As financial services firms find themselves one of the chief targets for cyber attacks, renewed efforts in training and investment are necessary. Bill Lumley reports.

Banks and financial services companies worldwide have failed to invest sufficiently in the field of data security. This lack of investment has in turn impacted their customers, according to industry analysis.

This year began brightly enough with news from regtech firm Fenergo that fines for data breaches imposed on financial institutions (FIs) had fallen from $10.6bn in 2020 to $5.37bn in 2021. However, recently published reports and specialist analysis suggest that, as a sector, financial services organisations now face the second highest costs of any sector for losses arising from data breaches.

Published at the end of July, IBM’s ‘Cost of a Data Breach Report 2022’ revealed that the average loss from a data breach at a financial organisation is $5.97m, second only to healthcare breaches.

A moving target

Adding to the evidence of greater vulnerability to data breaches in the banking sector, a report from cyber security specialist Extrahop ranks financial services firms as the most exposed in relation to server message block (SMB), a network protocol used to share files, with SMB exposed on an average of 34 devices out of every 10,000, compared with just two in the retail sector.

Bob Kolasky, senior vice-president at risk and compliance firm Exiger and former assistant director for cyber security at the US Infrastructure Security Agency, says: “The bad guys have something to say about choosing their victims, so they go after financial institutions, because that’s where the money is.”

He adds that from his experience working with the government, major FIs have made significant investments and have improved their cyber practices significantly over the last 10 years.

Best defence

Andrea Babbs, UK manager of New York-based Vipre Security Group, says email will remain an essential platform for communication, but will continue to be a high-risk tool for businesses and employees to communicate both internally and externally. This is particularly the case for financial services organisations, as they remain a prime target for cyber hackers.

“The finance industry must prioritise cyber security and invest in a layered approach, which must include security awareness training and data loss prevention tools, in order to minimise human error and provide the strongest possible defence in the modern security landscape,” she says.

The banking industry has one of the highest rates of insider data breaches despite significant investment in workforce training, according to Steve Bradford, senior vice-president, Europe, the Middle East and Africa at Texas-based security software firm SailPoint Technologies. He warns that FIs are prime targets for cyber crime and that investing in multiple security technologies is critical to warding off criminals.

“Layers of cyber defence is key,” he says. “As the cost of data breaches reaches an all-time high, it is crucial that financial services organisations review their defences.”

Training and tools

While banks and other financial services operations should ensure sound data protection policies and procedures are implemented and communicated to staff, these should be supported with technical tools and monitoring processes to oversee network activity and prevent data loss, according to Paul O’Leary, partner at tax and consulting firm RSM.

He stresses the importance of having regular staff training in place. “These organisations should follow good practice information security guidance, such as the NIST principles, ISO 27001 information security management, the [UK] government’s NCSC 10 steps to cyber security and the cyber essentials scheme,” says Mr O’Leary.

One of the best practices to combat data breaches is to build a validation step into existing processes. This validation principle simply asserts that when a suspicious communication comes in, its origin should be validated. Jelle Wieringa, advocate at security awareness training company KnowBe4, says: “As simple as this might appear to be, it is a very powerful tool against social engineering [human interaction-based] attacks.”

Given the plethora of cyber security risks, it is vital to acknowledge the diverse range of threats by addressing each of them individually. Preventative methods should be prioritised over reactive ones, especially given the financial and reputational cost incurred after a data breach.

Helen Davenport, UK partner at law firm Gowling WLG, stresses that “this must be matched with ongoing staff training and awareness and scenario-testing to increase the opportunities to spot issues before they escalate”.

Amid a growing push into the cloud by financial services firms, Aare Reintam, chief operating officer of Estonian cyber specialist CybExer Technologies, offers a warning. He says that the continued digitalisation of financial services, the obsolescence of certain banking information systems and the interconnection with third-party information systems – and therefore migration to the cloud – will only serve to increase cyber risk without proper training frameworks in place.

US shoulders heaviest costs

It is not all bad news. For example, while the IBM report shows that the US has the highest average cost per data breach, and that the country has topped the list for the 12th consecutive year, Laurance Dine, global partner of IBM X-Force Incident Response, says this may be down to US requirements for more frequent reporting than elsewhere. “That skews it a little bit,” he says.

The IBM report contends that the costs of data breaches are passed on by FIs to their customers. A key conclusion is that investment in additional data security measures should pay for itself.
