Jamie Dimon, CEO of JPMorgan Chase, has said that “the risk of a devastating cyberattack may be the single greatest danger to the US financial system”, and the last few years have continued to bear this out. The past decade has seen a massive transition from traditional to digital modes of data storage and transmission, and with it the risk of data breaches and theft has risen sharply. Financial institutions handle vast amounts of sensitive data daily, including personal information, account details and credit scores. Protecting this data is critical to maintaining trust and to the safety of both customers and the organization.
Data security has become one of the prime concerns of FIs in 2023, after cyberattacks such as ransomware and state-sponsored intrusions rose by 38% in 2022. Statistics for the period from 2020 to Q2 2022 show ransomware attacks peaking in Q2 2021 at 188.9 million. A similar trend holds for spoofing and phishing, which are on the rise, particularly against financial institutions around the globe.
Understanding the Threat Landscape
To understand the threat landscape that data protection strategies must address, consider the consequences of a data breach. In June 2023, IBM was hit through a zero-day vulnerability in the MOVEit file-transfer software that it used to handle healthcare data, impacting 4 million beneficiaries. Yum Brands’ breach in January 2023 forced the company to close around 300 locations in the UK. Another example is the OpenAI incident of March 2023, which exposed chat history titles, names, email IDs, payment addresses and, for premium users, the last four digits of their credit cards.
The total cost of cybercrime in 2023 is forecast to reach $8 trillion across all industries and regions. Financial institutions invest significant resources in cybersecurity and risk management to protect their data and systems from cyber threats. Despite these efforts, FIs still struggle with data security for several reasons:
Legacy systems: One of the main contributors to the rise in data breaches is the outdated technology the institutions still run. Many FIs rely on legacy systems and software that are no longer supported by vendors or updated with security patches. These systems are vulnerable to attack and can be difficult and costly to replace.
Sophistication: As technology advances, so do cybercrimes. Attackers increasingly use techniques such as social engineering, zero-day exploits and ransomware to bypass traditional security measures and exfiltrate sensitive data. Institutions need to take extra steps to protect it.
Neglect of minor incidents: Not all data breaches are avoidable, and not all are large-scale or targeted. A successful major breach can cost an organization a fortune, financially and reputationally, so organizations often focus only on sophisticated attacks and ignore minor data leaks. That may sound reasonable, since not every breach is predictable, but ignoring minor breaches lets weaknesses accumulate and allows cybercriminals to achieve their goal. According to the 2022 IBM Cost of a Data Breach report, an organization takes an average of 277 days to identify and contain a data breach, and the average cost of a breach is $4.35 million.
Third-party involvement: Financial institutions often rely on third-party vendors and partners for much of their data processing, including security. Cybercriminals can take advantage of this, as these vendors may not have strong security measures of their own, creating vulnerabilities and increasing the risk of a data breach.
Steps to mitigate risks
Financial institutions handle individuals’ high-value financial data, which raises the risk of a data breach and cybercrime. Customers’ personally identifiable information (PII) has become the sweet spot for hackers worldwide, enabling lucrative crimes such as identity theft and insurance fraud. Although countering these attacks can seem impossible, FIs can take a few steps to mitigate the evolving risks:
RRA (Regular Risk Assessment): FIs must conduct regular risk assessments to identify vulnerabilities in and threats to their systems and data. Mock drills and employee training programs help test the safety protocols. The process should cover risks related to technology, personnel, physical security and third-party vendors.
Implementing a data breach response plan: Prevention is better than cure, and having an in-house response plan ready before an attack limits what an intruder can reach. FIs should have a data breach response plan that sets out the response measures in the event of a breach, including whom to notify, what data to collect, and how to contain and mitigate the damage.
Areas of improvement: FIs should monitor their systems, audit their third-party vendors and partners, implement multiple layers of security controls, and review those controls continuously to close the gaps they find. AI and ML now allow monitoring software to learn from what it observes in real time and keep critical data secure.
Banks and financial institutions must thrive in a highly agile and ever-evolving competitive field. With emerging technologies constantly disrupting our ways of life, they must adapt their business models and processes to these changes. At the same time, we are in a customer-centric era of highly personalized omnichannel engagement aimed at maximizing customer value.
Protecting data in the truest sense becomes harder as we rely more on AI and open finance to deliver the best customized customer experience. According to Verizon’s 2023 Data Breach Investigations Report, the financial services industry was the most targeted industry, with compromised personal data accounting for almost 74% of the industry’s breaches. A 360-degree approach to data security will have to become de rigueur as organizations break down silos and consolidate internal and external information. Such holistic strategies will enable banks and FIs to comply with regulations governing data privacy, security and ethical use, as prescribed by laws such as GDPR and CCPA. Combating financial crime will become even more formidable as data becomes the most critical asset of the BFSI industry.
About The Author
As SVP for Maveric’s Data Competency Unit, Chandramouli Sundaram (Mouli) helms delivery and governance across customers and geographies for the overall Data Unit. His role is pivotal to Maveric’s aspiration to become one of the top three global BancTech providers by 2025.
Mouli brings rich technology leadership expertise, having scaled Wipro’s Big Data business from scratch to $100 M and Mexico’s growing Data team of 150+ specialists across Guadalajara and India.
Originally Published in Financial Express