Accountability for a data breach

Cyber breaches have become an everyday threat for financial institutions, and with the threat coming both internally and externally, accountability remains an open question. OpRisk investigates exactly who is responsible within a financial institution when a cyber breach occurs

A finger pointing like Lord Alan Sugar does on the BBC show The Apprentice

Accountability for a data breach

Page 1
Page 1

Accountability for a data breach

page 2

page 3

In March 2013 the US Senate Select Committee on Intelligence named cyber risk as its top global threat. The committee said that the global system was dealing with uncertainty and doubt in the face of new and unpredictable cyber threats. The report pointed out that within the past year, there has been a denial-of-service campaign against the public websites of multiple US banks and stock exchanges, with servers being flooded with traffic, often preventing customers from accessing their accounts via the internet.

IT sabotage was one of Operational Risk & Regulation's top 10 risks for 2013, and in a speech in November 2012 Atlanta Federal Reserve Bank president David Lockhart said the increasing incidence and heightened magnitude of cyber attacks suggests the need to update thinking on cybersecurity. "What was previously classified as an unlikely but very damaging event affecting one or a few institutions should now probably be thought of as a persistent threat with potential systemic implications," he said.

This continued rise in cyber threats only serves to remind financial institutions of their vulnerabilities in this area. And with this comes the question of where accountability should lie within an institution when its cyber infrastructure is breached. In global financial institutions that serve markets across numerous jurisdictions, maintaining sound and secure cybersecurity is a mammoth task. And when that security is breached, someone has to be held accountable.

Forms of attack

There are many ways in which a financial institution can find itself the victim of a cyber breach. The risks can be external or internal, via hardware or software, through people, machines or both – and can threaten customers' private information as well as that held by the bank. The most visible attack is an attack that impacts customers directly. And this can come in different forms, explains Greg Bell, Atlanta-based services leader for information protection at KPMG.

An organisation has to make cybersecurity an inherent part of any new project or application when it is started, because if you build an app and then bolt security on later at the end of the process, you have no chance

"Attacks specifically impacting your customers may be an attack by a malicious third party seeking to gain personal financial information over your corporate and individual accounts or perhaps fraudulent activity that uses the attack to actually gain access to the funds in an account."

According to Chip Tsantes, a Washington-based principal for information security advisory services at Ernst & Young, the most public type of breach in financial services is one in which personally identifying information is exposed or lost. He points out that in the US, most of the states have reporting laws that require companies to notify customers when their data has been compromised, meaning the public always hears about it. This perhaps makes it the most well-recognised threat, but it is certainly not the only threat banks are facing. "Other types of breach might be the loss of intellectual property, which might be business-level information, acquisition information, software code or other business secrets," he says. "Any intellectual property an institution owns that gives them competitive advantage might fall victim to a cyber breach."

On top of this, Bell points out that there is a new type of attack that is gaining in prominence.

"Attacks against operational information that financial institutions may have are increasing. Examples of that might simply be patterns of trades. They are not necessarily going after the discrete trade itself, but we are seeing big movements going across large sectors of industry or large specific, financial trades that may check off that something may be happening."

Attacks can also come in the form of a targeted attack against the internal general ledger or financial reporting of a bank before it is released to the public, with the aim of making money through insider dealing, says Bell. "If I know a certain bank is going to miss their earnings increase and I can make profit that way, I might target them that way," he says.

Carrying the can

With all these threats on the table, financial institutions have to ask themselves who holds responsibility for their cyber breaches. As the risk increases and more breaches occur, regulators – and the companies themselves – will also be looking for someone to blame. But that is not as simple as it sounds, according to Bell.

"It's a pretty broad set of responsibilities," he says. "We use a term in a lot of cases called ‘due care' because often there is a regulatory action or a class action lawsuit that can do the company harm after an incident has happened and people are going back and seeking attribution."

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact or view our subscription options here:

You are currently unable to copy this content. Please contact to find out more.

Financial crime and compliance50 2024

The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector

Investment banks: the future of risk control

This survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control

Op risk outlook 2022: the legal perspective

Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…

Emerging trends in op risk

Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…

Moving targets: the new rules of conduct risk

How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…

You need to sign in to use this feature. If you don’t have a account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here