According to a study by the mega-consulting firm Capgemini, only 21% of banking and insurance executives were highly confident in their ability to detect a breach, never mind defend against one. On the other hand, 83% of consumers trust their bank’s and insurance company’s ability to protect their data. So 4 out of 5 consumers think their bank has security handled, but only 1 out of 5 banking executives think their own bank has security handled.
One out of four banks say that they have been hacked, but only 3 percent of consumers think their bank has been hacked. That is a pretty big gap.
In Europe, the General Data Protection Regulation (GDPR) goes into effect next year. At that point, banks will have 72 hours to disclose any breach. That might change perception dramatically.
Almost half of consumers won’t use the online services that banks and insurance companies offer due to security fears.
Almost three-quarters of consumers would switch banks in the event of a data breach.
While reality might differ from how these people answered the survey, the fact that 47% of consumers say they won’t use online services (which are low cost for the banks and insurance companies) and 74% of them say they would switch providers if there was a breach should be a concern to service providers.
At least in Europe, service providers will soon have a lot less leeway to sweep breaches under the rug. That means that they might want to consider “upping” their ability to both detect and defend against cyber attacks.
For U.S. entities, while they may not face the same “force of law” that GDPR will provide, at least some hackers seem to enjoy “outing” companies they have breached. Sometimes that is preceded by an attempt to extort money from the breached company, but sometimes the hackers are on a mission and just want to hurt the company; that is the motivation for the hack in the first place.
U.S. entities that think the soon-to-be-in-force GDPR regulations won’t affect them may be wrong. According to the regulation, any bank (or other business) worldwide that does business in the E.U. falls under it. That means that a U.S.-based bank, for example, that has a branch in Munich or Paris would need to disclose any breach within 72 hours.
At least for multinationals, the bar regarding cyber security is going to be raised next year. A lot!
Under GDPR, the worst-case maximum fine a company could face is 4% of its annual global turnover (AKA global revenue) or 20,000,000 Euros, WHICHEVER IS GREATER. That should be a strong incentive for anyone who falls under the rule of GDPR. Let’s say that the authorities want to be nice and only fine a company 1% of its global revenue (remember, this is revenue, not profit) or maybe 1,000,00 Euros. Sounds like a bargain, huh?
Given that most institutions have a long way to go to truly secure their enterprises, now would be a jolly good time to start that project. May 2018, when GDPR goes into effect, is only 15 months away.
Information for this post came from Info Security Magazine.