The global proliferation of cyber attacks on financial organisations has thrust the issue of cyber security – and its seemingly routine failings – into the national conversation. The most recent major data breach, at the credit report company Equifax, highlights the problems facing organisations and their investors today.
In September, the credit report company announced that the details of approximately 143 million US customers had been compromised in a breach. The information accessed included names, social security numbers, dates of birth, addresses and driving licence numbers. The hackers also accessed around 209,000 consumers’ credit card numbers.
This attack, however, was not restricted to the US. Indeed, in an investor Q&A, Equifax revealed that UK and Canadian customers had also been affected.
Thomas Fischer, global security advocate at Digital Guardian, says, ‘It may be ironic for a credit protector that is called upon after major data breaches to be a target of one itself, but it just goes to show that no company is immune to suffering a cyber attack.’
‘Once again, we see how unprepared management teams are to deal with the aftermath of a serious breach of this nature. We’re told that none of the “core” data has been compromised, and yet the management team go on to say that investigators are still examining the extent of the breach. And why did it take the company so long to notify customers?’
This point arguably raises the biggest concern for customers and investors. Once attackers gain a foothold in an organisation’s network, they can operate undetected for months, or even years.
The longer an intrusion goes undetected, the more personal data the attackers can accumulate, and the greater the financial risk to both consumers and investors.
The Yahoo breach is perhaps the clearest demonstration of this: up to 1 billion accounts were exposed. The breach was disclosed in December 2016, but the intrusion itself took place in 2013.
As the problem of cyber attacks has gained more and more media attention, security has increasingly come to the forefront of consumers’ minds.
Following the spate of high-profile cyber attacks over the past year, findings from financial technology company Intelligent Environments revealed that security continues to be a top priority for consumers when it comes to their financial data, alongside their bank’s reputation for being secure.
Precisely half of consumers said they would look to switch banks if they suffered a cyber attack, and a similar number (47%) said they would lose complete trust in their bank if this happened.
So how can organisations defend against this ever-present threat, while effectively protecting their customers and their investors’ pockets?
Dr Gary McGraw, vice president of security technology at Synopsys Software Integrity Group, says, ‘When a large database is connected to the internet through various applications, and is not designed and implemented to be secure, things like the Equifax breach happen.’
Security tooling that continuously monitors the internal network as well as the endpoints is vital for detecting attacks early and responding to them effectively when they do occur.
Incidents like the Equifax breach should make firms consider their incident response, according to some experts.
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, explains, ‘Not having a pre-prepared and tested incident response plan causes delay in disclosing data loss, which simply opens up the company to further criticism and reputation damage when information is eventually published. Moreover, companies have to ensure that they are aware of every outsourcer, business partner or cloud service that may be sharing data, as similar breaches at any of those will have repercussions up the chain.’
The reputational damage caused by a cyber attack – in the age of social media – will also be of particular concern to investors. ‘I think we are drifting to a “trial by social media” scenario,’ says Gareth Lindahl-Wise, Director of Cyber Risk at ITC Secure Networking, ‘where the long-term reputational impact to companies (and hence the investments made in them) can be influenced by the perception of how well or badly they performed in an incident.’
‘Social media commentary may make the impact instant. This has to be a worry for investors who may see the impact occur in their funding cycle.’
Ultimately, the sheer volume of malware and intrusion attempts directed at companies by hackers and cyber criminals means that an incident is almost inevitable. Incident response, therefore, has to be at the forefront of any security strategy and an investor priority, especially with stricter data regulations on the horizon.
GDPR and UK customers
The Equifax breach, although the same applies to any breach at a global company, also raises a question about the European General Data Protection Regulation: the fact that UK customers were affected has a bearing on the impending EU GDPR.
The new regulation, which is better suited to today’s data-handling practices than the UK’s current Data Protection Act, will offer consumers greater data protection scope and impose tougher penalties on organisations that fail to comply with its requirements for handling and storing personal data.
Indeed, Fischer suggests, ‘US-based companies with customers in the European Union should take note. For example, under the GDPR, organisations like Equifax would need to clearly identify what sensitive data is being collected and let customers – and in some cases data protection authorities – know how it is being used.
‘Also, it’s not clear exactly what security measures the company had in place to protect data, but under the GDPR, businesses are required to use appropriate measures to protect all personal data, so any personally identifiable information that Equifax was processing should have been encrypted.’
Lack of awareness
Regarding the impact on SMEs, Helen Davenport, director at Gowling WLG, refers to research carried out by the international law firm. It found that many SMEs will simply not be up to speed with the impending changes brought about by the new regulation. For example, in the research, only 14% of respondents were aware of the potential fines for breaching the GDPR.
‘A factor could be that not all SMEs have access to and the resources to pay for regulatory advice and support,’ explains Davenport. ‘Whatever the reason, and despite much already having been written on the GDPR, the survey suggests that more needs to be done to raise the awareness among SMEs. Awareness is of course also just the first step, and SMEs should start taking action now to prepare for the GDPR if they have not already.’
In the short term, investors should be aware that the UK will not have left the EU before the GDPR comes into effect, so the UK government does not have a choice in the matter in terms of compliance.
A question that gets asked a lot, however, is: when the UK leaves the EU, will the country and the businesses that reside within it still be subject to this impending EU regulation? The answer is a firm ‘yes’, and implementing the regulation in UK law is a firm priority of the UK government and its Data Protection Bill.
The new Data Protection Bill, launched on 14 September, aims to overhaul UK data laws and will transfer the EU’s GDPR into UK law, where it will be maintained in full after Brexit. The government promised the Data Protection Bill in its election manifesto, and in its recent Statement of Intent (issued on 7 August) regarding the Bill, the government confirmed it intends that implementation will be carried out in a way that complies with the GDPR in full, ‘so the principles of the GDPR are here to stay’, remarks Davenport.
However, the government has negotiated ‘vital’ exemptions to create a more ‘proportionate’ regime for Britain, it says.
These exemptions will cover professionals in a range of spheres, including journalism, scientific and historical research organisations, anti-doping agencies and financial services firms that handle personal data in relation to suspected terrorist financing or money laundering, as well as employees who – when justified – access sensitive data without consent to fulfil the obligations of employment law.
Colin Truran, principal technology strategist at Quest Software, says, ‘If we do end up leaving the European Economic Area after Brexit, we will be seen as what is called a “third country” in the eyes of GDPR. This means the UK must have the same data privacy standards as the EU, or trade and data flow will become difficult – especially if the EU deems the Data Protection Bill to be deficient with regard to protecting data subjects and its enforcement thereof.’
The increasing threat of cyber attacks to an organisation’s customer data, financial position and reputation means that cyber security must be an investment priority, and this starts in the boardroom.
A study from data research body the Ponemon Institute shows the average cost to businesses from a breach is now $4 million – a 29% increase since 2013.
Businesses therefore find themselves in a constant battle to keep their organisation safe from attempted breaches while not restricting business or employee growth, according to Jeremy van Doorn, EMEA director of networking and security at VMware.
Business leaders must not underestimate the cyber threat, and security must be higher up the corporate agenda. Arguably, at the moment it is not high enough up this ladder to get the board’s interest.
‘This is symptomatic of the wider disconnect between senior management and IT decision-makers currently emerging within organisations, in relation to both security and other aspects of their IT strategy,’ explains van Doorn.
‘With loss of customer data, fines and reputational risk, embedding security into the heart of your IT and correctly educating your employees will put you in a strong position to protect your organisation from an attack,’ he says.
If the board is unwilling to act, or ignorant of the importance of security, then perhaps it is the investors’ place to alert them.