GDPR: The biggest change to data laws in over 20 years but are companies ready?
Just months away from the biggest shake-up in data privacy legislation in over two decades there are worrying signs that companies are ill-prepared for what is about to hit them.
The European General Data Protection Regulation (GDPR), which comes into force on 25 May, aims to protect EU citizens' personal data, regardless of borders or where the data is processed. The new rules will transform how businesses collect, store and manage personal data.
Failure to comply with the GDPR could see businesses facing significant penalties of up to €20m, or four per cent of annual global turnover.
Given the nature and the volume of data they hold – a potential goldmine for the hackers hellbent on obtaining it – financial services companies are among those deemed high risk.
Financial services data attacks on the rise
New statistics obtained by RSM in response to a freedom of information request suggest that data hacking attacks against financial services companies are on the rise.
Last year, financial services companies in the UK reported 17 incidents of data hacking attacks to the regulator, up from just four in the previous year. There were also two separate incidents of 'data leakage'.
The new statistics shed more light on recent figures published by the Financial Conduct Authority (FCA) that the overall number of reported cyber incidents jumped over 80 per cent from 38 in 2016 to 69 in 2017.
During 2017, the retail banking sector suffered the highest number of reported attacks (17), followed by retail lenders (16) and investment management firms (16). There were a further 11 incidents reported to the FCA by insurance firms.
These may sound like relatively low numbers. Indeed, there is suspicion that some companies are failing to report cyber breaches to the regulator. But it is important to note that the FCA treats attack campaigns – where there is a series of incidents attributable to the same actor within a short period of time – as a single incident. What we don't know is how much data was compromised on each occasion.
The scale of the cyber threat
Clearly, cyber-attacks are a real and present danger and show no sign of abating.
According to the National Cyber Security Centre, there were over 1,100 reported cyber-attacks in the UK last year, with 590 regarded as significant. Thirty of these required action by government bodies, a number of which involved the financial services sector.
In total, the UK deals with more than 10 significant cyber-attacks every week based on reported incidents.
In a recent speech, Robyn Jones, head of technology, resilience and cyber at the FCA, warned that such attacks were a fact of life and appealed to firms to protect their critical information, have monitoring in place to detect attempts to breach protective controls, and respond quickly and effectively.
Time for Action
With the countdown to the introduction of the General Data Protection Regulation (GDPR) well under way, it is vitally important for organisations to complete their preparation and implementation phases for the impending rule changes. No-one wants to be the first to suffer the financial and reputational risks arising from non-compliance.
An organised data protection programme will need to be established, with all data activities accurately recorded. This obligation extends to any third-party contractors or partners, and presents companies with much greater legal liability in the event of a personal data breach.
One of the key challenges is to identify all personal data which is collected and processed by the business. Many of our clients have found this to be a lengthy and difficult exercise.
For more complex organisations, particularly those operating in a regulated environment, there needs to be a comprehensive GDPR readiness and implementation project. GDPR won't end on 25 May 2018; that date is just the beginning. Businesses will need to adopt policies, procedures and working practices to ensure an ongoing regime of personal data governance is embedded into the culture of the organisation.
It's not just about the tech
Companies wanting to protect themselves from data theft must focus on knowing what is important and protecting that for the benefit of the business and its customers.
Business leaders can often be lulled into a false sense of security by their investment in technology, but people can often be the weakest link. Embedding a good security culture, with comprehensive staff awareness and training programmes, is key to spotting phishing emails and ransomware attacks, and to ensuring that password disciplines and data security controls are maintained.
Monetise the risks
One useful strategy is to try to monetise the risks, as this can help push the issue of data security up the agenda in the boardroom. Attempts have been made to estimate financial loss values relating to cyber-attacks in the past. Often, these have been inaccurate, overstated and not based on sound cost estimation models.
However, valuing cyber risk can be a useful exercise to inform a company's corporate governance framework and cyber control environment.
Such valuation metrics can include consideration of the business impact of cyber-attack, based on the value of lost transactions, operational downtime, the level of legislative penalties and the reduction in demand through reputational loss.
The ever evolving threat
The FCA recently warned that individuals and criminal groups are developing tools and exploiting vulnerabilities on an industrial scale. And with the speed of data processing and interconnectedness of systems, attacks travel fast and are actively adapting to defensive controls.
One of the biggest challenges is trying to keep up. With the GDPR looming, this is now more pressing than ever.