In the same week the UK’s Financial Conduct Authority (FCA) revealed a fivefold rise in data breaches at financial services firms, Rupert Casey, technology solicitor at Keystone Law, warns that retail banks must get the basic procedures right or face regulatory rigor.
According to law firm RPC, 145 companies reported breaches to the FCA in 2018 compared to just 25 in 2017, a 480% increase. Retail bank breach reports rose from one to 25 between 2017 and 2018.
The sharp rise may be distorted by the “spotlight” of the General Data Protection Regulation (GDPR) mandatory reporting of data breaches, believes Casey, although he admits it still constitutes a concern.
“GDPR is one way in which consumers have the benefit of understanding whether or not their relevant financial institution has been has been targeted,” he says.
“If year on year [banks] are reporting more and then at some point you catch up with reality and reporting on a truthful basis, at that point does the market go up or down in the number of attacks? I don’t know, but you will see the regulator responding and being tougher on banks because public perception will always be that the number of attacks is going up.”
Casey suggests banks need to administer strict, formalised rules to show regulators they’re acting to prevent malicious behaviour.
“The only way banks can respond to this is a greater level of focus on policy and procedure. If you have all of that in place, it’s very difficult to bring the claim that you hadn’t taken the right steps,” he says.
Banks need a “systematic culture” of being aware of vulnerabilities and keeping up to date with the threat market, according to Casey.
“[With that culture in place] it will be very difficult for people to say you were culpable,” says Casey. “You may still be liable in terms of resulting damage but determining if you are culpable of being asleep at the wheel or in any way negligent - it will be consistently difficult to catch directors and senior personnel out on those grounds,” he says.
However, the arms race between hackers and bank security protocols is unlikely to result in a revision of GDPR Casey believes.
“My immediate sense is we have too many other things to be dealing with,” he says “GDPR is a global gold standard, I would be staggered if they did anything with this for at least a decade because it needs to bed down, analysed to see if it’s technologically neutral and I believe it is sufficiently neutral at the moment.
“Having said that, Moore’s law about technology is it will probably prove us all wrong on that,” he says.