Banks and Their Legal Obligations to Defend Against Cybercrime
Over recent years, banks and financial institutions have begun to increasingly rely on technology. With this, consumers expect banks to keep their data secure and the way banks manage cybersecurity threats and breaches is constantly in the spotlight.
So, what potential threats are there and what should banks do to manage them? Naomi Tudor, head of corporate banking, Shakespeare Martineau, has the answers for Lawyer Monthly.
There are two main reasons why banks are often the victims of hackers. Firstly, criminals often want to access the personal account details of consumers. This not only gives fraudsters access to other people’s money, but also provides them with the information they need to acquire access to other online accounts the individual may have. Secondly, hacking into a bank’s computer system can cause wide-scale business disruption. Large organisations are targeted, causing inconvenience for the company and thousands of customers. The time and resource needed to appropriately manage and rectify a cyber-attack can place immense strain on an organisation, impacting the organisation’s ability to carry out its day-to-day duties.
The methods through which criminals can gain hold of personal information are varied and financial institutions must be aware of any weaknesses in their organisations. For instance, personal information and account data can be leaked by rogue individuals, or attacks can be carried out by targeting the internal systems of the bank, such as the computer systems and IT infrastructure.
Since GDPR legislation was introduced last year, businesses have been encouraged to rethink their data protection policies in order to ensure their systems are as robust as they can be. Even in the time before GDPR, financial institutions focused a large amount of money on securing their IT infrastructure and honing their internal security processes. However, in a world where technology is playing an increasingly-large role, it is important that systems are continually updated.
Vulnerabilities within the supply chain must also be considered. No matter how advanced a bank’s cybersecurity is, if there are weaknesses in a third-party supplier’s IT infrastructure, then access can still be attained to the main bank’s data. For this reason, before entering into any contract with a third-party supplier, suitable compliance checks and due diligence must be carried out.
However, sometimes the data leaks can be caused by consumers themselves and there have been many cases of people being scammed out of their money through fake emails asking for funds to be transferred. These emails can look entirely legitimate, and even the most careful of people can be lured into giving the people behind these scams access to their money.
Training and awareness are vital when it comes to combatting cyber-attacks. Both internal employees and the general public need to know the risks and types of scams that exist. GDPR legislation has made data protection and information security courses more accessible for employees in all sectors, and there has been a push for all employees to be more proactive about data protection. More junior staff members are often the first port of call for consumers who fear there has been an attempt to access their data unlawfully. It is especially important that these staff members know the correct protocol if a person has been unwittingly scammed. Educating the public to know the warning signs, so they can contact their bank as soon as possible, is also an important step in tackling data breaches before they get out of hand.
Regardless of how careful financial institutions are, breaches and cyberattacks can – and will – still happen. If one is to occur, customers must be informed at an early stage if there is a possibility that their personal data has been compromised. Many banks have processes in place for such a situation to ensure that it is carried out correctly and in a way that causes as little panic as possible. However, as recent news articles have shown, a sluggish approach can cause lasting damage to the institution’s consumer-facing brand.
Attracting anger from the Information Commissioner’s Office, and from the public, due to the situation being handled poorly can hugely damage a bank’s industry and consumer reputation. The banking sector does not work without consumers’ trust. Although difficult after a breach, it is essential that this trust is maintained, or else both new and prospective customers will be lost.
All organisations, not only banks and financial institutions, must be fully aware of data security. Having knowledge of vulnerabilities internally, as well as educating the general public, is vital. The threat of financial penalties from the Information Commissioner’s Office should a cyber-attack be mishandled, and the lasting reputational damage that can arise, should be enough to ensure cybersecurity continues to be taken seriously.