Financial services firms: beware. Your data is a target. A new report out of the United Kingdom (UK) cannot underscore the severity of the issue enough, but the issue itself is nothing new. The FBI has been sounding the alarm since 2011, warning of account takeovers, third-party payment processor breaches, securities and market trading exploitation, mobile banking exploitation, and even supply chain infiltration, among other threats. Hackers are more advanced and more prevalent than ever. What is shocking about the new statistics from the Financial Conduct Authority (FCA) is the sheer increase in reported breaches after the implementation of the General Data Protection Regulation (GDPR). Here’s what to know and what to do.
Alarming Statistics from the FCA
The numbers are alarming and demonstrate a real concern among financial institutions about the protection of their assets and data. The total number of breaches reported by UK financial services firms to the FCA was 145 in 2018, up from 25 in 2017. That is an increase of 480%.
The breakdown of the 145 reported breaches is shown in the chart below (as provided by the FCA), with the previous three years also included; it demonstrates the stark increase in reported breaches over the course of four years.
[Chart: FCA-reported breaches by sector, broken down into General Insurance & Protection; Pension Savings & Retirement Income; Retail Banking & Payments; and Wholesale Financial Markets]
Why was there a dramatic increase in breaches in 2018?
There are a number of theories as to why financial services firms in the UK reported 480% more data breaches in 2018 than in the previous year. The percentage alone is enough to set off alarms throughout the industry, but do the reasons justify the urgency?
First, the financial services sector offers a lot of what hackers want: data and money.
Second, much of the financial services sector has not been using the most advanced technology and artificial intelligence (AI) to protect their information and data, according to a report conducted by Accenture and released in 2018, Cost of Cybercrime: Financial Services. In fact, “only 26% have deployed AI-based security technologies and 31% advanced analytics.”
Third, hackers themselves are becoming more numerous, bolder, and more sophisticated, keeping pace with the advancement of technology.
Fourth, the GDPR came into effect in 2018, which requires reporting breaches within 72 hours of discovery — so the increase in the statistics may be — in part — due to a legal requirement to report the breaches.
Thus, the combination of all these factors plays a role in the dramatic increase in reported breaches: the value of financial services data, the desire of hackers to obtain it, the limited protections firms had in place until recently, and the new requirement to report. So, not all is as bad as it seems. Part of the increase can be attributed to the new reporting requirement. In earlier years there was no such requirement, and because reporting a breach could damage a financial institution’s reputation, firms had an incentive not to report until it became mandatory.
What can financial services firms do to protect themselves better from hackers and data breaches?
Whether you are in the UK, the United States, or elsewhere, financial services firms can protect themselves. It all starts with a well-crafted IT plan of action that can include any of the options below, according to the firm’s needs, wants, and specifications.
Implement an Education & Training Strategy
First things first: you need to educate yourself and your firm on cybersecurity and cyber attacks. You need to know how hackers are breaking into your systems. You need to know what the latest technology is to counter hackers, including AI. You need to be informed on data management and data destruction and disposal. And you need to inform all staff and employees. Data breaches are not only the work of hackers hiding in a dark room using malware and other tools to gain access to confidential information; attackers also use tricks via email and other means to gain access through, for example, unsuspecting and uninformed employees who open emails without thinking twice and who use poor passwords without considering how easily they can be cracked.
An informed company and an informed staff are your first line of defense. An internal team can conduct security awareness education and training, or a third-party vendor can be hired to do so. It comes down to how large your firm is and what resources you have to manage it.
Assess Your Current Technology & Identify What You Need
You need to assess the current status of your technology, challenges, and vulnerabilities so that you can recognize what you need and where you need it. There are different approaches a firm can take to assess its technology needs, but in general, the assessment should include:
Gathering information on company and employee needs, considering functional needs, software requirements, technical requirements, and security needs (i.e., natural threats from environmental conditions, intentional human threats (e.g., hackers and disgruntled employees), and unintentional threats (e.g., poor password creation or accidental leaks)).
Reviewing the information gathered and prioritizing the identified needs.
Documenting the results of your findings so that you have the information in one accessible location from which you can build a plan.
Acquire the Technology You Need & Implement It
Once you have the information you need, design a multi-layered system that is:
Financial services firms can no longer afford to be reactive; too much is at stake. Once you know and have prioritized what you need, acquire it and implement it. Do your research to ensure you purchase the best technology and/or hire the best third-party vendor (e.g., a managed services firm). The goal here is to bring those statistics back down, or at the very least, keep them from rising.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.