA does not specify how “appropriate organisational and technical measures” should be developed under this principle, data controllers must ensure they prevent the possibility of data being compromised in any way.
Financial and legal obligations
From a financial perspective, banks must ensure they have reliable security mechanisms in place to protect the transfer of sensitive information and prevent the possibility of data corruption and leakage, while maintaining data confidentiality at all times. These requirements fall under the Prudential Regulation Authority Rulebook, and failure to meet the conditions leaves banks liable to disciplinary action.
From a data privacy law perspective, data controllers are at risk of huge fines should crucial customer information be compromised. For example, the ICO could impose penalties of up to £500,000, particularly in the case of a serious breach. In October 2016, TalkTalk was fined £400,000 for a breach of the seventh data protection principle, in failing to have appropriate organisational or technical measures in place.
Banks and financial institutions must also keep in mind the upcoming EU General Data Protection Regulation (GDPR), taking effect from 25 May 2018. This regulation will impose stricter obligations on data controllers than ever before and increase maximum fines under a two-tier system if they suffer a breach. Such fines, under GDPR, could look like the following:
- Up to 2% of a bank’s annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default
- Up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects’ rights and international data transfers
The importance of comprehensive security measures
The above fines highlight the scale of the initial financial impact that the lack of an HTTPS connection on its customer website could have had on NatWest. However, what cannot be calculated is the financial loss that follows the erosion of trust and reputation among current and prospective customers. In order to guard against such losses, financial institutions must use an HTTPS connection to ensure that any data sent between a customer’s device and a website is encrypted and therefore rendered inaccessible to anyone trying to intercept it.
Hackers often create phishing sites which, to users, look similar to a bank’s website, in order to lure customers into sharing their personal data. They can look more similar than users perhaps realise – even using fake log-in mechanisms to simulate the real website. This underlines why banks and financial institutions must be thorough with their security processes: the sheer scale of customers processing data and transactions through online services entails undeniable security and financial risks to both the customer and the bank.
Important next steps for banks
An effective way to spot and resolve any vulnerabilities in online systems is through carrying out a cyber-security audit. Financial services and banks can maintain a high level of protection by using appropriate detection capabilities, and putting in place fast-acting recovery and response systems. This will provide websites and online banking systems with the right tools to react to any issues quickly, and to prevent service outages in the case of unexpected interruptions.
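One concrete audit check of the kind described above, written for this article as an added example rather than anything NatWest or any auditor actually ran: it inspects constructed HTTP responses from a fictional customer-facing site (hostnames, paths and cookies are invented) and flags pages that are served over plain HTTP without a redirect, lack HSTS, set cookies without the Secure flag, or reference plain-http resources such as a login form action.

```python
import re
from urllib.parse import urlparse

# Constructed sample responses, shaped as (url, status, [(header, value)...], body).
# These are invented for illustration and are not captured from any real bank site.
SAMPLE_RESPONSES = [
    ("http://bank.example/customer", 200, [("Content-Type", "text/html")],
     '<form action="http://bank.example/login" method="post"></form>'),
    ("http://bank.example/", 301, [("Location", "https://bank.example/")], ""),
    ("https://bank.example/", 200,
     [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
      ("Set-Cookie", "session=abc; Secure; HttpOnly")],
     '<script src="https://cdn.example/app.js"></script>'),
    ("https://bank.example/help", 200, [("Set-Cookie", "pref=1; Path=/")],
     '<img src="http://bank.example/logo.png">'),
]

# Attributes whose value points at an unencrypted resource (form target, script, image, link).
HTTP_REF = re.compile(r'(?:action|src|href)="(http://[^"]+)"', re.IGNORECASE)

def audit_response(url, status, headers, body=""):
    """Return a list of findings for one response; an empty list means nothing was flagged."""
    findings = []
    scheme = urlparse(url).scheme.lower()
    lowered = [(name.lower(), value) for name, value in headers]
    first = {name: value for name, value in reversed(lowered)}  # first occurrence wins
    if scheme == "http":
        location = first.get("location", "")
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("served over plain http without redirect to https")
    else:
        if "strict-transport-security" not in first:
            findings.append("missing Strict-Transport-Security header")
        for name, value in lowered:
            if name == "set-cookie":  # Set-Cookie may repeat, so walk every header
                attrs = [part.strip().lower() for part in value.split(";")]
                cookie_name = value.split("=", 1)[0].strip()
                if "secure" not in attrs[1:]:
                    findings.append(f"cookie '{cookie_name}' lacks Secure flag")
    for ref in HTTP_REF.findall(body):
        findings.append(f"plain-http reference in page: {ref}")
    return findings

def audit_site(responses):
    """Map each URL to its findings, keeping only URLs with at least one issue."""
    report = {}
    for url, status, headers, body in responses:
        findings = audit_response(url, status, headers, body)
        if findings:
            report[url] = findings
    return report
```

Running `audit_site(SAMPLE_RESPONSES)` reports the unencrypted customer page and the help page, while the redirecting root and the HSTS-protected homepage pass.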
There are a number of useful sources of information in this area, including: the FCA’s speech in September 2016 on its supervisory approach to cyber security in financial services firms; various ICO guides on information security; the FCA’s Financial Crime Guide; and the FSA’s Thematic Review Report on data security in the financial services sector of April 2008.