Top 10 op risks: data theft

The continuing revelations of the activities of the US National Security Agency (NSA), brought to light by the exiled whistleblower Edward Snowden, have led to two entirely separate worrying conclusions. For most people, the headline finding was that the NSA's eavesdropping activities, without effective oversight of any kind, have extended far more widely than anyone expected.

For IT security personnel, it was equally worrying to realise that even a US intelligence organisation – whose obsessive concern for secrecy had given it the nickname 'No Such Agency' – couldn't reliably secure its own data, and, in fact, seemed to have had no idea of the breach until Snowden went public. (Had he simply gone to a foreign intelligence service instead, as some security specialists pointed out at the time, the NSA might never have known what it had lost.)

If the NSA can't keep its data secret, what hope for banks? Unlike intelligence agencies, banks are (more or less) effectively regulated, and many national regulators demand that all data breaches, especially those involving the loss of customer information, be made public.

Data breaches are also attracting regulatory attention – the European Union's (EU) proposed Network and Information Security Directive was opened for consultation in early 2013, and the EU is also pushing ahead with strengthened data protection rules that could see organisations fined up to €100 million or 5% of global turnover for failures in data security, and will also impose new restrictions on the transfer of data outside the EU.

While the proposed directive should be more or less a breakeven change for industry, at least according to an impact study by the UK Department for Business, Innovation & Skills – the cost of implementation should be mostly balanced by the savings on the cost of data loss incidents – this doesn't mean that banks should not be concerned. First, just because the directive is breakeven for the economy as a whole does not mean the same will be true for each individual company. Second, even if the profit and loss impact is zero, it still represents a new compliance challenge for banks. And third, even if the directive breaks even, the new data protection rules may still impose significant new costs.

From next year, points out Stephen Wares, Marsh's London-based cyber liability practice leader for Europe, the Middle East and Africa, banks will face the unpalatable choice between the certainty of high implementation costs and the risk of higher fines. "The cost to business of implementing the changes required to comply with this piece of regulation may be significant, but the cost of failing to comply could be far greater. It is clear there is a strong will from the EU to give national regulators increased powers, with the suggested fining structure acting as an effective deterrent for non-compliance," he says.

The financial sector is increasingly becoming a target for data thieves: a recent survey of data breaches by the telecommunications company Verizon found that 37% of breaches studied in 2012 affected financial organisations (rising). Most were financially motivated, took the victims months to discover, were opportunistic and were based on an initial easy intrusion. This provides some reasons for hope: in particular, it seems still to be true that most attacks will be deterred by an initial failure to gain access, and the attackers will move on to an easier target.

Another and more worrying avenue of data loss is as a side-effect of regulatory compliance. Closer regulatory scrutiny and increased reporting requirements (such as those under anti-money laundering laws like the US Foreign Account Tax Compliance Act) will require much more detailed and frequent transmission of data, including personal information, to the authorities. The data protection problems this raises have already attracted attention in Europe, where transmitting individual account information to the US government could well break privacy laws.

But it may also make banks more vulnerable. There is no obvious difference between a legally ordered disclosure and an insider attack, wrote Ed Felten, Princeton University's professor of computer science and public affairs. "From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee's motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company's technology."

Felten was writing with regard to the privacy of the users of encrypted email services, but his point could also apply to banks: putting precautions in place to ensure the protection of bulk customer information against attack could run directly counter to the bank's duty to provide bulk information to regulators, for tax evasion, money laundering or even systemic stability reasons. Banks hastening to comply with regulatory pressure should keep one eye on the security concerns this raises.

Our previous Top 10 Operational Risks for 2014...

Index rigging
Board overstretch
Back to introduction